Attack Surface Reduction Rules – Microsoft

If you’ve ever felt like defending your organization from cyber threats is like trying to plug a thousand leaks at once, you’re not alone. Attackers are always looking for new ways to sneak into networks, and keeping up can feel overwhelming. That’s where Attack Surface Reduction (ASR) Rules come in—they help simplify the challenge by proactively closing the doors that attackers often try to exploit.

In our previous article in our Microsoft Defender for Endpoint series, we looked at Vulnerability Management. This article will explain the Attack Surface Reduction rules that Defender uses to protect your environment.

Attack Surface Reduction

Think of ASR rules as a set of security guards that stand by every possible entry point into your systems, constantly watching for suspicious behavior. Their job is to stop threats before they even have a chance to start, by blocking risky actions and reducing the “attack surface”—the parts of your environment that attackers can target.

In this article, we’ll explore what ASR rules are, why they’re such an important feature in Microsoft Defender for Endpoint, and how they can help you keep your organization safe. Whether you’re just starting out in cybersecurity or looking to deepen your understanding, we’ll break down ASR rules in a way that’s easy to understand, so you can see why they’re such a powerful tool for protecting what matters most.

What Are Attack Surface Reduction Rules?

In today’s world, employees are no longer confined to a handful of office locations; they can be spread across the globe. While this brings many benefits, it also opens up many more areas for attack. Attack Surface Reduction is a set of rules designed to reduce the number of areas where attackers can carry out attacks.

Typically these rules target software behavior: executable files, scripts, and actions that applications don’t usually perform during normal work.

Types of Attack Surface Reduction Rules

There are a few types of rules that we’ll go over. All of these rules were created in response to viruses, malware and attacks that target these areas.

  • Productivity apps rules – Microsoft Office is the most prevalent productivity app in the world, but at times hackers have used it to create viruses and malicious processes, to inject code into machines, and to exploit vulnerabilities. Rules can be created to block Office apps from doing these things. If a user opens an unsafe Word document that tries to inject malicious code, a properly set rule will block this from happening.
  • Email rules – You can create rules to block executable content from email. There’s usually no reason why someone should email this type of content, and blocking it keeps your environment safer.
  • Script rules – There are rules designed to block obfuscated code and downloaded executable scripts from running.
  • Polymorphic threats – A polymorphic threat is one that can take on many different forms. You can create rules to block processes and exe files that run from USB drives. You can also block exe files that haven’t been seen in your environment yet, are less than 24 hours old, or are on a trusted list.
  • Lateral movement & credential threat – Credentials are stored in the local security subsystem (lsass.exe). Rules can be created to wall this subsystem off from the rest of the machine, so that processes can’t read credentials even if the system is compromised.

Warn Mode

You might be wondering whether enabling these rules could cause a lot of false positives in an environment. The last thing a security team wants is to enable a rule that shuts down the business. For this reason Microsoft created a mode called “Warn Mode” for these rules. When a rule in warn mode fires, the user sees a dialog box indicating that the content is blocked, and the dialog offers an option to unblock it.

This can protect against many attacks, but it also prepares your users for the full enforcement of these rules, by allowing them to access the content they need to perform their jobs while you review what the rules are catching.
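The staged rollout the article recommends for the rule types listed above (warn mode first, then block) can be scripted with the Defender Antivirus cmdlets. This is an added example, not code from the article: the rule GUIDs are Microsoft’s published identifiers for these rule categories and should be verified against the current Microsoft documentation before use; it assumes an elevated PowerShell session on a Windows host running Defender Antivirus.

```powershell
# Added example: staged ASR rollout with Set-MpPreference / Get-MpPreference.
# GUIDs are Microsoft's published rule IDs for the categories in this article;
# verify against current Microsoft docs before use. Run elevated.

# Rule name -> rule GUID (assumed from Microsoft's published ASR rule list)
$AsrRules = [ordered]@{
    'Office: block child process creation'         = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Office: block code injection into processes'  = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Email: block executable content'              = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Script: block obfuscated scripts'             = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'USB: block untrusted/unsigned processes'      = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Executables: prevalence/age/trusted-list'     = '01443614-CD74-433A-B99E-2ECDC07BFC25'
    'LSASS: block credential stealing'             = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

function Set-AsrStage {
    # Action accepts Disabled, Enabled (block), AuditMode, Warn
    # (numeric equivalents used by GPO/Intune: 0, 1, 2, 6).
    param([ValidateSet('Disabled','Enabled','AuditMode','Warn')][string]$Action)
    foreach ($name in $AsrRules.Keys) {
        # One call per rule keeps the Ids and Actions arrays aligned;
        # Set-MpPreference merges the setting with rules already configured.
        Set-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-45} -> {1}" -f $name, $Action)
    }
}

function Get-AsrState {
    # Report the effective action for every configured rule (actions come
    # back as the numeric codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            Id     = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Stage 1: warn mode, so users get the unblock dialog instead of a hard stop.
# Microsoft documents a few rules that do not support warn mode, so confirm
# the effective action with Get-AsrState rather than assuming it.
Set-AsrStage -Action 'Warn'
Get-AsrState | Format-Table -AutoSize

# Stage 2 (later, after reviewing Defender/Operational events 1121 block and
# 1122 audit for false positives): enforce.
# Set-AsrStage -Action 'Enabled'
```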

Application Control

Application control is an advanced form of attack surface reduction that is built into Windows. If an organization enables it, the only applications allowed to run are those that have been specifically white-listed. In years past, organizations would blacklist applications they didn’t trust, but that is a very reactive strategy. By only allowing white-listed applications, anything else that tries to run gets shut down. If a new app is brought into the environment, it simply needs to be added to the white-list, and your users are free to use it.

Web Protection

Web protection doesn’t work with every browser, but it can be a powerful tool if organizations choose to implement it. Microsoft Edge can run in an isolated “virtual environment”, meaning the OS is separated from the web browser. So if an employee visits a risky website and pulls down a virus, that virus can only exist in the virtual environment the web browser runs in. It cannot cross over into the OS, which keeps your environment safe.

Conclusion

Many companies spend millions of dollars on expensive cybersecurity tools designed to prevent attacks, yet pay little notice to the attack surface reduction rules that in many cases are built into Windows or their existing Enterprise Agreement with Microsoft. 

If organizations learn these rules, implement them and take them seriously, they are reducing their likelihood of getting attacked.  Our recommendation is to implement them in warn mode first, then to enable as many of these as possible.

Up next, we’ll take a look at the Next Generation Protection capabilities built into Microsoft Defender and show how these advanced engines work and protect your environment.
