The University of Pittsburgh relies on a layered approach to security. No single process or technology is sufficient to secure the University’s environment. Instead, we have put in place a robust series of security controls that operate at different layers and perform different tasks. A threat that manages to circumvent one control is likely to be thwarted by a control in another layer.
Microsoft Advanced Threat Protection adds another layer to our existing security controls. It is designed to protect against “advanced persistent threats”.
What is an Advanced Persistent Threat?
An advanced persistent threat is one of the newer threats faced by the University. It is characterized by a person operating behind a keyboard who is actively trying to compromise a specific target or group of users. The individual may use a targeted email phishing attack that has been customized specifically for the University of Pittsburgh’s environment, or they may take advantage of brand new security vulnerabilities for which no security updates or patches are yet available.
Once the individual is able to trick a user or exploit a vulnerability, they attempt to escalate their access until they reach the systems or data they are seeking. The attackers also make every effort to remain undetected so that they can maintain access to their target.
What can be done to protect against Advanced Persistent Threats?
The University’s Spam and Virus Filtering service (Exchange Online Protection) does a good job of protecting against general attempts to exploit security vulnerabilities through email. It utilizes a standard set of signature-based algorithms to detect harmful email content. But because advanced persistent threats are customized and written to attack a specific target (such as the University of Pittsburgh), general signature-based algorithms are less likely to offer protection.
Microsoft Advanced Threat Protection is designed to address this problem. It integrates with Exchange Online Protection to enhance security and help protect against advanced persistent threats.
How does Advanced Threat Protection work?
Advanced Threat Protection includes two features that can help protect against targeted phishing attacks.
Safe Links evaluates the links in an email message in real time to determine whether they link to safe or harmful content. All links evaluated by Safe Links will be replaced by a longer URL that begins with 'https://na01.safelinks.protection.outlook.com?', similar to the example shown below:
If the link is safe, you will be sent to the original Web address when you click on it. If the link is not safe, you will see a warning message similar to the example below indicating that the Web site you are trying to visit is harmful:
Safe Attachments is a feature that protects against harmful email attachments. It does not rely on analysis through signature-based algorithms, which are less effective against advanced persistent threats. Instead, Safe Attachments opens the attachments in a virtual environment and analyzes their behavior to determine whether they are harmful.
If the attachment is safe, it will be delivered to you along with the original email message. If the attachment is harmful, the email will be blocked and the message and attachment will not be delivered.
Please note that Safe Attachments does not analyze attachments in real time. This process may cause a minimal delay (measured in minutes) in the delivery of email messages with attachments.
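When reviewing a message, it can help to see where a link rewritten by Safe Links really points and to confirm that the wrapper itself is genuine rather than a lookalike host. The following is an added example, not part of the original page and not Microsoft's code; it assumes the original address is carried percent-encoded in a `url` query parameter, and every sample link in it is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Host suffix taken from the prefix quoted on this page. Accepting region
# labels other than "na01" is an assumption of this example.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def is_safelinks_host(host):
    """True only for a host of the form <region>.safelinks.protection.outlook.com."""
    host = (host or "").lower().rstrip(".")
    if not host.endswith(SAFELINKS_SUFFIX):
        return False
    region = host[: -len(SAFELINKS_SUFFIX)]
    # Exactly one non-empty label may precede the suffix.
    return bool(region) and "." not in region


def unwrap_safelink(link):
    """Return the original URL inside a Safe Links wrapper, or None if the
    link is not a genuine wrapper or carries no usable web address."""
    try:
        parts = urlsplit(link.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme != "https" or not is_safelinks_host(host):
        return None
    # Assumption: the wrapped address is in the "url" query parameter.
    values = parse_qs(parts.query).get("url")
    if not values:
        return None
    original = values[0]  # parse_qs has already percent-decoded it
    if urlsplit(original).scheme not in ("http", "https"):
        return None
    return original


if __name__ == "__main__":
    # Constructed sample links, not taken from real mail.
    samples = [
        "https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.example.org%2Fpage%3Fid%3D7&data=constructed&reserved=0",
        "https://na01.safelinks.protection.outlook.com.example.net/?url=https%3A%2F%2Fwww.example.org",
        "https://na01.safelinks.protection.outlook.com@example.net/?url=https%3A%2F%2Fwww.example.org",
    ]
    for s in samples:
        print(unwrap_safelink(s))
```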
Frequently Asked Questions
Does Safe Links evaluate every link?
No. Safe Links evaluates links from external email addresses. It does not evaluate links in email messages that have been sent from an @pitt.edu email address.
Does Safe Attachments analyze an attachment every time I send it?
No. Safe Attachments will only analyze an attachment the first time that you send it. If you send the same attachment to someone later, it will not be analyzed a second time.
I want someone to be able to view my attachment right away. What can I do?