Windows Defender Advanced Threat Protection (Windows Defender ATP) is a new cloud security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
It really enables you as an administrator to detect attacks on your most vulnerable systems: workstations. Attacks are detected almost instantly, and the service portal gives you recommended remediation, lets you quarantine or block files, or even isolate machines from your enterprise network!
In this post I will guide you through the set-up and give you an example of an attack and response scenario.
Windows Defender ATP uses the following combination of technology built into Windows 10 and the cloud service:
- Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) and send this sensor data to your private, isolated cloud instance of Windows Defender ATP.
- Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem (such as the Microsoft Malicious Software Removal Tool), enterprise cloud products (such as Office 365), and online assets (such as Bing and SmartScreen URL reputation), behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in collected sensor data. Yes, that’s right… you benefit from special teams that are organized to recognize (malware) attacks!
The following diagram shows these Windows Defender ATP service components:
Figure 1: Windows Defender ATP components (source)
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
You can also request a trial for your tenant on the Windows Defender ATP website. Please note the trial will only be granted if you’re a Microsoft Partner or Enterprise customer. Adding it to your tenant is as easy as all the other Microsoft Cloud services; you go to the sign-up page, click “Want to add to an existing tenant?” and after a few clicks you’re done.
Configuring clients to report to the cloud service isn’t difficult either. The Windows Defender ATP client can be installed on Windows 10 Pro, Education and Enterprise editions running build 1607 or later. Clients are known as endpoints in the service, and the Windows Defender ATP portal gives you the following download options:
- Group Policy
- System Center Configuration Manager (starting from 2012)
- Microsoft Intune or a third party MDM solution
- Local Script
The Group Policy and local script options give you a batch file that onboards your endpoint to the cloud service.
For SCCM and Intune you will get a WindowsDefenderATP.onboarding file that you can import into these endpoint management products. In SCCM the new policy wizard will guide you through these simple steps. After you have created the policy you will need to deploy it to your Windows 10 (pilot) machines, the same as you do with other SCCM policies, packages, etc.
It is really that simple! Now give the process some time so the endpoints are reporting to the portal.
Checking the portal
The Windows Defender ATP portal is hosted at securitycenter.windows.com and after you login you will see the dashboard with an overview of active alerts for your users and machines, and some health statistics.
In the screenshot you can see that there are already some alerts. These alerts were generated by simulating an attack on one of the endpoints, where a Word document contained a macro that infected the machine. This sample scenario is typical of what happens in every organization: since the document usually comes from somebody known to the receiver, employees click “Enable Macros” almost instantly. Careful social engineering would have been used to ensure the receiver doesn’t suspect a thing and unwittingly opens the document.
The document, however, is weaponized with crafted macro code which silently drops a malicious executable file onto the machine. The executable is a backdoor that attains persistence on the machine and goes on to open a remote shell to the attacker, enabling them to run commands on the victim’s machine. The backdoor then gains control of one of the system processes and injects malicious code into it, so it can stay in memory and remain undetected in preparation to collect and exfiltrate data to the command and control server.
The service allows you to configure a SMTP server for e-mail notifications or to send events to your SIEM system.
A couple of minutes after I ran the attack I got notified via e-mail that there was suspicious social engineering activity because the Right-to-Left-Override (RLO) technique was observed.
Not long after this notification, I received the other alerts to inform me about the attack. Time to check the portal to investigate what’s going on!
Start the investigation
Back in the portal, you can browse the different alerts that were generated. While investigating an alert, you can change the status of the alert from New to In Progress to indicate it is being handled and to support your Security Operations Center workflow processes.
Click the alert link to see details about the alert, for example:
- Detailed description and recommended actions
- The process tree related to the files and processes in the alert, including command lines, times of execution, and other details shown in the side pane for selected processes
- The incident graph, including other machines in the organization this file was observed on
- The alert timeline, providing details of the event(s) that triggered the alert on this machine, including time observed, as well as the name, path and SHA1 hash of the dropped file.
Let’s take the RLO attack as an example. The indicator picked up by Windows Defender ATP is the file name of the dropped executable: specifically the use of RLO support, a capability for correctly displaying left-to-right and right-to-left language text together, used here to make the file name appear to have a “.jpg” extension instead of its true “.exe” extension. This is typically done to hide the fact that the dropped file is an executable, which raises further suspicion and results in an additional alert.
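To see why the RLO file name trips an alert, here is a small triage script (added here as an example; it is not part of the original post or of Windows Defender ATP) that scans a list of file names, such as those shown in the alert timeline, for Unicode bidirectional controls, approximates how a bidi-aware shell would render each name, and reports the true extension. The sample file names are constructed for the demonstration.

```python
"""Spot file names that abuse Unicode bidirectional controls (the RLO trick)."""
import os
import unicodedata

# Bidi override/embedding/isolate controls: U+202A..U+202E and U+2066..U+2069.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one behind the "RLO" alert.
BIDI_CONTROLS = frozenset(chr(c) for c in range(0x202A, 0x202F)) | \
                frozenset(chr(c) for c in range(0x2066, 0x206A))
RLO = "\u202e"


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows for `name`.

    Only the RLO case is simulated: text after the first U+202E is drawn
    reversed. The full Unicode bidi algorithm is more involved, but this is
    enough to see why 'x\u202egpj.exe' is displayed as 'xexe.jpg'.
    """
    head, sep, tail = name.partition(RLO)
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1] if sep else head


def inspect_filename(name: str) -> dict:
    """Return what a triage script would want to know about one file name."""
    controls = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    shown = rendered_name(name)
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": os.path.splitext(shown)[1].lstrip(".").lower(),
        "true_extension": os.path.splitext(clean)[1].lstrip(".").lower(),
        "suspicious": bool(controls),  # any bidi control in a file name is a red flag
    }


def find_disguised(names):
    """Filter file names (e.g. from a directory listing or the alert timeline)
    down to the ones that contain bidi controls."""
    return [r for r in (inspect_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample listing; the first two mimic the dropped-file trick.
    SAMPLE = ["holiday\u202egpj.exe", "invoice\u202efdp.scr", "report.docx", "cat.jpg"]
    for hit in find_disguised(SAMPLE):
        print(f"{hit['displayed_as']!r} is really .{hit['true_extension']}: {hit['bidi_controls']}")
```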
Next to information about the suspicious activity, the portal enables you to:
- View IP details to check if the malicious executable communicated with external IP addresses.
- Investigate the machine timeline. Alerts and related events are highlighted to make investigation easier.
- Submit the file for deep analysis. This will collect the file from the machine where it resides (if not already collected) and safely execute it in the Windows Defender ATP cloud sandbox, recording all activities observed during its execution.
Respond to the attack
Now that you have reviewed and confirmed the files and machines involved in the attack, it’s time to perform some response actions to contain and mitigate the attack. Please be aware that responding requires endpoints to have at least Windows 10 Creators Update installed (build 15031 or higher).
Response capabilities include isolating compromised machines from the network, stopping and quarantining attack-related files, and preventing further propagation by blocking the file from subsequent execution.
After you have quarantined the file, the process is terminated (if running) and the file removed from the system. The user that is logged in to the infected machine will get the following notification.
To prevent further propagation of the attack in the organization, you can issue a block on a file to prevent future read, write, and execution of the file in the organization. This feature requires Windows Defender AV with cloud-based protection enabled in your organization. To ensure it is enabled, open Windows Defender > Settings on the victim machine and ensure Real-time protection and Cloud-based Protection are On.
Depending on the sensitivity of the machine or severity of the attack, you might want to isolate the machine from the network to disrupt the attack and prevent further attacker activities. This operation will disconnect the victim machine from the network while retaining connectivity to Windows Defender ATP service.
After containing the attack, you can collect an investigation package from the machine to help identify its current state and collect evidence of other tools and techniques used by the attacker. The investigation package contains a rich set of data points such as running processes, installed programs, network information, persistence mechanisms, users and groups, event logs, Prefetch files and more.
As you can see Windows Defender ATP will give you an easy way to detect modern attacks and to respond properly. If your company already owns the required volume licenses, I can’t think of any reason why you shouldn’t implement this cloud service. It’s so easy to use!
In addition to this, you can use Microsoft’s Advanced Threat Analytics to check and investigate malicious behaviour in your network that targets your servers. We will talk about that in another blog post!