Page 1 | Windows Defender ATP helps analysts investigate and respond to threats

Windows Defender ATP helps analysts investigate and respond to threats

In the fast-paced world of cybersecurity, adversaries grow more advanced in response to the tactics that we and other organizations use to thwart their attacks. Protecting corporate information also becomes more complex as services move to the cloud, employees become more mobile, and new technologies are rapidly introduced.

It is important to have a threat protection solution that can adapt to change as the modern workplace evolves. Microsoft responded to the complexity and challenges of advanced attacks against the modern workplace with the release of Windows Defender Advanced Threat Protection (ATP).

Core Services Engineering (CSE, formerly Microsoft IT) uses Windows Defender ATP to detect, investigate, and respond to modern threats more rapidly and effectively than ever before. As more services are moving to the cloud, we have made a commitment to enable our mobile workforce to be more productive and secure. Windows Defender ATP has transformed how our security analysts can respond to security threats—providing more information and better tools that help us protect users and devices, including those that are outside the control of our corporate network.

Since deploying Windows Defender ATP, we have seen immediate benefits:

  • Intelligent alerting and improved detection. Windows Defender ATP detects behavior that other tools don’t. It detects system-level behaviors that escape traditional detection and givesaccess to processes and command-line contents.
  • Speeds up time to detection. Windows Defender ATP alerts and views draw attention to important things in near-real-time, putting relevant data right in front of our analysts—or just a click away.
  • Puts responses in the hands of analysts. Windows Defender ATP provides response actions that can quarantine and block a file, collect supplemental log data from a machine, isolate a machine, and initiate deep analysis on executable files.
  • Helps us stay current. The Windows Defender ATP product team is constantly developing new behavioral threat detection,improving existing detection, and improving the console. These capabilities are automatically pushed to WindowsDefenderATP without any action by our analysts.

For more information on how we rapidly deployed Windows Defender ATP in our environment read, Windows Defender ATP helps detect sophisticated threats.

Windows Defender ATP architecture

Windows Defender ATP consists ofthree main components: Windows Defender ATP endpoint sensors, the WindowsDefender ATP cloud services backend, and the Windows Defender ATP console in the WindowsDefenderSecurity Center.

As illustrated in Figure 1, the components work together to form a coherent, centralized picture of endpoint security and response across the company.

Figure 1. Windows Defender ATP high-level architecture

The Windows Defender ATP endpoint sensors are integrated into Windows 10 Anniversary Update, and later. There’s two-way communication between the endpoints and security analyststhrough Windows Defender ATP. The sensors enableWindows Defender ATP to gather high-fidelity, system-level data and behavioral information from devices. It also allows analysts to collect sample files for analysis, do deeper forensic log collection on devices, and even isolate devicesif they have been compromised.

The Windows Defender ATP service is built on the power of the Azure cloud—where we and every customer have a dedicated Windows Defender ATP tenant. The cloud location allows Windows Defender ATP to receive data from its endpoints even when they are outside of the corporate network. OurWindows Defender ATP data is isolated and secure in its own tenant, just as customer implementations of Windows Defender ATP are isolated and secure in their own tenants.Datais only accessible via Azure Active Directory (Azure AD) authentication, and access is fully audited.

Our analysts use the web-based Windows Defender Security Center to access ourWindows Defender ATP data and interact with Windows Defender ATPendpoints to further research or defend against malicious activity. The Windows Defender ATP console is where our analysis really happens—itprovidesa dashboard, an Alert queue, Machine view, File view,User view, and Search—which we use to find data about machines, files, users, URLs, and IPs within the enterprise. These console views allow our analysts to quickly see the big picture and zoom in on the most critical alerts and eventsin our enterprise.

Figure 2 illustrates how the Windows Defender ATP dashboard gives analysts a high-level view of alerts as well as the critical machines at risk within our organization.

Figure 2. The Windows Defender ATP dashboard

Detection at scale

Alerts in Windows Defender ATP giveour analysts unparalleled visibility into devices in ourenvironment. At Microsoft, we have over 250,000 active users and more than 500,000 devices in our tenant; we monitor and respond to alerts at a massive scale. Between the size of the environment we monitor and the reliability of Windows Defender ATPalerts, we must be able to process a huge number of events. With traditional security tools, this caused data-overload problems for both data storage and alert analysis.

With the scalability and power of the Azure clouddriving the service, Windows Defender ATP has proven it’s capable of handling the large volume of events generated by our endpoints. Additionally, Windows Defender ATP helps make a heavy volume of alert analysis more manageable. Near real-time intelligence displayed in dashboards and console views that summarize data help us focus on the most important information surrounding an alert. We can quickly determine if an alert is real and identify the support tier that should handle the investigation and response. We also use different threshold techniques to prioritize risks or refine the actionable alerts we see.

Intelligent alerting and improved detection

Moving past event logs and malware signatures, Windows Defender ATP uses intelligent alerting derived from multiple indicators.

  • Indicators of compromise (IOCs). Includes indicators that surface through evidence collected from past observed attacks and industry-wide knowledge sharing.
  • Indicators of attack (IOAs).Includes indicators from heuristics, behavioral rules, machine learning, and anomaly detection algorithms honed to detect suspicious, attack-related events.
  • Internal threat intelligence indicators. Derived from looking at up to six months of historical data.
  • Global threat intelligence indicators. Collected through partnerships with threat intelligence organizations.

Windows Defender ATP combines these indicators to provide alerts with maximum relevance to our organization.Additionally, this indicator set is constantly evolving, as indicator developers integrate newlydiscovered techniques and feedback from our analysts.

Using the Windows Defender ATP console

The Windows Defender ATPconsole,in the Windows Defender Security Center portal, givesour analysts a consolidated view of Windows security alerts and data at a greater fidelity than ever before.In near real-time, we have visibilityinto a system’s process history, suspicious file attributes, and what action initiated a network connection. We can discover where a suspected malicious file is, figure out where it came from, and check our environment to see where else it went. We use the console to view suspicious behaviors and drill down on the actions that created a suspicious process. For each alert, we see how many machines it has been on in our environment and how many times it has been seen worldwide. All of this happens from our analyst’s workstations, with just a few clicks.

Alert view

The Alert viewprovides an attack narrative overlay on top of collected raw security events. It displaysessential background information on the alert and a process tree that aggregates detections and related events into a single view. It doesn’t simply tell us that a behavior looks suspicious;it allows us to view the underlying system activity and see what action was suspicious. From this view alone,wehave more information on each alert than we ever had before, including:

  • File information on any file in the process tree, including its signer, multiple versions of the file hash, a third-party analysis of the hash, IP addresses and hostnames it may have contacted, and the file’s prevalence in our environment.
  • User who logged into the system most recently.
  • System name and domain.
  • An incident graph showing related activity on the endpoint and possibly other systems.
  • A timeline showing the alert or alerts.
  • Relevant hostnames or IP addresses.

Often, the Alert view hasall the information we need to understand and resolve incidents without having to leave the alert page. This helps our analysts quickly understand what caused the event and what its impact was, dramatically reducing the time it takes to resolve cases.If an event is particularly interesting or complex, our analysts easily pivot to views focusing on other aspects of the suspicious activity. For example, in Figure 3 below, we can see that an executable has injected into rundll32.exe.

Figure 3. Alert view of a cross-process injection including the detailed process tree

From the Alert view, our analysts can pivot toMachine, File, or User views with a single click. These views provide detailed contextual information about the alert, allowing the analyst toeasily follow suspicious activity and determine whether it is malicious or benign.

Machine view

The Machine view provides a rich view of data and behaviors as observed on the machine, over time. It shows basic domain membership, when the system was first and last seen, and an overview of users who have signed into the system, even remotely. It also lists any alerts associated with that machine, both new and resolved. This allows our analysts to quickly see any infection history or record of false positives on the system, and provides additional context to the alert. The machine view is also where our analysts collect an investigation package of system logs from the machine or isolate the machine completely.

The machine timeline displays raw security events recorded on the machine, in the order in which they occurred. We expand timeline events to get detailed information about the context of the event. As show in in Figure 4 below, by expanding the suspicious token modification event, we canquickly see that Winword.exe opened an attachment to an email file, as well as the name of the email file and the Word document.A single click provides the likely infection vector for this malicious activity, as well as providing filenames as an additional indicator.

Figure 4. Machine timeline displaying information about Outlook opening a Word document.

Clicking the “hotspot” to the left of a filename, hostname, or IP address in the timeline also opens a side tab with a summary of the most important points of the selected item—while keeping the context of the item in the timeline. If an email message arrived on the endpoint using Office 365 ATP, the timeline provides a link directly to Threat Explorer to view information about the email without losing context.

Search capability within the Machine view timeline is even more powerful than the general Search in WindowsDefenderATP. It allows our analysts to search for specific paths, strings within command lines, and user accounts, in addition to regular search items. This allows us to quickly jump to a point in the timeline that contains events of interest.Machine view also supports hunting for suspicious activity.

Machine view also offers our analysts the flexibility to collect forensic data and isolate a machine through a one-click operation. This saves a great deal of time in responding to security events, since we no longer must contact the user or an outside team to take action.

A Windows Defender ATP investigation package gathers specific logs from the system to supplement an investigation. When the analyst selects this action, the endpoint collects log information in a process that is transparent to the machine’s user. It puts the data in a compressed package that is stored securely in the cloud. Our analyst can then download the package from their Windows Defender ATP console.

Isolating the machine is an effective way to stopan attack from spreading and moving laterally to other devices. The Windows DefenderATP sensor uses the Windows host firewall to disconnect the machine and notify the user that the machine has been isolated.

File view

Many Windows Defender ATP alerts comefrom files that are behaving in a suspicious manner that we need to investigate. Or, we may receive information about suspicious files from an outside source and turn to WindowsDefenderATP to determine if the file is in our environment. For these tasks, we look to the File view.

File view includes a wealth of information based on the file hash, so we can quickly determine if it is legitimate.File view provides the MD5, SHA1, and SHA256 for the file and shows information about the file’s signer. If WindowsDefenderAntivirus already has identified the file as malicious, that information is displayed, as well as a determination of the file hash’s reputation, provided by athird-party service. We can see the different names used by the file within our organization, based on the file hash. The view also includes a description about the file’s prevalence within our organization and worldwide (anonymously)so that we can determine if the file is custom to our environment or is widespread. Finally, File view provides a timeline view of machines on which Windows Defender ATP has seen the file hash, so we know which systems to remediate.

As illustrated in Figure 5, we can view information about a suspicious file and use one-click actions to halt the spread of the file and submit it for analysis.

Figure 5. The File view in the Windows Defender ATP console

We can also respond to attacks from File view using one-click options to:

  • Stop and quarantine files. Contains the specific attack across the organization. Stops the malware that is running, quarantines the file, and removes it from the environment.
  • Block files. Blocks specific inbound attack files from any location on the Internet.
  • Submit files for deep analysis.If the file is executable, this action detonates the file to harvest indicators, such as callout IP addresses, files downloaded, or registry keys created or altered.Detonation occurs in a sandbox secure to our tenant—keeping the data secure.

User view

We can easily pivot from other views to User view to gather more information about specific user accounts.This view offersat-a-glance insight into what the user’s role is and what sort of activity we would normally expect from that user. When investigating cases of potentially compromised credentials, pivoting on the associated user account helps identify any lateral movement between machines with that user account. We find user account information in the dashboard, alert queue, and in the machine details page.

A user account link takes us to the user account details page. Here, we see:

  • Machines the user has signed on to.
  • User account details from the Azure AD tenant.
  • Alerts related to this user.
  • Observed in organization (machines signed on to).

As illustrated in Figure 6, User view displays account details about users on signed on to a device, and alerts that are related to that user account.It enables the investigation of lateral movement and potential cases of credential compromise.

Figure 6. The User viewin the Windows Defender ATP console

If we believe an account is compromised, we can use thisview to determine which systems the account was recently used from. We can form a profile of the account activity before and after the suspected compromise date to better differentiate between legitimate user activity and malicious activity.

Using Search to look for evidence of attacks

We use the Search bar in the Windows Defender ATP console to look for evidence of attacks, including file names or hashes, IP addresses or URLs, behaviors, machines, or users. Searching and pivoting is particularly valuable to us when “hunting” for malicious activity in the network in the absence of an actual alert. We pivot off the results of searches to quickly scope the impact of a breach and broaden an investigation across our environment. For example, we quickly determine whether we have seen a specific IP address or file before, or that a set of file hashes has not been seen in our environment.

Use cases: phishing and ransomware

Windows Defender ATP detects all kinds of threat and breach activities on endpoints, including phishing and ransomware attacks.

Ransomware

Windows Defender ATP has specific built-inbehavioral analytics to detect ransomware. These alerts notify us of infection even if the malicious files have evaded anti-malware. We may use the Isolate Machine response option if there is a risk of the malware spreading.