Windows Defender ATP helps analysts investigate and respond to threats

Photo of the Microsoft Cyber Defense Operations Center.

Microsoft looked to the capabilities of the cloud to help address the challenges of monitoring and protecting our corporate network from advanced adversaries and threats. Windows Defender Advanced Threat Protection (ATP) combines built-in behavioral sensors, machine learning, and security analytics that quickly adapt to changing threats. With this threat intelligence, Windows Defender ATP helps us investigate and respond to advanced threats faster and more precisely than ever before.

In the fast-paced world of cybersecurity, adversaries grow more advanced in response to the tactics that we and other organizations use to thwart their attacks. Protecting corporate information also becomes more complex as services move to the cloud, employees become more mobile, and new technologies are rapidly introduced.

It is important to have a threat protection solution that can adapt to change as the modern workplace evolves. Microsoft responded to the complexity and challenges of advanced attacks against the modern workplace with the release of Windows Defender Advanced Threat Protection (ATP).

Core Services Engineering (CSE, formerly Microsoft IT) uses Windows Defender ATP to detect, investigate, and respond to modern threats more rapidly and effectively than ever before. As more services are moving to the cloud, we have made a commitment to enable our mobile workforce to be more productive and secure. Windows Defender ATP has transformed how our security analysts can respond to security threats—providing more information and better tools that help us protect users and devices, including those that are outside the control of our corporate network.

Since deploying Windows Defender ATP, we have seen immediate benefits:

  • Intelligent alerting and improved detection. Windows Defender ATP detects behavior that other tools don’t. It detects system-level behaviors that escape traditional detection and gives access to processes and command-line contents.
  • Speeds up time to detection. Windows Defender ATP alerts and views draw attention to important things in near-real-time, putting relevant data right in front of our analysts—or just a click away.
  • Puts responses in the hands of analysts. Windows Defender ATP provides response actions that can quarantine and block a file, collect supplemental log data from a machine, isolate a machine, and initiate deep analysis on executable files.
  • Helps us stay current. The Windows Defender ATP product team is constantly developing new behavioral threat detection, improving existing detection, and improving the console. These capabilities are automatically pushed to Windows Defender ATP without any action by our analysts.

Windows Defender ATP architecture

Windows Defender ATP consists of three main components: Windows Defender ATP endpoint sensors, the Windows Defender ATP cloud services backend, and the Windows Defender ATP console in the Windows Defender Security Center.

As illustrated in Figure 1, the components work together to form a coherent, centralized picture of endpoint security and response across the company.

 

An illustration that depicts how the components work together to form a coherent, centralized picture of endpoint security and response across the company.
Figure 1. Windows Defender ATP high-level architecture

The Windows Defender ATP endpoint sensors are integrated into Windows 10 Anniversary Update, and later. There’s two-way communication between the endpoints and security analysts through Windows Defender ATP. The sensors enable Windows Defender ATP to gather high-fidelity, system-level data and behavioral information from devices. It also allows analysts to collect sample files for analysis, do deeper forensic log collection on devices, and even isolate devices if they have been compromised.

The Windows Defender ATP service is built on the power of the Azure cloud—where we and every customer have a dedicated Windows Defender ATP tenant. The cloud location allows Windows Defender ATP to receive data from its endpoints even when they are outside of the corporate network. Our Windows Defender ATP data is isolated and secure in its own tenant, just as customer implementations of Windows Defender ATP are isolated and secure in their own tenants. Data is only accessible via Azure Active Directory (Azure AD) authentication, and access is fully audited.

Our analysts use the web-based Windows Defender Security Center to access our Windows Defender ATP data and interact with Windows Defender ATP endpoints to further research or defend against malicious activity. The Windows Defender ATP console is where our analysis really happens—it provides a dashboard, an Alert queue, Machine view, File view, User view, and Search—which we use to find data about machines, files, users, URLs, and IPs within the enterprise. These console views allow our analysts to quickly see the big picture and zoom in on the most critical alerts and events in our enterprise.

Figure 2 illustrates how the Windows Defender ATP dashboard gives analysts a high-level view of alerts as well as the critical machines at risk within our organization.

 

The Windows Defender ATP dashboard provides analysts with a high-level view of alerts as well as the critical machines at risk within their organization. With the search bar, analysts can quickly locate any entity—whether machine, file, URL, or IP—and drill in to learn more.
Figure 2. The Windows Defender ATP dashboard

Detection at scale

Alerts in Windows Defender ATP give our analysts unparalleled visibility into devices in our environment. At Microsoft, we have over 250,000 active users and more than 500,000 devices in our tenant; we monitor and respond to alerts at a massive scale. Between the size of the environment we monitor and the reliability of Windows Defender ATP alerts, we must be able to process a huge number of events. With traditional security tools, this caused data-overload problems for both data storage and alert analysis.

With the scalability and power of the Azure cloud driving the service, Windows Defender ATP has proven it’s capable of handling the large volume of events generated by our endpoints. Additionally, Windows Defender ATP helps make a heavy volume of alert analysis more manageable. Near real-time intelligence displayed in dashboards and console views that summarize data help us focus on the most important information surrounding an alert. We can quickly determine if an alert is real and identify the support tier that should handle the investigation and response. We also use different threshold techniques to prioritize risks or refine the actionable alerts we see.

Intelligent alerting and improved detection

Moving past event logs and malware signatures, Windows Defender ATP uses intelligent alerting derived from multiple indicators.

  • Indicators of compromise (IOCs). Includes indicators that surface through evidence collected from past observed attacks and industry-wide knowledge sharing.
  • Indicators of attack (IOAs). Includes indicators from heuristics, behavioral rules, machine learning, and anomaly detection algorithms honed to detect suspicious, attack-related events.
  • Internal threat intelligence indicators. Derived from looking at up to six months of historical data.
  • Global threat intelligence indicators. Collected through partnerships with threat intelligence organizations.

Windows Defender ATP combines these indicators to provide alerts with maximum relevance to our organization. Additionally, this indicator set is constantly evolving, as indicator developers integrate newly discovered techniques and feedback from our analysts.

Using the Windows Defender ATP console

The Windows Defender ATP console, in the Windows Defender Security Center portal, gives our analysts a consolidated view of Windows security alerts and data at a greater fidelity than ever before. In near real-time, we have visibility into a system’s process history, suspicious file attributes, and what action initiated a network connection. We can discover where a suspected malicious file is, figure out where it came from, and check our environment to see where else it went. We use the console to view suspicious behaviors and drill down on the actions that created a suspicious process. For each alert, we see how many machines it has been on in our environment and how many times it has been seen worldwide. All of this happens from our analyst’s workstations, with just a few clicks.

Alert view

The Alert view provides an attack narrative overlay on top of collected raw security events. It displays essential background information on the alert and a process tree that aggregates detections and related events into a single view. It doesn’t simply tell us that a behavior looks suspicious; it allows us to view the underlying system activity and see what action was suspicious. From this view alone, we have more information on each alert than we ever had before, including:

  • File information on any file in the process tree, including its signer, multiple versions of the file hash, a third-party analysis of the hash, IP addresses and hostnames it may have contacted, and the file’s prevalence in our environment.
  • User who logged into the system most recently.
  • System name and domain.
  • An incident graph showing related activity on the endpoint and possibly other systems.
  • A timeline showing the alert or alerts.
  • Relevant hostnames or IP addresses.

Often, the Alert view has all the information we need to understand and resolve incidents without having to leave the alert page. This helps our analysts quickly understand what caused the event and what its impact was, dramatically reducing the time it takes to resolve cases. If an event is particularly interesting or complex, our analysts easily pivot to views focusing on other aspects of the suspicious activity. For example, in Figure 3 below, we can see that an executable has injected into rundll32.exe.

 

An alert view of a cross-process injection including the detailed process tree in the Windows Defender Security Center.
Figure 3. Alert view of a cross-process injection including the detailed process tree

From the Alert view, our analysts can pivot to Machine, File, or User views with a single click. These views provide detailed contextual information about the alert, allowing the analyst to easily follow suspicious activity and determine whether it is malicious or benign.

Machine view

The Machine view provides a rich view of data and behaviors as observed on the machine, over time. It shows basic domain membership, when the system was first and last seen, and an overview of users who have signed into the system, even remotely. It also lists any alerts associated with that machine, both new and resolved. This allows our analysts to quickly see any infection history or record of false positives on the system, and provides additional context to the alert. The machine view is also where our analysts collect an investigation package of system logs from the machine or isolate the machine completely.

The machine timeline displays raw security events recorded on the machine, in the order in which they occurred. We expand timeline events to get detailed information about the context of the event. As show in in Figure 4 below, by expanding the suspicious token modification event, we can quickly see that Winword.exe opened an attachment to an email file, as well as the name of the email file and the Word document. A single click provides the likely infection vector for this malicious activity, as well as providing file names as an additional indicator.

 

A screen shot that shows how a single click provided the likely infection vector for malicious activity, as well as providing file names as an additional indicator.
Figure 4. Machine timeline displaying information about Outlook opening a Word document.

Clicking the “hotspot” to the left of a file name, host name, or IP address in the timeline also opens a side tab with a summary of the most important points of the selected item—while keeping the context of the item in the timeline. If an email message arrived on the endpoint using Office 365 ATP, the timeline provides a link directly to Threat Explorer to view information about the email without losing context.

Search capability within the Machine view timeline is even more powerful than the general Search in Windows Defender ATP. It allows our analysts to search for specific paths, strings within command lines, and user accounts, in addition to regular search items. This allows us to quickly jump to a point in the timeline that contains events of interest. Machine view also supports hunting for suspicious activity.

Machine view also offers our analysts the flexibility to collect forensic data and isolate a machine through a one-click operation. This saves a great deal of time in responding to security events, since we no longer must contact the user or an outside team to take action.

A Windows Defender ATP investigation package gathers specific logs from the system to supplement an investigation. When the analyst selects this action, the endpoint collects log information in a process that is transparent to the machine’s user. It puts the data in a compressed package that is stored securely in the cloud. Our analyst can then download the package from their Windows Defender ATP console.

Isolating the machine is an effective way to stop an attack from spreading and moving laterally to other devices. The Windows Defender ATP sensor uses the Windows host firewall to disconnect the machine and notify the user that the machine has been isolated.

File view

Many Windows Defender ATP alerts come from files that are behaving in a suspicious manner that we need to investigate. Or, we may receive information about suspicious files from an outside source and turn to Windows Defender ATP to determine if the file is in our environment. For these tasks, we look to the File view.

File view includes a wealth of information based on the file hash, so we can quickly determine if it is legitimate. File view provides the MD5, SHA1, and SHA256 for the file and shows information about the file’s signer. If Windows Defender Antivirus already has identified the file as malicious, that information is displayed, as well as a determination of the file hash’s reputation, provided by a third-party service. We can see the different names used by the file within our organization, based on the file hash. The view also includes a description about the file’s prevalence within our organization and worldwide (anonymously) so that we can determine if the file is custom to our environment or is widespread. Finally, File view provides a timeline view of machines on which Windows Defender ATP has seen the file hash, so we know which systems to remediate.

As illustrated in Figure 5, we can view information about a suspicious file and use one-click actions to halt the spread of the file and submit it for analysis.

 

A screen shot that show how we can use File view to see information about a suspicious file and use one-clock actions to halt the spread of the file submit it for analysis.
Figure 5. The File view in the Windows Defender ATP console

We can also respond to attacks from File view using one-click options to:

  • Stop and quarantine files. Contains the specific attack across the organization. Stops the malware that is running, quarantines the file, and removes it from the environment.
  • Block files. Blocks specific inbound attack files from any location on the Internet.
  • Submit files for deep analysis. If the file is executable, this action detonates the file to harvest indicators, such as callout IP addresses, files downloaded, or registry keys created or altered. Detonation occurs in a sandbox secure to our tenant—keeping the data secure.

User view

We can easily pivot from other views to User view to gather more information about specific user accounts. This view offers at-a-glance insight into what the user’s role is and what sort of activity we would normally expect from that user. When investigating cases of potentially compromised credentials, pivoting on the associated user account helps identify any lateral movement between machines with that user account. We find user account information in the dashboard, alert queue, and in the machine details page.

A user account link takes us to the user account details page. Here, we see:

  • Machines the user has signed on to.
  • User account details from the Azure AD tenant.
  • Alerts related to this user.
  • Observed in organization (machines signed on to).

As illustrated in Figure 6, User view displays account details about users on signed on to a device, and alerts that are related to that user account. It enables the investigation of lateral movement and potential cases of credential compromise.

 

A screen shot that illustrates how the User view displays account details about users on logged on a device, and alerts that are related to that user account.
Figure 6. The User view in the Windows Defender ATP console

If we believe an account is compromised, we can use this view to determine which systems the account was recently used from. We can form a profile of the account activity before and after the suspected compromise date to better differentiate between legitimate user activity and malicious activity.

Using Search to look for evidence of attacks

We use the Search bar in the Windows Defender ATP console to look for evidence of attacks, including file names or hashes, IP addresses or URLs, behaviors, machines, or users. Searching and pivoting is particularly valuable to us when “hunting” for malicious activity in the network in the absence of an actual alert. We pivot off the results of searches to quickly scope the impact of a breach and broaden an investigation across our environment. For example, we quickly determine whether we have seen a specific IP address or file before, or that a set of file hashes has not been seen in our environment.

Use cases: phishing and ransomware

Windows Defender ATP detects all kinds of threat and breach activities on endpoints, including phishing and ransomware attacks.

Ransomware

Windows Defender ATP has specific built-in behavioral analytics to detect ransomware. These alerts notify us of infection even if the malicious files have evaded anti-malware. We may use the Isolate Machine response option if there is a risk of the malware spreading.

Each alert maps to an infection stage, enabling analysts to determine how far into its operation ransomware may have gone. Windows Defender ATP has robust indicators and forensic data gathering capabilities that help us determine the ransomware infection vector. We then use the indicators detected by behavioral alerting in Windows Defender ATP to block the threat across the entire network.

Phishing

The faster we determine the intent of a phishing attack, the faster we can respond. Windows Defender ATP uses a series of suspicious behavior alerts to detect phishing attacks on our users. Using the Windows Defender ATP console, we have all the information we need to determine if the phishing email resulted in a file drop, malicious file download, or visit to a credential stealing site.

  • Credential stealer. Data in the Windows Defender ATP console informs whether the user visited a credential-stealing site.
  • Malicious file. We can use Windows Defender ATP to search for the file or its hash across the network.
  • Malicious file download. Windows Defender ATP shows us where the file was downloaded from.

Integration with Office 365 ATP allows us to see where phishing emails came from and who else may have received it. We then pivot off the site IP or name to determine if other users have visited it and to find new variants. We also do retrospective analysis of the phishing indicators against up to six months of stored data to detect activity that would otherwise have gone unnoticed.

Helping us keep up with evolving threats

Windows Defender ATP is a constantly evolving product. It has a dedicated team working to improve detections and develop new ones based on emerging threats. The team works with malware analysis experts to understand the new techniques that modern malware is using to try to stay hidden, and to come up with ways to detect that activity on the endpoint.

We believe that a close interaction between Windows Defender ATP developers and our analysts has helped the product group deliver a tool that is truly analyst-focused, and constantly improving. The Windows Defender ATP product group worked extensively with our analysts to differentiate between legitimate, malware-like behaviors that are benign and actual instances of malicious activity, which helped reduce the false positive rate. They have also implemented methods of tuning alerts and allowing our analysts to suppress alerts and other events that we identify as benign, so we are not overwhelmed with unactionable alerts. This tuning helps make Windows Defender ATP detections better for all Windows Defender ATP tenants, not just Microsoft. They are also actively improving our console experience.

Conclusion

Windows Defender ATP represents the next generation of security products for the modern company, and has become our security analysts’ primary and preferred tool for detecting modern threats and analyzing machine data. It provides better detection, enables data-driven investigations, and helps us rapidly respond. Using this Windows Defender ATP, our analysts can respond to more alerts on more systems in less time.

Recent