Hello everyone, earlier we discussed the Cyber Kill Chain and the different stages of Advanced Persistent Threats (APTs).
We also discussed one way of protecting against the delivery of malicious code to your systems: using the Edge browser.
We still need to protect our operating system and the kernel, because something will still enter your endpoint and try to install itself, exploit, gain persistence, steal credentials, carry out post-attack reconnaissance, and so on.
We have relied heavily on our Antivirus/Antispam solutions for ages, and they have done their job nicely so far for known code, signatures and known attacks (Indicators of Compromise, IOCs).
These solutions have evolved over time as well, and today they have become intelligent through the use of advanced machine learning and analytics.
Windows Defender Antivirus (WDAV) is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
In addition to protection against known malware, Windows Defender AV has a Block at First Sight (BAFS) feature with cloud-delivered protection that provides a way to detect and block new malware within seconds.
Block at First Sight (BAFS)
Windows Defender AV works with Windows Defender Exploit Guard (Controlled Folder Access, Network Control and Attack Surface Reduction) to protect the endpoint from the various exploitation techniques attackers use to take control of your endpoints.
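As an added example (not from the original post), here is how the Exploit Guard features named above can be switched on in audit mode, reviewed, and then enforced. It assumes Windows 10 1709 or later with the built-in Defender PowerShell module and an elevated prompt; the two ASR rule GUIDs are Microsoft's documented rule IDs, and the event IDs are those of the Defender operational log.

```powershell
# Added example (not from the original post): enable the Exploit Guard features in audit
# mode first, review what would have been blocked, then enforce.
# Assumes Windows 10 1709+ with the Defender module; run from an elevated prompt.

# 1. Controlled Folder Access and Network Protection: AuditMode logs without blocking.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode

# 2. Attack Surface Reduction rules. The GUIDs are Microsoft's documented rule IDs:
#    D4F940AB-... "Block all Office applications from creating child processes"
#    BE9BA2D9-... "Block executable content from email client and webmail"
$asrRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550'
)
foreach ($rule in $asrRules) {
    # 'AuditMode' records matches as events; switch to 'Enabled' once the log is clean.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions AuditMode
}

# 3. Verify the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess, EnableNetworkProtection,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# 4. Review audit events from the last 7 days. Event IDs in the Defender operational log:
#    1122 = ASR audit, 1124 = Controlled Folder Access audit, 1125 = Network Protection audit.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122, 1124, 1125
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 5. Once the audit log shows only expected activity, enforce the same settings:
# Set-MpPreference -EnableControlledFolderAccess Enabled
# Set-MpPreference -EnableNetworkProtection Enabled
# foreach ($rule in $asrRules) {
#     Add-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions Enabled
# }
```

Audit mode is the important step: Controlled Folder Access in particular will block legitimate software that writes to the protected folders, and the 1124 events tell you which applications need to be added with `Add-MpPreference -ControlledFolderAccessAllowedApplications` before you enforce.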
While traditional solutions like antivirus and antispam offer protection against known versions of threats, given the current complexity and scale of attacks, that protection can be incidental or inadequate.
Statistics from AV-Test suggest that they register 250,000 new malicious programs every day, and the number keeps increasing over the years.
Thus, a layered security approach is the need of the hour. Having those layers built into the platform reduces the pain.
While WDAV protects against known malware and, to some extent, unknown malware using BAFS, Windows Defender Application Control (WDAC, earlier a component of Device Guard) works on a trust-nothing model: it blocks everything untrusted and executes only trusted code on the endpoints. As I said earlier, we need to protect our kernel as well, and WDAC also restricts the code that runs in the system core (kernel).
WDAC uses Virtualization Based Security (link) to protect its own process against tampering.
WDAC protecting against an untrusted executable
WDAC protecting against untrusted malware that was hidden behind a Word document
AppLocker is a less advanced form of WDAC, which can also be configured on your Windows 10 devices. AppLocker helps you control which apps and files users can run: executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
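The following is an added example (not the post's own steps) of the audit-first workflow for both allow-listing mechanisms described above: it builds a WDAC code-integrity policy from a reference machine with the ConfigCI cmdlets and deploys it in audit mode, then generates a comparable AppLocker rule set. It assumes Windows 10 Enterprise with the ConfigCI and AppLocker modules and an elevated prompt; the paths under `C:\Policies` and the sample binary path are assumptions for the example.

```powershell
# Added example (not from the original post): WDAC policy from a reference machine,
# deployed in audit mode, plus an AppLocker rule set built the same way.
# Assumes Windows 10 Enterprise with the ConfigCI and AppLocker modules; elevated prompt.
# All paths under C:\Policies are assumptions for this example.

$policyXml = 'C:\Policies\WDAC-Audit.xml'
$policyBin = 'C:\Policies\WDAC-Audit.bin'

# 1. Scan the reference system. Publisher rules are preferred; unsigned files fall back
#    to a hash rule. -UserPEs includes user-mode binaries, so the policy covers
#    applications as well as kernel-mode drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml -ScanPath 'C:\' -UserPEs

# 2. Rule option 3 = "Enabled:Audit Mode": untrusted code still runs but is logged.
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Compile to the binary format the kernel loads and place it where Code Integrity
#    reads it. A reboot is required before the policy takes effect.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# 4. After exercising the normal workload, list code that WOULD have been blocked.
#    Event 3076 = audit-mode violation; 3077 is its enforced-block counterpart.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 5. To enforce: remove option 3, recompile, redeploy, reboot.
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete

# --- AppLocker equivalent: less granular, but manageable through Group Policy ---
# The Application Identity service must be running for AppLocker rules to be evaluated.
Start-Service AppIDSvc

# Publisher rules (hash fallback) for everything under Program Files, applied to Everyone.
$appLockerXml = 'C:\Policies\AppLocker.xml'
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, Script, WindowsInstaller |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml |
    Out-File $appLockerXml

# Check how a given binary (placeholder path) would be treated before applying the policy,
# then merge the rules into the local policy.
Test-AppLockerPolicy -XmlPolicy $appLockerXml -Path 'C:\Users\Public\sample.exe' -User Everyone
Set-AppLockerPolicy -XmlPolicy $appLockerXml -Merge
```

Building the policy from a clean reference image rather than a user's machine matters: whatever is already present when `New-CIPolicy` scans becomes trusted, so the scan should run before any untrusted software has touched the box. Publisher-level rules also survive application updates, whereas hash rules have to be regenerated with every new build.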
Let’s now make life even more difficult for the attacker by making application vulnerabilities harder to exploit. Exploit protection can apply exploit mitigation techniques to your apps.
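As an added example (not from the original post), this is how per-application mitigations are applied and exported with the Exploit Protection cmdlets. It assumes Windows 10 1709 or later and an elevated prompt; the target process name and the export path are assumptions for the example, and the mitigation names are the documented values accepted by `Set-ProcessMitigation -Enable`.

```powershell
# Added example (not from the original post): apply per-application exploit mitigations
# with the Exploit Protection cmdlets, audit the riskier ones first, then export the
# configuration for reuse. Assumes Windows 10 1709+ and an elevated prompt.
# The target process name and the export path are assumptions for this example.

$target = 'notepad.exe'

# 1. Inspect current mitigations (system defaults plus any per-process overrides).
Get-ProcessMitigation -Name $target

# 2. Enable a conservative set of mitigations for the target:
#    DEP                 - no execution from data pages
#    SEHOP               - validates the SEH chain before dispatching an exception
#    BottomUp            - randomizes bottom-up allocations (stack, heap)
#    HighEntropy         - high-entropy 64-bit ASLR
#    ForceRelocateImages - relocates images even if they opted out of ASLR
#    CFG                 - control-flow guard on indirect calls
Set-ProcessMitigation -Name $target -Enable DEP, SEHOP, BottomUp, HighEntropy, ForceRelocateImages, CFG

# 3. Mitigations that commonly break legitimate apps (dynamic code, remote image loads)
#    have audit variants: they log instead of blocking.
Set-ProcessMitigation -Name $target -Enable AuditDynamicCode, AuditRemoteImageLoads

# 4. Verify, then export the whole machine's settings as XML. The file can be imported
#    elsewhere with Set-ProcessMitigation -PolicyFilePath or pushed via Group Policy.
Get-ProcessMitigation -Name $target
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Policies\ExploitProtection.xml'

# 5. Audit hits for user-mode processes are written to the Security-Mitigations log.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Start with the audit variants for anything beyond DEP/ASLR/CFG: plugins, JIT engines and installers frequently rely on dynamic code or load images from network shares, and the audit log shows exactly which application would have been affected before you switch to the blocking form.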