Post Breach Detection with Windows Defender Advanced Threat Protection


Guest author: Heike Ritter

71% of C-level IT and security executives put endpoints at the top of their most vulnerable list, as reported in November 2015. This growing concern is primarily attributed to Advanced Persistent Threats (APTs): sophisticated attacks, carried out by nation-state or politically motivated groups of hackers, that target enterprise intellectual property and information with high business impact. Traditional defenses, such as Anti-Virus solutions, often fail to stop these attacks, as determined attackers avoid using malware altogether. Instead, they opt to use legitimate OS management and penetration testing tools, simple social engineering tactics to trick users into granting them access and privilege, or they initiate attacks using zero-day vulnerabilities (0-days). The magnitude is alarming: 2,122 confirmed data breaches were reported in 2015 alone, with attackers maintaining presence in victims’ networks for a median period of 200 days before being detected. On average, it took the attackers minutes to breach the network, but it took security teams an average of 80 days to go from detection to full recovery.

This challenge requires a new toolset in order to shift the balance in favor of the defensive teams. Traditional solutions are focused on pre-breach measures: endpoint security solutions providing threat resistance and threat blocking, OS hardening by mitigation detection, virtual and physical patching, or acting as a gate keeper, examining incoming files and scanning memory for malicious content and blocking it in real time (à la Anti-Virus) – all in an effort to deny an attacker entry. But, as good as these preventive measures may be, determined, well-funded, and sophisticated attackers will find a way to breach these systems. Enter the post-breach mindset. Unlike pre-breach goals, post-breach solutions assume a breach has already occurred, and act as a “flight recorder” and Crime Scene Investigator (CSI) – monitoring security events on the endpoint and leveraging large-scale correlation and anomaly detection algorithms to provide alerts of indications of an ongoing attack. Post-breach takes advantage of the attacker’s need to perform multiple activities following the initial breach – such as reconnaissance, hiding, moving across the network in search of high-value assets, and finally extracting and exfiltrating information. Post-breach solutions provide security teams the information and tools necessary to identify, investigate, and respond to attacks that would otherwise fly beneath the radar and remain undetected.

This new post-breach approach is globally recognized within security market segments referred to as Endpoint Detection and Response (EDR) (Gartner) or Specialized Threat Analysis and Protection (STAP) (IDC), and within these segments you’ll find a growing number of specialized vendors and startups, often delivering niche solutions. The Windows 10 Anniversary Update will introduce a robust and fully integrated post-breach solution called Windows Defender Advanced Threat Protection (ATP), which enables enterprise Security Operations (SecOps) to detect, investigate, and respond to advanced attacks on Windows endpoints. This new post-breach layer of protection will augment the existing endpoint Windows security stack to provide customers with a full-fledged post-breach solution.

So what exactly is Windows Defender ATP? It combines the power of an OS-embedded client sensor, cloud security analytics, and world class human security experts:

1. The Client: an end-point behavioral sensor, built into Windows 10 Anniversary Update, that logs highly detailed security events and behaviors on the endpoint. It’s a fully integrated component of the Windows 10 Operating System, meeting the highest performance bars and requiring no additional deployment. It is always up-to-date and designed to lower overall costs.

2. Cloud Security Analytics Service: combines data from endpoints with Microsoft’s broad data optics from over 1 billion Windows devices, 2.5 trillion indexed Web URLs, 600 million online reputation look-ups, and over 1 million suspicious files analyzed to detect anomalous behaviors and adversary techniques and identify similarities to known attacks. The service runs on Microsoft’s scalable Big Data platform, and combines Indicators of Attack (IOAs), behavioral analytics, and machine learning rules.

3. Microsoft and Community Threat Intelligence: our Hunters and researchers constantly investigate data, identify new behavioral patterns, and correlate collected data with existing Indicators of Compromise (IOCs) collected from past attacks and the security community.

Windows Defender ATP key capabilities include post-breach detection of active attacks and incident investigation.

Post-breach detection of active attacks: ATP provides actionable, correlated, real-time and historical detections of both known and currently unknown adversaries, based on extensive behavioral security analytics that hunt for a never-before-seen attacker hiding in the noise, and deep intelligence understanding of attackers and their tools and techniques (Threat Intel).

The Windows Defender ATP dashboard shown below provides SecOps with a high-level view of alerts and top machines at risk within their organization. The search bar allows them to quickly locate any entity – Machine, file, URL, IP, etc. – so that they can drill in and learn more about it, now or in the past.


Windows Defender ATP’s incident graph provides a consolidated view of alert-related artifacts across all monitored endpoints, enabling IT to quickly gain an understanding of the scope of incidents. As you can see below SecOps can determine which machines are part of the incident, what tools are being used in the attack, etc.


SecOps can also drill into views that expose behavioral-based detections that have occurred across their environment or on individual machines. Windows Defender ATP uses Microsoft’s Intelligent Security Graph, which harnesses the power of big data security analytics and human hunter teams to identify anomalous behaviors and adversary techniques. As new insights are gathered, that information is put right back into the graph and Windows Defender ATP so that they can detect new and emerging threats.


Incident investigation: The machine timeline provides a rich view of events and behaviors (a semantic layer over raw events) observed on the machine over time, and facilitates remote investigation of any machine with the intuitive incident graph that allows users to quickly grasp the scope of an attack across an organization. It effectively provides an attack narrative overlay on top of the raw security events recorded on the machine. Windows Defender ATP stores these events in the cloud for up to six months to maximize historical investigation capabilities.


The machine timeline also enables SecOps to drill down and investigate issues using a highly detailed view of the behaviors that have been observed, in a full process tree format – providing SecOps with the means to understand the relationships between different artifacts participating in the same chain of execution.
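To make the process tree view concrete, here is an added example (not Microsoft’s code, and not the product’s event format) that reconstructs process trees and the chain of execution for one artifact from process-creation events keyed by PID and parent PID; the field names and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed process-creation events (sample data, not real telemetry);
# each record is one process start with its parent PID.
EVENTS = [
    {"pid": 700, "ppid": 4, "image": "services.exe"},
    {"pid": 812, "ppid": 700, "image": "svchost.exe"},
    {"pid": 3020, "ppid": 1100, "image": "winword.exe"},   # parent not logged -> tree root
    {"pid": 3188, "ppid": 3020, "image": "cmd.exe"},
    {"pid": 3210, "ppid": 3188, "image": "powershell.exe"},
    {"pid": 3300, "ppid": 3210, "image": "rundll32.exe"},
]

def index_events(events):
    """Map pid -> event and ppid -> [child events]; a parent never logged starts a tree."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    roots = [e for e in events if e["ppid"] not in by_pid]
    return by_pid, children, roots

def ancestry(events, pid):
    """Chain of execution from the earliest logged ancestor down to pid."""
    by_pid, _, _ = index_events(events)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against cyclic PID reuse
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def render_tree(events):
    """Indented text rendering of every tree, one line per process."""
    _, children, roots = index_events(events)
    lines = []
    def walk(e, depth):
        lines.append("  " * depth + f"{e['image']} (pid {e['pid']})")
        for child in sorted(children[e["pid"]], key=lambda c: c["pid"]):
            walk(child, depth + 1)
    for root in sorted(roots, key=lambda r: r["pid"]):
        walk(root, 0)
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_tree(EVENTS))
    print(" -> ".join(ancestry(EVENTS, 3300)))
```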


Windows Defender ATP also offers investigators Detonation-as-a-Service, where they can submit suspicious files from machines for deep analysis in a secure sandbox. Detonation executes a file or URL in a set of secured virtual environments (think several instances of Windows configured at different levels of security), where it’s allowed to run in isolated or internet-connected mode, while meticulously recording all of the file’s activities and behaviors, including resources it accesses, processes it spawns or injects into, registry keys it creates or modifies, etc.

So that gives you a quick overview of Windows Defender Advanced Threat Protection (ATP), and we look forward to hearing what you think about it. On May 15th we opened Windows Defender ATP for Public Preview, and hundreds of enterprises have already joined the preview program to test the product’s functionality and offer us their feedback. If you would like to join this community, sign up today. Windows Defender ATP will be available with the Windows 10 Anniversary Update.

Where to go from here:

  1. Learn more about the Product and Public Preview Program
  2. To learn more about our HUNTRs’ work, we recommend reports we published about the activity groups Strontium and Platinum on the Microsoft Malware Protection Center (MMPC) website.