08-08-2020 06:38 AM
Anti-malware products like Windows Defender are getting smarter and stronger, and it is not easy to find malware which won't be detected by them. In case we face such a case, we will send them to the Microsoft Anti-Malware team for analysis, and we do have other defensive layers.
I am just wondering, during the 0-day period while we are waiting for a signature and face undetected malware, how you are dealing with it and protecting your environments?
Let me share some clues:
1) Use AppLocker to block them manually
2) Write some emergency PowerShell scripts
3) Isolate infected device
4) Implement some emergency policies
In case ATP is available, it would be much easier, but let's say how we handle it without ATP (consider the complex scenario) and then we discuss using ATP (as the easy scenario).
I am interested to hear what you think.
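The first two items in the list above (block with AppLocker, emergency PowerShell) can be combined into one script. The following is an added example, not code posted in this thread: it takes one or more samples that Defender does not yet detect, builds a DENY-by-hash AppLocker rule for each, merges the rule into the local policy, makes sure the Application Identity service is running, and then verifies the result with Test-AppLockerPolicy. The sample path, the rule-name prefix `EMERGENCY` and the output file name are assumptions; it also assumes the AppLocker rule collections are already in Enforce mode (a deny rule in a NotConfigured or AuditOnly collection blocks nothing).

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not code from the thread). Emergency AppLocker deny-by-hash:
  given one or more samples that Defender does not yet detect, build a DENY
  hash rule for each and merge it into the local AppLocker policy.
  Assumptions: run on the local machine (no GPO), the samples are still on
  disk, and AppLocker rule collections are already in Enforce mode.
#>
param(
    [Parameter(Mandatory)] [string[]] $SamplePath,          # files to block, e.g. C:\Quarantine\dropper.exe (assumed)
    [string] $OutXml = (Join-Path $env:TEMP 'emergency-deny.xml')
)

# 1. Let AppLocker compute its own hash. For PE files this is the Authenticode
#    SHA256, which differs from Get-FileHash on signed binaries, so do not
#    substitute Get-FileHash here.
$fileInfo = Get-AppLockerFileInformation -Path $SamplePath

# 2. New-AppLockerPolicy only emits Allow rules, so generate Allow hash rules
#    for Everyone and flip the action to Deny in the resulting XML.
[xml]$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'EMERGENCY' -Xml
foreach ($rule in $policy.SelectNodes('//FileHashRule')) {
    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('Description', "Emergency block added $(Get-Date -Format s)")
}
$policy.Save($OutXml)

# 3. Merge into the local policy. -Merge keeps the existing allow rules;
#    without it you replace the whole policy and may lock the machine up.
Set-AppLockerPolicy -XmlPolicy $OutXml -Merge

# 4. AppLocker enforces nothing unless the Application Identity service runs.
#    Set-Service is refused on this protected service on recent builds; sc.exe works.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

# 5. Verify before trusting it: the effective policy must now report Denied
#    for each sample and name the EMERGENCY rule that matched.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $SamplePath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Two caveats a practitioner would want: a hash rule only stops the exact bytes you hashed, so a re-packed copy of the same malware walks past it (a publisher or path rule catches more, when one applies), and AppLocker does not inspect DLL loads unless the DLL rule collection is enabled, so a dropper that side-loads a library is not covered by the EXE collection alone. Run this after the infected device has been isolated, not instead of isolating it.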
08-09-2020 03:05 AM
08-10-2020 10:43 AM - edited 08-10-2020 11:59 AM
Hi @Reza Ameri ,
On DART, we used a lot of Microsoft Threat Protection \ Defender ATP custom detections paired with response actions to deal with this. Using this approach, you can isolate machines, block files by hash or certificate, run a quick scan, or collect a forensics package.
What you're referring to falls more in line with hardening than preventing a 0-day. You can definitely use AppLocker to prevent malware, but it really depends on how it was set up. I'd recommend checking out AaronLocker - a config written by Aaron Margosis some time ago: https://github.com/Microsoft/AaronLocker.
Other protections would be attack surface reduction (ASR) https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-..., exploit protection (sort of like the new EMET) https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-ex..., or Application Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-g....
At the end of the day, what really makes an attack successful (in my opinion) is availability of credentials with widespread administrative authority. Keep tabs on delegations made on the root object of the domain (the domainDns object), user rights (especially on domain controllers), and permissions to the AdminSDHolder object. It's that whole assume breach mentality, and why many customers are moving towards Azure AD joined devices since it decouples identity from authorization, uses strong authentication, and decouples authentication from authorization. Check out the famous Pass the Hash whitepaper for those: https://aka.ms/pth
Last, microservices are the way to go. Avoid having one huge monolithic infrastructure, instead favoring smaller containerized services which only have access to what they need to operate.
The other place to keep an eye on is Defender ATP's threat and vulnerability management capability which can identify vulnerable applications, including which applications have an exploit in the wild. This paired with the Threat Analytics dashboard should keep you informed of many of the exploitation-centric threats to your infrastructure.
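The advice above to keep tabs on delegations on the domain root object and on the AdminSDHolder ACL can be turned into a repeatable check. The following is an added example, not code from the post or from DART: it reads the ACL of both objects through the ActiveDirectory module's AD: drive and flags every Allow ACE that grants control equivalent to Domain Admin, namely GenericAll, WriteDacl, WriteOwner, WriteProperty on all attributes, all extended rights, or one of the three replication extended rights that a DCSync attack needs. The `$Expected` baseline of principals is an assumption to be adjusted per forest; the replication-right GUIDs are the well-known values from the schema.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the thread). Audits the two objects named above,
  the domain root (domainDNS) and AdminSDHolder, for ACEs that hand out
  Domain Admin equivalent control. Principals in $Expected are an assumed
  baseline; anything else is reported as unexpected for review.
#>
param(
    [string[]] $Expected = @(
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'Domain Admins',
        'Enterprise Admins', 'Enterprise Domain Controllers', 'Domain Controllers'
    )
)
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$targets = [ordered]@{
    'Domain root'   = $domain.DistinguishedName
    'AdminSDHolder' = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
}

# Well-known schema GUIDs of the extended rights that DCSync requires.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-PrivilegedAce {
    param([string] $Label, [string] $Dn)

    $R   = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$Dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $allObj = ($ace.ObjectType -eq [guid]::Empty)   # empty GUID = applies to every attribute/right
        $reason = $null

        if     ($rights.HasFlag($R::GenericAll))               { $reason = 'GenericAll' }
        elseif ($rights.HasFlag($R::WriteDacl))                { $reason = 'WriteDacl' }
        elseif ($rights.HasFlag($R::WriteOwner))               { $reason = 'WriteOwner' }
        elseif ($rights.HasFlag($R::WriteProperty) -and $allObj) { $reason = 'WriteProperty (all attributes)' }
        elseif ($rights.HasFlag($R::ExtendedRight)) {
            $guid = $ace.ObjectType.ToString()
            if ($allObj)                                  { $reason = 'ExtendedRight (all)' }
            elseif ($replicationRights.ContainsKey($guid)) { $reason = $replicationRights[$guid] }
        }
        if (-not $reason) { continue }

        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Object    = $Label
            Principal = $who
            Right     = $reason
            Inherited = $ace.IsInherited
            Expected  = [bool]($Expected | Where-Object { $who -like "*$_" })
        }
    }
}

$findings = foreach ($t in $targets.GetEnumerator()) {
    Get-PrivilegedAce -Label $t.Key -Dn $t.Value
}
$findings | Sort-Object Expected, Object, Principal | Format-Table -AutoSize

$unexpected = @($findings | Where-Object { -not $_.Expected })
Write-Host "$($unexpected.Count) unexpected privileged ACE(s); review each before removing anything."
```

Run it from a domain-joined admin workstation with RSAT installed and keep the first run's output as the baseline; a new principal showing up with DS-Replication-Get-Changes-All on the domain root, or WriteDacl on AdminSDHolder, is exactly the kind of delegation the post warns about, and it is far cheaper to catch in a scheduled diff than during an incident. The script only reads ACLs; it never changes them.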
08-11-2020 08:22 AM
Thank you @MichaelJMelone for your valuable inputs.
I believe security is more about defense strategy. MD ATP is great, but due to certain company policies and licensing issues it might take some time before approval and getting this product running in the environment. When it happens, I believe the people who are in charge of cybersecurity could start celebrating and have an easier life.
However, before that we need some defensive measures in place, which you discussed.