Detecting threat actors in recent German industrial attacks with Windows Defender ATP

Discussion in 'other anti-virus software' started by Minimalist, Jan 25, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://blogs.technet.microsoft.com...industrial-attacks-with-windows-defender-atp/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's cool and all, but how does this benefit home users? I think M$ should release a consumer-based version, I would love to play with the behavior blocker. On the other hand, I'm sure it's probably dependent on the cloud, so on second thought, no thanks.
     
  3. guest

    guest Guest

    It's an enterprise product, it doesn't make sense for home users because most of its rules, if not all, are intended for enterprise environments: Active Directory, Kerberos, RADIUS, etc.
    In addition, the ATP is fed logs from IDS/IPS, firewalls, routers, etc.

    https://technet.microsoft.com/en-us...e/windows-defender-advanced-threat-protection
    http://download.microsoft.com/download/C/F/6/CF62335F-C46B-4D84-B0C9-363A89B0C5E6/Microsoft_advanced_threat_analytics_datasheet.pdf
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's why I say they should release a consumer-based version, just like most other AVs have behavior blockers. On the other hand, almost all software that M$ releases is crap, except for Windows. So I would be surprised if it would outperform other BBs.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    This would only be appropriate for a small group of people. The vast majority of regular users wouldn't know what to do with it. Similar to HIPS, BBs and other tools where the user has to make decisions.
     
  6. guest

    guest Guest

    That is the primary goal in security, to benefit the most people possible regardless of their skill.
    Who cares about a handful of geeks like us? If security vendors only focused on geeks for their sales, they would go bankrupt quite fast. (aka Emsisoft abandoning Online Armor, clearly stating it was more a geek's tool than anything else; few sales, lots of complaints to deal with for their support team).

    I have 2 computers, one with only built-in security and tweaks (no 3rd party apps), the other is filled with isolation, anti-exploit, anti-exe, etc...; guess which one is most used by friends and family? :D

    About Win Def ATP, I too would like this feature (as opt-in) for home users, but I guess MS doesn't want another cargo of complaints and bashing like they had with UAC.
     
    Last edited by a moderator: Jan 29, 2017
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To clarify, officially speaking only HIPS give alerts, and behavior blockers are supposed to make decisions for users. Obviously HIPS are only meant for power users.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It depends on how it's implemented. Emsisoft's BB gives alerts and the user has to make a choice. I guess there is no "official" rule about it.
     
  9. guest

    guest Guest

    I think you don't understand what this product does or what a home version would need to do.
     
  10. guest

    guest Guest

    Exactly. HIPS shouldn't be involved in any discussion about average consumers' basic security; and definitely not be compared with any built-in features made to offer basic protection without much difficulty in using them.

    Btw, a BB usually displays alerts if a decision can't be made based on its rules.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, correct, but officially BBs are supposed to auto-block, based on multiple violation scores, while HIPS simply alert about each monitored behavior. That's why I prefer HIPS, because I like to depend on my own expertise. But of course new generation BBs like the one offered by Invincea are supposed to generate very few false positives while spotting almost all malware, especially because they also use AI/Machine Learning.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No, I think you're missing the point. Of course I know what this product does, anyone can read about it. But I'm not sure if you realize this, but all advanced HIPS/BBs that are geared to the enterprise could be ported to home user versions, think of CrowdStrike and Invincea.

    It's not like the malware they are trying to stop is using different methods to infect the system, it's the same stuff that should be monitored. The reason why they are not releasing consumer versions is because the corporate market is much more attractive, and it would require them to hire more tech support people.

    I think you're in the wrong thread, this topic IS about HIPS/BB. And for the last time, I don't care about other "average consumers", all of my comments are based on my own experiences with security tools. Obviously, HIPS is not for everyone, just like LUA/UAC isn't for everyone, because of the annoyance factor. But let's stay on topic.
     
  13. guest

    guest Guest

    @Rasheed187 if you don't care about average users, why do you ask for it to be in the Home version?!
    Go buy Win10 Enterprise...

    It is a corporate feature because average users won't have any clue how to deal with it. And as you said, it will generate a tremendous amount of support requests, which will force them to hire buses of employees for something that should have stayed for skilled users.
     
  14. guest

    guest Guest

    Still, I think you don't know what this does.
    Try to deploy an enterprise-class IDS/IPS (Sophos, Snort, etc.) and then disable all the rules that don't apply to your home environment, and take a look at how many are left.

    How many Internet-facing servers do you have at home?
    How many web servers?
    How many OSes out of support, or not patched?
    How many databases?
    ...

    All this doesn't help a lot to protect endpoints; what would your product do that AVs and firewalls don't do already? Detect an APT (advanced persistent threat) in a home environment? lol, a lateral movement from your PC to your smartphone?
    Are you the target of a government, or a hacking group?

    No one will develop anything because it's useless and won't improve the level of protection that you can get with the current technologies.
     
    Last edited by a moderator: Jan 31, 2017
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Now you're just kidding me, right? I wonder if you even read my reply, because if you did, you would see that I mentioned products like CrowdStrike and Invincea, both very advanced tools, but home user HIPS/BBs monitor for the exact same things. It's a no-brainer that when I'm talking about a consumer version, I mean I would like to see a simplified version of their products. Is it really that hard to understand?

    You just answered your own question. I don't care about average users who don't know how to make use of it. As you may have noticed, I'm a big fan of HIPS/BB's. However, M$ could decide to add a basic BB to Win Defender, perhaps with auto-pilot function, that's all I'm saying.
     
  16. guest

    guest Guest

    They can, and in the improbable case they do, it will surely not be on the Home version, which doesn't even have AppLocker... sadly... all the best features are on Pro or Enterprise versions.
     
  17. guest

    guest Guest

    Yes, it is hard to understand: what kind of probable attacks do you plan to block with your consumer version that can't be blocked with current tech? Maybe you are the only person in the world who has discovered a new billionaire market, please enlighten us.

    CrowdStrike and Invincea? They don't do anything special, or really different from a normal AV, except the marketing. They are advanced because they use machine learning techniques? This is as old as the AV industry itself.
    https://eugene.kaspersky.com/2016/0...gence-bubble-and-the-future-of-cybersecurity/
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Exactly my point! HIPS and BB's that are used in the enterprise do the exact same thing as home user versions, only on a larger scale! That's what I'm saying, so it would be cool to see them releasing simplified products that are hopefully better than current offerings like Comodo and SpyShelter. So it's not about new tech versus old tech, it's about better products and more competition on the home user HIPS market. But it's not going to happen for the reasons we already mentioned. BTW, SentinelOne also looks cool:

    https://sentinelone.com/cyber-threat-protection/
    https://sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
     
  19. guest

    guest Guest

    Skilled enterprise admins use SUA combined with restriction policy mechanisms (such as AppLocker in Windows or AppGuard) to secure workstations; in some rare cases I saw tools like Deep Freeze/Shadow Defender.
    They use server virtualization or mirroring and hardware firewalls associated with honeypots to protect the servers and network.
    All must be "set & forget", not stupid prompt-shower HIPS/BB. They don't have time for that.

    If you look at the winners of the yearly Homeland Security Awards, AppGuard won 2 times in a row. There is a good reason for it: it doesn't leave the choice to the user. It blocks, "plain & simple", everything not whitelisted by the admin.
     
    Last edited by a moderator: Feb 2, 2017
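Added example, not from any post in this thread: a small Python model of the three endpoint-control styles argued about above, the per-event alerts of a HIPS and the accumulated violation score of a behavior blocker (post 11), and the default-deny allowlist that post 19 attributes to AppGuard. Behavior names, weights, thresholds and paths are constructed assumptions, not values from any real product.

```python
# Added example: three endpoint-control policy styles, modelled on the
# HIPS / BB / allowlist distinction discussed in the thread. Event names,
# weights, thresholds and paths are constructed assumptions.

# Constructed behaviour trace for one process: (behaviour, violation weight).
SUSPICIOUS_TRACE = [
    ("write_autorun_key", 3),
    ("inject_remote_thread", 5),
    ("write_user_document", 1),
    ("disable_av_service", 5),
]
BENIGN_TRACE = [("write_user_document", 1), ("open_network_socket", 1)]

BLOCK_THRESHOLD = 8   # assumed: auto-block at or above this score
PROMPT_THRESHOLD = 4  # assumed: below BLOCK but at/above this, ask the user


def hips_mode(trace):
    """HIPS style: every monitored behaviour raises its own alert and the
    user decides each time. Returns the list of alerts raised."""
    return [f"ALERT: {behaviour}" for behaviour, _ in trace]


def bb_mode(trace, block=BLOCK_THRESHOLD, prompt=PROMPT_THRESHOLD):
    """Behaviour-blocker style: accumulate violation scores and decide
    automatically; only the grey zone between the two thresholds prompts.
    Returns (decision, final_score, events_seen_when_decided)."""
    score = 0
    for seen, (_, weight) in enumerate(trace, start=1):
        score += weight
        if score >= block:          # stop early, before later behaviours run
            return ("BLOCK", score, seen)
    if score >= prompt:
        return ("PROMPT", score, len(trace))
    return ("ALLOW", score, len(trace))


# Constructed admin allowlist for the default-deny style.
ALLOWLIST = {r"C:\Windows\explorer.exe", r"C:\Program Files\App\app.exe"}


def allowlist_mode(exe_path, allowlist=ALLOWLIST):
    """Default-deny execution control: no scores, no prompts; anything the
    admin did not whitelist is blocked before any behaviour is observed."""
    return "ALLOW" if exe_path in allowlist else "BLOCK"


if __name__ == "__main__":
    print(hips_mode(SUSPICIOUS_TRACE))          # four alerts, user decides each
    print(bb_mode(SUSPICIOUS_TRACE))            # ('BLOCK', 8, 2)
    print(bb_mode(BENIGN_TRACE))                # ('ALLOW', 2, 2)
    print(allowlist_mode(r"C:\Users\me\Downloads\setup.exe"))  # BLOCK
```

Note how the BB decision lands on the second event, before the later behaviours ever run, while the HIPS produces four separate prompts for the same trace.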
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Who says that these enterprise level HIPS/BB's give alerts? They probably just auto-block malware on end-points, and only admins get info about behaviors that were blocked, for further investigation.
     