In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks

oldschool

Our experience in detecting and blocking threats on millions of endpoints tells us that attackers will stop at nothing to circumvent protections. Even one gap in security can be disastrous to an organization.
At Microsoft, we don’t stop finding new ways to fill in gaps in security. We go beyond strengthening existing defenses by introducing new and innovative layers of protection. While our industry-leading endpoint protection platform stops threats before they can even run, we continue improving protections for instances where sophisticated adversarial attacks manage to slip through.
Multiple layers of protection mean multiple hurdles that attackers need to overcome to perpetrate attacks. We continuously innovate threat and malware prevention engines on the client and in the cloud to add more protection layers that detect and block sophisticated and evasive threats before they can even run.
In recent months, we introduced two machine learning protection features within the behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection. In keeping with the defense in depth strategy, coupled with the “assume breach” mindset, these new protection engines specialize in detecting threats by analyzing behavior, and adding new layers of protection after an attack has successfully started running on a machine:
  • Behavior-based machine learning identifies suspicious process behavior sequences and advanced attack techniques observed on the client, which are used as triggers to analyze the process tree behavior using real-time machine learning models in the cloud
  • AMSI-paired machine learning uses pairs of client-side and cloud-side models that integrate with Antimalware Scan Interface (AMSI) to perform advanced analysis of scripting behavior pre- and post-execution to catch advanced threats like fileless and in-memory attacks
The figure below illustrates how the two behavior-based machine learning protections enrich post-breach detections:

Figure 1. Pre and post-execution detection engines in Microsoft Defender ATP’s antivirus capabilities
The pre-execution and post-execution detection engines make up two important components of comprehensive threat and malware prevention. They reflect the defense in depth principle, which entails multiple layers of protection for thorough, wide-range defense.
In detecting post-execution behavior, using machine learning is critical. Many attack techniques are also used by legitimate applications. For example, a very common, documented method used by both clean applications and malware is creating a service for persistence.
To distinguish between malicious and clean applications when an attack technique is observed, Windows Defender Antivirus monitors and sends suspicious behaviors and process trees to the cloud protection service for real-time classification by machine learning. Cloud-based post-execution detection engines isolate known good behaviors from malicious intent to stop attacks in real time.
Within milliseconds of an attack technique or suspicious script execution being observed, machine learning classifiers return a verdict and the client blocks the threat. The pre-execution models then learn from these malicious blocks afterwards to protect Microsoft Defender ATP customers before attacks can begin executing new cycles of infection.


... continue reading here In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks - Microsoft Security
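The AMSI-paired engine described above works because a script engine hands AMSI each buffer it is about to evaluate, after any decoding the script itself performs at run time. The following Python sketch is an added example, not Microsoft's code, showing why that matters: a static pre-execution scan of the file on disk sees only the outer obfuscation layer, while an execution-time hook sees every layer as it is unwrapped. The toy commands (iex-b64, iex-rev), the marker string and the substring scan rule are constructed for the example; the real engines use client- and cloud-side ML models, which this does not model.

```python
import base64

# Constructed marker standing in for whatever a scan engine keys on; it is not
# a real Defender signature, and the toy command names below are invented.
BAD_MARKER = "Invoke-ConstructedPayload"


def scan(buffer: str) -> bool:
    """Stand-in for an AMSI-registered engine. True means 'malicious'."""
    return BAD_MARKER in buffer


def build_sample() -> str:
    """Wrap the marker in two obfuscation layers: reversal, then base64."""
    inner = f"{BAD_MARKER} -Mode InMemory"           # final, fileless stage
    layer1 = "iex-rev " + inner[::-1]                 # reversed: marker unreadable
    layer2 = "iex-b64 " + base64.b64encode(layer1.encode()).decode()
    return layer2                                     # this is what lands on disk


class ToyScriptHost:
    """Two-command interpreter that hands every buffer it is about to
    evaluate to the scan hook, the way a script engine calls AmsiScanBuffer."""

    def __init__(self, hook):
        self.hook = hook
        self.scanned = []      # buffers the hook saw, in order
        self.executed = []     # commands that actually ran
        self.blocked = False

    def run(self, script: str) -> None:
        self.scanned.append(script)
        if self.hook(script):              # scan before evaluating this buffer
            self.blocked = True
            return
        for line in script.splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd == "iex-b64":           # decode, then evaluate the result
                self.run(base64.b64decode(arg).decode())
            elif cmd == "iex-rev":         # un-reverse, then evaluate the result
                self.run(arg[::-1])
            else:                          # a plain command: it would run here
                self.executed.append(line)
            if self.blocked:
                return


def demo():
    """Returns (pre-execution verdict, post-execution verdict,
    number of buffers the hook saw, commands that actually ran)."""
    sample = build_sample()
    pre_verdict = scan(sample)     # a file scanner sees only the outer layer
    host = ToyScriptHost(scan)
    host.run(sample)               # the hook sees each layer as it is unwrapped
    return pre_verdict, host.blocked, len(host.scanned), host.executed


if __name__ == "__main__":
    print(demo())   # (False, True, 3, [])
```

The hook is called three times: on the base64 wrapper, on the reversed text, and finally on the plaintext, where the match fires before any command has executed. Bypasses of real AMSI work by breaking exactly this hand-off (patching the scan function or the buffer), which is why the article pairs the client-side check with a cloud-side model rather than relying on a single string match.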
 
93803123

So why don't they include this in Windows Defender? Greed?

File upload to the cloud and analysis there is already done. It is just that the setting to increase the time is hidden on Home and other versions of Windows.

Microsoft's first concern is taking care of enterprise users, and not home users. Home users are Microsoft's very last concern. So home users get what Microsoft decides to make available in Windows security.

Settings might be modifiable outside of the GUI. For example, by directly tweaking the registry or using a front-end such as @Andy Ful's Hard Configurator. However, just because hidden, non-exposed settings are tweakable does not mean that Microsoft wants people changing from the default settings. In fact, I would argue that since Microsoft deliberately does not make documentation or provide other information on these types of things, that implicitly means that Microsoft does not want you using any settings other than what it has made available via the GUI or other GUI-based controls. Furthermore, as proof, if you try to get support for registry tweaks from the official Microsoft support options, they will tell you that Microsoft does not officially support such tweaks made by a home user.

What the article discusses is for Windows Defender ATP. They are clearly talking to IT Pros and not home users. And yes, Windows Defender ATP is a paid subscription. Even if you are a home user you cannot get an ATP subscription even if you are willing to pay.
 

Andy Ful

New features described in the article are related to additional post-execution behavioral detection. So, this is a different kind of security from temporarily blocking the suspicious file for a delay period (10-60s) and analyzing it in the cloud.

This type of security is triggered when the attack uses many non-malicious (but suspicious) actions that can end with running the malicious payload filelessly.

For example, the initial file in the infection chain can be an innocent script that downloads a file from the Internet. This action cannot be classified as malicious by the AV without running this script and downloading the file from the Internet (assuming that the URL is fresh & unknown). The downloaded file can be another script that downloads a legitimate but vulnerable program and some DLL. Again, this action cannot be classified as malicious until both files have been downloaded and analyzed by the AV.

In such multistage attacks, the AV cannot detect the malware until some actions related to the infection chain have finished. That is the idea of post-execution behavioral detection.

It is not clear if these new features are fully functional on Windows Home and Pro. But, this can be tested on Malware Hub.
Behavior-based detections are named according to the MITRE ATT&CK matrix to help identify the attack stage where the malicious behavior was observed:


Tactic                 Detection threat name
Initial Access         Behavior:Win32/InitialAccess.*!ml
Execution              Behavior:Win32/Execution.*!ml
Persistence            Behavior:Win32/Persistence.*!ml
Privilege Escalation   Behavior:Win32/PrivilegeEscalation.*!ml
Defense Evasion        Behavior:Win32/DefenseEvasion.*!ml
Credential Access      Behavior:Win32/CredentialAccess.*!ml
Discovery              Behavior:Win32/Discovery.*!ml
Lateral Movement       Behavior:Win32/LateralMovement.*!ml
Collection             Behavior:Win32/Collection.*!ml
Command and Control    Behavior:Win32/CommandAndControl.*!ml
Exfiltration           Behavior:Win32/Exfiltration.*!ml
Impact                 Behavior:Win32/Impact.*!ml
Uncategorized          Behavior:Win32/Generic.*!ml

Malicious scripts blocked by AMSI-paired machine models are reported in Microsoft Defender Security Center using threat names like the following:
  • Trojan:JS/Mountsi.A!ml
  • Trojan:Script/Mountsi.A!ml
  • Trojan:O97M/Mountsi.A!ml
  • Trojan:VBS/Mountsi.A!ml
  • Trojan:PowerShell/Mountsi.A!ml
 
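To make the mechanism in the article and the multistage chain in the post above concrete, here is an added Python sketch; it is not Microsoft's code, and Defender's real models, features and thresholds are not public. Each event in the constructed stream is unremarkable on its own: a script runs, a file is downloaded, a program loads a DLL, a service is created. The monitor only classifies when a trigger action is seen, and then counts the tactics accumulated across the whole process tree, so an installer that creates a service gets no verdict while the chain does. The action-to-tactic mapping, the trigger set and the three-tactic threshold are assumptions; verdict names follow the Behavior:Win32/<Tactic>.*!ml pattern from the table above, with ".A" as a placeholder variant.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative action-to-tactic mapping (assumption; not Defender's features).
ACTION_TACTIC = {
    "script_exec": "Execution",
    "download": "CommandAndControl",
    "load_dll_from_userdir": "DefenseEvasion",
    "create_service": "Persistence",
    "read_lsass_memory": "CredentialAccess",
}
# Actions suspicious enough on their own to trigger analysis of the whole tree.
TRIGGERS = {"create_service", "load_dll_from_userdir", "read_lsass_memory"}
# Assumed threshold: distinct tactics seen in one tree before a block verdict.
MIN_TACTICS = 3


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    action: str
    target: str = ""


class BehaviorMonitor:
    """Records process-tree events and classifies on trigger actions."""

    def __init__(self):
        self.parent = {}                    # pid -> ppid
        self.actions = defaultdict(list)    # pid -> [(action, target), ...]

    def observe(self, ev: Event):
        """Record one event. Returns a verdict name on block, else None."""
        self.parent.setdefault(ev.pid, ev.ppid)
        self.actions[ev.pid].append((ev.action, ev.target))
        if ev.action not in TRIGGERS:
            return None                     # benign-looking step: keep watching
        return self.classify(ev.pid, ev.action)

    def _root(self, pid: int) -> int:
        """Topmost pid of this tree for which events were observed."""
        seen = set()
        while self.parent.get(pid) in self.parent and pid not in seen:
            seen.add(pid)
            pid = self.parent[pid]
        return pid

    def _tree(self, pid: int) -> set:
        """Every observed pid descending from the same root as pid."""
        members = {self._root(pid)}
        grew = True
        while grew:
            grew = False
            for child, parent in self.parent.items():
                if parent in members and child not in members:
                    members.add(child)
                    grew = True
        return members

    def classify(self, pid: int, trigger: str):
        """Count distinct tactics across the tree; block above the threshold."""
        tactics = []
        for member in self._tree(pid):
            for action, _ in self.actions[member]:
                tactic = ACTION_TACTIC.get(action)
                if tactic and tactic not in tactics:
                    tactics.append(tactic)
        if len(tactics) < MIN_TACTICS:
            return None
        # Name follows the pattern quoted above; ".A" is a placeholder variant.
        return f"Behavior:Win32/{ACTION_TACTIC[trigger]}.A!ml"


def first_verdict(events):
    """Feed events in order; return (index, verdict) of the first block, or None."""
    monitor = BehaviorMonitor()
    for i, ev in enumerate(events):
        verdict = monitor.observe(ev)
        if verdict:
            return i, verdict
    return None


# Constructed event streams (not real telemetry): the chain from the post above.
MULTISTAGE = [
    Event(200, 100, "wscript.exe", "script_exec", "invoice.js"),
    Event(200, 100, "wscript.exe", "download", "stage2.js"),
    Event(300, 200, "wscript.exe", "script_exec", "stage2.js"),
    Event(300, 200, "wscript.exe", "download", "legit.exe"),
    Event(300, 200, "wscript.exe", "download", "version.dll"),
    Event(400, 300, "legit.exe", "load_dll_from_userdir", r"%APPDATA%\version.dll"),
    Event(400, 300, "legit.exe", "create_service", "Updater"),
]
# An installer that creates a service: same trigger action, no surrounding chain.
INSTALLER = [Event(500, 1, "msiexec.exe", "create_service", "VendorSvc")]

if __name__ == "__main__":
    print(first_verdict(MULTISTAGE))   # (5, 'Behavior:Win32/DefenseEvasion.A!ml')
    print(first_verdict(INSTALLER))    # None
```

Note where the verdict lands: at the DLL side-load (event index 5), before the persistence step, so the chain is cut at the first point where enough of it has been observed, and the first five events on their own never produce a verdict. That is the trade-off the thread is arguing about: the downloads have already happened by the time the block fires.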

Andy Ful

Some people think that post-execution detection is related to weak AV detection. It is true for some AVs, but not in this case. Windows Defender uses it for advanced multistage attacks, which are prepared to avoid AV detection via pre-execution techniques.
These new features were probably introduced as an alternative to malware detonation in the sandbox (which is available only in Windows E5).
 

93803123

Some people think that post-execution detection is related to weak AV detection. It is true for some AVs, but not in this case. Windows Defender uses it for advanced multistage attacks, which are prepared to avoid AV detection via pre-execution techniques.
These new features were probably introduced as an alternative to malware detonation in the sandbox (which is available only in Windows E5).

Post-execution detection performance is dismal, not to mention that post-execution removal is dismal as well. Sure, it adds something to the security stack but allowing code to execute will inevitably result in infections.

People forget that out in the real world, Windows security does an overall relatively poor job.

So people have a choice - denial or acceptance of reality for what it is - they can read and buy into Microsoft's glossy marketing tabloid or acknowledge that Windows security is not that great.

Out of all the people that I know, I'm the only one that uses native Windows security. Everyone else is smarter than I - they use Linux. And of those that do use Windows, they're using paid security suite. None use SRP. None use anti-executable. None use freewares like NVT.
 

ForgottenSeer 823865

Post-execution detection performance is dismal, not to mention that post-execution removal is dismal as well. Sure, it adds something to the security stack but allowing code to execute will inevitably result in infections.
That is even worse than the signature model...
As if in reality I would let myself get infected by the Ebola virus, wait for the CDC to find out what it is and give me a vaccine LOOOOL.
That is the BS people adhere to with Webroot or this MS crap.
When infected, there is only one remedy: wipe the drive and clean install. Malware is too complex, infects too many areas, and the time spent removing it is ludicrous compared to a "wipe & re-install".

People forget that out in the real world, Windows security does an overall relatively poor job.
We can see it in businesses being compromised almost on a daily basis.

So people have a choice - denial or acceptance of reality for what it is - they can read and buy into Microsoft's glossy marketing tabloid or acknowledge that Windows security is not that great.
Many people are emotionally involved with their favorite software, denying the facts when they go against their feelings, acknowledging the lies when they go their way.
I'm a big supporter of AppGuard, but if it goes down the road, I won't think twice to criticize it and leave it to rot in hell if nothing is done.

Out of all the people that I know, I'm the only one that uses native Windows security. Everyone else is smarter than I - they use Linux. And of those that do use Windows, they're using paid security suite. None use SRP. None use anti-executable. None use freewares like NVT.
Same for me, I'm probably the only one in a 50 km radius to use default-deny and MS native security.
Security forum people are a microcosm; it is so small that vendors can't even rely on them to keep maintaining some software... just look at Emsisoft's Online Armor, Sophos' Sandboxie, Defensewall, Geswall; even Comodo has now made CIS paid.
Don't get me wrong, it doesn't mean they aren't knowledgeable, just that they aren't a market good enough to push products on.
 

93803123

Same for me, I'm probably the only one in a 50 km radius to use default-deny and MS native security.
Security forum people are a microcosm; it is so small that vendors can't even rely on them to keep maintaining some software... just look at Emsisoft's Online Armor, Sophos' Sandboxie, Defensewall, Geswall; even Comodo has now made CIS paid.
Don't get me wrong, it doesn't mean they aren't knowledgeable, just that they aren't a market good enough to push products on.

I am in an academic environment so most people around here use Linux or macOS. Lots of kids from wealthy families. The parents buy them top-of-the-line, spec'd-out $3500 MacBook Pro 15s. I've seen a few i7 SurfaceBook Pro 15s in use. Again, $3000 machines.

With Linux and macOS, the security mindset is different. Plus, these people aren't interested in security. They've got other priorities, like getting laid.

Online places like this forum are a vestige of a paradigm and era that is an anachronism. Out of the 100+ Mudders that I know, I think I would say that only 3 are security enthusiasts. Out of those 3, I'm the only one who is really interested in it.

Back in the day these forums were serious about InfoSec. Nowadays they are more or less social media platforms. I am guessing that most people here just want free or low-cost and want to play with every security software that they can get their hands on. Then once they've arrived at a favorite, they just want to defend it as the best. They are just reinforcing their own decisions because they want their choices and decisions to be the best. Sound about right?
 

ForgottenSeer 823865

With Linux and macOS, the security mindset is different. Plus, these people aren't interested in security. They've got other priorities, like getting laid.
Hahaha, so do I; that is why I focus less on what my security apps are or how good they are, and more on having an efficient security strategy so I can actually use my computers.

Out of the 100+ Mudders that I know, I think I would say that only 3 are security enthusiasts. Out of those 3, I'm the only one who is really interested in it.
I'm the only one aware; the rest of my friends don't care and only focus on their social media or do business.

I am guessing that most people here just want free or low-cost and want to play with every security software that they can get their hands on. Then once they've arrived at a favorite, they just want to defend it as the best. They are just reinforcing their own decisions because they want their choices and decisions to be the best. Sound about right?
Correct. What is weird is that we don't use our IRL names, so being wrong or right isn't catastrophic; our real persona won't be associated, nor our real name publicly shamed because our decision was wrong... but still, some will defend their opinion to their last breath even with evidence that they are wrong.

Whatever, we are off-topic lol.
 

Andy Ful

Although post-execution detection is not a perfect solution, it can be a valuable security addition to pre-execution techniques in the below cases:
  1. For prevalent threats (such as spam campaigns). Simply, the first user who opens the attachment will be infected if pre-execution protection fails. But thousands of other people will be protected seconds later.
  2. For multistage threats which use a complex infection chain that is malicious/dangerous only in its final phase. The user is still protected if the AV breaks the infection chain before the final phase.
  3. For sophisticated malware which has strong capabilities of recognizing detonation in the sandbox.
I do not think that pre-execution behavior blocking can have an advantage over post-execution behavior blocking. The first does not have sufficient information to block all threats. The second does not have the capabilities to roll back all the changes made during the attacks. So, both are required.
If one wants to be more secure, then he/she must apply other security layers like healthy security-related habits, default-deny setup, etc.
Finally, the Windows OS cannot be fully protected by any usable security. This follows from its design (programming languages, universality, usability, backward compatibility, etc.).
 

Andy Ful

Not really. People continue to cling to the Ai\ML scam and Windows security despite the industry warning about it numerous times. The feelings and thinking that motivate that devotion are the real problem.
The situation is quite similar to the below:
People still use cars despite one million deaths per year related to traffic accidents and many deaths caused by smog.
The motivation is quite simple, both for using Windows (including Ai/ML and Windows security) and for using cars. It is ----> usability (in the very wide sense).

For most people, there is no real alternative - both when using Windows and cars.
You will be much safer when driving 60 km/h instead of 100 km/h and use only empty roads (healthy habits + default-deny setup).
You can also use Chromebook which will be much safer, too.
But, this would be as living in the country in retirement (like me).:giggle:(y)

Edit.
"You" did not mean zhuzhangspankspank, but any reader.
 

93803123

The situation is quite similar to the below:
People still use cars despite one million deaths per year related to traffic accidents and many deaths caused by smog.
The motivation is quite simple, both for using Windows (including Ai/ML and Windows security) and for using cars. It is ----> usability (in the very wide sense).

For most people, there is no real alternative - both when using Windows and cars.
You will be much safer when driving 60 km/h instead of 100 km/h and use only empty roads (healthy habits + default-deny setup).
You can also use Chromebook which will be much safer, too.
But, this would be as living in the country in retirement (like me).:giggle:(y)

Edit.
"You" did not mean zhuzhangspankspank, but any reader.

I wasn't talking about everyday sheeples, but instead about people on forums that keep saying Windows Defender has now become a top AV.

Windows Defender and the rest of Windows security are not top protection.

The advantage that they do offer, in theory, is fewer issues - if and only if - the user accepts the defaults. Once you start tweaking Windows, problems are bound to happen.
 

93803123

That I totally agree with and have experienced...
Example: set the Windows SRP restriction to "basic user" with DLL enforcement, and it right away blocks Windows Defender from showing up (no more Security Center tray icon, the whole WD settings disappeared, etc...) LOL

Like I posted earlier, Microsoft does not want people making such tweaks. They really don't. Just because you can tweak, doesn't mean that Microsoft thinks you should tweak. In fact, Microsoft says by its actions "don't tweak" Windows to the consumer group.

Microsoft's unspoken position is that Windows is optimized for the average person out of the box and they shouldn't be messing about with the default configuration.
 
