Incident Detection and Prevention Tools for Windows 10 Workstations
Part (a): Using Windows Defender AV to Detect and Analyze Threats
Windows Defender AV is a free malware protection tool from Microsoft that helps improve computer system security. The antivirus runs in the background and can be used at any time to scan for malware, for example when a computer is not functioning as expected or after a suspicious link has been clicked. Anti-virus definition files can be updated automatically, which keeps the antimalware product current and able to detect the latest threats. If the automatic updates have not run, one can trigger an update manually, which immediately downloads and applies the latest definitions to the computer system.
Once the definitions are installed, the computer system can readily detect any viruses or malware present. Certain configuration settings must be in place to enable real-time scanning, which analyzes potential threats as they appear. One can specify whether incoming files, outgoing files, or both are monitored; this distinction is mainly relevant for Windows Server installations. If real-time protection is not turned on, one can click the settings tab to display the various security settings, select the Real-time protection option, and turn it on on the right side of the panel.
With the antimalware definitions up to date, a user can perform a full system scan by running an on-demand scan on individual endpoints. Scanning starts immediately, and there are options for defining scan parameters such as location or type. One can choose between a full and a quick scan; a full scan is the best option for an endpoint that has encountered malware, since it identifies any inactive components that still require thorough cleanup. The full scan is the best choice for on-demand scans, while a quick scan checks the locations where malware is most likely to be found, such as the Windows startup folders and registry keys. A quick scan is usually adequate for finding viruses that real-time protection did not catch, and it also scans removable media. Scans can also be started from the MpCmdRun.exe command-line utility.
Once scanning is done, Windows Defender Antivirus records the results for the user to review. Scan results can be reviewed through Configuration Manager, the Windows Defender Security Center App, or PowerShell cmdlets, each of which gives a full history of scans. Windows Defender AV can detect malware at its point of entry into the system, e.g., in an email message or web page, by scanning any attachment before allowing it to open. When real-time protection is on, intrusion attempts are detected readily because the antimalware product runs in the background.
When a full, quick, or custom scan is run, the antivirus analyzes files and file systems to detect and identify malware. If a file is suspected of carrying malware, it is isolated (quarantined), and the user is notified and given the choice to delete or repair it. Inserting removable media prompts a quick scan that identifies any threats and removes a virus when one is found. Windows Defender AV records all of its event IDs, so the event logs can be reviewed either directly or, if a third-party SIEM is in use, by consuming the Windows Defender client event IDs to review specific events and errors from the endpoints.
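The Part (a) procedure above (definition update, real-time protection, quick/full/custom scans, result review, and event log review) carried out as one pass on a Windows 10 workstation. This is an added example, not code from the original page or from Microsoft; it uses the Defender PowerShell module cmdlets and the MpCmdRun.exe utility the text names, and the event IDs listed are the ones Microsoft documents for the Windows Defender/Operational log. Run it from an elevated PowerShell prompt and expect the full scan step to take a long time.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page or from Microsoft): one pass through the
# Part (a) procedure with the built-in Defender PowerShell module and MpCmdRun.exe.

# 1. Baseline: how old are the definitions, and is real-time protection on?
$status = Get-MpComputerStatus
$defAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
"Definitions last updated: {0} ({1:N1} days ago)" -f $status.AntivirusSignatureLastUpdated, $defAge.TotalDays
"Real-time protection enabled: {0}" -f $status.RealTimeProtectionEnabled

# 2. Definition updates: automatic updates need a network connection, so trigger one
#    manually when the definitions are stale (equivalent to "MpCmdRun.exe -SignatureUpdate").
if ($defAge.TotalDays -gt 1) {
    Update-MpSignature
}

# 3. Real-time scanning: switch it back on if it was disabled (Defender logs
#    Event ID 5001 when real-time protection is turned off).
if (-not $status.RealTimeProtectionEnabled) {
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# 4a. Quick scan: startup folders, registry keys and other high-likelihood locations.
Start-MpScan -ScanType QuickScan

# 4b. Full scan: the thorough option after a malware encounter, shown with the
#     command-line utility named in the text (-ScanType 2 = full, 1 = quick, 3 = custom).
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -Scan -ScanType 2

# 4c. Removable media: custom-scan every removable drive currently inserted
#     (Win32_LogicalDisk DriveType 2 = removable disk).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    Start-MpScan -ScanType CustomScan -ScanPath "$($_.DeviceID)\"
}

# 5. Review results: detection history, the threat catalogue, and the quarantine list.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, ThreatID, Resources |
    Format-Table -AutoSize
Get-MpThreat |
    Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute |
    Format-Table -AutoSize
& $mpCmdRun -Restore -ListAll        # quarantined items; restore only after analysis

# 6. Event log review for the incident report: the Defender Operational log IDs
#    (1116 malware detected, 1117 action taken, 2000/2001 definition update
#    succeeded/failed, 5001 real-time protection disabled) from the last seven days.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 2000, 2001, 5001
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\defender-events.csv') -NoTypeInformation
```

The exported CSV is the artefact an incident responder attaches to the report: it ties each detection (1116/1117) to the definition state (2000/2001) and any lapse in real-time protection (5001) in the same time window, which is the question a reviewer will ask first.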
When using Windows Defender Antivirus, a user is encouraged to keep the definitions up to date by allowing automatic updates, bearing in mind that updates are only downloaded when a network connection is available. If the antimalware definitions have not been updated, avoiding removable devices that have been used in virus-infected computers also helps. This is the cheapest way of protecting the computer system when one is not in a position to purchase off-the-shelf antivirus products.
Part (b): Using Windows Defender SmartScreen
Windows Defender SmartScreen is a security feature that helps protect against malicious websites; it was introduced in Internet Explorer 8, carried through Internet Explorer 9 to 11, and is included in most Microsoft products. Windows Defender AV has a built-in feature known as Block at First Sight that detects and blocks new malware within seconds. This feature helps prevent known malicious sites from harming the system. When certain basic settings are enabled, Block at First Sight is enabled as well and runs without any intervention. Most of the necessary settings are configured automatically, so Block at First Sight is normally always enabled; if they have been disabled, there is a full procedure for re-enabling them.
The Windows Defender Antivirus client runs in the background, and when it detects a hidden suspicious file, it queries the cloud protection backend, which performs an automated analysis to determine whether the file is malicious or clean. If the cloud backend cannot make a determination, Windows Defender AV locks the file and uploads a copy to the cloud. The uploaded file undergoes further scrutiny; if it is found to be malicious, it is blocked, and if not, the user is allowed to download or view it. The Block at First Sight feature stops all non-portable executable files found to contain malware and uses the cloud protection backend for executable and non-portable executable files downloaded from the Internet. Reviewing the Windows Event Log entries for blocked sites, files, and applications is also possible, as records of the relevant IDs and incident information are available.
Guidance document for Windows Defender SmartScreen
Windows Defender SmartScreen protects against malicious intrusion. It can block any site, website, or application that is known to be malicious. It gives a direct benefit when responding to security incidents such as viruses, though such incidents can also carry indirect financial threats (Microsoft, 2017a). Windows Defender SmartScreen can be used through the Windows Defender Security Center App to ensure the most up-to-date protection status information is provided. For Block at First Sight to work, it must be enabled either through Group Policy, Intune, or the Windows Security Center App. To enable it with the Windows Defender Security Center App, open the app by clicking the shield icon in the taskbar and selecting Defender, go to the Virus & Threat Protection tile, open its settings, and enable it (Microsoft, 2017b).
To block any sites, websites, email messages, files, or other content from the internet, one must enable real-time protection in Windows Defender SmartScreen. Once this is done, the Windows Defender Security Center App relies on the Windows Defender Security service, which must always be enabled; any malware that is detected is blocked automatically. If a site being opened is known in the cloud as a malware-prone site, the user is notified and given the option to block it. The Block at First Sight feature checks every action done over the internet. If it finds a virus, threat, or malware, it blocks it; if it encounters a suspicious page, the page is automatically sent to the cloud backend for further checking and blocked if it is harmful.
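The Part (b) guidance above, as an added example that is not code from the original page or from Microsoft: it turns on the Defender settings that Block at First Sight depends on, checks whether SmartScreen is enforced by policy, and collects the block/warn events for the incident report. The Defender cmdlets and their parameters are the documented Defender PowerShell module; the SmartScreen policy registry path, and the Application log as the place to search for Event ID 1035, are assumptions to confirm against the Microsoft references before relying on them.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page or from Microsoft): Block at First Sight
# prerequisites, SmartScreen policy state, and event collection for the incident report.

# 1. Block at First Sight needs cloud-delivered protection, sample submission and
#    real-time protection turned on, and the feature itself not disabled.
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendAllSamples `
                 -DisableRealtimeMonitoring $false `
                 -DisableBlockAtFirstSeen $false `
                 -CloudBlockLevel High

# 2. Read the effective settings back (numeric values: MAPSReporting 2 = Advanced,
#    SubmitSamplesConsent 3 = SendAllSamples).
$pref = Get-MpPreference
[pscustomobject]@{
    CloudProtection    = $pref.MAPSReporting
    SampleSubmission   = $pref.SubmitSamplesConsent
    RealtimeMonitoring = -not $pref.DisableRealtimeMonitoring
    BlockAtFirstSight  = -not $pref.DisableBlockAtFirstSeen
} | Format-List

# 3. SmartScreen for apps and files: when Group Policy enforces it, the setting is
#    written under this policy key (assumed path). If the key is absent, the setting
#    chosen in the Windows Defender Security Center App applies instead.
$ssPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
if ($ssPolicy -and $ssPolicy.EnableSmartScreen -eq 1) {
    "SmartScreen enforced by policy, level: $($ssPolicy.ShellSmartScreenLevel)"
} else {
    Write-Warning 'SmartScreen is not enforced by policy; confirm it is on in the Windows Defender Security Center App.'
}

# 4. Event log review. Event ID 1035 (Anti-Phishing) is the SmartScreen ID named in the
#    assignment text; searching for it in the Application log is an assumption. Files
#    that Block at First Sight stops are logged as ordinary Defender detections (1116/1117).
$since = (Get-Date).AddDays(-7)
$smartScreenEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1035; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*SmartScreen*' }
$defenderBlocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117; StartTime = $since
} -ErrorAction SilentlyContinue

@($smartScreenEvents) + @($defenderBlocks) |
    Where-Object { $_ -ne $null } |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -Wrap
```

Step 2 matters because Set-MpPreference is silently overridden when Group Policy or Intune manages the same setting: Get-MpPreference reports the effective value, so a responder checks it rather than trusting that the Set call took effect.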
Warning: If it is not enabled, malicious apps, software, and sites will not be blocked. Always ensure that the Windows Defender Antivirus definitions are up to date.
References
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-61 rev. 2). Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-61r2
Microsoft. (2017a). Responding to IT security incidents. Retrieved from https://technet.microsoft.com/en-us/library/cc700825.aspx
Microsoft. (2017b). The Windows Defender Security Center app. Retrieved from https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-security-center/windows-defender-security-center
Microsoft. (2017d). Windows Defender SmartScreen FAQ. Retrieved from https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx
Question
Purpose: Assess and Document Incident Detection & Prevention Tools for Windows 10 Workstations.
- Assess and document the uses of the Windows Defender Antivirus utility as part of the incident response process.
- Assess and document the uses of the Windows Defender SmartScreen utility as part of the incident response process.
Overview:
There are many different types of tools that perform automated detection and prevention of known threats (Cichonski, Millar, Grance, & Scarfone, 2012). For this activity, we will focus upon assessing and documenting two such tools which can be used in the detection and analysis phase of the Incident Response Process (as defined in NIST SP 800-61r2).
First, we will examine the host-based anti-virus (malware detection) and host-based intrusion detection and prevention capabilities that are built into Windows 10 in the Windows Defender Antivirus (AV) utility (Microsoft, 2017a; Microsoft, 2017b). This tool can be used to detect threats to confidentiality of information, threats to system integrity, and threats to system availability. Windows Defender AV also provides containment, eradication, and recovery capabilities that can automatically return Windows 10 workstations to known-good states (restoring system integrity) by removing or quarantining files that have been infected by malware. Windows Defender AV is usually configured to start during the workstation boot process and runs in the background to provide real-time threat detection and response. Incident responders can review the Windows Event Log for event IDs reported by Windows Defender AV. See https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus#windows-defender-av-ids for a list of frequently reported Event IDs and their definitions.
Next, we will investigate the Windows Defender SmartScreen utility (Microsoft, 2017c). This tool protects endpoints (both fixed and mobile) from known phishing websites and known sources of malware. The tool will also detect and report files (including application executables and installers) which appear to be malicious in nature. The tool uses a dynamic list of known “bad” and/or suspicious websites. This list is both a blacklist and a graylist. At the heart of SmartScreen’s functionality are the Windows 10 telemetry functions which gather information voluntarily reported by Windows 10 users. For incident reporting and handling, SmartScreen provides entries in the Windows Event Log using Event ID 1035 – Anti-Phishing. The Frequently Asked Questions for Windows Defender SmartScreen (Microsoft, 2017d) provides additional information about this capability, how it works, and how it can be configured.
Situation Report:
Recent contracts with the Departments of Defense and Homeland Security have imposed additional security requirements upon the company and its SCADA lab operations. The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on computer systems in the Sifers-Grayson DevOps R&D lab, is protected from unauthorized disclosure. This information includes software designs and source code for robots and drones developed and maintained by Sifers-Grayson. The contract requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.
Your Task
Prepare draft incident response guidance to be included in the Sifers-Grayson Incident Responder’s Handbook. Your draft guidance will explain the use of Windows Defender Anti-Virus and Windows Defender SmartScreen and then describe how each could be used as part of an incident response process. In each procedure, you should include discussion of how log files created by the tools can be used to support reporting requirements within an Incident Response & Recovery process.
You will create two separate procedures. The first will explain how to configure and use Windows Defender Anti-Virus to detect and analyze malware and detect, block, and analyze intrusion attempts. The second will explain how to configure and use Windows Defender SmartScreen to scan for and block connections to known phishing and malware infected websites. The procedure should also describe how SmartScreen is used to block potentially malicious applications and application downloads.
Instructions
Part (a): Using Windows Defender AV to Detect and Analyze Threats
- Investigate the use of Windows Defender AV to detect and analyze potential viruses, spyware, and other forms of malware. Your investigation should include researching best practices for configuring and using the scanning, detection, and analysis capabilities for this host-based anti-malware software. At a minimum, your research should address the following:
  - Update requirements for anti-virus definition files
  - Configuration requirements to enable real-time scanning
  - Procedures for conducting full system scans
  - Fast or quick scan for high vulnerability areas of the system
  - Removable media scanning
  - Reviewing scan results including reviewing any quarantined files or detected malware
- Identify how the tool could be used during the incident response and recovery process (it may be useful in more than one phase). Typical uses include:
  - Detecting malware at the point of entry to the system (e.g. in an email message or web page)
  - Detecting intrusion attempts in real-time
  - Analyzing files and file systems to detect and identify malware
  - Quarantining files suspected of carrying threat payloads
  - Deleting infected files
  - Scanning removable media
  - Reviewing Windows Event Log entries to find relevant IDs and incident reporting information
Part (b): Using Windows Defender SmartScreen
- Identify how the tool could be used during the incident response and recovery process (it may be useful in more than one phase). Typical uses include:
  - Detect and block known bad websites
  - Detect and block known bad application downloads and installation attempts
  - Detect and report suspicious websites, web pages, and file downloads
  - Reviewing Windows Event Log entries to find relevant IDs and incident reporting information
- Write a guidance document that identifies the tool, explains the capabilities it provides, and then lists and briefly describes the recommended uses as documented by Microsoft (2017a, 2017b, 2017c, 2017d). Add a list of resources that can be consulted for additional information. Next, summarize the procedures required to perform the tasks listed under item b.1 (do not provide step-by-step instructions). Close your guidance document with a Notes / Warnings / Restrictions section that answers the question “Is there anything else the incident responder needs to be aware of when using or configuring this tool?”