Looking at the Cyberattacks of the last few years, the good news (if you can call it that) was that, devastating as they were, they could be detected and mitigated. Once this happened, whatever evidence still remained could be collected and studied by a Forensics Investigations team in a deep-dive analysis of what really occurred, how it happened, and what could be done so that it would not happen again.

Of course, one of the biggest objectives at this point was to determine who the Cyberattacker was and bring him or her to justice.

However, with the Cyberattacks of today, this is becoming almost impossible. The Cyberattacker takes their own sweet time to study the unsuspecting victim, find its most vulnerable point of entry, and go in unnoticed.

From this point, the Cyberattacker can stay for extended periods of time, weeks and even months. The goal is now to take whatever digital assets are available, one bit at a time. Once they have achieved this, the victim will not realize anything has happened until it is too late.

The Concept of Advanced Threat Protection

The Cybersecurity Industry is taking these kinds of new threats very seriously and has introduced a new suite of solutions that can, to varying degrees, detect the kinds of advanced Malware described above. This is known as “Advanced Threat Protection”, or “ATP” for short, and it can be defined as follows:

“It defends against sophisticated malware or hacking-based attacks targeting sensitive data. Advanced threat protection solutions can be available as software or as managed services. ATP solutions can differ in approaches and components, but most include some combination of endpoint agents, network devices, email gateways, malware protection systems, and a centralized management console to correlate alerts and manage defenses.”

(SOURCE: 1).

There are three major objectives of an ATP solution in safeguarding Personally Identifiable Information (PII) and the databases in which it resides:

  • Early detection:
    This is obviously the most desired outcome. If covert Malware can be detected before it breaks through the lines of defense of an organization, it can be quickly mitigated before it causes any sort of damage.
  • Adequate protection:
    If for some reason the Malware has broken through, the ATP solution must alert the IT Security staff immediately so that they can determine where it is in the IT Infrastructure and contain it before it spreads to other areas.
  • Response:
    If the Malware has penetrated deep enough into the IT Infrastructure, the ATP solution must once again provide enough real-time alerts so that the IT Security staff can at least mitigate the threat and, over a period of time, remediate any damage done to the digital assets and implement corrective actions for the future.

Going Deeper into The Threat with An ATP Solution

The three objectives outlined in the last section can be further broken down into the following steps, as shown in this illustration:

(SOURCE: 2).

  • The Cache Lookup:
    This step determines whether the suspect file contains a malicious payload or not.
  • Antivirus Scanning:
    Whichever Antivirus or Antimalware software application is used, the suspicious file is then run through it to determine whether any of its signature profiles match known attack signatures.
  • Static Analysis:
    At this stage, the suspect file is checked for any unknown structure or unusual instructions.
  • Dynamic Analysis:
    Once the suspect file has been studied through the above steps, the IT Security staff can launch and execute it in a sandbox environment. The purpose here is to examine in detail the malicious nature of the file, and the deadly repercussions it could have had if it had not been detected by the ATP solution.
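
The four-stage pipeline above, as an added example that is not from the original article or from any vendor's product: a small Python verdict pipeline covering the first three stages, with a constructed signature database and constructed test files (not real malware). The cache is keyed on the SHA-256 of the file content; dynamic analysis is out of scope here, so a file with static findings but no signature hit is only marked as a sandbox candidate.

```python
import hashlib
import math

# Constructed inputs (not real malware): a benign PDF-like file and a file
# declared as a PDF that carries a PE header, a byte pattern treated here as
# a "known signature", and a block of high-entropy bytes.
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
SUSPECT = b"MZ" + b"\x90" * 60 + b"EVIL_SIG_1234" + bytes(range(256)) * 2
SIGNATURES = {b"EVIL_SIG_1234": "Constructed.TestSig.A"}  # constructed AV db
verdict_cache = {}  # stage 1: prior verdicts keyed on SHA-256 of content

def shannon_entropy(data):
    """Bits per byte; packed or encrypted payloads approach 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def signature_scan(data):
    """Stage 2: match the file against known attack signatures."""
    return [name for pattern, name in SIGNATURES.items() if pattern in data]

def static_analysis(data, declared_ext):
    """Stage 3: flag structure that does not fit the declared file type."""
    findings = []
    if declared_ext == "pdf" and not data.startswith(b"%PDF"):
        findings.append("declared PDF but missing %PDF header")
    if data.startswith(b"MZ"):
        findings.append("PE executable header present")
    if shannon_entropy(data) > 7.0:
        findings.append("high entropy content (packed or encrypted?)")
    return findings

def analyse(data, declared_ext):
    """Run the stages in order and return the verdict with its evidence."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in verdict_cache:  # stage 1 hit: skip the later stages
        return dict(verdict_cache[digest], cached=True)
    result = {"sha256": digest, "cached": False,
              "signatures": signature_scan(data),
              "static_findings": static_analysis(data, declared_ext)}
    if result["signatures"]:
        result["verdict"] = "malicious"
    elif result["static_findings"]:
        result["verdict"] = "sandbox_candidate"  # hand off to stage 4
    else:
        result["verdict"] = "clean"
    verdict_cache[digest] = result
    return result
```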

An ATP Solution: The Microsoft Defender ATP

One of the pioneering vendors in the creation and development of ATP solutions is Microsoft, which offers three different products:

  • The Azure Advanced Threat Protection;
  • Windows Defender Advanced Threat Protection;
  • Office 365 Advanced Threat Protection.

Just recently, Microsoft announced that it will now create a version of the Windows Defender Advanced Threat Protection for Macintosh clients running the following operating systems:

  • The MacOS Mojave;
  • The MacOS High Sierra;
  • The MacOS Sierra.

At a high level, this ATP solution can do the following:

  • Run detailed scans for any Malware (SOURCE: 3);
  • Confirm any detected threats or anomalies (SOURCE: 3);
  • Take any sort of remediative action, such as quarantining or completely discarding the detected Malware (SOURCE: 3);
  • Provide detailed reports (SOURCE: 3).

It is important to note that Windows Defender Advanced Threat Protection runs only on the endpoints of an IT Infrastructure. In other words, this ATP solution can only be installed and deployed on servers, workstations, and other types of wireless devices. This is illustrated below:

(SOURCE: 4).

Typically, one will find ATP solutions being run in these kinds of environments, where endpoints are at most risk:

  • Point of Sale (POS) Terminals: This is deemed to be one of the weakest areas in terms of security in the retail market segment. The most sought-after “crown jewels” are the credit card and debit card numbers of unsuspecting victims.
  • The Banking Sector: In this market segment, DNS Cache Poisoning is the main threat vehicle used by the Cyberattacker. This occurs when the DNS settings are covertly reconfigured, sending the customer to a spoofed website instead of the real one of the financial institution in question.
  • Ransomware: This is when specialized Malware is deployed on the endpoints, locking up the screen and other mission-critical files. Typically, the Cyberattacker will ask for a ransom, to be paid in a virtual currency such as Bitcoin. Once they have received it, the Cyberattacker is then supposed to send the victim a decryption key with which they can unlock the screens and files on the endpoints. Unfortunately, this usually never happens.