Detect active network reconnaissance with Microsoft Defender for Endpoint

Detect active network reconnaissance with Microsoft Defender for Endpoint

Many customers have placed their trust in Microsoft Defender for Endpoint in order to help them protect, detect, and respond to threats that have emerged throughout this period of change. It is a diverse landscape that forces us to reconsider how we protect our most prized assets from borderless threat actors in IT environments that can no longer remain exclusively protected behind a network perimeter.

Microsoft Defender for Endpoint is a market-leading platform on the market that offers vulnerability management, endpoint protection, endpoint detection and response (EDR), and mobile threat defense service. It is a true game-changer in the security services industry and one that provides visibility in a uniform and centralized reporting platform. Defender for Endpoint can be quickly scaled on-demand across heterogeneous network environments and to begin collating telemetry data directly from managed endpoints for true enterprise-wide visibility.

While we had highlighted the value of parsing Windows Defender Firewall with Advanced Security log files on an endpoint, the approach provides a somewhat limited view of the overall threat landscape. Microsoft Defender for Endpoint can overcome these constraints as it continuously collects a wide variety of telemetry data from all managed endpoints. A security operations analyst can use this telemetry data to create detailed custom reports which can scale across the enterprise, empowering the team to perform rapid and effective isolation of malicious hosts in the network.

The Microsoft Defender for Endpoint advanced threat hunting feature can be used to detect network reconnaissance by searching for common characteristics of a scan such as those of time, source address, destination address, TCP/IP port, and network type. For example, we can check whether a single IP address is attempting to connect to a wide range of ports on a specific host in a short period of time in much the same way as found within Windows Defender Firewall with Advanced Security—except we now have enterprise-wide coverage within an instant. It is an extremely flexible solution that can be tailored to support almost any use case.

We believe that Microsoft Defender For Endpoint is a great place to start and one which could prove to be the difference between disrupting an attacker from performing active network reconnaissance and being the victim of a malicious zero-day targeted attack.

To learn more about Microsoft Security solutions:

Contact Us 


No Comments

Sorry, the comment form is closed at this time.