Welcome to the world of computer viruses, Trojan horses, rootkits, backdoors, worms, ransomware, scareware, rogue security software, scamware, crapware, adware, spyware, riskware, grayware, unwanted software, and many other forms of malware.
And they keep getting more sophisticated. Scared?
The cyber-security landscape has changed a lot in the past years. Have you adapted to it? It is fair to speak of a revolution in cyber threats: cybercrime has expanded into cyber-espionage, cyber-warfare, and cyber-terror. Where attackers once focused on Fortune 500 companies, they now go after any target: every vertical, entire supply chains, subcontractors, small businesses, and individual employees. The threat has moved on from opportunistic malware and single vulnerabilities to large-scale credential theft and advanced persistent threats (APTs). Defending against this revolution is a very challenging task.
The following figure shows the evolution of attacks:
![](Images/21bfc640-4c8f-4137-b5c6-6ff8b7b3c583.jpg)
In the past, attacks were frequently run by what we call script kiddies: mostly unskilled individuals using scripts and tools developed by others. Their attacks were unsophisticated and motivated mainly by mischief or fame. The most impactful attacks of that era were the Blaster and Slammer worms of 2003.
Since 2005, organized crime has increasingly entered the game. Its attacks are more sophisticated and more diverse, and threats such as ransomware, click fraud, and identity theft have become commonplace. The motive is monetizing cybercrime. From around 2010 onward, crypto-ransomware (CryptoLocker being the best-known family) has been a growing trend. The organized crime scene even runs 24/7 hotlines for victims who have paid and have trouble entering the unlock key.
Since about 2012 we talk about cyber threats in a broader sense. Nation states, terror groups, and activists are now threat actors too, using very sophisticated and well-resourced attacks with motives such as intellectual property (IP) theft, damage, disruption, and revenge. In the past, it took days to weeks from the disclosure of a vulnerability to a working exploit; today it takes only hours or days, and in the case of zero-day exploits the vulnerability is exploited before any patch exists at all.
We need a new approach to addressing threats. The economic model of attacks must be broken: no more cheap, scalable, mass-market attacks. We need to break the attack playbooks so that each attack becomes unique and time-consuming again, and we need to eliminate the attack vectors actually in use. To this end, four main pillars of threat protection have been defined:
- Device protection
- Threat resistance
- Identity protection
- Information protection
Typical attack timelines show that the time between the first host compromise and domain admin compromise is only 24-48 hours, while detecting the attack takes 11-14 months on average. So we need to redefine the defense stack for both the pre-breach and the post-breach situation and assume that a breach will happen at some point. That is why there is a fifth pillar: breach detection, investigation, and response.
![](Images/263be15a-413c-4960-8813-a53dae038ef6.png)
Device protection is aimed at protecting the hardware and the boot chain. An attacker who can drop a rootkit (more precisely, a bootkit) onto a device compromises it before the OS even starts. A well-written rootkit of this kind sits below the OS much like a hypervisor does, and the OS has no way to detect it. Well-known building blocks such as the Trusted Platform Module (TPM), Unified Extensible Firmware Interface (UEFI), Secure Boot, and Early Launch Antimalware (ELAM) help protect device integrity and the OS before it starts. Windows 10 adds virtualization-based security (VBS) containers and support for biometric sensors as a factor in two-factor authentication.
Threat resistance is aimed at hardening the OS against viruses, Trojans, and other malware. Established controls such as the SmartScreen reputation filter, the client firewall, and Windows Defender anti-malware can hardly keep up with the roughly 390,000 new malware samples created each day. Windows 10 adds Device Guard, a tamper-resistant successor to AppLocker based on code integrity policies, and Windows Defender Application Guard (WDAG), which runs Edge in an isolated OS container. Edge itself has been hardened further by limiting its access to certain dynamic-link library (DLL) APIs and by removing outdated, security-critical technology.
Identity protection is aimed at getting rid of passwords and at protecting derived credentials with Windows Hello and Credential Guard. Credential Guard isolates derived domain credentials (such as NTLM hashes and Kerberos tickets) in a secure container built on virtualization-based security (VBS), which defends against Pass-the-Hash (PtH) attacks: the hashes are no longer reachable from the normal OS, even with administrative rights. Together with Windows Hello and the next-generation credential services, the attack surface is further reduced and sensitive information is protected.
Information protection is aimed at protecting data while it resides on the device (against loss or theft) and while it is transferred between devices. Well-known solutions such as BitLocker and BitLocker To Go are combined with new Windows 10 features: the XTS-AES encryption mode for BitLocker and Windows Information Protection (WIP), formerly known as Enterprise Data Protection (EDP), which combines the Encrypting File System (EFS) and Rights Management Services (RMS) with a simple definition of the enterprise boundary and business-to-business (B2B) support in a transparent container for all sensitive data.
In the modern world of cyber threats, we must assume that a breach will happen. Breach detection, investigation, and response is therefore aimed at detecting breaches faster and starting countermeasures as soon as possible. On the client side, Windows 10 improves this post-breach protection with more granular conditional access, the new Device Health Attestation (DHA), and Windows Defender Advanced Threat Protection (ATP). On the server side, Microsoft Advanced Threat Analytics (ATA) helps detect suspicious behavior. ATP and ATA are covered in a later chapter.
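The pillars stay abstract until you check them on a real machine. The following PowerShell script is an added example (not code from the book) that reads the state of the controls behind the four preventive pillars with built-in Windows 10 cmdlets and the Win32_DeviceGuard WMI class, and reports every control that is off as a gap in its pillar. It assumes an elevated session, the documented Win32_DeviceGuard status codes (VBS status 2 = running, code-integrity enforcement 2 = enforced, SecurityServicesRunning containing 1 for Credential Guard and 2 for HVCI), and that WdBoot is the name of the Windows Defender ELAM driver; it changes no configuration.

```powershell
# Added example (not from the book): posture check for the four preventive pillars.
# Run in an elevated PowerShell session on Windows 10; read-only.
# Assumptions: documented Win32_DeviceGuard status codes; WdBoot = Defender ELAM driver.

function Get-Win10SecurityPosture {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Pillar, [string]$Control, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Pillar = $Pillar; Control = $Control; Ok = $Ok; Detail = $Detail })
    }

    # --- Device protection: firmware, boot chain, VBS ---
    try {
        $secureBoot = Confirm-SecureBootUEFI
        Add-Finding 'Device' 'Secure Boot' $secureBoot "Confirm-SecureBootUEFI = $secureBoot"
    } catch {
        # Throws on legacy BIOS boot: Secure Boot is unavailable, not merely switched off.
        Add-Finding 'Device' 'Secure Boot' $false "Not a UEFI boot ($($_.Exception.Message))"
    }

    $tpm = Get-Tpm
    Add-Finding 'Device' 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    # ELAM drivers are unloaded once boot completes, so check the start type, not the running state.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'"
    Add-Finding 'Device' 'ELAM driver (WdBoot) is boot-start' ($null -ne $elam -and $elam.StartMode -eq 'Boot') `
        "StartMode=$($elam.StartMode)"

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    Add-Finding 'Device' 'Virtualization-based security running' ($dg.VirtualizationBasedSecurityStatus -eq 2) `
        "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)"

    # --- Threat resistance: code integrity policy, HVCI, anti-malware ---
    Add-Finding 'Threat' 'Device Guard code integrity policy enforced' ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) `
        "CodeIntegrityPolicyEnforcementStatus=$($dg.CodeIntegrityPolicyEnforcementStatus)"
    Add-Finding 'Threat' 'HVCI running' ($dg.SecurityServicesRunning -contains 2) `
        "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

    $mp = Get-MpComputerStatus
    Add-Finding 'Threat' 'Defender real-time protection' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
        "AntivirusEnabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled)"
    $signatureAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Finding 'Threat' 'Defender signatures under 1 day old' ($signatureAge.TotalDays -lt 1) `
        "Last update $($mp.AntivirusSignatureLastUpdated)"

    # --- Identity protection: Credential Guard (isolated LSA in the VBS container) ---
    Add-Finding 'Identity' 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) `
        "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

    # --- Information protection: BitLocker on the OS volume with XTS-AES ---
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Finding 'Information' 'BitLocker protection on OS drive' ($bl.ProtectionStatus -eq 'On') `
        "ProtectionStatus=$($bl.ProtectionStatus)"
    Add-Finding 'Information' 'BitLocker uses XTS-AES' ("$($bl.EncryptionMethod)" -like 'XtsAes*') `
        "EncryptionMethod=$($bl.EncryptionMethod)"

    return $findings
}

$posture = Get-Win10SecurityPosture
$posture | Format-Table Pillar, Control, Ok, Detail -AutoSize
# Every control that is not Ok is a gap in the corresponding pillar.
$posture | Where-Object { -not $_.Ok } |
    ForEach-Object { Write-Warning "$($_.Pillar): $($_.Control) -> $($_.Detail)" }
```

Secure Boot is treated as a hard failure on legacy BIOS machines because the protection cannot be switched on there at all; the same distinction (unavailable versus disabled) is what Device Health Attestation reports to a conditional access policy.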
Let's have a look at the new Windows 10 security features.