Understanding Microsoft Advanced Threat Analytics (ATA) Basics
Microsoft’s Advanced Threat Analytics (ATA) is an on-premises platform for protecting enterprise customers from cyberattacks and insider threats. ATA collects information from multiple data sources on the network (domain controller network traffic and Windows events, for example) to build a behavioral profile of users and devices. As users work on the network, ATA captures and parses authentication and name-resolution traffic for protocols such as DNS, Kerberos and NTLM. By learning how users normally behave, it can recognize the patterns and flag suspicious activities. In this article, I will cover a brief summary of information from Microsoft’s Advanced Threat Analytics Documentation.
ATA License
Microsoft customers who have an Enterprise Agreement can download the ATA software from the Microsoft Volume Licensing Service Center (VLSC). Customers who obtained a license for Enterprise Mobility + Security (EMS), either through the Office 365 portal themselves or with the help of a cloud solution partner, should contact Microsoft Customer Support to activate ATA.
Focus on Certain Phases of Cyberattack Kill Chain
ATA offers protection for several phases of a cyberattack kill chain, such as reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance, etc. The following three phases of cyberattack are of particular interest because Microsoft believes these three apply to practically all types of organizations and data.
- Reconnaissance: used by the attacker to gather information about the targeted network and environment (how it is built, which assets and accounts exist) before planning the next phases of the attack.
- Lateral movement cycle: used by the attacker to spread inside the network once an initial foothold exists, widening the set of hosts and credentials under their control.
- Domain dominance (persistence): used by the attacker to capture information (credentials, entry points, techniques) that allows the campaign to be resumed later even if part of it is discovered and cleaned up.
Focus on Three Types of Attack
What ATA does is look for certain types of attacks. Primarily it focuses on the following three major types of attacks:
Malicious attacks
It specifically looks for attacks, such as:
- Pass-the-Ticket (PtT)
- Pass-the-Hash (PtH)
- Overpass-the-Hash
- Forged PAC (MS14-068)
- Golden Ticket
- Malicious replications
- Reconnaissance
- Brute Force
- Remote execution
Abnormal behavior
It uses behavioral analytics and machine learning to see if any activities or behavior of the users and devices is out of the ordinary. It looks for suspicious activities, such as:
- Anomalous logins
- Unknown threats
- Password sharing
- Lateral movement
- Modification of sensitive groups
Security issues and risks
ATA looks for security issues that stand out. For example, most computers on a typical Active Directory network are joined to the domain. Domain membership lets administrators apply Group Policy to a computer and control access to network resources from it. If the trust relationship (the computer account’s secure channel with the domain) is broken, Group Policy can no longer be applied to that computer and domain users may be unable to log on to it. These are serious matters, so ATA will warn you about such conditions. To protect your network, ATA detects things such as:
- Broken trust
- Weak protocols
- Known protocol vulnerabilities
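Two of the issues listed above, broken trust and weak protocols, can be checked directly with built-in Windows tooling before (or alongside) ATA reporting them. The PowerShell below is an added example for this article; it is not code from Microsoft’s ATA product or documentation. It assumes it is run on a domain-joined host with RSAT’s ActiveDirectory module available for the domain-controller-side query, and the domain name CONTOSO, the 90-day staleness threshold and the 5000-event window are hypothetical values chosen for illustration.

```powershell
# Added example (not from the original article or from Microsoft's ATA code):
# checking two of the "security issues" ATA reports, broken trust and weak
# protocols, on a domain-joined host and on the domain controller side.
#
# Assumptions (not from the article): the host is domain-joined, the RSAT
# ActiveDirectory module is installed for the DC-side query, the domain is
# called CONTOSO (hypothetical), and 90 days is an arbitrary staleness
# threshold for machine-account passwords (the default maximum age is 30 days).

# --- 1. Broken trust, local view: is this computer's secure channel intact? ---
# Test-ComputerSecureChannel returns $true or $false; -Verbose names the DC used.
$trustOk = Test-ComputerSecureChannel -Verbose
if (-not $trustOk) {
    Write-Warning "Secure channel to the domain is broken on $env:COMPUTERNAME."
    # Repairing needs domain credentials allowed to reset this computer account:
    # Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CONTOSO\admin')
}

# Netlogon's own view of the same secure channel (CONTOSO is a placeholder).
nltest /sc_query:CONTOSO

# --- 2. Broken trust, DC-side view: enabled computer accounts whose machine
#        password has not rotated for a long time are candidates for a lost
#        secure channel (or for machines that simply no longer exist). ---
Import-Module ActiveDirectory
$staleBefore = (Get-Date).AddDays(-90)
Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -lt $staleBefore } |
    Select-Object Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# --- 3. Weak protocols, configuration: LAN Manager authentication level. ---
# LmCompatibilityLevel meaning: 0-2 may send LM/NTLMv1 responses; 3 and above
# send only NTLMv2; 5 additionally refuses LM and NTLMv1 when acting as server.
# An absent value means the OS default applies.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level -or $level -lt 3) {
    Write-Warning ("LmCompatibilityLevel is '{0}': LM/NTLMv1 responses may be sent. " +
                   "Set it to 5 via Group Policy (Network security: LAN Manager authentication level).") -f $level
} else {
    Write-Output "LmCompatibilityLevel = $level (NTLMv2 only)."
}

# --- 4. Weak protocols, on the wire: NTLMv1 logons already recorded in the
#        Security log. Event 4624 carries LmPackageName = 'NTLM V1' for them.
#        Run on a DC (or any server) that audits logon events. ---
$xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='LmPackageName']='NTLM V1']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = [xml]$_.ToXml()
        $fields = @{}
        foreach ($f in $d.Event.EventData.Data) { $fields[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($fields['TargetDomainName'])\$($fields['TargetUserName'])"
            Source = $fields['IpAddress']
            Host   = $fields['WorkstationName']
        }
    } | Format-Table -AutoSize
```

Section 1 is what a help-desk engineer runs on the affected machine; sections 2 and 4 are what a security operations team runs centrally, and they give you a baseline to compare against the broken-trust and weak-protocol alerts ATA raises. Note that `Test-ComputerSecureChannel -Repair` and `Reset-ComputerMachinePassword` change the computer account password, so record the finding before repairing if it is part of an investigation.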
Personal Data in ATA
Active Directory secures network assets by authenticating users on the network and restricting unauthorized access to resources. Data in ATA is retrieved from user profiles in Active Directory. When you make changes to the user data in Active Directory, the information is synchronized with ATA. If you know how the User Profile Service (UPS) works in SharePoint Server, you will have no difficulty understanding the concept in ATA. The Active Directory connector in the UPS service synchronizes changes to the user profile in Active Directory (e.g. an updated telephone number) to SharePoint. You can open the user profile of an individual user on the SharePoint Server and view his/her personal data that was added to Active Directory. Similarly, in ATA you can use the ATA Center to open the user (or device) profile page and view the user’s personal data. Any updates to the data in Active Directory will be reflected here. When you delete a user account in Active Directory, the user’s data in ATA is not deleted; it is kept for security investigation. You can, however, permanently delete user data in ATA. For more information on deleting personal data, visit ATA data security and privacy.
I wanted to share some of the ATA basics in this article so this is just scratching the surface. There is a whole lot more to know before planning and deploying ATA in an environment. The links in the next section will help if you would like to consider deploying ATA.
Useful Links
Here are some links provided by Microsoft that you may find useful to learn more about ATA.
- Advanced Threat Analytics Documentation
- ATA Architecture
- ATA Prerequisites
- Troubleshooting Known Issues
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.