Understanding Microsoft Advanced Threat Analytics (ATA) Basics
Microsoft's Advanced Threat Analytics (ATA) is an on-premises platform for protecting enterprise customers from cyberattacks and insider threats. ATA collects information from multiple data-sources (e.g. logs and events) on the network to create a behavioral profile of users. As users work on the network, ATA captures and parses the network traffic from protocols, such as DNS, Kerberos, NTLM etc. By learning how users behave, it's able to understand the patterns and detect suspicious activities. In this article, I will cover a brief summary of information from Microsoft's Advanced Threat Analytics Documentation.
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
ATA License
Microsoft customers who have an Enterprise Agreement can download the ATA software from Microsoft Volume Licensing Center (VLSC). Those customers who obtained a license for Enterprise Mobility + Security (EMS), either through the Office 365 portal themselves or with the help of a cloud solution partner, should contact Microsoft Customer Support to activate ATA.
Focus on Certain Phases of Cyberattack Kill Chain
ATA offers protection for several phases of a cyberattack kill chain, such as reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance, etc. The following three phases of a cyberattack are of particular interest because Microsoft believes these three apply to practically all types of organizations and data.
- Reconnaissance: Used by an attacker to gather information about the targeted network and environment.
- Lateral movement cycle: Used by an attacker to focus efforts on infiltrating the network.
- Domain dominance (persistence): Used by an attacker to gather information that is used to continue the attack through various techniques and entry points.
Focus on Three Types of Attack
What ATA does is look for certain types of attacks. Primarily it focuses on the following three major types of attacks.
Malicious attacks: It specifically looks for attacks such as:
- Pass-the-Ticket (PtT)
- Pass-the-Hash (PtH)
- Overpass-the-Hash
- Forged PAC (MS14-068)
- Golden Ticket
- Malicious replications
- Reconnaissance
- Brute Force
- Remote execution
- Anomalous logins
- Unknown threats
- Password sharing
- Lateral movement
- Modification of sensitive groups
- Broken trust
- Weak protocols
- Known protocol vulnerabilities
Personal Data in ATA
Active Directory secures network assets by authenticating users on the network and restricting unauthorized access to resources. Data in ATA is retrieved from user profiles in Active Directory. When you make changes to the user data in Active Directory, the information is synchronized with ATA.
If you know how the User Profile Service (UPS) works in SharePoint Server, you will have no difficulty in understanding the concept in ATA. The Active Directory connector in the UPS service synchronizes changes to the user profile in Active Directory (e.g. an updated telephone number) to SharePoint. You can open the user profile of an individual user on the SharePoint Server and view his/her personal data that was added to Active Directory. Similarly, in ATA you can use the ATA Center to open the user (or device) profile page and view the user's personal data. Any updates to the data in Active Directory will be reflected here.
When you delete a user account in Active Directory, the user's data in ATA is not deleted. It's kept for security investigation. You could, however, permanently delete user data in ATA. For more information on deleting personal data, visit ATA data security and privacy.
I wanted to share some of the ATA basics in this article, so this is just scratching the surface. There is a whole lot more to know before planning and deploying ATA in an environment. The links in the next section will help if you would like to consider deploying ATA.
Useful Links
Here are some links provided by Microsoft that you may find useful to learn more about ATA.
- Advanced Threat Analytics Documentation
- ATA Architecture
- ATA Prerequisites
- Troubleshooting Known Issues
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.