Watch a demonstration of the ATA Console with an attack timeline in it.
- [Instructor] What I have on the screen here is the Advanced Threat Analytics console. This is where you'll come not only to configure ATA, but also to see any behaviors that it detects, or to respond to any alerts. The data that's shown on the screen is organized in a timeline format so that you can look chronologically at potential activities and suspicious behaviors that the ATA might detect. We'll start by scrolling all the way to the bottom and walk through what is potentially a compromise of an environment that ATA has detected.
The first alert that's shown on the screen is one that ATA is able to detect based on the network traffic that goes to the domain controllers. What it sees here, is that something running on this shared Admin server is using clear text LDAP binds. What that means is those LDAP binds are not protected by SSL and the usernames and passwords in them are exposed in clear text. Someone could potentially get these credentials if they're able to access that data on the network. ATA tells us not only the server that is causing this, but also the accounts that were potentially impacted, so that you can respond to that.
Next, another feature of ATA is something called a Honeytoken account. This is an account that you can create in AD, perhaps it has a particularly intriguing name, like superuser that should never actually be used. And you tell ATA about these by telling it that they're Honeytoken accounts. And when it sees anyone trying to log on to one of those accounts, or access a resource as that account, it generates an alert. Since this account is never supposed to be used, this is potentially a behavior that you need to investigate. Next, we have a potential attacker that's trying to learn more about the network.
And doing reconnaissance to figure out how they can move about the network. In this instance, they're using the capability of the Kerberos protocol, which is fundamental to Active Directory, to figure out if usernames are valid. You can see in this case, they tried to guess about 105 different accounts. You can see all the different choices that it made on the right, and it was successful with three specific accounts on the left. The attacker now knows these are valid usernames, and can attempt to figure out the passwords too.
Next, now that the attacker has figured out valid usernames, it's going to see if they can't figure out valid passwords. In this case, the attacker is doing a brute force attack. By simply trying one password combination after another, for a specific user against the Domain Controller. We can see that in 450 attempts, the attacker was able to figure out the correct password for this user, and now has a set of valid credentials for the network. Now that the attacker has valid credentials, they can start putting them to work.
This is where ATA's machine learning behavior and capabilities come into play. Now that the attacker has these credentials they can start accessing different systems on the network. What you can see here, is based on ATA's understanding of what machines this user typically accesses, they've accessed two that are typical, but then there are six other machines that are atypical, that the user wouldn't typically access. And this is a really good sign that potentially this user's account has been compromised. Finally, the attacker was able to get local Admin privileges on a specific machine.
And with local Admin privileges, the attacker is able to steal the credentials of other people that are logged on to that machine. This is where situations where domain Admins log on to machines that aren't really there for running Active Directory can put the entire environment at risk, because someone that has simply compromised a single server can now compromise those Domain Administrator credentials and use that to move across the network. And that's exactly what's happened here. And specifically they're using what's called a Pass-the-Ticket Attack. And this allows an attacker to take stolen Kerberos tickets and reuse them to access another resource as the user whose tickets were stolen.
Because the attacker was able to compromise Domain Admin credentials, it's now able to do practically anything on the network. And of course one of the first things you're going to want to do, is be able to compromise Active Directory itself, which as a Domain Admin you can inherently do. And what the attacker has done here, they've used those Domain Admin credentials to install something called PsExec, which allows you to create remote processes on a Domain Controller. So while that attacker isn't physically on the Domain Controller, they can control it, and do things on that Domain Controller, and at this point they effectively own the network.
As you can see, ATA has provided a complete timeline of how this attack started, and working from the bottom up, we can see what happened, and how the attacker moved across the environment, escalated privileges, and compromised the entire environment.
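The detections the instructor walks through (clear-text LDAP binds, a honeytoken account being touched, Kerberos username enumeration, a brute-force run that ends in a valid logon, and access to machines outside an account's usual pattern) can each be expressed as a simple rule over authentication telemetry. The block below is an added example written for this page, not ATA's own code or its real thresholds: ATA works from mirrored domain-controller traffic and Windows events, whereas this toy takes a constructed list of `(source, account, kind, outcome)` tuples. The event field names, the `ENUM_THRESHOLD` and `BRUTE_THRESHOLD` values, the decoy account name `superuser`, the host names and the `BASELINE` of "typical" resources are all assumptions; the Kerberos error names `KDC_ERR_C_PRINCIPAL_UNKNOWN` and `KDC_ERR_PREAUTH_FAILED` are the real RFC 4120 codes a KDC returns for an unknown principal and a wrong password.

```python
"""Toy versions of five detections from the ATA timeline demo.

Added example, not ATA's implementation. Field layout, thresholds,
account and host names below are constructed assumptions.
"""
from collections import defaultdict

HONEYTOKENS = {"superuser"}   # decoy account that must never be used (assumed name)
ENUM_THRESHOLD = 5            # distinct unknown principals from one source (assumed)
BRUTE_THRESHOLD = 5           # pre-auth failures before a success (assumed)

# Constructed telemetry: (source_ip, account, event_kind, outcome).
# as_req   -> Kerberos AS-REQ result from the KDC
# ldap_bind -> how the client bound to the directory
# access   -> a resource the account touched after authenticating
EVENTS = [
    ("10.0.0.20", "svc_backup", "ldap_bind", "simple_cleartext"),
    ("10.0.0.50", "bob",   "as_req", "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.50", "carol", "as_req", "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.50", "dave",  "as_req", "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.50", "erin",  "as_req", "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.50", "frank", "as_req", "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.50", "grace", "as_req", "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("10.0.0.50", "jsmith",    "as_req", "KDC_ERR_PREAUTH_FAILED"),  # real account
    ("10.0.0.50", "superuser", "as_req", "KDC_ERR_PREAUTH_FAILED"),  # decoy touched
    *[("10.0.0.50", "jsmith", "as_req", "KDC_ERR_PREAUTH_FAILED")] * 6,
    ("10.0.0.50", "jsmith", "as_req", "SUCCESS"),
    ("10.0.0.50", "jsmith", "access", "FILESRV01"),
    ("10.0.0.50", "jsmith", "access", "ADMINSRV01"),
    ("10.0.0.50", "jsmith", "access", "DC01"),
]

# Resources each account normally uses. ATA learns this over time;
# here it is simply given (assumed).
BASELINE = {"jsmith": {"FILESRV01", "MAILSRV01"}}


def detect_cleartext_binds(events):
    """LDAP simple binds without TLS expose the password on the wire."""
    return [(src, user) for src, user, kind, outcome in events
            if kind == "ldap_bind" and outcome == "simple_cleartext"]


def detect_honeytoken(events):
    """Any activity by a decoy account is suspicious by definition."""
    return [(src, user, outcome) for src, user, kind, outcome in events
            if user in HONEYTOKENS]


def detect_enumeration(events, threshold=ENUM_THRESHOLD):
    """Many distinct unknown principals from one source = username guessing.

    Also reports which guesses the KDC confirmed exist: any reply other than
    'principal unknown' tells the requester the account is real.
    """
    unknown, known = defaultdict(set), defaultdict(set)
    for src, user, kind, outcome in events:
        if kind != "as_req":
            continue
        (unknown if outcome == "KDC_ERR_C_PRINCIPAL_UNKNOWN" else known)[src].add(user)
    return {src: {"guessed": len(unknown[src]) + len(known[src]),
                  "valid": sorted(known[src])}
            for src in unknown if len(unknown[src]) >= threshold}


def detect_brute_force(events, threshold=BRUTE_THRESHOLD):
    """A run of pre-auth failures for one account from one source, then a success."""
    failures = defaultdict(int)
    alerts = []
    for src, user, kind, outcome in events:
        if kind != "as_req":
            continue
        key = (src, user)
        if outcome == "KDC_ERR_PREAUTH_FAILED":
            failures[key] += 1
        elif outcome == "SUCCESS":
            if failures[key] >= threshold:
                alerts.append((src, user, failures[key]))
            failures[key] = 0
    return alerts


def detect_abnormal_access(events, baseline=BASELINE):
    """Resources an account touched that are outside its learned baseline."""
    atypical = defaultdict(set)
    for src, user, kind, outcome in events:
        if kind == "access" and outcome not in baseline.get(user, set()):
            atypical[user].add(outcome)
    return {user: sorted(hosts) for user, hosts in atypical.items()}


if __name__ == "__main__":
    # Print the alerts in the same bottom-up order the console timeline shows them.
    print("clear-text LDAP binds:", detect_cleartext_binds(EVENTS))
    print("honeytoken activity:  ", detect_honeytoken(EVENTS))
    print("username enumeration: ", detect_enumeration(EVENTS))
    print("brute force:          ", detect_brute_force(EVENTS))
    print("abnormal access:      ", detect_abnormal_access(EVENTS))
```

Each detector is deliberately independent and stateless over the list, so the same rules can be pointed at real Windows security events (4768/4771 for the Kerberos cases, 2889 on the DC for simple binds) once the tuples are built from those records; what makes the ATA view useful is correlating them on one timeline, which the `__main__` block mimics by printing them in sequence.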