Join Pete Zerger for an in-depth discussion in this video Deploy ATA in six steps, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- Now we're going to walk through some of the key points of deploying Microsoft Advanced Thread Analytics as part of a post-breach defense strategy. Now this process is technically seven steps but I'm going to assume you've downloaded the media and installed the ATA Center already which gives us our portal and our basis for configuration. This is a pretty uneventful process and in steps two through seven here we're really just going to focus on some of the how's and why's of configuring ATA. So I'll go to the console, to the portal of my new ATA deployment here and in step two, we'll provide a username and a password to connect to our active directory forest.
So in the ATA portal here, I'll browse over to this vertical ellipsis. I will select configuration, and under data sources I'll go to directory services. I want to enter here a username and a password with read-only permissions to active directory. I'm going to use that test connection option to make sure that my password is correct and once I hit save, I'll get a little welcome message indicating we're successful in that step. Now in step three, we'll download the ATA gateway setup package.
This is how we'll install our gateway or lightweight gateway, now when you install that gateway role on a domain controller it's going to spot that and configure for the lightweight role. Again that lightweight gateway role is very popular because it eliminates the need for port forwarding where we have the event locally on the domain controller so in that respect it's quite popular and I've seen that work very well in some reasonably large environments where we used that lightweight gateway role on a domain controller in each site.
Do let the ATA sizing tool be your guide though. You never want to deploy an undersized solution that's not going to perform well. So you install those gateway roles again that's a fairly simple process and you'll repeat that for as many gateways as are appropriate for your environment. With the sizing tool again being your guide. So after the installation of our gateway or lightweight gateway we'll configure the ATA gateway settings in step five. So in the console again that same configuration menu where we are right now, we can look at some settings on our gateway.
So one setting in particular we need to look at is the domain synchronizer candidate role. So that's what synchronizes ATA with our active directory forest to get up to date information on our entities, our users, our computers our groups. A lightweight gateway is not a domain synchronizer candidate by default so by clicking on the name of that lightweight gateway, I can then toggle this switch to make it a candidate, and you want one preferably two if you have a couple close to you ATA center there.
Now in step six, we'll configure event collection. So to enhance detection capabilities ATA needs a few additional Windows events. 4776 and handful of others, which are listed in the documentation by the way. Now these can either be read automatically by the ATA lightweight gateway role or if we're not deploying the lightweight role it can be forwarded to the ATA gateway in one of two ways. By configuring the gateway to listen for your security information event management event or by configuring Windows event forwarding.
Another reason that lightweight gateway role is popular because it just eliminates another step. But as a tip you want to configure that to forward at least event ID 4776 to the IP address of one of your gateways if you're using the full gateway role. Simply because it improves ATA's capability to identify lateral movement which is going to be a factor in attacks like pass-the-hash or pass-the-ticket. So in step seven, we'll configure IP address exclusions and a honeytoken user.
So we'll configure these conclusions down here in the detection area. So I'll click on exclusions and you'll notice that there are a number of types of exclusion. For example, a pass-the-ticket exclusion might be your NAT device, a network address translation device, AKA a proxy server. Another one is a DNS reconnaissance exclusion which could be a security scanner that uses a DNS as a scanning mechanism. This exclusion, these exclusions really, help ATA ignore scanners and proxies that raise red flags but aren't actually a threat.
Now ATA also enables configuration of a honeytoken user, and if we go to detection general we see the honeytoken option here. So a honeytoken account is really a trap for malicious actors. Any authentication associated with this account that's normally unused is going to trigger an alert. So I create a honeytoken user. I make it just a normal user and I give it a name like Super User for example, and I say, I hit add and then save and I now have a honeytoken user and, should any activity be associated with that, we'll receive an alert.
And we can also configure ATA to send us reports. If you would like those reports to be sent to you on a regular basis we do need to configure a mail server. And those are some the key points right there but we'll add our honeypot user and now we'll let ATA do it's work over the next three weeks to establish the baseline of normal in our environment. And those are the basics of ATA deployment.
- Configuring virtual-based security
- Securing email
- Implementing post-breach defense
- Protecting the cloud with Azure AD
- Using Windows Defender ATP
- Managing privileged access in Azure