Join Pete Zerger for an in-depth discussion in this video How ATA Works, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Microsoft Advanced Threat Analytics is an on-premises platform that helps provide post-breach visibility into advanced cyberattacks and insider threats, detecting suspicious activities and malicious attacks through behavioral analytics. Using its proprietary machine learning algorithms, ATA helps pinpoint suspicious activities in your systems by learning what comprises normal behavior, through profiling entity behavior in your environment and then knowing what to look for.
Based on a rolling baseline, ATA detects when behavior drifts outside of the range of what it's identified as normal. ATA then reports suspicious activities visually in a functional, actionable attack timeline. In each case where suspicious activity is detected, ATA offers recommendations for investigation and remediation. Optionally, you can configure ATA to send email alerts when it identifies suspicious behavior. There's actually no need for creating rules, fine tuning, or monitoring a flood of security reports, since the intelligence needed is built into ATA.
ATA actually brings machine learning in a box, and it also identifies known advanced attacks and security issues. It does take ATA about three weeks to learn what normal is in your environment, at which point it runs on a rolling three-week dataset. ATA takes information from multiple data sources in your environment, such as logs and events on your network, to learn the behavior of users and other entities in the organization, to build a behavioral profile about them.
ATA leverages a proprietary network parsing engine to capture and parse network traffic through multiple protocols such as Kerberos, DNS, RPC, NTLM, and several others, to capture authentication, authorization, and information. This info is collected by ATA via either port mirroring from domain controllers and DNS servers to the ATA gateway, or by deploying an ATA lightweight gateway directly on the domain controllers.
The lightweight gateway option is much more popular than port mirroring, simply because it's much easier to deploy. The ATA technology detects multiple suspicious activities focusing on several phases of the cyberattack kill chain, including reconnaissance, during which attackers are gathering information on how the environment is built, what the different assets and entities are, and generally building their plan for the next phase of the attack; and lateral movement, during which an attacker invests time and effort in spreading their attack surface inside your network.
And finally, domain dominance (persistence), during which an attacker captures the information that allows them to resume their campaign using various sets of entry points, credentials, and techniques. These phases of a cyberattack are similar and predictable no matter what type of organization is under attack or what type of information is being targeted. ATA searches for three main types of attacks: malicious attacks, abnormal behavior, and security issues and risks.
Malicious attacks are detected deterministically by looking for the full list of known attack types, including pass-the-ticket, pass-the-hash, golden ticket, brute force, and a variety of others. Security issues and risks present data on known configuration issues, along with recommended remediation strategies. What's more important than ATA detecting these attacks is the context it provides in clearly visualizing who, what, when, and how.
For example, alerting you on which clients ATA suspects that a pass-the-ticket attack was attempted, and which account credentials it's passing. Questionable activities and abnormal behavior are detected in ATA by using behavioral analytics and leveraging machine learning to uncover questionable activities and abnormal behavior in users and devices in your network, including anomalous logons, unknown threats, password sharing, lateral movement, and modification of sensitive security groups.
You can view suspicious activities of this type in the ATA dashboard. For example, ATA alerts you when a single user accesses three computers that this user hasn't used before, which could signify a breach and lateral movement in progress. ATA also detects security issues and risks, including things like broken trust, weak protocols in use, or known protocol vulnerabilities. You can view suspicious activities of this type in the ATA dashboard. In the following example, ATA is letting you know that there's a broken trust relationship between a computer in your network and the domain.
It's important to recognize that while ATA provides impressive functionality, this enhanced visibility is presenting potential activity after breach has occurred, highlighting the fact that this is but one tier in what should be a layered defense strategy for your identities and endpoints.
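The rolling-baseline idea the instructor describes, and the specific "a single user accesses three computers that this user hasn't used before" alert, can be illustrated with a small detector. The following Python is an added example and is not Microsoft's ATA code: it builds a per-user profile of hosts seen in the previous three weeks from a constructed set of authentication events and flags any user who touches three or more never-before-seen hosts in a single day. The comma-separated log format, the 21-day window, the threshold of three and the sample user and host names are all assumptions made for the example.

```python
"""Toy rolling-baseline detector (illustrative, not Microsoft ATA code).

Profiles which computers each user normally logs on to over a 21-day window,
then alerts when a user hits >= 3 hosts absent from that profile in one day.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 21       # assumption: ATA learns for ~3 weeks, then uses a rolling 3-week window
NEW_HOST_THRESHOLD = 3   # assumption: the transcript's "three computers not used before"

# Constructed sample log, one event per line: "ISO-timestamp,user,computer" (not real data)
SAMPLE_LOG = """\
2024-03-01T08:05:00,alice,WS-ALICE
2024-03-04T09:12:00,alice,FS01
2024-03-08T10:30:00,alice,WS-ALICE
2024-03-11T08:15:00,bob,WS-BOB
2024-03-14T11:00:00,bob,FS01
2024-03-18T08:40:00,alice,FS01
2024-03-22T09:00:00,alice,WS-ALICE
2024-03-22T09:20:00,alice,SQL01
2024-03-22T09:45:00,alice,DC01
2024-03-22T10:10:00,alice,WS-CEO
2024-03-22T10:30:00,bob,WS-BOB
2024-03-22T11:00:00,bob,FS02
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, host) tuples.

    Users and hosts are normalised so that case differences in the raw
    events do not split one identity into several profile entries.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split(",")
        events.append((datetime.fromisoformat(ts.strip()),
                       user.strip().lower(), host.strip().upper()))
    return events


def build_baseline(events, day_start):
    """Return {user: set(hosts)} seen in the BASELINE_DAYS before day_start."""
    window_start = day_start - timedelta(days=BASELINE_DAYS)
    profile = defaultdict(set)
    for ts, user, host in events:
        if window_start <= ts < day_start:
            profile[user].add(host)
    return profile


def detect_new_hosts(events, day_start, threshold=NEW_HOST_THRESHOLD):
    """Return {user: sorted new hosts} for users who reached >= threshold
    hosts on the given day that are missing from their rolling baseline."""
    baseline = build_baseline(events, day_start)
    day_end = day_start + timedelta(days=1)
    todays = defaultdict(set)
    for ts, user, host in events:
        if day_start <= ts < day_end:
            todays[user].add(host)
    alerts = {}
    for user, hosts in todays.items():
        new_hosts = hosts - baseline.get(user, set())
        if len(new_hosts) >= threshold:
            alerts[user] = sorted(new_hosts)
    return alerts


def run_sample(day="2024-03-22"):
    """Run the detector over the constructed sample for one calendar day."""
    return detect_new_hosts(parse_log(SAMPLE_LOG), datetime.fromisoformat(day))


if __name__ == "__main__":
    # alice reaches SQL01, DC01 and WS-CEO for the first time on 2024-03-22 -> alert;
    # bob touches only one unfamiliar host (FS02) -> stays below the threshold
    for user, hosts in run_sample().items():
        print(f"ALERT {user}: {len(hosts)} new hosts {hosts}")
```

Two points a practitioner would take from this: the baseline is recomputed from the window preceding the day under test, so the profile rolls forward exactly as the transcript describes, and the alert carries the who, what and when (user, hosts, day) that the instructor stresses as more valuable than the detection itself. A real deployment would key profiles on more than hostnames (protocol, time of day, source address) and would tune the threshold rather than hard-code it.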