MS ATA Overview MST

Microsoft Advanced Threat Analytics (ATA) is a security platform that can detect advanced threats using behavioral analytics before damage occurs. It analyzes Active Directory traffic using port mirroring, learns normal user and entity behavior, and detects abnormalities that indicate potential security issues or known attacks. When suspicious activity is found, ATA generates alerts and provides recommendations for further investigation and remediation on an attack timeline for quick understanding of "who, what, when, and how."


Microsoft Advanced Threat Analytics Overview

Michael Horák
Mainstream Technologies s.r.o.

24. 3. 2016
Agenda
• ATA Overview
• ATA Deployment and Configuration
• Hacking Samples
• Business Notes
ATA Overview
• Why?
• The problem & The ATA
• ATA Introduction
• How ATA works
• ATA topology
• ATA Licensing
Sobering statistics

• 243 – the average number of days that attackers reside within a victim's network before detection
• 76% – of all network intrusions are due to compromised user credentials
• $500B – the total potential cost of cybercrime to the global economy
• $3.5M – the average cost of a data breach to a company
Changing nature of cyber-security attacks
Today's cyber attackers are:
• Compromising user credentials in the vast majority of attacks
• Using legitimate IT tools rather than malware – harder to detect
• Staying in the network an average of eight months before detection
• Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
The problem

Traditional IT security tools are typically:
• Complex – initial setup, fine-tuning, creating rules and thresholds/baselines can take a long time.
• Prone to false positives – you receive too many reports in a day with several false positives that require valuable time you don't have.
• Designed to protect the perimeter – when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
The ATA
• History
  • 2010 – Aorato company was founded.
  • Nov 2014 – Microsoft buys Aorato.
  • Aorato's employees continue to work under the Microsoft label.
  • Aug 2015 – Microsoft ATA released.

• ATA = Advanced Threat Analytics
  • Powerful security tool.
  • Continuous development of new detection routines.
  • "Easy" to deploy.
  • "Easy" to configure.
Introducing MS Advanced Threat Analytics
An on-premises platform to identify advanced security attacks before they cause damage

• Credit card companies monitor cardholders' behavior.
• If there is any abnormal activity, they will notify the cardholder to verify the charge.

Comparison: Microsoft Advanced Threat Analytics brings this concept to the IT and users of a particular organization.
Introducing MS Advanced Threat Analytics
An on-premises platform to identify advanced security attacks before they cause damage

• Behavioral Analytics
• Detection for known attacks and issues
• Advanced Threat Detection
Advanced Threat Analytics Benefits

• Detect threats fast with Behavioral Analytics – No need for creating rules, fine-tuning or monitoring a flood of security reports; the intelligence needed is ready to analyze and self-learning.
• Adapt as fast as your enemies – ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly-evolving enterprise.
• Focus on what is important fast using the simple attack timeline – The attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the "who-what-when-and-how" of your enterprise.
• Reduce the fatigue of false positives – Alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity's behavior to its own behavior, but also to the profiles of other entities in its interaction path.
• Prioritize and plan for next steps – For each suspicious activity or known attack identified, ATA provides recommendations for the investigation and remediation.
Why Microsoft Advanced Threat Analytics?

Speed Adaptability Simplicity Accuracy

Key features

• Mobility support
  • Witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices
• Integration to SIEM
  • Works seamlessly with SIEM
  • Provides options to forward security alerts to your SIEM or to send emails to specific people
• Seamless deployment
  • Functions as an appliance, hardware or virtual
  • Utilizes port mirroring to allow seamless deployment alongside AD
  • Does not affect existing network topology
How MS Advanced Threat Analytics works

1 Analyze
After installation:
• Simple non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers (the capture is passive; the Gateway's capture interface sends nothing)
• Analyzes all Active Directory traffic
• Collects relevant events from SIEM and other sources
How MS Advanced Threat Analytics works

2 Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources

What is an entity? An entity represents a user, a device, or a resource.
How MS Advanced Threat Analytics works

3 Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect known attacks and security issues (regional or global)

ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.
How MS Advanced Threat Analytics works

4 Alert
• ATA reports all suspicious activities on a simple, functional, actionable attack timeline
• ATA identifies Who? What? When? How?
• For each suspicious activity, ATA provides recommendations for the investigation and remediation.
How MS Advanced Threat Analytics works

Security issues and risks
• Broken trust
• Weak protocols
• Known protocol vulnerabilities

Malicious attacks
• Pass-the-Ticket (PtT)
• Pass-the-Hash (PtH)
• Overpass-the-Hash
• Forged PAC (MS14-068)
• Golden Ticket
• Skeleton Key malware
• Reconnaissance
• Brute force

Abnormal behavior
• Anomalous logins
• Remote execution
• Suspicious activity
• Unknown threats
• Password sharing
• Lateral movement
Topology

Topology – Gateway
• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from multiple domains on a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center
Topology – Center
• Manages ATA Gateway configuration settings
• Receives data from ATA Gateways and stores it in the database
• Detects suspicious activity and abnormal behavior (machine learning)
• Provides the Web Management Interface
• Supports multiple Gateways
ATA Licensing

ATA Deployment and Configuration
• Installation & Configuration
  • ATA Center
  • ATA Gateway
  • Port mirroring
  • Service configuration
• Simple management using a web browser
• MongoDB
• Performance monitoring
• Capacity planning
Installation – ATA Center
• Domain membership – YES or NO
• Disk sizing / DB placement
• Network interfaces
  • IP addresses
  • Ports
• Web server certificates
• Local ATA Admins group
• Simple ATA Center setup
• ATA Center is a web application
Installation – ATA Gateway
• Domain membership – YES or NO
• Network interfaces
  • 1x management interface
  • Multiple capture interfaces
  • Port mirroring configuration
  • IP addresses
  • Ports
• Windows Security Log forwarding
• HW sizing
• Web server certificates
• Simple ATA Gateway setup
• Created on and downloadable from the ATA Center
Configuration – ATA Gateway
• Port mirroring, also known as SPAN (Switched Port Analyzer).
• May require considerable network configuration changes.
• Supported by Hyper-V, VMware, Cisco (of course), etc.

• SPAN: limited to the same switch.
• RSPAN (remote SPAN): limited to multiple switches in the same L2 network segment.
• ERSPAN (encapsulated remote SPAN): adds L3 (IP routing) support to RSPAN; uses Cisco GRE encapsulation.
Configuration – ATA Gateway - Cisco

Configuration – ATA Gateway – Hyper-V
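The Hyper-V variant of the port-mirroring step, shown on this slide as a screenshot, as an added PowerShell example that is not part of the original slides. It uses the built-in Hyper-V cmdlets Get-VMNetworkAdapter and Set-VMNetworkAdapter; the VM names DC01 (domain controller) and ATAGW01 (ATA Gateway) are hypothetical, and it assumes the Gateway's second, dedicated capture adapter has been renamed "Capture".

```powershell
# Added example, not from the original slides: Hyper-V port mirroring for an ATA Gateway.
# Hypothetical names: VM 'DC01' (domain controller), VM 'ATAGW01' (ATA Gateway) whose
# second adapter was renamed 'Capture'. Run on the Hyper-V host as an administrator.

# 1. Every adapter of the DC becomes a mirroring source.
Get-VMNetworkAdapter -VMName 'DC01' | Set-VMNetworkAdapter -PortMirroring Source

# 2. Only the Gateway's dedicated capture adapter becomes the destination. The
#    management adapter stays at 'None' so mirrored frames never land on the
#    interface the Gateway uses to reach the ATA Center and the domain.
Set-VMNetworkAdapter -VMName 'ATAGW01' -Name 'Capture' -PortMirroring Destination

# 3. Verify. A Hyper-V mirror only works between ports of the same virtual switch
#    (and therefore the same host); a mismatch delivers nothing and raises no error.
$src = Get-VMNetworkAdapter -VMName 'DC01'
$dst = Get-VMNetworkAdapter -VMName 'ATAGW01' -Name 'Capture'
foreach ($a in $src) {
    if ($a.SwitchName -ne $dst.SwitchName) {
        Write-Warning "DC01/$($a.Name) is on '$($a.SwitchName)', capture adapter is on '$($dst.SwitchName)'"
    }
}
Get-VMNetworkAdapter -VMName 'DC01', 'ATAGW01' |
    Select-Object VMName, Name, SwitchName, PortMirroringMode |
    Format-Table -AutoSize
```

Because the virtual switch is per host, a live migration of either VM to another cluster node silently breaks the mirror; that is the practical reason behind the cluster caveat under Deployment risks later in the deck. Keep the capture adapter free of routable addressing: ATA's deployment guidance gives it a static, non-routable IP with no default gateway and no DNS servers, so nothing is ever sent from it. On VMware the equivalent is a port group with promiscuous mode allowed; for physical DCs it is a SPAN session on the switch.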

Configuration – ATA Gateway – Check
• Port mirroring checks
  • MS Network Monitor 3.x (currently the only supported capture tool on the ATA Gateway)
  • Performance Monitor
• Windows Security Log forwarding checks
  • Event Viewer on the source server (DC)
  • Event Viewer on the destination server (ATA Gateway)
Configuration – ATA Gateway – Detection

Configuration – ATA Gateway – CEIP

Configuration – NAT & DA exceptions

High-performance storage – MongoDB

Capacity Planning – Performance Monitor

Capacity Planning – Collecting PerfData

Capacity Planning – ATA Center

Capacity Planning – ATA Gateway
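The packets-per-second measurement that the capacity-planning slides take from Performance Monitor, as an added PowerShell example that is not from the original slides, with the thresholds copied from the Sizing table in the Business notes section of this deck. It uses the real Get-Counter and Invoke-Command cmdlets; the DC names DC01 and DC02 are hypothetical, and sizing the Gateway on the measured peak and the Center on the summed average is this example's conservative choice, not a statement of Microsoft's own method.

```powershell
# Added example, not from the original slides: measure packets/sec per DC and map
# it onto the deck's sizing table. Hypothetical DC names: DC01, DC02.

function Measure-DcPacketsPerSecond {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Seconds = 300                 # a real sizing run covers a full business day
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Seconds -ScriptBlock {
        param([int]$Seconds)
        # One sample set per second; each set holds one sample per network adapter.
        $sets = Get-Counter -Counter '\Network Adapter(*)\Packets/sec' `
                            -SampleInterval 1 -MaxSamples $Seconds
        $perSecond = foreach ($set in $sets) {
            ($set.CounterSamples |
                Where-Object { $_.InstanceName -notmatch 'isatap|teredo|loopback|pseudo' } |
                Measure-Object -Property CookedValue -Sum).Sum
        }
        $stats = $perSecond | Measure-Object -Average -Maximum
        [pscustomobject]@{
            DC      = $env:COMPUTERNAME
            AvgPps  = [math]::Round($stats.Average)
            PeakPps = [math]::Round($stats.Maximum)
        }
    } | Select-Object DC, AvgPps, PeakPps
}

# Rows copied from the deck's Sizing slide; Pps is the load each row supports.
$GatewayRows = @(
    @{ Pps = 10000; Cores = 4;  MemoryGB = 12; OsDiskGB = 80  },
    @{ Pps = 20000; Cores = 8;  MemoryGB = 24; OsDiskGB = 100 },
    @{ Pps = 40000; Cores = 16; MemoryGB = 64; OsDiskGB = 200 }
)
$CenterRows = @(
    @{ Pps = 1000;   Cores = 4;  MemoryGB = 48;  DbPerDayGB = 1.5; DbPerMonthGB = 45   },
    @{ Pps = 10000;  Cores = 4;  MemoryGB = 48;  DbPerDayGB = 15;  DbPerMonthGB = 450  },
    @{ Pps = 40000;  Cores = 8;  MemoryGB = 64;  DbPerDayGB = 60;  DbPerMonthGB = 1800 },
    @{ Pps = 100000; Cores = 12; MemoryGB = 96;  DbPerDayGB = 150; DbPerMonthGB = 4500 },
    @{ Pps = 200000; Cores = 16; MemoryGB = 128; DbPerDayGB = 300; DbPerMonthGB = 9000 }
)

function Get-AtaSizing {
    param([Parameter(Mandatory)][int]$Pps, [Parameter(Mandatory)][object[]]$Rows)
    # First row whose capacity covers the load; $null means the load is above the table
    # and the Gateways must be split further.
    $Rows | Where-Object { $_.Pps -ge $Pps } | Select-Object -First 1
}

# One Gateway per Hyper-V host or switch domain, sized for the DCs it mirrors (peak);
# the Center is sized for the summed load of all Gateways (average).
$load    = Measure-DcPacketsPerSecond -ComputerName 'DC01', 'DC02'
$gateway = Get-AtaSizing -Pps ($load.PeakPps | Measure-Object -Sum).Sum -Rows $GatewayRows
$center  = Get-AtaSizing -Pps ($load.AvgPps  | Measure-Object -Sum).Sum -Rows $CenterRows
$load; $gateway; $center
```

Measure on the DCs, not on the Gateway's capture adapter: before the mirror is in place there is nothing to count on the Gateway, and after it is in place a mis-sized mirror drops packets without any counter telling you so. Sample at one-second intervals over a whole business day so logon storms at shift start are captured; a five-minute average hides them.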

Hacking Samples
• Obtaining credentials
• Pass-the-Hash Attack
• DCSync Attack (DRS-R)
• Pass-the-Ticket Attack
• Golden Ticket Attack
• Brute-Force Attack
• Remote Execution Attack
Obtaining credentials
• Workstations/Servers (local/RDP)
  • Memory (user, computer)
  • Registry (computer)
  • Saved credentials (DPAPI backup key required)
• Domain controllers
  • Online (memory, DRS-R)
  • Offline (VHD, backup)
• …
Pass-the-Hash Attack

DCSync Attack (DRS-R)

DCSync Detection
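A log-based way to spot the DCSync activity demonstrated on the previous slide, as an added PowerShell example; it is not this slide's own screenshot and not ATA's detection. A DCSync request is a DRS-R replication call, so a DC with the "Audit Directory Service Access" subcategory enabled records event 4662 carrying the replication control-access GUIDs (DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set) when the domain object's SACL audits control access, which the default SACL on the domain naming context does; verify yours. The allow-list pattern MSOL_* (an Azure AD Connect style account name) is an assumption to adjust, and the machine-account exclusion is a triage filter only.

```powershell
# Added example, not from the original slides: hunt for DCSync in a DC's Security
# log via event 4662. Run on (or remotely against) a domain controller.

# Control-access right GUIDs a replication partner needs; a non-DC principal
# requesting them is the DCSync signature.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-DcSyncEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        # Accounts legitimately allowed to replicate besides DCs. 'MSOL_*' is an
        # ASSUMED Azure AD Connect naming pattern; replace with your own list.
        [string[]]$AllowList = @('MSOL_*')
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4662
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields (SubjectUserName, ObjectName, Properties, ...) by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 'Properties' lists the requested rights as GUIDs; keep only replication rights.
        $hits = $ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ }
        if (-not $hits) { continue }

        $user = $data['SubjectUserName']
        if ($user -like '*$') { continue }                          # DC / machine accounts replicate legitimately
        if ($AllowList | Where-Object { $user -like $_ }) { continue }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = "$($data['SubjectDomainName'])\$user"
            Rights = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Object = $data['ObjectName']
        }
    }
}

Find-DcSyncEvents | Format-Table -AutoSize
```

Expect Azure AD Connect, backup agents that replicate and any account you have granted "Replicating Directory Changes All" to show up; the point is that an ordinary admin or service account appearing here is worth a ticket. An attacker holding a DC's machine account can DCSync under a name ending in $, so the exclusion is triage, not trust; the same 4662 telemetry is what a network-based sensor such as ATA sees as a DRS-R request from a non-DC source.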


DCSync Detection using ATA (TBD)

Pass-the-Ticket Attack

Golden Ticket Attack

Brute-Force Attack

Remote Execution Attack
Business notes
• Advantages of ATA
• Pricing
• Sizing
• Deployment risks
Advantages of the ATA solution
• Ready-made solution – Microsoft support
• Low deployment effort
• Analysis
  • Detection of known attacks
  • Heuristic behavioral analysis
  • Self-learning
  • Detection tooling (considerably reduces "false positive" detections)
• Alerting
  • Console (timeline)
  • SIEM
  • Email notifications
ATA Pricing
• EMS
  • $8.75 / month / user
  • For 1,500 users: $157,500 per year
  • ATA + bonus:
    • Azure AD Premium
    • Azure Rights Management Premium
    • Intune
    • Azure RemoteApp
    • Windows Server CAL
    • MIM CAL
• Stand-alone
  • $80 / licence + SA (Software Assurance)
  • For 1,500 users: $120,000 per year
ATA Server Sizing

• ATA Center:

Packets per second | CPU (cores) | Memory (GB) | OS storage (GB) | Database storage per day (GB) | Database storage per month (GB) | Database storage IOPS, average (peak)
1,000              | 4           | 48          | 200             | 1.5                           | 45                              | 30 (100)
10,000             | 4           | 48          | 200             | 15                            | 450                             | 200 (300)
40,000             | 8           | 64          | 200             | 60                            | 1,800                           | 500 (1,000)
100,000            | 12          | 96          | 200             | 150                           | 4,500                           | 1,000 (1,500)
200,000            | 16          | 128         | 200             | 300                           | 9,000                           | 2,000 (2,500)

• ATA Gateway:

Packets per second | CPU (cores) | Memory (GB) | OS storage (GB)
10,000             | 4           | 12          | 80
20,000             | 8           | 24          | 100
40,000             | 16          | 64          | 200
Deployment risks
• May require more advanced configuration of active network elements (switches)
• May require installing several ATA Gateways (and therefore Windows Server Standard or higher licences plus HW capacity)
• Choosing a suitable placement in the network
• HW requirements
• The number of ATA Gateways needed – problematic especially in clustered environments (Hyper-V, VMware, etc.)
Outro

Outro: Check Twitter

"We are strong even where others run out of strength."