Security analysis with Microsoft Advanced Threat Analytics
Under the Radar
Microsoft Advanced Threat Analytics (ATA) is an extension of the Enterprise Mobility Suite (EMS). The purpose of this on-premises system is to detect suspicious activities on the network that potentially stem from attackers. ATA's focus is attacks on user login data, which explains why the software keeps a close eye on Active Directory (AD) domain controllers. The service is not designed just to protect endpoints such as smartphones or tablets, but also internal networks in Active Directory trees and in Microsoft Azure and Azure Active Directory.
In releasing ATA, Microsoft aims to give enterprises a tool that will protect networks against attacks through a variety of attack vectors. In most companies, users can access the enterprise data with an increasing number of devices and connections. Only a centralized tool like ATA is capable of keeping track of all these devices and detecting attacks quickly.
Setting up the tool is very easy; the network is analyzed immediately after its installation. You install a service that monitors the network and a central acquisition service that prepares the information. The installation can be on dedicated servers or on a server with other roles. Once you install and set up ATA – which should take around 10 minutes – the system starts to analyze the network. If a trojan program or an attacker attempts to read usernames from AD, for example, the tool will detect it and issue an alert in the web interface.
Hidden Attacks on the Network
What kind of attacks does ATA protect you against? According to Microsoft, 76 percent of all attacks on internal networks rely on stolen login credentials. For example, if a user logs on to the file server from their laptop, a large volume of data is transferred. If the user then accesses other services with their credentials, such as SharePoint, CRM, or other solutions, Active Directory creates tickets (hashes) to grant access.
If this information gets into the wrong hands, attackers can use the stolen credentials to access the network. It is possible to sniff a ticket, for example, from an infected computer – after all, Windows stores the data in RAM. This affects not only your own login data but also credentials belonging to other users – especially administrators – who can access the PC for maintenance purposes or to share files.
If an attacker sniffs an administrator's login credentials, the threat from the attack grows significantly. In both cases, attackers can access not only the services that the user regularly uses but also other systems on the network that the user does not normally access. These attacks are invisible – no data is destroyed or PCs bricked – the data is simply stolen. The situation can continue for a period of months without administrators, firewalls, or anti-virus scanners noticing anything. Currently, almost no solutions exist to protect enterprises from this kind of attack.
Once attackers have found active accounts, they can also try to brute-force the passwords of these accounts (Figure 1). Again, ATA detects this action immediately and alerts in detail, telling you the client that launched the attack, which domain controller is being used, and which user accounts are affected. Once the attacker has succeeding in stealing a password, he or she can log on to PC systems. Again, ATA detects this – showing all of these activities in an easily understandable way.
Deep Packet Inspection and SIEM
ATA aims not only to prevent attacks on the network but also to mitigate attacks that have already happened – identifying vulnerabilities and informing administrators of compromised networks and stolen user credentials. Protecting the network against attackers is the task of firewalls, antivirus scanners, and other security solutions. It is only when they fail that ATA enters the game; its task is then to detect ongoing break-ins and alert the responsible administrators.
To do so, the tool provides a web interface and offers the option of sending email or managing syslogs once it identifies an attacker. Many administrators use logfiles and network monitoring based on special tools to keep an eye on their networks. These methods, however, are no longer sufficient, and they are very inefficient in terms of analysis.
ATA uses machine learning technologies and real-time analysis of network transactions to detect attackers – even if they launch more complex attacks. Anomalies are detected by means of Deep Packet Inspection (DPI), which collates the network traffic in Active Directory and the data of Security Information and Event Management (SIEM) systems for analysis. These approaches collect information, evaluate the information, and alert as needed. The alerts can in turn be analyzed by ATA. This method also applies to information from syslog servers that is normally too complex for manual analysis. This collaboration is not mandatory, but it is the best possible approach.
In this way, ATA detects suspicious user actions (e.g., unusual login times on the computer) that indicate infected computers. Thanks to advance analysis, ATA also detects pass-the-hash (PtH) attacks mentioned earlier. These attacks do not target passwords directly; rather, they go after the hashes that Active Directory creates after a user has authenticated.
Attackers sniff these hashes and thus receive user or administrative privileges. This kind of attack is difficult to detect and remains unnoticed in most companies without solutions like ATA. This also applies to well-known variants like pass-the-ticket, overpass-the-hash, forged PAC (MS14-068), remote execution, golden ticket, skeleton key malware, reconnaissance, and brute force attacks.
ATA not only detects ongoing attacks, but also finds vulnerabilities that make attacks probable. For example, the tool detects user accounts belonging to system services that use passwords in the clear, incorrect trust relationship settings, and vulnerabilities in protocols and their interfaces.
Information Kept Simple
One of ATA's benefits is that you do not fully need to understand the variegated and complex attack vectors yourself as an administrator. ATA handles the network analysis and notifies you of all incidents. The interface for this is kept very simple and is easily understood by administrators who are not security experts.
There is also no need to define rules, install agents, or implement complex security scenarios to use ATA. The application analyzes domain controllers and networks for suspicious activity and gives you a level of detail that allows you to act on the information. Check out the AD developer blog to see what an attack can look like and how ATA reveals it to you [1].
The first step is for ATA to analyze the entire data traffic in the AD environment and the user access. All actions of the servers and users are logged, measured, and investigated. On the basis of this information, ATA then learns what a normal transaction looks like and which approaches are atypical and suspicious on the network. Then, based on its analyses, ATA can detect attacks on the network and discover the precise sequence of the attacks and their times. Attacks are reported to the administrators and countermeasures are launched. You are given a precise timeline of information, revealing when the suspicious activities occurred. For example, you can see when a user with a compromised account and computer accessed resources, and what these resources were.
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.