In this article I will explain the purpose and benefits of Microsoft Advanced Threat Analytics (ATA), a product that many organisations may be entitled to through their Office 365 SKUs without realising it. I will detail the high-level purpose, deployment and configuration of ATA, with a comparison to Azure Advanced Threat Protection (Azure ATP).
The purpose of ATA
The product bridges an often-overlooked security gap within a network: what happens if a user's credentials fall into the wrong hands, or an infected BYOD machine is connected to your network?
An attacker would begin by using tools to gather information about domain users and groups, then move laterally to resources in the environment. Traditional AV would not detect this reconnaissance; after all, it is a standard user querying DNS and Active Directory for information. Similarly, users logging into resources they are allowed to use would not be detected.
The attacker aims to exploit weak passwords and credentials stored in memory. ATA detects the well-known tools and techniques used to achieve this (Pass-the-Hash, Golden Ticket).
This cycle is the “cyber-attack kill chain” which can be further understood by reading this Microsoft blog.
I have first-hand experience of this. While employed at a large global company, operations were halted for several weeks. This caused irreparable reputational damage and cost the company tens of millions of pounds. The company was infected with Petya ransomware disrupting multiple global data centres. The attacker gained elevated domain credentials then spread the ransomware payload.
How ATA works
ATA uses machine learning to map out each user's normal behaviour over several days. Once this learning period is complete, ATA will begin to alert on abnormal user behaviour. Some examples include:
- Unusual login times
- Impossible Geo
- Unusual resource access
- Abnormal resource login
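To make the learning-period idea concrete, here is a small added example (my own illustration, not ATA's code or its actual model) that builds a per-user baseline from a learning window of logon events and then raises the kinds of alert listed above. The events, host names, cities, the learning cut-off date and the 900 km/h "impossible travel" threshold are all constructed for the example.

```python
"""Toy user-behaviour baseline in the spirit of ATA's learning period.

Added illustration only; not ATA's code. Every event, host, city and
threshold below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed (latitude, longitude) pairs for the sample logon locations.
CITY_COORDS = {
    "London": (51.5074, -0.1278),
    "Sydney": (-33.8688, 151.2093),
}

# Assumed: anything faster than an airliner between two logons is "impossible geo".
MAX_SPEED_KMH = 900.0

# Assumed learning cut-off: events before this date train the baseline,
# events on or after it are evaluated against it.
LEARNING_END = datetime(2019, 3, 8)


def ev(user, ts, resource, city):
    """Build one constructed logon event: (user, timestamp, resource, city)."""
    return (user, datetime.fromisoformat(ts), resource, city)


EVENTS = [
    # Learning period: alice works office hours from London on FS01 / MAIL01.
    ev("alice", "2019-03-04T08:12:00", "FS01", "London"),
    ev("alice", "2019-03-04T13:40:00", "MAIL01", "London"),
    ev("alice", "2019-03-05T09:05:00", "FS01", "London"),
    ev("alice", "2019-03-05T17:30:00", "MAIL01", "London"),
    ev("alice", "2019-03-06T08:45:00", "FS01", "London"),
    # Detection period.
    ev("alice", "2019-03-11T09:00:00", "FS01", "London"),    # normal
    ev("alice", "2019-03-11T10:00:00", "FS01", "Sydney"),    # impossible geo
    ev("alice", "2019-03-13T02:30:00", "FS01", "London"),    # unusual login time
    ev("alice", "2019-03-13T11:00:00", "DC01", "London"),    # unusual resource
    ev("mallory", "2019-03-13T12:00:00", "DC01", "London"),  # never seen in learning
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def build_baseline(events, learning_end):
    """Per user: the hour-of-day window and the set of resources seen while learning."""
    baseline = defaultdict(lambda: {"min_hour": 24, "max_hour": -1, "resources": set()})
    for user, ts, resource, _city in events:
        if ts < learning_end:
            prof = baseline[user]
            prof["min_hour"] = min(prof["min_hour"], ts.hour)
            prof["max_hour"] = max(prof["max_hour"], ts.hour)
            prof["resources"].add(resource)
    return baseline


def detect(events, baseline, learning_end):
    """Return (user, alert kind, detail) tuples for post-learning events."""
    alerts = []
    last_seen = {}  # user -> (timestamp, city) of the previous logon
    for user, ts, resource, city in sorted(events, key=lambda e: e[1]):
        if ts < learning_end:
            last_seen[user] = (ts, city)  # geo history carries across the cut-off
            continue
        prof = baseline.get(user)
        if prof is None:
            alerts.append((user, "no baseline for user", resource))
        else:
            if not prof["min_hour"] <= ts.hour <= prof["max_hour"]:
                alerts.append((user, "unusual login time", ts.isoformat()))
            if resource not in prof["resources"]:
                alerts.append((user, "unusual resource access", resource))
        if user in last_seen:
            prev_ts, prev_city = last_seen[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = haversine_km(CITY_COORDS[city], CITY_COORDS[prev_city])
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                alerts.append((user, "impossible geo", f"{prev_city}->{city} in {hours:.1f}h"))
        last_seen[user] = (ts, city)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, build_baseline(EVENTS, LEARNING_END), LEARNING_END):
        print(alert)
```

The point of the example is the order of operations: nothing is flagged until a baseline exists, and an account with no baseline at all (here `mallory`) is itself worth an alert. A real product learns far richer features than an hour window and a resource set, but the shape of the logic, learn first, then compare, is the same.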
ATA will alert immediately for known attacks against Active Directory and DNS. There is no learning period required to detect these attacks. The image below shows ATA alerting that a “pass-the-ticket” attack has taken place.
ATA does not take any remedial action on threats; it is purely an alerting tool. ATA monitors on-premises Active Directory only; Azure Active Directory already has its own built-in security tools.
As you can see, ATA addresses a fundamental security gap left by traditional AV. User behaviour analysis is essential for visibility of reconnaissance taking place on a domain. Microsoft estimates that attackers spend an average of 200 days within a network without being detected.
How ATA is deployed
Advanced Threat Analytics is an on-premises tool. The ATA engine is installed on a Windows Server and is accessible via IIS once installed.
Download ATA from the Volume Licensing Service Center. If you purchased EMS E3 directly from the portal, you will need to call Microsoft to activate it, as it will not be there.
Run the ATA installer. I will assume you can decide where to install the application and if you want automatic updates or not.
ATA is installed as a web service in IIS. To open the console, browse to https://localhost on the ATA server and accept the SSL certificate warning. For production, of course, replace the self-signed certificate with one issued by a public certificate authority.
There are two methods available to collect data from domain controllers:
ATA Gateway:
The gateway is installed on a separate server and uses port mirroring to capture all domain controller traffic. The gateway supports a throughput of 50,000 packets per second. The main advantage of the gateway is that no extra resources are required from domain controllers.
ATA Lightweight Gateway:
The lightweight gateway is installed directly onto domain controllers. The agent is designed never to exhaust the resources of a domain controller or interfere with its operation. Domain controllers will usually require slightly more memory and CPU to run the gateway, which suits virtual environments where resources are flexible.
Organisations should use ATA lightweight gateways deployed on each domain controller. However, larger enterprise environments may opt for an ATA gateway or a combination of both. Ensure domain controllers are baselined for performance before the ATA lightweight gateway deployment.
Licensing and Azure ATP
ATA is included in the EMS E3 SKU. Many organisations are not fully utilising their EMS licences because the matrix of available products and services is ambiguous. Many have simply purchased EMS for MDM/MAM. Others have EMS E3 included in their Enterprise Agreement but are unaware of the full benefits of the suite.
I have seen numerous blog posts and forum threads that confuse ATA and Azure ATP. Azure ATP is simply a cloud SaaS version of the ATA console. There are no features in Azure ATP that are not in ATA, and the gateway still needs to be on-premises with Azure ATP.
To use Azure ATP you need EMS E5; to use ATA you need EMS E3. Given the uplift in licence level for zero added functionality, it is not worth upgrading purely to get Azure ATP.
There will be some false positives at first, but ATA will give you insight into account activity, using machine learning to benchmark known behaviour. This will help you identify and reduce the privileges administrators hold.
If you have EMS E3 already you should deploy ATA to gain an insight into threats within your network. After all you are paying for it.
Here is a useful ATA playbook that simulates attacks within your network. Use it to demonstrate how ATA responds to well-known hacking tools.