Microsoft just announced that Microsoft Advanced Threat Analytics (ATA) is generally available.
What is Microsoft Advanced Threat Analytics (ATA)?
Microsoft Advanced Threat Analytics (ATA) helps IT departments identify advanced attacks with User and Entity Behavioral Analytics (UEBA).
ATA is an on-premises platform that helps protect your enterprise from advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal behavior of entities (users, devices, and resources).
ATA runs in the background and automatically analyzes, learns, and identifies normal behavior on your network, alerting you to possible security concerns, including:
- Abnormal user behavior: ATA uses behavioral analytics and machine learning to uncover questionable activities and abnormal behavior such as anomalous logins, abnormal resource access, abnormal working hours, unknown threats, password sharing and lateral movement.
- Malicious attacks: ATA detects known malicious attacks almost instantly, including Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, skeleton key malware, reconnaissance, brute force, and remote execution.
- Known security issues and risks: ATA identifies known security issues, such as broken trust, weak protocols and known protocol vulnerabilities.
In this blog post, I will share step-by-step instructions for deploying ATA in your environment and then simulating an attack that it detects.
Microsoft ATA has a fairly simple architecture: two main components, plus a MongoDB database on the ATA Center where the collected data is stored.
The two components are:
ATA Center performs the following functions:
- Manages ATA Gateway configuration settings
- Receives data from ATA Gateways
- Runs the detection and behavioral machine-learning engines that identify suspicious activities
- Supports multiple ATA Gateways
- Runs the ATA Management console
- Optional: The ATA Center can be configured to send emails or send events to your Security Information and Event Management (SIEM) system when a suspicious activity is detected.
ATA Gateway performs the following functions:
- Captures and inspects domain controller network traffic via port mirroring
- Receives events from a SIEM or Syslog server
- Retrieves data about users and computers from the domain
- Performs resolution of network entities (users and computers)
- Transfers relevant data to the ATA Center
- Monitors multiple domain controllers from a single ATA Gateway
I will use three virtual machines deployed on a single Hyper-V host: DC01, ATA-Center and ATA-Gateway.
ATA Center: it needs two static IP addresses. One is bound to the ATA Center service, which the ATA Gateways use to communicate with it securely (TLS, using the certificate chosen during setup); the other is bound to the ATA console, which runs on Microsoft IIS.
ATA Gateway: it needs two network adapters. The management adapter has an IP address and is used to talk to the ATA Center and to the rest of the network; the capture adapter has no IP address and only receives the port-mirrored domain controller traffic.
Network traffic to and from the domain controllers is one of ATA's main sources of information. To get that traffic to the Gateway we configure port mirroring on the Hyper-V virtual switch: the domain controller is configured as the Source, which copies all of its traffic on that virtual switch to the virtual machine configured as the Destination, in this case the capture adapter of ATA-Gateway.
Finally, we need a read-only user in the domain. ATA requires an account with read access to the domain, which it uses to query the domain for information about entities such as users and computers. An ordinary domain user account is enough; do not use a privileged account for this.
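As an added example (not code from the original post), here is the same lab setup scripted in PowerShell: the port-mirroring configuration on the Hyper-V host, the IP-less capture adapter inside the Gateway VM, and the read-only account on DC01. The VM names and DC01.VIRT.LAB are from the post; the switch name LabSwitch, the adapter name Capture, the guest adapter name Ethernet 2, the account name svc-ata-ro and its OU are assumptions for the example.

```powershell
# Added lab-setup example, not from the original post. Part 1 runs on the
# Hyper-V host, part 2 inside the ATA-Gateway VM, part 3 on DC01 (or any box
# with the RSAT ActiveDirectory module). VM names and DC01.VIRT.LAB are from
# the post; LabSwitch, Capture, "Ethernet 2", svc-ata-ro and its OU are assumed.
#Requires -RunAsAdministrator

# --- Part 1: Hyper-V host: capture adapter and port mirroring ---
$Switch = 'LabSwitch'

# Second (capture) adapter on ATA-Gateway, on the same virtual switch as DC01.
if (-not (Get-VMNetworkAdapter -VMName 'ATA-Gateway' -Name 'Capture' -ErrorAction SilentlyContinue)) {
    Add-VMNetworkAdapter -VMName 'ATA-Gateway' -Name 'Capture' -SwitchName $Switch
}

# DC01 is the mirroring Source (no -Name, so every adapter of DC01 is mirrored);
# only the Gateway's Capture adapter is the Destination. The management adapter
# stays at its default of None so it does not receive the copied traffic too.
Set-VMNetworkAdapter -VMName 'DC01' -PortMirroring Source
Set-VMNetworkAdapter -VMName 'ATA-Gateway' -Name 'Capture' -PortMirroring Destination

# Verify before installing the Gateway: Source on DC01, Destination on Capture,
# and both adapters on the same SwitchName.
Get-VMNetworkAdapter -VMName 'DC01', 'ATA-Gateway' |
    Select-Object VMName, Name, SwitchName, PortMirroringMode |
    Format-Table -AutoSize

# --- Part 2: inside ATA-Gateway: keep the capture NIC without an IP address ---
# Rename the guest adapter so it is easy to pick in the ATA console, and stop
# DHCP from handing it an address; no gateway or DNS is configured on it either.
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'Capture'
Set-NetIPInterface -InterfaceAlias 'Capture' -AddressFamily IPv4 -Dhcp Disabled

# --- Part 3: DC01: least-privilege read-only account for ATA's directory queries ---
Import-Module ActiveDirectory
$Password = Read-Host -Prompt 'Password for svc-ata-ro' -AsSecureString
New-ADUser -Name 'svc-ata-ro' -SamAccountName 'svc-ata-ro' `
    -UserPrincipalName 'svc-ata-ro@VIRT.LAB' `
    -Path 'OU=Service Accounts,DC=VIRT,DC=LAB' `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'ATA read-only domain query account'

# An ordinary domain user already has the read access ATA needs. Confirm the
# account picked up no privileged membership: the only group should be Domain Users.
Get-ADPrincipalGroupMembership -Identity 'svc-ata-ro' |
    Select-Object -ExpandProperty Name
```

Check the PortMirroringMode column before moving on: if DC01 shows Source but the Gateway's Capture adapter shows None, or the two are on different switches, the Gateway will install fine but never see any domain controller traffic, and the symptom only appears later as an ATA console that shows the Gateway but no activity.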
Log in to the ATA Center server as an administrator and launch the Microsoft ATA Center Setup.exe file.
Choose your preferred language and accept the end user license agreement.
In large deployments you’ll want the database and the database journal folders on separate physical drives.
Select the IP address that the ATA Center service will be bound to and choose Create self-signed certificate. Self-signed certificates are for lab and test environments only; in production deployments use certificates issued by your internal CA. Next select the IP address that IIS will use for the ATA console, again choose Create self-signed certificate, and click Install.
When the installation is done, click Launch to connect to the ATA console.
Now log in with the same username and password you used to install the ATA Center. On first login you are prompted for the read-only user's username and password and the FQDN of the domain; enter them and click Save.
After saving the domain connectivity settings you can move on to the ATA Gateway: download the ATA Gateway setup package from the console.
Now, we are moving to the server where we will install the ATA Gateway.
Double click the Microsoft ATA Gateway setup .exe file to launch the installation for the ATA Gateway.
In the ATA Gateway configuration section, review the default installation location and then select Create self-signed certificate.
Next, enter the username and password of a user who can access the ATA console: a member of the local Administrators group or of the Microsoft Advanced Threat Analytics Administrators group on the ATA Center server.
The installer then registers the ATA Gateway with the ATA Center, pulls down the initial configuration, and installs the ATA Gateway service.
After the installation finishes, click Launch to connect to the ATA console and continue configuring the ATA Gateway.
Log in to the ATA console, select the three dots on the toolbar, and then click Configuration.
On the Gateways page you will see the ATA Gateway that was just installed, together with an alert that it requires additional configuration.
This additional configuration is needed before the ATA Gateway starts collecting data. After the initial sync completes, click the Gateway's title and its settings section opens automatically.
You can add a description for the ATA Gateway, then enter the FQDN of the domain controller that will be monitored.
In this demo the FQDN of my domain controller is DC01.VIRT.LAB. Then choose which network adapter is the port-mirrored one (in my case it is called Capture) and click Save.
At this point the ATA Gateway pulls down the updated configuration and starts capturing the port-mirrored domain controller traffic.
To verify that ATA is working, search for objects from the domain: simply enter the first few letters and the search displays all entities that match. I will select the Super Virt user to see the profile ATA created for that user.
In this demo I will trigger the "Sensitive account credentials exposed" alert, which ATA raises when a sensitive account (a member of Domain Admins, for example) sends its password in cleartext, as an LDAP simple bind without TLS does:
1. I will create a test user and add it to the "Domain Admins" group
2. From a standalone server that has a TCP connection to my DC, I will run ldp.exe
3. I will choose Connection –> Connect and type the DC's IP address
4. I will choose Connection –> Bind and select the "Simple bind" option
5. Lastly, I will provide the credentials of the test user in the format domain\username
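The five ldp.exe steps above as a PowerShell script, added here as an example that is not from the original post. It creates the test account, adds it to Domain Admins, performs the LDAP simple bind against the DC with System.DirectoryServices.Protocols (AuthType Basic is exactly what ldp.exe's Simple bind option sends), and, going one step beyond the post, confirms on the DC itself that a cleartext bind arrived by reading Directory Service event 2889. The domain VIRT.LAB and DC01.VIRT.LAB are from the post; the account name ata-test and its throwaway password are assumptions.

```powershell
# Added example, not from the original post: scripted version of the ldp.exe
# simple-bind simulation, plus a DC-side check. Run on a machine that can reach
# DC01 over TCP/389 and has the RSAT ActiveDirectory module.
# Assumed names: account "ata-test" and its throwaway lab password.
#Requires -Modules ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain   = 'VIRT'
$DcFqdn   = 'DC01.VIRT.LAB'
$TestUser = 'ata-test'
$Plain    = 'Lab-0nly-P@ssw0rd!'   # lab throwaway; this string WILL cross the wire in cleartext

# Step 1 (post): create the test user and add it to Domain Admins so ATA treats it as sensitive.
New-ADUser -Name $TestUser -SamAccountName $TestUser -Server $DcFqdn -Enabled $true `
    -AccountPassword (ConvertTo-SecureString $Plain -AsPlainText -Force)
Add-ADGroupMember -Identity 'Domain Admins' -Members $TestUser -Server $DcFqdn

# Extra check (not in the post): make the DC log every cleartext simple bind.
# "16 LDAP Interface Events" = 2 makes the DC write event 2889 (client IP and
# user) to the Directory Service log for each simple bind that arrives without TLS.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Invoke-Command -ComputerName $DcFqdn -ScriptBlock {
    Set-ItemProperty -Path $using:RegPath -Name '16 LDAP Interface Events' -Value 2
}

# Steps 2-5 (post): what ldp.exe does with Connection -> Connect, Connection ->
# Bind, Simple bind. AuthType.Basic puts the password into the LDAP BindRequest
# unchanged, and SecureSocketLayer = $false keeps the session off LDAPS.
function Invoke-LdapSimpleBind {
    param([string]$Server, [string]$User, [string]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $cred = New-Object System.Net.NetworkCredential($User, $Password)
    $auth = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, $auth)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $false
    try {
        $conn.Bind()
        "Simple bind as $User to ${Server}:389 succeeded; password sent in cleartext"
    } catch {
        "Simple bind as $User failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}
$StartTime = Get-Date
Invoke-LdapSimpleBind -Server $DcFqdn -User "$Domain\$TestUser" -Password $Plain

# DC-side confirmation: the bind just made should now appear as event 2889.
Start-Sleep -Seconds 5
Invoke-Command -ComputerName $DcFqdn -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $using:StartTime } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\r?\n', ' ' } }
}

# Clean-up once the ATA alert has been observed: drop the privileged test
# account and return the DC diagnostic level to its default.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $TestUser -Server $DcFqdn -Confirm:$false
Remove-ADUser -Identity $TestUser -Server $DcFqdn -Confirm:$false
Invoke-Command -ComputerName $DcFqdn -ScriptBlock {
    Set-ItemProperty -Path $using:RegPath -Name '16 LDAP Interface Events' -Value 0
}
```

The bind must go to DC01 (the mirrored domain controller) or the Gateway never sees it, and ATA only classifies the account as sensitive once its directory sync has picked up the new Domain Admins membership, so if the alert does not appear, give the sync time and bind again. Event 2889 is independent of ATA: it tells you the DC really received a simple bind without TLS, which separates "the simulation did not happen" from "ATA did not detect it".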
Wait a few seconds, then log in to the ATA console and check.
Here you go: the suspicious activity has been logged.
You can download the GA evaluation bits today and implement ATA in your organization.
Until then, Happy Threat Analytics