Microsoft ATA (Advanced Threat Analytics)

ncomper
Afternoon all, I'm looking for a little advice on the Microsoft ATA solution. I have a client that has asked me to review the tool and implement it in the network if appropriate. At present we have this in a Proof of Concept environment, but I am having trouble getting anything to report back that is of any use (it notes new machines and users etc.).

Microsoft seems to have very little information on the tool and has not managed to come back with much useful information (they just keep providing web links to articles). We have the following setup in place at present:

Center Server: Virtual Server 2012 R2
Light Gateway: Virtual Server 2012 R2
Light Gateway: Azure Server 2012 R2
Light Gateway: Virtual Server 2008 R2

We have had limited feedback from the console on things that are happening within the network (but we did receive a report today on exposed credentials in clear text), so we know it is reporting things back. I wondered if anyone had used this before and could expand on the following:

  • How long is the learning period for the system?
  • Will I be able to track access events (users/engineers accessing servers/shares they shouldn't)?
  • User account privileges (can I see if someone is given additional rights)?
  • New administrator-level account tracking

I would like to know how useful the system is in auditing the local network to offer feedback on potential security issues, or whether I will need to review something like ManageEngine ADAudit?
Exec Consultant
Distinguished Expert 2018
Commented:
The learning phase really depends on the size of the network, but primarily it is for the logs and events that are sent over to the ATA Center server. There needs to be a substantial amount of collection before it can make sense of the alerts. As the network is supposed to be noisy, you are really looking at 1-2 days to learn and stabilise the assessment. But it is always best to give more time, like a week, for you to tune any false positives.

Tracking access events is included and is likely to be a low-impact event detected. It covers broadly suspicious activities that can lead to attacks designed for malicious users or software to gain access to organizational data. For example:

Over-pass the hash: attacks in which the attacker uses a stolen NTLM hash to authenticate with Kerberos and obtain a valid Kerberos TGT ticket, which is then used to authenticate as a valid user and gain access to resources on your network.

Escalation of privileges is included, as it may be in the form of stealing an authentication ticket, like these cases:

MS14-068 exploit (Forged PAC): attacks in which the attacker plants authorization data in their valid TGT ticket in the form of a forged authorization header that grants them additional permissions that they weren't granted by their organization. In this scenario the attacker leverages previously compromised credentials, or credentials harvested during lateral movement operations.

MS11-013 exploit (Silver PAC): an elevation of privilege vulnerability in Kerberos which allows certain aspects of a Kerberos service ticket to be forged. A malicious user or attacker who successfully exploited this vulnerability could obtain a token with elevated privileges on the Domain Controller. In this scenario the attacker leverages previously compromised credentials, or credentials harvested during lateral movement operations.

New admin accounts to track is a bit tricky, as it does not track such creation, but there is one use case to use a honey account which is not supposed to be used but which an attacker actually assumes to access resources, and this may be a form of "creation" through the impersonation of existing privileged accounts.

credentials in plain text, ATA alerts you so that you can update the service configuration.

Honey Token account suspicious activities: Honey Token accounts are dummy accounts set up to trap, identify, and track malicious activity that attempts to use these dummy accounts. ATA alerts you to any activities across these Honey Token accounts.
I have not fully run the solution, though internally there is interest in going into such use-case validation.

Use case - https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats
Best Practice - https://blogs.technet.microsoft.com/enterprisemobility/2016/06/10/best-practices-for-securing-advanced-threat-analytics/
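As an added example (not from this thread and not part of the ATA product or its documentation), the two gaps the answer points at, use of a honey token account and new members of privileged groups, can also be checked directly in a domain controller's Security log with PowerShell, independently of the ATA learning period. The honey account name and the group list are assumptions to replace with your own; the script assumes the "Kerberos Authentication Service" and "Security Group Management" audit subcategories are enabled on the DC.

```powershell
# Added example: complement ATA by checking the DC Security log directly.
# Assumptions (replace for your environment): the honey token account name
# and the privileged groups to watch. Without the Kerberos Authentication
# Service and Security Group Management audit policies enabled, the event
# IDs below are never written and the script returns nothing.
$HoneyAccount     = 'svc-backup-legacy'      # assumed honey token account
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
$Since            = (Get-Date).AddDays(-1)

# Read a named EventData field by name rather than by positional index,
# so field-order differences between event versions do not break parsing.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1) Honey token: 4768 (TGT requested) or 4771 (pre-auth failed) for an
#    account nobody should ever use is a strong signal on its own.
$honeyHits = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4771; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -ieq $HoneyAccount } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'IpAddress'
        }
    }

# 2) Privilege changes: 4728/4732/4756 = member added to a security-enabled
#    global/local/universal group. Keep only the groups that matter.
$adminAdds = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $PrivilegedGroups -contains (Get-EventField $_ 'TargetUserName') } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Group   = Get-EventField $_ 'TargetUserName'
            Member  = Get-EventField $_ 'MemberName'
            AddedBy = Get-EventField $_ 'SubjectUserName'
        }
    }

$honeyHits | Format-Table -AutoSize
$adminAdds | Format-Table -AutoSize
```

Run it on each domain controller (or against forwarded events), since group membership changes are logged only on the DC that processed the change.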
