Microsoft ATA (Advanced Threat Analytics)

Afternoon all, I'm looking for a little advice on the Microsoft ATA solution. I have a client that has asked me to review the tool and implement it in the network if appropriate. At present we have this in a Proof of Concept environment, but I am having trouble getting anything to report back that is of any use (it notes new machines and users etc.).

Microsoft seem to have very little information on the tool and have not managed to come back with much useful information (they just keep providing web links to articles). We have the following setup in place at present:

Center Server: Virtual Server 2012 R2
Light Gateway: Virtual Server 2012 R2
Light Gateway: Azure Server 2012 R2
Light Gateway: Virtual Server 2008 R2

We have had limited feedback from the console on things that are happening within the network (but we did receive an alert today on exposed credentials in clear text), so we know it is reporting things back. I wondered if anyone had used this before and could expand on the following:

  • How long is the learning period for the system?
  • Will I be able to track access events (users/engineers accessing servers/shares they shouldn't)?
  • User account privileges (can I see if someone is given additional rights)?
  • New administrator-level account tracking?

I would like to know how useful the system is in auditing the local network to offer feedback on potential security issues, or will I need to review something like ManageEngine ADAudit?
btan (Exec Consultant) commented:
The learning phase really depends on the size of the network, but primarily it is for the logs and events that are sent over to the ATA center server. There needs to be a substantial amount of collection before it can make sense of the alerts. As the network is supposed to be noisy, you are really looking at 1-2 days to learn and stabilise the assessment. But it is always best to give more time, like a week, for you to tune any false positives.

Tracking access events is included and is likely to be a low-impact event detected. It covers broadly suspicious activities that can lead to attacks designed for malicious users or software to gain access to organizational data. For example:

Over-pass the hash: attacks in which the attacker uses a stolen NTLM hash to authenticate with Kerberos and obtain a valid Kerberos TGT ticket, which is then used to authenticate as a valid user and gain access to resources on your network.

Escalation of privileges is included, as it may be in the form of stealing an authentication ticket, like these cases:

MS14-068 exploit (Forged PAC): attacks in which the attacker plants authorization data in their valid TGT ticket in the form of a forged authorization header that grants them additional permissions that they weren't granted by their organization. In this scenario the attacker leverages previously compromised credentials, or credentials harvested during lateral movement operations.

MS11-013 exploit (Silver PAC): MS11-013 exploit attacks are an elevation of privilege vulnerability in Kerberos which allows certain aspects of a Kerberos service ticket to be forged. A malicious user or attacker who successfully exploited this vulnerability could obtain a token with elevated privileges on the Domain Controller. In this scenario the attacker leverages previously compromised credentials, or credentials harvested during lateral movement operations.

New admin account tracking is a bit tricky, as it does not track such creation, but there is one use case to use a honey account which is not supposed to be used but which an attacker actually assumes to access resources, and this may be a form of "creation" through the impersonation of existing privileged accounts.
credentials in plain text, ATA alerts you so that you can update the service configuration.
Honey Token account suspicious activities: Honey Token accounts are dummy accounts set up to trap, identify, and track malicious activity that attempts to use these dummy accounts. ATA alerts you to any activities across these Honey Token accounts.

I have not fully run the solution, though internally there is interest in going into such use case validation.

Use case -
Best Practice -

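The honey token idea in the answer above (an account that has no legitimate use, so any authentication attempt against it is an alert) and the questioner's wish to see privileged group changes can both be checked outside ATA from ordinary Windows Security audit events. The following is an added example written for this page, not ATA's own logic or any Microsoft code: it runs two simple rules over exported events. The event IDs are the real Windows ones (4768 Kerberos TGT request, 4776 NTLM credential validation, 4624 logon, 4728/4732/4756 member added to a global/local/universal security group); the JSON-lines export format, the honey token account names and the sample records are all constructed for the example.

```python
"""Honey token and privileged-group-change checks over exported Windows Security events.

Added example for this thread; the event records, account names and the
JSON-lines export layout are constructed, not captured from a real domain.
"""
import json

# Honey token accounts: dummy accounts that must never authenticate.
# These names are assumptions for the example.
HONEY_TOKENS = {"svc_backup_legacy", "adm_helpdesk2"}

# Real built-in AD group names whose membership changes deserve review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Event IDs that carry an authenticating account name in TargetUserName.
AUTH_EVENTS = {4768, 4776, 4624}
# Member-added events for global, local and universal security groups.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample export: one JSON object per line, fields as Windows names them.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "10.0.0.15", "Time": "2016-05-10T09:01:00"}
{"EventID": 4768, "TargetUserName": "svc_backup_legacy", "IpAddress": "10.0.0.77", "Time": "2016-05-10T09:02:11"}
{"EventID": 4776, "TargetUserName": "ADM_HELPDESK2", "Workstation": "WS-0442", "Time": "2016-05-10T09:03:30"}
{"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=tmp_user,OU=Staff,DC=corp,DC=local", "SubjectUserName": "jsmith", "Time": "2016-05-10T09:05:00"}
{"EventID": 4732, "TargetUserName": "Backup Operators", "MemberName": "CN=bob,OU=Staff,DC=corp,DC=local", "SubjectUserName": "helpdesk1", "Time": "2016-05-10T09:06:00"}
{"EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "10.0.0.15", "Time": "2016-05-10T09:07:00"}
not json at all
"""


def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line should not stop the whole run
    return events


def detect_honey_token_use(events, honey_tokens=HONEY_TOKENS):
    """Flag every authentication event naming a honey token account.

    No learning period is needed: the account has no legitimate use, so
    a single hit is an alert. Names are compared case-insensitively
    because different event types render the account name differently.
    """
    wanted = {name.lower() for name in honey_tokens}
    alerts = []
    for ev in events:
        if ev.get("EventID") not in AUTH_EVENTS:
            continue
        account = str(ev.get("TargetUserName", "")).lower()
        if account in wanted:
            alerts.append({
                "rule": "honey_token_use",
                "event_id": ev["EventID"],
                "account": account,
                "source": ev.get("IpAddress") or ev.get("Workstation") or "?",
                "time": ev.get("Time"),
            })
    return alerts


def detect_privileged_group_changes(events, groups=PRIVILEGED_GROUPS):
    """Flag additions to privileged groups, with who did it and who was added."""
    alerts = []
    for ev in events:
        if ev.get("EventID") in GROUP_ADD_EVENTS and ev.get("TargetUserName") in groups:
            alerts.append({
                "rule": "privileged_group_add",
                "group": ev["TargetUserName"],
                "member": ev.get("MemberName", "?"),
                "by": ev.get("SubjectUserName", "?"),
                "time": ev.get("Time"),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_honey_token_use(evs) + detect_privileged_group_changes(evs):
        print(alert)
```

Run against the embedded sample it reports two honey token hits (one Kerberos, one NTLM, from different sources) and one addition to Domain Admins, while the Backup Operators change and the ordinary jsmith logons pass silently. In a real deployment the same two rules would be fed from a SIEM or an event forwarder rather than a hand-built string, and the honey token accounts should be ones that are plausible to an attacker but referenced by no scheduled task or service, so that any hit is genuinely unexplained.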