Microsoft AdvancedThreat Analytics Overview

Michael HorákMainstream Technologies s.r.o.

24. 3. 2016

Agenda • ATA Overview

• ATA Deployment and Configuration

• Hacking Samples

• Business Notes

2

ATAOverview

• Why?

• The problem & The ATA

• ATA Introduction

• How ATA works

• ATA topology

• ATA Licensing

3

Sobering statistics

4

$3.5MThe average cost of a data breach to a company

243The average number of days that attackers reside within a victim’s network before detection

76%of all network intrusions are due to compromised user credentials

$500BThe total potential cost of cybercrime to the global economy

Changing nature of cyber-security attacks

5

Costing significant financial loss, impact to

brand reputation, loss of confidential data,

and executive jobs

Compromising user credentials in the vast

majority of attacks

Using legitimate IT tools rather than malware

– harder to detect

Staying in the network an average of eight

months before detection

Today’s cyber attackers are:

Changing nature of cyber-security attacks

6

Using legitimate IT tools rather than malware

– harder to detect

Costing significant financial loss, impact to

brand reputation, loss of confidential data,

and executive jobs

Compromising user credentials in the vast

majority of attacks

Staying in the network an average of eight

months before detection

Today’s cyber attackers are:

Changing nature of cyber-security attacks

7

Using legitimate IT tools rather than malware

– harder to detect

Staying in the network an average of eight

months before detection

Costing significant financial loss, impact to

brand reputation, loss of confidential data,

and executive jobs

Compromising user credentials in the vast

majority of attacks

Today’s cyber attackers are:

Changing nature of cyber-security attacks

8

Compromising user credentials in the vast

majority of attacks

Using legitimate IT tools rather than malware

– harder to detect

Staying in the network an average of eight

months before detection

Costing significant financial loss, impact to

brand reputation, loss of confidential data,

and executive jobs

Today’s cyber attackers are:

The problem

9

Traditional IT security tools are typically:

Designed to protect

the perimeter

Complex Prone to false

positives

When user credentials are

stolen and attackers are in the

network, your current

defenses provide limited

protection.

Initial setup, fine-tuning,

creating rules and

thresholds/baselines can

take a long time.

You receive too many reports

in a day with several false

positives that require valuable

time you don’t have.

The ATA

• History• 2010 – Aorato company was founded.

• Nov 2014 – Microsoft buys Aorato.

• Aorato‘s employees continue to work under MS label

• Aug 2015 – Microsoft ATA released.

• ATA = Advanced Threat Analytics• Powerfull security tool.

• Continuous development of new detection routines.

• „Easy“ to deploy.

• „Easy“ to configure.

10

Introducing MS Advanced Threat Analytics

11

An on-premises platform to identify advanced security attacks before they cause damage

Credit card companies

monitor cardholders’

behavior.

If there is any abnormal

activity, they will notify the

cardholder to verify charge.

Microsoft Advanced Threat Analytics brings this

concept to IT and users of a particular organizationComparison:

Introducing MS Advanced Threat Analytics

12

Behavioral

Analytics

Detection for known

attacks and issues

Advanced Threat

Detection

An on-premises platform to identify advanced security attacks before they cause damage

Advanced Threat Analytics Benefits

13

Detect threats fast with Behavioral Analytics

Adapt as fast as your enemies

Focus on what is important fast using the simple attack timeline

Reduce the fatigue of false positives

Prioritize and plan for next steps

No need for creating rules,

fine-tuning or monitoring a

flood of security reports, the

intelligence needed is ready to

analyze and self-learning.

ATA continuously learns from

the organizational entity

behavior (users, devices, and

resources) and adjusts itself to

reflect the changes in your

rapidly-evolving enterprise.

The attack timeline is a clear,

efficient, and convenient feed

that surfaces the right things

on a timeline, giving you the

power of perspective on the

“who-what-when-and how” of

your enterprise.

Alerts only happen once

suspicious activities are

contextually aggregated, not

only comparing the entity’s

behavior to its own behavior,

but also to the profiles of

other entities in its interaction

path.

For each suspicious activity or

known attack identified, ATA

provides recommendations for

the investigation and

remediation.

Why Microsoft Advanced Threat Analytics?

14

AdaptabilitySpeed Simplicity Accuracy

Key features

15

Witnesses all authentication and

authorization to the

organizational resources within

the corporate perimeter or on

mobile devices

Mobility support Integration to SIEM Seamless deployment

Works seamlessly with SIEM

Provides options to forward

security alerts to your SIEM or to

send emails to specific people

Functions as an appliance hardware

or virtual

Utilizes port mirroring to allow

seamless deployment alongside AD

Does not affect existing

network topology

How MS Advanced Threat Analytics works

16

Analyze1 After installation:

• Simple non-intrusive port mirroring

configuration copies all AD-related traffic

• Remains invisible to the attackers

• Analyzes all Active Directory traffic

• Collects relevant events from SIEM and

other sources

How MS Advanced Threat Analytics works

ATA:

• Automatically starts learning and profiling

entity behavior

• Identifies normal behavior for entities

• Learns continuously to update the activities

of the users, devices, and resources

Learn2

What is entity?

Entity represents users, devices, or resources

How MS Advanced Threat Analytics works

Detect3 Microsoft Advanced Threat Analytics:

• Looks for abnormal behavior and identifies

suspicious activities

• Only raises red flags if abnormal activities are

contextually aggregated

• Leverages world-class security research to

detect known attacks and security issues

(regional or global)

ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.

How MS Advanced Threat Analytics works

Alert4

ATA reports all suspicious

activities on a simple,

functional, actionable

attack timeline

ATA identifies

Who?

What?

When?

How?

For each suspicious

activity, ATA provides

recommendations for

the investigation and

remediation.

How MS Advanced Threat Analytics works

20

Abnormal Behavior Anomalous logins

Remote execution

Suspicious activity

Security issues and risks Broken trust

Weak protocols

Known protocol vulnerabilities

Malicious attacks Pass-the-Ticket (PtT)

Pass-the-Hash (PtH)

Overpass-the-Hash

Forged PAC (MS14-068)

Golden Ticket

Skeleton key malware

Reconnaissance

BruteForce

Unknown threats

Password sharing

Lateral movement

Topology

21

Topology - Gateway

22

Captures and analyzes DC network

traffic via port mirroring

Listens to multiple DCs from multiple

domains on a single Gateway

Receives events from SIEM

Retrieves data about entities from the

domain

Performs resolution of network entities

Transfers relevant data to the ATA

Center

Topology - Center

23

Manages ATA Gateway configuration

settings

Receives data from ATA Gateways and

stores in the database

Detects suspicious activity and

abnormal behavior (machine learning)

Provides Web Management Interface

Supports multiple Gateways

ATA Licensing

24

ATADeployment and Configuration

• Installation & Configuration• ATA Center

• ATA Gateway• Port mirroring

• Service configuration

• Simple management using web browser

• MongoDB

• Performance monitoring

• Capacity planning

25

Installation – ATA Center

• Domain membership – YES or NO

• Disk sizing / DB placing

• Network Interfaces• IP addresses

• Ports

• Web Server certificates

• Local ATA Admins group

• Simple ATA Center setup

• ATA Center is a web application

26

Installation – ATA Center

27

Installation – ATA Gateway

• Domain membership – YES or NO

• Network Interfaces• 1x Management interface

• Multiple Capture interfaces

• Port mirroring configuration

• IP addresses

• Ports

• Windows Security Log Forwarding

• HW sizing

• Web Server certificates

• Simple ATA Gateway setup• Created on and downloadable from ATA Center

28

Installation – ATA Gateway

29

Installation – ATA Gateway

30

Configuration – ATA Gateway

31

Configuration – ATA Gateway

SPAN:

Limited to the sameswitch.

RSPAN (remote span):

Limited to multipleswitches in the same L2 network segment

ERSPAN (encapsulatedremote span):

Adds L3 (IP routing) support to RSPAN.

Uses Cisco GRE.

32

• Port mirroring, also known as SPAN (Switch port Analyzer).

• May require considerable network configuration changes.

• Supported by Hyper-V, VMWare, Cisco (of course), etc.

Configuration – ATA Gateway

33

Configuration – ATA Gateway - Cisco

34

Configuration – ATA Gateway – Hyper-V

35

Configuration – ATA Gateway – Check

• Port mirroring checks• MS Network Monitor 3.x (is now the only supported capture tool on ATA Gateway)

• Performance Monitor

• Windows Security Log Forwarding checks• Event viewer on the source server (DC)

• Event viewer on the destination server (ATA Gateway)

36

Configuration – ATA Gateway – Check

37

Configuration – ATA Gateway – Check

38

Configuration – ATA Gateway – Check

39

Configuration – ATA Gateway – Check

40

Configuration – ATA Gateway – Detection

41

Configuration – ATA Gateway – CEIP

42

Configuration – NAT & DA exceptions

43

High-performance storage – MongoDB

44

Capacity Planning – Performance Monitor

45

Capacity Planning – Collecting PerfData

46

Capacity Planning – ATA Center

47

Capacity Planning – ATA Gateway

48

HackingSamples

• Obtaining credentials

• Pass-the-Hash Attack

• DCSync Attack (DRS-R)

• Pass-the-Ticket Attack

• Golden Ticket Attack

• Brute-Force Attack

• Remote Execution Attack

49

Obtaining credentials

• Workstations/Servers (Local/RDP)• Memory (User, Computer)

• Registry (Computer)

• Saved Credentials (DPAPI Backup Key required)

• Domain Controllers• Online (Memory, DRS-R)

• Offline (VHD, Backup)

• …

50

Pass-the-Hash Attack

51

DCSync Attack (DRS-R)

52

DCSync Detection

53

DCSync Detection using ATA (TBD)

54

Pass-the-Ticket Attack

55

Golden Ticket Attack

56

Brute-Force Attack

57

Remote Execution Attack

58

Business notes • Výhody ATA

• Pricing

• Sizing

• Rizika nasazení

59

Výhody řešení ATA

• Hotové řešení – podpora MS

• Nízká pracnost nasazení

• Analýza• Detekce známých útoků

• Heuristická behaviorální analýza

• Učící se funkce

• Detekční nástroje (značné omezení detekcí „false positive“)

• Alerting• Konzola (timeline)

• SIEM

• Emailové notifikace

60

ATA Pricing • EMS• $8,75 / month / user

• Pro 1500 uživatelů:• $157.500,- za rok

• ATA + Bonus:• Azure AD Premium

• Azure Rights Management Premium

• Intune

• Azure RemoteApp

• Windows Server CAL

• MIM CAL

61

• Stand-alone• $80,- / licence + SA

• Pro 1500 uživatelů:• $120.000,- za rok

ATA Server Sizing

62

• ATA Center:

• ATA Gateway:

Packets per

secondCPU (cores) Memory (GB) OS Storage (GB)

Database storage

per day (GB)

Database storage

per month (GB)IOPS

1,000 4 48 200 1.5 45 30 (100)

10,000 4 48 200 15 450 200 (300)

40,000 8 64 200 60 1,800 500 (1,000)

100,000 12 96 200 150 4,500 1,000 (1,500)

200,000 16 128 200 300 9,000 2,000 (2,500)

Packets per second CPU (cores) Memory (GB) OS storage (GB)

10,000 4 12 80

20,000 8 24 100

40,000 16 64 200

Rizika nasazení • Může si vyžádat pokročilejší konfiguraci aktivních síťových prvků (switchů)

• Může si vyžádat instalaci několika ATA Gateways (a tedy licencí Windows Server Standard nebo vyšších + HW kapacit)

• Výběr vhodného umístění v síti

• HW nároky

• Potřebný počet ATA Gateways – problematické zejména u klastrových prostředí (Hyper-V, VMWare, apod.)

63

OUTRO

64

Outro: Check Twitter

65

Outro: Check Twitter

66

67

„Jsme silní i tam,

kde jiným síly docházejí.“