What’s Microsoft Advanced Threat Analytics?
Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats. Advanced Threat Analytics (ATA) leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by ATA via:
- Port mirroring from Domain Controllers and DNS servers to the ATA Gateway and/or
- Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers
ATA takes information from multiple data-sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization, and builds a behavioral profile about them. ATA can receive events and logs from:
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (for the Lightweight Gateway)
Microsoft Advanced Threat Analytics Architecture
ATA monitors your domain controller network traffic by utilizing port mirroring to an ATA Gateway using physical or virtual switches. If you deploy the ATA Lightweight Gateway directly on your domain controllers, it removes the requirement for port mirroring. In addition, ATA can leverage Windows events (forwarded directly from your domain controllers or from a SIEM server) and analyze the data for attacks and threats. This section describes the flow of network and event capturing and drills down to describe the functionality of the main components of ATA: the ATA Gateway, ATA Lightweight Gateway (which has the same core functionality as the ATA Gateway), and the ATA Center.
Microsoft Advanced Threat Analytics Components
ATA consists of the following components:
- ATA Center
The ATA Center receives data from any ATA Gateways and/or ATA Lightweight Gateways you deploy.
- ATA Gateway
The ATA Gateway is installed on a dedicated server that monitors the traffic from your domain controllers using either port mirroring or a network TAP.
- ATA Lightweight Gateway
The ATA Lightweight Gateway is installed directly on your domain controllers and monitors their traffic directly, without the need for a dedicated server or configuration of port mirroring. It is an alternative to the ATA Gateway.
An ATA deployment can consist of a single ATA Center connected to all ATA Gateways, all ATA Lightweight Gateways, or a combination of ATA Gateways and ATA Lightweight Gateways.
What Does ATA Do?
ATA technology detects multiple suspicious activities, focusing on several phases of the cyber-attack kill chain including:
- Reconnaissance, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist. Typically, this is where attackers build plans for their next phases of attack.
- Lateral movement cycle, during which an attacker invests time and effort in spreading their attack surface inside your network.
- Domain dominance (persistence), during which an attacker captures the information that allows them to resume their campaign using various sets of entry points, credentials, and techniques.
These phases of a cyber attack are similar and predictable, no matter what type of company is under attack or what type of information is being targeted. ATA searches for three main types of attacks: Malicious attacks, abnormal behavior, and security issues and risks.
Malicious attacks are detected deterministically, by looking for the full list of known attack types including:
- Pass-the-Ticket (PtT)
- Pass-the-Hash (PtH)
- Forged PAC (MS14-068)
- Golden Ticket
- Malicious replications
- Brute Force
- Remote execution
Abnormal behavior is detected by ATA using behavioral analytics and leveraging Machine Learning to uncover questionable activities and abnormal behavior in users and devices in your network, including:
- Anomalous logins
- Unknown threats
- Password sharing
- Lateral movement
- Modification of sensitive groups
ATA also detects security issues and risks, including:
- Broken trust
- Weak protocols
- Known protocol vulnerabilities
ATA Deployment Overview
ATA Capacity Planning
ATA Sizing Tool helps you determine how many ATA servers are needed to monitor your network. It helps you figure out how many ATA Gateways and/or ATA Lightweight Gateways you need and the server capacity for your ATA Center and ATA Gateways.