Looking to protect your enterprise from data threats? Consider utilizing Microsoft Advanced Threat Analytics! Advanced Threat Analytics (ATA) is an on-premises solution designed to safeguard organizations against a variety of advanced, targeted cyber-attacks and insider threats.
ATA observes domain controller network traffic by means of port mirroring, which copies that traffic to an ATA Gateway through physical or virtual switches. Deploying the ATA Lightweight Gateway directly on the domain controllers removes the need for port mirroring.
Furthermore, ATA can consume Windows events, forwarded either directly from the domain controllers or from a SIEM (Security Information and Event Management) server, and analyze them to detect attacks and threats.
Want to learn more about Microsoft ATA? Continue reading!
Microsoft ATA: What does it do?
Microsoft Advanced Threat Analytics technology identifies numerous suspicious activities, with a particular emphasis on various stages of the cyber-attack kill chain, which include:
● Reconnaissance: At this stage, attackers collect data about the structure of the environment, the assets present, and the entities involved. This is typically where attackers formulate plans for their subsequent attack phases.
● Lateral Movement Cycle: During this phase, attackers dedicate time and effort to expanding their attack reach within a network.
● Domain Dominance: In this stage, attackers obtain information that enables them to continue their campaign by utilizing a range of entry points, credentials, and techniques.
These stages of a cyber-attack are consistent and predictable, irrespective of the nature of the company or the specific data being targeted. The purpose of these detections is to identify advanced attacks and insider threats proactively, before they harm the organization. Each stage has its own set of suspicious activities that ATA detects, and each suspicious activity maps to one or more possible attack scenarios.
Microsoft ATA: What are the types of attacks it looks for?
ATA seeks out three primary categories of attacks, which include:
1. Malicious Attacks
Malicious attacks are identified through a deterministic approach, which involves searching for a comprehensive range of established attack types, such as Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, Malicious replications, etc. ATA identifies these questionable actions and presents the information in the ATA Console, providing a transparent overview that includes details about the Who, What, When, and How of these activities.
2. Abnormal Behavior
ATA employs behavioral analytics and harnesses Machine Learning to uncover unusual activities and irregular behavior in users and devices within a network, which encompass unusual login patterns, unidentified threats, password sharing, lateral movement, and changes to sensitive groups. You can review suspicious activities of this nature within the ATA Dashboard.
3. Security Issues & Risks
ATA also identifies security concerns and vulnerabilities, such as compromised trust, vulnerable protocols, and recognized protocol weaknesses. You can access information about these suspicious activities via the ATA Dashboard.
Microsoft ATA: How does it work?
Microsoft Advanced Threat Analytics uses a proprietary network parsing engine to capture and analyze network traffic for protocols such as Kerberos, DNS, RPC and NTLM, among others, looking at activity related to authentication, authorization and data collection. ATA acquires this traffic through:
● The process of port mirroring that redirects network traffic from Domain Controllers and DNS servers to the ATA Gateway.
● The implementation of an ATA Lightweight Gateway (LGW) directly on Domain Controllers.
ATA aggregates data from various sources within a network, including logs and events, to understand the behaviors of users and other entities within the organization. It creates a behavioral profile based on this information. ATA is capable of receiving events and logs through:
● Integration with Security Information and Event Management (SIEM) systems.
● Windows Event Forwarding (WEF).
● Windows Event Collector, when using the Lightweight Gateway.
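The two sections above describe ATA building a behavioral profile from forwarded Windows events and then flagging deviations such as unusual login patterns and changes to sensitive groups. The script below is an added illustration of that idea, not code from Microsoft ATA or from the original post: it runs over a small constructed sample of forwarded Security events (field names, account and host names are assumptions made for this example), learns which workstations each account normally authenticates from during a baseline window, and then raises alerts for a successful NTLM credential validation (event ID 4776) from a workstation outside that profile and for a member being added to a sensitive group (event IDs 4728, 4732 and 4756, member added to a security-enabled global, local or universal group).

```python
"""Toy behavioral detection over forwarded Windows Security events.

Added example; not ATA's own logic. Event IDs 4776/4728/4732/4756 are real
Windows Security event IDs, but the record layout below is a simplified
assumption: real WEF or SIEM payloads carry the full event XML.
"""
from collections import defaultdict

# Constructed sample of forwarded events. ISO-8601 timestamps in one format
# compare correctly as strings, which keeps the example dependency-free.
SAMPLE_EVENTS = [
    # Baseline days: normal NTLM credential validations (4776, status 0x0 = success)
    {"event_id": 4776, "time": "2023-05-01T08:01:00", "user": "alice", "workstation": "WS-ALICE", "status": "0x0"},
    {"event_id": 4776, "time": "2023-05-01T08:03:00", "user": "bob", "workstation": "WS-BOB", "status": "0x0"},
    {"event_id": 4776, "time": "2023-05-02T08:02:00", "user": "alice", "workstation": "WS-ALICE", "status": "0x0"},
    {"event_id": 4776, "time": "2023-05-02T09:15:00", "user": "bob", "workstation": "WS-BOB", "status": "0x0"},
    # Detection day: alice authenticates from a workstation never seen for her account
    {"event_id": 4776, "time": "2023-05-03T22:40:00", "user": "alice", "workstation": "WS-BOB", "status": "0x0"},
    # Detection day: a member is added to Domain Admins (4728), then to a harmless group
    {"event_id": 4728, "time": "2023-05-03T22:45:00", "user": "alice", "group": "Domain Admins", "member": "svc-backup"},
    {"event_id": 4728, "time": "2023-05-03T22:46:00", "user": "bob", "group": "Sales", "member": "carol"},
]

# Groups whose membership changes should always be reviewed (assumed list).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Member added to a security-enabled global / local / universal group.
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}


def build_logon_profile(events, baseline_end):
    """Learn the workstations each account successfully authenticated from before baseline_end."""
    profile = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 4776 and ev["status"] == "0x0" and ev["time"] < baseline_end:
            profile[ev["user"]].add(ev["workstation"])
    return profile


def detect_unusual_logons(events, profile, baseline_end):
    """Flag successful 4776 validations after baseline_end from a workstation outside the profile."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 4776 or ev["status"] != "0x0" or ev["time"] < baseline_end:
            continue
        if ev["workstation"] not in profile.get(ev["user"], set()):
            alerts.append((ev["time"], ev["user"], ev["workstation"]))
    return alerts


def detect_sensitive_group_changes(events):
    """Flag group-membership additions whose target group is in SENSITIVE_GROUPS."""
    alerts = []
    for ev in events:
        if ev["event_id"] in GROUP_CHANGE_EVENTS and ev.get("group") in SENSITIVE_GROUPS:
            alerts.append((ev["time"], ev["user"], ev["member"], ev["group"]))
    return alerts


if __name__ == "__main__":
    baseline_end = "2023-05-03T00:00:00"
    profile = build_logon_profile(SAMPLE_EVENTS, baseline_end)
    for when, user, host in detect_unusual_logons(SAMPLE_EVENTS, profile, baseline_end):
        print(f"{when} unusual logon: {user} from {host} (known: {sorted(profile[user])})")
    for when, actor, member, group in detect_sensitive_group_changes(SAMPLE_EVENTS):
        print(f"{when} sensitive group change: {actor} added {member} to {group}")
```

A real deployment would learn the profile continuously rather than from a fixed cut-off date, and would weight the alert by context (time of day, whether the host is a shared server, whether the group change was made through a ticketed change), but the two-phase structure, a learning window followed by comparison against the learned baseline, is what "behavioral analytics" amounts to in practice.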
Microsoft ATA: What are the issues to be aware of?
➔ If you transition from ATA 1.7 to ATA 1.8 directly, bypassing the initial update of the ATA Gateways, you won't be able to migrate to ATA 1.8. To proceed, it's imperative to first update all the Gateways to either version 1.7.1 or 1.7.2 before upgrading the ATA Center to version 1.8.
➔ A full migration can take a long time, depending largely on the size of the database. When choosing between the migration options, take note of the estimated time displayed before making your choice.
So, if you are in search of a specialized Microsoft solution partner for security and modern work, who can efficiently and expeditiously implement the right security and productivity tools, such as Microsoft Advanced Threat Analytics, Advanced Threat Protection, Microsoft Sentinel Workshop, and others, look no further than adaQuest!