Windows Server 2019 – Advanced Threat Analytics


In my opinion, one of the coolest security features to come out of Microsoft over the past few years is Advanced Threat Analytics (ATA), and yet I hardly hear anyone talking about it. It’s not a feature or function built into the Windows Server OS, not yet anyway, but is on-premises software that rides on top of Windows to produce some amazing functionality. Essentially, what ATA does is monitor all of your Active Directory traffic and warn you of dangerous or unusual behavior in real time, immediately as it is happening.

The idea of ATA is pretty simple to understand, and makes so much common sense that we are all going to wonder why it took so long to put into place. The reason is that, under the hood, the processing and learning that ATA is doing is very advanced. Yes, I said learning. This is the coolest part of ATA. You configure your network so that all of the traffic flowing in or out of your Domain Controllers also lands on the ATA system. The most secure way to accomplish this is at the networking level, establishing port mirroring so that all of the Domain Controller packets also make their way to ATA, but at a level that an attacker would not be able to see. This way, even if someone nefarious is inside your network and is on the lookout for some kind of protections working against them, ATA remains invisible to their prying eyes. However, port mirroring that traffic is something that smaller companies may not be able to do, or it may be too complex for an initial setup, and so a second option exists: installing an ATA lightweight agent right onto the Domain Controllers themselves. This agent then sends the necessary information over to the ATA processing servers.

In either case, those ATA processing servers receive all of this data, and start finding patterns. If Betty uses a desktop computer called BETTY-PC and a tablet called BETTY-TABLET, ATA will see that pattern and associate her user account with those devices. It also watches for her normal traffic patterns. Betty usually logs in around 8 a.m. and her traffic usually stops somewhere around 5 p.m. She typically accesses a few file servers and a SharePoint server. After a week or so of collecting and monitoring data, ATA has a pretty good idea of Betty’s standard MO.

Now, one night, something happens. ATA sees a bunch of password failures against Betty’s account. That in itself might not be something to get too excited about, but then all of a sudden Betty logs into a terminal server that she doesn’t typically access. From there, her credentials are used to access a Domain Controller. Uh oh, this clearly sounds like an attack to me. With the tools built into Active Directory that we currently have at our disposal, what do we know? Nothing, really. We might see the password failures if we dig into the event logs, and based on that we could try poking around other servers’ event logs in order to find out what that account was accessing, but we really wouldn’t have any reason to suspect anything. This could be the beginning of a very large breach, and we would never see it. Thankfully, ATA knows better.

The management interface for ATA is like a social media feed, updated almost in real time. During the events I have just laid out, if we had been looking at the ATA feed, we would have seen each of the items I pointed out appear as it happened, and it would be immediately obvious that someone compromised Betty’s account and used it to gain access to a Domain Controller. There has never been a technology that watches Active Directory traffic so intensely, and there has certainly never been anything that learns patterns and behavioral deviations like this. It is truly an amazing technology, and I don’t say that only because I happen to know the guys who built it. But since I do, I can tell you that they are brilliant, which is already pretty obvious since Microsoft scooped them up.
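The baseline-then-deviation idea from the Betty scenario can be sketched in a few lines. This is an added illustration, not ATA's algorithm or Microsoft code; the host names (TS01, DC01, FILE01, SHAREPOINT01), timestamps, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed logon events: (timestamp, user, host, outcome). Not real ATA data.
BASELINE = [
    ("2019-10-07 08:02", "betty", "BETTY-PC", "success"),
    ("2019-10-07 16:55", "betty", "FILE01", "success"),
    ("2019-10-08 08:05", "betty", "BETTY-TABLET", "success"),
    ("2019-10-08 13:40", "betty", "SHAREPOINT01", "success"),
]
NIGHT = [
    ("2019-10-15 02:11", "betty", "TS01", "failure"),
    ("2019-10-15 02:12", "betty", "TS01", "failure"),
    ("2019-10-15 02:13", "betty", "TS01", "failure"),
    ("2019-10-15 02:14", "betty", "TS01", "success"),   # terminal server
    ("2019-10-15 02:20", "betty", "DC01", "success"),   # Domain Controller
    ("2019-10-15 08:03", "betty", "BETTY-PC", "success"),
]

def learn(events):
    """Build a per-user profile: hosts logged on to and hours of activity."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, outcome in events:
        if outcome == "success":
            profile[user]["hosts"].add(host)
            profile[user]["hours"].add(datetime.strptime(ts, FMT).hour)
    return profile

def detect(events, profile, fail_threshold=3, window=timedelta(minutes=30)):
    """Flag successful logons that deviate (a user with no baseline always does)."""
    alerts, failures = [], defaultdict(list)
    for ts, user, host, outcome in events:
        when = datetime.strptime(ts, FMT)
        if outcome == "failure":
            failures[user].append(when)
            continue
        known = profile.get(user, {"hosts": set(), "hours": set()})
        reasons = []
        if host not in known["hosts"]:
            reasons.append("new host")
        lo, hi = min(known["hours"], default=0), max(known["hours"], default=-1)
        if not lo <= when.hour <= hi:
            reasons.append("unusual hour")
        recent = [f for f in failures[user] if timedelta(0) <= when - f <= window]
        if len(recent) >= fail_threshold:
            reasons.append(f"{len(recent)} recent failures")
        if reasons:
            alerts.append((ts, user, host, reasons))
    return alerts
```

Calling `detect(NIGHT, learn(BASELINE))` flags the 02:14 terminal server logon and the 02:20 Domain Controller access, each with all three reasons, while the 08:03 logon on BETTY-PC passes quietly.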

At this point, ATA is still new enough that most of the IT community hasn’t had any interaction with it, and I strongly encourage you to change that. It may save your bacon one day. The following is a screenshot of the ATA web interface so you can get a visual on that social media-style feed. This screenshot was taken from a Microsoft demo where they purposefully stole the Kerberos ticket from a user, and then utilized it on another computer in order to access some confidential files that only Demi Albuz should have been able to access. While ATA did not stop this activity, it immediately—and I mean within seconds—alerted inside this feed to show the Pass-the-Ticket Attack:

Here’s another example where a user named Almeta Whitfield suddenly accessed 16 computers that she does not usually access, another big red flag that something is going on with her user account:

For more information or to get started using ATA, make sure to check out the following link: https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata.
