Due to the changing nature of Cyber Security threats for the last couple of years and the focus on compromising User credentials and identity with different type of attacks as Pass the Hash the need for a new proactive security tool as Microsoft Advanced Threat Analytics (ATA) was a must to be added to any corporate arsenal of tools to detect such type of attacks.

Microsoft Advanced Threat Analytics tool analyze data from three data sources (Active Directory Database, Active Directory Traffic and SIEM solutions) and learn about the entities in your organization and their behavior and then start to detect suspicious events.

Microsoft ATA targets three categories of Risks

  1. Security Issues and Risks (Broken Trust, Weak Protocols and known Protocol vulnerabilities)
  2. Malicious Attacks (Pass the Hash, Pass the Ticket, BruteForce……..etc)
  3. Abnormal Behavior (Suspicious activities, Password sharing, lateral movement…….etc)
Microsoft Recommends around 3-4 weeks for the ATA engine to learn about your environment and start detecting abnormal behavior, latest MS Office well this is for the 3rd category (abnormal Behavior), as for the first and second category (Security Risk and Malicious attacks) this will be done instantly after installation of ATA (Real time)
There are two components in ATA (Gateway and Center), Gateway collects all data using port mirroring and its sent to the Center where all processing occurs.
Gateway

  1. Capture Data from DCs via Port Mirroring
  2. Listen to Multiple DCs from Multiple Domains
  3. Receive Event from SIEM
  4. Retrieve data from entities in domain
  5. Perform name resolution of network entities
  6. Transfer Relevant data to ATA Center
Center
  1. Manage ATA Gateway Configuration Setting
  2. Receive data from ATA Gateway and store in DB
  3. Detect Suspicious activity and abnormal behavior (Machine Learning)
  4. Provide Web Management Interface
  5. Support Multiple Gateways
What is the ATA Pre-deployment Checklist ?
  1. Configure Port Mirroring from DCs (Domain Controllers) to ATA Gateway.
  2. Create domain User (Read only)
  3. KB2919355/KB2919442 installed on the Gateway machine or VM
  4. ATA Center has 2 static IP addresses
  5. Optional – Deploy Certificates from your internal PKI. For demo only you can use self signed certificates.
  6. ATA Gateway has 2 NICs (Network Cards)
  7. ATA Gateway Account either Local admin account on the ATA Gateway server or member of the ATA built-in Group
In Part 2 I will start deploying ATA and configuring both Gateway and Center machines/VMs.

You can check part 2 from the following link

http://itcalls.blogspot.com.eg/2016/04/microsoft-advanced-threat-analytics-ata_19.html