MICROSOFT ADVANCED THREAT ANALYTICS
#LSS35
ABOUT THE PANEL
Akin Gump
Jeremy Phelps - Director of Information Security
Brian Cooke - Enterprise Applications Manager
Bob Davis - Information Security Manager
Kraft & Kennedy, Inc.
Dominick Ciacciarelli - Practice Architect
POLL
• How many people are familiar with Microsoft Advanced Threat Analytics?
• How many people have installed Microsoft Advanced Threat Analytics?
AGENDA
• Quick Overview
• Deployment Considerations
• Akin Gump’s ATA Story
– Deployment, Tuning & Threat Detection
ATA OVERVIEW
• What is Microsoft Advanced Threat Analytics?
• What benefits can it provide?
• What is so Analytical about ATA?
ATA IS NOT
• Border/Perimeter Security
• Anti-Virus/Malware Scanning
• Network Protection Device
• Silver Bullet
WHY ATA?
ANALYTICS???
BENEFITS OF ATA
DEPLOYMENT CONSIDERATIONS
• Licensing
• Sizing
• Deployment Models
• Integration Considerations
LICENSING
• Per User/Device
• Via Enterprise CAL suite
• Through EMS or ECS Suites*
*You May Already Own It – Check your EA.
SIZING
• Use ATA Sizing tool – Don’t Guess
• Traffic Drives Sizing
• Traffic Influenced by AD Topology
DEPLOYMENT
AKIN’S ATA STORY
• 2016 – We passed
• 2017 – Incorporated ATA into AD Redesign
INSTALLATION OVERVIEW
If you started installing ATA when this presentation began, you might be done by now.
• Preparation
• Installation & Configuration
• Console Layout
ATA ACTION CENTER CONSOLE
ATA HEALTH CENTER CONSOLE
ATA ALERTS
• System Health Alerts
• Security Events
ATA SUSPICIOUS ACTIVITY ALERT
ATA HEALTH ALERT
TUNING – WEEK 1
High Alert
• “Malicious replication of directory services”
Medium Alerts
• “Reconnaissance using account enumeration”
• “Unusual protocol implementation”
• “Reconnaissance using directory services enumeration”
• “Sensitive account credentials exposed”
OVERALL IMPRESSIONS?
• Worth implementation, especially if you already own it.
• Can help clean up your AD environment and identify misconfigurations that could lead to compromise.
• Can potentially identify serious breaches including Golden / Silver tickets, that would be difficult to detect otherwise.
WEEK 1 - ACTIONABLE FINDINGS?
• Reconnaissance using account enumeration – Check with system owners, whitelist in ATA.
• Unusual protocol implementation – Check with NAC vendor and verify traffic was expected, whitelist in ATA.
• Sensitive account credentials exposed – Configure applications to use secure LDAP.
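An added example, not from the deck or from Microsoft: the ATA alert above names the account that was exposed, but before moving applications to secure LDAP you need the list of clients still binding in clear text. Domain controllers can log that themselves (Directory Service log, Event ID 2889, once the "16 LDAP Interface Events" diagnostic is set to level 2), and this PowerShell enables that logging and summarises the events by client and identity. The registry path, event ID and message layout are Microsoft's; the function names, the sample message and the CONTOSO values are constructed for the example.

```powershell
# Added example: inventory clients that still bind to AD over clear-text LDAP.
# Assumes it runs as an administrator on a domain controller.

function Enable-LdapBindDiagnostics {
    # Level 2 for "16 LDAP Interface Events" makes the DC log Event 2889 for every
    # SASL bind without signing and every simple bind over a non-TLS connection.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function ConvertFrom-LdapBindEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # The 2889 message body carries the client IP:port, the identity that was used
    # and the binding type (0 = SASL bind without signing, 1 = simple bind in clear text).
    $pattern = '(?s)Client IP address:\s*(?<ip>\S+).*?authenticate as:\s*(?<id>[^\r\n]+).*?Binding Type:\s*(?<type>\d)'
    if ($Message -match $pattern) {
        $bindType = if ($Matches.type -eq '1') { 'SimpleBind-ClearText' } else { 'SASL-Unsigned' }
        [pscustomobject]@{
            Client      = ($Matches.ip -split ':')[0]   # drop the ephemeral source port
            Identity    = $Matches.id.Trim()
            BindingType = $bindType
        }
    }
}

function Get-ClearTextLdapBinders {
    param([int]$Days = 7)
    # One row per (client, identity, binding type); the noisiest offenders come first.
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LdapBindEventMessage -Message $_.Message } |
        Group-Object Client, Identity, BindingType |
        ForEach-Object {
            [pscustomobject]@{
                Client = $_.Group[0].Client; Identity = $_.Group[0].Identity
                BindingType = $_.Group[0].BindingType; Binds = $_.Count
            }
        } | Sort-Object Binds -Descending
}

# Constructed sample message (not a real event) so the parser can be tried offline.
$sample = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.0.0.25:51234
Identity the client attempted to authenticate as:
CONTOSO\svc-helpdesk
Binding Type:
1
"@
ConvertFrom-LdapBindEventMessage -Message $sample | Format-List
```

Run `Enable-LdapBindDiagnostics` on each DC, wait a week of normal activity, then `Get-ClearTextLdapBinders` gives the client list to work through with application owners; the account ATA flagged should appear under Identity.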
GREAT FOR AD QUERIES
Quick Search for AD Users, Computers & Groups
• General Account Information
• Computers Recently Logged Onto
• Recently Accessed Resources
• Password Activity
• Suspicious Activity
• Recent Changes
ATA AS A RESEARCH TOOL
Why are certain accounts considered sensitive?
This happens when an account is a member of certain groups which we designate as sensitive (for example: "Domain Admins").
WHAT THREATS DOES ATA LOOK FOR?
WHAT DOES MICROSOFT SAY?
Reconnaissance
• Reconnaissance using account enumeration
• Net Session Enumeration
• Reconnaissance using DNS
• Reconnaissance using directory services enumeration
Compromised Credentials
• Brute force
• Sensitive account exposed in plain text authentication
• Service exposing accounts in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information Request
• Abnormal Behavior
Lateral Movement
• Pass the ticket / Pass the hash
• Over-pass the hash
• Abnormal behavior
Privilege Escalation
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
Domain Dominance
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
EXAMPLE 1
• Scenario – Reconnaissance using directory services enumeration
• Test – Use of “Net User /Domain” and “Net Group /Domain” commands to enumerate users and groups.
• Result - ATA picks up on the activity and alerts with PC name and User that ran the command.
EXAMPLE 2
• Scenario – Reconnaissance using SMB Session Enumeration
• Test – Run the Netsess tool against a domain controller to enumerate all NetBIOS sessions
• Result - ATA correctly identifies the machine and user running the command as well as all accounts that were potentially exposed.
EXAMPLE 3
• Scenario – Pass the hash exploits
• Test – Use of Keimpx and Metasploit SMB Login Check to spray hashes and open remote terminals.
• Result - Neither tool was identified by ATA. Local and Domain hashes were successfully and unsuccessfully passed without ATA alerting.
OUR TAKEAWAYS
• Low TCO
• Helpful Tool
• Can Identify Noisy Events
– Configuration errors, or
– Rogue administrators or curious users
• Targeted Attacks?