MICROSOFT ADVANCED THREAT ANALYTICS

#LSS35

ABOUT THE PANEL

Akin GumpJeremy Phelps - Direction of Information Security

Brian Cooke - Enterprise Applications Manager Bob Davis - Information Security Manager

Kraft & Kennedy, Inc.Dominick Ciacciarelli - Practice Architect

POLL

• How many people are familiar with Microsoft Advanced Threat Analytics?

• How many people have installed Microsoft Advanced Threat Analytics?

AGENDA

• Quick Overview• Deployment Considerations• Akin Gump’s ATA Story

– Deployment, Tuning & Threat Detection

ATA OVERVIEW

• What is Microsoft Advanced Threat Analytics?• What benefits can it provide?• What is so Analytical about ATA?

ATA IS NOT

• Border/Perimeter Security• Anti Virus/Malware Scanning• Network Protection Device• Silver Bullet

WHY ATA?

ANALYTICS???

BENEFITS OF ATA

DEPLOYMENT CONSIDERATIONS

• Licensing• Sizing• Deployment Models• Integration Considerations

LICENSING

• Per User/Device• Via Enterprise CAL suite• Through EMS or ECS Suites*

*You May Already Own It – Check your EA.

SIZING

• Use ATA Sizing tool – Don’t Guess• Traffic Drives Sizing• Traffic Influenced by AD Topology

DEPLOYMENT

DEPLOYMENT

AKIN’S ATA STORY

• 2016 – We passed• 2017 – Incorporated ATA into AD Redesign

INSTALLATION OVERVIEW

If you started installing ATA when this presentation began, you might be done by now.

• Preparation• Installation & Configuration• Console Layout

ATA ACTION CENTER CONSOLE

ATA HEALTH CENTER CONSOLE

ATA ALERTS

• System Health Alerts• Security Events

ATA SUSPICIOUS ACTIVITY ALERT

ATA SUSPICIOUS ACTIVITY ALERT

ATA HEALTH ALERT

TUNING – WEEK 1

High Alert “Malicious replication of directory services”

Medium Alerts“Reconnaissance using account enumeration”

“Unusual protocol implementation”“Reconnaissance using directory services enumeration”

“Sensitive account credentials exposed”

OVERALL IMPRESSIONS?

• Worth implementation, especially if you already own it.

• Can help clean up your AD environment and identify misconfigurations that could lead to compromise.

• Can potentially identify serious breaches including Golden / Silver tickets, that would be difficult to detect otherwise.

WEEK 1 - ACTIONABLE FINDINGS?

• Reconnaissance using account enumeration –Check with system owners, whitelist in ATA

• Unusual protocol implementation – Check with NAC vendor and verify traffic was expected, whitelist in ATA.

• Sensitive account credentials exposed –Configure applications to use secure LDAP

GREAT FOR AD QUERIES

Quick Search for AD User, Computers & Groups• General Account Information • Computers Recently Logged Onto • Recently Accessed Resources• Password Activity • Suspicious Activity• Recent Changes

ATA AS A RESEARCH TOOL

ATA AS A RESEARCH TOOL

Why are certain accounts considered sensitive?

This happens when an account is a member of certain groups which we designate as sensitive (for example: "Domain Admins").

WHAT THREATS DOES ATA LOOK FOR?

WHAT DOES MICROSOFT SAY?

ReconnaissanceReconnaissance using account enumeration

Net Session Enumeration Reconnaissance using DNS

Reconnaissance using directory services enumeration

Compromised CredentialsBrute force

Sensitive account exposed in plain text authenticationService exposing accounts in plain text authentication

Honey Token account suspicious activitiesUnusual protocol implementation

Malicious Data Protection Private Information RequestAbnormal Behavior

Lateral MovementPass the ticket / Pass the hash

Over-pass the hash Abnormal behavior

Privilege EscalationMS14-068 exploit (Forged PAC) MS11-013 exploit (Silver PAC)

Domain DominanceSkeleton key malware

Golden ticketRemote execution

Malicious replication requests

EXAMPLE 1

• Scenario – Reconnaissance using directory services enumeration

• Test – Use of “Net User /Domain” and “Net Group /Domain” commands to enumerate users and groups.

• Result - ATA picks up on the activity and alerts with PC name and User that ran the command.

EXAMPLE 2

• Scenario – Reconnaissance using SMB Session Enumeration

• Test – Run the Netsess tool against a domain controller to enumerate all NetBIOS sessions

• Result - ATA correctly identifies the machine and user running the command as well as all accounts that were potentially exposed.

EXAMPLE 3

• Scenario – Pass the hash exploits• Test – Use of Keimpx and Metasploit SMB

Login Check to spray hashes and open remote terminals.

• Result - Neither tool was identified by ATA. Local and Domain hashes were successfully and unsuccessfully passed without ATA alerting.

OUR TAKE ALWAYS

• Low TOC• Helpful Tool• Can Identify Noisy Events

– Configuration errors or – Rogue administrators or curios users

• Targeted Attacks?