![Page 1: Microsoft Advanced Threat Analytics Overviewdownload.microsoft.com/documents/cs-cz/enterprise/... · Changing nature of cyber-security attacks 5 Costing significant financial loss,](https://reader031.vdocuments.net/reader031/viewer/2022022609/5b91c37609d3f2c05d8c4fc2/html5/thumbnails/1.jpg)
Microsoft Advanced Threat Analytics Overview
Michael Horák, Mainstream Technologies s.r.o.
24. 3. 2016
Agenda
• ATA Overview
• ATA Deployment and Configuration
• Hacking Samples
• Business Notes
ATA Overview
• Why?
• The problem & the ATA
• ATA introduction
• How ATA works
• ATA topology
• ATA licensing
Sobering statistics
• $3.5M: the average cost of a data breach to a company
• 243: the average number of days that attackers reside within a victim's network before detection
• 76%: the share of all network intrusions that are due to compromised user credentials
• $500B: the total potential cost of cybercrime to the global economy
Changing nature of cyber-security attacks
Today's cyber attackers are:
• Compromising user credentials in the vast majority of attacks
• Using legitimate IT tools rather than malware, which makes them harder to detect
• Staying in the network an average of eight months before detection
• Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
The problem
Traditional IT security tools are typically:
• Designed to protect the perimeter: once user credentials are stolen and attackers are inside the network, your current defenses provide limited protection.
• Complex: initial setup, fine-tuning, and creating rules and thresholds/baselines can take a long time.
• Prone to false positives: you receive too many reports a day, with several false positives that consume valuable time you don't have.
The ATA
• History
  • 2010: Aorato company was founded.
  • Nov 2014: Microsoft buys Aorato.
  • Aorato's employees continue to work under the Microsoft label.
  • Aug 2015: Microsoft ATA released.
• ATA = Advanced Threat Analytics
  • Powerful security tool.
  • Continuous development of new detection routines.
  • "Easy" to deploy.
  • "Easy" to configure.
Introducing MS Advanced Threat Analytics
An on-premises platform to identify advanced security attacks before they cause damage.
Comparison: credit card companies monitor cardholders' behavior. If there is any abnormal activity, they notify the cardholder to verify the charge. Microsoft Advanced Threat Analytics brings this concept to the IT and the users of a particular organization.
Introducing MS Advanced Threat Analytics
An on-premises platform to identify advanced security attacks before they cause damage:
• Behavioral Analytics
• Detection for known attacks and issues
• Advanced Threat Detection
Advanced Threat Analytics Benefits
• Detect threats fast with Behavioral Analytics: no need for creating rules, fine-tuning or monitoring a flood of security reports; the intelligence needed is ready to analyze and self-learning.
• Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly-evolving enterprise.
• Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the "who, what, when and how" of your enterprise.
• Reduce the fatigue of false positives: alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity's behavior to its own behavior, but also to the profiles of other entities in its interaction path.
• Prioritize and plan for next steps: for each suspicious activity or known attack identified, ATA provides recommendations for the investigation and remediation.
Why Microsoft Advanced Threat Analytics?
• Adaptability
• Speed
• Simplicity
• Accuracy
Key features
• Mobility support: witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices.
• Integration to SIEM: works seamlessly with SIEM; provides options to forward security alerts to your SIEM or to send e-mails to specific people.
• Seamless deployment: functions as an appliance, hardware or virtual; utilizes port mirroring to allow seamless deployment alongside AD; does not affect the existing network topology.
How MS Advanced Threat Analytics works
1. Analyze
After installation:
• Simple non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory traffic
• Collects relevant events from SIEM and other sources
How MS Advanced Threat Analytics works
2. Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents a user, a device, or a resource.
How MS Advanced Threat Analytics works
3. Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect known attacks and security issues (regional or global)
ATA not only compares the entity's behavior to its own, but also to the behavior of entities in its interaction path.
How MS Advanced Threat Analytics works
4. Alert
ATA reports all suspicious activities on a simple, functional, actionable attack timeline.
ATA identifies: Who? What? When? How?
For each suspicious activity, ATA provides recommendations for the investigation and remediation.
How MS Advanced Threat Analytics works
Suspicious activity detected by ATA:
• Abnormal behavior: anomalous logins, unknown threats, password sharing, lateral movement
• Security issues and risks: broken trust, weak protocols, known protocol vulnerabilities
• Malicious attacks: Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, Skeleton Key malware, reconnaissance, brute force, remote execution
Topology
Topology - Gateway
• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from multiple domains on a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center
Topology - Center
• Manages ATA Gateway configuration settings
• Receives data from ATA Gateways and stores it in the database
• Detects suspicious activity and abnormal behavior (machine learning)
• Provides the web management interface
• Supports multiple Gateways
ATA Licensing
ATA Deployment and Configuration
• Installation & Configuration
  • ATA Center
  • ATA Gateway
  • Port mirroring
  • Service configuration
• Simple management using a web browser
• MongoDB
• Performance monitoring
• Capacity planning
Installation – ATA Center
• Domain membership: yes or no
• Disk sizing / database placement
• Network interfaces
  • IP addresses
  • Ports
• Web server certificates
• Local ATA Admins group
• Simple ATA Center setup
• ATA Center is a web application
Installation – ATA Gateway
• Domain membership: yes or no
• Network interfaces
  • 1x management interface
  • Multiple capture interfaces
  • Port mirroring configuration
  • IP addresses
  • Ports
• Windows Security Log forwarding
• HW sizing
• Web server certificates
• Simple ATA Gateway setup: the setup package is created on and downloadable from the ATA Center
Configuration – ATA Gateway
• Port mirroring, also known as SPAN (Switched Port Analyzer).
• May require considerable network configuration changes.
• Supported by Hyper-V, VMware, Cisco (of course), etc.
SPAN: limited to the same switch.
RSPAN (remote SPAN): spans multiple switches in the same L2 network segment.
ERSPAN (encapsulated remote SPAN): adds L3 (IP routing) support to RSPAN by encapsulating the mirrored frames in GRE (Cisco proprietary).
Configuration – ATA Gateway – Cisco
Configuration – ATA Gateway – Hyper-V
Configuration – ATA Gateway – Check
• Port mirroring checks
  • MS Network Monitor 3.x (now the only supported capture tool on the ATA Gateway)
  • Performance Monitor
• Windows Security Log forwarding checks
  • Event Viewer on the source server (DC)
  • Event Viewer on the destination server (ATA Gateway)
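The Hyper-V port-mirroring configuration and the two checks from the slides above, as one added PowerShell example that is not part of the original deck. The VM names DC01 and ATAGW01 and the adapter name Capture are assumptions; the cmdlets are the standard Hyper-V, Performance Monitor and Event Viewer ones. Event 4776 (NTLM credential validation) is the Security event ATA requires from each domain controller.

```powershell
# Added example, not from the original deck. Hyper-V port mirroring for an ATA Gateway
# plus the two checks from the "Configuration – ATA Gateway – Check" slide.
# Assumed names: DC VM 'DC01', gateway VM 'ATAGW01', the gateway's second (capture)
# vNIC 'Capture'. Part 1 runs on the Hyper-V host as an administrator.
#Requires -Modules Hyper-V

$DcVm       = 'DC01'      # assumption
$GwVm       = 'ATAGW01'   # assumption
$CaptureNic = 'Capture'   # assumption: dedicated vNIC with no IP address configured

# --- 1. Configure mirroring on the host ------------------------------------------
# Every adapter of the DC becomes a mirroring source ...
Get-VMNetworkAdapter -VMName $DcVm | Set-VMNetworkAdapter -PortMirroring Source

# ... and only the gateway's capture adapter becomes the destination. The management
# adapter keeps PortMirroringMode = None so it is not flooded with DC traffic.
Set-VMNetworkAdapter -VMName $GwVm -Name $CaptureNic -PortMirroring Destination

# Source and destination must share one virtual switch; Hyper-V mirroring does not
# cross switches or hosts. A DC on another host needs mirroring on the physical switch.
Get-VMNetworkAdapter -VMName $DcVm, $GwVm |
    Select-Object VMName, Name, SwitchName, PortMirroringMode |
    Format-Table -AutoSize

# --- 2. Check on the ATA Gateway: is mirrored traffic arriving? -------------------
# Performance Monitor counter sampled for 10 s. A healthy capture NIC shows a steady
# packet rate even though it has no IP address; zero means mirroring is broken.
function Get-CapturePacketRate {
    param([int]$Seconds = 10)
    $samples = Get-Counter '\Network Interface(*)\Packets Received/sec' `
                           -SampleInterval 1 -MaxSamples $Seconds
    $samples.CounterSamples |
        Where-Object { $_.InstanceName -notmatch 'isatap|loopback|teredo' } |
        Group-Object InstanceName |
        ForEach-Object {
            [pscustomobject]@{
                # the counter instance is the driver description, not the friendly NIC name
                Adapter          = $_.Name
                AvgPacketsPerSec = [math]::Round(
                    ($_.Group | Measure-Object CookedValue -Average).Average, 1)
            }
        }
}
Get-CapturePacketRate | Format-Table -AutoSize

# --- 3. Check Windows Security Log forwarding -------------------------------------
# ATA needs event 4776 (NTLM credential validation) from every DC. On the DC: is the
# event generated at all? On the gateway: does it arrive in the Forwarded Events log,
# with MachineName showing the originating DC?
$xpath = '*[System[EventID=4776]]'
# on the DC:
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 3 |
    Select-Object TimeCreated, MachineName, Id
# on the ATA Gateway:
Get-WinEvent -LogName ForwardedEvents -FilterXPath $xpath -MaxEvents 3 |
    Select-Object TimeCreated, MachineName, Id
```

If the ForwardedEvents query on the gateway returns nothing while the DC query does, the problem is in the event-forwarding subscription (or the SIEM forwarder) rather than in ATA itself.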
Configuration – ATA Gateway – Detection
Configuration – ATA Gateway – CEIP
Configuration – NAT & DA exceptions
High-performance storage – MongoDB
Capacity Planning – Performance Monitor
Capacity Planning – Collecting PerfData
Capacity Planning – ATA Center
Capacity Planning – ATA Gateway
Hacking Samples
• Obtaining credentials
• Pass-the-Hash Attack
• DCSync Attack (DRS-R)
• Pass-the-Ticket Attack
• Golden Ticket Attack
• Brute-Force Attack
• Remote Execution Attack
Obtaining credentials
• Workstations/servers (local/RDP)
  • Memory (user, computer)
  • Registry (computer)
  • Saved credentials (DPAPI backup key required)
• Domain controllers
  • Online (memory, DRS-R)
  • Offline (VHD, backup)
• …
Pass-the-Hash Attack
DCSync Attack (DRS-R)
DCSync Detection
DCSync Detection using ATA (TBD)
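The DCSync detection slides above, as an added PowerShell example that is not from the original deck (the deck marks ATA's own DCSync detection as TBD, so this is a stand-in built on the DC's audit log). DCSync requests directory replication over DRS-R; with the "Audit Directory Service Access" subcategory enabled, the DC records that as Security event 4662 carrying the replication control-access GUIDs. The check flags any such event whose subject is not on a replicator allow-list. The three GUIDs are the real Active Directory extended-right identifiers; the account names, allow-list and sample records are constructed.

```powershell
# Added example, not from the original deck: flag DCSync (DRS-R replication) requests
# recorded as Security event 4662 on a domain controller.
# Fact: these control-access right GUIDs appear in the 4662 "Properties" field when a
# principal reads replication data.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Assumption: legitimate replication comes from DC computer accounts and, where used,
# the Azure AD Connect account. Replace with your own allow-list.
$KnownReplicators = @('DC01$', 'DC02$', 'MSOL_a1b2c3d4')

function Test-DcSyncEvent {
    param(
        [Parameter(Mandatory)] [string] $SubjectUserName,
        [Parameter(Mandatory)] [string] $Properties      # raw 4662 "Properties" field
    )
    # Which replication rights does this 4662 mention? Non-replication 4662s return $null.
    $matched = foreach ($guid in $ReplicationRights.Keys) {
        if ($Properties -match [regex]::Escape($guid)) { $ReplicationRights[$guid] }
    }
    if (-not $matched) { return $null }
    [pscustomobject]@{
        Subject    = $SubjectUserName
        Rights     = ($matched | Sort-Object) -join ', '
        # Replication by anyone who is not a known replicator is the DCSync signature.
        Suspicious = ($KnownReplicators -notcontains $SubjectUserName)
    }
}

function ConvertFrom-4662 {
    # Turns a live EventRecord into the fields Test-DcSyncEvent needs.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    Test-DcSyncEvent -SubjectUserName $data['SubjectUserName'] -Properties $data['Properties']
}

# Live use on a DC (Success auditing for "Directory Service Access" must be enabled):
# Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4662]]' -MaxEvents 1000 |
#     ForEach-Object { ConvertFrom-4662 $_ } | Where-Object Suspicious

# Constructed sample records (not real log data) to exercise the logic offline.
# 19195a5b-... is the domainDNS object-class GUID that normally accompanies these rights.
$Samples = @(
    @{ SubjectUserName = 'DC02$'                     # normal inter-DC replication
       Properties = "%%7688`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`n`t{19195a5b-6da0-11d0-afd3-00c04fd930c9}" }
    @{ SubjectUserName = 'j.novak'                   # user account pulling all changes: DCSync
       Properties = "%%7688`n`t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`n`t{19195a5b-6da0-11d0-afd3-00c04fd930c9}" }
    @{ SubjectUserName = 'j.novak'                   # unrelated directory read, ignored
       Properties = "%%7688`n`t{bf967a86-0de6-11d0-a285-00aa003049e2}" }
)
$Samples |
    ForEach-Object { Test-DcSyncEvent -SubjectUserName $_.SubjectUserName -Properties $_.Properties } |
    Format-Table -AutoSize
```

Only the second record is reported as suspicious: the DC02$ replication is expected, and the third record carries no replication right at all. Because 4662 is only written when directory-access auditing is on, verify that audit policy on the DCs before relying on this check.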
Pass-the-Ticket Attack
Golden Ticket Attack
Brute-Force Attack
Remote Execution Attack
Business notes
• Advantages of ATA
• Pricing
• Sizing
• Deployment risks
Advantages of the ATA solution
• Ready-made solution with Microsoft support
• Low deployment effort
• Analysis
  • Detection of known attacks
  • Heuristic behavioral analysis
  • Self-learning
  • Detection tooling (considerably fewer false positives)
• Alerting
  • Console (timeline)
  • SIEM
  • E-mail notifications
ATA Pricing
• EMS (Enterprise Mobility Suite)
  • $8.75 / month / user
  • For 1,500 users: $157,500 per year
  • ATA + bonus: Azure AD Premium, Azure Rights Management Premium, Intune, Azure RemoteApp, Windows Server CAL, MIM CAL
• Stand-alone
  • $80 / licence + SA
  • For 1,500 users: $120,000 per year
ATA Server Sizing

ATA Center:

| Packets per second | CPU (cores) | Memory (GB) | OS storage (GB) | Database storage per day (GB) | Database storage per month (GB) | IOPS, average (peak) |
|---|---|---|---|---|---|---|
| 1,000 | 4 | 48 | 200 | 1.5 | 45 | 30 (100) |
| 10,000 | 4 | 48 | 200 | 15 | 450 | 200 (300) |
| 40,000 | 8 | 64 | 200 | 60 | 1,800 | 500 (1,000) |
| 100,000 | 12 | 96 | 200 | 150 | 4,500 | 1,000 (1,500) |
| 200,000 | 16 | 128 | 200 | 300 | 9,000 | 2,000 (2,500) |

ATA Gateway:

| Packets per second | CPU (cores) | Memory (GB) | OS storage (GB) |
|---|---|---|---|
| 10,000 | 4 | 12 | 80 |
| 20,000 | 8 | 24 | 100 |
| 40,000 | 16 | 64 | 200 |
Deployment risks
• May require more advanced configuration of active network devices (switches)
• May require installation of several ATA Gateways (and thus Windows Server Standard or higher licences plus HW capacity)
• Choosing a suitable location in the network
• HW requirements
• Required number of ATA Gateways: problematic especially in clustered environments (Hyper-V, VMware, etc.)
Outro
"We are strong even where others' strength runs out."