Microsoft Advanced Threat Analytics — Use Case and Deployment Process

Fadareak
5 min read · Dec 21, 2018


Advanced Persistent Threats (APTs) are long-term intrusions into your network in which attackers, having gained an initial foothold, take their time to gather information about your environment and plan their next moves. The Target credit card breach and the Ashley Madison data breach are two notable and successful APT attacks. Microsoft Advanced Threat Analytics (ATA) is an on-premises platform that combines analysis of the network traffic to your domain controllers, Windows event logs (pulled from a SIEM or forwarded with Windows Event Forwarding) and behavioural machine learning over the users and machines it observes to help detect APTs and unknown threats that signature-based tools miss.

Microsoft Advanced Threat Analytics is a security product from Microsoft that adds an extra layer of security to an enterprise. It is deployed on-premises to protect an organization's networks, and it uses the data gathered by all of its assigned ATA gateways to detect suspicious activity and malicious attacks.

Architecture

ATA has two popular deployment models for its gateways (the components that collect data and report it to the ATA Center).

  1. Direct deployment (what Microsoft calls the ATA Lightweight Gateway)
  2. Port mirroring (the standalone ATA Gateway)

I am of the opinion that the direct deployment is the best and least stressful, and you know the least stressful is really important, because the faster you are done with one deployment the faster you can move on to your next deployment.

With the direct deployment model you download the Lightweight Gateway (an agent) from the ATA Console and install it directly onto each domain controller you want to protect with ATA. The agent then reads the relevant Windows event logs on that DC and captures the network traffic going in and out of it. Think of it as Wireshark, but running in the background and shipping what it sees to the ATA Center.

The port-mirror option is a tad more complicated. The standalone gateway runs on its own server rather than on the domain controller; the network traffic going in and out of each DC is mirrored to that server (with a SPAN/RSPAN session on the switch or a network TAP) onto a dedicated capture NIC. Because the gateway is not on the DC, it cannot read the DC's event logs itself, so you also need to forward the required Windows events (at minimum event ID 4776, NTLM authentication) to the gateway, either from your SIEM over syslog or with Windows Event Forwarding.

Sizing up your Domain

Before deploying ATA into your environment you need to size your domain and understand the total data throughput of your domain controllers.

Different environments have different needs: for some, a single virtual machine is enough for the entire forest, while others need at least eight physical behemoth servers to process the traffic flowing through the different domains in the forest.

One thing that is important: an ATA Center serves exactly one forest. All the domains in that forest are covered by the same Center (you install gateways on the domain controllers of each domain), but if you operate more than one forest you need a separate ATA Center per forest, so plan capacity for each of them.

While sizing your domain you also need to consider the resource utilization of your domain controllers. The Lightweight Gateway dynamically throttles its own CPU and memory use so that at least 15% of the DC's capacity is always left free for the DC itself. This is a very important feature if you ask me, because at peak times you can rest assured that the gateway will not eat the last of your server's resources. The flip side is that on a DC that is already busy the gateway sheds traffic instead of analysing it, so a DC with too little headroom is a detection gap: either give it more capacity or cover it with a standalone gateway.

There is also a tool for this, the ATA Sizing Tool: download it, run it for about 24 hours, and it produces a CSV file with throughput and performance data for every domain controller in the domain.

ATA Sizing Tool CSV result page
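As an added example (my own script, not from the original post and not part of Microsoft's ATA tooling), here is a PowerShell headroom check that samples CPU, memory and packet rates on every domain controller in the current domain and flags those that do not leave the 15% the Lightweight Gateway reserves for the DC. The sample interval and count are assumptions chosen for a quick run; raise them for anything resembling the Sizing Tool's 24-hour window, and treat the Sizing Tool's output as the authoritative sizing input.

```powershell
# Added example, not from the original post: measure how much headroom each DC
# in the current domain actually has before choosing the Lightweight Gateway.
# The gateway keeps at least 15% of CPU and memory free for the DC, so a DC that
# already peaks above 85% will have its gateway throttled (and traffic dropped).
# Sample interval/count are assumptions; run for much longer for real sizing.
param(
    [int]$SampleIntervalSeconds = 5,
    [int]$MaxSamples = 12,                 # 12 x 5 s = one minute; raise for a longer run
    [int]$RequiredHeadroomPercent = 15,    # what the Lightweight Gateway reserves for the DC
    [string]$OutCsv = '.\dc-headroom.csv'
)

Import-Module ActiveDirectory

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\% Committed Bytes In Use',
    '\Network Interface(*)\Packets/sec'
)
$busyThreshold = 100 - $RequiredHeadroomPercent

function Get-PeakAndAverage {
    param([double[]]$Values)
    $m = $Values | Measure-Object -Average -Maximum
    [pscustomobject]@{ Avg = [math]::Round($m.Average, 1); Max = [math]::Round($m.Maximum, 1) }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # One sample set per interval; remote counters need the Remote Registry
        # service and the "Performance Logs and Alerts" firewall rule on the DC.
        $run = Get-Counter -ComputerName $dc.HostName -Counter $counters `
                           -SampleInterval $SampleIntervalSeconds -MaxSamples $MaxSamples -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): could not read counters ($($_.Exception.Message))"
        continue
    }
    $samples = $run.CounterSamples
    $cpu = Get-PeakAndAverage ($samples | Where-Object Path -like '*\% processor time' | ForEach-Object CookedValue)
    $mem = Get-PeakAndAverage ($samples | Where-Object Path -like '*\% committed bytes in use' | ForEach-Object CookedValue)
    # Packets/sec is reported per interface; sum the interfaces within each
    # sample set before taking the peak so a multi-NIC DC is not undercounted.
    $pps = Get-PeakAndAverage ($run | ForEach-Object {
        ($_.CounterSamples | Where-Object Path -like '*packets/sec' | Measure-Object CookedValue -Sum).Sum
    })

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        CpuAvgPct        = $cpu.Avg
        CpuMaxPct        = $cpu.Max
        MemMaxPct        = $mem.Max
        PacketsPerSecMax = $pps.Max
        # A comfortable fit for the Lightweight Gateway only if the DC stays
        # under the threshold even at its peak during the sampling window.
        LightweightOk    = ($cpu.Max -le $busyThreshold) -and ($mem.Max -le $busyThreshold)
    }
}

$report | Sort-Object LightweightOk, CpuMaxPct -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $OutCsv -NoTypeInformation
```

Run it from a management workstation with the RSAT ActiveDirectory module as an account that can read performance counters on the DCs. Any DC that comes back with LightweightOk set to False is a candidate for the port-mirror model instead, since on that DC the agent would spend its busiest hours throttled.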

Deploying Microsoft Advanced Threat Analytics

Step 1:

Microsoft Advanced Threat Analytics needs to be deployed on a server, so you can either provision a physical server (a box), or provision it as a VM or on Azure IaaS.

It is very important to size the domain you are working with, as this will inform the specifications of your ATA infrastructure.

In my most recent deployment of Microsoft ATA, I deployed it as a Hyper-V virtual machine. The specifications: 8 GB RAM, 400 GB HDD and 6 CPU cores; OS: Windows Server 2016 Datacenter.

It is very important to note that if you are working in a multi-forest environment, you will need to deploy one ATA Center for each forest.

You will also need to provision two network endpoints for the Center: one for the ATA Center service that the gateways report to, and one for the ATA Console (the web UI). Either give the server two IP addresses and use port 443 on both, or use a single IP address with two different ports.

Installing the ATA Center itself is pretty easy and straightforward, a next, next, next... finish kind of thing.

Step 2:

Now you need to provide a user account so that ATA can query your Active Directory. This account need not be anything complicated.

A standard domain user with read permissions is all it needs. Do not make it a Domain Admin: ATA only uses it for read-only directory lookups, so a dedicated least-privilege account keeps the damage small if the Center itself is ever compromised.

Step 3:

After deploying your ATA Center and completing the basic installation, the next step is deploying the gateways that collect data from your domain controllers.

You may choose either the Lightweight Gateway or the standalone gateway, depending on which serves you better.

In my most recent use case, I made use of a standalone gateway. You can download the install agent from the top left corner of the Gateway tab on your ATA home page.

After downloading the package, copy it to the server you are deploying it on (the domain controller itself for a Lightweight Gateway, or the dedicated capture server for a standalone gateway) and run the installer.

The same package installs both types: run it on a domain controller and it installs as a Lightweight Gateway; run it on a member server that receives mirrored DC traffic and it installs as a standalone gateway. Like I stated earlier, research the advantages of both and choose the one that best applies to your use case.

Ensure that gateways cover ALL domain controllers in your environment, including the DCs you have running in the cloud. ATA can only analyse the authentication traffic its gateways see, so any DC left uncovered is a blind spot that an attacker can authenticate against unobserved.
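To make the "ALL domain controllers" rule checkable rather than a matter of memory, here is an added PowerShell example (my own, not from the original post or from Microsoft) that walks every domain in the forest, lists every DC, and reports whether the ATA gateway service is installed and running on each. It assumes the Windows service name is `ATAGateway`; confirm that with `Get-Service` on a DC you have already deployed to.

```powershell
# Added example, not from the original post: find domain controllers in any
# domain of the forest that do not have a running ATA gateway service.
# Assumption: the service is named 'ATAGateway' (display name "Microsoft Advanced
# Threat Analytics Gateway"); verify on a DC you have already deployed to.
# Get-Service -ComputerName requires Windows PowerShell 5.1 (removed in PS 7).
Import-Module ActiveDirectory

$serviceName = 'ATAGateway'
$forest = Get-ADForest

$coverage = foreach ($domain in $forest.Domains) {
    # -Server accepts a domain name and locates a DC of that domain for the query.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            $svc   = Get-Service -ComputerName $dc.HostName -Name $serviceName -ErrorAction Stop
            $state = $svc.Status.ToString()                    # Running / Stopped / ...
        } catch {
            # Distinguish "no such service" (gateway never installed) from a DC we
            # could not reach at all, so the two failure modes are not conflated.
            if ($_.FullyQualifiedErrorId -like 'NoServiceFoundForGivenName*') {
                $state = 'NotInstalled'
            } else {
                $state = "Unreachable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Domain           = $domain
            DomainController = $dc.HostName
            Site             = $dc.Site
            IsReadOnly       = $dc.IsReadOnly
            GatewayService   = $state
        }
    }
}

$coverage | Sort-Object Domain, DomainController | Format-Table -AutoSize

# Anything other than a running service is a monitoring gap.
$gaps = @($coverage | Where-Object { $_.GatewayService -ne 'Running' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) domain controller(s) have no running ATA gateway:"
    $gaps | Format-Table Domain, DomainController, GatewayService -AutoSize
}

# To close a gap, copy the gateway package downloaded from the ATA Console to
# the DC and run its silent install. The syntax below follows Microsoft's ATA
# silent-installation guidance; verify it against the docs for your ATA version:
#   "Microsoft ATA Gateway Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" `
#       ConsoleAccountName="<console user>" ConsoleAccountPassword="<password>"
```

Run this from a workstation with RSAT after each batch of gateway installs and again whenever a new DC is promoted; a DC that appears as NotInstalled is exactly the blind spot the paragraph above warns about. On PowerShell 7, replace the `Get-Service -ComputerName` call with `Invoke-Command -ComputerName $dc.HostName { Get-Service -Name $using:serviceName }`.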

Deployment Validation

You can validate the deployment with a small test against any of your monitored domain controllers, for example:

  1. Simulate a Golden Ticket attack with mimikatz and observe that ATA flags it, or
  2. Promote an ordinary server to a domain controller.

Run either test only with change approval and, where you can, in a lab or test domain rather than production: the first leaves forged Kerberos tickets in your environment and the second permanently alters your directory.

Conclusion

Advanced Threat Analytics is a powerful tool every organization should have in its arsenal. I hope this short article helps you with deploying this amazing solution.


Fadareak

Site Reliability Engineer, Free Spirit. (CCNA, CCNP, ITIL-V3,ITIL-V4,MCSA-Azure,AWS Solutions Architect, CKA, RHCE) IG: FadanotDmw