Microsoft Advanced Threat Analytics Overview
Michael Horák, Mainstream Technologies s.r.o.
24. 3. 2016
Agenda
• ATA Overview
• ATA Deployment and Configuration
• Hacking Samples
• Business Notes
2
ATA Overview
• Why?
• The problem & The ATA
• ATA Introduction
• How ATA works
• ATA topology
• ATA Licensing
3
Sobering statistics
4
$3.5M: the average cost of a data breach to a company
243: the average number of days that attackers reside within a victim’s network before detection
76%: the share of all network intrusions that are due to compromised user credentials
$500B: the total potential cost of cybercrime to the global economy
Changing nature of cyber-security attacks
5
Today’s cyber attackers are:
• Costing significant financial loss, impact to brand reputation, loss of confidential data, and executive jobs
• Compromising user credentials in the vast majority of attacks
• Using legitimate IT tools rather than malware – harder to detect
• Staying in the network an average of eight months before detection
The problem
9
Traditional IT security tools are typically:
• Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
• Complex: initial setup, fine-tuning, creating rules and thresholds/baselines can take a long time.
• Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don’t have.
The ATA
• History
  • 2010 – Aorato company was founded.
  • Nov 2014 – Microsoft buys Aorato.
  • Aorato’s employees continue to work under the MS label.
  • Aug 2015 – Microsoft ATA released.
• ATA = Advanced Threat Analytics
  • Powerful security tool.
  • Continuous development of new detection routines.
  • "Easy" to deploy.
  • "Easy" to configure.
10
Introducing MS Advanced Threat Analytics
11
An on-premises platform to identify advanced security attacks before they cause damage
Comparison: credit card companies monitor cardholders’ behavior. If there is any abnormal activity, they will notify the cardholder to verify the charge. Microsoft Advanced Threat Analytics brings this concept to IT and the users of a particular organization.
Introducing MS Advanced Threat Analytics
12
Behavioral Analytics • Detection for known attacks and issues • Advanced Threat Detection
An on-premises platform to identify advanced security attacks before they cause damage
Advanced Threat Analytics Benefits
13
Detect threats fast with Behavioral Analytics: no need for creating rules, fine-tuning or monitoring a flood of security reports; the intelligence needed is ready to analyze and self-learning.
Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly-evolving enterprise.
Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who-what-when-and-how” of your enterprise.
Reduce the fatigue of false positives: alerts only happen once suspicious activities are contextually aggregated, not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.
Prioritize and plan for next steps: for each suspicious activity or known attack identified, ATA provides recommendations for the investigation and remediation.
Why Microsoft Advanced Threat Analytics?
14
Speed • Adaptability • Simplicity • Accuracy
Key features
15
Mobility support: witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices.
Integration to SIEM: works seamlessly with SIEM; provides options to forward security alerts to your SIEM or to send emails to specific people.
Seamless deployment: functions as an appliance, hardware or virtual; utilizes port mirroring to allow seamless deployment alongside AD; does not affect the existing network topology.
How MS Advanced Threat Analytics works
16
1. Analyze
After installation:
• Simple, non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory traffic
• Collects relevant events from SIEM and other sources
How MS Advanced Threat Analytics works
2. Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.
How MS Advanced Threat Analytics works
3. Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect known attacks and security issues (regional or global)
ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
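The learn/detect idea on this slide, as an added toy example (this is not ATA's algorithm, whose models are not public, and the users, hosts and events are constructed): a baseline of which hosts each user normally reaches and from which hosts they normally log on, a score per event that also consults the entity's interaction path (is the destination at least normal for the source host?), and an alert only when several anomalies for the same user aggregate inside a time window. The names `learn`, `score_event` and `detect`, the scoring weights and the threshold are all assumptions of this example.

```python
"""Toy entity-behaviour baseline with contextual aggregation.

Added illustration only, not ATA's own detection logic. It learns, per user,
which hosts that user normally reaches and from which hosts they normally log
on, and alerts only when several anomalies for the same user add up inside a
time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed learning-period access events: (time, user, source host, destination host)
LEARNING = [
    ("2016-03-01T08:05", "alice", "WS01", "FS01"),
    ("2016-03-01T08:07", "alice", "WS01", "MAIL01"),
    ("2016-03-02T09:10", "alice", "WS01", "FS01"),
    ("2016-03-01T08:30", "bob", "WS02", "FS01"),
    ("2016-03-01T08:31", "bob", "WS02", "SQL01"),
    ("2016-03-02T08:45", "bob", "WS02", "SQL01"),
    ("2016-03-01T10:00", "svc_backup", "BK01", "DC01"),
    ("2016-03-02T10:00", "svc_backup", "BK01", "DC01"),
]

# Constructed detection-period events (comments give the expected verdict)
DETECTION = [
    ("2016-03-03T08:10", "alice", "WS01", "FS01"),   # normal: score 0
    ("2016-03-03T08:12", "alice", "WS01", "SQL01"),  # one new resource: score 2, below threshold
    ("2016-03-03T11:00", "bob", "WS07", "DC01"),     # new host and new resource: score 4, alert
    ("2016-03-03T11:03", "bob", "WS07", "FS01"),     # new host only: score 2, no second alert
]


def learn(events):
    """Build the baseline: normal destinations per user and per source host, normal hosts per user."""
    profile = {"user_dests": defaultdict(set), "host_dests": defaultdict(set), "user_hosts": defaultdict(set)}
    for _, user, src, dst in events:
        profile["user_dests"][user].add(dst)
        profile["host_dests"][src].add(dst)
        profile["user_hosts"][user].add(src)
    return profile


def score_event(profile, user, src, dst):
    """Score one event against the baseline; returns (score, reasons)."""
    score, reasons = 0, []
    if dst not in profile["user_dests"].get(user, set()):
        # Interaction path: a destination that is usual for the source host is less surprising
        if dst in profile["host_dests"].get(src, set()):
            score += 1
            reasons.append(f"{dst} is new for {user} but usual for {src}")
        else:
            score += 2
            reasons.append(f"{dst} is new for both {user} and {src}")
    if src not in profile["user_hosts"].get(user, set()):
        score += 2
        reasons.append(f"{user} has never been seen logging on from {src}")
    return score, reasons


def detect(profile, events, window=timedelta(hours=1), threshold=4):
    """Aggregate anomaly scores per user inside a sliding window; alert only at the threshold."""
    alerts = []
    recent = defaultdict(list)  # user -> [(time, score, reasons)] still inside the window
    for ts, user, src, dst in sorted(events):
        now = datetime.fromisoformat(ts)
        score, reasons = score_event(profile, user, src, dst)
        if score == 0:
            continue
        recent[user] = [(t, s, r) for t, s, r in recent[user] if now - t <= window]
        recent[user].append((now, score, reasons))
        total = sum(s for _, s, _ in recent[user])
        if total >= threshold:
            alerts.append({"user": user, "time": ts, "score": total,
                           "reasons": [x for _, _, rs in recent[user] for x in rs]})
            recent[user] = []  # one alert per burst of related anomalies
    return alerts


if __name__ == "__main__":
    for alert in detect(learn(LEARNING), DETECTION):
        print(alert)
```

The single new resource that alice touches never becomes an alert on its own; bob logging on from a never-seen workstation and reaching a domain controller he never used does, with both reasons attached, which is the "contextually aggregated" behaviour the slide describes.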
How MS Advanced Threat Analytics works
4. Alert
ATA reports all suspicious activities on a simple, functional, actionable attack timeline.
ATA identifies: Who? What? When? How?
For each suspicious activity, ATA provides recommendations for the investigation and remediation.
How MS Advanced Threat Analytics works
20
Abnormal behavior: anomalous logins, remote execution, suspicious activity, unknown threats, password sharing, lateral movement
Security issues and risks: broken trust, weak protocols, known protocol vulnerabilities
Malicious attacks: Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, Skeleton key malware, Reconnaissance, Brute force
Topology
21
Topology - Gateway
22
• Captures and analyzes DC network traffic via port mirroring
• Listens to multiple DCs from multiple domains on a single Gateway
• Receives events from SIEM
• Retrieves data about entities from the domain
• Performs resolution of network entities
• Transfers relevant data to the ATA Center
Topology - Center
23
• Manages ATA Gateway configuration settings
• Receives data from ATA Gateways and stores it in the database
• Detects suspicious activity and abnormal behavior (machine learning)
• Provides the Web Management Interface
• Supports multiple Gateways
ATA Licensing
24
ATA Deployment and Configuration
• Installation & Configuration
  • ATA Center
  • ATA Gateway
    • Port mirroring
    • Service configuration
• Simple management using a web browser
• MongoDB
• Performance monitoring
• Capacity planning
25
Installation – ATA Center
• Domain membership – YES or NO
• Disk sizing / DB placement
• Network Interfaces
  • IP addresses
  • Ports
• Web Server certificates
• Local ATA Admins group
• Simple ATA Center setup
• ATA Center is a web application
26
Installation – ATA Center
27
Installation – ATA Gateway
• Domain membership – YES or NO
• Network Interfaces
  • 1x Management interface
  • Multiple Capture interfaces
  • Port mirroring configuration
  • IP addresses
  • Ports
• Windows Security Log Forwarding
• HW sizing
• Web Server certificates
• Simple ATA Gateway setup
  • Created on and downloadable from the ATA Center
28
Installation – ATA Gateway
29
Installation – ATA Gateway
30
Configuration – ATA Gateway
31
Configuration – ATA Gateway
• Port mirroring, also known as SPAN (Switched Port Analyzer).
• May require considerable network configuration changes.
• Supported by Hyper-V, VMware, Cisco (of course), etc.
SPAN: limited to the same switch.
RSPAN (remote SPAN): limited to multiple switches in the same L2 network segment.
ERSPAN (encapsulated remote SPAN): adds L3 (IP routing) support to RSPAN; uses Cisco GRE.
32
Configuration – ATA Gateway
33
Configuration – ATA Gateway - Cisco
34
Configuration – ATA Gateway – Hyper-V
35
Configuration – ATA Gateway – Check
• Port mirroring checks
  • MS Network Monitor 3.x (now the only supported capture tool on the ATA Gateway)
  • Performance Monitor
• Windows Security Log Forwarding checks
  • Event Viewer on the source server (DC)
  • Event Viewer on the destination server (ATA Gateway)
36
Configuration – ATA Gateway – Check
37
Configuration – ATA Gateway – Check
38
Configuration – ATA Gateway – Check
39
Configuration – ATA Gateway – Check
40
Configuration – ATA Gateway – Detection
41
Configuration – ATA Gateway – CEIP
42
Configuration – NAT & DA exceptions
43
High-performance storage – MongoDB
44
Capacity Planning – Performance Monitor
45
Capacity Planning – Collecting PerfData
46
Capacity Planning – ATA Center
47
Capacity Planning – ATA Gateway
48
Hacking Samples
• Obtaining credentials
• Pass-the-Hash Attack
• DCSync Attack (DRS-R)
• Pass-the-Ticket Attack
• Golden Ticket Attack
• Brute-Force Attack
• Remote Execution Attack
49
Obtaining credentials
• Workstations/Servers (Local/RDP)
  • Memory (User, Computer)
  • Registry (Computer)
  • Saved Credentials (DPAPI Backup Key required)
• Domain Controllers
  • Online (Memory, DRS-R)
  • Offline (VHD, Backup)
• …
50
Pass-the-Hash Attack
51
DCSync Attack (DRS-R)
52
DCSync Detection
53
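DCSync detection from the Windows Security Log side, as an added example that is independent of ATA (the slides leave ATA-based detection TBD): a DCSync asks a domain controller for the directory replication extended rights, which a DC logs as Event ID 4662 when directory service access auditing is enabled, and those events are exactly what Windows Security Log Forwarding to the ATA Gateway carries. The three replication GUIDs are the real schema values; the domain, account names, DC list, allow-list and the event records themselves are constructed for the example, and `detect_dcsync` and `replication_rights_used` are names chosen here.

```python
"""Flag DCSync-style replication requests in forwarded Event ID 4662 records.

Added illustration, not ATA's own detector. Only domain controllers and a
few known replication services (for example a directory-sync service
account) should ever exercise the replication extended rights; any other
account doing so is worth an investigation.
"""
import re

# Replication extended rights from the AD schema (real, well-known GUIDs)
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                     DS_REPLICATION_GET_CHANGES_FILTERED}

# Constructed allow-lists: DC computer accounts and services that legitimately replicate
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
REPLICATION_SERVICE_ACCOUNTS = {"svc_aadconnect"}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def properties(*guids):
    """Render a 4662 'Properties' field as the log shows it: access type, then the rights used."""
    return "%%7688 " + " ".join("{" + g + "}" for g in guids)


# Constructed 4662 records (field names as in the event, values made up for this example)
EVENTS = [
    # normal inbound replication from another DC
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$",
     "Properties": properties(DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)},
    # allow-listed directory-sync service account
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_aadconnect",
     "Properties": properties(DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)},
    # an ordinary user account requesting full replication: the finding
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe",
     "Properties": properties(DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)},
    # same user, a 4662 for some unrelated right (constructed placeholder GUID)
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "Properties": properties("11111111-1111-1111-1111-111111111111")},
    # a logon event: not a 4662, ignored
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "Properties": ""},
]


def replication_rights_used(event):
    """Return which replication extended rights appear in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return guids & REPLICATION_GUIDS


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS, allowed=REPLICATION_SERVICE_ACCOUNTS):
    """Flag 4662 events where a non-DC, non-allow-listed account used replication rights."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_used(ev)
        if not rights:
            continue
        account = ev["SubjectUserName"]
        if account in dcs or account in allowed:
            continue  # expected replication partner
        findings.append({
            "account": f'{ev["SubjectDomainName"]}\\{account}',
            "dc": ev["Computer"],
            "rights": sorted(rights),
            # secrets are only returned when Get-Changes-All is granted as well
            "full_replication": DS_REPLICATION_GET_CHANGES_ALL in rights,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_dcsync(EVENTS):
        print(finding)
```

4662 is only written when "Audit Directory Service Access" is enabled and the domain naming context carries a SACL for the control access rights, and some legitimate administration tools also exercise them, so the DC list and the service-account allow-list have to be maintained for the rule to stay quiet.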
DCSync Detection using ATA (TBD)
54
Pass-the-Ticket Attack
55
Golden Ticket Attack
56
Brute-Force Attack
57
Remote Execution Attack
58
Business Notes
• ATA advantages
• Pricing
• Sizing
• Deployment risks
59
Advantages of the ATA solution
• Off-the-shelf solution – supported by MS
• Low deployment effort
• Analysis
  • Detection of known attacks
  • Heuristic behavioral analysis
  • Self-learning functions
  • Detection tooling (substantially fewer "false positive" detections)
• Alerting
  • Console (timeline)
  • SIEM
  • E-mail notifications
60
ATA Pricing
• EMS: $8.75 / month / user
  • For 1500 users: $157,500 per year
  • ATA + bonus:
    • Azure AD Premium
    • Azure Rights Management Premium
    • Intune
    • Azure RemoteApp
    • Windows Server CAL
    • MIM CAL
• Stand-alone: $80 / licence + SA
  • For 1500 users: $120,000 per year
61
ATA Server Sizing
62
• ATA Center:

  Packets per second | CPU (cores) | Memory (GB) | OS storage (GB) | Database storage per day (GB) | Database storage per month (GB) | IOPS
  1,000              | 4           | 48          | 200             | 1.5                           | 45                              | 30 (100)
  10,000             | 4           | 48          | 200             | 15                            | 450                             | 200 (300)
  40,000             | 8           | 64          | 200             | 60                            | 1,800                           | 500 (1,000)
  100,000            | 12          | 96          | 200             | 150                           | 4,500                           | 1,000 (1,500)
  200,000            | 16          | 128         | 200             | 300                           | 9,000                           | 2,000 (2,500)

• ATA Gateway:

  Packets per second | CPU (cores) | Memory (GB) | OS storage (GB)
  10,000             | 4           | 12          | 80
  20,000             | 8           | 24          | 100
  40,000             | 16          | 64          | 200
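A planning helper built on the two sizing tables above, added here as an example (it is not a Microsoft tool). It takes the packets-per-second figure measured for each DC with Performance Monitor, packs DCs onto gateways so that no gateway exceeds the largest gateway tier (a gateway can listen to several DCs, so its load is the sum), picks the matching row for each gateway and for the Center, and estimates Center storage for a retention period. Two readings are assumptions of this example: the bracketed IOPS figure is treated as the recommended value, and database growth is assumed to be linear in the per-day figure. DC names and rates are constructed.

```python
"""Sizing helper for ATA Center and ATA Gateways (added example, not a Microsoft tool).

Tier rows are the two tables from the sizing slide. Assumptions: the bracketed
IOPS number is the recommended value; database storage grows linearly with the
per-day figure over the retention period.
"""
from collections import namedtuple

CenterTier = namedtuple("CenterTier",
                        "pps cpu mem_gb os_gb db_gb_per_day db_gb_per_month iops iops_recommended")
CENTER_TIERS = [
    CenterTier(1_000, 4, 48, 200, 1.5, 45, 30, 100),
    CenterTier(10_000, 4, 48, 200, 15, 450, 200, 300),
    CenterTier(40_000, 8, 64, 200, 60, 1_800, 500, 1_000),
    CenterTier(100_000, 12, 96, 200, 150, 4_500, 1_000, 1_500),
    CenterTier(200_000, 16, 128, 200, 300, 9_000, 2_000, 2_500),
]

GatewayTier = namedtuple("GatewayTier", "pps cpu mem_gb os_gb")
GATEWAY_TIERS = [
    GatewayTier(10_000, 4, 12, 80),
    GatewayTier(20_000, 8, 24, 100),
    GatewayTier(40_000, 16, 64, 200),
]
MAX_GATEWAY_PPS = GATEWAY_TIERS[-1].pps


def pick_tier(tiers, pps):
    """Smallest tier whose rated packet rate covers pps; None if the table has no row big enough."""
    for tier in tiers:
        if pps <= tier.pps:
            return tier
    return None


def plan_gateways(dc_pps, max_pps=MAX_GATEWAY_PPS):
    """Group DCs onto gateways (first-fit decreasing) so that no gateway exceeds max_pps.

    dc_pps maps a DC name to its measured packets per second. Returns one dict per
    gateway with the DCs it listens to, its summed load and the matching tier row.
    """
    gateways = []
    for dc, pps in sorted(dc_pps.items(), key=lambda kv: kv[1], reverse=True):
        if pps > max_pps:
            raise ValueError(f"{dc} alone ({pps} pps) exceeds a single gateway ({max_pps} pps)")
        for gw in gateways:
            if gw["pps"] + pps <= max_pps:
                gw["dcs"].append(dc)
                gw["pps"] += pps
                break
        else:
            gateways.append({"dcs": [dc], "pps": pps})
    for gw in gateways:
        gw["tier"] = pick_tier(GATEWAY_TIERS, gw["pps"])
    return gateways


def plan_center(dc_pps, retention_days=30):
    """Size the Center for the total packet rate and estimate storage for the retention period."""
    total = sum(dc_pps.values())
    tier = pick_tier(CENTER_TIERS, total)
    if tier is None:
        raise ValueError(f"total {total} pps exceeds the largest tabulated Center ({CENTER_TIERS[-1].pps} pps)")
    return {
        "total_pps": total,
        "tier": tier,
        # assumption: constant daily growth, so OS volume plus per-day growth times retention
        "storage_gb": tier.os_gb + tier.db_gb_per_day * retention_days,
    }


if __name__ == "__main__":
    # Constructed measurements for four DCs
    measured = {"DC01": 15_000, "DC02": 30_000, "DC03": 8_000, "DC04": 5_000}
    for gw in plan_gateways(measured):
        print(gw)
    print(plan_center(measured, retention_days=30))
```

With those constructed measurements the planner needs two gateways (DC02 and DC03 on one 40,000 pps gateway, DC01 and DC04 on a 20,000 pps one), a 100,000 pps Center for the 58,000 pps total, and roughly 4,700 GB for thirty days of retention, which is the kind of figure the "Capacity Planning" slides ask you to derive from the Performance Monitor data.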
Deployment risks
• May require more advanced configuration of active network elements (switches)
• May require installing several ATA Gateways (and therefore Windows Server Standard or higher licences plus HW capacity)
• Choosing a suitable location in the network
• HW requirements
• Number of ATA Gateways needed – problematic especially in clustered environments (Hyper-V, VMware, etc.)
63
OUTRO
64
Outro: Check Twitter
65
Outro: Check Twitter
66
67
"We are strong even where others’ strength runs out."