Advanced PowerShell Chalk-Talk (DSC)
Author: Brian Wilhite
Posted on 21-Jul-2020

TRANSCRIPT

  • 200+ The median number of days that attackers reside within a victim’s network before detection.
    $3.8M The average cost of a data breach to a company in 2014 was US$3.8 million.
    81% In 81% of breaches, the affected organization did not detect the breach itself but was notified by others.
    60% In 60% of breaches, attackers were able to compromise an organization within minutes.

  • Changing nature of cybersecurity attacks
    Today’s cyber attackers are:
    ▪ Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs
    ▪ Compromising user credentials in the vast majority of attacks
    ▪ Staying in the network an average of eight months before detection
    ▪ Using legitimate IT tools rather than malware – harder to detect


  • Traditional IT security solutions are typically:
    ▪ Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
    ▪ Complex: initial setup, fine-tuning, creating rules, and thresholds/baselines can take a long time.
    ▪ Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don’t have.

  • Comparison
    ▪ Credit card companies monitor cardholders’ behavior
    ▪ If there is any abnormal activity, they will notify the cardholder to verify the charge
    Microsoft Advanced Threat Analytics brings this concept to IT and users of a particular organization
    (Slide also labelled: Email attachment)

  • Advanced Threat Detection
    An on-premises solution to identify advanced security attacks before they cause damage
    ▪ Behavioral Analytics
    ▪ Detection for known attacks and issues

  • Why Microsoft Advanced Threat Analytics?
    ▪ It learns and adapts
    ▪ It is fast
    ▪ It provides clear information
    ▪ Red flags are raised only when needed

  • Key features
    Mobility support
    ▪ Witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices
    Integration to SIEM
    ▪ Analyzes events from SIEM to enrich the attack timeline
    ▪ Works seamlessly with SIEM
    ▪ Provides options to forward security alerts to your SIEM or to send emails to specific people
    Seamless deployment
    ▪ Utilizes port mirroring to allow seamless deployment alongside AD
    ▪ Non-intrusive, does not affect existing network topology

  • How Microsoft Advanced Threat Analytics works
    1. Analyze
    After installation:
    • Simple, non-intrusive port mirroring configuration copies all AD-related traffic
    • Remains invisible to the attackers
    • Analyzes all Active Directory network traffic
    • Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more)

  • How Microsoft Advanced Threat Analytics works
    2. Learn
    ATA:
    • Automatically starts learning and profiling entity behavior
    • Identifies normal behavior for entities
    • Learns continuously to update the activities of the users, devices, and resources
    What is an entity? An entity represents users, devices, or resources.

  • How Microsoft Advanced Threat Analytics works
    3. Detect
    Microsoft Advanced Threat Analytics:
    • Looks for abnormal behavior and identifies suspicious activities
    • Only raises red flags if abnormal activities are contextually aggregated
    • Leverages world-class security research to detect security risks and attacks in near real time based on attackers’ Tactics, Techniques and Procedures (TTPs)
    ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.

  • How Microsoft Advanced Threat Analytics works
    4. Alert
    ATA reports all suspicious activities on a simple, functional, actionable attack timeline.
    ATA identifies: Who? What? When? How?
    For each suspicious activity, ATA provides recommendations for the investigation and remediation.

  • Abnormal behavior
    ▪ Anomalous logins
    ▪ Remote execution
    ▪ Suspicious activity
    Security issues and risks
    ▪ Broken trust
    ▪ Weak protocols
    ▪ Known protocol vulnerabilities
    Malicious attacks
    ▪ Pass-the-Ticket (PtT)
    ▪ Pass-the-Hash (PtH)
    ▪ Overpass-the-Hash
    ▪ Forged PAC (MS14-068)
    ▪ Golden Ticket
    ▪ Skeleton key malware
    ▪ Reconnaissance
    ▪ Brute force
    ▪ Unknown threats
    ▪ Password sharing
    ▪ Lateral movement

  • Topology - Gateway
    ▪ Captures and analyzes DC network traffic via port mirroring
    ▪ Listens to multiple DCs from a single Gateway
    ▪ Receives events from SIEM
    ▪ Retrieves data about entities from the domain
    ▪ Performs resolution of network entities
    ▪ Transfers relevant data to the ATA Center

  • Topology - Center
    ▪ Receives data from ATA Gateways and stores it in the database
    ▪ Detects suspicious activity and abnormal behavior (machine learning)
    ▪ Provides Web Management Interface
    ▪ Supports multiple Gateways
    ▪ Manages ATA Gateway configuration settings

  • Event collection
    In addition to collecting and analyzing network traffic to and from the DCs, ATA can use Windows event 4776 to further enhance ATA Pass-the-Hash detection. This event can be received from your SIEM or by setting up Windows Event Forwarding from your DCs. Events collected provide ATA with additional information that is not available via the DC network traffic.
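    As an added illustration (not ATA’s code and not the author’s), the Python below parses constructed 4776-style records (4776 is the DC’s NTLM credential-validation event) and flags a workstation from which several distinct accounts validate successfully within a short window, which is the kind of host-level context DC network traffic alone does not give. The one-line record layout, the thresholds and the “many accounts from one workstation” heuristic are assumptions for the example, not ATA’s actual detection logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4776 (NTLM credential validation) records, not real logs, in a
# simplified one-line layout. Error Code 0x0 = success, 0xC000006A = bad password.
SAMPLE_4776 = """\
2017-05-25 09:00:01 4776 Logon Account: alice Source Workstation: WS-ALICE Error Code: 0x0
2017-05-25 09:00:05 4776 Logon Account: bob Source Workstation: WS-BOB Error Code: 0x0
2017-05-25 09:10:00 4776 Logon Account: svc_sql Source Workstation: WS-ALICE Error Code: 0x0
2017-05-25 09:10:02 4776 Logon Account: admin Source Workstation: WS-ALICE Error Code: 0x0
2017-05-25 09:10:04 4776 Logon Account: bob Source Workstation: WS-ALICE Error Code: 0x0
2017-05-25 09:20:00 4776 Logon Account: carol Source Workstation: WS-CAROL Error Code: 0xC000006A
2017-05-25 09:20:01 4776 Logon Account: carol Source Workstation: WS-CAROL Error Code: 0xC000006A
this line is deliberately malformed and must be skipped by the parser
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) 4776 Logon Account: (?P<acct>\S+) "
                     r"Source Workstation: (?P<src>\S+) Error Code: (?P<code>0x[0-9A-Fa-f]+)$")

def parse_4776(text):
    """Return (datetime, account, workstation, error_code) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["acct"].lower(), m["src"].upper(), m["code"].lower()))
    return events

def many_accounts_from_one_source(events, window_minutes=5, threshold=3):
    """Map workstation -> sorted accounts, for every workstation from which at least
    `threshold` distinct accounts validated successfully inside one sliding window of
    `window_minutes`. One host suddenly acting as several users is the kind of context
    that 4776 adds on top of DC network traffic; the thresholds here are arbitrary."""
    by_src = defaultdict(list)
    for ts, acct, src, code in events:
        if code == "0x0":                      # only successful validations count
            by_src[src].append((ts, acct))
    flagged = {}
    for src, items in by_src.items():
        items.sort()                           # chronological per workstation
        for i, (start, _) in enumerate(items):
            accts = {a for t, a in items[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(accts) >= threshold:
                flagged[src] = sorted(accts)
                break
    return flagged
```

    On the sample, WS-ALICE is flagged (svc_sql, admin and bob validate from it within five minutes) while WS-CAROL, whose records are failed validations, is not.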

  • The ATA traffic flow (diagram)
    Sources: DCs (Mirror Traffic for a Full Gateway, Local Traffic for a Lightweight Gateway, LW GW), SIEM, and Windows Event Forwarding (WEF) from DCs
    ATA Gateway components: Network Listener, Event Listener, Windows Event Log Reader, Entity Resolver, Entity Sender
    ATA Center components: Entity Receiver, Database, Detection Engine, ATA Console
    Flow: mirrored or local DC traffic and forwarded events enter the Gateway, are resolved into entities, and the Parsed Traffic is sent to the Center

  • ATA Center sizing
    Packets per second*   CPU (cores**)   Memory (GB)   DB storage per day (GB)   DB storage per month (GB)   IOPS*** average (peak)
    1,000                 2               32            0.3                       9                           30 (100)
    10,000                4               48            3                         90                          200 (300)
    40,000                8               64            12                        360                         500 (1,000)
    100,000               12              96            30                        900                         1,000 (1,500)
    400,000               40              128           120                       1,800                       2,000 (2,500)
    * Total daily average number of packets-per-second from all domain controllers being monitored by all ATA Gateways.
    ** This includes physical cores, not hyper-threaded cores.
    *** Average numbers (Peak numbers)

  • ATA Center sizing notes (5/25/2017)
    Storage latency for read/write activities should be below 10ms.

  • FAQ
    Q - Can ATA be configured to take action against a threat?
    A - No – ATA detects the issue but it does not remove the need to perform a forensic analysis.
    Q - Can I control the amount of time ATA retains information?
    A - No – ATA only stores information about events it captures, including user/device information from the domain. All other data is not stored in the DB.
    Q - Can ATA be connected to my SIEM deployment?
    A - Yes – HP Arcsight, RSA Security Analytics, Splunk and
