advanced powershell chalk-talk (dsc) · advanced powershell chalk-talk (dsc) author: brian wilhite...
TRANSCRIPT
200+   The median number of days that attackers reside within a victim’s network before detection.
$3.8M  The average cost of a data breach to a company in 2014 was US$3.8 million.
81%    In 81% of breaches, the affected organization did not detect the breach itself but was notified by others.
60%    In 60% of breaches, attackers were able to compromise an organization within minutes.
Changing nature of cybersecurity attacks
Today’s cyber attackers are:
▪ Costing significant financial loss, impact to brand reputation, loss of confidential data and executive jobs
▪ Compromising user credentials in the vast majority of attacks
▪ Staying in the network an average of eight months before detection
▪ Using legitimate IT tools rather than malware – harder to detect
Traditional IT security solutions are typically:
▪ Designed to protect the perimeter: when user credentials are stolen and attackers are in the network, your current defenses provide limited protection.
▪ Complex: initial setup, fine-tuning, creating rules, and thresholds/baselines can take a long time.
▪ Prone to false positives: you receive too many reports in a day with several false positives that require valuable time you don’t have.
▪ Credit card companies monitor cardholders’ behavior
▪ If there is any abnormal activity, they will notify the cardholder to verify the charge
Microsoft Advanced Threat Analytics brings this concept to IT and users of a particular organization
Comparison:
▪ Email attachment – detection for known attacks and issues
▪ Behavioral analytics – advanced threat detection
Why Microsoft Advanced Threat Analytics?
An on-premises solution to identify advanced security attacks before they cause damage
▪ It learns and adapts
▪ It is fast
▪ It provides clear information
▪ Red flags are raised only when needed
Key features
Mobility support
▪ Witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices
Integration to SIEM
▪ Analyzes events from SIEM to enrich the attack timeline
▪ Works seamlessly with SIEM
▪ Provides options to forward security alerts to your SIEM or to send emails to specific people
Seamless deployment
▪ Utilizes port mirroring to allow seamless deployment alongside AD
▪ Non-intrusive, does not affect existing network topology
How Microsoft Advanced Threat Analytics works
1. Analyze
After installation:
• Simple, non-intrusive port mirroring configuration copies all AD-related traffic
• Remains invisible to the attackers
• Analyzes all Active Directory network traffic
• Collects relevant events from SIEM and information from Active Directory (titles, group memberships, and more)
How Microsoft Advanced Threat Analytics works
2. Learn
ATA:
• Automatically starts learning and profiling entity behavior
• Identifies normal behavior for entities
• Learns continuously to update the activities of the users, devices, and resources
What is an entity?
An entity represents a user, device, or resource
How Microsoft Advanced Threat Analytics works
3. Detect
Microsoft Advanced Threat Analytics:
• Looks for abnormal behavior and identifies suspicious activities
• Only raises red flags if abnormal activities are contextually aggregated
• Leverages world-class security research to detect security risks and attacks in near real time based on attackers’ Tactics, Techniques and Procedures (TTPs)
ATA not only compares the entity’s behavior to its own, but also to the behavior of entities in its interaction path.
4. Alert
ATA reports all suspicious activities on a simple, functional, actionable attack timeline
ATA identifies: Who? What? When? How?
For each suspicious activity, ATA provides recommendations for the investigation and remediation
How Microsoft Advanced Threat Analytics works
Abnormal behavior
▪ Anomalous logins
▪ Remote execution
▪ Suspicious activity
Security issues and risks
▪ Broken trust
▪ Weak protocols
▪ Known protocol vulnerabilities
Malicious attacks
▪ Pass-the-Ticket (PtT)
▪ Pass-the-Hash (PtH)
▪ Overpass-the-Hash
▪ Forged PAC (MS14-068)
▪ Golden Ticket
▪ Skeleton key malware
▪ Reconnaissance
▪ Brute force
▪ Unknown threats
▪ Password sharing
▪ Lateral movement
Topology - Gateway
▪ Captures and analyzes DC network traffic via port mirroring
▪ Listens to multiple DCs from a single Gateway
▪ Receives events from SIEM
▪ Retrieves data about entities from the domain
▪ Performs resolution of network entities
▪ Transfers relevant data to the ATA Center
Topology - Center
▪ Receives data from ATA Gateways and stores it in the database
▪ Detects suspicious activity and abnormal behavior (machine learning)
▪ Provides Web Management Interface
▪ Supports multiple Gateways
▪ Manages ATA Gateway configuration settings
Event collection
In addition to collecting and analyzing network traffic to and from the DCs, ATA can use Windows event 4776 to further enhance ATA Pass-the-Hash detection. This can be received from your SIEM or by setting up Windows Event Forwarding from your DC. Events collected provide ATA with additional information that is not available via the DC network traffic.
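As an added example (not part of the deck and not ATA's own code), the PowerShell below shows what a 4776 record contributes beyond DC network traffic, namely the source workstation and the NTLM status code, and summarises constructed sample records per account the way an analyst would before handing them to ATA or a SIEM; ConvertFrom-Event4776, Get-NtlmAuthSummary, the thresholds and the host and account names are hypothetical.

```powershell
function ConvertFrom-Event4776 {
    # Flattens one 4776 EventRecord (NTLM credential validation) into the
    # fields ATA uses; EventData holds PackageName, TargetUserName, Workstation, Status.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account     = $data.TargetUserName
            Workstation = $data.Workstation   # source host: the detail DC network traffic alone lacks
            Status      = $data.Status        # 0x0 success, 0xc000006a bad password, 0xc0000064 no such user
        }
    }
}

function Get-NtlmAuthSummary {
    # Groups records per account and flags two patterns worth an analyst's look:
    # many failures (password guessing) and one account used from many hosts.
    param([Parameter(Mandatory)] [object[]] $Records, [int] $FailureThreshold = 5, [int] $HostThreshold = 3)
    $Records | Group-Object Account | ForEach-Object {
        $failures = @($_.Group | Where-Object { $_.Status -ne '0x0' })
        $hosts    = @($_.Group.Workstation | Sort-Object -Unique)
        $flag = ''
        if ($failures.Count -ge $FailureThreshold) { $flag = 'possible brute force' }
        elseif ($hosts.Count -ge $HostThreshold)   { $flag = 'account used from many hosts' }
        [pscustomobject]@{
            Account      = $_.Name
            Attempts     = $_.Count
            Failures     = $failures.Count
            Workstations = $hosts -join ','
            Flag         = $flag
        }
    }
}

# Constructed sample records (hypothetical hosts and accounts): alice logs on normally,
# svc-backup is used from three hosts, bob gets five bad-password attempts from one host.
$sample = @(
    [pscustomobject]@{ Account = 'alice';      Workstation = 'WS01'; Status = '0x0' }
    [pscustomobject]@{ Account = 'svc-backup'; Workstation = 'WS02'; Status = '0x0' }
    [pscustomobject]@{ Account = 'svc-backup'; Workstation = 'WS03'; Status = '0x0' }
    [pscustomobject]@{ Account = 'svc-backup'; Workstation = 'WS04'; Status = '0x0' }
)
$sample += 1..5 | ForEach-Object { [pscustomobject]@{ Account = 'bob'; Workstation = 'WS09'; Status = '0xc000006a' } }
Get-NtlmAuthSummary -Records $sample | Format-Table -AutoSize

# Live data from a DC or a WEF collector's ForwardedEvents log instead of the sample:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776} -MaxEvents 5000 |
#     ConvertFrom-Event4776 | Get-NtlmAuthSummary | Format-Table -AutoSize
```

With the sample, svc-backup is flagged as used from many hosts and bob as possible brute force, while alice carries no flag.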
The ATA traffic flow (diagram; components as labelled)
Sources: DCs (mirror traffic to a full Gateway, or local traffic on a Lightweight Gateway), SIEM (event forwarding), Windows Event Log (WEF)
ATA Gateway: Network Listener, Event Listener, Windows Event Log Reader, Entity Resolver, Entity Sender
ATA Center (receives parsed traffic from the Gateway): Entity Receiver, Database, Detection Engine, ATA Console
ATA Center sizing
Packets per second*   CPU (cores**)   Memory (GB)   Database storage per day (GB)   Database storage per month (GB)   IOPS***
1,000                 2               32            0.3                             9                                 30 (100)
10,000                4               48            3                               90                                200 (300)
40,000                8               64            12                              360                               500 (1,000)
100,000               12              96            30                              900                               1,000 (1,500)
400,000               40              128           120                             1,800                             2,000 (2,500)
* Total daily average number of packets per second from all domain controllers being monitored by all ATA Gateways.
** This includes physical cores, not hyper-threaded cores.
*** Average numbers (peak numbers)
ATA Center sizing notes (5/25/2017)
Storage latency for read/write activities should be below 10ms.
FAQ
Q - Can ATA be configured to take action against a threat?
A - No – ATA detects the issue but it does not remove the need to perform a forensic analysis.
Q - Can I control the amount of time ATA retains information?
A - No – ATA only stores information about events it captures, including user/device information from the domain. All other data is not stored in the DB.
Q - Can ATA be connected to my SIEM deployment?
A - Yes – by default ATA both consumes data from and sends data to SIEM solutions such as HP ArcSight, RSA Security Analytics, Splunk and Snare.
Q - Does ATA require an agent on my DC?
A - No – ATA uses network analysis to detect events.
https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
• OA - Deployment and Migration Assistance for Advanced Threat Analytics (ATA)
• POP - Security Incident Management
• Secure Lateral Account Movement
• Offline Assessment for:
  • AD Security
  • Windows Server
  • Windows Client
  • SQL
  • Exchange
  • SharePoint
• POP - Active Directory Delegation
• POP - Privileged Access Workstation (PAW)
• POP - Azure Active Directory: Multi-Factor Authentication (MFA)
• Cybersecurity Incident Response with Tactical Recovery Planning
• WorkshopPLUS - Windows Server 2012: Securing Windows Server