Advanced Threat Analytics: a tool to protect against APT attacks

Microsoft, at its Ignite conference three months ago, unveiled its latest tool for advanced threat analysis, Microsoft Advanced Threat Analytics (ATA), which will be made publicly available in August to administrators who want to further protect sensitive corporate data.

Project management for Advanced Threat Analytics is led by Idan Plotnik, founder and CEO of the Israeli company Aorato, which Microsoft acquired in November 2014 for 200 million dollars. With the acquisition of Aorato, Microsoft obtained the patent and developed a tool based on machine learning that detects, in real time, anomalies that could indicate suspicious network traffic passing through firewalls, UTM devices and switches.

In operation, ATA uses a number of methods to identify, report and warn about attacks in the working environment before unknown "actions" cause serious damage or exfiltrate the most confidential documents to the outside. One of these methods is Deep Packet Inspection (DPI), a network packet scanning technology also used by certain Internet providers. DPI operates at the application layer of the OSI model (here it correlates network traffic with Active Directory) and makes it possible to detect and block packets carrying specific data or payloads that traditional packet filtering could not identify.

ATA detects abnormal behavior, including processes and services running with the permissions of the currently logged-on employee account, through behavioral analysis that can act as a gatekeeper and warn of potential advanced network attacks. Suspicious activity is detected, for example, from logons to applications or systems outside normal working hours, or from passwords being sent over various communication protocols. Based on the stored analysis, ATA builds graphs and tells administrators which parts of the network infrastructure deserve particular attention.

ATA also uses rule-based detection of advanced attacks in real time. According to Microsoft, the Advanced Threat Analytics tool can detect Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash, Forged PAC (MS14-068), remote execution, Golden Ticket, Skeleton Key malware, reconnaissance and brute-force attacks.

In addition, ATA can identify insecurely configured devices and warn you, suggesting changes to settings, disabling certain ports, or using recent, vulnerability-free versions of the protocols used to exchange information.

In practice, the ATA Gateway is a server with the ATA collector installed, which receives packets forwarded from network switches; it supports port mirroring and network monitoring. ATA Center, in turn, is the solution's management component, through which ATA is configured and the data collected from the ATA Gateway is used for alerting and reporting.

Here is an example of a reconnaissance attack in which an attacker tries to log on via the Kerberos authentication and authorization protocol. 58 users were identified in Active Directory, but 34 of the actions are suspicious login attempts to non-existent accounts or to an account named "test".

The attacker then tries to log on to existing AD accounts by guessing passwords.

A harvested password could allow the attacker to log on to other machines; however, the attempts to log on to other computers were identified by ATA.

ATA detects the suspicious activity and indicates that the administrator's credentials have been stolen and used to log on to the following resources.
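To make the detection logic behind the scenario above concrete, here is a small Python detector, added as an illustration and not code from Microsoft ATA or from this article. It runs over a constructed set of Kerberos-style authentication events and checks the three signals the article describes: a burst of logon failures against accounts that do not exist (the reconnaissance step), successful logons outside working hours (the behavioral anomaly mentioned earlier), and one account reaching several hosts in a short window (a harvested credential being reused). The event fields, host and account names, working hours and thresholds are all assumptions made for the example.

```python
"""Toy detectors over constructed Kerberos authentication events.

Added example only: this is not ATA's implementation. The event layout is an
assumption loosely modelled on what a domain controller logs; the error names
follow RFC 4120 (KDC_ERR_C_PRINCIPAL_UNKNOWN = account does not exist in the
realm, KDC_ERR_PREAUTH_FAILED = account exists but the password was wrong).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (time, client host, target host, account, Kerberos result)
EVENTS = [
    ("2015-08-03 02:10:00", "ws-17", "dc01",    "test",    "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("2015-08-03 02:10:05", "ws-17", "dc01",    "backup",  "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("2015-08-03 02:10:10", "ws-17", "dc01",    "admin",   "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("2015-08-03 02:10:15", "ws-17", "dc01",    "svc-sql", "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("2015-08-03 02:10:20", "ws-17", "dc01",    "alicee",  "KDC_ERR_C_PRINCIPAL_UNKNOWN"),
    ("2015-08-03 02:11:00", "ws-17", "dc01",    "alice",   "KDC_ERR_PREAUTH_FAILED"),
    ("2015-08-03 02:11:05", "ws-17", "dc01",    "alice",   "KDC_ERR_PREAUTH_FAILED"),
    ("2015-08-03 02:11:10", "ws-17", "dc01",    "alice",   "OK"),
    ("2015-08-03 02:15:00", "ws-17", "file01",  "alice",   "OK"),
    ("2015-08-03 02:18:30", "ws-17", "hr-ws03", "alice",   "OK"),
    ("2015-08-03 10:15:00", "ws-02", "dc01",    "bob",     "OK"),
    ("2015-08-03 10:16:00", "ws-02", "file01",  "bob",     "OK"),
]


def parse(events):
    """Turn raw tuples into dicts sorted by timestamp."""
    return sorted(
        ({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
          "dst": dst, "user": user, "result": res}
         for ts, src, dst, user, res in events),
        key=lambda e: e["ts"])


def account_enumeration(events, threshold=5, window=timedelta(minutes=10)):
    """Map client host -> max number of unknown-principal failures it produced
    inside any `window`, for hosts reaching `threshold` (account reconnaissance)."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "KDC_ERR_C_PRINCIPAL_UNKNOWN":
            by_src[e["src"]].append(e["ts"])
    findings = {}
    for src, times in by_src.items():
        start = 0  # sliding window over time-sorted failure timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings[src] = max(findings.get(src, 0), count)
    return findings


def off_hours_logons(events, work_hours=(8, 18)):
    """Successful logons outside work_hours (start inclusive, end exclusive)."""
    lo, hi = work_hours
    return [(e["user"], e["src"], e["dst"]) for e in events
            if e["result"] == "OK" and not lo <= e["ts"].hour < hi]


def lateral_spread(events, min_hosts=3, window=timedelta(minutes=30)):
    """Map account -> number of distinct target hosts it logged on to within
    `window`, for accounts reaching `min_hosts` (credential reuse across machines)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            by_user[e["user"]].append((e["ts"], e["dst"]))
    findings = {}
    for user, seq in by_user.items():
        for first_ts, _ in seq:
            hosts = {dst for ts, dst in seq if first_ts <= ts <= first_ts + window}
            if len(hosts) >= min_hosts:
                findings[user] = max(findings.get(user, 0), len(hosts))
    return findings


def run(raw_events=EVENTS):
    """Run all three detectors and return their findings together."""
    ev = parse(raw_events)
    return {
        "account_enumeration": account_enumeration(ev),
        "off_hours_logons": off_hours_logons(ev),
        "lateral_spread": lateral_spread(ev),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(f"{name}: {finding}")
```

On the constructed sample, the detector flags ws-17 for five unknown-account failures in twenty seconds, reports every logon by alice as outside working hours, and flags alice for reaching three hosts within eight minutes, while bob's daytime activity on two hosts is left alone. The thresholds are deliberately simple; a real deployment would learn them per account and per host, which is the part ATA's behavioral analysis is meant to handle.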

Microsoft says its solution is easy to install and use. The administrator does not need to create any rules or policies; it is enough to configure the switches to forward (mirror) the appropriate traffic to the ATA Gateway.

The Advanced Threat Analytics tool is currently in Technical Preview and available for download at: (about 250 MB). The stable version is planned for August 2015. ATA requires Windows Server 2012 for installation.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.