The potential risks of a data breach cannot be ignored by organizations. According to IBM's Cost of a Data Breach 2022 report, the average loss an enterprise organization can experience due to a data breach has now reached a record number of $4.35 million USD. What's more, organizations that experience a data breach can risk having to pay hefty fines for violation of regulations surrounding the protection of sensitive data (such as employee or customer information), which can cause irreparable harm to the organization's reputation.
As cyber security attacks are becoming more and more advanced and severe, Microsoft has been continually developing solutions that organizations can utilize to combat even the most nefarious cyber attacks.
One such security solution is called Microsoft Advanced Threat Analytics, or ATA. This solution is included in Microsoft's Enterprise Mobility + Security (EMS) suite of business tools so that you have everything you need to secure your organization's devices.
Microsoft Enterprise Mobility + Security suite offers two different licensing options: E3 and E5.
The E3 license includes:
- Azure Active Directory Premium P1
- Microsoft Intune
- Azure Information Protection P1
- Advanced Threat Analytics
The E5 license includes:
- Azure Active Directory Premium P2
- Microsoft Intune
- Azure Information Protection P2
- Advanced Threat Analytics
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Identity
The main difference between the Microsoft E5 License and the E3 license is that E3 is better suited for small or medium businesses, while E5 is a more robust security option for enterprise organizations. However, both licenses include Microsoft Advanced Threat Analytics, and the features of ATA don't change depending on the license you purchase.
However, it's important to note that mainstream support for ATA ended on January 12, 2021, although extended support will be available until January 2026. This seems to mean for E3 license users that while ATA will continue to be available for the foreseeable future, it's unclear if users will need to upgrade to E5 or purchase the newer Microsoft Defender for Identity (formerly Azure Advanced Threat Protection).
In the interim, though, Microsoft Advanced Threat Analytics seems to be available and up and running, as Microsoft still includes the program as a feature listed for both E3 and E5 on the Microsoft Enterprise Mobility + Security website.
While E3 and E5 offer a lot of different security features for organizations, for the purposes of this article, we'll focus on Advanced Threat Analytics and its specific features and benefits.
Overview of Microsoft Threat Analytics
Advanced Threat Analytics is an on-premises security solution built to handle the advanced and targeted cyber security threats, both internal and external, that enterprise organizations are likely to encounter. It includes various components to fight cyber security attacks, some requiring on-premises hardware.
By utilizing advanced anomaly detection, behavioral analytics, and threat intelligence (features we'll describe in more detail later in the article), Microsoft Advanced Threat Analytics can proactively assess your organization's security risks and provide the information you need to strengthen your security measures.
ATA technology utilizes the phases of the cyber-attack kill chain to detect potentially suspicious activities that could be happening on your organization's networks, as listed in the table below:
|
Type of activity |
Description |
|
Reconnaissance |
Like a person scoping out your house while you're on vacation, attackers use reconnaissance to stealthily gather information on your networks, including how the environments are built, what the different assets are, and which entities exist. This is the planning phase of an attack. |
|
Credential compromise |
Someone other than the authorized user may possess login information that can be used to access your organization's network. |
|
Lateral movement cycle |
The lateral movement cycle is when an attacker breached your network perimeter's defense and invests their time and effort in spreading their attack inside your network. |
|
Privilege escalation |
An attempt to abuse an error, bug, or glitch in an application, program, or system to gain access to sensitive information. |
|
Domain dominance |
During domain dominance, an attacker captures information about your network (e.g., entry points, credentials, techniques) that allows them to continue their attacks. |
How Microsoft Advanced Threat Analytics Works
By leveraging a proprietary (developed by Microsoft) network parsing engine to capture and breakdown the components of network traffic from multiple protocols (Kerberos, DNS, and RPC are a few examples), Microsoft Advanced Threat Analytics inspects this network data for the purpose of authentication, authorization, and information gathering.
ATA uses the following processes to collect needed information from network traffic:
- Port mirroring from Domain Controllers and DNS servers to the ATA Gateway (receives network traffic and Windows Events from your network and processes it)
- Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers (a Lightweight Gateway is installed directly on domain controllers to monitor traffic directly, and doesn't require a dedicated server or configuration of port mirroring)
Without getting too technical, the architecture of ATA monitors your domain controller network traffic by utilizing something called port mirroring, which sends a copy of network data packets seen on a switch port or virtual local area network (VLAN) to a network monitoring connection port. From there, ATA can leverage information from Windows events to paint a picture of activities taking place on the network and analyze the data for potential attacks or threats.
In other words, ATA gets information from different data sources in a given network, including logs and events, and uses that information to learn about user behavior and other entities in the organization to create a behavioral profile.
The "events and logs" that ATA can receive data from include:
- SIEM Integration (Stands for Security Information Event Management—a system that collects and integrates security-related information throughout an organization's IT infrastructure, thus assisting with ATA's ability to reveal patterns of activity that may indicate intrusion attempts)
- Windows Event Forwarding (WEF) (Reads any operational or administrative event log on a device and forwards it to a Windows Event Collector (WEC) server)
- Windows Event Collector (for the Lightweight Gateway)
Need Help with Microsoft Licensing?
Leave your Microsoft licensing, security, and software solutions to us so you can concentrate on moving your business forward.Drop Us a Line
Key Features of Microsoft Threat Analytics
By applying the principles of the cyber kill chain framework, Microsoft Advanced Threat Analytics utilizes a number of features to detect potential attacks, including anomaly detection, behavioral analysis, and threat intelligence.
Behavioral Analysis
The information regarding what users in your organization do, including what actions they typically take to access certain programs and applications, is extremely important information to Microsoft Advanced Threat Analytics.
If your organization is located in Washington State (along with all of your employees) and suddenly someone logs in from somewhere in Europe, that clearly indicates to the system that something could be amiss. Similarly, if a user logs in at a strange time—like in the middle of the night—ATA will detect that action and send an alert to take quick action.
In other words, ATA uses machine learning and behavioral analytics to understand what normal behavior is for your organization's network and what isn't. When abnormal behavior is detected, an alert is sent so that security and IT teams can take the appropriate action.
Anomaly Detection
Based on the information gleaned from behavioral analysis, ATA can determine what constitutes an anomalous activity on your organization's network. These anomalies include:
- Anomalous logins (logins coming from unknown sources, including unusual locations or unidentifiable users)
- Unknown threats
- Password sharing
- Lateral movement
- Modification of sensitive groups (ATA allows sensitivity tags to be assigned to different accounts and groups of users to enhance detections)
Earlier in this article, we mentioned various phases of an advanced attack, including reconnaissance, credential compromise, lateral movement, privilege escalation, and domain dominance. The aim of ATA is to detect these phases and provide comprehensive information on them so that action can be taken before they cause damage to your organization.
After logging into the ATA console, the Suspicious Activities Timeline can be viewed. The newest activities are listed at the top. Each activity will have the following information:
- The entities involved, including users, computers, servers, domain controllers, and resources.
- Times and the time frame when suspicious activity or activities occurred.
- The severity of the suspicious activity, rated as High, Medium, or Low.
- The status of the activity: Open, Closed, or Suppressed.
From there, security professionals have the ability to:
- Share the suspicious activity information with others in your organization via email
- Export the information to Excel
Threat Intelligence
Microsoft Advanced Analytics utilizes threat intelligence to identify inevitable cyber security attacks that would happen for an organization, including common attack types:
|
Cyber Attack Type |
Description |
|
Pass-the-Ticket (PtT) |
A credential theft technique that uses stolen Kerberos tickets to authenticate a domain without needing the account's password. |
|
Pass-the-Hash (PtH) |
The attacker captures a password's hash (instead of the actual characters) and then uses that hash to pass an authentication check and get lateral access to networked systems. |
|
Overpass-the-Hash |
Enables an attacker to bypass a user account's NTLM hash into the Kerberos authentication provider by combining pass-the-hash and pass-the-ticket techniques. |
|
Forged PAC (MS14-068) |
An older security issue that exploited a vulnerability with how the Domain Controller validated group membership in Kerberos tickets. Microsoft has since patched this vulnerability. |
|
Golden Ticket |
A golden ticket is when a threat actor attempts to gain unlimited access to an organization's entire network by accessing user data stored in Microsoft Active Directory (AD). |
|
Malicious replications |
With the necessary permissions, attackers can create a replication request, which allows them to access and retrieve data stored in AD, including password hashes. |
|
Brute Force |
A hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. |
|
Remote execution |
When an attacker accesses a target system and makes changes remotely, regardless of where the device is located. In other words, they can push malware to gain control over a machine. |
Benefits of Microsoft Advanced Threat Analytics
As technology becomes more sophisticated, cyber-attacks are also becoming more severe. Having an effective threat analytics and reporting program like ATA assists your organization in better identifying threats and breaches before they become a problem. Further, the information captured can be used to dynamically create better and more effective solutions for mitigating these threats.
The benefits of using Microsoft Advanced Threat Analytics as your cyber security threat analytics and reporting solution are as follows:
Improved Threat Detection
Rather than being another security application that constantly sends red flags about false positives, Microsoft Advanced Threat Analytics utilizes the context behind behavioral data so that it can more easily determine the difference between an actual threat and a simple error or unintended action. Since 61% of all breaches involve compromised user credentials, the ability to gather, analyze, and draw insights from behavioral data is essential for a cyber threat intelligence analytics program.
Suspicious activity in ATA is classified in the following ways:
- True positive: A malicious action detected by Microsoft Advanced Threat Analytics.
- Benign true positive: An action detected by ATA that is a real action but is not malicious in nature.
- False positive: A false alarm means the activity did not happen.
Faster Incident Response
By utilizing around-the-clock analysis that's powered by Microsoft's proprietary algorithm and the behavioral analytics engine, ATA is continuously working to identify any suspicious activity in your network so that action can be taken immediately.
By providing an event timeline via a clearly and logically laid out dashboard, ATA shows you the who, what, when, and how of various events and activities without you having to sift through a mountain of information to find the most important alerts. ATA also recommends the next action that IT teams should take based on the information it gathered, helping these teams to be more productive.
Reduced Risk of Data Breaches
Microsoft Advanced Threat Analytics utilizes historical behavioral data to build its alerts and actions. Then, based on this information, the software makes a decision as to whether an event or action is a legitimate security breach or just another operation.
Further, if ATA does trigger an alert, it provides comprehensive reporting that provides a detailed description of what the alert was, who was involved in the event, and, most importantly, whether the event was a success or a failure.
ATA continuously learns from your organization's users, devices, programs, and applications to make better detections over time. In essence, as cyber-attacks get more advanced, the threat detection ability of Advanced Threat Analytics also increases.
Microsoft Advanced Threat Analytics Licensing
If you already have an active Enterprise Agreement through Microsoft, you can download ATA directly from the Microsoft Volume Licensing Center (VLSC).
EMS users should already have access to Microsoft Advanced Threat Analytics for the foreseeable future. If a license was acquired for EMS through the Microsoft 365 portal or through the Cloud Solution Partner (CSP) licensing model and access to ATA isn't available, then you'll need to contact Microsoft Support to activate the license.
FAQ
The following are frequently asked questions regarding Microsoft Advanced Threat Analytics and cyber security threats in general.
What is the Difference Between Advanced Threat Analytics and Defender for Identity?
ATA is a standalone, on-premises security solution with various components, including the ATA center, which requires dedicated on-premises hardware.
Defender for Identity, on the other hand, is a cloud-based security solution that leverages on-premises Active Directory signals. Defender is a highly scalable solution that is updated frequently by Microsoft.
Microsoft detects an astronomical 1.5 million nefarious attempts to access its cloud computing operations on any given day.
By defending against these attacks, Microsoft security researchers keep millions of emails, files, and other information stored in their data centers safe and learn more about how security breaches are attempted. This allows Microsoft to build more effective security solutions for both themselves and their users.
What is the Difference Between the ATA Sensor and the Defender Sensor?
Both cyber security software offerings utilize sensors, which are technologies that capture data from various sources to determine threats.
In addition to ATA's sources, Defender for Identity can use additional data sources, such as Event Tracing for Windows (ETW), which enables Defender for Identity to provide additional security detections.
The features that are available for Defender for Identity include:
- Support for multi-forest environments, which provides increased visibility for organizations across AD forests.
- Microsoft secure posture assessments to identify common misconfigurations and exploitable components, then provide recommendations to mitigate these risks and reduce attacks.
- UEBA capabilities provide insights into individual user risk through under-investigation priority scoring.
- Defender for Identity also natively integrates with Microsoft Defender for Cloud Apps (also included in Microsoft E5 licenses) and Azure AD Identity Protection to provide a hybrid view of the events taking place in on-premises and hybrid environments.
- Defender for Identity contributes alert and threat data to Microsoft 365 Defender to support a more holistic and robust approach to cyber security.
What Are Different Types of Cyber Threat Analytics?
There are various different types of threat analytics that organizations can utilize to strengthen their cyber security defense objectives. These include:
Cyber Threat Intelligence Analytics
Threat intelligence refers to data that is collected, processed, and analyzed to understand better a cyber attacker's motives, what systems and networks they are targeting, and what behaviors they display. By understanding the behaviors and motivations behind a cyber attack, IT teams can take quicker action while at the same time making more informed decisions to be more proactive instead of reactive when it comes to mitigating cyber threats.
Insider Threat Analytics
As you can probably imagine, an insider threat originates from within the organization rather than outside. If a former employee or contractor isn't removed from the network properly, or an employee is accidentally granted access to a part of the network or a system that they should have access to, there is a potential that a security breach can happen.
Insider threats cause up to 60% of data breaches, but most cyber security strategies, policies, and systems are focused on external threats. This can leave organizations vulnerable to attacks from "inside the house."
Because Microsoft Advanced Threat Analytics analyzes all behavioral data, regardless of whether it's coming from an internal or external source, internal threats can be detected just as easily as external threats. This allows for a more holistic view of an organization's cyber security and helps security and IT teams be more prepared to take action when needed.
Conclusion
Even though Microsoft Advanced Threat Analytics is actively being replaced by Microsoft Defender Identity, its core components are still being used for Defender Identity today, just in a cloud-based formation.
The behavioral analytics functionality of ATA is key in helping organizations understand the difference between the regular actions of their users compared to the malicious actions of threat actors. By understanding this difference, security and IT teams can be empowered with the ability to create better policies, procedures, and automated actions to secure potential threats before they become major problems.
With that being said, tackling cyber threats when technology and methods of attack are becoming increasingly advanced requires a comprehensive security plan. Amaxra shares Microsoft's approach with zero-trust security. The basic principle behind zero-trust security is that all activity, even those of trusted users, is a potential security breach. With that perspective in mind, controls can be put in place that consider identities, endpoints, applications, and data to offer the best protection against cyber threats.
Check out Amaxra's security options today to learn more about how your organization can build a robust cybersecurity strategy to mitigate risks.
Get Started Today
We'll build a secure and complete Microsoft software solution for your business while you concentrate on what's important.