As described in my previous article, we added a few on-premises components to one of the demo environments, in order to build a Hybrid Identity solution that is similar to what we are seeing in most enterprise environments today. I have also provided some ideas on how this environment can be monitored from a services health and security perspective.
One of the solutions described included the collection of security event logs from Domain Controllers into Operations Management Suite (OMS), where these consolidated events can be further analyzed using Azure Log Analytics. In the example provided, I have outlined a simple solution for identifying brute force attacks by reviewing the failed login events. While this is important to know in order to design the protection for these assets, it is not very effective in protecting against attacks that are using already compromised credentials (e.g. the attacker already has access to a valid user and password) or for insider attacks (e.g. rogue employees).
These scenarios can pose several challenges for the traditional protection and detection solutions. Microsoft Advanced Threat Analytics (ATA) takes information from multiple data-sources, including analysis of network traffic related to authentication, events from Domain Controllers and logs from external SIEM systems, to learn the behavior of users and build a profile for each of them. That allows ATA to detect several attack vectors, including reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance, etc. The picture below outlines a typical “attack kill chain” and shows the sequence of events that are taking place during the attack:
More information about ATA capabilities can be found here.
In this article, I will provide an overview of the additional ATA components added to the demo environment, the key deployment steps and a few examples of how we can detect some common attack scenarios.
Solution design
The diagram below depicts the updated design of the Hybrid Identity solution deployed:
The newly deployed components are highlighted in green and they include the ATA Center server that receives data from the ATA Lightweight Gateways deployed on each Domain Controller. This eliminates the need for deploying dedicated servers with ATA Gateways and the configuration of port mirroring on the Domain Controllers. More info about the ATA architecture can be found here.
Key deployment steps
- First, we need to run the ATA sizing tool in our environment. This is an useful tool that can identify if our current configuration of the Domain Controllers is supporting the ATA requirements. For example, in our case, we had to upgrade the hardware configuration on 2 of the Domain Controller VMs:
In addition, it provides the sizing recommendations for the ATA Center server:
The ATA sizing tool will typically run for 24 hrs, so that it can gather some good sampling data.
- After the 2 VMs have been upgraded and a new VM for the ATA Center has been provisioned, the next step was to install the ATA solution. You can refer to this comprehensive document that describes the required steps of building a proof of concept environment for ATA.
- The first step in the deployment was to install the ATA Center:
The installation is straightforward and, once completed, it will ask for a service account that will be used to connect ATA to the AD domain (this should be just a regular domain user).
- Next, I have installed the ATA Lightweight Gateway agents on the Domain Controller and completed the configuration in the ATA Center:
As you can see, the deployment and configuration of ATA is pretty straightforward.
Attack simulation scenarios
Now let’s look at some common attack scenarios and how ATA can help to detect them.
- DNS Reconnaissance
DNS Reconnaissance can be used to obtain information on the DNS zones in the environment. We can do this by running the nslookup command:
Even tough the DNS server refused the attempted zone transfer (which is a good thing, from a security perspective), ATA has immediately raised an alert about it:
This kind of events can be an early indication of an attacker that managed to get into your environment and is trying to learn more about it by dumping the DNS records.
But the key question here is – would you have even known about this attempt without ATA? Unlikely, as this can be one of those events that, even if they are logged, it is probably not something that your system admins will check every day.
- SMB Session Enumeration against the DC
Another common attack scenario is to try to enumerate the NetBIOS sessions that are open on a machine, in order to find out what users have open connections. Domain Controllers are typical targets, as they will process Group Policies, so it is likely that there will be connections made to them by all domain users.
NetSess is a command line tool that can be used to enumerate NetBIOS sessions on a specified local or remote machine. We can use it to target one of the DCs in our test environment:
Again, ATA will catch this event and raise an alert:
- Remote execution attempts
This can be easily tested by using psexec.exe and targeting a DC:
Below is the corresponding alert in ATA:
- Connections using plain-text passwords
This will allow us to identify if there are any connections made that are sending domain credentials in plain-text (this is a common scenario for 3rd-party/in-house built apps that are using LDAP bind without securing the communication channels with the DC):
ATA uses also User and Entity Behavioral Analysis (UEBA), which is a powerful function that allows ATA to “learn” the typical behavior of your users over a period of time and then, it can raise alerts if there are suspicious changes. This is more difficult to simulate in a lab environment, as it requires a learning period, a number of at least 50 active user accounts in the domain, etc.
Another useful feature is the aggregation of the events across multiple users/computers/apps, which is then used to create a visual timeline with the suspicious events that are targeting a specific asset. This allows us to zoom-out from specific events and look at the “big picture” to help us in an investigation to understand the sequence of events, which may explain how the environment was breached. Here is the view of the suspicious events targeting the DC used during my previous tests:
For a more in-depth demonstration of how ATA can help in detecting a “real-world” attack and how it can be integrated with your SIEM solution, please check out the following video:
As the attacks become more and more sophisticated and cybersecurity becomes a top priority not only for the IT professionals and IT leaders, but even for CEOs, I think that it is critical to have the right tools to be able to protect, detect and respond to the cybersecurity threats today. As described in my last few articles on LinkedIn, Microsoft 365 (which includes Enterprise Mobility and Security, Office 365 and Windows 10 Enterprise) provides an integrated security solution that is powered by the Intelligent Security Graph, spanning across on-premises and Cloud services to protect your identities, end-points, apps and data.