Azure ATP Overview: Part 1 of 2
Let’s face it…Microsoft has not historically been known for security. Why would they be? From the creation of Office and Active Directory, their enterprise focus was productivity, leaving customers to configure their own security. There was a time I could not say Microsoft and Security in the same sentence. However, with the relevance of the cloud, Microsoft is now responsible for the infrastructure that customers use for their productivity and development apps. So instead of security being an afterthought, Microsoft now has a security-first mindset. This begins with Microsoft’s Intelligent Security Graph. However, the vast majority of customers run a hybrid infrastructure and may remain there for some time. A major component of any Microsoft infrastructure is Active Directory, and securing and monitoring domain controllers in a cloud or hybrid environment greatly expands the boundaries of what must be secured. Microsoft’s solution to this is Azure Advanced Threat Protection.
Azure Advanced Threat Protection (Azure ATP) is a cloud-based behavior analytics solution and is essentially the cloud version of Advanced Threat Analytics (ATA). Both Azure ATP and ATA help protect your environment from multiple types of advanced targeted attacks and insider threats; however, Azure ATP is meant for hybrid environments. Both have very similar designs and functions. Below is the architecture of Azure ATP. Again, it is basically the same as ATA, except that Azure ATP keeps the workspace in the Azure cloud. ATA required a dedicated server for the ATA Center workspace, which had massive resource requirements. Additionally, ATA was part of the Enterprise Mobility + Security (EMS) E3 bundled license, whereas Azure ATP requires the EMS E5 license.
Azure ATP Components
- Azure ATP Workspace Management Portal: Central management interface that allows you to create workspaces and integrate with other Microsoft services, such as Windows Defender ATP.
- Azure ATP Workspace Portal: Primary administrative interface that receives data from all sensors and gives you a place to monitor, manage, and investigate that data.
- Azure ATP Sensor: Lightweight agent installed directly on a domain controller to monitor and report traffic.
- Azure ATP Standalone Sensor: Full agent installed on a dedicated server that can monitor traffic from multiple domain controllers. This is the alternative for those who do not wish to install an agent directly on a domain controller.
Azure ATP uses proprietary analytical algorithms to capture and parse data from domain controllers or standalone sensors in order to detect and investigate certain malicious behaviors related to the authentication and authorization of services. Azure ATP learns the behavior of users and builds a profile of their typical use. Azure ATP can also receive information from other data sources, such as events and logs, via:
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector
- RADIUS Accounting from VPNs
Azure ATP helps detect and prevent malicious attacks. Attacks are detected both by predictive analytics and by abnormal-behavior analytics. A result can be a true positive, a benign true positive (such as penetration testing), or a false positive. Azure ATP requires at least 2 weeks after deployment to capture enough data to positively identify real attacks. The full list of known attack types includes:
- Pass-the-Ticket (PtT)
- Pass-the-Hash (PtH)
- Forged PAC (MS14-068)
- Golden Ticket
- Malicious replication
- Directory Service Enumeration
- SMB Session Enumeration
- DNS Reconnaissance
- Horizontal Brute Force
- Vertical Brute Force
- Skeleton Key
- Unusual Protocol
- Encryption Downgrade
- Remote execution
- Malicious Service Creation
For a full description of known attack types see https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide.
For most deployments, Microsoft has designed Azure ATP sensors to be installed directly on domain controllers. The Azure ATP Sizing Tool (http://aka.ms/aatpsizingtool) is a simple tool that Microsoft provides to help determine whether you can install the lightweight sensor or require a standalone sensor. The tool can be run by a domain admin on any domain-joined workstation that has network access to all the domain controllers. It runs for 24 hours, gathering performance metrics during that time, including CPU and memory utilization and IOPS, to determine the type of sensor required. The results are written to an Excel file for review, which tells you which domain controllers are supported and whether any additional requirements, such as additional resources, are needed.
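To make the collection step concrete, the following PowerShell is an added example, not Microsoft's Sizing Tool and not code from this post: it samples the three metrics the tool is described as gathering (CPU, memory, IOPS) from every domain controller and summarizes them per DC. It assumes the RSAT ActiveDirectory module, a domain admin running it on a domain-joined workstation, and remote performance-counter access to each DC; it applies no sizing thresholds, since those belong to Microsoft's tool.

```powershell
# Illustrative DC performance sampler (added example, not the Azure ATP Sizing Tool).
# Assumes: RSAT ActiveDirectory module, remote Performance Logs and Alerts access to every
# DC, and a domain admin running it on a domain-joined host. No sizing thresholds applied.
param(
    [int]$DurationMinutes = 5,          # the real tool samples for 24 hours; short default for a trial run
    [int]$SampleIntervalSeconds = 60,
    [string]$OutCsv = '.\dc-performance-samples.csv'
)

Import-Module ActiveDirectory

# Counters corresponding to the three metrics named in the post.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Disk Transfers/sec'   # disk transfers per second = IOPS
)

# Enumerate every DC in the current domain and sample them all in one call, so the
# collection window is shared rather than repeated per DC.
$dcs = (Get-ADDomainController -Filter *).HostName
$maxSamples = [math]::Max(1, [int]($DurationMinutes * 60 / $SampleIntervalSeconds))

$data = Get-Counter -ComputerName $dcs -Counter $counters `
                    -SampleInterval $SampleIntervalSeconds -MaxSamples $maxSamples `
                    -ErrorAction SilentlyContinue   # an unreachable DC is skipped, not fatal

# Flatten samples; the machine name is the first path segment (\\dc01\processor(_total)\...).
$rows = foreach ($set in $data) {
    foreach ($s in $set.CounterSamples) {
        [pscustomobject]@{
            DomainController = ($s.Path -split '\\')[2]
            Timestamp        = $set.Timestamp
            Counter          = ($s.Path -split '\\', 4)[3]
            Value            = [math]::Round($s.CookedValue, 2)
        }
    }
}
$rows | Export-Csv -Path $OutCsv -NoTypeInformation

# Average and peak per DC and counter: the figures a lightweight-versus-standalone decision is based on.
$rows | Group-Object DomainController, Counter | ForEach-Object {
    $values = $_.Group.Value
    [pscustomobject]@{
        DomainController = $_.Group[0].DomainController
        Counter          = $_.Group[0].Counter
        Average          = [math]::Round(($values | Measure-Object -Average).Average, 2)
        Peak             = ($values | Measure-Object -Maximum).Maximum
    }
} | Sort-Object DomainController, Counter | Format-Table -AutoSize
```

Raise `-DurationMinutes` to match the tool's 24-hour window when you want a full day of peaks rather than a quick check that counter access to each DC works.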