Roughly 108 days ago, Microsoft released its Advanced Threat Protection service into preview for enterprise customers eager for an early look at the latest productivity, security, and device management capabilities coming to Windows 10.
Now, three months later, Microsoft’s threat analytics team has felt confident enough in the feedback it received to release Advanced Threat Analytics (ATA) v1.7 for public consumption. Alongside the public release of ATA comes an update to the service that includes:
Enhancements in behavioral analytics and malicious attack detection
Detection of reconnaissance using directory services enumeration
As part of the reconnaissance phase, attackers gather information about the entities in the network using different methods. Directory services enumeration using the SAM-R protocol enables attackers to obtain the list of users and groups in a domain and understand the interaction between the different entities.
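To make the reconnaissance pattern concrete, here is an added example (illustrative code, not ATA's own detection logic) that flags a host issuing a burst of directory-enumeration calls over SAM-R. The events are constructed; the method names follow the MS-SAMR specification, but which names the detector matches is an assumption of the example, as are the window and threshold values.

```python
"""Illustrative SAM-R enumeration detector (added example, not ATA's code).

Flags a source host that issues many directory-enumeration calls over SAM-R
within a short window, the pattern a reconnaissance tool produces when it
pulls the full user and group list from a domain controller.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MS-SAMR methods that return lists of accounts. Assumed to be the names a
# traffic parser or audit pipeline reports; adjust to your data source.
ENUMERATION_METHODS = {
    "SamrEnumerateUsersInDomain",
    "SamrEnumerateGroupsInDomain",
    "SamrEnumerateAliasesInDomain",
}

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 3                   # enumeration calls per window before alerting

# Constructed sample events: (ISO timestamp, source host, SAM-R method).
# A helpdesk workstation makes single lookups; WS-FINANCE-07 walks the domain.
SAMPLE_EVENTS = [
    ("2016-08-22T09:00:05", "WS-HELPDESK-02", "SamrOpenUser"),
    ("2016-08-22T09:00:07", "WS-HELPDESK-02", "SamrEnumerateUsersInDomain"),
    ("2016-08-22T09:14:10", "WS-FINANCE-07", "SamrEnumerateUsersInDomain"),
    ("2016-08-22T09:14:11", "WS-FINANCE-07", "SamrEnumerateUsersInDomain"),
    ("2016-08-22T09:14:13", "WS-FINANCE-07", "SamrEnumerateGroupsInDomain"),
    ("2016-08-22T09:14:14", "WS-FINANCE-07", "SamrEnumerateAliasesInDomain"),
    ("2016-08-22T11:30:00", "WS-HELPDESK-02", "SamrEnumerateGroupsInDomain"),
]


def detect_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, burst) where the number of enumeration
    calls inside `window` reaches `threshold`. Events may arrive unsorted."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    alerted = set()               # hosts already reported for the current burst
    alerts = []
    for ts_text, host, method in sorted(events):
        if method not in ENUMERATION_METHODS:
            continue              # opening a single object is not enumeration
        ts = datetime.fromisoformat(ts_text)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # expire timestamps that fell out
            q.popleft()
        if len(q) < threshold:
            alerted.discard(host)         # burst is over; a new one may alert
            continue
        if host not in alerted:           # report once per burst, not per call
            alerts.append({
                "host": host,
                "first_seen": q[0].isoformat(),
                "calls": len(q),
            })
            alerted.add(host)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_EVENTS):
        print("SAM-R enumeration burst:", alert)
```

The helpdesk host's two calls, hours apart, never reach the threshold, so only WS-FINANCE-07 is reported. A fixed threshold is the simplest form of this rule; a behavioral approach would learn each host's normal rate instead.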
Pass-the-hash detection enhancements
To enhance pass-the-hash detection, we added additional behavioral models for the authentication patterns of entities. These models enable ATA to correlate entity behavior with suspicious NTLM authentications, and differentiate real pass-the-hash attacks from the behavior in false positive scenarios.
Pass-the-ticket detection enhancements
To successfully detect advanced attacks and pass-the-ticket attacks in particular, the correlation between an IP address and the computer account must be accurate. This is a challenge in environments where IP addresses change rapidly by design (for example Wi-Fi networks and multiple virtual machines sharing the same host). To overcome this challenge and improve the accuracy of the pass-the-ticket detection, ATA’s network name resolution (NNR) mechanism was improved significantly to reduce false positives.
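The false-positive problem described above is easy to reproduce. The added example below (illustrative code, not ATA's NNR implementation) compares a naive "latest lease wins" mapping of IP address to computer with a resolution that asks which computer held the address at the time of the event. The lease history and ticket-use records are constructed; the field layout is an assumption of the example.

```python
"""Why pass-the-ticket correlation needs time-aware name resolution.

Added illustration, not ATA's code. A Kerberos ticket issued at one computer
and later presented from another is the pass-the-ticket signal; whether the
"other computer" is real depends entirely on mapping the source IP to the
right machine at the right moment.
"""

# Constructed DHCP-style lease history: (ip, host, lease start, lease end).
# The address 10.1.20.15 is reused by a second laptop the same morning, as
# happens on Wi-Fi with short leases.
LEASES = [
    ("10.1.20.15", "LAPTOP-ALICE", "2016-08-22T08:00:00", "2016-08-22T09:00:00"),
    ("10.1.20.15", "LAPTOP-BOB",   "2016-08-22T09:05:00", "2016-08-22T12:00:00"),
    ("10.1.20.33", "LAPTOP-CAROL", "2016-08-22T08:30:00", "2016-08-22T12:00:00"),
]

# Constructed ticket-use records: (time, source ip, account, host the
# ticket was originally issued to). ISO timestamps compare as strings.
TICKET_USES = [
    ("2016-08-22T08:30:00", "10.1.20.15", "alice", "LAPTOP-ALICE"),
    ("2016-08-22T10:00:00", "10.1.20.15", "bob",   "LAPTOP-BOB"),
    ("2016-08-22T10:30:00", "10.1.20.33", "alice", "LAPTOP-ALICE"),
]


def resolve_static(ip, when, leases):
    """Naive resolver: whichever host most recently took the address.
    `when` is ignored, which is exactly the flaw being demonstrated."""
    holders = [lease for lease in leases if lease[0] == ip]
    return max(holders, key=lambda lease: lease[2])[1] if holders else None


def resolve_at(ip, when, leases):
    """Time-aware resolver: the host whose lease covered `ip` at `when`."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and start <= when <= end:
            return host
    return None   # unknown at that moment: do not guess, do not alert


def pass_the_ticket_alerts(uses, leases, resolver):
    """Alert when a ticket is presented from a host other than the one it
    was issued to. Unresolvable addresses are skipped rather than guessed."""
    alerts = []
    for when, ip, account, issued_to in uses:
        host = resolver(ip, when, leases)
        if host is not None and host != issued_to:
            alerts.append((when, account, issued_to, host))
    return alerts


if __name__ == "__main__":
    print("static mapping :", pass_the_ticket_alerts(TICKET_USES, LEASES, resolve_static))
    print("time-aware     :", pass_the_ticket_alerts(TICKET_USES, LEASES, resolve_at))
```

With the static mapping, alice's perfectly normal 08:30 ticket use is reported as coming from LAPTOP-BOB, because Bob's laptop took the address later that morning. The time-aware resolver clears that event and keeps only the 10:30 use of alice's ticket from LAPTOP-CAROL, which is the case worth investigating.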
Behavioral analytics enhancements
As a leader in the UEBA market, we’re constantly improving ATA’s abnormal behavior algorithms to better detect suspicious behavior patterns and insider threats. In this release, NTLM authentication data was added as a data source for the abnormal behavior detections, providing the algorithms broader coverage of entity behavior in the network.
Unusual protocol implementation enhancements
We are constantly researching new malicious attacks both regionally and globally. We identified additional suspicious protocol patterns that are being used in attack campaigns. In this release, we added detections of unusual protocol implementation in the Kerberos protocol, along with additional anomalies in the NTLM protocol. Specifically, these new anomalies for Kerberos are commonly used in over-pass-the-hash attacks.
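The pass-the-hash, behavioral-analytics and protocol-anomaly items above all rest on the same idea: learn what authentication normally looks like for each account, then score deviations. The added example below (illustrative code, not ATA's models) builds a per-account profile from constructed NTLM and Kerberos events and scores two deviations: an NTLM logon from a host the account has never used, and a Kerberos request negotiating an encryption type the account has never used before. Treating an unexpected encryption type as the protocol anomaly is an assumption of the example, chosen because a ticket request made with only a password hash typically cannot negotiate the stronger types a normal client uses; the event fields and all data are constructed.

```python
"""Per-account authentication baseline with two deviation scores.

Added illustration, not ATA's implementation. The profile records which
source hosts an account authenticates from and which Kerberos encryption
types it has negotiated. A Kerberos logon with a known encryption type from
a new host is treated as a legitimate way to "learn" that host, which is
how the example avoids alerting on a user who simply moved to a new laptop.
"""
from collections import defaultdict

# Constructed events: (time, account, source host, protocol, detail).
# detail is the NTLM logon kind or the Kerberos encryption type name.
LEARNING_EVENTS = [
    ("2016-08-01T08:00:00", "alice", "LAPTOP-ALICE", "Kerberos", "AES256"),
    ("2016-08-01T08:05:00", "alice", "LAPTOP-ALICE", "NTLM", "Network"),
    ("2016-08-01T08:10:00", "bob",   "LAPTOP-BOB",   "Kerberos", "AES256"),
    ("2016-08-03T14:00:00", "bob",   "LAPTOP-BOB",   "NTLM", "Network"),
]

NEW_EVENTS = [
    ("2016-08-22T10:00:00", "alice", "LAPTOP-ALICE",  "NTLM", "Network"),     # usual
    ("2016-08-22T10:02:00", "alice", "WS-FINANCE-07", "NTLM", "Network"),     # never used host
    ("2016-08-22T10:03:00", "alice", "WS-FINANCE-07", "Kerberos", "RC4"),     # never used etype
    ("2016-08-22T10:04:00", "bob",   "LAPTOP-BOB2",   "Kerberos", "AES256"),  # new laptop, normal logon
    ("2016-08-22T10:05:00", "bob",   "LAPTOP-BOB2",   "NTLM", "Network"),     # follows the Kerberos logon
]


def build_baseline(events):
    """Per account: hosts seen in any authentication plus Kerberos etypes."""
    baseline = defaultdict(lambda: {"hosts": set(), "etypes": set()})
    for _, account, host, proto, detail in events:
        baseline[account]["hosts"].add(host)
        if proto == "Kerberos":
            baseline[account]["etypes"].add(detail)
    return baseline


def score_events(events, baseline):
    """Walk new events in time order, alerting on deviations and letting
    normal Kerberos logons extend the profile. Returns (time, account,
    host, reason) tuples. Accounts absent from the baseline get an empty
    profile, so their NTLM logons alert and their etypes are all new."""
    alerts = []
    for when, account, host, proto, detail in sorted(events):
        profile = baseline[account]
        if proto == "Kerberos":
            if profile["etypes"] and detail not in profile["etypes"]:
                alerts.append((when, account, host,
                               "unusual Kerberos encryption type " + detail))
                continue          # an anomalous request must not teach the model
            profile["hosts"].add(host)   # a normal Kerberos logon establishes the host
        elif proto == "NTLM" and host not in profile["hosts"]:
            alerts.append((when, account, host,
                           "NTLM authentication from a host the account never used"))
    return alerts


if __name__ == "__main__":
    for alert in score_events(NEW_EVENTS, build_baseline(LEARNING_EVENTS)):
        print(alert)
```

Alice's NTLM logon from WS-FINANCE-07 and the RC4 ticket request from the same host are the two alerts; Bob's NTLM logon from LAPTOP-BOB2 is not reported because the preceding Kerberos logon with his usual encryption type had already added that host to his profile. That ordering rule is the simplest version of the "correlate entity behavior with suspicious NTLM authentications" idea the release notes describe.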
In addition to these updates, ATA v1.7 also adds support for Windows Server 2016 and Windows Server Core as well as role-based access control, thanks to feedback from customers during the preview period.
Microsoft is enabling automatic download of ATA v1.7 and the ATA Center through Microsoft Update. Automatic upgrades for ATA Gateways can be configured in the ATA Center after it has been upgraded.
For those interested, Microsoft’s Cloud and Enterprise Security Division encourages readers to follow @IdanPlotnik on Twitter or to check the Enterprise Mobility + Security blog for more details.