Azure Advanced Threat Protection or Azure ATP
In this blog post, I will be introducing Azure Advanced Threat Protection or Azure ATP, a new cloud-based solution from Microsoft that provides advanced threat detection for on-premises Active Directory. In other blog posts, we will talk about Azure ATP and Windows Defender ATP integration, Azure ATP vs ATA, Azure Advanced Threat Protection deployment, and how Azure ATP can help detect lateral movement.
How many ATPs do we have so far?
Attacks are becoming more and more sophisticated, so to achieve good security, security professionals need to do three things:
- Understand how advanced attacks work on-premises and in the cloud [which tools, techniques, etc.].
- Understand how, once an attack has succeeded, the attacker starts moving inside the network, and whether the attack propagates from on-premises to cloud resources [Lateral Movement].
- Build a security model or strategy to address those advanced attacks.
Microsoft responded with its Advanced Threat Protection security model, consisting of Office 365 ATP, Azure ATP and Windows Defender ATP.
- Office 365 ATP [think of this as the 1st line of protection]: inspection of zero-day attacks and malware received via email or uploaded to SharePoint Online, using the Safe Attachments and Safe Links features.
- Windows Defender ATP [think of this as the 2nd line of protection]: device-level protection that detects advanced, persistent malware on endpoints and provides post-breach investigation and automated response.
- Azure ATP [think of this as the 3rd line of protection]: lets IT admins monitor attackers who are already inside the network (the attacker, not the malware), see what they are doing and what they did, and decide which actions to take.
All of these are licensed under the E5 suite and work together to protect your enterprise. They provide defense in depth as follows:
- Since most malware arrives by email, Office 365 ATP can be considered the first line of defense.
- If Office 365 ATP fails to identify the malware, the endpoint agent, Windows Defender ATP, tries to catch it by spotting unusual privilege elevation or strange behavior on the machine.
- If credential theft succeeds anyway, Azure ATP lets you monitor how the attacker uses that identity to move from one machine to another. That is, after a successful credential theft, what activities the attacker performs using the stolen identity.
Branding issue: Microsoft ATA and now Azure ATP?
If you have ever used Microsoft Advanced Threat Analytics (ATA), you may be surprised or confused to hear about Azure Advanced Threat Protection (Azure ATP). Both serve the same purpose: analyzing the traffic coming to your on-premises domain controllers and detecting anomalies.
I deployed Microsoft ATA in a big environment when the ATA service was first announced, and I really liked the product. I was wondering if there would be a cloud offering for such a service, where the traffic from my domain controllers could be analyzed in the cloud instead of maintaining the MongoDB on the ATA Center on-premises. This is exactly what happened recently when Microsoft announced such an offering under the name Azure ATP.
In the ATA world, you would have either ATA Gateways (fed by port mirroring of your domain controllers) or the ATA Lightweight Gateway agent deployed directly on your domain controllers. Either way, traffic coming to your domain controllers is captured and sent to a centralized on-premises server called the ATA Center, which aggregates that traffic into an internal MongoDB database.
ATA Center as a Service
What Microsoft is doing now is offering that ATA Center as a cloud service. Traffic from your domain controllers (captured either by a standalone sensor or by a sensor installed on the DC itself, the Azure ATP equivalents of the gateway and the lightweight gateway) is sent to the cloud service to be analyzed. There is no on-premises MongoDB to maintain anymore, and the role of the ATA Center is eliminated.
For me, this is a better approach, as it allows for more integration with other Azure security products and reduces the maintenance work you have to do on the on-premises ATA Center.
Instead of naming the cloud version of the ATA Center "Azure ATA", Microsoft decided to name this offering Azure Advanced Threat Protection, or Azure ATP. This is in line with Microsoft's effort to brand its line of cloud security products consistently: Windows Defender ATP on the endpoint and Office 365 ATP in Office 365.
Azure ATP is a cloud-based evolution of the on-premises ATA solution. Both are fed by traffic from your on-premises domain controllers, but Azure ATP can pick up newer threats and attack techniques more quickly than on-premises ATA, since the detection logic lives in the service and is updated without you upgrading anything on-premises. You can read more about Azure ATP vs ATA here.
What does Azure ATP really do?
I will give a realistic example of how to think about Azure Advanced Threat Protection. Contoso is a very large enterprise with thousands of employees and offices around the world. They have just hired John as their new security specialist to detect advanced persistent threats inside their network.
Meet John, the new security specialist
Imagine that we hired someone into the security team named John. We asked John to observe any suspicious activity, detect advanced threats, and alert us to any known security risks. If John is a professional security admin, he will follow a systematic approach to reach this goal:
First Step: John starts studying and learning about entities in the directory
The first thing John does is get access to Active Directory, study its structure, and list all identity entities (users, groups, machines). John will spend a good amount of time understanding these entities (security principals). He might get a bit obsessive about it and put a sticker for each entity on the wall, so that later he can build an authentication and activity timeline for each one.
Now John knows about everyone and everything that can request an authentication token. He even knows all groups and nested groups, which will come in handy later when tracing lateral movement.
Step 2: John marks sensitive accounts
Now that John knows the entities in the directory, he wants to ask his manager or the identity team about the high-value accounts in the company. Since his job is to protect the company against compromised identities, it makes sense to classify identities according to their value and the access they hold.
Before asking his manager which identities the company considers high value (sensitive), he did his homework and identified any identity that is a member of one of the following groups as a sensitive account:
- Power Users
- Account Operators
- Print Operators
- Backup Operators
- Remote Desktop Users
- Network Configuration Operators
- Incoming Forest Trust Builders
- Domain Admins
- Domain Controllers
- Group Policy Creator Owners
- Read-only Domain Controllers
- Enterprise Read-only Domain Controllers
- Schema Admins
- Enterprise Admins
John did his homework and identified a good chunk of accounts that he thinks should be considered sensitive. Membership has to be resolved through nested groups too: a user who sits in a helpdesk group that is itself a member of Account Operators is just as sensitive as a direct member. John then had a meeting with his manager, who told him to also consider the CEO and CFO accounts as sensitive [this is Manual Entity Tagging in Azure ATP].
John now has a mission: protect those sensitive accounts and prevent an attacker from gaining access to any of them. In his office he has a very large wall with a sticker for each user, group and machine in Active Directory. He uses green stickers to mark the sensitive accounts. His wall looks like the picture below, with Steve, Bob and Layla marked as sensitive accounts in green; purple stickers list all groups, yellow stickers list all users, and red stickers list all machines, including servers.
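Here is John's homework in code. This is an added example, not code from the original post and not how Azure ATP itself is implemented. It walks a small constructed directory (the group and user names are made up), follows nested group membership without looping on a group cycle, and adds the two manually tagged executive accounts on top of the group-derived ones:

```python
"""Tag "sensitive" accounts from nested group membership plus manual tags.

Added example, not code from the original post or from Azure ATP.
The directory below is constructed; group and user names are made up.
"""
from collections import deque

# The built-in groups the post lists as making their members sensitive.
SENSITIVE_GROUPS = {
    "Power Users", "Account Operators", "Print Operators", "Backup Operators",
    "Remote Desktop Users", "Network Configuration Operators",
    "Incoming Forest Trust Builders", "Domain Admins", "Domain Controllers",
    "Group Policy Creator Owners", "Read-only Domain Controllers",
    "Enterprise Read-only Domain Controllers", "Schema Admins",
    "Enterprise Admins",
}

# Constructed directory: group -> direct members (users or other groups).
# "Helpdesk" is nested inside "Account Operators", and the Tier0/Tier0-Ops
# pair forms a cycle, which a naive recursion would loop on forever.
DIRECTORY = {
    "Domain Admins": ["steve", "Tier0"],
    "Tier0": ["bob", "Tier0-Ops"],
    "Tier0-Ops": ["Tier0"],
    "Account Operators": ["Helpdesk"],
    "Helpdesk": ["layla"],
    "Marketing": ["alice", "kit", "emma", "peter"],
    "Remote Desktop Users": [],
}

# Manual tags, as the manager asked: CEO and CFO accounts (constructed names).
MANUAL_TAGS = {"ceo.jane", "cfo.omar"}


def is_group(name, directory=DIRECTORY):
    return name in directory


def expand_members(group, directory=DIRECTORY):
    """Return all users that are transitively members of `group`.

    Breadth-first walk with a visited set, so nested groups are followed
    and group cycles terminate.
    """
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in directory.get(queue.popleft(), []):
            if is_group(member, directory):
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def sensitive_accounts(directory=DIRECTORY, manual_tags=MANUAL_TAGS):
    """Map each sensitive user to the set of reasons it was tagged."""
    reasons = {}
    for group in SENSITIVE_GROUPS & set(directory):
        for user in expand_members(group, directory):
            reasons.setdefault(user, set()).add(f"member of {group}")
    for user in manual_tags:
        reasons.setdefault(user, set()).add("manually tagged")
    return reasons


if __name__ == "__main__":
    for user, why in sorted(sensitive_accounts().items()):
        print(f"{user:10s} <- {', '.join(sorted(why))}")
```

Bob never appears directly in Domain Admins, only through the nested Tier0 group, and still ends up with a green sticker; Alice, who is only in Marketing, does not. In a real forest you would feed the same logic from LDAP queries of the `member` attribute, and the visited set matters because circular nesting does occur in old directories.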
Step 3: Know your victims
John now knows the entities in the directory (the stickers on the wall). He wants to be prepared in case one of those identities gets compromised. John loves to watch Law and Order and the Scandal TV series, and he remembers that when Olivia Pope wants to help a victim, she puts the victim's picture on the wall and her team starts gathering all the information about that person.
John takes his job seriously, so for each entity on the wall he gathers the following information:
- Whether this is a sensitive account or not
- SamAccountName, UPN, CN, DN, SID
- Group Membership
- Organizational Structure (using the Manager attribute)
- Created On
- Email Address
- An indicator of whether he knows this identity is at risk (a small, scary red icon)
- Criminal record: any dirt John might find about Alice (integration with Windows Defender ATP)
Just by looking at the picture below, John can quickly learn a lot about Alice Smith (a user at Contoso). Imagine John doing this for every identity in the whole directory. It seems John has a lot of free time.
Step 3: Quick security assessment of each entity on the wall (directory)
Someone gave John a book back in the old days listing all the bad security practices when it comes to directory accounts. In this book there is a chapter called User Access Controls, listing those controls and whether it is a good idea to have certain configurations, such as Password Never Expires.
The User Access Controls that John gathers about each entity are:
- Password never expires
- Smart card required
- Empty password allowed
- Cannot be delegated
- Kerberos pre-authentication not required
- Trusted for delegation
- Password expired
- Plain text password stored
- DES encryption only
- Account disabled
So John added a new section to his entity profile, like the one we saw previously for Alice Smith. He now adds a purple sticker highlighting that Alice's password never expires, as highlighted here. In the future, when John is investigating a security incident involving Alice, he can quickly see that her account is already exposed because of this password expiry setting. He might also send a recommendation to the identity team to fix that immediately.
It is a great addition to Alice's profile sticker, as at a glance John can see whether her account is disabled or whether a smart card is required for it.
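All of the controls in that list are bits of the account's userAccountControl attribute (the documented ADS_USER_FLAG values), so John's purple stickers can be produced by decoding one integer per account. The following is an added example, not code from the post or from Azure ATP; the account names and their flag values are constructed:

```python
"""Decode userAccountControl and flag the weak settings the post lists.

Added example, not code from the post or from Azure ATP. Bit values are
the documented ADS_USER_FLAG constants; the accounts below are constructed.
"""

# Flag name -> (bit mask, is this a weakness worth a "purple sticker"?)
UAC_FLAGS = {
    "ACCOUNTDISABLE":             (0x00000002, False),
    "PASSWD_NOTREQD":             (0x00000020, True),   # empty password allowed
    "ENCRYPTED_TEXT_PWD_ALLOWED": (0x00000080, True),   # reversible encryption
    "NORMAL_ACCOUNT":             (0x00000200, False),
    "DONT_EXPIRE_PASSWORD":       (0x00010000, True),
    "SMARTCARD_REQUIRED":         (0x00040000, False),
    "TRUSTED_FOR_DELEGATION":     (0x00080000, True),   # unconstrained delegation
    "NOT_DELEGATED":              (0x00100000, False),
    "USE_DES_KEY_ONLY":           (0x00200000, True),
    "DONT_REQ_PREAUTH":           (0x00400000, True),   # AS-REP roastable
    "PASSWORD_EXPIRED":           (0x00800000, False),
}


def decode_uac(value):
    """Return the set of flag names whose bits are set in `value`."""
    return {name for name, (mask, _) in UAC_FLAGS.items() if value & mask}


def weak_settings(value):
    """Return only the flags the post treats as bad practice, sorted."""
    return sorted(name for name in decode_uac(value) if UAC_FLAGS[name][1])


# Constructed accounts (sAMAccountName -> userAccountControl as stored in AD).
ACCOUNTS = {
    "alice": 0x10200,            # normal account, password never expires
    "svc_backup": 0x10220,       # never expires + no password required
    "legacy_app": 0x400200,      # Kerberos pre-authentication not required
    "web_svc": 0x80200,          # trusted for (unconstrained) delegation
    "bob": 0x200,                # plain enabled user
    "old_contractor": 0x202,     # disabled
}


def assess(accounts=ACCOUNTS):
    """Map each account to the list of weak settings it carries."""
    return {sam: weak_settings(uac) for sam, uac in accounts.items()}


if __name__ == "__main__":
    for sam, weak in assess().items():
        print(f"{sam:15s} {ACCOUNTS[sam]:#010x} {', '.join(weak) or 'ok'}")
```

One caveat a practitioner should know: the "password expired" and lockout states are not persisted in userAccountControl. They come from the constructed attribute msDS-User-Account-Control-Computed, so a tool that only reads the stored attribute will never see PASSWORD_EXPIRED set.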
Step 4: Asking HR for criminal records
John wants to be perfect at his job, and he does not mind outside help. For each profile on his wall, he asks the HR department for any external information that could help him investigate identity issues. It would be useful to learn that Alice is under HR investigation because she did something bad and HR might fire her soon. John can use this feedback to argue that, since she is about to be fired, she might do something bad and compromise other identities.
In reality, this maps to the Azure ATP and Windows Defender ATP integration, where the Azure ATP profile page for an entity shows the risk level of that entity from the Windows Defender ATP perspective.
Step 5: Asking the networking team for logs
John now understands the environment. His wall is full of profiles and he has a good understanding of each and every user, group and machine in the directory.
John asks the networking team to send him a copy of all network traffic coming to all domain controllers. John also wants a copy of the event logs from the domain controllers. If John knows there is a SIEM deployed in the network, he won't mind getting data from there too.
Step 6: Understanding the behavior of people and entities
In the real world there is something called criminal psychology, defined as the study of the wills, thoughts, intentions and reactions of criminals and of everything that partakes in criminal behavior.
You can see in famous movies and TV series that investigators try to understand how the killer thinks, what he likes, what his childhood looked like, whether he loves to make public appearances or not. They build a model, or psychological profile, of him to anticipate his next move.
As John loves that kind of TV investigation technique, he starts to build a behavioral profile for each entity in the directory based on the logs he has.
For Alice Smith, for example, he starts to observe her authentication behavior:
- Which machines does she usually log on to?
- Which resources (SPNs) does she usually access?
- At what times of day, and on which days of the week, does she usually log on to the corporate network?
- Which other entities log on to the machines that Alice logs on to?
- Since Alice is part of the marketing team, and Bob is in the same team, John can state that they usually access the same resources, like the marketing file share servers.
John starts learning Alice's behavior and building a model that can flag anomalies against her normal day-to-day behavior. John also keeps updating the model for Alice, so that if Alice starts using a new machine regularly, the model adapts to reflect that this is now normal behavior.
Now if John sees Alice start accessing abnormal resources from a machine that he knows she does not log on to frequently, he can sense that something is wrong. This is exactly the detective work we see in movies, like when the security guard notices that someone is using his access card to enter the management floor on a Saturday night. He can quickly identify this as an abnormal action and act accordingly.
In the picture below, we can see the continuously updated model that John maintains for Alice Smith. He knows which resources she usually accesses and which machines she uses to access them. If Alice accesses the archive server, for example, and Bob (who works with Alice) usually accesses that server, then John can assume this is normal behavior for Alice, given the behavior of her peers.
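To make the "compare to herself, then to her peers" idea concrete, here is a small baseline-and-anomaly model over constructed authentication events. This is an added example, not code from the post and not Azure ATP's actual models; the users, teams, hosts and SPNs are made up. Each event is (user, source host, resource SPN), which is what a sensor can extract from a Kerberos TGS request. It also implements the "three devices, then a dozen" fan-out check described later in the Detect phase:

```python
"""Learn per-user baselines and flag abnormal authentication behavior.

Added example, not code from the post or from Azure ATP's models; the
events and team assignments are constructed. Each event is
(user, source_host, resource) as a sensor might extract from a Kerberos
TGS request: the requesting account, the client host and the SPN.
"""
from collections import defaultdict

# Constructed org structure: peers are the user's team mates.
TEAMS = {"alice": "marketing", "bob": "marketing", "kit": "marketing",
         "maisie": "hr"}

# Constructed learning-window events (user, host, resource SPN).
LEARNING = [
    ("alice", "WS-ALICE", "cifs/MKT-FS01"),
    ("alice", "WS-ALICE", "cifs/MKT-FS01"),
    ("alice", "WS-ALICE", "http/INTRANET"),
    ("bob", "WS-BOB", "cifs/MKT-FS01"),
    ("bob", "WS-BOB", "cifs/ARCHIVE01"),
    ("kit", "LT-KIT", "cifs/MKT-FS01"),
    ("maisie", "WS-MAISIE", "cifs/HR-SRV01"),
]

EMPTY = {"hosts": frozenset(), "resources": frozenset()}


def learn(events, teams=TEAMS):
    """Build per-user host/resource sets and per-team resource sets."""
    profile = defaultdict(lambda: {"hosts": set(), "resources": set()})
    team_resources = defaultdict(set)
    for user, host, resource in events:
        profile[user]["hosts"].add(host)
        profile[user]["resources"].add(resource)
        team_resources[teams.get(user)].add(resource)
    return dict(profile), dict(team_resources)


def score_event(event, profile, team_resources, teams=TEAMS):
    """Return the list of anomaly tags for one new event ([] means normal)."""
    user, host, resource = event
    own = profile.get(user, EMPTY)
    anomalies = []
    if host not in own["hosts"]:
        anomalies.append("new_source_host")
    if resource not in own["resources"]:
        peers = team_resources.get(teams.get(user), frozenset())
        # A resource the user's team already uses is explained by peer
        # behavior (Alice reaching the archive server Bob uses): not flagged.
        if resource not in peers:
            anomalies.append("new_resource_unusual_for_team")
    return anomalies


def device_spike(user, recent_events, profile, factor=3, floor=3):
    """True when a user suddenly authenticates from far more hosts than the
    baseline, the fan-out pattern seen during lateral movement."""
    baseline = len(profile.get(user, EMPTY)["hosts"])
    recent_hosts = {h for u, h, _ in recent_events if u == user}
    return len(recent_hosts) > max(floor, factor * baseline)


if __name__ == "__main__":
    profile, team_res = learn(LEARNING)
    print(score_event(("alice", "WS-ALICE", "cifs/ARCHIVE01"), profile, team_res))
    print(score_event(("kit", "WS-MAISIE", "cifs/HR-SRV01"), profile, team_res))
    burst = [("kit", f"WS-{i:02d}", "cifs/MKT-FS01") for i in range(12)]
    print(device_spike("kit", burst, profile))
```

Alice touching the archive server from her own workstation produces no anomaly because her peer Bob already uses it, while Kit's account appearing on Maisie's machine and reaching the HR server trips both checks. The thresholds in `device_spike` are arbitrary; a real model would also weight by time of day and decay old observations so that a genuinely new laptop becomes normal after a while, as the post describes.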
Step 6: Detection of known attack techniques and security risks
John has a list of things he knows should be considered suspicious, like a replication request coming from a machine that is not a domain controller, or someone doing reconnaissance using account enumeration. Those are known indicators of a cyber attack, and John knows well how to look for them. A complete list of those indicators (suspicious activities) is listed here.
Step 7: Advanced Threat Detection
By now John knows everything about the company, its people and devices, their habits and behavior, and he knows well how to detect suspicious behavior. This allows John to thoroughly investigate anything that might be considered even slightly abnormal in the network.
John is investigating a user called Kit, who works in the marketing team with Emma and Peter. He usually uses his laptop and works on all working days but never on a Saturday night. John has just noticed a couple of abnormal activities involving Kit's identity:
- Many failed logon attempts happened recently for Kit's account.
- His account logged on to a machine he has never logged on to before.
- His credentials were seen on Maisie's machine [Pass-the-Ticket or Pass-the-Hash].
- He is trying to access the HR server, which he has never accessed before. This is unusual for him and for his marketing team: neither Emma nor Peter has accessed that server before.
John has all the information he needs to detect this anomaly and raise an alert. Thanks to the Azure ATP and Windows Defender ATP integration, John can dig deeper into Kit's laptop, and perhaps Maisie's, to see whether there is malware on the machine.
Azure ATP automates John’s work
The company cannot afford to pay John and his big team their salaries anymore. Bad news for John and his team, who have been working 24/7 to observe, learn and detect anomalies. The company is replacing John's team with a new supercomputer that can do machine learning and AI with the power of cloud computing. The new supercomputer is called Azure Advanced Threat Protection, and it does the following:
1 – COLLECT PHASE
Azure ATP needs to collect logs from your on-premises domain controllers and/or your SIEM if you have one. Azure ATP performs layer 7 deep packet inspection (DPI) on the domain controller traffic. So when Azure ATP sees a Kerberos authentication request, it extracts which user account is authenticating, which SPN is being requested, the type and strength of the encryption being used, and more. Azure ATP can also read logs from your VPN device (using RADIUS accounting) to give you better insight into who is connecting remotely, from where, and at what times. In the future, Azure ATP will be able to collect logs from other external sources, including cloud resources (think of integrating logs from on-premises DCs with logs from Azure AD).
2 – ANALYZE & LEARN PHASE
Next, Azure ATP profiles entities (user accounts and machines) according to the logs it collected. Azure ATP learns what counts as normal behavior for each user and for the whole organization by learning when each user logged on, from where, and which resources they actually accessed. This profile information is what later detection is built on.
A big challenge here is how to map a network IP collected in phase 1 to a device name (hostname). Since Azure ATP monitors traffic going to domain controllers, it only sees the source IP of that traffic. On the other hand, Kerberos tickets contain hostnames, not IP addresses. Azure ATP therefore needs to do name resolution to resolve IP addresses to hostnames, so that it can correlate the data and identify suspicious activities. The sensor does this itself, with NetBIOS, RDP and NTLM-over-RPC probes and reverse DNS lookups, which is why those ports need to be reachable from the sensor to the client machines.
Let me give you an example of how important IP resolution is for detection. Suppose Azure ATP sees that the IP 10.10.10.1 is performing an Active Directory replication request. Azure ATP knows that this request is legitimate only if it comes from a domain controller. The problem is that Azure ATP knows only the hostnames of the domain controllers, not their IP addresses. Without proper IP resolution to map the IP to a device, there is no way for Azure ATP to decide whether this is suspicious or not.
Finally, Azure ATP is a cloud service that has been completely re-engineered for scale and integration. The Azure ATP and Windows Defender ATP integration is a natural and powerful combination of an identity detection engine and a device detection engine.
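The replication example above, carried through in code. This is an added example, not code from the post or from Azure ATP: the domain controller list, the resolver table and the captured requests are all constructed. The request type that matters is the directory replication RPC (IDL_DRSGetNCChanges), which is what DCSync tooling calls to pull account hashes from a DC. The same check also covers the "replication from a non-domain controller" suspicious activity described later in the Detect phase, and shows what to do when an address does not resolve at all:

```python
"""Resolve source IPs to hosts and flag replication requests from non-DCs.

Added example, not code from the post or from Azure ATP; the DC list,
resolver table and captured requests are constructed. The service knows
the domain controllers by hostname, while the sensor sees only the source
IP of a request, so the two must be joined before the check can be made.
"""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed reverse-resolution table: what reverse DNS, NetBIOS or an
# RPC/NTLM probe would return for each address. 10.10.30.99 is deliberately
# absent to model a host that refuses every resolution method.
RESOLVER = {
    "10.10.10.1": "DC01",
    "10.10.10.2": "DC02",
    "10.10.20.15": "WS-KIT",
}

# Constructed requests observed at a DC: (source_ip, operation).
# "DsGetNCChanges" is the replication RPC that DCSync issues to pull
# password hashes; "ldap_search" stands for ordinary directory traffic.
REQUESTS = [
    ("10.10.10.2", "DsGetNCChanges"),
    ("10.10.20.15", "ldap_search"),
    ("10.10.20.15", "DsGetNCChanges"),
    ("10.10.30.99", "DsGetNCChanges"),
]


def resolve(ip, table=RESOLVER):
    """IP -> hostname, or None when no resolution method answered."""
    return table.get(ip)


def classify(ip, operation, dcs=DOMAIN_CONTROLLERS, table=RESOLVER):
    """Return (verdict, hostname) for one observed request."""
    host = resolve(ip, table)
    if operation != "DsGetNCChanges":
        return ("benign", host)
    if host is None:
        # Cannot tell a DC from a workstation; surface it for investigation
        # rather than silently letting it pass.
        return ("unresolved_replication_source", None)
    if host.upper() in dcs:
        return ("legitimate_replication", host)
    return ("suspicious_replication_from_non_dc", host)


def run(requests=REQUESTS):
    """Classify every request, keeping the original fields for the alert."""
    return [(ip, op) + classify(ip, op) for ip, op in requests]


if __name__ == "__main__":
    for row in run():
        print(*row)
```

Note the unresolved case: if the sensor's name resolution fails (blocked ports, a host that is not a domain member, an attacker's box), the safe default is to raise a lower-confidence alert, not to assume the source is a domain controller.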
3 – DETECT [ ABNORMAL BEHAVIOR + SUSPICIOUS ACTIVITIES]
Now that Azure ATP has collected the logs and learned about the entities, it can detect abnormal behavior and suspicious activities. Abnormal-behavior detections are statistical or machine learning models in which Azure ATP learns how entities normally operate within the organization: which resources they normally access and which devices they normally use. Azure ATP then detects abnormal behavior by comparing each user's behavior to their own history, to their peers and to the whole organization, in order to understand what is normal and spot what is not.
[ABNORMAL ACTIVITY EXAMPLE]: if a user usually logs in from three devices and then starts authenticating from a dozen devices, which is what usually happens during lateral movement, Azure ATP detects that as abnormal behavior.
[SUSPICIOUS ACTIVITY EXAMPLE]: suspicious activities are activities that should not happen in a normal organization, like replication requests coming from machines that are not domain controllers. This is a technique attackers actually use (commonly known as DCSync) to pull directory data and credential hashes from a domain controller without ever touching the NTDS.dit file.
So how does Azure ATP build the list of suspicious activities? Microsoft has a large security research team that constantly looks at what is happening in the security field and learns which techniques attackers are using. The second source is Microsoft's Intelligent Security Graph, which helps its security engineers understand how organizations normally operate and, based on that, feed new suspicious-activity detections into Azure ATP.
4 – ALERT & INVESTIGATE
Once a detection is made, Azure ATP notifies the security team by several means, such as email notifications, and also shows the alert in the Azure ATP portal as an intuitive attack timeline that lays out what actually happened. Each alert also has a dedicated alert page with detailed information, so that you can quickly decide whether it is a true positive or something that can be dismissed.
There are a lot of features and things you can do with Azure Advanced Threat Protection, like defining sensitive accounts, configuring honeytoken accounts, downloading reports, integrating with syslog, and more. There is also a reference of all the suspicious activities Azure ATP can detect. My favorite suspicious activities are [Abnormal Sensitive Group Modification] and [Golden Ticket].