7. $3.5M
Average financial loss a data breach causes an organization: $3.5 million
200+
After breaking into the corporate network, hackers go unnoticed for 200 days on average
75%+
More than 75% of attacks result from hackers stealing credentials
$500B
Financial loss cybercrime inflicts on the global economy: $500 billion
8. Today's cyber attackers:
• Cause very serious economic damage, as well as loss of corporate data and damage to brand value
• Carry out most attacks by stealing user identities
• Use existing IT tools instead of malware, so they are harder to detect
• Go unnoticed for an average of 8 months after entering the corporate network
12. They only protect the perimeter: once credentials are stolen and attackers are inside the network, these solutions provide limited protection.
They are complex: installing, configuring and learning them is hard and takes a long time.
They raise too many false alerts: they produce too many reports, which are usually too complex to find the time to read and contain many false positives. This also wastes time.
13. An on-premises solution that lets you detect advanced security attacks before it is too late
It is just like this...
Credit card companies track cardholders' behaviour. If abnormal behaviour is detected, the cardholder is called and asked to confirm.
Microsoft Advanced Threat Analytics brings this concept to IT
16. Key features
Mobility support: monitors all access and authentication activity to corporate resources from mobile devices.
SIEM integration: works with SIEM solutions and adds the logs coming from them to the attack timeline; you can forward the security alerts ATA detects to your SIEM solution or have them emailed to specific people.
Seamless deployment: software that can run on physical or virtual machines; thanks to port mirroring it integrates flawlessly with Active Directory; fits your existing network topology and does not intrude on it.
17. Analyze (step 1). After installation:
• Copies all Active Directory traffic using port mirroring
• Attackers cannot notice it
• Inspects all AD traffic
• Collects events from SIEM solutions and the information it needs from AD (titles, group memberships and other details)
18. Learn (step 2). ATA:
• Automatically starts learning and profiling the behaviour of entities
• Identifies the normal behaviour of entities
• Learns continuously and updates its knowledge when an entity's behaviour changes
What are entities? Users, devices and other resources
19. Detect (step 3). Microsoft Advanced Threat Analytics:
• Looks for abnormal behaviour and identifies suspicious activities
• Turns suspicious activities into alerts only when they are verified in different contexts
• Has a broad knowledge base of security risks and attacks worldwide. By examining attackers' tactics, techniques and procedures (TTPs), it detects risks and attacks in near real time.
• Does not evaluate entities only in isolation; it also compares them with the behaviour of the other entities they interact with.
20. Alert (step 4)
Presents the activities it finds suspicious on a simple, functional timeline on which it is easy to take action.
It shows:
• Who?
• What?
• When?
• How?
For each suspicious activity it offers recommendations for deeper investigation or remediation.
21. Detected suspicious activities, by attack phase
Reconnaissance:
• Account enumeration
• Net Session enumeration
• DNS enumeration
• Directory Services recon using SAM over RPC
Compromised Credential:
• Abnormal working hours
• Brute force using NTLM, Kerberos or LDAP
• Sensitive accounts exposed in plain text authentication
• Service accounts exposed in plain text authentication
• Honey Token account suspicious activities
• Unusual protocol implementation
• Malicious Data Protection Private Information (DPAPI) Request
Lateral Movement:
• Abnormal authentication
• Abnormal resource access
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
Privilege Escalation:
• MS14-068 exploit (Forged PAC)
• MS11-013 exploit (Silver PAC)
Domain Dominance:
• Skeleton key malware
• Golden ticket
• Remote execution
• Malicious replication requests
In this presentation we will tell you about a brand new Microsoft product that will help IT security professionals to identify security breaches before they cause damage: Microsoft Advanced Threat Analytics. This is a technology based on the recent acquisition of Aorato, an innovator in enterprise security.
Cyber attacks are changing shape today
More than 75% of attacks result from hackers stealing credentials
Identity matters more than ever
Attackers used to use malware or viruses; now credentials are used
Once inside, attackers stay undetected for an average of 8 months
The result is very serious damage: economic loss, loss of corporate data, loss of brand value...
We are all aware of the advanced cyber security attacks that are taking place: we have seen several examples in the last couple of years with Target, Premera, JP Morgan Chase, Anthem Blue Cross and Sony. Almost every day now in the news we see new, sophisticated cybersecurity attacks. Most of us got our credit cards replaced in the last year even without asking for it. Some of us have been victims of identity theft. In the past we shredded credit card statements, but now our information is out there anyway.
The fact of the matter is that the frequency and sophistication of cybersecurity attacks is getting worse.
Today, the topic of cyber-security has moved from IT and the datacenter to the highest levels of the boardroom and even to the White House. Attacks and threats have grown substantially more sophisticated in frequency and severity. We would like to share some sobering, eye-opening statistics regarding these cyber security attacks:
Over 75% of network intrusions are traced back to compromised (weak or exploited) user credentials. We have several devices and we access corporate resources from a variety of them. Users and user credentials remain the most important blind spot in advanced attacks.
We think we can catch these attackers, right? Wrong. The median number of days attackers reside within a victim's network before detection. As one of the IT directors I had a discussion with mentioned, they are not coming into our networks with bombs and explosive materials anymore. They use chopsticks and toothpicks. They lie low.
The cost of these attacks to the global economy and to a company is significant. It is estimated that the total potential cost of cybercrime to the global economy is $500B. The average cost of a data breach to a company is $3.5 million, and that is only the tip of the iceberg.
200+ days: The average number of days that attackers reside within a victim’s network before detection
76% of all network intrusions are due to compromised user credentials
(Source: Verizon 2013 Data Breach Investigation Report)
$500B The total potential cost of cybercrime to the global economy
(Source: CSIS-McAfee Report)
$3.5M The average cost of a data breach to a company
(Source: Ponemon Institute Releases 2014 Cost of Data Breach)
Several research companies have analyzed these advanced attacks. Interestingly, the attacks have a lot in common.
User credentials remain the blind spot. Most advanced attacks (an estimated 75% or more) involve stolen user credentials.
Attackers first reach non-privileged users (they can even be vendors) and then use those credentials to reach privileged accounts (like admins) and breach sensitive information.
When we talk to IT professionals we still see that users are the key blind spot in any organization. They know that users don't change their passwords.
Users are not as concerned about IT security as IT is. This is a huge pain point and blind spot.
Attacks and attackers' methods are more sophisticated. Hackers use legitimate IT tools more than malware; malware is their last resort. Accordingly, they are harder to detect.
And they lie low in the network. They stay in a network for an average of eight months before detection.
Attacks leave huge damage behind: financial loss, impact on brand reputation, loss of confidential data, executives losing their jobs.
This is the new level of terrorism.
All organizations are working under the assumption of a breach. No single organization claims that it is not breached or that it is not an interesting target. Smaller organizations are even more concerned, as they serve large clients, which makes them an interesting target, and they don't necessarily have the resources that large organizations have for IT security.
Designed to protect the perimeter. Networks are like M&Ms: hard to crack, but once you're inside, it's easy to maneuver. Once someone is inside the network, these tools no longer have a role.
Unfortunately, the traditional IT security solutions are not up to the task.
They provide limited protection against sophisticated cyber-security attacks when user credentials are stolen. Initial setup, creating rules and fine-tuning are cumbersome and may take years. Every day you receive several reports full of false positives. Most of the time you don't have the resources to review this information, and even if you could, you may still not have the answers, since these tools are designed to protect the perimeter, primarily stopping attackers from gaining access.
The question remains: how do you find the attackers—before they cause damage?
Today’s complex cyber-security attacks require a different approach.
Built on the technology of Aorato (an Israeli start-up acquired by Microsoft in November 2014)
An on-premises solution. It works with the Domain Controllers inside the organization (not Azure AD)
Analogy: credit card companies call you if you spend more than usual...
That is why we are introducing Microsoft Advanced Threat Analytics, an innovative technology based on the acquisition of Aorato, innovator in enterprise security.
To explain the concept on a high level, we would like to use an analogy:
We are all credit card holders. If we travel to another location, especially another country, it is on our travel checklist to call our bank and tell them they are going to see some charges from another country. For instance, if my credit card company starts to see charges from South Africa although I am normally located in Redmond, Washington, they will give me a call and ask whether I am really travelling, whether this is somebody using my credentials or whether it is me. If it is not me, they will block my card and send me a new one. They will also notify me if there is abnormal activity on my credit card: if they see, say, a charge of 3,000 in a single transaction, they may send me an alert.
Microsoft Advanced Threat Analytics is bringing this concept in a more advanced way to the employees, vendors and IT departments of organizations. Microsoft Advanced Threat Analytics, in short ATA, is an on premises platform helping IT to protect their enterprise from the advanced attacks by automatically analyzing, learning, and identifying normal and abnormal entity (user, devices and resources) behavior.
How?
How does it do it?
Behavioral analytics: it knows you and how you normally behave, and wakes up when you behave differently, because an attacker may be hiding behind your identity.
It knows the attack types and security issues known worldwide and adds them to its knowledge base, keeping them in mind while analyzing suspicious activities. This knowledge is already built into the solution.
By combining these two methods it can detect advanced attacks.
Microsoft Advanced Threat Analytics uses behavioral analysis to understand what normal entity behavior is. For instance, let's say Ben has three devices (a Windows laptop, a Windows phone and a Surface device). He accesses corporate resources from these devices and primarily spends time in Cloud and Enterprise Marketing resources. By leveraging machine learning, ATA identifies what normal behavior is for Ben and the other entities in his interaction map. If tomorrow Ben starts to access corporate resources from 50 different devices on 3 different continents, it will raise a red flag, as this is an anomaly relative to his normal behavior.
After discussions with customers and analysis of advanced attacks, it is clear that:
Using only machine learning algorithms in User Behavioral Analytics is not enough to detect advanced attacks: in most cases the algorithms detect anomalies after the fact, when the attacker may already be gone. The way to detect advanced attacks is through the combination of detecting security issues and risks, detecting attacks in real time based on TTPs, and behavioral analysis leveraging machine learning algorithms.
That is why Microsoft Advanced Threat Analytics marries behavioral analytics with detection for known malicious attacks (pass the hash, pass the ticket, over pass the hash) and security issues and risk to provide a comprehensive solution.
Also:
Data sources are key elements in this magic of detecting advanced attacks.
Just analyzing logs will only tell you half of the story and in the worst case scenario will provide you false positives. The real evidence is located in the network packets. This is why you need the combination of deep packet inspection (DPI), log analysis, and information from the Active Directory to detect advanced attacks.
There are other solutions in the marketplace, so you may ask why you should choose Microsoft Advanced Threat Analytics.
Let us tell you why we think you’ll love it:
It is fast
Traditional IT security tools provide limited protection when sophisticated security breaches occur or when user credentials are stolen. Initial setup, creating rules, and fine-tuning can be cumbersome and take years. With Microsoft Advanced Threat Analytics, the intelligence is built in and once it’s installed, it is continuously learning and improving. No need to create rules, thresholds, or baselines and then fine-tune. ATA analyzes the behaviors among users, devices, and resources—as well as their relationship to one another—and can detect suspicious activity and known attacks fast.
It is adaptive to the changing nature of cyber-security attacks
In a world of constantly-evolving cyber tactics, you have to adapt as fast as your attackers. Once it’s installed, ATA is continuously analyzing and learning entity behavior. ATA adapts to changes, but identifies abnormal behavior with its proprietary algorithm and reports anomalies. ATA is the only user behavior analytics solution today that will dynamically prompt the user for inputs, and automatically adjusts its learning and detection capabilities.
It provides clear, actionable information on a simple attack timeline
Your job is already challenging without monitoring several security reports and false positives. The attack timeline was created for simplicity. It surfaces important, relevant events in real time in a convenient way. While the technology is sophisticated, the report is clear, functional, and also actionable with recommendations and next steps.
Red flags are raised only when needed
Microsoft Advanced Threat Analytics is a system that cuts through the chaos and shows the most relevant attack data instead of false positives. Microsoft Advanced Threat Analytics contextually aggregates suspicious activities before alerts are issued.
Some key features to mention:
Mobility support
No matter where your corporate resources reside—within the corporate perimeter, on mobile devices, or elsewhere—ATA witnesses authentication and authorization. This means that external assets like devices and vendors are as closely monitored as internal assets.
Integration to SIEM
ATA works seamlessly with SIEM after contextually aggregating information into the attack timeline. It can collect specific events that are forwarded to ATA from the SIEM. Also, you can configure ATA to send an event to your SIEM for each suspicious activity with a link to the specific event on the attack timeline.
Seamless Deployment
ATA functions as an appliance, either hardware or virtual. It utilizes port mirroring to allow seamless deployment alongside Active Directory without affecting existing network topology. It automatically starts analyzing immediately after deployment. You don’t have to install any agents on the domain controllers, servers or computers.
The ATA system continuously goes through four steps to ensure protection:
Step 1: Analyze
After installation, by using pre-configured, non-intrusive port mirroring, all Active Directory-related traffic is copied to ATA while remaining invisible to attackers. ATA uses deep packet inspection technology to analyze all Active Directory traffic. It can also collect relevant events from SIEM (security information and event management) and other sources.
Step 2: Learn
ATA automatically starts learning and profiling behaviors of users, devices, and resources, and then leverages its self-learning technology to build an Organizational Security Graph. The Organizational Security Graph is a map of entity interactions that represent the context and activities of users, devices, and resources.
Step 3: Detect
After building an Organizational Security Graph, ATA can then look for any abnormalities in an entity’s behavior and identify suspicious activities—but not before those abnormal activities have been contextually aggregated and verified. ATA leverages years of world-class security research to detect known attacks and security issues taking place regionally and globally. ATA will also automatically guide you, asking you simple questions to adjust the detection process according to your input.
While the hope is that this stage is rarely reached, ATA is there to alert you of abnormal and suspicious activities. To further increase accuracy and save you time and resources, ATA doesn't only compare the entity's behavior to its own, but also to the behavior of other entities in its interaction path before issuing an alert. This means that the number of false positives is dramatically reduced, freeing you up to focus on the real threats.
At this point, it is important for reports to be clear, functional, and actionable in the information presented. The simple attack timeline is similar to a social media feed on a web interface and surfaces events in an easy-to-understand way.
Reconnaissance via Net Session enumeration
Because of its GPO role, a DC also serves like a file server, and clients connect to DCs over SMB to retrieve GPO settings. Malicious actors can use this during reconnaissance to ask the DC for the username and IP address of every current session.
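As an added example (not ATA's code and not from this deck), the following toy detector combines the two kinds of signal the notes above describe: a learned per-user baseline of devices and regions (the Ben scenario), a known-TTP rule for Net Session enumeration against domain controllers, and contextual aggregation so that one unfamiliar workstation does not by itself become an alert. The event format, host names, user names and thresholds are all constructed for this example.

```python
"""Toy detector combining a learned behavioural baseline with a known-TTP
rule and contextual aggregation. Events, host names and thresholds are
constructed for this example; this is not ATA's code or data format."""
from collections import defaultdict

# Constructed events: (day, user, device, region, operation, target)
HISTORY = [  # learning period: what each user normally does
    (1, "ben", "laptop-01", "us-west", "logon", "fs01"),
    (1, "ben", "phone-01", "us-west", "logon", "mail01"),
    (2, "ben", "surface-01", "us-west", "logon", "fs01"),
    (3, "ben", "laptop-01", "us-west", "logon", "sp01"),
    (1, "alice", "ws-07", "us-west", "logon", "fs01"),
    (2, "alice", "ws-07", "us-west", "logon", "fs01"),
]
TODAY = [  # detection window
    (4, "ben", "laptop-01", "us-west", "logon", "fs01"),
    (4, "ben", "unknown-pc-1", "eu-west", "logon", "fs01"),
    (4, "ben", "unknown-pc-2", "ap-south", "logon", "fs01"),
    (4, "ben", "unknown-pc-3", "eu-west", "logon", "sp01"),
    (4, "ben", "unknown-pc-1", "eu-west", "NetSessionEnum", "dc01"),
    (4, "ben", "unknown-pc-1", "eu-west", "NetSessionEnum", "dc02"),
    (4, "alice", "ws-08", "us-west", "logon", "fs01"),  # replaced workstation, benign
]
DOMAIN_CONTROLLERS = {"dc01", "dc02"}


def learn(events):
    """Learning phase: record the devices and regions each user normally uses."""
    profiles = defaultdict(lambda: {"devices": set(), "regions": set()})
    for _, user, device, region, _, _ in events:
        profiles[user]["devices"].add(device)
        profiles[user]["regions"].add(region)
    return profiles


def behavioural_findings(profiles, events):
    """Compare the window against the baseline; one finding per new device or
    region per user, so a burst of logons does not become a burst of findings."""
    findings, seen = [], set()
    for _, user, device, region, op, _ in events:
        if op != "logon":
            continue
        base = profiles.get(user, {"devices": set(), "regions": set()})
        for kind, value, known in (("new_device", device, base["devices"]),
                                   ("new_region", region, base["regions"])):
            if value not in known and (user, kind, value) not in seen:
                seen.add((user, kind, value))
                findings.append((user, kind, value))
    return findings


def net_session_findings(events, dcs, min_dcs=2):
    """Known-TTP rule: one source host asking several domain controllers for
    their session lists (NetSessionEnum over SMB) is reconnaissance, not
    the normal GPO retrieval clients perform against a DC."""
    targets = defaultdict(set)
    for _, user, device, _, op, target in events:
        if op == "NetSessionEnum" and target in dcs:
            targets[(user, device)].add(target)
    return [(user, "net_session_enum", f"{device}->{sorted(t)}")
            for (user, device), t in targets.items() if len(t) >= min_dcs]


def aggregate(findings, min_kinds=2):
    """Contextual aggregation: raise an alert for a user only when at least
    `min_kinds` independent kinds of suspicious activity coincide."""
    by_user = defaultdict(list)
    for user, kind, detail in findings:
        by_user[user].append((kind, detail))
    return {user: sorted(items) for user, items in by_user.items()
            if len({kind for kind, _ in items}) >= min_kinds}


def run(history=HISTORY, today=TODAY, dcs=DOMAIN_CONTROLLERS):
    """Returns (all suspicious activities, alerts that survived aggregation)."""
    findings = behavioural_findings(learn(history), today)
    findings += net_session_findings(today, dcs)
    return findings, aggregate(findings)


if __name__ == "__main__":
    suspicious, alerts = run()
    for f in suspicious:
        print("suspicious:", f)
    for user, items in alerts.items():
        print("ALERT", user, items)
```

Ben's burst of new devices, new regions and DC session enumeration survives aggregation as one alert, while Alice's single new workstation stays a suspicious activity rather than an alert.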
At preview, the ATA Gateway can monitor the network traffic via port mirroring of up to four domain controllers. The ATA Gateway will send the relevant information to the ATA Center for additional analysis. The ATA Center can manage multiple ATA Gateways. At preview, the ATA Center is limited to monitor a single domain and up to 10 mixed loaded domain controllers. Microsoft Advanced Threat Analytics will provide more scale at general availability.