Azure ATP first impressions

Microsoft's Advanced Threat Protection services are getting the third piece of the puzzle with Azure ATP.

The ATP family now has three services and, for the first time, offers a complete solution for the Kill Chain scenario: from the front with Office ATP, through the machines with Windows Defender ATP, to the last part, identity, with Azure ATP.
* There are other Microsoft cloud technologies that perform ATP functions but are not part of the Kill Chain and do not integrate specifically with these ATP services.

For those who are not familiar with Microsoft ATP: two of the cloud services have been working for a while and do an excellent job. The ATP services are:

Office ATP – an e-mail filtering service for Exchange Server and Exchange Online that adds client protections against malware, bad links, and malicious attachments with the Safe Links and Safe Attachments features.

Windows Defender ATP – an agentless, behavior-based service built into Windows 10 that detects advanced threats and enables IT to more quickly pinpoint attacks that make their way onto the network. Windows Defender ATP offers centralized management, with dashboards that offer easy-to-read alerts, health and status updates, end-to-end views of the deployment, and recommendations for fixing security issues.

Azure ATP detects and helps investigate advanced attacks and insider threats across on-premises, cloud, and hybrid environments.
It monitors your identity and network traffic to identify and track malicious activity immediately.
It also provides an end-to-end investigation experience: pivot between an entity’s behavior across the organization and the behavior of a specific endpoint.

Cyber Kill Chain

The framework of the Kill Chain was developed/discovered in 2010. Since then, organizations of all sizes have been referencing this model to manage their information security. The framework is focused on protecting against Advanced Persistent Threats. This is a class of adversaries using advanced tools and techniques designed to defeat most conventional computer network defense mechanisms such as Anti-Virus and firewalls.

The Microsoft Global Incident Response and Recovery Team and Microsoft’s managed cyber threat detection service, known as Enterprise Threat Detection Service, identify and respond to thousands of targeted attacks per year. Based on Microsoft’s experience, the image below illustrates how most targeted cyber intrusions occur today.
Disrupting Cyber Kill Chain

How Targeted Cyber attacks occur

  • Compromised Machine: Targeted phishing attacks are crafted after hours of external recon of public information on the Internet. Phishing links can leverage vulnerabilities in unpatched browsers to gain remote access to a company’s internal computers.
  • Internal Recon: An Advanced Persistent Threat starts with internal recon and attempts to pivot around the network while leveraging privilege escalation. An APT lives in an environment an average of 200 days before being discovered.
  • Domain Dominance: Gaining local admin, then domain admin rights, is the last step before finding the Holy Grail. This allows attackers to recon the environment looking for sensitive assets and data if not isolated. Remote Code Execution is trivial with Domain Admin privileges. An APT may stay in the environment indefinitely until caught.

Microsoft Secure and Productive Enterprise Solutions

The Microsoft Secure and Productive Enterprise is a suite of product offerings that have been purposely built to disrupt this cyber attack kill chain while still ensuring an organization’s employees remain productive. Each of these technologies included in the solution is described below:

  • Office 365 Advanced Threat Protection: This technology is designed to disrupt the “initial compromise” stage and raise the cost of successfully using phishing attacks.
  • Windows 10: Disrupts the compromised machine and lateral movement stages by raising the difficulty of successfully compromising and retaining control of a user’s PC.
  • Microsoft Advanced Threat Analytics (the previous version of Azure ATP): Disrupts the lateral movement phase by detecting lateral movement attack techniques early, allowing for rapid response.
  • Azure Security Center: While Microsoft ATA detects cyberattacks occurring within an organization’s data centers, Azure Security Center extends this level of protection into the cloud.

The security stack is changing very fast and must deal with dynamic cyber wars and “Advanced Persistent Threats”.

  • Advanced: Targeted, coordinated and purposeful
  • Persistent: Month after month, year after year
  • Threat: Person with intent, opportunity and capability

Attackers must complete the following stages of Kill Chain to achieve their goals


Azure ATP is Microsoft’s cloud-hosted version of the Microsoft Advanced Threat Analytics product, an on-premises behavioral analysis solution.

ATP Signals

Microsoft’s ATP service has three times more users than all third-party competitors combined. Exchange Online Protection has a 99.9 percent malware catch rate, he added.

Microsoft’s ATP services actually trigger or detonate potential malware in a safe sandbox location to isolate threats, and the latency times associated with those detonations are now down to less than one-minute averages, he added.

The ATP services are bolstered by a signal from the Microsoft Intelligent Security Graph and Microsoft’s. The customer base is one of the largest in the world to pull such information. The service gets its information from the following sources:

  • Over billion Windows devices
  • 450 billion Azure user authentications
  • 200-plus global cloud services
  • 400 billion monthly analyzed Office 365 e-mails
  • More than 18 billion scanned Bing pages

Protecting the Modern Perimeter

“The Perimeter is Gone and the time is to protect data without limits”

Identity protection is now a critical component in securing your front door to on-premises and cloud resources. With the increasing sophistication and funding of attackers by criminal enterprises and nation-states, tooling for detection and response to compromise has never been more important. Classification, labelling and protection of information is a critical aspect of security as organizations store and share information across services and with partners.

As we look to the future, the only way to protect data today is to adopt security that moves with the data whether inside or outside of the corporate network, across borders and enterprises, and throughout its lifecycle.
Azure ATP parses the authentication traffic from Active Directory, consumes event logs and DNS traffic, and listens to the network. Azure ATP uses this information to reduce false positives, aggregate results, and with confidence provide security detections across the kill-chain.

With Azure ATP there is no more Gateway, just the Sensor, with major changes in performance:

  • New parsing platform
  • Performance improvement x10
  • CPU and memory performance improvement of more than 70%! (compared to the Gateway)


Azure ATP first impressions

Azure ATP uses unique machine learning algorithms, world-class security research, and the breadth and depth of the critical security data available to Microsoft as a major enterprise vendor, and is based on the Microsoft Intelligent Security Graph. It will help protect from both known and unknown attack vectors, detecting threats early in the kill chain before they mature into actual damage.

Azure ATP brings the capabilities of the current on-premises behavioral analytics solution, Microsoft Advanced Threat Analytics, to the cloud. Building on the in-depth threat detection capabilities of ATA, Azure ATP will help our customers protect their identities across both their cloud and on-premises directories.

The Onboarding Process

The process to onboard Azure ATP is quick and simple and the first stage is:

  • Create Workspace
  • Connect to Active Directory
  • Install the first Sensor



Collect and Analyze

Azure ATP collects information from different sources to build a picture of what’s happening on your network. Azure ATP has a proprietary network parsing engine that captures network traffic and analyzes information from protocols such as Kerberos, DNS, RPC, NTLM, and more. ATA monitors domain controllers using port mirroring, where a copy of all domain controller network packets is sent to an Azure ATP sensor. The collect and analyze process is based on:

  • Port Mirroring or Sensor on DC’s
  • L7 Deep Packet Inspection (DPI)
  • Hybrid data sources
  • Self-learning and profiling technology
  • Patented IP resolution mechanism
  • Unlimited scale powered by Azure


Azure ATP detects malicious activity by aggregating and correlating multiple data sources (network traffic, event logs, VPN data, and others) to create a coherent behavioral profile for each user. Malicious activity will typically generate anomalous behavior, raising a security alert.
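
The per-user behavioral profiling described above, as an added example that is not Azure ATP's detection logic or code from the original post. The event fields, host names, three-day learning period and two-deviation threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real logs):
# (day, data source, user, client host, resource accessed)
EVENTS = [
    (1, "kerberos", "alice", "WS-ALICE", "FILESRV01"),
    (1, "kerberos", "bob",   "WS-BOB",   "SQL01"),
    (2, "kerberos", "alice", "WS-ALICE", "MAIL01"),
    (2, "vpn",      "bob",   "VPN-POOL", "SQL01"),
    (3, "kerberos", "bob",   "WS-BOB",   "SQL01"),
    # Days after the learning period are scored against the profile.
    (4, "kerberos", "alice", "WS-ALICE", "MAIL01"),     # matches profile
    (4, "kerberos", "bob",   "WS-BOB",   "FILESRV01"),  # one deviation
    (4, "kerberos", "bob",   "WS-ALICE", "DC01"),       # two deviations
    (4, "kerberos", "carol", "WS-CAROL", "MAIL01"),     # no profile yet
]

def build_profiles(events, learning_days):
    """Merge all data sources into one per-user profile of hosts and resources."""
    profiles = defaultdict(lambda: {"hosts": set(), "resources": set()})
    for day, _source, user, host, resource in events:
        if day <= learning_days:
            profiles[user]["hosts"].add(host)
            profiles[user]["resources"].add(resource)
    return dict(profiles)

def detect(events, learning_days=3, min_deviations=2):
    """Return alerts for post-learning events that deviate from the user's profile."""
    profiles = build_profiles(events, learning_days)
    alerts = []
    for day, _source, user, host, resource in events:
        if day <= learning_days:
            continue
        profile = profiles.get(user)
        if profile is None:
            continue  # no baseline: nothing to compare against, so no alert
        deviations = []
        if host not in profile["hosts"]:
            deviations.append("new_client_host")
        if resource not in profile["resources"]:
            deviations.append("new_resource")
        # Require several independent deviations to keep false positives down.
        if len(deviations) >= min_deviations:
            alerts.append((day, user, host, resource, deviations))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Lowering min_deviations to 1 also flags bob's first access to FILESRV01 from his usual workstation, which shows how the threshold trades alert volume against sensitivity.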


Azure ATP shows the attack as a contextual alert timeline, where each individual alert includes both a description of the malicious activity that triggered it and the required onward remediation and response steps.


