Microsoft Advanced Threat Analytics v1.6 Now Available


Hello

Microsoft has announced Microsoft Advanced Threat Analytics 1.6, the new version of its advanced security product Microsoft Advanced Threat Analytics. The new version of Microsoft Advanced Threat Analytics, which we previously used as Microsoft Advanced Threat Analytics 1.5, has been released with many new features.

You can download it from the Download Microsoft Advanced Threat Analytics link.

The new features of Microsoft Advanced Threat Analytics 1.6 are as follows.

What’s new in ATA version 1.6 | Microsoft Advanced Threat Analytics

The update to ATA 1.6 provides improvements in the following areas:

  • New detections
  • Improvements to existing detections
  • The ATA Lightweight Gateway
  • Automatic updates
  • Improved ATA Center performance
  • Lower storage requirements
  • Support for IBM QRadar

New detections

    • Malicious Data Protection Private Information Request: Data Protection API (DPAPI) is a password-based data protection service. This protection service is used by various applications that store users’ secrets, such as website passwords and file-share credentials. In order to support password-loss scenarios, users can decrypt protected data by using a recovery key which does not involve their password. In a domain environment, attackers can remotely steal the recovery key and use it to decrypt protected data on all domain-joined computers.
    • Net Session Enumeration: Reconnaissance is a key stage within the advanced attack kill chain. Domain Controllers (DCs) function as file servers for the purpose of Group Policy Object distribution, using the Server Message Block (SMB) protocol. As part of the reconnaissance phase, attackers can query the DC for all active SMB sessions on the server, allowing them to gain access to all users and IP addresses associated with those SMB sessions. SMB session enumeration can be used by attackers for targeting sensitive accounts, helping them move laterally across the network.
    • Malicious replication requests: In Active Directory environments, replication happens regularly between Domain Controllers. An attacker can spoof an Active Directory replication request (sometimes impersonating a Domain Controller), allowing the attacker to retrieve the data stored in Active Directory, including password hashes, without utilizing more intrusive techniques like Volume Shadow Copy.
    • Detection of MS11-013 vulnerability: There is an elevation of privilege vulnerability in Kerberos which allows certain aspects of a Kerberos service ticket to be forged. A malicious user or attacker who successfully exploits this vulnerability can obtain a token with elevated privileges on the Domain Controller.
    • Unusual protocol implementation: Authentication requests (Kerberos or NTLM) are usually performed using a standard set of methods and protocols. However, in order to successfully authenticate, the request must meet only a specific set of requirements. Attackers might implement these protocols with minor deviations from the standard implementation in the environment. These deviations might indicate the presence of an attacker attempting to execute attacks such as Pass-The-Hash, Brute Force and others.

Improvements to existing detections

ATA 1.6 includes improved detection logic that reduces false-positive and false-negative scenarios for existing detections such as Golden Ticket, Honey Token, Brute Force and Remote Execution. 

The ATA Lightweight Gateway

This version of ATA introduces a new deployment option for the ATA Gateway, which allows an ATA Gateway to be installed directly on the Domain Controller. This deployment option removes non-critical functionality of the ATA Gateway and introduces dynamic resource management based on available resources on the DC, which makes sure the existing operations of the DC are not affected. The ATA Lightweight Gateway reduces the cost of ATA deployment. At the same time, it makes deployment easier in branch sites, in which there is limited hardware resource capacity or no ability to set up port mirroring. For more information about the ATA Lightweight Gateway, see ATA architecture.

For more information about deployment considerations and choosing the right type of gateways for you, see ATA capacity planning.

Automatic updates

Starting with version 1.6, it is possible to update the ATA Center using Microsoft Update. In addition, the ATA Gateways can now be automatically updated using their standard communication channel to the ATA Center.

Improved ATA Center performance

With this version, a lighter database load and a more efficient way of running all detections enable many more domain controllers to be monitored with a single ATA Center.

Lower storage requirements

ATA 1.6 requires significantly less storage space to run the ATA Database, now requiring only 20% of the storage space used in previous versions.

Support for IBM QRadar

ATA can now receive events from IBM’s QRadar SIEM solution, in addition to the previously supported SIEM solutions.

The steps to upgrade Microsoft Advanced Threat Analytics 1.5 to Microsoft Advanced Threat Analytics 1.6 are as follows.

To see what is new in this version, see: What’s new in ATA version 1.6.

ATA update to 1.6 migration guide | Microsoft Advanced Threat Analytics

Updating ATA to version 1.6

NOTE

If ATA is not installed in your environment, download the full version of ATA which includes version 1.6 and follow the standard installation procedure described in Install ATA.

If you already have ATA version 1.5 deployed, this procedure will walk you through the steps necessary to update your deployment.

Follow these steps to update to ATA version 1.6:

    1. Download update 1.6
      In this version, the same installation file (Microsoft ATA Center Setup.exe) is used for installing a new deployment of ATA and for upgrading existing deployments.
    2. Update the ATA Center
    3. Download the updated ATA Gateway package
    4. Update the ATA Gateways
      IMPORTANT

      Update all the ATA Gateways to make sure ATA functions properly.

Step 1: Update the ATA Center

    1. Back up your database (optional):
      • If the ATA Center is running as a virtual machine and you want to take a checkpoint, shut the virtual machine down first.
      • If the ATA Center is running on a physical server, follow the recommended procedure to back up MongoDB.
    2. Run the installation file, Microsoft ATA Center Setup.exe, and follow the instructions on the screen to install the update.

      a. ATA 1.6 requires .NET Framework 4.6.1 to be installed. If it is not already installed, ATA setup will install .NET Framework 4.6.1 as part of the installation.

      NOTE

      The installation of .NET Framework 4.6.1 may require restarting the server. ATA installation will proceed only after the server has been restarted.

      b. On the Welcome page, select your language and click Next.

      c. Read the End User License Agreement and if you accept the terms, click Next.

      d. It is now possible to use Microsoft Update to keep ATA up to date. On the Microsoft Update page, select Use Microsoft Update when I check for updates (recommended).

      Keep ATA up to date image

      This will adjust the Windows settings to enable updates for other Microsoft products (including ATA), as seen here.

      Windows auto-update image

      e. Before installation begins, ATA will perform a readiness check. Review the results of the check to make sure the prerequisites are configured successfully and that you have at least the minimum amount of disk space.

      ATA readiness check image

      f. Click Update. After you click Update, ATA is offline until the update procedure is complete.

    3. After updating the ATA Center, the ATA Gateways will report that they are now outdated.

      Outdated gateways image

IMPORTANT
    • Update all the ATA Gateways to make sure ATA functions properly.

Step 2. Download the ATA Gateway setup package

After configuring the domain connectivity settings, you can download the ATA Gateway setup package.

To download the ATA Gateway package:

    1. Delete any versions of the ATA Gateway package you previously downloaded.
    2. On the ATA Gateway machine, open a browser and enter the IP address you configured in the ATA Center for the ATA Console. When the ATA Console opens, click on the settings icon and select Configuration.

      Configuration settings icon

    3. In the ATA Gateways tab, click Download ATA Gateway Setup.
    4. Save the package locally.

The zip file includes the following:

    • ATA Gateway installer
    • Configuration setting file with the required information to connect to the ATA Center

Step 3: Update the ATA Gateways

    1. On each ATA Gateway, extract the files from the ATA Gateway package and run the file Microsoft ATA Gateway Setup.exe.
      NOTE

      You can also use this ATA Gateway package to install new ATA Gateways.

    2. Your previous settings will be preserved, but it may take a few minutes for the service to restart.
    3. Repeat this step for all other ATA Gateways deployed.

NOTE

After successfully updating an ATA Gateway, the outdated notification for the specific ATA Gateway will be resolved.

You will know that all the ATA Gateways have been successfully updated when all the ATA Gateways report that they are successfully synced and the message that an updated ATA Gateway package is available is no longer displayed.

Updated gateways image
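As an added example (not part of the Microsoft documentation quoted above), the following PowerShell pre-flight script checks the two prerequisites the update procedure calls out, the .NET Framework 4.6.1 requirement and free disk space for the readiness check, and reports the state of the ATA service on the machine so you can confirm it came back after the Center or a Gateway was updated. It assumes the service names ATACenter and ATAGateway, a database drive letter and a free-space threshold, all of which are assumptions you should adjust to your own deployment.

```powershell
# Added example, not from the ATA documentation. Run as Administrator on the ATA Center
# before Step 1, and on each ATA Gateway after Step 3 to confirm the service restarted.
param(
    [ValidateSet('Center','Gateway')] [string] $Role = 'Center',
    [string] $DatabaseDrive = 'C',   # assumption: drive holding the ATA (MongoDB) database
    [int]    $MinFreeGB     = 20     # assumption: local threshold from your capacity plan
)

# .NET Framework 4.6.1 is required by ATA 1.6. The installed 4.x version is stored as the
# "Release" DWORD under this key; 394254 is the lowest value that means 4.6.1 or later.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
$dotNetOk = ($null -ne $release) -and ($release -ge 394254)

# Free space on the database drive (the readiness check refuses to proceed without enough).
$disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${DatabaseDrive}:'"
$freeGB = if ($disk) { [math]::Round($disk.FreeSpace / 1GB, 1) } else { 0 }
$diskOk = $freeGB -ge $MinFreeGB

# Service name is an assumption: ATACenter on the Center, ATAGateway on a Gateway.
$svcName = if ($Role -eq 'Center') { 'ATACenter' } else { 'ATAGateway' }
$svc     = Get-Service -Name $svcName -ErrorAction SilentlyContinue
$svcState = if ($svc) { [string] $svc.Status } else { 'not found' }

[pscustomobject]@{
    Role             = $Role
    DotNetRelease    = $release
    DotNet461OrLater = $dotNetOk
    FreeSpaceGB      = $freeGB
    DiskSpaceOk      = $diskOk
    Service          = $svcName
    ServiceState     = $svcState
}

# Before the update: .NET and disk must pass. After the update: the service must be running.
if (-not ($dotNetOk -and $diskOk)) {
    Write-Warning 'Prerequisites not met; resolve the items above before running Microsoft ATA Center Setup.exe.'
}
if ($svcState -ne 'Running') {
    Write-Warning "$svcName is $svcState; if the update has just finished, wait a few minutes and re-check."
}
```

Run it with `-Role Gateway` on each ATA Gateway once it reports as synced in the console.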

For information on how to migrate from ATA version 1.5 to ATA version 1.6 see: the ATA migration guide.