Enterprise Mobility + Security


Today, we are pleased to announce the public release of Advanced Threat Analytics (ATA) v 1.7! This is a key release for ATA with several exciting features and improvements.

In my last blog post where I announced the ATA v 1.6 release, I shared that ATA has been monitoring over 5 million users and 10 million devices. Only four months after this release, as of today, I’m proud to share that ATA is monitoring over 10 million users and 21 million devices!

It’s so rewarding to see the fast adoption and the positive feedback we are getting from our customers and partners – Thank you!

New and updated detections

Attackers innovate, and so do we. Advanced attacks and insider threats are constantly evolving, and as a leading solution in the user and entity behavior analytics (UEBA) market, we keep innovating non-stop so we can help our customers identify these attackers before they cause damage.

ATA focuses on detecting and investigating tactics, techniques, and procedures (TTPs) that are commonly used by attackers in their attack campaigns and on abnormal behaviors of entities (users, devices, resources) that indicate insider threats. Additionally, in each ATA release, we keep enhancing our engine to improve detections for known and unknown attacks and catch new attacks. Finally, we also make improvements in the infrastructure and the user experience.

Here is a list of all of the great new features, updates, and enhancements in v 1.7:

Enhancements in behavioral analytics and malicious attack detection

Detection of reconnaissance using directory services enumeration

As part of the reconnaissance phase, attackers gather information about the entities in the network using different methods. Directory services enumeration using the SAM-R (Security Account Manager Remote) protocol enables attackers to obtain the list of users and groups in a domain and understand the interaction between the different entities. ATA now detects this enumeration activity.

Pass-the-hash detection enhancements

To enhance pass-the-hash detection, we added additional behavioral models for the authentication patterns of entities. These models enable ATA to correlate entity behavior with suspicious NTLM authentications, and differentiate real pass-the-hash attacks from the behavior in false positive scenarios.

Pass-the-ticket detection enhancements

To successfully detect advanced attacks and pass-the-ticket attacks in particular, the correlation between an IP address and the computer account must be accurate. This is a challenge in environments where IP addresses change rapidly by design (for example Wi-Fi networks and multiple virtual machines sharing the same host). To overcome this challenge and improve the accuracy of the pass-the-ticket detection, ATA’s network name resolution (NNR) mechanism was improved significantly to reduce false positives.

Behavioral analytics enhancements

As a leader in the UEBA market, we’re constantly improving ATA’s abnormal behavior algorithms to better detect suspicious behavior patterns and insider threats. In this release, NTLM authentication data was added as a data source for the abnormal behavior detections, providing the algorithms broader coverage of entity behavior in the network.

Unusual protocol implementation enhancements

We are constantly researching new malicious attacks, both regional and global. We identified additional suspicious protocol patterns that are being used in attack campaigns. In this release, we added detections of unusual protocol implementations in the Kerberos protocol, along with additional anomalies in the NTLM protocol. Specifically, these new Kerberos anomalies are commonly seen in over-pass-the-hash attacks.

Infrastructure

Role-based access control

In enterprises, many stakeholders are part of the lifecycle of any security product (for example, the IT Admin, SOC Analyst, CISO, etc.), and each of these stakeholders requires a different set of permissions. To address this, ATA is introducing a role-based access control (RBAC) capability. ATA v 1.7 includes three roles: ATA Administrator, ATA Analyst, and ATA Executive.

Windows Server 2016 and Windows Server core support

We heard your feedback! Now you can deploy the Lightweight Gateways on Domain Controllers running Server Core for Windows Server 2012 and Server Core for Windows Server 2012 R2. Additionally, this release supports Windows Server 2016 both for the Center and Gateway components of ATA.

User experience

Great user experience is always top of mind for the ATA team. In this release, the ATA configuration experience was redesigned for a better user experience and to better support environments with multiple Gateways. This release also introduces the Gateway update page for simpler, better management of automatic updates for the various Gateways.

Upgrade today

Upgrade to v 1.7 today and take advantage of these new features, detections, and enhancements. You can use Microsoft Update to automatically download ATA v 1.7 and seamlessly upgrade the ATA Center. After upgrading the ATA Center, you can configure the automatic upgrades of all ATA Gateways in your environment.

We know how much pain cyber-security attacks are causing you. As a team, our goal is to innovate and help you protect your organization from these advanced attacks.

If you are interested in the latest updates or improvements, please follow me on Twitter: @IdanPlotnik. All of our updates will be also published on the Enterprise Mobility + Security blog.


Idan Plotnik
Director of Advanced Threat Analytics
Microsoft Cloud + Enterprise Security Division