Microsoft Advanced Threat Analytics (ATA) is an on-premises platform that protects an organization against the different cyber attacks that institutions face. It provides security by detecting attacks on the corporate network and raising alerts about them; in other words, it can be thought of as Microsoft's intrusion detection system for Active Directory.
Microsoft ATA uses a network parsing engine that monitors network traffic and parses the packets of protocols such as Kerberos, DNS, RPC and NTLM in order to detect abnormal activity on the network. It also collects the information carried over these protocols. This collection is performed through the Domain Controllers, DNS servers, ATA Gateways and ATA Lightweight Gateways.
ATA obtains information from its data sources by examining the logs and events on the systems, and uses it to learn the behaviour of the users and entities in the organization and to build a behavioural profile of each. It obtains logs and events through SIEM integration, Windows Event Forwarding (WEF) and the Windows Event Collector.
Microsoft ATA anticipates how attackers gather information on the network, which systems they scan for vulnerabilities, and how they move forward on the basis of those scans. It models how an attacker uses various entry points and tries to take over target systems, so that it can give an early warning while an attack is still in progress. Microsoft ATA divides the attacks it detects into three categories: malicious attacks, abnormal behaviour, and security issues and risks.
For malicious attacks, ATA identifies the suspicious activity and shows on the ATA web console who the suspect is, who performed the activity, what the suspicious activity was and how it was carried out. The techniques classified as malicious attacks are as follows:
- Pass-the-Ticket
- Pass-the-Hash
- Overpass-the-Hash
- Forged PAC (MS14-068)
- Golden Ticket
- Malicious replication requests
- Reconnaissance
- Brute-force attacks
- Remote execution
For abnormal behaviour, ATA uses machine learning to detect and report suspicious activities and abnormal behaviour by users on the network. Examples include abnormal logons, unknown threats, password sharing and modifications of sensitive groups.
Under security issues and risks, ATA reports problems such as broken trust, the use of weak protocols and known protocol vulnerabilities.
Microsoft ATA strengthens its defences by looking at threats from the attacker's perspective. An attacker takes over a target domain in stages: gathering information from outside, reconnaissance and vulnerability identification against the systems, attempts to break into them, local privilege escalation once a foothold is gained, attempts to obtain the credentials of a domain admin user, remote code execution, and finally using the domain admin identity against the domain controller itself. These stages are illustrated in figure 1. Microsoft ATA detects the activities, behaviours and actions that make up this chain of threats so that the attack can be stopped before it completes.
MICROSOFT ATA ARCHITECTURE
As shown below, Microsoft ATA can monitor Domain Controller network traffic by port mirroring the traffic of physical and virtual switches to an ATA Gateway. If an ATA Lightweight Gateway is installed directly on the domain controller, port mirroring is not needed. Windows events can reach ATA from a SIEM server or directly from the Domain Controllers via Windows Event Forwarding. Once the network traffic and events have been collected, they are analysed for attacks and threats that pose a risk, and the results of the analysis are reported so that the necessary security measures can be taken.
The units and components shown below illustrate how the data collected from network traffic is processed by the Microsoft ATA components and sent to the ATA Center.
MICROSOFT ATA Components
Microsoft ATA consists of the ATA Center, the ATA Gateway and the ATA Lightweight Gateway. The ATA Center receives the parsed network traffic, Windows events and SIEM data relating to the Domain Controllers from the ATA Gateways and ATA Lightweight Gateways that have been deployed. An ATA Gateway receives the Domain Controller's traffic on a separate server through port mirroring. An ATA Lightweight Gateway is installed directly on the Domain Controller and monitors its network traffic locally, so no port mirroring between the Domain Controller and another server is required. All ATA Gateways and ATA Lightweight Gateways are deployed from, and managed by, a single ATA Center.
A deployment can use only ATA Gateways, only ATA Lightweight Gateways, or a mix of both.
ATA Center
The ATA Center takes the parsed network traffic from the ATA Gateways and ATA Lightweight Gateways and builds profiles from it. It gathers information about the network and runs deterministic detections against known attacks, and it uses machine learning and behavioural algorithms to alert on abnormal behaviour and suspicious activity. The ATA Center is responsible for:
- Managing ATA Gateway and ATA Lightweight Gateway configuration settings.
- Receiving data from the gateways.
- Detecting suspicious activities.
- Detecting abnormal behaviour using ATA's behavioural machine learning algorithms.
- Applying deterministic algorithms to detect advanced attacks.
- Running the ATA Console.
- Sending e-mail and event notifications when a suspicious activity is detected.
ATA Center Main Components
Entity Receiver: Receives batches of entities from all ATA Gateways and ATA Lightweight Gateways.
Network Activity Processor: Processes all the network activities in each received batch.
Entity Profiler: Profiles every unique entity according to its traffic and events.
Center Database: Manages the writing of network activities and events to the database.
Database: ATA uses MongoDB to store all of its data.
Detectors: Use machine learning algorithms and deterministic rules to find suspicious activity and abnormal behaviour on the network.
ATA Console: Used to configure ATA and to monitor the suspicious activities detected on the network. It keeps working even when the ATA Center service is stopped, as long as it can communicate with the database.
One ATA Center monitors one Active Directory forest; in an environment with multiple forests, a separate ATA Center must be deployed for each forest. A single ATA Center also has a capacity limit, so a very large Active Directory environment may require additional ATA Centers.
ATA Gateway and ATA Lightweight Gateway
Both gateway types receive network traffic and Windows events and forward the parsed data to the ATA Center; the ATA Gateway and the ATA Lightweight Gateway have the same functions:
- Capture and parse Domain Controller network traffic. ATA Gateways receive it through port mirroring, while ATA Lightweight Gateways inspect the local network traffic of the Domain Controller they run on.
- Receive Windows events from SIEM or syslog servers, or directly from the Domain Controllers through Windows Event Forwarding.
- Retrieve data about users and computers from the Active Directory domain.
- Resolve network entities (users, groups, computers).
- Transfer the collected data to the ATA Center.
- A single ATA Gateway can monitor several Domain Controllers, while an ATA Lightweight Gateway monitors only the Domain Controller it is installed on.
ATA Gateway Main Components
Network Listener: Captures and parses the network traffic. This is the most CPU-intensive part of the gateway, so CPU sizing is important when planning an ATA Gateway or ATA Lightweight Gateway.
Event Listener: Captures and parses Windows events forwarded from a SIEM server on the network.
Windows Event Log Reader: Reads the Windows events forwarded to the ATA Gateway and parses those relating to the Domain Controller.
Network Activity Translator: Converts the parsed traffic into the logical representation of network activity used by ATA.
Entity Resolver: Takes the parsed data and resolves it against Active Directory to find the account and identity information, then matches it with the IP addresses seen in the parsed data. It works efficiently from the network packet headers.
Entity Sender: Sends the parsed and matched data to the ATA Center.
ATA Lightweight Gateway
The ATA Lightweight Gateway was created as an alternative to the ATA Gateway. It is installed directly on the Domain Controller, parses that machine's traffic locally without any port mirroring, and sends the results to the ATA Center.
- It can inspect traffic and events locally, without port mirroring.
- Domain Synchronizer Candidate: a gateway that is responsible for proactively synchronizing all entities from a given Active Directory domain. One gateway is selected at random from the list of candidates to act as the Domain Synchronizer. By default, all ATA Gateways are Domain Synchronizer candidates.
- The ATA Lightweight Gateway includes a monitoring component that evaluates the available compute and memory capacity of the Domain Controller and dynamically updates the CPU and memory usage quota every 10 seconds. If resources run short, only part of the traffic is monitored and the health alert "Dropped port mirrored network traffic" is raised.
Microsoft ATA's network data sources are port mirroring and Windows events.
Port mirroring is configured on the physical or virtual switches in front of the Domain Controllers whose traffic is to be monitored. It directs the network traffic of all monitored Domain Controllers to the ATA Gateway; only a small percentage of that traffic is then sent on to the ATA Center for analysis.
Microsoft ATA needs Windows events with IDs 4776, 4732, 4733, 4728, 4729, 4756 and 4757 to improve its detection of Pass-the-Hash, brute-force attacks, honeytoken use and sensitive group modifications.
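The following PowerShell script is an added example (not part of the original page and not ATA's own code) that checks, on a Domain Controller, whether these event IDs are actually being generated and shows what they contain: per-ID counts, the security group membership changes behind 4728/4729/4732/4733/4756/4757, and the failed NTLM validations in 4776 that feed brute-force detection. The audit subcategory names, the time windows and the failure threshold are assumptions chosen for the example.

```powershell
# Added example, not from the original page or the ATA product: verify on a DC that
# the event IDs ATA consumes are being audited, and summarize what they contain.
# Run in an elevated session with rights to read the Security log.
$AtaEventIds = 4776, 4732, 4733, 4728, 4729, 4756, 4757

# Flatten an event's EventData into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# Count events per ATA-relevant ID. A zero count for 4776 usually means the
# "Credential Validation" audit subcategory is off; zeros for the 47xx group
# events usually mean "Security Group Management" is off.
function Get-AtaEventCoverage {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $AtaEventIds; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)
    foreach ($id in $AtaEventIds) {
        [pscustomobject]@{ EventId = $id; Count = @($events | Where-Object Id -eq $id).Count }
    }
}

# 4728/4732/4756 = member added to a global/local/universal security group,
# 4729/4733/4757 = member removed. ATA derives sensitive group modification
# alerts from these; here we list who changed which group.
function Get-SecurityGroupChange {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $added = 4728, 4732, 4756
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = (4728, 4729, 4732, 4733, 4756, 4757)
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $f = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Action = if ($added -contains $_.Id) { 'Added' } else { 'Removed' }
            Group  = $f['TargetUserName']
            Member = $f['MemberName']
            Actor  = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
        }
    }
}

# 4776 is NTLM credential validation on the DC. Failures (Status other than 0x0)
# grouped by account and source workstation are the raw material for ATA's
# brute-force detection; the threshold here is an arbitrary example value.
function Get-NtlmFailureSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24, [int]$Threshold = 20)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_['Status'] -ne '0x0' } |
        Group-Object { '{0}|{1}' -f $_['TargetUserName'], $_['Workstation'] } |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $account, $source = $_.Name -split '\|', 2
            [pscustomobject]@{ Account = $account; Source = $source; Failures = $_.Count }
        } | Sort-Object Failures -Descending
}

# Usage: show the effective audit policy, then the three summaries.
auditpol /get /subcategory:"Credential Validation"
auditpol /get /subcategory:"Security Group Management"
Get-AtaEventCoverage     | Format-Table -AutoSize
Get-SecurityGroupChange  | Format-Table -AutoSize
Get-NtlmFailureSummary   | Format-Table -AutoSize
```

A zero count for an ID normally means the corresponding audit subcategory is not enabled on that Domain Controller, which ATA would otherwise miss silently: the events are not "forwarded but ignored", they are never written.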
ATA Center Sizing
The ATA Center needs at least 30 days of data for its behavioural analysis. After 30 days, new activity is compared against the learned baseline to determine whether it is abnormal. The ATA Center sizing criteria are shown below.
ATA Center Sizing Features
| Packets/second in DCs | CPU (physical cores) | Memory (GB) | Daily database storage (GB) | Monthly database storage (GB) | IOPS average (peak) |
|---|---|---|---|---|---|
ATA Lightweight Gateway Sizing
ATA Lightweight Gateway sizing is based on the network traffic generated by the Domain Controller; the required resources are directly proportional to the amount of traffic. Sizing can be done using the criteria in the table below.
ATA Lightweight Gateway Sizing Features
| Packets/second | CPU (cores) | Memory (GB) |
|---|---|---|
The columns of the table are the total number of packets per second passing through the Domain Controller, the number of cores installed in the Domain Controller, and the total amount of memory installed. If the Domain Controller falls short of the listed resources, its own performance is not affected, but the ATA Lightweight Gateway may not work efficiently.
When running as a virtual machine, all memory should be allocated to the virtual machine at all times. For best performance, the power option on the ATA Lightweight Gateway should be set to High Performance. At least 5 GB of disk space is required for the ATA binaries, ATA logs and performance logs; 10 GB is recommended. The same adjustments apply to the ATA Gateway.
ATA Gateway Sizing
Some points need attention when deploying ATA Gateways. ATA can monitor the traffic of multiple domains within one Active Directory forest, but a separate ATA deployment is required for each forest whose Domain Controllers are to be monitored. Because ATA Gateways are not installed on the Domain Controller, they rely on port mirroring, so ATA Gateways are typically needed in each data centre or branch that hosts Domain Controllers. The criteria for ATA Gateway sizing are shown below.
ATA Gateway Sizing Features
| Packets/second | CPU (cores) | Memory (GB) |
|---|---|---|
The packets-per-second figure in the table is the sum of the average packets per second of all Domain Controllers monitored by that ATA Gateway, that is, the total port-mirrored traffic it receives. When counting cores, Hyper-Threading must be disabled; only physical cores count.
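Because both sizing tables are keyed on packets per second, the figure has to be measured rather than guessed. The script below is an added example (not from the original page or from Microsoft's own sizing tool) that samples the Packets/sec performance counter on a set of Domain Controllers over the same period, reports the average and peak per Domain Controller (the ATA Lightweight Gateway figure), and sums them for the group of Domain Controllers a single ATA Gateway would receive through port mirroring. The sampling interval, sample count, the list of pseudo-interfaces to ignore and the placeholder DC names are assumptions.

```powershell
# Added example, not part of the original page: measure the packets/second each DC
# actually handles, so the Lightweight Gateway and Gateway sizing tables can be read
# with real numbers. Needs remote performance counter access on the target DCs.
function Measure-DcPacketRate {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$SampleIntervalSeconds = 15,
        [int]$MaxSamples = 240            # 240 x 15 s = 1 hour (assumed default)
    )
    # One call samples every DC over the same period, so peaks line up in time.
    $samples = Get-Counter -ComputerName $ComputerName `
        -Counter '\Network Interface(*)\Packets/sec' `
        -SampleInterval $SampleIntervalSeconds -MaxSamples $MaxSamples

    # Per sample, add up the adapters of each DC. Counter paths look like
    # \\DC01\network interface(adapter)\packets/sec, so the host is segment 2.
    # Tunnel pseudo-adapters are assumed to carry no DC traffic and are skipped.
    $perHostPerSample = foreach ($s in $samples) {
        $s.CounterSamples |
            Where-Object { $_.InstanceName -notmatch 'isatap|teredo|_total' } |
            Group-Object { ($_.Path -split '\\')[2] } |
            ForEach-Object {
                [pscustomobject]@{
                    Host    = $_.Name
                    Packets = ($_.Group | Measure-Object CookedValue -Sum).Sum
                }
            }
    }

    # Per-DC statistics: this is the number to look up for a Lightweight Gateway.
    $perHost = $perHostPerSample | Group-Object Host | ForEach-Object {
        $stats = $_.Group | Measure-Object Packets -Average -Maximum
        [pscustomobject]@{
            ComputerName      = $_.Name
            Samples           = $stats.Count
            AveragePacketsSec = [math]::Round($stats.Average)
            PeakPacketsSec    = [math]::Round($stats.Maximum)
        }
    }
    $perHost

    # For an ATA Gateway the table value is the sum over every DC whose traffic is
    # mirrored to it, so emit the total as a final row.
    [pscustomobject]@{
        ComputerName      = 'TOTAL (ATA Gateway)'
        Samples           = ($perHost | Measure-Object Samples -Minimum).Minimum
        AveragePacketsSec = ($perHost | Measure-Object AveragePacketsSec -Sum).Sum
        PeakPacketsSec    = ($perHost | Measure-Object PeakPacketsSec -Sum).Sum
    }
}

# Usage (DC names are placeholders): sample two DCs every 15 s for 5 minutes.
Measure-DcPacketRate -ComputerName 'DC01', 'DC02' -MaxSamples 20 | Format-Table -AutoSize
```

Run it during a representative busy period (for example the morning logon peak) rather than at night; sizing against the peak row avoids the throttling described earlier for the ATA Lightweight Gateway.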
MICROSOFT ATA REQUIREMENTS
For Microsoft ATA to work properly, its system requirements must be met. A deployment consists of the ATA Center and ATA Gateways and/or ATA Lightweight Gateways. Microsoft ATA runs against an Active Directory forest and supports environments with a functional level of Windows Server 2003 and above.
ATA Center Requirements
The ATA Center can be installed on Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019. It does not support Windows Server Core. It can be a member of a workgroup or of a domain. On Windows Server 2012 R2, the update KB2919355 must be installed before installing the ATA Center; check for it with the following PowerShell cmdlet:
Get-HotFix -Id kb2919355
If the ATA Center runs as a virtual machine, shut the server down before creating a new checkpoint, otherwise the database may be corrupted. On a physical server, Non-Uniform Memory Access (NUMA) must be disabled in the BIOS. Running a gateway in multi-processor group mode is not supported on Windows Server 2008 R2 and 2012. The clocks of the ATA Center, ATA Gateway and Domain Controller servers must be synchronized to within five minutes of each other.
At least one network adapter is required. The ATA Center listens on port 443 for the gateways and the console, and it uses LDAP to validate credentials, so port 389 on the Domain Controllers must be reachable. Using a certificate issued by a certification authority simplifies deployment. ATA does not support renewing an existing certificate; a new certificate must be created instead. Since ATA version 1.8, ATA Gateways and ATA Lightweight Gateways manage their own certificates without administrator interaction.
ATA Gateway Requirements
The ATA Gateway is supported on Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019. It can be installed on a server that is a domain member or a workgroup member. On Windows Server 2012 R2, check with the following cmdlet that KB2919355 is installed, and install it first if it is not. At least 5 GB of disk space is needed for the ATA binaries, ATA logs and performance logs.
Get-HotFix -Id kb2919355
For best performance, the power option on the ATA Gateway should be set to High Performance, and the server's clock must be synchronized to within five minutes of the Domain Controllers. At least one management adapter and one capture adapter are required. The management adapter is used for communication on the corporate network; if the ATA Gateway is joined to the domain, it can be configured automatically. The capture adapter receives the port-mirrored traffic of the Domain Controllers and the domain network. Port 135 (RPC) and NetBIOS port 137 must be open between the ATA Gateway and the endpoints, since ATA uses them for network name resolution.
ATA Lightweight Gateway Requirements:
The ATA Lightweight Gateway supports Domain Controllers running Windows Server 2008 R2 SP1 (not Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 (not Nano Server). The Domain Controller can be a read-only domain controller. On Windows Server 2012 R2, check with the first cmdlet below that KB2919355 is installed; on Windows Server 2012 R2 Server Core, also check with the second cmdlet that KB3000850 is installed. Any missing update must be installed before the ATA Lightweight Gateway. The installer also installs .NET Framework 4.6.1 if it is missing, which may cause the Domain Controller to restart. At least 5 GB of disk space is needed for the ATA binaries, ATA logs and performance logs.
Get-HotFix -Id kb2919355
Get-HotFix -Id kb3000850
The Domain Controller needs at least 2 cores and 6 GB of RAM. For best performance, the power option should be set to High Performance, and as with the other servers the clock must be synchronized to within five minutes. The ATA Lightweight Gateway is not supported on a Windows Server 2008 R2 Domain Controller with Broadcom Network Adapter Teaming enabled. Port 135 (RPC) and NetBIOS port 137 must be open between the Domain Controller and the endpoints for network name resolution.
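The requirements above for the ATA Gateway and the ATA Lightweight Gateway can be checked in one pass before running the setup. The script below is an added example (not from the original page or the ATA installer); the thresholds are the ones stated above, while the .NET 4.6.1 release number, the High Performance power plan GUID, the w32tm-based clock skew check and the way the PDC emulator is chosen as the time reference are assumptions of the script.

```powershell
# Added example, not from the original page or the ATA installer: check a server
# against the gateway requirements before running the setup. Run it in an
# elevated PowerShell session on the target server.
function Test-AtaGatewayPrereq {
    param(
        # Clock reference: the PDC emulator, resolved without the AD module. On a
        # workgroup ATA Gateway host pass -ReferenceTimeServer explicitly.
        [string]$ReferenceTimeServer =
            [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name,
        [switch]$GatewayHost,            # set for a separate ATA Gateway server (not a DC)
        [int]$MinCores = 2,
        [int]$MinMemoryGB = 6,
        [int]$MinFreeDiskGB = 5,
        [int]$MaxClockSkewSeconds = 300
    )
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $checks = [ordered]@{}

    # KB2919355 is only required on Windows Server 2012 R2 (kernel version 6.3).
    $is2012R2 = $os.Version -like '6.3.*'
    $checks['KB2919355 present (2012 R2 only)'] =
        (-not $is2012R2) -or [bool](Get-HotFix -Id KB2919355 -ErrorAction SilentlyContinue)

    if (-not $GatewayHost) {
        # Lightweight Gateway: must be a DC (DomainRole 4 = backup, 5 = primary).
        $checks['Is a domain controller'] = $cs.DomainRole -in 4, 5
        $cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
        $checks["Cores >= $MinCores"] = $cores -ge $MinCores
        $checks["Memory >= $MinMemoryGB GB"] = ($cs.TotalPhysicalMemory / 1GB) -ge $MinMemoryGB
    }

    $free = (Get-PSDrive ($env:SystemDrive.TrimEnd(':'))).Free / 1GB
    $checks["Free disk on $env:SystemDrive >= $MinFreeDiskGB GB"] = $free -ge $MinFreeDiskGB

    # .NET 4.6.1 corresponds to Release >= 394254 (assumption from Microsoft's
    # published release keys). If absent, setup installs it and may reboot.
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue).Release
    $checks['.NET Framework 4.6.1+ (else setup may reboot the server)'] = [int]$release -ge 394254

    # The High Performance power scheme has a fixed GUID on every Windows install.
    $checks['Power plan is High Performance'] =
        [bool]((powercfg /getactivescheme) -match '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c')

    # Clock skew against the reference server, parsed from w32tm's data-only
    # stripchart output (lines look like "14:29:11, +00.0002503s").
    $offsetLine = w32tm /stripchart /computer:$ReferenceTimeServer /samples:1 /dataonly 2>$null |
        Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    $skew = if ($offsetLine) { [math]::Abs([double]$offsetLine.Matches[0].Groups[1].Value) }
    $checks["Clock within $MaxClockSkewSeconds s of $ReferenceTimeServer"] =
        ($null -ne $skew) -and ($skew -le $MaxClockSkewSeconds)

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

# Usage: on a domain controller before installing the ATA Lightweight Gateway.
Test-AtaGatewayPrereq | Format-Table -AutoSize
# On a separate ATA Gateway server, skip the DC-specific minimums:
# Test-AtaGatewayPrereq -GatewayHost -ReferenceTimeServer 'DC01' | Format-Table -AutoSize
```

Each row is a pass/fail against the stated requirement; the time check matters most in practice, since Kerberos traffic from a gateway whose clock drifts past the five-minute window cannot be parsed correctly.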
Microsoft ATA Setup
Before installing Microsoft ATA, all of its requirements must be met. After checking whether the target server needs updates, download the installer from the Microsoft ATA site. The installation file shown below was downloaded from the Microsoft website and run.
In the picture below, .NET Framework is being installed. The machine may reboot automatically when the .NET installation finishes.
The picture below shows ATA's language selection. We install ATA version 1.9.7312 and choose the language in which ATA will be used.
The picture below shows the licence terms. Tick the "I accept the Microsoft Software License Terms" box to confirm that ATA will be used under these terms and click "Next".
Enabling automatic updates for ATA is recommended. If Microsoft Update is configured to check automatically, the server will receive ATA updates and keep running securely and without problems.
The picture below shows the default directory for the installation files and the directory for the database (MongoDB) files. The option to create a self-signed certificate is also selected here; note that this certificate must be replaced with a new one before it expires. Click "Install" to start the installation.
The picture below shows the installation of MongoDB and Microsoft ATA in progress.
The picture below shows the completed installation. As shown, Microsoft ATA has been installed successfully.
Configuration then continues in three steps, as shown in the picture below. First, the credentials and domain name needed to connect ATA to the existing domain are entered. These settings are shown in the picture of ATA's connection to the domain.
As shown in the picture below, the test connection from ATA to the domain has succeeded. Click "Save" to keep these settings.
Click the "Gateway Setup" button, as shown in the picture below, to download the gateway installation package that will be installed on the Domain Controller. The downloaded package contains the installer for both the ATA Gateway and the ATA Lightweight Gateway.
Running the downloaded ATA Gateway Setup file on the Domain Controller installs ATA Lightweight Gateway version 1.9.7312, as shown in the image below. Select the language the ATA Lightweight Gateway will use.
The picture below shows the checks performed during installation to confirm that the ATA Lightweight Gateway's minimum requirements are met. It also shows the warnings that apply when installing on a Domain Controller running on VMware. Once the requirements are satisfied, click "Next" to continue.
The following image shows the directory in which the gateway's configuration files will be installed. After this, click "Install" to start the installation.
The following picture shows the installation in progress; the ATA Lightweight Gateway is being installed.
Finally, the image below is shown when the installation is complete. As can be seen, the newly installed ATA Lightweight Gateway has started running, and the installation completed without any errors.