One of the products that Microsoft produces that I am a big fan of is Microsoft Advanced Threat Analytics (ATA). I discovered this product about two years ago now and immediately fell in love with it. Since then it has been improved drastically and includes tools to highlight lateral movement paths to your domain admin accounts (similar in spirit to BloodHound). ATA comes as part of the Enterprise Mobility Suite (EMS) E3 offering, so if you have this (a good way to get MFA, amongst other things), I would recommend deploying ATA. It relies on a central server and then either gateway servers fed by network port mirroring from the domain controllers, or a lightweight gateway agent deployed on the domain controllers directly.
ATA works by recording and analysing network traffic to detect Pass-the-Hash attacks, reconnaissance, brute force attacks and various other things. It relies on behaviour monitoring and analysis, looking for activity that is out of the ordinary. The tool isn’t just sales fluff: using ATA, I have detected pentesters gaining access. One thing to be aware of if you deploy it: for the first month it will be relatively quiet. ATA/AATP spends a month learning what is normal before alerting on some potential attacks. Other attacks (such as replicating the domain) trigger alerts immediately.
From experience, in a relatively small environment (circa 1,500 users) the server didn’t need to be too large. In a larger environment (circa 4,500 users), the main ATA server has had to be resized several times to cope with the load. Now, Microsoft offers Azure Advanced Threat Protection (AATP), which is basically ATA in the cloud. This can be licensed with either EMS E5 (nearly twice the price of E3) or as a standalone product.
Using AATP rather than ATA has a couple of benefits. First of all, Microsoft has to worry about the server processing all the data, not you. Second, the development of AATP and its updates appears to be a lot faster than ATA’s. Third, AATP integrates with Windows Defender Advanced Threat Protection, so when alerts occur you can start hunting for what caused them.
There are a couple of things to be aware of if you have multiple forests in your environment. First of all, each forest requires its own ATA server or AATP workspace, and there is no cross-forest reporting. Second, if you are using AATP, you can only have a maximum of two workspaces on an AATP tenant.
I will attempt to write a more in-depth blog post about these products in the future. If you have access to either of these products via EMS E3 (Advanced Threat Analytics) or EMS E5 (Azure Advanced Threat Protection), I’d say get it deployed ASAP.