IT Blog

Identity & Access Management

What is Advanced Threat Analytics?

What is Advanced Threat Analytics?

Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber-attacks and insider threats.

How ATA works

ATA leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by ATA via either:

  • Port mirroring from Domain Controllers and DNS servers to the ATA Gateway and/or
  • Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers

ATA takes information from multiple data sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization, and build a behavioral profile about them. ATA can receive events and logs from:

  • SIEM Integration
  • Windows Event Forwarding (WEF)
  • Directly from the Windows Event Collector (for the Lightweight Gateway)

For more information on ATA architecture, see ATA Architecture.

What does ATA do?

ATA technology detects multiple suspicious activities, focusing on several phases of the cyber-attack kill chain including:

  • Reconnaissance, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist. They generally build their plan for the next phases of the attack.
  • Lateral movement cycle, during which an attacker invests time and effort in spreading their attack surface inside your network.
  • Domain dominance (persistence), during which an attacker captures the information allowing them to resume their campaign using various sets of entry points, credentials, and techniques.

These phases of a cyber attack are similar and predictable, no matter what type of company is under attack or what type of information is being targeted. ATA searches for three main types of attacks: Malicious attacks, abnormal behavior, and security issues and risks.

Malicious attacks are detected deterministically, by looking for the full list of known attack types including:

  • Pass-the-Ticket (PtT)
  • Pass-the-Hash (PtH)
  • Overpass-the-Hash
  • Forged PAC (MS14-068)
  • Golden Ticket
  • Malicious replications
  • Reconnaissance
  • Brute Force
  • Remote execution

Demo Of ATA: https://www.youtube.com/watch?v=RAS-TI6PUrg

Leave a Reply

Your email address will not be published. Required fields are marked *