Microsoft 365 Security Administration: MS-500 Exam Guide

Identifying the organizational needs for Azure ATP

To identify your organization's needs in relation to Azure ATP, we first need to examine, in greater detail, exactly what Azure ATP is and what it can do. Essentially, Azure ATP is a security solution that is designed for use in hybrid cloud environments, where you have a mixture of on-premises and cloud users, data, and resources.

Azure ATP can monitor your on-premises domain controllers to identify and investigate advanced threats and compromised identities by using machine learning and behavioral algorithms to do the following:

  • Identify suspicious activity.
  • Detect and identify advanced attacks and malicious activities.
  • Protect Azure Active Directory (Azure AD) identities and credentials.
  • Provide incident reports.

Azure ATP can create behavioral profiles for your users and diligently analyze user activities and events to detect any advanced threats, compromised users, and malicious insiders that could threaten your organization. The information gathered by Azure ATP provides recommended security best practices and helps you significantly reduce the areas that are vulnerable to attack.

Let's look at Azure ATP in more detail, starting with how you can identify suspicious activity.

Understanding suspicious activity

Let's first examine what represents suspicious user activity from an Azure ATP perspective. To further understand this concept, you must first have an awareness of the cyber-attack kill chain, which is a series of steps to trace the progress of a cyber-attack from the beginning (which is referred to as the reconnaissance stage) to the end (which results in unauthorized data exfiltration).

Azure ATP focuses on the phases of the kill chain to detect suspicious activities, which can include the following:

  • Reconnaissance: The attacker gathers information about the environment after gaining initial access.
  • Lateral movement: The attacker works patiently to spread their attack and gain elevation of privileges.
  • Domain dominance (persistence): The attacker gains control of your environment and ensures that they have multiple points of entry to the environment.

It is crucial to understand these phases of the kill chain in order to identify suspicious activities in your Microsoft 365 environment.

Next, let's look at how we can identify advanced attacks and malicious activities.

Exploring advanced attacks and malicious activities

By focusing on the phases of the kill chain, Azure ATP can protect your environment from attack vectors before they cause any damage or disruption. Decoy accounts can be set up and used to track any malicious activities within your environment and generate security alerts that can include the following:

  • Suspected identity theft using pass-the-ticket
  • Suspected identity theft using pass-the-hash
  • Suspected brute force attacks
  • Reconnaissance using Domain Name System (DNS)
  • Unusual protocols
  • Suspicious service creation

The malicious activities listed here are only a few of the many that can generate security alerts within Azure ATP.

Important note

Please see the References section at the end of this chapter for links to further information and greater details on the available Azure ATP security alerts.

Understanding the Azure ATP architecture

Before you can start working with Azure ATP, it is important to have an understanding of the Azure ATP architecture. Azure ATP is a combination of services and components that work together to provide your Microsoft 365 tenant with comprehensive protection from modern threats and attacks that may target your environment. The following diagram shows the architecture of Azure ATP:

Figure 6.1 – The Azure ATP architecture

Azure ATP can function to protect your hybrid identity by leveraging three key components, as follows:

  • The Azure ATP portal: This is where you create your Azure ATP instance, as well as monitor and address any threats that have been reported.
  • The Azure ATP sensor: This is installed onto your on-premises domain controllers and is used to monitor domain controller traffic.
  • The Azure ATP cloud service: This runs on Azure infrastructure and shares data using Microsoft's intelligent security graph. The cloud service can connect Azure ATP to Windows Defender ATP.

When you create your Azure ATP instance using the Azure ATP portal, this enables you to integrate with Microsoft security services, configure your Azure ATP sensor settings for your domain controllers, and review the data retrieved by these sensors to interpret any suspicious and malicious activities.

The Azure ATP sensor can monitor on-premises domain controller ingress and egress traffic. It receives events from domain controllers, which can include information about on-premises users and computers. The information gathered is passed on to the Azure ATP cloud service.

So, how does this information help you to understand and plan for your organization's needs for Azure ATP deployment? Essentially, we can break this down by answering the following questions:

  • What do you need to protect?
  • How can you protect it?
  • How can you be certain that the protection you have applied is working?

The simple answers to these questions are as follows:

  • You need to protect your Microsoft 365 hybrid cloud users and resources by deploying an Azure ATP instance in the Azure ATP portal.
  • You can apply protection by installing Azure ATP sensors onto your on-premises domain controllers.
  • You can verify that the protection is working by diligently monitoring Azure ATP events and alerts to review and respond to any potentially suspicious and malicious activities.

It is Microsoft's recommended best practice to deploy Azure ATP in three stages.

Stage 1

The following steps should be completed for stage 1 of deploying Azure ATP:

  1. Set up Azure ATP to protect primary environments. Azure ATP can be deployed quickly to configure immediate protection.
  2. Set sensitive accounts and honeytoken accounts (a honeytoken account is an account specifically set up to trap malicious actors).
  3. Review reports and potential lateral movement paths.

Stage 2

The following steps should be completed for stage 2 of deploying Azure ATP:

  1. Protect all domain controllers and forests in your organization.
  2. Monitor all alerts and investigate any lateral movement or domain dominance.
  3. Use the security alert guide to understand threats.

Stage 3

The following step should be completed for stage 3 of deploying Azure ATP: integrate Azure ATP alerts into your security operations workflows, if applicable.
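To make two of the ideas in this chapter concrete, the honeytoken accounts set up in stage 1 and the "suspected brute force" alert listed under advanced attacks, here is a small added example of the kind of detection logic a security operations team might run over domain controller logon events. This is illustrative code written for this guide, not Azure ATP's own detection algorithm or any Microsoft API; the event lines, account names, hosts, the five-failures-in-one-minute threshold and the simplified `4624`/`4625` (successful/failed logon) event format are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each line is a simplified
# Windows security event: timestamp, event ID, target account, source host.
# 4624 = successful logon, 4625 = failed logon.
SAMPLE_EVENTS = """\
2020-03-01T09:00:01 4624 jsmith WS-101
2020-03-01T09:00:05 4625 svc-backup WS-233
2020-03-01T09:00:07 4625 svc-backup WS-233
2020-03-01T09:00:09 4625 svc-backup WS-233
2020-03-01T09:00:11 4625 svc-backup WS-233
2020-03-01T09:00:13 4625 svc-backup WS-233
2020-03-01T09:10:00 4625 jsmith WS-101
2020-03-01T09:15:00 4624 ht-admin WS-233
"""

# Assumed honeytoken account: a decoy that no legitimate process ever uses,
# so any logon activity involving it is suspicious by definition.
HONEYTOKEN_ACCOUNTS = {"ht-admin"}

# Assumed brute-force policy: this many failures against one account from one
# host inside the window raises an alert.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=1)


def parse_events(text):
    """Parse the simplified event lines into dictionaries."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, host = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "host": host,
        })
    return events


def detect_honeytoken_use(events, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Alert on any logon event, successful or failed, that touches a honeytoken."""
    return [
        {"type": "honeytoken", "account": e["account"], "host": e["host"],
         "event_id": e["event_id"], "time": e["time"]}
        for e in events if e["account"] in honeytokens
    ]


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD,
                       window=BRUTE_FORCE_WINDOW):
    """Alert once per (account, host) pair that accumulates `threshold`
    failed logons within a sliding time window."""
    failures = defaultdict(list)   # (account, host) -> failure timestamps
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["event_id"] != 4625:
            continue
        key = (e["account"], e["host"])
        times = failures[key]
        times.append(e["time"])
        # Discard failures that have fallen out of the sliding window.
        while times and e["time"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": "brute_force", "account": key[0],
                           "host": key[1], "failures": len(times),
                           "time": e["time"]})
    return alerts


def run(text=SAMPLE_EVENTS):
    """Run both detections over the event text and return all alerts."""
    events = parse_events(text)
    return detect_honeytoken_use(events) + detect_brute_force(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the script raises exactly two alerts: the successful logon with the honeytoken account `ht-admin`, and a suspected brute force against `svc-backup` from `WS-233`; the single failed logon for `jsmith` stays below the threshold. Note that the honeytoken rule fires on the first event rather than waiting for a pattern, which is the whole point of a decoy account, and that both alerts name the same source host, the kind of correlation that feeds the lateral movement investigation described in stage 2.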

Important note

For detailed guidance on implementing Azure ATP in line with Microsoft best practice, please refer to the An overview of Azure ATP link that is included in the References section at the end of this chapter.

So, the preceding steps will help you understand the principles of Azure ATP and show you how you can prepare to configure it. Now, you are ready to set up your Azure ATP instance and start taking advantage of the various features and capabilities of the product.