The usual authentication challenge on our internal domains is a username and password. Once a user has successfully authenticated to Active Directory, we don’t spend any more time “profiling” that user to see whether their behavior is normal: are they doing what we expect them to do, and if not, what are they doing?
ATA builds a behavior profile for each user and device, and when it identifies that an account has been compromised, it records where that account has been, on which machines, and where the likely attacker is heading next. The first question you may ask is how? Aren’t there thousands of different types of attack? Yes, there are, but they all pass through the same three stages, and it is the behavior in these three phases that ATA is looking for.
Take a typical case: a user enables a macro or downloads something dangerous through email. Once the initial payload has been delivered, the attacker works through three phases. They begin by extracting credential material stored on the compromised device (for example, cached password hashes). Next comes the “Reconnaissance” phase, in which they try to learn anything useful about your environment: your IP addressing, your domain controllers, the default gateway, and so on. From here a Pass-the-Hash style attack can be used to reach other machines under other user accounts, a phase usually referred to as “Lateral Movement”. Once they land on a high-value target, they move on to the last phase, “Dominance”.
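To make the “behavior profile” idea concrete, here is a small added example of the kind of baseline-and-deviation logic the text describes. It is not ATA’s code and does not reproduce ATA’s detection engine; it is illustrative only. The logon events, host names (WS01, FILE01, DC01 and so on), account names and the set of domain controllers are all constructed for the example. It learns which target hosts and authentication packages each account normally uses, then flags logons to never-before-seen hosts, a burst of such logons inside a short window (the lateral-movement pattern), a switch to an authentication package the account has never used (NTLM where the baseline is Kerberos only, as a Pass-the-Hash attempt would show), and a first logon to a domain controller (the step toward dominance).

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample logon events, not real telemetry:
# (time, account, source host, target host, authentication package)
BASELINE_EVENTS = [
    (_ts("2016-03-01 08:02"), "alice", "WS01", "WS01", "Kerberos"),
    (_ts("2016-03-01 08:05"), "alice", "WS01", "FILE01", "Kerberos"),
    (_ts("2016-03-02 08:10"), "alice", "WS01", "FILE01", "Kerberos"),
    (_ts("2016-03-03 08:01"), "alice", "WS01", "WS01", "Kerberos"),
    (_ts("2016-03-01 09:00"), "bob", "WS02", "WS02", "Kerberos"),
    (_ts("2016-03-02 09:12"), "bob", "WS02", "FILE01", "Kerberos"),
]

# Constructed "day four": alice's workstation suddenly fans out to new hosts with NTLM.
NEW_EVENTS = [
    (_ts("2016-03-04 08:00"), "alice", "WS01", "WS01", "Kerberos"),
    (_ts("2016-03-04 13:02"), "alice", "WS01", "WS05", "NTLM"),
    (_ts("2016-03-04 13:06"), "alice", "WS01", "WS07", "NTLM"),
    (_ts("2016-03-04 13:11"), "alice", "WS01", "WS09", "NTLM"),
    (_ts("2016-03-04 13:15"), "alice", "WS01", "DC01", "NTLM"),
    (_ts("2016-03-04 09:05"), "bob", "WS02", "FILE01", "Kerberos"),
]

# Assumed (constructed) list of domain controllers in the environment.
DOMAIN_CONTROLLERS = {"DC01"}


def build_profile(events):
    """Learn, per account, the target hosts and auth packages seen in the training window."""
    profile = defaultdict(lambda: {"targets": set(), "packages": set()})
    for _, user, _, dst, pkg in events:
        profile[user]["targets"].add(dst)
        profile[user]["packages"].add(pkg)
    return profile


def score_events(profile, events, window=timedelta(minutes=30), burst=3):
    """Compare new events against the learned profile.

    Returns {account: [finding, ...]}; accounts with nothing unusual are absent.
    """
    findings = defaultdict(list)
    new_host_times = defaultdict(list)   # account -> times of logons to unseen hosts
    flagged_burst = set()
    flagged_pkg = set()
    for ts, user, src, dst, pkg in sorted(events):
        base = profile.get(user)
        if base is None:
            findings[user].append(f"{ts:%H:%M} no baseline for account; logon to {dst}")
            continue
        if dst not in base["targets"]:
            findings[user].append(f"{ts:%H:%M} first logon to {dst} from {src}")
            if dst in DOMAIN_CONTROLLERS:
                findings[user].append(f"{ts:%H:%M} first logon to domain controller {dst}")
            new_host_times[user].append(ts)
            recent = [t for t in new_host_times[user] if ts - t <= window]
            # Several never-before-seen hosts in a short window is the lateral-movement pattern.
            if len(recent) >= burst and user not in flagged_burst:
                flagged_burst.add(user)
                findings[user].append(
                    f"{ts:%H:%M} possible lateral movement: {len(recent)} new hosts "
                    f"within {int(window.total_seconds() // 60)} minutes"
                )
        if pkg not in base["packages"] and (user, pkg) not in flagged_pkg:
            flagged_pkg.add((user, pkg))
            findings[user].append(
                f"{ts:%H:%M} {pkg} used for {dst}; baseline only {sorted(base['packages'])}"
            )
    return dict(findings)


def lateral_movement_suspects(profile, events):
    """Accounts whose findings include the lateral-movement burst."""
    return {u for u, fs in score_events(profile, events).items()
            if any("possible lateral movement" in f for f in fs)}


if __name__ == "__main__":
    prof = build_profile(BASELINE_EVENTS)
    for user, fs in score_events(prof, NEW_EVENTS).items():
        for f in fs:
            print(f"[{user}] {f}")
```

Run stand-alone, the script reports nothing for bob (he did what he always does) and a sequence of findings for alice: four first-time hosts, NTLM where only Kerberos had been seen, a lateral-movement burst, and finally the first logon to a domain controller. The thresholds (a 30-minute window, three new hosts) are arbitrary choices for the example; a real profile would be learned over weeks and would also key on source host and time of day.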