Brief introduction to ATP

I’m sure most people have heard the term ATP, but what is it? In this blog post, I will try to introduce it.

But first things first: what is ATP? It is a cloud-based solution from Microsoft that provides advanced threat detection. That said, let’s begin with the explanation:

Working in IT, we know that attacks are becoming more and more sophisticated, so to achieve good security there are three things security professionals need to do:

  • Understand how advanced attacks work on-premises and in the cloud (tools, techniques…)
  • Once an attack has succeeded, understand how the attacker starts moving inside the network, and whether the attack propagates from on-premises to cloud resources (what is known as Lateral Movement)
  • Build a security model or strategy to address those advanced attacks.

To protect ourselves from those kinds of attacks, Microsoft responded with their Advanced Threat Protection security model, consisting of Office 365 ATP, Azure ATP and Windows Defender ATP.

  • Office 365 ATP (think of it as the 1st line of protection): inspection for zero-day attacks and malware received via email or uploaded to SharePoint Online, using the Safe Attachments and Safe Links features.
  • Windows Defender ATP (2nd line of protection): device-level protection on machines to detect advanced persistent malware, and to provide post-breach investigation and automated response.
  • Azure ATP (3rd line of protection): allows IT admins to monitor attackers who are already inside the network (not malware): what they are doing, what they did, and what actions to take.

The problem (for most companies) is that all those features are licensed under the E5 suite (or M365), and they work together to protect your enterprise. These products provide a defense-in-depth mechanism as follows:

  • Since most malware attacks arrive by email, Office 365 ATP can be considered the first line of defense.
  • If Office 365 ATP fails to identify the malware, then the endpoint product, Windows Defender ATP, will try to catch it by identifying unusual privilege elevation or strange behavior on the machine.
  • If identity theft was successful, then through Azure ATP you can monitor how the attacker is using that identity to move from one machine to another. That is, after a successful credential theft, which activities the attacker is performing with the stolen identity.

That’s all, till next post!

Advanced Threats Protection for Microsoft Teams

O365 ATP is a great tool included in the Security and Compliance Center: it analyzes URLs and attachments in depth before letting end users access them. The bad part is that it is only included in E5 O365 licenses. If you want to learn more about ATP, check the following link: https://support.office.com/en-us/article/Office-365-Advanced-Threat-Protection-e100fe7c-f2a1-4b7d-9e08-622330b83653?ui=en-US&rs=en-US&ad=US

To enable ATP for SharePoint and Teams, go to the Security and Compliance admin center (https://protection.office.com/) and then go to Threat Management.


Then check the box “Turn on ATP for SharePoint, OneDrive and Microsoft Teams” to enable ATP for these workloads.


It may then take up to 30 minutes to complete. Once ATP detects a malicious file, a notification is displayed on the SharePoint web page and access to the infected file is blocked.


As an administrator you can also create an alert to get notified when an infected file is detected on SharePoint, OneDrive or Teams.

While still in the Security and Compliance portal, go to the Alerts \ Alert policies section


Then create a new alert policy with the following settings:

  • Name: name the alert policy as you want
  • Severity: set the severity as you wish (between low, medium and high)
  • Category: Threat management
  • Activity is: Detected malware in file
  • Leave other settings as default
  • Finally, define the recipient(s) for this alert
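The same two steps (enabling ATP for the SharePoint, OneDrive and Teams workloads, then creating the malware alert policy) can be scripted instead of clicked through the portal. This is an added example, not code from the original post: it assumes you already have a Connect-ExchangeOnline and Connect-IPPSSession session with an account holding the Security Administrator role, the recipient address and policy name are placeholders, and the audit-log operation name FileMalwareDetected for the “Detected malware in file” activity is an assumption you should confirm against a portal-created policy (Get-ProtectionAlert).

```powershell
# Added example, not from the original post. Assumes an existing
# Connect-ExchangeOnline (for *-AtpPolicyForO365) and Connect-IPPSSession
# (for *-ProtectionAlert / Search-UnifiedAuditLog) session.
$Recipient = 'secops@contoso.example'   # placeholder, replace with your own address
$AlertName = 'Malware detected in file (SPO/ODB/Teams)'   # placeholder name

# Step 1: turn on ATP for SharePoint, OneDrive and Teams (Exchange Online cmdlet)
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify the setting took effect before relying on it
$policy = Get-AtpPolicyForO365
if (-not $policy.EnableATPForSPOTeamsODB) {
    throw 'ATP for SharePoint, OneDrive and Teams is still disabled'
}

# Step 2: alert policy for the "Detected malware in file" activity.
# 'FileMalwareDetected' is the unified-audit-log operation name this activity is
# assumed to map to; compare with the Operation field of a portal-created policy.
$existing = Get-ProtectionAlert | Where-Object { $_.Name -eq $AlertName }
if (-not $existing) {
    New-ProtectionAlert -Name $AlertName `
        -Category ThreatManagement `
        -Operation FileMalwareDetected `
        -Severity Medium `
        -NotifyUser $Recipient `
        -NotificationEnabled $true
}

# Optional check: list the detections ATP has recorded in the last 7 days, so
# you can see the alert firing on real events rather than trusting the config.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations FileMalwareDetected -ResultSize 100 |
    Select-Object CreationDate, UserIds,
        @{ Name = 'File'; Expression = { ($_.AuditData | ConvertFrom-Json).ObjectId } }
```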
