User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts Ken Paiboon...

Post on 23-Dec-2015


User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts

Ken Paiboon | 214.274.3436 | ken@exabeam.com

CONFIDENTIAL

The Anthem Data Breach

• “…Attackers gained unauthorized access…”

• “…Information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data…”

• “…Believe it happened over the course of several weeks beginning in early December 2014…”

• “…contacted the FBI / retained Mandiant…”

“I personally apologize to each of you.”

What do these letters really tell us?

• We’re not completely sure WHEN, HOW, or for HOW LONG we’ve been breached

• We weren’t able to detect the data breach until well after the fact

• DBA witnessed own credentials used to execute the queries

• An attacker obtained credentials that allowed for unauthorized access

• Due to either technology or personnel limitations we’re not able to figure out what happened, so we asked Mandiant in to manually piece together the story of what happened

The Pervasive Data Breach Problem

• 224: Average number of days the attacker was resident

• 100% … of breaches involved stolen credentials

• 100% … of the time evidence of the attack was in log data

• 59,746 (1%) … of all suspicious alerts generated over 8 month attack at Neiman Marcus

What do these numbers tell us?

• We have to know what to look for

• We get too many alerts

• We don’t get the full picture

We are focused on the attack chain phases…

Source: FireEye Mandiant APT1 report (Feb 2013)

[Figure: APT1 attack lifecycle. Phases: Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission. Duration across the chain: Hours | Weeks or Months | Hours. Annotations: “Where most of our detection effort and money goes”; “Some detection effort and money goes here (DLP)”; “Possible credential use”.]

…instead of what enables each phase

User Behavior Intelligence is the missing layer of detection after perimeter defenses

Employees use credentials to access IT systems to create business value.

Attackers use credentials to access systems to steal the business value employees create.

Attackers and employees have divergent goals resulting in different behaviors and access characteristics.

Defining a UBI Solution

User Behavior Intelligence Solutions:

• Learn and remember normal credential access behaviors and characteristics and score what’s anomalous

• Provide information about what’s normal user behavior as context

• Assemble the data into user sessions (log-on to log-off)

• Keep “state” on the user across identity and internet address switches

• Attribute security alerts to the credential (user) that was in use on the system when the alert occurred

• Create efficiencies in security operations

Fits into CDM capability: Security Related Behavior / Manage Accounts for People and Services (Phase 2)


Undetected Attack: South Carolina IRS

At various stages of this attack, important anomalies went unnoticed:

• VPN access off hours

• VPN access from new device

• VPN access from outside US

• Unusual access to servers

• Crawling of sensitive servers

• Copy of large DB backups

Attack timeline:

• 13 August: Spear Phishing

• 27 August: VPN in with stolen credentials

• 29 Aug to 11 Sept: Server & App Recon

• 12 September: File Data Theft

• 13-14 September: Exfiltration


Using behavior modeling to determine – Is it anomalous?

System automatically asks access context questions

[Figure: Example – VPN Login. Access context dimensions checked for the login: From Device, IP, ISP, GEO, Time, To Server, To Realm, User, Peer Group, Org. Custom Algorithms Applied (VPN Access: ISP, GEO, To Realm).]

Understanding Normal as Context is Critical

• SIEMs are not engineered to surface abnormal from normal

• Important for a learning engine

• To learn or not to learn – that is the question

• Accounting for divergent behavior -- to a point

• Know when to say, “I can’t make a determination.”

• Data distribution and amounts


Example of a Proven UBI Approach

[Figure: UBI pipeline. Inputs: IT Security, Machine Data, Log Management, ERP, CMDB, Active Directory, HRMS, ITMS, plus Research + Community Insights. Stages: Extract & Enrich + Session Tracking + Behavior Analysis + Risk Engine → SCORE (75). Outputs: Risk Scoring, Incident Ranking, Attack Detection. Result: User Behavior Intelligence.]

Solving the IRS Example Using UBI

QUESTION                                                          ANSWER  RISK
Has Jerry connected during the weekend?                           NO      +10
Has Jerry used this device to connect to the VPN in the past?     NO      +10
Has Jerry previously entered network from abroad?                 YES     +20
Has Jerry previously entered network from Romania?                NO      -5
Has Jerry connected to this server in the past? (x4)              NO      +40
Has Jerry’s file share contained sensitive information? (x2)      YES     +10
Has Jerry’s peer group accessed this server in the past?          NO      +5
Has Jerry crawled file shares?                                    NO      +5

ACTIVITY TIMELINE / RISK TRACKING

8:29AM   Risk score = 35

9:15AM   Risk score = 90

10:30AM  Risk score = 95

SCORE: 95
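As an added example (not Exabeam’s code, and not from the original deck), the following Python sketch re-derives this Jerry walkthrough end to end: it holds a constructed baseline of what a learning engine would “remember” as normal for the user, answers the access-context questions from the earlier VPN-login slide for each event, accumulates the deltas into the running 35 / 90 / 95 scores, and declines to judge when the baseline has too little history, which is the “I can’t make a determination” point from the Understanding Normal slide. The point values are the ones on the slide above; everything else (the baseline, the events, the minimum-history threshold, and which of the +20 / -5 pair applies to “abroad before” versus “this country before”) is an assumption made for the example.

```python
"""Risk engine re-deriving the 'Jerry' walkthrough: each event is scored by
asking access-context questions against what the engine has learned is normal
for the user, and the deltas accumulate into one session risk score.
Added example, not Exabeam code; baseline, events and threshold below are
constructed (point values are the slide's; their mapping is an assumption)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

MIN_HISTORY = 20  # assumption: below this many past sessions, decline to judge


@dataclass
class UserBaseline:
    """What the learning engine remembers as normal for one user."""
    user: str
    home_country: str
    sessions_observed: int         # how much history the model was built from
    weekend_logins: int            # past weekend connections
    vpn_devices: frozenset         # devices previously used for VPN
    countries: frozenset           # countries previously VPN'd from
    servers: frozenset             # servers this user has accessed before
    peer_group_servers: frozenset  # servers the user's peer group accesses
    sensitive_shares: frozenset    # shares known to hold sensitive data
    has_crawled_shares: bool


@dataclass
class Event:
    time: datetime
    kind: str                      # "vpn_login", "server_access" or "share_crawl"
    device: str = ""
    country: str = ""
    servers: Tuple[str, ...] = ()
    shares: Tuple[str, ...] = ()


# (question, answer, risk delta); answer is None when the engine cannot decide
Finding = Tuple[str, Optional[bool], int]


def score_event(b: UserBaseline, e: Event) -> List[Finding]:
    """Answer the context questions relevant to one event from the baseline."""
    if b.sessions_observed < MIN_HISTORY:
        return [("enough history to judge?", None, 0)]  # "I can't make a determination"
    f: List[Finding] = []
    if e.kind == "vpn_login":
        if e.time.weekday() >= 5:
            seen = b.weekend_logins > 0
            f.append(("connected during the weekend before?", seen, 0 if seen else 10))
        seen = e.device in b.vpn_devices
        f.append(("used this device for VPN before?", seen, 0 if seen else 10))
        if e.country != b.home_country:
            abroad = any(c != b.home_country for c in b.countries)
            f.append(("entered network from abroad before?", abroad, -5 if abroad else 0))
            seen = e.country in b.countries
            f.append((f"entered network from {e.country} before?", seen, 0 if seen else 20))
    elif e.kind == "server_access":
        for s in e.servers:
            seen = s in b.servers
            f.append((f"connected to {s} before?", seen, 0 if seen else 10))
        for sh in e.shares:
            sens = sh in b.sensitive_shares
            f.append((f"share {sh} holds sensitive data?", sens, 5 if sens else 0))
        peer = any(s in b.peer_group_servers for s in e.servers)
        f.append(("peer group accessed these servers before?", peer, 0 if peer else 5))
    elif e.kind == "share_crawl":
        f.append(("crawled file shares before?", b.has_crawled_shares,
                  0 if b.has_crawled_shares else 5))
    return f


def track_risk(b: UserBaseline, events: List[Event]) -> List[Tuple[datetime, int]]:
    """Cumulative session score after each event, in time order."""
    score, out = 0, []
    for e in sorted(events, key=lambda x: x.time):
        score += sum(d for _, _, d in score_event(b, e))
        out.append((e.time, score))
    return out


# Constructed baseline: a weekday, US-based user with one laptop and one past UK trip
JERRY = UserBaseline(
    user="jerry", home_country="US", sessions_observed=180, weekend_logins=0,
    vpn_devices=frozenset({"LAPTOP-J01"}), countries=frozenset({"US", "UK"}),
    servers=frozenset({"fs-01"}), peer_group_servers=frozenset({"fs-01", "app-01"}),
    sensitive_shares=frozenset({"db-01/backups", "db-02/backups"}),
    has_crawled_shares=False,
)

# Constructed events on a Saturday: new device from Romania, four unfamiliar
# database servers plus two sensitive shares, then a file-share crawl
EVENTS = [
    Event(datetime(2015, 12, 19, 8, 29), "vpn_login", device="UNKNOWN-PC", country="RO"),
    Event(datetime(2015, 12, 19, 9, 15), "server_access",
          servers=("db-01", "db-02", "db-03", "db-04"),
          shares=("db-01/backups", "db-02/backups")),
    Event(datetime(2015, 12, 19, 10, 30), "share_crawl"),
]

if __name__ == "__main__":
    for e in EVENTS:
        for q, a, d in score_event(JERRY, e):
            print(f"{e.time:%H:%M}  {q:<45} {str(a):<5} {d:+d}")
    print("risk tracking:", [(t.strftime("%H:%M"), s) for t, s in track_risk(JERRY, EVENTS)])
```

Each question is answered from the baseline rather than from a static rule, which is what separates this from a SIEM correlation rule: the same Romanian VPN login scores differently for a user who travels than for one who never has, and a user with almost no history gets no score at all instead of a misleading one.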

UBI Summary

• Focuses the security team on what attackers want and use—credentials

• Extracts additional value from existing SIEM and log management data repositories

• Learns and remembers ‘normal’ user behaviors for individuals and peer groups

• Prioritizes security risks based on transparent scoring of user activity outliers and business role context

• Security events seen in context – reduces false positives

• Scales to hundreds of thousands of users

• Detects cyber attacks and insider threats in real time

Q&A

Thank You!

www.exabeam.com