Friday, February 3, 2017

Using Analytics to Detect Evidence of Stolen Credential Use

Organizations are caught in a risky dilemma. CISO’s are authorizing broader deployment of endpoint security controls in an attempt to prevent ever increasing threats to valuable corporate or agency assets.  At the same time, security operation centers (SOCs) are straining to properly investigate inbound alerts.  As new controls are deployed throughout the network, the resulting number of alerts also increase. 

The most successful method used by hackers to achieve their malicious mission is to steal legitimate user credentials, particularly credentials that have super-user privileges, and masquerade as a trusted insider.  Attackers use various techniques to steal the logon id/password pairs of authorized personnel, such as phishing, social engineering, brute force attacks, etc.  Once in, they proceed with their network intrusion with confidence.  Endpoint security controls will not alert on the seemingly authorized activity and all of this “so called” normal activity will be buried in massive security logs.

Organizations trying to detect and mitigate the instances of stolen credentials have looked to traditional SIEM and newer User Behavior Analytics (UBA) vendors for solutions.  SIEMs primarily use Boolean algorithms to perform pattern matching on security log data and struggle to scale effectively to handle all of the enterprise log data.  SIEM’s one-to-one rigid rule approach is a dual edged sword.  On one side the correlation rules provide very precise criteria for what is or is not alert worthy.  This does show some reduction in false positives. On the other side, many breach events are missed by a SIEM when the attacker purposely uses slight variances in their behaviors to blend into normal event traffic flows.   This technique can allow the intruder to avoid one or more rule prerequisites of a SIEM correlation rule.  Correlation rules are notorious for being very high in maintenance of the many complex regex statements and queries that are necesary to keep up as attack vectors change over time.
Some examples of the types of activities that can be detected with Boolean (pattern matching) correlation rules:

  • Login - Successful Login From Multiple Sources (Detect Shared/Compromised Credential)
  • Login - Successful Login Followed by Possible Malicious Commands (Detect possible malicious commands immediately after login. i.e. create new super user, delete users, read protected files (passwords, database, etc)  
  • Login - Multiple Failed Login Attempts From Source (Detect Brute Force)
  • Login - Successful Login after Brute Force Login Attempts From Source (Detect Successful Brute Force)
  • Policy - Off-hours Compliance Activity to a Host (Credentials being used off hours)
  • Username = list of blacklisted users. (Detect usernames you know don’t exist or shouldn’t be used)
  • Account Lockout

UBA solutions often ride alongside SIEM implementations to provide the potential to detect some behaviors that can be missed by SIEMs alone by using behavior analytics to model normal and potentially malicious activity.  While this sounds promising, and has proven to show some successes, customers have to manage two enterprise caliber security monitoring consoles as well as two sources of alarms for the same log data feeds.  Behavior analytics solutions utilize advanced artificial intelligence algorithms to observe and measure security log data the context of user or system behavior.  By establishing baselines, behavior analytics can determine what is normal and abnormal day-to-day activity.  Not all abnormal behavior is bad, and not all seemingly normal behavior is good.  Hackers are also skilled at behavior profiling and do their best to ‘blend in’ with normal activity to avoid detection and extent their missions (i.e., dwell times).  Analytics engines must use scoring methods in conjunction with behavior modeling to flag potentially malicious activity to SOC analysts to investigate.
Some examples of the types of behaviors that can be detected using behavior analytics:

  • User logins from unusual locations and attempting to connect to systems never before accessed
  • User unsuccessfully attempts to login two times every night, then one night is successful
  • User activity matches learned bad behavior

A big gap in the blended use of SIEM and UBA solutions is, without integrated scoring, the SOC analyst has to do the work of reconciling whether the incidents generated by individual scoring methods from both systems are related or not, and to determine if they have the whole picture of an incident or not.  Also, headaches with scale and manageability will apply to both solutions.
Therefore, what is needed is a fully integrated single vendor solution that provides all of the benefits of Boolean (correlation) and machine learning (analytics) methods mentioned above for accurate incident creation.  One that provides incident validation by leveraging supervised and unsupervised ‘learning’ of what is good and bad behaviors by using artificial intelligence (AI) engines combined with machine learning to generate accurate behavior profiles, and effective baselines.  Such a solution presents:
  • Prioritized security incidents by utilizing an integrated incident scoring system
  • Shows full incident timelines in a single pane of glass 
  • A single enterprise security solution that can ingest all of the security event logs in real-time
  • Easy to manage analytics for users, applications, and assets
  • Simple to scale as environments change over time

Check out the eyeContm  solution at 

No comments:

Post a Comment