User Behavior Analytics (UBA) enables organizations to identify suspicious activity based on how a user interacts with systems and the environment. Typing style, most-used commands, morning routine, the applications used, the pace of work and many other facets can be analyzed to distinguish normal user behavior from abnormal user behavior. Many organizations have been victimized by ransomware such as Cryptolocker, CTB Locker and others. Behavioral analytics can mitigate these attacks, whether they rely on ransomware, insider abuse or compromised credentials.
Security has a big data solution
Logs generated by operating systems, applications, security countermeasures, human interactions and the Internet of Things (IoT) make it impossible for individuals to look at rows and columns and gain deep insight into the data. Visualizations and analytical models are the only practical way to separate the signal from the noise. Security questions become much easier to answer as new visualizations expose what the analysis has found. Here are just a few of the security issues being addressed with User Behavior Analytics (UBA):
- Ransomware identification with compromise detection
- Compromised account identification and misuse
- Inappropriate use of assets
- Video Analytics identifying security issues (prisoners running towards gates attacking perimeters, risks to critical infrastructure, smoke identified in the air)
- Audio analytics to identify abnormal activity (breaking glass, gunshots, screams)
- Identification of hostile people, or intent, via text and semantic analysis
Threat intelligence feeds are becoming increasingly popular in the security community. Sharing information about attackers allows organizations to explicitly blacklist known bad actors, activity and applications. Even if you do no business with a given foreign country, you generally cannot block that entire country because of content distribution networks and the Domain Name System (DNS). Feeds provide a similar blanket of coverage without interrupting business. Several types of feed are available. Organizations or other entities collect logs from production or honeypot systems to identify known attack sources, and feeds documenting known attackers and malware are very common. Attack patterns and the methods attackers use are now communicated through several common threat-description syntax frameworks. Here is a short list of the most common elements found in a threat feed:
Indicators of Compromise
- IP addresses
- File Hashes: MD5, SHA1, SHA256, PEHASH, IMPHASH
- CIDR Rules
- File Paths
- MUTEX name
- CVE number
Understanding where attackers are coming from, which attack vectors they use and which toolsets they use are all valuable pieces of information. Several syntax frameworks exist for describing cyber threat intelligence; they describe observables, indicators, incidents, tactics, exploit targets, courses of action, campaigns and threat actors.
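The practical use of the indicator types listed above is to run your own logs against the feed. The following is an added example, not code from the original article or from any feed vendor; the feed entries, hashes, paths, mutex name and events are all constructed for the demonstration (documentation IP ranges, repeated hex patterns) and are not real indicators. It shows the two checks that are easy to get wrong: CIDR rules are parsed once and matched by network membership rather than string comparison, and hashes are normalized to lower case before lookup so a log that upper-cases them still matches.

```python
"""Match constructed log events against a small threat-intelligence feed.

Added example; every feed value and event below is constructed for the
demonstration and is not a real indicator or a real log line.
"""
import ipaddress
from dataclasses import dataclass

# Constructed feed keyed by the indicator types in the list above
# (IP addresses, CIDR rules, file hashes, file paths, mutex names).
FEED = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "cidr": ["192.0.2.0/24"],
    "sha256": {"deadbeef" * 8},      # constructed 64-hex-char value
    "md5": {"cafebabe" * 4},         # constructed 32-hex-char value
    "path": {r"C:\Users\Public\update.exe"},
    "mutex": {"Global\\ExampleLockerMutex"},
}


@dataclass
class Match:
    event_id: str
    indicator_type: str
    indicator: str


def compile_feed(feed):
    """Parse CIDR rules once and lower-case hashes so per-event checks stay cheap."""
    compiled = {k: set(feed.get(k, ())) for k in ("ip", "path", "mutex")}
    compiled["cidr"] = [ipaddress.ip_network(c, strict=False) for c in feed.get("cidr", [])]
    for htype in ("sha256", "md5"):
        compiled[htype] = {h.lower() for h in feed.get(htype, ())}
    return compiled


def ip_hits(ip_text, feed):
    """Indicators hit by one address: the exact-IP list first, then CIDR rules."""
    hits = []
    if not ip_text:
        return hits
    if ip_text in feed["ip"]:
        hits.append(("ip", ip_text))
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return hits  # malformed address in the log; CIDR checks are skipped
    for net in feed["cidr"]:
        if addr in net:
            hits.append(("cidr", str(net)))
    return hits


def match_event(event, feed):
    """Return every indicator a single event hits (one event can hit several)."""
    hits = []
    for key in ("src_ip", "dst_ip"):
        hits.extend(ip_hits(event.get(key), feed))
    for htype in ("sha256", "md5"):
        value = (event.get(htype) or "").lower()
        if value and value in feed[htype]:
            hits.append((htype, value))
    for key in ("path", "mutex"):
        value = event.get(key)
        if value and value in feed[key]:
            hits.append((key, value))
    return [Match(event["id"], t, v) for t, v in hits]


def scan(events, feed=FEED):
    """Run every event through the compiled feed and collect the matches."""
    compiled = compile_feed(feed)
    matches = []
    for event in events:
        matches.extend(match_event(event, compiled))
    return matches


# Constructed events (not real logs): e1 hits an exact IP, e2 a CIDR rule,
# e3 an upper-cased hash, e4 both a path and a mutex, e5 and e6 nothing.
EVENTS = [
    {"id": "e1", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23"},
    {"id": "e2", "src_ip": "192.0.2.44", "dst_ip": "10.0.0.9"},
    {"id": "e3", "sha256": ("deadbeef" * 8).upper()},
    {"id": "e4", "path": r"C:\Users\Public\update.exe", "mutex": "Global\\ExampleLockerMutex"},
    {"id": "e5", "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "md5": "00" * 16},
    {"id": "e6", "dst_ip": "not-an-ip"},
]

if __name__ == "__main__":
    for m in scan(EVENTS):
        print(f"{m.event_id}: {m.indicator_type} {m.indicator}")
```

In a real deployment the feed would be refreshed on a schedule and the matches written to the SIEM as alerts; the matching logic itself does not change.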
Histograms, trend lines and pie charts can quickly identify potential areas of interest. I have been using Tableau Software to quickly visualize datasets in Vertica, MS-SQL, Excel and Hadoop through API data extractions. A myriad of security-related use cases benefit from these analytical techniques. Some questions can be answered simply by knowing your average running totals, such as:
- Abnormal account activity
- System access
- Network usage
- Disk usage
- Methods of access
- Location of Access
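"Knowing your average running totals" becomes a detection once the averages are turned into a per-user baseline and today's figures are scored against it. The following is an added example, not code from the original article; the users, metrics and two weeks of daily counts are constructed. It demonstrates the general baseline-and-deviation approach rather than one metric: each user gets a mean and standard deviation per metric, today's value is converted to a z-score, and two edge cases that cause trouble in practice are handled explicitly. A flat history (a service account that does exactly the same thing every day) would otherwise have a standard deviation of zero and flag any trivial drift, so the deviation is floored at a fraction of the mean; and a user with no history at all is reported separately rather than silently scored.

```python
"""Baseline per-user activity and flag deviations by z-score.

Added example with constructed data; none of the users or counts are real.
"""
from statistics import mean, pstdev

# Constructed history: per user, per metric, one count per day for 14 days.
HISTORY = {
    "alice": {
        "logins":         [3, 4, 3, 5, 4, 3, 4, 4, 3, 5, 4, 3, 4, 4],
        "hosts_accessed": [2, 2, 3, 2, 2, 2, 3, 2, 2, 2, 3, 2, 2, 2],
        "mb_transferred": [120, 95, 130, 110, 100, 125, 115, 105, 98, 122, 118, 108, 112, 101],
    },
    "svc_backup": {                       # flat history: identical every day
        "logins":         [1] * 14,
        "hosts_accessed": [5] * 14,
        "mb_transferred": [4000] * 14,
    },
}

# Constructed "today": alice touches far more hosts and moves far more data
# than usual, svc_backup drifts slightly, mallory has never been seen before.
TODAY = {
    "alice":      {"logins": 4, "hosts_accessed": 19, "mb_transferred": 2400},
    "svc_backup": {"logins": 1, "hosts_accessed": 5, "mb_transferred": 4100},
    "mallory":    {"logins": 2, "hosts_accessed": 1, "mb_transferred": 10},
}

# Floor sigma at 10% of the mean so a perfectly flat history still tolerates
# small day-to-day drift instead of flagging every nonzero change.
MIN_SIGMA_FRACTION = 0.10


def build_baselines(history):
    """Return {user: {metric: (mean, sigma)}} from the daily history."""
    baselines = {}
    for user, metrics in history.items():
        baselines[user] = {}
        for metric, values in metrics.items():
            mu = mean(values)
            sigma = max(pstdev(values), MIN_SIGMA_FRACTION * mu)
            baselines[user][metric] = (mu, sigma)
    return baselines


def score(today, baselines, z_threshold=3.0):
    """Return (user, metric, z) for every metric above threshold.

    Users with no baseline are returned as (user, "no_baseline", None) so
    they can be reviewed rather than ignored.
    """
    anomalies = []
    for user, metrics in today.items():
        if user not in baselines:
            anomalies.append((user, "no_baseline", None))
            continue
        for metric, value in metrics.items():
            mu, sigma = baselines[user].get(metric, (None, None))
            if mu is None:
                continue  # metric never recorded for this user; nothing to compare
            if sigma == 0:
                # mean is zero and history is flat: any activity at all is new
                z = float("inf") if value != mu else 0.0
            else:
                z = (value - mu) / sigma
            if z > z_threshold:
                anomalies.append((user, metric, round(z, 1)))
    return anomalies


def run():
    """Convenience wrapper used by the stand-alone run and by the checks."""
    return score(TODAY, build_baselines(HISTORY))


if __name__ == "__main__":
    for user, metric, z in run():
        print(f"{user:<12} {metric:<16} z={z}")
```

With these constructed numbers alice's host count and transfer volume are flagged, svc_backup's 2.5% drift is not, and mallory surfaces as an account with no baseline. The floor fraction and the z threshold are tuning knobs; both should be set from your own data rather than copied from here.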
After spending several months studying data analytics with the University of Washington, here is a compilation of methods used to understand and gain insight from data:
| Analytical techniques | Behaviors and relationships analyzed |
|---|---|
| Machine Learning | Bayesian |
| K-nearest neighbors | User Application Interaction Behavior |
| Supervised & Unsupervised learning | User Command Behaviors |
| Inductive Logic | User Keyboard Behaviors |
| Audio analytics | Weekly/Monthly Process |
| Photo & Video Analytics | User/Application/Destination Pairings |
| Predictive | East/West Traffic Analysis |
| Pearson: identify correlations | File/System/Network Service Use |
| Sentiment Analysis | Identify Users vs. computers |
| Geospatial: location details | Event Correlation |
Mitigating Ransomware through User Behavior Analytics
Through user behavior analytics, several organizations have been developing interesting ways to identify and respond to ransomware outbreaks in the environment. We’ve been parachuting in and leveraging our complimentary Unstructured Data Risk Assessments to identify when a user is modifying an excessive number of files in a short period of time – this is a strong indicator of a ransomware infection. By identifying the accounts spreading the infection, especially in an automated fashion, the outbreak can be significantly curtailed.
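The indicator described above, one account modifying an excessive number of files in a short period, is straightforward to compute from file-server audit events. The following is an added example, not the assessment tooling the article refers to; the audit events are constructed in code (four ordinary edits, one 80-file burst, the same burst from a backup account, and a run of reads). It keeps a per-user sliding window of recent modifications and raises one alert the first time the number of distinct files inside the window crosses the threshold, which is the point at which an automated response (disabling the account, revoking the share session) would be triggered. Accounts with known bulk behavior are excluded up front, since a backup or migration job produces exactly the same shape and would otherwise page the on-call engineer every night.

```python
"""Detect ransomware-style modification bursts in file-server audit events.

Added example with constructed events; the share names, users and timings
are not from any real environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # how far back the per-user window reaches
THRESHOLD = 50                   # distinct files modified inside one window
BULK_ACCOUNTS = {"svc_backup"}   # accounts whose bulk writes are expected


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD, bulk_accounts=BULK_ACCOUNTS):
    """Return one alert per user the first time their modification rate crosses threshold.

    events: iterable of (timestamp, user, action, path); processed in time order.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, path) inside the window
    alerted = set()
    alerts = []
    for ts, user, action, path in sorted(events):
        if action != "MODIFY" or user in bulk_accounts:
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}          # renames and re-saves of one file count once
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "at": ts,
                "window_start": q[0][0],
                "files_in_window": len(distinct),
                "first_path": q[0][1],
            })
    return alerts


def constructed_events():
    """Build a small synthetic audit trail covering the cases that matter."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    ev = []
    # alice: four edits spread over an hour, ordinary work
    for i in range(4):
        ev.append((base + timedelta(minutes=15 * i), "alice", "MODIFY",
                   f"\\\\fs01\\finance\\report{i}.xlsx"))
    # bob: 80 distinct files modified in 40 seconds, the pattern described above
    for i in range(80):
        ev.append((base + timedelta(seconds=i / 2), "bob", "MODIFY",
                   f"\\\\fs01\\shared\\doc{i}.docx"))
    # svc_backup: the same burst shape, but a known bulk account
    for i in range(80):
        ev.append((base + timedelta(seconds=i / 2), "svc_backup", "MODIFY",
                   f"\\\\fs01\\shared\\doc{i}.docx"))
    # carol: many reads, no modifications
    for i in range(100):
        ev.append((base + timedelta(seconds=i / 4), "carol", "READ",
                   f"\\\\fs01\\shared\\doc{i}.docx"))
    return ev


EVENTS = constructed_events()

if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print(f"{alert['user']} modified {alert['files_in_window']} files by {alert['at']} "
              f"starting with {alert['first_path']}")
```

Only bob is reported, at the moment his fiftieth distinct file is written, 24.5 seconds into the burst. The window and threshold here are deliberately simple; in practice they are set from the baseline of normal file activity on each share, and the alert is enriched with the client IP and session so the response can be automated.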
Today’s threat landscape requires a different set of security countermeasures. Threat intelligence provides tremendous value because it is constantly updated and shared, giving defenders a hive mentality they have been missing. Combined with data analytics, it is allowing organizations to keep pace with the volume, variety and velocity of attacks occurring daily. User behavior analytics is proving to be a powerful security weapon.
Breach disclosures are hitting the news almost daily. Cryptolocker and other ransomware attacks are occurring at an alarming rate. IT executives and compliance personnel continue to be dismissed in the cleanup process. Organizations that have traditionally been lean on their security spend are now taking a good hard look at the security of their environments. Make sure your organization has taken appropriate steps so that neither your job nor your organization becomes the next cybersecurity breach victim.
Without a centralized set of security directives, organizations address security haphazardly wherever needs are identified. Overlapping controls, multiple systems supporting the same function and dispersed management cause significant inefficiency. Organizations that align their information security program to a control framework can map regulations, industry requirements and security goals onto a single program, delivering efficient, optimized and prudent information security.
Controls consist of five facets. Policy describes management expectations through security directives. Procedures describe how these directives are to be implemented within the organization. Implementation details need to ensure all in-scope systems are covered and no weak links in the chain exist. Testing of the control needs to occur on a regular basis to ensure it continues to work as intended. Training is required to educate users and administrators so that policies and procedures are upheld. By focusing on controls that address breach detection, incident response and end-user training, organizations can dramatically reduce the cost, effort, exposure and impact of breaches.
Detection is key. Attackers on average lurk within an organization’s environment for 205 days before being discovered, and 69% of victims learn about the compromise from a third party (1). Several technologies have evolved to mitigate this risk, including advanced malware detection systems such as (Companies), threat lists including (Lists) and advanced analytics (Examples).
Incident response is a critical component of a quality information security program. Today people understand it is not a question of if but when they will be breached. Being able to quickly identify, triage, mitigate and restore services to proper working order is vital to reducing the cost of an incident. It is highly recommended to use a well-known framework rather than rolling your own, to ensure you cover all the bases and mitigate previously identified risks. We have been working extensively with the NIST Cybersecurity Framework along with the NIST Incident Response Guide and SANS Institute recommendations to assist customers with preparing for the breach.
Testing & Training
For two consecutive years more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing (2). An overall information security awareness training program should be developed. Education of both business and technical staff is required to ensure controls are implemented as intended. I recommend implementing an information security awareness training calendar to ensure security remains top of mind for all parties. Leveraging multiple vehicles such as online messages, newsletters, posters, email, training sessions, tabletop exercises, penetration tests and social engineering exercises reinforces users’ need to remain diligent in their information security roles.
There is significant movement toward focusing on the data rather than on the pipes and servers. Through encryption, tokenization and other techniques, compromise of the data is mitigated even when the servers are compromised. We are also seeing many customers assess both their structured and unstructured environments to determine where sensitive data and risks reside. Leveraging automated taxonomy and data classification techniques, we are assisting many of them to put both data silos into a risk portfolio. If you do not know where your sensitive data resides, you cannot appropriately secure it. We are also seeing significant interest in PCI environments, where organizations are looking to tokenize credit card data to reduce the requirements PCI DSS imposes on them.
I will use a customer example to describe how important it is to have adequate logging facilities in place prior to an incident. We had a customer visited by several FBI agents on a Friday afternoon informing them they were leaking significant amounts of proprietary data about the products they manufacture to a destination in a foreign country. Needless to say, this was not the customer but an attacker siphoning intellectual property. Parachuted into the event, we identified that the breach originated with valid credentials through a VPN connection. Our next step was to identify where this inbound connection went within the network. We asked the customer for their logs – they had none. The result was a $246,000 service engagement to have a troop of senior engineers ascertain the damage. Do not be like this customer. If you do not have centralized log aggregation and archiving, get some immediately!
There are four ways to respond to risk: mitigation, avoidance, transference and acceptance. Mitigation includes applying best practices, removing default passwords and configurations, and implementing countermeasures to reduce the risk to an acceptable level. Avoidance means staying away from the potential risk altogether. Transference migrates the risk to an external party; this may take the form of cyber insurance, managed services or cloud offerings. Finally, acceptance means the business owners are willing to live with the risk and roll the dice. Depending on the risk and the industry, each of these response techniques has its place.
As with most disasters and security incidents, it is much better to prepare than to attempt triage under high stress without plans. By implementing a control framework and a risk portfolio, organizations are able to prudently maximize their human and monetary resources. A quality incident response plan that has been vetted and tested will significantly improve recovery times. Finally, test and train your users consistently to ensure security remains top of mind. Security is complex and always evolving; leveraging frameworks and testing your defenses are among the best methods to ensure your organization is prepared.
(1) Mandiant M-Trends 2015 Report
(2) Verizon 2015 Breach Report