Virtual CISO

May 18 2016   4:57PM GMT

User Behavior Analytics (UBA) & Ransomware Analytics

Jeromie Jackson

Threat detection
Threat intelligence

User Behavior Analytics (UBA) enables organizations to identify suspicious activity based on how a user interacts with systems and the environment.  Typing style, most-used commands, morning routine, the applications used, the rate at which the user works and many other facets can be analyzed to distinguish normal user behavior from abnormal user behavior.  Many organizations have been victimized by ransomware such as Cryptolocker, CTB Locker and others.  Using behavioral analytics, attacks involving ransomware, insider abuse, and compromised credentials can be mitigated.


Use Cases

Security has a big data solution.  Logs generated by operating systems, applications, security countermeasures, human interactions and the Internet of Things (IoT) make it impossible for individuals to look at rows and columns and gain deep insight into the data.  Visualizations and analytical models are the only way to separate the signal from the noise.  Security questions become much easier to answer as new visualizations give insight through the analysis.  Here are just a few of the security issues being solved with User Behavior Analytics (UBA):

  • Ransomware identification with compromise detection
  • Compromised account identification and misuse
  • Inappropriate use of assets
  • Video analytics identifying security issues (prisoners running towards gates, attacks on perimeters, risks to critical infrastructure, smoke identified in the air)
  • Audio analytics to identify abnormal activity (breaking glass, gunshots, screams)
  • Identification of hostile people, or intent, via text and semantic analysis

Data Sets

Threat intelligence feeds are becoming increasingly popular in the security community.  Sharing information about attackers allows organizations to explicitly blacklist known bad actors, activity and applications.  While you may not work with foreign countries, you generally cannot block an entire country because of content distribution networks and the Domain Name System (DNS).  These feeds provide a similar blanket of coverage without interrupting business.  There are several types of feeds available.  Organizations or entities collect logs from production or honeypot locations to identify known attack sources.  Feeds documenting known attackers and malware are very common.  Attack patterns and the methods used by attackers are now being shared through several common threat syntax frameworks.  Here is a short list of some of the most common elements found in a threat feed:

Indicators of Compromise

  • IP addresses
  • Domains
  • Hostnames
  • Email
  • URL
  • File Hashes: MD5, SHA1, SHA256, PEHASH, IMPHASH
  • CIDR Rules
  • File Paths
  • MUTEX name
  • CVE number
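As an added example (not code from the original post), here is how a detection pipeline might match several of the indicator types listed above against normalized log events: exact IP matches, CIDR rules via the `ipaddress` module, domain matches that cover subdomains but not look-alike suffixes, case-insensitive SHA-256 comparison, and mutex names. All feed values and events are constructed placeholders, using RFC 5737 documentation addresses and a `.test` domain.

```python
import ipaddress

# Constructed threat-feed indicators (placeholder values, not a real feed): RFC 5737
# documentation addresses, a .test domain and the SHA-256 of an empty file.
FEED = {
    "ip": {"203.0.113.45"},
    "cidr": {"198.51.100.0/24"},
    "domain": {"bad-example.test"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "mutex": {"Global\\ExampleLockerMutex"},
}
# Constructed events, already normalized by source (proxy, EDR, sandbox).
EVENTS = [
    {"id": 1, "src": "proxy", "dst_ip": "203.0.113.45", "host": "cdn.example"},
    {"id": 2, "src": "proxy", "dst_ip": "198.51.100.77", "host": "update.example"},
    {"id": 3, "src": "proxy", "dst_ip": "192.0.2.10", "host": "mail.bad-example.test"},
    {"id": 4, "src": "edr", "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"id": 5, "src": "sandbox", "mutex": "Global\\ExampleLockerMutex"},
    {"id": 6, "src": "proxy", "dst_ip": "192.0.2.11", "host": "notbad-example.test"},
]

def compile_feed(feed):
    """Parse CIDR rules once and lower-case hashes/domains so comparisons are exact."""
    return {
        "ip": {ipaddress.ip_address(v) for v in feed.get("ip", ())},
        "cidr": [ipaddress.ip_network(v, strict=False) for v in feed.get("cidr", ())],
        "domain": {v.lower().rstrip(".") for v in feed.get("domain", ())},
        "sha256": {v.lower() for v in feed.get("sha256", ())},
        "mutex": set(feed.get("mutex", ())),
    }

def match_event(event, compiled):
    """Return a list of (indicator_type, indicator) hits for one event."""
    hits = []
    if "dst_ip" in event:
        ip = ipaddress.ip_address(event["dst_ip"])
        if ip in compiled["ip"]:
            hits.append(("ip", str(ip)))
        hits += [("cidr", str(net)) for net in compiled["cidr"] if ip in net]
    if "host" in event:
        host = event["host"].lower().rstrip(".")
        # the domain itself or any subdomain, but not a look-alike such as notbad-example.test
        hits += [("domain", d) for d in compiled["domain"] if host == d or host.endswith("." + d)]
    if "sha256" in event and event["sha256"].lower() in compiled["sha256"]:
        hits.append(("sha256", event["sha256"].lower()))
    if "mutex" in event and event["mutex"] in compiled["mutex"]:
        hits.append(("mutex", event["mutex"]))
    return hits

def scan(events, feed):
    """Map event id -> hits for every event that matched at least one indicator."""
    compiled = compile_feed(feed)
    return {e["id"]: h for e in events if (h := match_event(e, compiled))}
```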

Threat Descriptions

Understanding where attackers are coming from, the attack vectors they use and the toolsets they use are all valuable pieces of information.  Several syntax frameworks exist for describing cyber threat intelligence.  These solutions describe observables, indicators, incidents, tactics, exploit targets, courses of action, campaigns, and threat actors.

STIX Threat Architecture

Analytical Functions

Histograms, trend lines, and pie charts can quickly identify potential areas of interest.  I have been using Tableau Software to quickly visualize datasets in Vertica, MS-SQL, Excel, and Hadoop through API dataset extractions.  There are a myriad of security-related use cases that benefit from these analytical techniques.  Some questions can be answered simply by knowing your averages and running totals for things such as:

  • Abnormal account activity
  • System access
  • Network usage
  • Disk usage
  • Methods of access
  • Location of Access

After spending several months studying data analytics with the University of Washington, here is a compilation of methods used to understand and gain insight from data:

  • Machine Learning
  • K-nearest neighbors
  • Supervised & Unsupervised learning
  • Inductive Logic
  • Audio analytics
  • Photo & Video Analytics
  • Predictive
  • Pearson - Identify Correlations
  • Sentiment Analysis
  • Geospatial - Location details
  • Bayesian
  • User Application Interaction Behavior
  • User Command Behaviors
  • User Keyboard Behaviors
  • Weekly/Monthly Process
  • User/Application/Destination Pairings
  • East/West Traffic Analysis
  • File/System/Network Service Use
  • Identify Users vs. computers
  • Event Correlation

Mitigating Ransomware through User Behavior Analytics

Through user behavior analytics, several organizations have been developing interesting ways to identify and respond to ransomware outbreaks in the environment.  We’ve been parachuting in and leveraging our complimentary Unstructured Data Risk Assessments to identify when a user is modifying an excessive number of files in a short period of time; this is a strong indicator of a ransomware infection.  By identifying the accounts spreading the infection, especially in an automated fashion, the outbreak can be significantly curtailed.
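The following is an added example, not code from the post or from any assessment tooling it mentions, that ties together the per-account baselines from the Analytical Functions section and the file-modification burst detection described above. It builds a constructed file-server audit log (three normal days, then one account rewriting 300 files in about four minutes), counts modifications per account per five-minute window, derives each account's own baseline (mean plus three standard deviations, with an absolute floor so a quiet baseline does not fire on trivial counts), and returns the accounts an automated response would contain. All account names, paths and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASELINE_UNTIL = datetime(2016, 5, 19)   # history before this date is "normal"

def build_sample_events():
    """Constructed audit events (not real data): (timestamp, account, path)."""
    base = datetime(2016, 5, 16, 9, 0)
    events = []
    for day in range(3):                          # three normal working days
        for hour in range(8):                     # one edit per account per hour
            ts = base + timedelta(days=day, hours=hour)
            events.append((ts, "alice", f"/share/finance/q{hour}.xlsx"))
            events.append((ts + timedelta(minutes=20), "bob", f"/share/eng/spec{hour}.docx"))
    burst = base + timedelta(days=3, hours=2)     # day four: ransomware-like burst
    events.append((burst, "alice", "/share/finance/q9.xlsx"))
    for i in range(300):
        events.append((burst + timedelta(seconds=0.8 * i), "bob", f"/share/eng/doc{i}.docx.locked"))
    return sorted(events)

def window_counts(events, window_minutes=5):
    """Count modifications per account in fixed time windows."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, account, _ in events:
        bucket = ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % window_minutes)
        counts[account][bucket] += 1
    return counts

def detect_bursts(events, baseline_until, window_minutes=5, floor=50, sigmas=3.0):
    """Flag windows where an account exceeds both the absolute floor and
    mean + sigmas * stddev of its own pre-baseline window counts."""
    alerts = []
    for account, buckets in window_counts(events, window_minutes).items():
        history = [n for b, n in buckets.items() if b < baseline_until]
        mu, sd = (mean(history), pstdev(history)) if history else (0.0, 0.0)
        threshold = max(floor, mu + sigmas * sd)
        for bucket, n in sorted(buckets.items()):
            if bucket >= baseline_until and n > threshold:
                alerts.append((account, bucket, n, round(threshold, 1)))
    return alerts

def accounts_to_contain(alerts):
    """Accounts whose sessions and share access the automated response should disable."""
    return sorted({a[0] for a in alerts})

if __name__ == "__main__":
    found = detect_bursts(build_sample_events(), BASELINE_UNTIL)
    for account, bucket, n, thr in found:
        print(f"{bucket:%Y-%m-%d %H:%M} {account}: {n} modifications (threshold {thr})")
    print("contain:", accounts_to_contain(found))
```

In production the history should be long enough to cover each account's weekly rhythm, and the floor should be tuned per file server so that legitimate bulk jobs (backups, migrations) are whitelisted rather than contained.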

Today’s threat landscape requires a different set of security countermeasures.  Threat intelligence provides tremendous value: it is constantly updated and shared, and it provides a hive mentality that the good guys have been missing.  This, in conjunction with the use of data analytics, is allowing organizations to keep pace with the volume, variety and velocity of attacks occurring daily.  User behavior analytics is proving to be a powerful security weapon.
