Ken Paiboon 214.274.3436 ken@exabeam.com User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts Ken Paiboon 214.274.3436 ken@exabeam.com CONFIDENTIAL
“I personally apologize to each of you.” The Anthem Data Breach “…Attackers gained unauthorized access…” “…Information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data…” “…Believe it happened over the course of several weeks beginning in early December 2014…” “…contacted the FBI / retained Mandiant…” “I personally apologize to each of you.”
What do these letters really tell us? We’re not completely sure WHEN, HOW, or for HOW LONG we’ve been breached We weren’t able to detect the data breach until well after the fact DBA witnessed own credentials used to execute the queries An attacker obtained credentials that allowed for unauthorized access Due to either technology or personnel limitations we’re not able to figure out what happened so we asked Mandiant in to manually piece together the story of what happened
The Pervasive Data Breach Problem 224 100% Average number of days the attacker was resident …of Breaches involved stolen credentials 224 – Mandiant report 2014 100% -- Mandiant report 2013 59,746 – News accounts 100% 59,746 …of the time evidence of the attack was in log data 1% of all suspicious alerts generated over 8 month attack at Neiman Marcus
What do these numbers tell us? 1 2 3 We have to know what to look for We get too many alerts We don’t get the full picture
We are focused on the attack chain phases… Where most of our detection effort and money goes Some detection effort and money goes here (DLP) Source: FireEye Mandiant APT1 report (Feb 2013)
…instead of what enables each phase POSSIBLE CREDENTIAL USE Initial Recon Initial Compromise Establish Foothold Escalate Privileges Internal Move Laterally Maintain Presence Complete Mission POSSIBLE CREDENTIAL USE Hours Weeks or Months Hours Source: FireEye Mandiant APT1 report (Feb 2013) CONFIDENTIAL
User Behavior Intelligence is the missing layer of detection after perimeter defenses Employees use credentials to access IT systems to create business value. Attackers use credentials to access systems to steal the business value employees create. Attackers and employees have divergent goals resulting in different behaviors and access characteristics.
Defining a UBI Solution User Behavior Intelligence Solutions Learns and remembers normal credential access behaviors and characteristics and score what’s anomalous Provide information about what’s normal user behavior as context Assemble the data into user sessions (log-on to log-off) Keep “state” on the user across identity and internet address switches Attributes security alerts to the credential (user) that was in use on the system when the alert occurred Creates efficiencies in security operations Fits into CDM capability Security Related Behavior Manage Accounts for People and Services (Phase2)
Undetected Attack: South Carolina IRS 13 AUGUST Spear Phishing 27 AUGUST VPN in with stolen credentials At various stages of this attack, important anomalies went unnoticed: VPN access off hours VPN access from new device Unusual access to servers Crawling of sensitive servers Copy of large DB backups 29-11 AUG/SEPT Server & App Recon 12 SEPTEMBER File Data Theft 13-14 SEPTEMBER Exfiltration CONFIDENTIAL
Undetected Attack: South Carolina IRS 13 AUGUST Spear Phishing 27 AUGUST VPN in with stolen credentials At various stages of this attack, important anomalies went unnoticed: VPN access from new device VPN access from outside US Unusual access to servers Crawling of sensitive servers Copy of large DB backups 29-11 AUG/SEPT Server & App Recon 12 SEPTEMBER File Data Theft 13-14 SEPTEMBER Exfiltration CONFIDENTIAL
Undetected Attack: South Carolina IRS 13 AUGUST Spear Phishing 27 AUGUST VPN in with stolen credentials At various stages of this attack, important anomalies went unnoticed: VPN access off hours VPN access from new device Unusual access to servers Crawling of sensitive servers Copy of large DB backups 29-11 AUG/SEPT Server & App Recon 12 SEPTEMBER File Data Theft 13-14 SEPTEMBER Exfiltration CONFIDENTIAL
Undetected Attack: South Carolina IRS 13 AUGUST Spear Phishing 27 AUGUST VPN in with stolen credentials At various stages of this attack, important anomalies went unnoticed: VPN access off hours VPN access from new device Unusual access to servers Crawling of sensitive servers Copy of large DB backups 29-11 AUG/SEPT Server & App Recon 12 SEPTEMBER File Data Theft 13-14 SEPTEMBER Exfiltration CONFIDENTIAL
Using behavior modeling to determine – Is it anomalous? System automatically asks access context questions Peer Group User Org VPN Access Example ISP ISP ISP Custom Algorithms Applied IP GEO GEO GEO VPN Login Time To Realm To Realm From Device To Server To Server CONFIDENTIAL
Understanding Normal as Context is Critical SIEMs are not engineered to surface abnormal from normal Important for a learning engine To learn or not to learn – that is the question Accounting for divergent behavior -- to a point Know when to say, “I can’t make a determination.” Data distribution and amounts
Example of a Proven UBI Approach IT SECURITY MACHINE DATA LOG MANAGEMENT ERP CMDB Research + Community Insights HRMS ITMS ACTIVE DIRECTORY USER BEHAVIOR INTELLIGENCE Extract & Enrich Session Tracking Behavior Analysis Risk Engine + + + Risk Scoring Incident Ranking Attack Detection SCORE 75 CONFIDENTIAL
Solving the IRS Example Using UBI QUESTION ANSWER RISK ACTIVITY TIMELINE 8:29AM Has Jerry connected during the weekend? Has Jerry used this device to connect to the VPN in the past? Has Jerry previously entered network from abroad? Has Jerry previously entered network from Romania? NO +10 NO +10 YES -5 NO +20 RISK TRACKING Risk score = 35 9:15AM Has Jerry connected to this server in the past? (x4) Has Jerry’s file share contained sensitive information? (x2) Has Jerry’s peer group accessed this server in the past? NO +40 YES +10 NO +5 Risk score = 90 SCORE 95 10:30AM Has Jerry crawled file shares? NO +5 Risk score = 95
UBI Summary Focuses the security team on what attackers want and use—credentials Extracts additional value from existing SIEM and log management data repositories Learns and remembers ‘normal’ user behaviors for individuals and peer groups Prioritizes security risks based based on transparent scoring of user activity outliers and business role context Security events seen in context – reduces false positives Scales to hundreds of thousands of users Detects cyber attacks and insider threats in real time
Q&A Thank You! www.exabeam.com