Threat models based on user behavior analysis

    More and more researchers, and we agree with them, say that protection measures applied at the network perimeter (for example, data leak prevention (DLP) systems) are ineffective: they do not help to close a leak channel preventively, before the leak occurs.

    The reasons for this inefficiency are, first, business continuity requirements (Russian companies also have a historically established mindset: a reluctance to adopt a blocking mode of operation until false positives are reduced to practically zero, combined with the lag, in past years, of tools developed in the CIS behind those of foreign technology leaders, which rules out enabling leak prevention mechanisms and stops at their detection *), and second, that a leak is often detected either after it has already occurred, post factum, or never at all, which further worsens these statistics (and detection of attacks by standard means does not happen faster than an hour or more after a significant event is received), or at that moment,

    In the classification developed by Lockheed Martin to describe the stages of a developing or ongoing cyber attack, the stage at which the data leak occurs is called Exfiltration.

    In total, Lockheed Martin identified 8 different types of threats, distributed across the stages of their execution:

    Reconnaissance, Intrusion (penetration), Exploitation (exploitation of privileges / vulnerabilities), Misconduct (this stage includes 4 types of threats: Privilege escalation, Lateral movement (traversal or search), Obfuscation, Denial of service), Exfiltration.

    It is important to note that it is rarely possible to move to each subsequent stage immediately unless several factors favorable to the offender coincide. Examples of such factors: knowledge of the company's network structure, access to administrative privileges, an RDP port opened on the firewall for access to some server, an undocumented, deliberately left VPN channel, which is typical of insiders, or of hackers using information received from them.

    Of course, “Tracking” can occur both before and after a denial of service or the receipt of confidential information, and the last two can be carried out in parallel or independently of each other, in any order. In each particular case, the chain may lose one of its links, or be limited to only one type of threat, for example, in the actions of a malicious or simply reckless insider.

    What do we call threat models?

    Wouldn't it be great if, without any configuration on your part, the security system itself, using predictive threat models and automatically analyzing the behavior of entities (such as user and computer accounts) across the company's infrastructure, notified you of potential threats: from CryptoLockers and compromised service accounts to disloyal users? All of this can be detected, and every deviation in user behavior ** on the monitored resources can be reported.

    Using our experience, we can now save you from constant “manual” analysis of file access logs and of attempts to change privilege levels, and also make it possible to find out who is illegally reading someone else's mail, possibly even yours.

    Thus, threat models, in our understanding, are accumulated, ordered knowledge about the various stages, kinds and types of attacks, which can be used to respond quickly to each of the described threats without a lengthy preliminary analysis of access logs by specialists with extensive cybersecurity experience, and without subsequently tuning the event collection system to correlate by the criteria those experts specify (which is what security event collection and correlation tools, SIEM, offer us).

    * And it is a good outcome if the mechanism that detected the data leak bears no one's surname, only a product name and build number
    ** Hereinafter, by users we will in most cases mean entities such as user accounts and computers

    Why is it important?

    Threat models that use behavioral analysis make it possible to detect attacks quickly, at the early stages of their development, and provide context for more informed decisions, thanks to the collected metadata and information about what happened earlier and is happening now on your file and mail servers, in SharePoint, and in Active Directory or other LDAP directories, involving a specific user and others similar to him in previous behavior.

    Our advanced analysis of behavioral anomalies allows suspicious activity to be detected at each stage of a potential data leak: from initial reconnaissance to extraction of the data.

    In addition, the existing mechanisms make it possible not only to warn about the threats described above, but also, automatically, semi-automatically or manually, to prevent the transition to further stages of the attack chain, stopping it before the final stage, without the need to study each actual threat separately and build a profile for it (possibly missing unknown factors, or ones assumed to be insignificant) in the existing event recording and correlation mechanisms.

    Examples

    Here are some of the threat models most commonly used by our clients:

    Deviation from normal behavior: access to confidential data
    Exfiltration: May indicate an unauthorized attempt to gain access to assets containing confidential data. The user's actions are checked against his behavioral profile, and an alert is generated when a discrepancy is detected.

    Deviation from normal behavior: atypical access to Exchange mailboxes
    Exfiltration: May indicate an unauthorized attempt to use service privileges to gain access to other users' mailboxes. The user's actions are checked against his behavioral profile, and an alert is generated when a discrepancy is detected.

    Cryptovirus activity
    Intrusion: May indicate the presence of ransomware.

    Suspicious access: access to files containing access credentials for systems by an account of personnel outside the IT staff responsible for those systems
    Privilege escalation: May indicate an unauthorized attempt to obtain credentials for accessing systems, or to cause a denial of access to them.

    Modification: critical elements of Group Policy
    Exploitation of privileges / vulnerabilities: May indicate unauthorized attempts to gain access by changing policies or using privileged security groups. It may also indicate attempts to block users' access to systems, especially if the trigger fired when changes were made outside the established change control policy.

    Potential hacking software discovered
    Exploitation of privileges / vulnerabilities: May indicate attempts to install or use well-known hacker tools.

    Membership change: administrative groups
    Exploitation of privileges / vulnerabilities: May indicate an unauthorized attempt to gain access by adding an account to privileged groups, or to prevent administrators from responding promptly during an attack, especially if the change is performed outside the established change control policy.

    Disabling or deleting a service account or administrator account
    Exploitation of privileges / vulnerabilities: May indicate an unauthorized attempt to damage the infrastructure, block users' access to systems, or cover tracks after performing malicious actions, especially if the change is carried out outside the established change control policy.

    Multiple openings of files probably containing access credentials for systems
    Privilege escalation: May indicate an unauthorized attempt to collect credentials for accessing systems.

    Software used to analyze the network environment discovered
    Reconnaissance: May indicate the presence of unauthorized tools used to scan the corporate network, including for vulnerabilities.
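    An added example, not code from the original post or from any product it describes, that implements two of the threat models above in simplified form: deviation from an account's behavioral profile (access to a share or mailbox the account has never touched during the baseline period, which covers both the confidential-data and the atypical-mailbox models) and a burst of opens of files whose names suggest they hold credentials. The audit events, the path layout and the credential-name markers are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, not from the original post:
# (timestamp, account, action, resource); resources are /<kind>/<owner>/<object>.
BASELINE_EVENTS = [
    ("2024-03-01 09:00", "ivanov", "open", "/shares/sales/q1_pipeline.xlsx"),
    ("2024-03-01 09:10", "ivanov", "open", "/shares/sales/contacts.csv"),
    ("2024-03-01 09:12", "ivanov", "read", "/mailboxes/ivanov/inbox"),
    ("2024-03-01 22:00", "svc_backup", "read", "/shares/finance/ledger.db"),
]
RECENT_EVENTS = [
    ("2024-03-08 09:02", "ivanov", "open", "/shares/sales/q1_pipeline.xlsx"),
    ("2024-03-08 11:30", "ivanov", "open", "/shares/finance/board_minutes.docx"),
    ("2024-03-08 11:31", "svc_backup", "read", "/mailboxes/director/inbox"),
    ("2024-03-08 13:00", "ivanov", "open", "/shares/it/passwords_old.txt"),
    ("2024-03-08 13:01", "ivanov", "open", "/shares/it/vpn_creds.txt"),
    ("2024-03-08 13:02", "ivanov", "open", "/shares/it/secrets.kdbx"),
]
CREDENTIAL_MARKERS = ("password", "creds", "secret")  # assumed file-name heuristic

def resource_root(resource):
    """The share or mailbox an event touches: the first two path components."""
    return "/".join(resource.strip("/").split("/")[:2])

def build_profiles(events):
    """Behavioral profile: the set of roots each account normally accesses."""
    profiles = defaultdict(set)
    for _, account, _, resource in events:
        profiles[account].add(resource_root(resource))
    return profiles

def detect(baseline, recent, burst=3, window=timedelta(minutes=5)):
    """Return (account, model, detail) alerts for the two threat models."""
    profiles = build_profiles(baseline)
    alerts, seen, opens, burst_done = [], set(), defaultdict(list), set()
    for ts_str, account, action, resource in recent:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        root = resource_root(resource)
        # Model 1: deviation from the profile (confidential share, foreign mailbox)
        if root not in profiles[account] and (account, root) not in seen:
            seen.add((account, root))
            alerts.append((account, "deviation from profile", root))
        # Model 2: several opens of credential-looking files inside one window
        if action == "open" and any(m in resource.lower() for m in CREDENTIAL_MARKERS):
            opens[account] = [t for t in opens[account] if ts - t <= window] + [ts]
            if len(opens[account]) >= burst and account not in burst_done:
                burst_done.add(account)
                alerts.append((account, "credential file burst", f"{burst} opens in {window}"))
    return alerts
```

    Each (account, root) pair alerts only once, so an account that walks an entire unfamiliar share produces a single deviation alert rather than one per file.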
