Understanding Insider Threats with UEBA

Insider threats pose significant risks to your organization. According to the Verizon 2016 Data Breach Investigations Report, “the actions of insiders are among the most difficult to detect” and “the majority of these incidents are taking months or longer to discover.” The key to defending against this class of threats is to understand the who, the why, and the when. Let’s look at those critical elements and what you can do to protect yourself.

The Who: Potential Threat Actors Within Your Organization

Insider threats can be anyone who has access to a business system, including internal permanent staff, contractors, temporary staff, partners, and former staff. This means that everyone, including managers and executives, should be equally scrutinized.

To make matters more complicated, these individuals can intentionally or unknowingly assist external parties in conducting activities against your organization. The Australian Government's insider threat security handbook highlights two categories of employees who pose an insider threat:

  • The unintentional insider: “who inadvertently expose, or make vulnerable to loss or exploitation, privileged information, techniques, technology, assets or premises.”
  • The malicious insider: “who deliberately and willfully breach their duty to maintain the security of privileged information, techniques, technology, assets or premises.”

The vast number of suspects, as well as the fact that attacks can be committed intentionally or unintentionally, is among the reasons why insider threats are so difficult to detect. The good news is that you can add layers of intelligence to help you narrow down your area of focus.

The Why: Motivations for an Inside Threat Actor

Each attacker has their own motivations and reasons for their deviance, and there are many driving forces behind attacks. A few of the most common are described below.

Financial Gain

Financial gain has traditionally proven to be a leading factor behind many insider breaches. The financial gain can be small (such as a janitor selling a laptop on eBay to make a quick buck) or large (such as a lower-level staff member selling personally identifiable information (PII) on the dark web).

Business Gain

Typically, sensitive intellectual property (IP) is the target for those motivated by business gain. IP can be used to boost product offerings, eliminate a competitive advantage, or assist a bad actor in a business deal. Not only can an insider threat help a competitive organization, but it can also leave the targeted business with significant expenses, lost productivity, and a damaged reputation.

Revenge

A person can become disgruntled and seek revenge for many reasons. Such reasons include job dissatisfaction, perceived inequity, disagreements with co-workers, or a potential layoff.

Ideology

Political, religious, and social beliefs can also be strong motivations for insider threats.

The When: An Insider Attack Can Happen at Any Time

A malicious insider will understand the vulnerabilities of an organization, as well as how and when they can be exploited. An insider threat can easily blend into their normal working environment until just the right moment, especially if they opt for the stealthy low-and-slow approach. Some cases of espionage have stayed under the radar for months and even years.

Ways to Protect Yourself from Insider Threats

Fortunately, many of the activities performed by a malicious insider can be detected and stopped by using a layered security approach. This layered approach should include the usual security defenses, such as network forensics, SIEM, IDS, and endpoint detection. However, it should also include security awareness training, policy enforcement, and auditing. Often, companies that are breached by an insider threat have overlooked these security programs.

When facing insider threats, there are some points to consider when you are looking to heighten your security operations.

  • Data Management: Sensitive data stored on the internal network should be encrypted. Exfiltration of sensitive data to external USB drives should also be monitored.
  • Privileged User Monitoring: Privileged user access should be tightly controlled and monitored. Only those who absolutely need to view sensitive information and systems should be granted access. Shared account usage should be fully eradicated.
  • Physical Access Controls: Physical areas containing sensitive and valuable equipment should be locked down and only accessible by approved staff.
  • Active Change Control Policy: While a change control policy won’t prevent insider attacks, it adds a level of accountability and ensures an audit trail is available should an investigation be warranted.
  • System Logging: Logging from systems such as door access control systems, sensitive financial systems, high-value databases, mail servers, and directory service systems is imperative.
  • Employee Security Awareness: Enforcing regular security awareness training will help empower your staff to work with you to detect and report unusual or suspicious behavior. Employees are the first line of defense for an organization and can work to significantly reduce security risks.

Beyond these tips, advanced behavioral analytics can go a long way to helping you detect and respond to insider threats. LogRhythm recently released an updated version of our User Threat Detection Module. The module includes advanced User and Entity Behavior Analytics (UEBA) that works to detect insider threat activity, as well as helps track an attack progressing through the Cyber Attack Lifecycle stages.

Figure 1: Cyber Attack Lifecycle

Let’s look at an example of the User Threat Detection Module in action.

How LogRhythm Can Help Detect and Respond to Insider Threats

In this use case, I have created a privileged user with the username eanderson and added it as a trusted system administrator.

Figure 2: Populated Privileged User List

I then logged onto a server with the new account, modified account passwords, and did some other nefarious activities. Let’s walk through the use case as if I were a security analyst.

In the alarm viewer, I can see that AI Engine has detected the nefarious activity, initiating a high-priority progression alarm.

Figure 3: AI Engine Progression Alarm

A quick look into the alarm details revealed the privileged user in question, eanderson.

Figure 4: AI Engine Progression Alarm Details

A further drill down into the alarm displays the impacted users whose passwords were modified.

Figure 5: Drill Down Revealing Impacted Users

Now that I understood which users were impacted, I used the pivot feature to go backwards in time and see what other activity this user was up to. The pivot revealed further classification and common events, as well as other metadata that can be further investigated.

Figure 6: Pivot to Reveal Relevant Alarm Metadata and Common Events

At this point, I opened a case, then added all relevant artifacts and notes for my investigation. Back at the alarms tab, I was prompted with two additional alerts.

Figure 7: SOC Analyst Dashboard

I continued the investigation by selecting the next alarm in the timeline, with a risk rating of 97, which indicated that a number of files were deleted by an admin.

Figure 8: AI Engine Alarm

Alarm details revealed that the same user origin that modified the passwords also deleted sensitive files.

Figure 9: AI Engine Alarm Details Indicating User in Question

Fortunately, real-time File Integrity Monitoring provided me with extra visibility into common file system activities, and I was quickly able to establish which specific file system objects were deleted.

Figure 10: Drill Down Revealing Affected Files

To confirm my results and add further information to the case, I also jumped into the third and final AI Engine alarm. This progression alarm indicated a progression through the Cyber Attack Lifecycle from target attainment to exfiltration/corruption/disruption.

Figure 11: AI Engine Progression Alarm

The final drill down into the progression rule immediately showed me the two rules responsible for firing the progression rule, along with the ability to confirm the origin user that was the culprit of this malicious insider activity—eanderson, aka Elliot Anderson, aka Mr Robot.

Figure 12: Progression to Exfiltration/Corruption/Disruption Alarm Drill Down

Once I was able to confirm the identity of the malicious user, I automatically neutralized the insider threat and closed off the case.
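
The controls listed earlier (a privileged-user list, logging from directory services and file servers, File Integrity Monitoring) and the walk-through above are enough to sketch the detection logic as code. What follows is an added example, not LogRhythm's code and not the module's rule syntax: a small Python script that parses a constructed audit trail, applies two rules (a privileged account modifying several other accounts' passwords; the same account deleting several FIM-monitored sensitive files), and chains them into a progression alarm from target attainment to exfiltration/corruption/disruption. Only the username eanderson is taken from the post; the log format, field names, thresholds, paths, timestamps and the other usernames are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed trusted-administrator list (the post's use case adds eanderson to it)
# and a constructed File Integrity Monitoring scope of sensitive directories.
PRIVILEGED_USERS = {"eanderson", "svc_backup"}
SENSITIVE_PATHS = ("/srv/finance/", "/srv/hr/")

# Constructed, simplified audit trail: timestamp|event|origin_user|target.
SAMPLE_LOG = """\
2016-11-01T09:02:40|password_modified|eanderson|jdoe
2016-11-01T09:02:55|password_modified|eanderson|msmith
2016-11-01T09:03:10|password_modified|eanderson|rlee
2016-11-01T09:10:05|file_deleted|eanderson|/srv/finance/q3_forecast.xlsx
2016-11-01T09:10:07|file_deleted|eanderson|/srv/finance/payroll.csv
2016-11-01T09:31:00|password_modified|jdoe|jdoe
2016-11-01T10:15:00|file_deleted|svc_backup|/tmp/backup.lock
"""

# Constructed thresholds; a real deployment tunes these against its own baseline.
PASSWORD_WINDOW, PASSWORD_THRESHOLD = timedelta(minutes=10), 3  # distinct other accounts
DELETE_WINDOW, DELETE_THRESHOLD = timedelta(minutes=10), 2      # distinct sensitive files
PROGRESSION_WINDOW = timedelta(hours=1)                         # stage 2 following stage 1
STAGE_1, STAGE_2 = "target attainment", "exfiltration/corruption/disruption"

@dataclass
class Event:
    ts: datetime
    kind: str
    origin: str
    target: str

@dataclass
class Alarm:
    rule: str
    stage: str
    origin: str
    ts: datetime
    details: dict

def parse_log(text):
    """Parse the pipe-delimited trail into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, kind, origin, target = line.split("|", 3)
            events.append(Event(datetime.fromisoformat(ts), kind, origin, target))
    return sorted(events, key=lambda e: e.ts)

def _burst(events, window, threshold, key):
    """First sliding window holding >= threshold distinct keys -> {key: first_seen}, else None."""
    for i, start in enumerate(events):
        seen = {}
        for e in events[i:]:
            if e.ts - start.ts > window:
                break
            seen.setdefault(key(e), e.ts)
            if len(seen) >= threshold:
                return seen
    return None

def rule_bulk_password_changes(events):
    """Rule 1: a privileged account resets several other accounts' passwords in quick succession."""
    alarms = []
    for user in sorted(PRIVILEGED_USERS):
        evs = [e for e in events if e.kind == "password_modified" and e.origin == user and e.target != user]
        hit = _burst(evs, PASSWORD_WINDOW, PASSWORD_THRESHOLD, key=lambda e: e.target)
        if hit:
            alarms.append(Alarm("Privileged Account Modified Multiple Passwords", STAGE_1,
                                user, max(hit.values()), {"impacted_users": sorted(hit)}))
    return alarms

def rule_sensitive_file_deletions(events):
    """Rule 2: a privileged account deletes several FIM-monitored sensitive files in quick succession."""
    alarms = []
    for user in sorted(PRIVILEGED_USERS):
        evs = [e for e in events if e.kind == "file_deleted" and e.origin == user
               and e.target.startswith(SENSITIVE_PATHS)]
        hit = _burst(evs, DELETE_WINDOW, DELETE_THRESHOLD, key=lambda e: e.target)
        if hit:
            alarms.append(Alarm("Admin Deleted Sensitive Files", STAGE_2,
                                user, max(hit.values()), {"affected_files": sorted(hit)}))
    return alarms

def rule_progression(alarms):
    """Progression: the same origin user raises a stage-1 alarm, then a stage-2 alarm within the window."""
    out = []
    for a in (x for x in alarms if x.stage == STAGE_1):
        for b in (x for x in alarms if x.stage == STAGE_2):
            if a.origin == b.origin and timedelta(0) <= b.ts - a.ts <= PROGRESSION_WINDOW:
                out.append(Alarm("Progression: Target Attainment to Exfiltration/Corruption/Disruption",
                                 "progression", a.origin, b.ts,
                                 {"contributing_rules": [a.rule, b.rule], **a.details, **b.details}))
    return out

def analyze(log_text):
    """Run both base rules, then chain their alarms through the progression rule."""
    events = parse_log(log_text)
    alarms = rule_bulk_password_changes(events) + rule_sensitive_file_deletions(events)
    return alarms + rule_progression(alarms)

if __name__ == "__main__":
    for alarm in analyze(SAMPLE_LOG):
        print(f"[{alarm.ts:%H:%M:%S}] {alarm.rule} origin={alarm.origin} {alarm.details}")
```

Run stand-alone, the script raises three alarms for eanderson and none for the non-privileged self-service password change or the admin deleting a file outside the FIM scope. The progression alarm carries the drill-down data the walk-through relies on: the impacted users, the affected files, and the two contributing rules. The privileged-user list does the narrowing the post describes, and the time windows are what keep a single routine reset or deletion from alarming on its own.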

Detecting Insider Threats Is Simplified with LogRhythm

In this use case, I was able to stop Mr. Robot from wreaking havoc on my environment. This insider threat was quickly detected and neutralized by utilizing many pre-built features, including File Integrity Monitoring, privileged user and group lists, User Threat Detection Module, and a centralized web console.

If you are interested in learning more about stopping insider threats and detecting stolen accounts, download our UEBA Datasheet or read one of the blogs listed below!

-AC

More from Andrew Costis

  • Detecting the BlackNurse DDoS Attack with Network Monitor
  • Who is Listening in on Your Network?
  • User Threat Detection—There’s a Module for That
  • Friend or Foe? A Use Case on How to Detect an Insider Threat
  • A Practical Approach to Effective Security Analytics