According to a survey, 25% of internal security incidents are attributed to information disclosure. Attackers, merely through information disclosure, without needing to resort to measures with obvious patterns, like password cracking, can further acquire sensitive information about users and enterprises. It should be noted that this kind of attack method has a high degree of anonymity, rendering pattern-based network traffic analysis and terminal security log analysis fruitless. Combining user entity behavior analysis (UEBA) with dissection of network traffic logs and terminal security logs, we can identify abnormal behaviors, associate the behaviors with attack alerts, and present readable threat event analysis, offering users a new approach to discovering stealthy threats.
“Butterfly Effect” of Information Disclosure
In the Internet + knowledge share era, the network is flooded with all sorts of information that can be easily collected by malicious attackers for exploitation. For individuals or enterprises, information disclosure tends to cause the “butterfly effect”. More often than not, attackers collect various types of information via social engineering before launching persistent attacks, possibly compromising a slew of assets. During a penetration test, we found a vulnerable interface via a code audit. Repeatedly invoking this interface, we obtained a lot of user passwords for access to common services, O&M services, and other sensitive services.
In addition to social engineering by external attackers, insiders like employees, contractors, partners, and suppliers with direct or indirect access to enterprise assets can also initiate attacks, for different reasons like carelessness-induced abuse, malicious operations, work conflicts, psychological satisfaction, and external inducement. These insider threats are especially difficult to detect. Therefore, during security operations, you need to have a good grasp of security defects in the system.
- Access not differentiated among accounts: As for account management, users with access to different services should be assigned different privileges and access scopes. Otherwise, improper privilege management or access scope misconfiguration (for instance, a common user has access to certain core assets) may introduce security risks. In addition, monitoring means should be differentiated among user roles.
- Business convenience placed above system complexity: As multiple business systems overlap each other, many necessary protection measures are given up for the sake of ease of use. In this case, inter-system lateral movement may bring security risks as one compromised system may affect others.
- Information sharing making way for effective communication: Knowledge bases built for information sharing, like wiki, inevitably involve sensitive information and sometimes even store data in plaintext. These bases, once exposed, may incur great security risks. Therefore, sensitive information must be securely kept and placed under security protection.
- Security policies in place for overall network monitoring but difficult to implement due to limited cost: For an enterprise with a large number of assets, it is an extremely challenging task to ensure effective monitoring for organization-wide user behaviors and asset activities, including remote login attempts of all users, access to sensitive information, and email reception by multiple IP addresses.
Attackers could leverage these defects to break system protections. Once infiltrating the system, attackers will conduct malicious activities by stealth for further penetration, posing serious consequences.
The “People-Asset-Behavior-Mitigate” protection framework, though not necessarily ensuring 100% security, can help users implement closed-loop security operations. In addition to providing fine-grained asset information, this framework, by integrating terminal monitoring and network traffic monitoring, provides in-depth behavior analysis of users and entities and correlates abnormal behaviors, threat incidents, and user identities. Also, this framework detects information disclosures and the resulting harm and handles the risks in time.
- Personnel management: Exercise security management for enterprise personnel and external personnel interacting with the enterprise, including employee identity confirmation (such as clearing information of resigned employees and undertaking background checks on to-be-hired employees) and account privilege management. Also, security awareness training and vetting should be conducted for employees and suppliers. Strict access control policies should be worked out for different services, systems, accounts, and personnel.
- Asset management: Determine the asset scope and identify key data and services, asset hazards, and their correlations. Some knowledge bases for information sharing may contain sensitive information. However, these bases, due to lack of information review mechanisms, are vulnerable to sensitive information disclosure that may lead to compromise of critical assets, jeopardizing the service quality.
- Behavior analysis: Complicated and elusive threats, though often with few attack signatures, still leave traces of abnormal access. Combining user behavior analysis and the defined access policies, this framework monitors the behavior process for anomaly discovery and analysis. High-quality access policies should fit in perfectly with customer’s business and provide fine-grained controls. Otherwise, real anomalies may be drowned out by a substantial number of false positives.
- Mitigation measures: Deal with malicious behaviors and educate careless personnel committing malicious behaviors. During offensive/defensive drills, improve the emergency handling capability and service recovery capability to reduce the Recovery Time Object (RTO) and Recovery Point Object (RPO).
User/Entity Behavior Analytics (UEBA)
Generally, the commonality among various types of insider threats is a deviation from the normal behavior of users/assets or their counterparts. Such deviation may result from fraud or malicious activities. Entity behaviors, especially malicious attacks against users, devices, system accounts, and privileged accounts, though less common, tend to persist over a long period of time and can finally be spotted. Therefore, it is possible to discover threats with good concealment and insider threats.
The key to detection of insidious threats and insider threats is to correlate users’ or entities’ behaviors with the context. For detection of suspicious behaviors, we need to, in close alignment with the customer’s business, predefine a traffic baseline and conduct traffic auto-learning consistently for each user, device, application, privileged account, and shared account. Also, we will give a score to the threat severity and credibility of the discovered abnormal behaviors and present such information for the enterprise to focus on top threats and take precautions.
UEBA provides a rich set of security analysis capabilities that allow customers to identify and handle threats as early as possible to mitigate potential hazards and risks. The following figure is a typical application scenario of UEBA.
UEBA Case Analysis
On the basis of the data storage model that accesses network traffic, host logs, 4A logs, and device-generated alerts in a uniform format, UEBA, along with attack identification and pre-research capabilities, can implement fine-grained log screening and association and scenario-based rapid traceback, allowing users to easily learn abnormal behaviors from logs and grasp the overall situation. Finally, UEBA provides in-depth correlative analysis of threats and presents scenario-based attack event illustration, giving users a clear picture of threat incidents.
For example, repeatedly invoking an interface that is vulnerable to information disclosure, an attacker can obtain massive account information and then use the obtained accounts to log in to different sensitive systems and knowledge bases to acquire a lot of sensitive information. With the obtained sensitive information, the attacker can even directly log in to the core business system. Through in-depth correlation of UEBA’s abnormal behavior analysis with alerts on remote login to devices, we can have a clear scenario-based threat description for identification of attack behaviors.
 2020, Forrester Security & Risk Conference, Trust Is The Vulnerability: Stopping Insider Threats With Zero Trust