Mastering Defense and Understanding Offense: Approach of Detecting Abnormal Attack Behaviors

August 29, 2023 | NSFOCUS

In offensive and defensive exercises, attackers use a wide range of attack methods to achieve their objectives, from common techniques to complex multi-stage attacks. Phishing email is popular among attackers because it is the most commonly used and lowest-cost method. Attackers typically combine several techniques and forms of deception to send emails with malicious attachments or luring links that trick recipients into disclosing sensitive information or login credentials, or into performing malicious operations. Common channels for sending phishing emails include:

  • Mail servers set up by the attackers themselves without authorization
  • Mailbox accounts registered on public mail servers, or compromised internal mailbox accounts of the target organization

Because attackers constantly refine their strategies to trick users, traditional rule-based or signature-based detection methods can hardly keep up with dynamic, evolving phishing emails.

Enhancing Phishing Mail Protection with UEBA Technology

UEBA (User and Entity Behavior Analytics) technology provides a new method for phishing mail protection. UEBA baseline analysis establishes a legitimate working behavior pattern for a system or network: by observing and analyzing actual conditions, it defines normal system or network behavior as a benchmark. Behavior that deviates from this benchmark is then detected as anomalous or as a possible attack. The advantage of UEBA analysis is that it can accurately detect a variety of malicious attack techniques. It is highly automated and self-learning, continuously ingesting new network behavior data to improve its model, which means it can effectively detect unknown attacks.

Figure 1 User and Entity Behavior Analytics (UEBA)

UEBA on the NSFOCUS Intelligent Security Operations Platform (ISOP) establishes a benchmark by learning users’ behavior patterns and habits in daily email communication, taking email accounts and IP addresses as the analysis objects and collecting historical email communication data. It then monitors users’ email behavior dynamically in real time, detects anomalies that deviate from the normal behavior pattern, and sends alerts so that security operations teams can act in time to fend off phishing attacks.

Figure 2 Phishing Email Detection Process

UEBA Case Studies

Case 1:

In an attack and defense drill of a customer, the attacker side did the following actions:

1. The attacker side obtained the organization’s mailbox domain name through social engineering;

2. The attacker side crafted a phishing email luring the recipient to click a link and change the mailbox password, and forged the FROM field in the email header so that the sender address appeared to be an internal mailbox of the organization, making the recipient trust the email source;

3. The attacker side sent the pre-made phishing email to a recipient in the organization.

Fast Analysis and Response

The UEBA engine of NSFOCUS ISOP detected that this email activity deviated from the normal email behavior model learned from history and quickly generated a “Phishing Activity: FROM Header Forgery” alert. The defender side checked the alert on the ISOP platform and found, in the event details payload, that the domain suffix of the actual email sender did not match the suffix of the forged sender address, and that the email subject and body urged the recipient to change the mailbox password. These details confirmed it was a fraudulent phishing email.

The defender quickly responded to the incident and warned the recipient not to click on anything in this phishing email, preventing further spread of the attack and any subsequent harm from it.
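The check the defender made in Case 1 can be expressed as a comparison between the envelope sender’s domain and the domain claimed in the From header. This is an added example, not the ISOP engine’s own logic; the two messages and the internal domain `corp.example` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic). The first forges the From
# header to look internal while the envelope sender (Return-Path) is external.
FORGED_MSG = """\
Return-Path: <campaign@mail-relay.example.net>
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Your mailbox password expires today

Please change your password here: http://password-reset.example.net/
"""

LEGIT_MSG = """\
Return-Path: <helpdesk@corp.example>
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Scheduled maintenance

Mail service will be unavailable on Saturday from 02:00 to 03:00.
"""


def domain_of(addr_header):
    """Return the lowercased domain part of an RFC 5322 address header."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def check_from_forgery(raw, internal_domain):
    """Flag a message whose From header claims the internal domain while the
    envelope sender (Return-Path) belongs to a different domain."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    forged = from_dom == internal_domain.lower() and envelope_dom != from_dom
    return {
        "from_domain": from_dom,
        "envelope_domain": envelope_dom,
        "alert": "Phishing Activity: FROM Header Forgery" if forged else None,
    }


if __name__ == "__main__":
    for raw in (FORGED_MSG, LEGIT_MSG):
        print(check_from_forgery(raw, "corp.example"))
```

In production the envelope sender comes from the SMTP MAIL FROM transaction rather than a header the sender controls, and the rule is only a trigger that a baseline of historically seen sender/envelope pairs should refine.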

Case 2:

An internal account of a customer was stolen. The attacker used the compromised account to access sensitive system data and transfer it out.

Quick Alert, Block, and Retrospection

The UEBA engine of NSFOCUS ISOP detected abnormal behavior exceeding 5 times the historical baseline and generated an alert for the critical event. The customer’s security analysts quickly stopped the loss with one-click blocking and then performed a deep analysis of the incident by retracing the attack path.

Case 3:

In an attack and defense drill of a customer, the attacker side exploited a non-target system through a risky service port. Through it, the attacker side obtained a large number of user passwords, reused them against other internal systems, and obtained a large amount of sensitive information.

Accurate Behavior Analytics

UEBA of NSFOCUS ISOP immediately generated alerts and automatically notified the defender side when it detected the abnormal behavior of a user accessing a rarely used service port many times.
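The two baseline checks described in Case 2 (a daily count exceeding 5 times the learned baseline) and Case 3 (repeated access to a port rarely seen in the user’s history) can be implemented over a short learning window as shown below. This is an added example, not the ISOP engine’s implementation; the history, the current day and the thresholds are constructed.

```python
from collections import Counter
from statistics import mean

# Constructed per-day history for one user (the learning window), not real
# customer data: daily data-transfer count and hits per service port.
HISTORY = [
    {"transfers": 40, "port_hits": {443: 30, 445: 5}},
    {"transfers": 35, "port_hits": {443: 28}},
    {"transfers": 45, "port_hits": {443: 33, 445: 4}},
    {"transfers": 38, "port_hits": {443: 29}},
    {"transfers": 42, "port_hits": {443: 31, 445: 6}},
]
# Constructed current day: 5.75x the usual transfers, plus 37 hits on a port
# the user never touched during the learning window.
TODAY = {"transfers": 230, "port_hits": {443: 30, 6379: 37}}


def build_baseline(days):
    """Mean daily transfers and, per port, the fraction of days it was used."""
    port_days = Counter()
    for day in days:
        port_days.update(day["port_hits"].keys())
    n = len(days)
    return {
        "mean_transfers": mean(day["transfers"] for day in days),
        "port_frequency": {p: c / n for p, c in port_days.items()},
    }


def detect_anomalies(baseline, today, ratio=5.0, rare_freq=0.2, min_hits=10):
    """Flag a day whose transfer count exceeds `ratio` times the baseline, and
    ports seen on fewer than `rare_freq` of baseline days yet hit at least
    `min_hits` times today (a single stray hit is not worth an alert)."""
    alerts = []
    base = baseline["mean_transfers"]
    if base > 0 and today["transfers"] > ratio * base:
        alerts.append({"type": "volume", "value": today["transfers"],
                       "baseline": base, "factor": round(today["transfers"] / base, 2)})
    for port, hits in sorted(today["port_hits"].items()):
        if baseline["port_frequency"].get(port, 0.0) < rare_freq and hits >= min_hits:
            alerts.append({"type": "rare_port", "port": port, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(HISTORY), TODAY):
        print(alert)
```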
The UEBA engine of NSFOCUS ISOP uses behavior baseline analysis to monitor and analyze network behavior in real time. By comparing activity against the pre-set and self-learned baseline, the system identifies behavior that does not conform to expectations, covering both known and unknown attack behaviors. The UEBA engine protects organizations from abnormal behavior, helps them discover security weaknesses, and improves their overall security posture.