Security Vision
In today's digital world, cyber security is a top priority for organisations of all sizes. The growing number of attacks, the increasing sophistication of attacker tactics and the shortage of skilled professionals pose non-trivial security challenges. Traditional defences based on static rules and signatures are often ineffective against new, atypical threats. This is where User and Entity Behaviour Analytics (UEBA) comes to the rescue: it combines behavioural analytics with auxiliary engines (correlation rules, mathematical statistics methods) to detect anomalies in the actions of users and of the various systems they interact with. In this article we take a closer look at how UEBA helps combat atypical attacks, and give real-world attack examples and detection scenarios using Security Vision UEBA as an example.
Figure 1 - Mechanism of UEBA operation
UEBA core capabilities
UEBA is based on analysing the behaviour of users and entities (such as systems, devices, applications, accounts, processes) to identify anomalies. Using machine learning and mathematical models, such systems generate baseline profiles of normal behaviour and compare them to current actions, identifying potential threats.
Figure 2 - ML model interaction diagram
The main capabilities of UEBA include:
1. Incident Prioritisation: UEBA systems help relieve the burden on security analysts by automatically highlighting the most critical incidents, allowing analysts to focus on the most significant threats.
Figure 3 - Incident Prioritisation
2. Threat Detection: UEBA can detect complex and atypical attacks, including credential compromise, insider threats and external attacks.
Figure 4 - General incident card with accumulation of events
3. Incident Investigation: By combining event data with contextual information, UEBA simplifies incident investigation and speeds up the response process.
Figure 5 - Single Investigation and Response Tool (Graph)
4. Incident Response: By providing detailed information about the affected areas, UEBA facilitates prompt and effective response to attacks.
Scenarios for using UEBA to detect attacks
User credential compromise
Credential compromise is one of the most common threats in today's cyberspace. Attacks such as phishing, pass-the-hash or brute-force techniques aim to capture user credentials. An example of such an attack is the Uber incident in 2016, where hackers obtained credentials through phishing and used them for unauthorised logins. UEBA can detect such actions as deviations from normal user behaviour, such as logging in from an unusual IP address or attempting to access data that the user has not previously requested.
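The per-user baseline described above, as an added illustration that is not Security Vision's code: a small profile of each user's usual source IPs, resources and logon hours is learned from constructed sample logon events, and a new logon is scored by how many of those baseline properties it violates (the sample data, field layout and the two-sigma hour threshold are assumptions for the example).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of successful logon events: (ISO timestamp, user, source IP, resource).
# A real learning window would span weeks; a handful of rows keeps the example runnable.
BASELINE = [
    ("2024-03-04T09:02:00", "alice", "10.1.4.20", "crm"),
    ("2024-03-04T10:15:00", "alice", "10.1.4.20", "mail"),
    ("2024-03-05T08:55:00", "alice", "10.1.4.21", "crm"),
    ("2024-03-06T09:30:00", "alice", "10.1.4.20", "crm"),
    ("2024-03-04T13:00:00", "bob", "10.2.7.5", "erp"),
    ("2024-03-05T14:20:00", "bob", "10.2.7.5", "erp"),
    ("2024-03-06T12:45:00", "bob", "10.2.7.6", "mail"),
]

def hour_of(ts):
    """Hour of day from an ISO-8601 timestamp string."""
    return int(ts[11:13])

def build_profiles(events):
    """Per-user baseline: IPs, resources and logon hours seen during the learning window."""
    profiles = defaultdict(lambda: {"ips": set(), "resources": set(), "hours": []})
    for ts, user, ip, resource in events:
        p = profiles[user]
        p["ips"].add(ip)
        p["resources"].add(resource)
        p["hours"].append(hour_of(ts))
    return profiles

def score_event(profiles, event):
    """Return the deviations of one logon from the user's baseline (empty list = normal)."""
    ts, user, ip, resource = event
    p = profiles.get(user)
    if p is None:
        return ["unknown_user"]          # no baseline at all: investigate separately
    reasons = []
    if ip not in p["ips"]:
        reasons.append("new_ip")
    if resource not in p["resources"]:
        reasons.append("new_resource")
    # Logon hour more than two standard deviations from the user's mean (sigma floored at 1h).
    mu, sigma = mean(p["hours"]), max(pstdev(p["hours"]), 1.0)
    if abs(hour_of(ts) - mu) > 2 * sigma:
        reasons.append("unusual_hour")
    return reasons

def severity(reasons):
    """Several independent deviations at once are what make a logon worth prioritising."""
    return "high" if len(reasons) >= 2 else "medium" if reasons else "none"
```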
Figure 6 - Attack Scenario - Illegitimate logon to a Linux server with an enterprise system from the guest segment
Attacks on privileged users
Privileged accounts, such as administrators or database operators, are an attractive target for attackers because of their high level of access to critical systems. In 2021 there were several attacks on companies using SolarWinds, where attackers were able to obtain privileged user credentials and use them for lateral movement within the network. UEBA helps detect such attacks by analysing privileged users' activities and identifying anomalous operations, such as attempting to access uncharacteristic systems or executing unusual commands.
Attacks on executive assets
Senior executives, such as CEOs and CFOs, are often the target of attacks aimed at stealing sensitive data or committing financial fraud. In 2018 there were several incidents where attackers used phishing to get executives to approve large financial transfers. UEBA can detect such attacks by monitoring the activity of executives' assets and signalling suspicious activities, such as accessing systems after hours or attempting to transfer large sums to unknown accounts.
Figure 7 - Attack Scenario - Phishing
Insider Threats
Insider threats represent one of the most difficult attack categories to detect. In 2017, a Bupa employee illegally copied and sold personal customer data using his legitimate credentials. UEBA enables detection of such threats by analysing user behaviour and detecting actions outside of their normal activities, such as bulk copying of data or attempts to transfer data to external resources.
Examples of using UEBA to prioritise and investigate incidents
Account Lockout
Account lockout is a frequent incident that can be caused by either user error or hacking attempts. In large organisations, investigating the cause of a lockout can take a significant amount of time. UEBA can automate this process by quickly determining whether a lockout is the result of an error or signals compromised credentials.
Creating new accounts
The creation of new accounts can be used by attackers to gain a foothold in the network after the initial breach. For example, in the case of the 2013 attack on Target, attackers used compromised access to create new accounts and secure long-term access to the company's network. UEBA is able to monitor such events and identify anomalies in the account creation process, signalling a potential attack.
Account Sharing
Sharing credentials between employees is a security policy violation that can lead to data breaches or other incidents. For example, in the case of Capital One Bank in 2019, unauthorised access was gained through an account that multiple employees had access to. UEBA helps identify instances of credential sharing and respond to such breaches in a timely manner.
Examples of attacks detected by UEBA
DLL Hijacking and DLL Sideloading
These attack techniques involve replacing legitimate DLLs with malicious ones, or placing a malicious DLL where a legitimate application will load it, allowing attackers to gain control of the system. One of the most famous cases of this technique was the Kaseya hack in 2021, when the REvil ransomware used DLL sideloading to distribute malware. UEBA can help detect such attacks by monitoring the loading of rare or unusual libraries, especially if they are loaded into system processes.
Lateral movement through named pipes
Attackers often use named pipes to move covertly within a network and escalate privileges. An example of such an attack is the Cobalt Strike tool, which actively uses named pipes for lateral movement. UEBA can detect such attacks by building profiles of normal system behaviour and identifying deviations, such as the creation of rare or unusual named pipes.
Suspicious calls to external domains
Attackers often use legitimate web services, such as Pastebin or GitHub, to pass commands to and control malware. An example of this activity is using Pastebin to store C&C commands that compromised systems then retrieve. UEBA helps to detect such attacks by monitoring accesses to rare or suspicious domains, especially if they come from users who do not normally access such resources.
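The three detections above (rare DLL loads, rare named pipes and rare external domains) share one idea: a value is suspicious when few entities in the population have ever exhibited it and it is new for the entity now showing it. The following added example, not Security Vision's code, implements that population-rarity check over constructed observations; the sample values, the 0.66 threshold and the (entity, type, value) layout are assumptions.

```python
from collections import defaultdict

# Constructed baseline observations over the learning window: (entity, event type, value).
# DLL loads and pipes are keyed by host, domain accesses by user.
BASELINE = [
    ("host-01", "dll_load", "C:\\Windows\\System32\\kernel32.dll"),
    ("host-02", "dll_load", "C:\\Windows\\System32\\kernel32.dll"),
    ("host-03", "dll_load", "C:\\Windows\\System32\\kernel32.dll"),
    ("host-01", "pipe", "\\\\.\\pipe\\lsass"),
    ("host-02", "pipe", "\\\\.\\pipe\\lsass"),
    ("host-03", "pipe", "\\\\.\\pipe\\lsass"),
    ("alice", "domain", "mail.example.com"),
    ("bob", "domain", "mail.example.com"),
    ("carol", "domain", "mail.example.com"),
    ("carol", "domain", "pastebin.com"),
]

def build_index(events):
    """Map each (type, value) to the entities it was seen on, and each type to its population."""
    seen_on = defaultdict(set)
    population = defaultdict(set)
    for entity, etype, value in events:
        seen_on[(etype, value)].add(entity)
        population[etype].add(entity)
    return seen_on, population

def rarity(seen_on, population, etype, value):
    """Fraction of the population that has never exhibited this value: 1.0 = never seen anywhere."""
    total = len(population[etype]) or 1
    return 1.0 - len(seen_on.get((etype, value), ())) / total

def assess(seen_on, population, entity, etype, value, threshold=0.66):
    """Alert when the value is rare across the population AND new for this particular entity."""
    r = rarity(seen_on, population, etype, value)
    new_for_entity = entity not in seen_on.get((etype, value), set())
    return {"rarity": round(r, 2), "new_for_entity": new_for_entity,
            "alert": r >= threshold and new_for_entity}
```

Ranking alerts by the rarity value gives the incident prioritisation the article describes; a value seen on every host scores 0 and never fires, however often it occurs.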
Conclusion
User and Entity Behaviour Analytics (UEBA) technologies provide powerful tools for detecting, investigating and responding to today's cyber threats, and in the Security Vision platform this mechanism is enhanced with all the benefits of a SOAR system. Unlike traditional rule-based and signature-based security methods, UEBA uses behavioural analytics to detect anomalies, enabling more effective detection of atypical attacks such as credential compromise, attacks on privileged users and insider threats. Examples of real-world attacks, such as the use of DLL hijacking techniques or lateral movement through named pipes, demonstrate the importance and necessity of incorporating UEBA into modern security systems. With the ever-increasing sophistication of cyber threats, UEBA is becoming a key element in ensuring the robust defence of corporate networks.