User behavior analytics is key to identifying nefarious use of insider credentials
Almost all data breaches involve use of legitimate logon credentials. Guarding against these “insider threats” requires the ability to detect when cybercriminals are using stolen credentials. Sadly, traditional network security tools are not effective in identifing or mitigating these threats. However, a new breed of user behavior analytics solutions has been designed for this specific purpose and is proving effective.
The expression “insider threat” usually conjures up images of rogue employees or criminally minded contractors or business partners that are authorized to access company data. But the term is also used in a much broader sense to mean any threat or attack that abuses the logon credentials or privileges of legitimate employees or other insiders.
It’s true that employees or other insiders can often be traced to a data breach. In addition to disgruntled or malicious individuals intentionally stealing information, security misconfigurations, negligence in following company policies, succumbing to phishing or social engineering attacks, or other unintentional acts often result in theft of sensitive information.
However, the largest and most damaging data breaches are generally at the hands of outside hackers, organized crime, opposing governments, competitors or hacktivists. While they are not insiders themselves, these criminals almost always depend on obtaining logon credentials belonging to insiders, especially those that have administrative privileges. The number one objective of a cybercriminal is to obtain logon credentials for individuals with access to sensitive data. Once that has been accomplished, the imposter poses as a privileged insider, penetrates the system and copies the information he’s after.
Whether by outsiders or from within, the unauthorized or negligent use of insider logon credentials and privileges are the common denominators in nearly all cybercrimes. Any associated hazard can be viewed as an insider threat.
Given this broader definition of insider threats, there are numerous activities related to the use of logon credentials and user activities that must be monitored to guard against cybercrime. Here are some of the more common behaviors that indicate the use of stolen credentials or other unauthorized and suspicious insider threats. A good user behavior analytics solutions will need to detect each of these:
* Suspicious geolocation sequence. Many users work from multiple remote locations, such as their homes, hotels, airport kiosks, satellite offices and customer locations. When accounts are used to logon from remote locations, enterprises need to determine if they are legitimate users or remote attackers who have managed to obtain valid user credentials. Monitoring the geolocation of each access attempt and validating it against what’s physically possible given the time elapsed since a connection from another location, as well as verifying what is normal behavior for the legitimate account owner is critical in determining if user credentials have been stolen and are being used by remote hackers.
* Compromised service account. Service accounts are used by operating systems and various applications to perform automated background tasks. These accounts, usually unmonitored, own high access rights and are under constant risk of attack and compromise. Their activity should be monitored to ensure they are not accessing systems they shouldn’t be, or transmitting data to unauthorized recipients, etc.
* Exfiltration attempts. Data exfiltration is a big concern in many organizations. Detecting data leaks has become more difficult as additional technologies and methods to transfer data emerge. Monitoring for abnormal user behavior such as accessing data that’s not normally dealt with by the user, or transmitting data to unusual destinations can detect data exfiltration attempts.
* Credential sharing. Studies show that more than 20% of employees share their passwords with someone else, even though it’s strictly against policy. Monitoring for simultaneous, remote, or unusual usage of user accounts can help detect and mitigate credential sharing.
* Snooping users. In search of sensitive or valuable data, rogue insiders and malicious outsiders scan corporate systems hoping to find and access information they can sell or use for their own gain. Detecting and investigating such unusual user behavior can ward off impending cybercrimes.
* Departing employee. Employees who are preparing to leave an organization may pose a security threat. Even though departing employees may carry a high risk of data exfiltration and even sabotage, very few tools can effectively monitor their actions and detect suspicious behavior. Security personnel need to implement solutions designed to specifically and automatically monitor the accounts of departing employees and raise alerts if their behavior is suspicious.
* Privileged account abuse. Since privileged accounts are the prize possession for cybercriminals, monitoring their use for unusual behavior is extremely important. Automated, remote or simultaneous access can indicate an insider threat, as can unusual login times, systems accessed, and data transmissions.
* Unauthorized third party access (business partners and other suppliers). Contractors, business partners, and other service providers often have access to sensitive corporate data. However, they are not usually subject to the same security practices and policies as the hosting enterprise. As a result, applications or devices may become infected with malware designed to steal logon credentials. It’s especially incumbent on the hosting enterprise to monitor the behavior of all third party users.
* Network misconfiguration. By monitoring normal user behavior, an anomalous act can often detect an improperly configured security setting. For example, if an employee accesses a system that’s outside of their normal work pattern, it often indicates a hole in the security policies or settings. Correcting the misconfigurations in a timely manner can prevent imminent and future attacks.
Detecting insider threats is essential in today’s environment and doing so calls for the diligent use of a number of cybercrime prevention techniques. Whether it’s a malicious employee or an outsider using compromised credentials, businesses must be on alert and maintain vigilant monitoring, focusing their attention internally on user behavior and suspicious activity to thwart potential insider attacks.
Fortscale is a provider of User Behavior Analytics security solutions for Fortune 2000 companies. Before founding Fortscale, Tendler was a lead agent of the 8200, the cyberwarfare division of the Israeli Defense Forces. He is a serial entrepreneur and a recognized expert in the fields of cybersecurity and threat intelligence.