Detect Unusual Behavior of Users, Entities, and Respond

Abstract

Category: Data Enrichment and Threat Intelligence, Analytics and SIEM

Cyware Products Used:

  • Respond

  • Orchestrate

Third-Party Integrations Used:

  • Exabeam: User and Entity Behavior Analytics (UEBA) solution to detect abnormal and risky behavior by users, machines, and other entities on the corporate network.

Problem Statement

User and Entity Behavior Analytics (UEBA) solutions use analytics and advanced technologies to discover abnormal and risky behavior by users, machines, and other entities on the corporate network. The alerts created by UEBA solutions are considered highly critical because they are correlated with data from the Security Information and Event Management (SIEM) solution to produce analytics-based alerts. Hence, security teams must act upon UEBA alerts as quickly as possible.

Solution

The solution is to use Orchestrate playbooks to automate the response process. Consider an example where the compromised credentials of an insider are used by an attacker to infiltrate an organization and compromise a privileged user account or trusted host on the network. UEBA helps to rapidly detect and analyze the malicious activity that the attacker carries out via the compromised account. Furthermore, the solution allows security teams to automatically block the compromised user account in Active Directory and the malicious IP address on the firewall.

[Figure: Detect Unusual Behavior of Users, Entities, and Respond workflow diagram]

How do we solve this problem?

Consider an example where the compromised credentials of an insider are used by an attacker to infiltrate an organization and compromise a privileged user account or trusted host on the network. The attacker uses the compromised credentials to log in to the VPN from Ukraine. Exabeam UEBA records this as malicious activity and onboards the incident to Respond.

  1. Retrieve UEBA Alerts: The playbook starts by retrieving the latest UEBA alerts from the Exabeam application and formats the data to onboard the alert as an incident in Respond. Any preferred UEBA tool can be used in place of Exabeam.

  2. Query SIEM: The playbook also queries the SIEM tool for more details about the alert. For the compromised insider credentials example, the playbook retrieves important details such as the source IP address and location.

  3. Verify User Details in CMDB: The detected insider credentials are sent to Active Directory to determine whether the user is a VIP user, an active user, or an inactive user.

  4. Create CFTR Incident: The alert is onboarded as an incident in Respond, and the details retrieved from the SIEM and CMDB are added to the incident notes. The incident is kept ready for manual review by analysts. While the analyst performs a manual review of the incident, the playbook also performs the following response and remediation actions.

  5. Block IP on Firewall: The playbook automatically blocks the identified source IP address and location on the firewall to ensure the attacker is denied access to the network.

  6. Reset Compromised Credentials: The playbook also sends a request to Active Directory to reset the compromised credentials and terminate the user session associated with them. This ends any sessions the attacker has established using the compromised credentials.

  7. Notify Supervisor: The playbook drafts an email with the compromised user details and notifies the immediate supervisor.
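The seven steps above, as an added example written for this page (not Cyware's or Exabeam's code): the UEBA alert, SIEM event and directory records are constructed in-memory stand-ins for the real connectors, and the home-country list, severity rule and internal-network ranges are assumptions.

```python
"""Toy orchestration of playbook steps 1-7. Written for this page, not Cyware's or
Exabeam's code: every connector is replaced by a constructed in-memory record so the
decision logic runs offline; a real playbook would call the vendor APIs instead."""
import ipaddress
from dataclasses import dataclass, field

# Constructed UEBA alert, shaped loosely like the VPN-from-abroad example in the text.
UEBA_ALERT = {"id": "ueba-0001", "user": "jdoe", "risk_score": 92,
              "rule": "Abnormal VPN login country"}
# Constructed SIEM enrichment keyed by alert id (step 2).
SIEM_EVENTS = {"ueba-0001": {"src_ip": "203.0.113.45", "country": "UA"}}
# Constructed directory lookup (step 3): status is VIP, Active or Inactive.
AD_USERS = {"jdoe": {"status": "VIP", "manager": "m.lee@example.com"}}
# Assumed internal ranges: a block rule for these would cut off our own network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Incident:
    alert_id: str
    user: str
    severity: str
    notes: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def run_playbook(alert, siem_events, ad_users, home_countries=("US",)):
    """Enrich the alert (steps 2-3), open the incident (4) and queue responses (5-7)."""
    evt = siem_events.get(alert["id"], {})
    user = ad_users.get(alert["user"], {"status": "Unknown", "manager": None})
    # Assumption: VIP accounts and high-scoring alerts open as High severity.
    severity = "High" if user["status"] == "VIP" or alert["risk_score"] >= 90 else "Medium"
    inc = Incident(alert["id"], alert["user"], severity)
    inc.notes.append(f"UEBA: {alert['rule']} (risk score {alert['risk_score']})")
    inc.notes.append(f"SIEM: src_ip={evt.get('src_ip')} country={evt.get('country')}")
    inc.notes.append(f"AD: status={user['status']}")
    if user["status"] == "Inactive":
        inc.notes.append("Login from an inactive account: treat as compromised")
    # Step 5: block the source IP on the firewall, unless it is one of ours.
    src_ip = evt.get("src_ip")
    if src_ip and evt.get("country") not in home_countries:
        if is_internal(src_ip):
            inc.notes.append(f"Skipped firewall block for internal IP {src_ip}")
        else:
            inc.actions.append(("block_ip", src_ip))
    # Step 6: reset the credentials and end every session that uses them.
    inc.actions.append(("reset_credentials_and_sessions", alert["user"]))
    # Step 7: notify the supervisor recorded in the directory, if any.
    if user["manager"]:
        inc.actions.append(("notify_supervisor", user["manager"]))
    return inc
```

Steps 5 to 7 are queued as actions rather than executed so the analyst's manual review in step 4 can proceed in parallel, as the text describes.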

Benefits

Defend Against IoT-Related Threats

Organizations deploy large fleets of IoT devices, often with minimal or no security measures. Attackers target IoT devices and use them to steal data or gain access to other IT systems. UEBA solutions can track connected devices, establish a behavioral baseline for each device or group of similar devices, and immediately detect if a device is behaving outside its regular boundaries. Additionally, security teams can block these threats using the proposed solution.

Detect Attacker Lateral Movement

Attackers tend to move through a network using different IP addresses, credentials, and machines to compromise sensitive data or assets. UEBA and SIEM solutions work together to identify the lateral movement of attackers on the network. With the additional context provided by detection, security teams can respond effectively and stop the attacker from gaining additional access to the network.

Improved Defense

By integrating UEBA and SOAR capabilities, security teams can proactively detect and respond to complex security events and perform automated behavioral profiling while also enabling IT and security systems to mitigate incidents.