Automatically Detect Account Takeover Attacks and Respond Effectively

Abstract

Category: Analytics and SIEM, Data Enrichment and Threat Intelligence

Cyware Products Used:

  • Respond

  • Intel Exchange

  • Orchestrate

Third-Party Integrations Used:

  • Active Directory: To retrieve user and supervisor information for the account whose credentials were compromised.

  • Splunk SIEM: To identify hits on suspicious IOCs and retrieve the system and user logs.

  • Splunk UBA: To detect and notify compromise of privileged and regular accounts by external, malicious entities.

Problem Statement

Leaked or stolen credentials are the most common attack vector companies face, and they pose a critical risk to organizations. Once an attacker gets hold of stolen user credentials, they either sell them in the cybercrime underground or use them to compromise the organization's network. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, domain impersonation, and similar threats.

Solution

A common trace across various forms of account takeover threats is the deviation in the usual behavior of a user or an asset. This deviation indicates fraudulent or malicious activity, which acts as the key to detecting account takeover attacks using user entity and behavior analytics (UEBA) solutions.

Cyware offers an automated solution to detect and respond to account takeover attacks by combining UEBA solutions and Orchestrate playbooks.

Figure: Automatically Detect Account Takeover Attacks and Respond Effectively

How do we solve this problem?

  1. Detect UBA Alerts: The solution starts when the UBA solution raises an alert for a suspected account takeover attempt.

  2. Get Additional Details: The playbook also retrieves additional details of the attack such as system information, username, IP address, and hostname.

  3. Create Incident In CFTR: The playbook now collates the alert details from the UBA solution and creates an incident in Respond for investigation and response.

  4. Enrichment: The playbook performs the following enrichment and analysis to find out more details about the attack.

    1. Enrich User Details: The compromised credentials are sent to Active Directory to verify whether the compromised user's account is still active. The playbook also checks whether the compromised password meets your organization's password policy. The report from Active Directory is added to the Respond incident.

    2. Enrich IOCs: The IOCs identified in the alert are sent to Intel Exchange for enrichment. The enrichment results are updated to the Respond incident.

    3. Enrich using SIEM: The host details are sent to the Splunk SIEM tool to retrieve details such as hits on the IOCs and user access logs. These are used to determine whether the user has accessed any unauthorized data or performed any malicious activity. The details are added to the Respond incident.

  5. Risk Level: Based on the enrichment results, the playbook analyses the severity of the incident and assigns a risk level.

    1. Malicious: If the risk level is identified as malicious, then the playbook performs the following actions automatically.

      1. Resets the user credentials and disables the account in Active Directory.

      2. Blocks the IOCs on the Firewall and Proxy solutions.

      3. Collects the evidence and the compromise logs and updates the details of the Respond incident.

    2. Non-Malicious: If the risk level is identified as non-malicious, then the playbook performs the following actions.

      1. Updates the Respond incident with the learnings and closure comments and assigns it to an analyst for verification and closure.

      2. Closes the UBA alert.
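The decision logic of steps 4 and 5 above, modeled as an added example in Python. This is not Cyware code; the alert, the Intel Exchange verdicts, the Active Directory status and the Splunk hit counts are all constructed stand-ins for what the real integrations would return, and the risk rule (any IOC flagged malicious, or SIEM evidence of IOC hits plus unauthorized data access) is an assumed one.

```python
"""Toy model of the playbook's enrichment-driven triage (added example, not Cyware code).
All inputs are constructed stand-ins for UBA, Active Directory, Intel Exchange and Splunk data."""

# Constructed UBA alert: the details step 2 of the playbook would have pulled out.
SAMPLE_ALERT = {
    "username": "jdoe",
    "hostname": "WS-0421",
    "src_ip": "203.0.113.45",  # RFC 5737 documentation address, not a real indicator
    "iocs": ["203.0.113.45", "bad-login.example"],
}

# Constructed enrichment results standing in for the AD, Intel Exchange and Splunk replies.
SAMPLE_ENRICHMENT = {
    "ad_account_enabled": True,
    "ioc_verdicts": {"203.0.113.45": "malicious", "bad-login.example": "unknown"},
    "siem_ioc_hits": 3,  # number of log events matching the alert's IOCs
    "siem_unauthorized_access": True,
}


def assess_risk(enrichment: dict) -> str:
    """Return 'Malicious' or 'Non-Malicious' from the enrichment results (step 5).
    Assumed rule: an IOC flagged malicious by threat intel, or SIEM evidence of IOC hits
    combined with unauthorized data access, is treated as malicious; anything else
    goes to an analyst for verification."""
    ioc_flagged = any(v == "malicious" for v in enrichment["ioc_verdicts"].values())
    siem_evidence = enrichment["siem_ioc_hits"] > 0 and enrichment["siem_unauthorized_access"]
    return "Malicious" if ioc_flagged or siem_evidence else "Non-Malicious"


def plan_actions(alert: dict, enrichment: dict) -> list:
    """Translate the risk level into the playbook's response steps (5.1 and 5.2)."""
    actions = []
    if assess_risk(enrichment) == "Malicious":
        # Skip the AD step if the account is already disabled, so the playbook is idempotent.
        if enrichment["ad_account_enabled"]:
            actions.append(f"reset credentials and disable AD account {alert['username']}")
        # Block only the indicators Intel Exchange actually flagged, to limit collateral blocking.
        for ioc, verdict in enrichment["ioc_verdicts"].items():
            if verdict == "malicious":
                actions.append(f"block {ioc} on firewall and proxy")
        actions.append(f"collect evidence and logs from {alert['hostname']} into the Respond incident")
    else:
        actions.append("update Respond incident with learnings and assign to analyst")
        actions.append("close UBA alert")
    return actions
```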

Benefits

Respond Effectively to Attacks

The solution combines advanced threat intelligence automation and enrichment of high-fidelity threat intelligence data to enable analysts to respond effectively to targeted account takeover attacks.

Real-time Intelligence

The solution can proactively detect and respond to account takeover attacks by automatically collecting, aggregating, and analyzing data from a wide range of sources. This allows the solution to make informed decisions when defending against the threat.

Incident Learnings

The playbook not only helps the organization respond to account takeover threats but also captures the learnings from each incident so that long-term strategic controls can be put in place. This helps organizations defend against future attempts of this kind using the unique capabilities of the fusion center.