Account hijacking takes place when your email address is the target of compromise by a criminal. The hacker then uses your compromised email account to impersonate you, the account owner. Your email account is linked to a number of online services including social networks and bank accounts. The hacker uses your credentials to retrieve your personal information and create new accounts, with the ultimate objective of performing transactions for financial gain. This happens very quickly. Before you know what is happening, your bank account has been drained or everyone connected to you on Instagram has received a request from someone posing as you to donate money to an illegitimate cause.
The most effective way to find accounts that have been hijacked is with User and Entity Behavior Analytics (UEBA). Why? Because as we’ve said before – you can steal an identity, but you can’t steal behavior.
Above all, the most common techniques hackers use to hijack accounts are phishing, password guessing, malware, malvertisements, and keystroke logging. Attackers also exploit vulnerabilities through attacks such as Pass-the-Hash (PtH), brute force and remote execution to gain access to user account credentials. Incredibly, phishing is still one of the most prevalent account hijacking techniques.
We live in a world where people are just used to clicking on things and feeling secure doing so. Attackers today are devising ingenious ways to encourage people to believe their email link is legitimate. It is highly unlikely that anyone reading this has never clicked on something at least once that they shouldn’t have.
There are four types of phishing tactics used in account hijacking. Each is an unconventional control that injects trust into email, versus reducing trust by educating users not to trust email. A phishing email taxonomy traditionally includes:
One of the Top 10 OWASP (Open Web Application Security Project) vulnerabilities is related to the ‘Broken Authentication and Session Management’ scenario. As a result, this is where hackers exploit Pass-the-Hash (PtH), Pass-the-Token (PtT), Brute Force and Remote Execution to gain access to user credentials (passwords and hash). Such attacks undergo detection using the underlying UEBA machine learning algorithms. They provide inspection on various parameters like timestamp, location, IP, device, transaction patterns, high-risk event codes and network packets. Tune them to identify any deviation from the normal behavior. This can be of a particular account and the corresponding transactions.
This facilitates detection of any potential account hijacking or account compromise scenarios based on anomalous behavior patterns such as: abnormal access to high-risk or sensitive objects, abnormal number of activities, requests in a short time frame, activity from terminated user accounts or dormant accounts, PtH attacks and session replay attacks. Anomalies identified via clustering machine learning models and outlier analysis inconsistent with a user or peers’ normal behaviors are given risk scores based on predictive analytics to drive alerts, actions and case tickets.
Benefits:
In this use case, UEBA builds and tracks the user session state. It does this even when a user navigates across heterogeneous resources. It also does this to applications using different accounts and devices at different times. Leveraging machine learning, UEBA dynamically builds session correlation attributes used to create session context to link any subsequent activities based on a confidence factor. This enables the identification of valid IP switching due to transitions between wired and wireless networks, a workstation and a handheld/mobile device, or accessing enterprise resources from various onsite locations or remotely over VPN.
UEBA has the ability to track user sessions across these various parameters. Therefore, ensuring a significant reduction in false positives while simultaneously delivering greater visibility into the sequence of events. It also provides the capability to drill down to specific activities performed by a user or entity while performing an investigation. This analysis also expedites the detection of session replay and hijacking attacks. It begins highlighting any anomalous activity from a user session or concurrent sessions from the same account.
Benefits:
Cloud Security Analytics addresses cloud account compromise, cloud account hijacking and cloud account sharing via API integration with SaaS applications, plus IaaS and PaaS. Visibility into Office 365 cloud applications leverages Microsoft Azure visibility for cloud infrastructure and platform information alongside cloud application activity data. The same applies to other popular cloud applications in AWS cloud environments. Moreover, identity and access management as a service (IDaaS) also plays a role for cloud environments.
The benefits of big data infrastructure with a flexible data model come into play. They develop API data connectors for cloud data ingestion that may mimic on-premises functions in numerous ways. In addition, utilizing advanced machine learning behavior models, cloud security analytics leverages this capability for cloud environments to detect account compromise, hijacking and sharing on-premises. The basic concepts of clustering and outlier algorithms to find anomalies based on normal baselines of the user and peers for predictive risk scores remains consistent with adjustments for data variety and quality. The data sources differ, and data ingestion is API-based for cloud environments.
Benefits:
In conclusion, account hijacking has devastating consequences. Let’s say a criminal compromises your account. Now he can change the password for your email account and other accounts linked to your email. He locks you out of all your services and applications in minutes. And, your social media profile is a victim of account compromise too. Now, the criminal can send your friends malicious links or files in an attempt to compromise their accounts. So, it’s a vicious cycle that can only be stopped with a mature UEBA solution.
Contact us today to find out more about Gurucul’s UEBA technology for detecting and stopping account hijacking.
Prev: ABCs of UEBA: G is for Gurucul Next: ABCs of UEBA: I is for Insider Threat
