ABCs of UEBA: S is for Sabotage

Sabotage is the worst type of cyberattack. Stealing data is one thing, and it’s a bad thing. But sabotaging data is an entirely separate category of attack. It takes a certain kind of threat actor to be deliberately destructive. And it takes a really advanced User and Entity Behavior Analytics (UEBA) product to detect and stop cybercriminals and insiders who are intent on sabotaging company data or IP.

Do You Really Want to Hurt Me?

One of the dictionaries[1] definitions of sabotage is “sabotage (verb): to intentionally damage or destroy something, for example equipment or a system, that belongs to someone else, so that it cannot be used.” There are others, mostly pertaining to its context in a military or conflict context, but they all boil down to the basic “deliberately breaking something that belongs to someone else so that they can’t use it themselves.”  The reason or circumstance isn’t important.  It’s the act of deliberate destruction that matters.

While many cyberattacks do damage their target, the damage is often a side effect of the attack rather than the end goal.  The intent is different.  Ransomware, for example, damages the target’s files by encrypting them.  But the intent of a ransomware attack is typically to hold the data hostage until the victim ponies up the ransom to get it back.  It’s kidnapping data rather than destroying it.  Extortion rather than murder.

Still, it can be argued that some ransomware attacks count as sabotage, as the attackers would give the victim a faulty key that wouldn’t decrypt the damaged data.  Even if they paid up, they didn’t get their data back.  But the intention was, at least in theory, to get the ransom rather than to deliberately destroy the data.

Nation State Attackers: Your Intent is Showing

In contrast, the NotPetya ransomware attack in 2017 is often considered to be an act of politically motivated sabotage, with the ransomware aspect a deliberate ruse as there was, by design, no way to recover files encrypted in the attack.

That intent is what separates a more common ransomware or other malware attack from an act of sabotage.  This was the case with the Stuxnet malware in 2010.  It was designed to target the SCADA systems specifically used in Iran’s uranium enrichment program at the time.

Both NotPetya in 2018 and Stuxnet are usually attributed to State or State Sponsored threat actors, pursuing a specific geopolitical agenda.  They are cases where sabotage was the technical means to a political end, but they are not the only cases.  Individuals and organizations have engaged in cyber-sabotage many times, for many reasons, against many targets.

Don’t Assume Your Defenses are Sufficient

From the perspective of defense, there are some differences in detail between a common criminal attack, be it for data theft, ransomware, or fraud, and a specific act of sabotage.  For example, a saboteur is often more interested in getting in and planting their malicious wares than they are in extracting data, though sabotage may only be one aspect of a larger multi-faceted attack.  That means the same defensive tools, policies, and procedures you use against common criminals can be equally effective against a saboteur.

Historically, users are a large part of the threat surface, regardless of the attacker’s intent. So, as always, defense starts with an educated user base.  The more they know, the better equipped they are to resist common user-focused attack vectors.  And, as they say, knowing is half the battle.   Education is just the start, of course.  Solid policies around remote access and resource entitlements is another part, along with multi-factor authentication.  All cybersecurity tools that can reduce the chance of an attacker leveraging a user’s access to plant destructive malware.   Reducing the users as a threat surface also makes it easier for the more technical perimeter defenses – your firewalls, VPN concentrators, etc. – to keep the bad guys out.

On the inside, because we must assume they will get in in spite of our best efforts, defenses on the endpoints can prevent an attacker from spreading beyond their initial foothold.

Purely technical measures, such as anti-virus and anti-malware, exist that are designed to thwart an attack by identifying malicious software and stopping it in its tracks.  Unfortunately, advanced attackers like the State and State sponsored threats, are apt to employ zero-day attacks which can all too often bypass conventional endpoint security measures.

Let’s Put a Stop to This!

However, User and Entity Behavior Analytics (UEBA), as part of a comprehensive security analytics platform, can reduce the risk from an attacker who’s breached the perimeter, compromised a user account, or who is a malicious insider – a notable risk when it comes to sabotage.

It’s said you can steal a user’s identity, but you can’t steal their behavior.  Almost the same applies when it comes to malicious software.  While a zero-day exploit may bypass defenses designed to recognize malicious code, you can’t hide what it’s doing when it activates.  By focusing on the behaviors displayed by users, hosts, and any other “entity” in the environment, it’s possible to quickly identify an attack before it can do serious harm.  This is especially useful when the source of the attack is someone already inside the organization.

There are additional advantages as well.  By using machine learning to drive the analysis, the system can adapt to the environment.  As the system determines what’s normal, it can more rapidly identify outlying behaviors and present a unified risk assessment on each asset in the environment, whether it’s a system, a person, or resource.  It also enables risk-based access controls, that improve security for valuable assets without imposing frustrating additional steps on the users.

Ultimately, risk scores derived from behavioral analysis let the Security Operations team quickly identify and react to the most serious threats using manual or automated processes.  Whether the attacker is a cybercriminal engaging in petty larceny or a State actor trying to sabotage the factory floor, their behaviors give them away.


Prev: ABCs of UEBA: R is for Risk Next: ABCs of UEBA: T is for Time