If you ask penetration testers what the easiest path into a target is, the chances are very good that they’ll say “users.” If you could find a malicious actor willing to answer, chances are they would say the same thing. With the exception of the occasional zero-day, or an old and unpatched vulnerability, attacks against an organization’s users are the most common initial access vector. That is why you need to monitor user behavior continuously: it is how you detect and stop the advanced attacks that target users.
The reality is that users are only human, and subject to the usual human failings and foibles. They get tired. They get distracted. They get lonely. They get careless. They are subject to flattery, threats, confusion, and a myriad of other things that come with being organic, social beings. All of that boils down to humans being the weakest link in almost every organization’s security chain.
That said, users can also be an organization’s first line of defense. A security-conscious user who recognizes a suspicious email, or even unusual activity around the office, and alerts security operations could be what stops an attacker from breaching the target. That comes down to user education and, at least as important, a security-conscious culture where they work. With the right training and attitude, user behavior can go from being part of the attack surface to a robust layer of defense.
In an ideal world we’d have just that. All our colleagues would be adequately trained and could consistently identify and avoid the social engineering, spear phishing, and cast-netting attempts that came their way. Cast-netting, for those who may not have heard the term, refers to phishing campaigns aimed at a single organization. The attacker doesn’t care who in the organization bites, much like throwing a net into a small pond. It is less targeted than spear phishing, which goes after one specific person, but far more focused than indiscriminate mass phishing, and it can be very effective for an attacker.
But, as we know, our users are human. Fallible, deceivable, imperfect humans.
What that means is that threat actors will abuse our users to get into our environments. It has happened before, in some very high-profile cases, and it will happen again. Bad people do bad things, and our users take the brunt of it. And that doesn’t even cover the cases where the users themselves are the malicious actors. Being able to monitor user behavior is key to identifying and stopping malicious insiders as well as cybercriminals who have compromised a legitimate user’s account.
Intentional or not, the insider threat is still a major issue. A user who has chosen to do something bad has a leg up on the outsider who used social engineering or phishing to grab a user’s identity: they’re already inside. They know at least some of the defenses and can try to work around them, and they know where at least some, if not all, of their targets are. No need for a sneaky search through the archives to find the Holocron; they know where it’s stored. They will only be caught if you can detect when their behavior changes from normal to nefarious.
This all boils down to our need to build defenses that can handle the cases where the users, one of the very assets we’re trying to protect, are the source of the threat.
Fortunately, we have a number of tools that help protect us from user compromise. Multi-factor authentication, for example, can stop credential abuse when a user’s password has been phished, social-engineered, or otherwise acquired by someone who shouldn’t have it (phishing-resistant factors such as hardware security keys hold up better here than SMS or app codes, which can themselves be phished in real time). Identity and Access Management (IAM) systems work hand in hand with MFA: MFA checks that users really are who they say they are, and IAM limits what each verified identity is allowed to reach.
Data Loss Prevention (DLP) systems, or Data Leakage Prevention if you prefer, can help keep malicious actors from absconding with the organization’s crown jewels, while deception technologies can keep an attacker from finding them in the first place by sending them on a wild goose chase after decoys.
There are anti-malware and anti-virus tools to go with Endpoint Detection and Response (EDR) to protect the endpoints. And finally, there is the layer that ties them all together: User and Entity Behavior Analytics (UEBA). This is where we monitor user behavior in real time with security analytics to detect when a user’s behavior changes, and potentially becomes a threat.
Users, and the systems, or “entities,” they work with, all have distinct behaviors they exhibit day to day as they go about their work. Everything from when and where they log in, to which systems they interact with, to the assets they normally access or create, forms a baseline. When we see a deviation from that baseline, we recognize it, classify it, and assign a risk score that reflects how much of a risk that unusual behavior represents.
It’s said you can steal a user’s credentials, but you can’t steal their behavior. Likewise, when an insider decides to do something nefarious, they will act differently from how they normally act. In either case, they are doing something unusual, and that is what gives them away. Behavior is flagged as anomalous by looking at how users and entities interact, in context, with an advanced security analytics tool.
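To make the baseline-and-deviation idea above concrete, here is a small worked example of the two situations just described: a stolen credential used from an unusual place at an unusual hour, and an insider touching a system they never use and moving far more data than usual. This is an added illustration written for this post, not Gurucul’s product logic. The event fields, the sample history, the “usual hour” rule (at least 10% of sessions), the 5x volume rule, the weights and the triage thresholds are all assumptions chosen to keep the example readable.

```python
"""Toy UEBA baseline and risk scoring over constructed events.

Added example for this post; it is not Gurucul code. The event fields,
the 10% "usual hour" rule, the 5x volume rule and the risk weights are
assumptions chosen to make the idea concrete.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    user: str
    ts: str          # ISO-8601 timestamp, assumed UTC
    country: str     # geolocated source of the session
    host: str        # the entity the user interacted with
    bytes_out: int   # data moved off that host during the session


@dataclass
class Baseline:
    hours: Counter = field(default_factory=Counter)   # login hour -> sessions
    countries: set = field(default_factory=set)
    hosts: Counter = field(default_factory=Counter)   # host -> sessions
    max_bytes: int = 0
    sessions: int = 0


# Assumed weights: how much each kind of deviation adds to the risk score.
WEIGHTS = {"unusual_hour": 20, "new_country": 50, "new_host": 30, "volume_spike": 35}


def build_baselines(history):
    """Learn one Baseline per user from historical events."""
    baselines = defaultdict(Baseline)
    for ev in history:
        b = baselines[ev.user]
        b.hours[datetime.fromisoformat(ev.ts).hour] += 1
        b.countries.add(ev.country)
        b.hosts[ev.host] += 1
        b.max_bytes = max(b.max_bytes, ev.bytes_out)
        b.sessions += 1
    return dict(baselines)


def score_event(ev, baselines):
    """Compare one new event with its user's baseline.

    Returns (score, reasons): score is 0..100, reasons names each deviation.
    A user with no baseline at all is treated as fully anomalous.
    """
    b = baselines.get(ev.user)
    if b is None:
        return 100, ["no_baseline"]
    reasons = []
    hour = datetime.fromisoformat(ev.ts).hour
    # An hour counts as "usual" only if >= 10% of the user's sessions began in it.
    if b.hours[hour] / b.sessions < 0.10:
        reasons.append("unusual_hour")
    if ev.country not in b.countries:
        reasons.append("new_country")
    if ev.host not in b.hosts:
        reasons.append("new_host")
    # Moving more than 5x the largest volume ever seen for this user.
    if ev.bytes_out > 5 * max(b.max_bytes, 1):
        reasons.append("volume_spike")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def classify(score):
    """Bucket a risk score the way an analyst queue would triage it."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


# Constructed history for one user: office hours, one country, two hosts.
HISTORY = [
    Event("alice", "2024-03-04T09:12:00", "US", "fileserver01", 120_000),
    Event("alice", "2024-03-04T14:30:00", "US", "wiki", 8_000),
    Event("alice", "2024-03-05T09:05:00", "US", "fileserver01", 250_000),
    Event("alice", "2024-03-05T16:40:00", "US", "fileserver01", 90_000),
    Event("alice", "2024-03-06T10:20:00", "US", "wiki", 12_000),
    Event("alice", "2024-03-06T11:55:00", "US", "fileserver01", 300_000),
    Event("alice", "2024-03-07T09:30:00", "US", "fileserver01", 180_000),
    Event("alice", "2024-03-07T15:10:00", "US", "wiki", 5_000),
    Event("alice", "2024-03-08T10:45:00", "US", "fileserver01", 210_000),
    Event("alice", "2024-03-08T13:25:00", "US", "fileserver01", 150_000),
]
BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    # Constructed new events: a normal day, stolen credentials, an insider.
    for ev in [
        Event("alice", "2024-03-11T10:00:00", "US", "fileserver01", 200_000),
        Event("alice", "2024-03-11T03:14:00", "RO", "fileserver01", 100_000),
        Event("alice", "2024-03-11T14:05:00", "US", "hr-db", 9_000_000),
    ]:
        score, reasons = score_event(ev, BASELINES)
        print(f"{ev.user} {ev.ts} {ev.country} {ev.host}: {classify(score)} ({score}) {reasons}")
```

Run as written, the normal session scores 0, the 3 a.m. session from a new country scores 70 (high) even though the host it touches is one alice uses every day, and the daytime session against a never-used host with a 30x volume jump scores 65 (high) with no geography or time signal at all. Two caveats a practitioner would add: the baseline is only as clean as the window it was learned from, so an attacker or insider already active during that window looks “normal” afterwards, and fixed weights like these are a starting point to tune per environment, not a finished model.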
Our users can be our scariest attack surface or our first line of defense. Gurucul UEBA solutions help at either end, by recognizing when something has gone wrong and by surfacing the subtle patterns that stand out even when everything else looks right.