ABCs of UEBA: X is for eXfiltration

Yes, we did! X is a hard letter to find an appropriate UEBA word for so yes, we chose “eXfiltration” since the “e” is silent… and one of the top use cases for User and Entity Behavior Analytics (UEBA) is detecting and stopping data exfiltration in real-time.

Exfiltration is the unauthorized taking of data, usually by employees of the enterprise.  It rarely involves deleting data; rather, the employees make a copy of it, often for reasons of resale or revenge.  Employees typically have access rights to the data, in order to perform their jobs, but are planning to use the data in unauthorized ways.

And it doesn’t have to be just data.  Intellectual property (IP), such as new product designs, competitive information, and strategic plans can also be exfiltrated.  An employee may be planning to sell information to competitors or foreign governments, use it to blackmail other people in the company, or release it as an act of revenge against the company or an individual.

Methods of Data eXfiltration

Probably the easiest way on most networks to exfiltrate data is by use of a portable mass storage device, such as a USB thumb drive.  Unless an organization takes specific actions to disable the use of USB ports and devices, it may be simple enough to simply insert one into any network PC and download data in minutes.  It may also be possible to burn a DVD to get very high capacities of data.

But there are other ways of exfiltrating data.  You can log in from the outside, have the privileges to gain control over the desired data, and download that data to an external system.  Social engineering is a popular but low-tech way of exfiltration.  Here an unauthorized user or outside person convinces someone with legitimate access to share that access with them.  Often, they pose as an IT staff member or outside auditor, and claim there is a problem that the victim can help with.

Motivations for eXfiltrating Data

Exfiltration is a unique form of theft, in that data or IP is not physically stolen and missing from its repository.  There are also rare circumstances where it isn’t theft at all.  But whatever the genesis and motivation, all organizations have a need to understand what users are doing on their systems, and what information they are accessing.  Only by identifying and investigating unauthorized access of their data or IP can an organization ensure the integrity of its systems.

This is a potentially much larger problem than it was just a couple of years ago, because networks have become more dispersed yet more connected.  Tools such as Active Directory and LDAP (Lightweight Directory Access Protocol) enable users to be able to sign on to separate applications and databases with a single username and password.  Also, with more people working from home and other locations due to COVID-19, it becomes more difficult to rely on the location or the type of system that is accessing the data.

Monitor Systems and Networks for Data eXfiltration Attempts

Fortunately, there is a way of separating the wheat from the chaff, so to speak.  User and Entity Behavior Analytics (UEBA) is a way to discover attempted data exfiltration using analytical and predictive means.  UEBA lets enterprises analyze activities by authorized users, or on specific systems, to determine suspicious activities that can be followed up in more detail.

It typically involves a combination of machine learning (ML) models and data analytics.  Specific ML models observe the behavior of users, systems, and networks using readily available logs or system data, plus data from other sources.  This data is used to train various models to learn what is typical behaviors with users, networks, and systems.

In fact, under certain circumstances, these models can reach beyond day-to-day electronic data to get a clearer picture of behavior.  For example, if users hold a security clearance, they may have consented to ongoing personal finance monitoring or personal relationship monitoring.  The more data sources you can consume, the more likely you have a model that accurately reflects the activity on your systems.

Without using trained ML models, SOC analysts could identify hundreds of potential problems every single day.  Model training is necessary to help weed out these false positives.  Training with actual data and many potential ML models makes it possible to ensure your models perform exactly as expected.

Risk Scoring Data eXfiltration Activity

The result of a UEBA ML-based data analysis is a set of risk scores in a dashboard.  These risk scores provide a normalized number between 1 and 100 that represents the likelihood that a particular activity or set of related activities should be investigated further.  This is far more valuable than a large set of instances that don’t reflect with priority or seriousness, because SOC analysts can focus on a few potential problems that have the potential to impact the business the most.  By diving into summary data, analysts can quickly identify those problem areas by their risk score, then investigate details.  In many cases, they may also be able to pull in additional data, based on APIs to other security analytics tools.

UEBA solution technology lets organizations build ML models based on the data they are collecting on users, networks, and systems.  Having a large number of ML libraries, coupled with the ability to access many different data sources through API, makes an effective means of monitoring, identifying, and assessing potential exfiltration threats before they are carried out.

Deploy Gurucul UEBA to detect unauthorized movement of Intellectual Property / Customer Data / Sensitive Information outside the corporate environment through various egress channels, including:

  • Unusual Documents Printed
  • Email to competitors or personal Ids
  • Data upload to personal cloud storage sites
  • Abnormal data transfer to removeable media devices
  • Unusual movement of data to external unauthorized domains using FTP / SCP / other protocols

Prev: ABCs of UEBA: W is for Watchlist Next: ABCs of UEBA: Y is for Yield