More and more researchers, and we agree with them, say that protection measures applied at the network perimeter (for example, data leakage prevention systems, DLP) are ineffective: they do not help to close the leak channel proactively, before the leak happens.
The reasons for this ineffectiveness are, on the one hand, business continuity requirements (Russian companies also carry a historically formed psychological barrier: a reluctance to choose a deployment model until false alarms have been reduced almost to zero, and the lag, accumulated in previous years, of tools developed in the CIS behind foreign technology leaders, which leaves leak prevention mechanisms switched off and stops at detection *), and, on the other hand, the fact that a leak is usually detected either after it has already happened, or never, which further worsens the statistics (and detection of attacks by standard means takes no less than an hour or more after a significant event is received), or at the moment when the data is about to leave the company's network, with no way to recognize the preparation of data for sending out (whether over the network, on physical media or in a gadget's photo gallery).
In the classification developed by Lockheed Martin for describing the stages of a developing or ongoing cyber attack, the stage at which data leakage occurs is called Data Extraction (Exfiltration).
In total, Lockheed Martin identified eight different types of threats, distributed by the stage at which they are carried out:
Reconnaissance (Intrusion); Exploitation (Privilege / Vulnerability Exploitation); Misconduct (Incorrect Behavior), which covers four types of threats: Privilege escalation, Lateral movement, Obfuscation (“Tracing”, i.e. covering one's tracks) and Denial of Service; and Exfiltration.
It is important to note that it is rarely possible to move to each subsequent stage immediately unless several factors favoring the violator coincide. Examples of such factors are: knowledge of the company's network structure, access to administrative privileges, an RDP port open on the firewall for access to some server, an undocumented VPN channel deliberately left in place; this is typical for insiders, or for hackers who use information obtained from them.
Of course, “Tracing” (covering tracks) can occur both before and after a denial of service or the retrieval of confidential information, and the last two can be carried out in parallel or independently of each other, in any order. In each case the chain may lose any of its links, or be limited to only one type of threat, for example in the actions of a malicious or simply careless insider.
Wouldn't it be great if, without any configuration on your part, the protection system itself alerted you to potential threats, using predictive threat models that automatically analyze the behavior of entities (such as user and computer accounts) across the company's entire infrastructure: from CryptoLockers and compromised service accounts to disloyal users? All of this can be detected, and you can be notified of every deviation in user behavior ** on the monitored resources.
Using the accumulated experience, we can now spare you the constant "manual" analysis of file access logs and of attempts to change privilege levels, and also let you understand who is illegitimately reading someone else's mail, perhaps even yours.
Thus, threat models, as we understand them, are accumulated, ordered knowledge about the various stages, kinds and types of attacks. They can be used to respond quickly to each of the threats described, without a long preliminary analysis of access logs by specialists with extensive cybersecurity experience and the subsequent configuration of event collection systems to correlate events according to criteria those specialists specify (which is what tools for collecting and correlating information security events, SIEM, offer us).
* And it is good if the mechanism that detects the data leak has no surname, only a product name and a build number.
** Hereinafter, by users we will in most cases mean entities such as user and computer accounts.
Why is it important?
Threat models that use behavioral analysis make it possible to detect attacks quickly, in the early stages of their development, and provide context for more informed decisions, thanks to the collected metadata and to information about what happened earlier and is happening now on your file servers, mail servers, SharePoint and in Active Directory or other LDAP directories, involving a particular user and others similar to him in their previous behavior.
Our advanced analysis of behavioral anomalies allows suspicious activity to be noticed at each stage of a potential data leak: from initial reconnaissance to extraction.
In addition, the existing mechanisms make it possible not only to warn about the threats described above, but also, in automatic, semi-automatic or manual mode, to prevent the transition to further stages of the attack chain so that it never reaches the final stage, without having to examine each actual threat separately and build a profile for it (possibly omitting factors that are unknown or considered insignificant) in the existing event registration and correlation mechanisms.
Examples
Here are some of the threat models we use most frequently for clients:
Deviation from normal behavior: access to confidential data (stage: Extraction). May indicate an unauthorized attempt to gain access to assets containing sensitive data. The user's actions are checked against his behavioral profile, and an alert is raised when a discrepancy is found.
Deviation from normal behavior: atypical access to Exchange mailboxes (stage: Extraction). May indicate an unauthorized attempt to use service privileges to gain access to other users' mailboxes. The user's actions are checked against his behavioral profile, and an alert is raised when a discrepancy is found.
Cryptovirus activity (stage: Penetration). May indicate the presence of ransomware.
Suspicious access: files containing credentials for systems opened by an account that does not belong to the IT staff responsible for those systems (stage: Privilege escalation). May indicate an unauthorized attempt to obtain access credentials for systems, or to cause a denial of access to them.
Modification: critical elements of Group Policy (stage: Privilege / Vulnerability Exploitation). May indicate unauthorized attempts to gain access by changing policies or using privileged security groups. It may also indicate attempts to prevent users from accessing systems, especially if it triggered on changes made outside the established change control policy.
Detected software potentially used for hacking (stage: Privilege / Vulnerability Exploitation). May indicate attempts to install or use well-known hacking tools.
Membership change: administrative groups (stage: Privilege / Vulnerability Exploitation). May indicate an unauthorized attempt to gain access by adding an account to privileged groups, or to hamper administrators' prompt response during an attack, especially if the change is made outside the established change control policy.
Deactivation or deletion of a service account or administrator account (stage: Privilege / Vulnerability Exploitation). May indicate an unauthorized attempt to damage the infrastructure, prevent users from accessing systems, or cover tracks after malicious actions, especially if the change is made outside the established change control policy.
Multiple openings of files likely containing credentials for systems (stage: Privilege escalation). May indicate an unauthorized attempt to collect access data for systems.
Detected software used for network analysis (stage: Reconnaissance). May indicate the presence of unauthorized tools used to scan the corporate network, including searching for vulnerabilities.
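As an added illustration of the "deviation from normal behavior" checks listed above (example code, not the vendor's own): it builds a per-user profile of daily sensitive-file accesses over a constructed baseline window and raises an alert when a user's count for the day sits far above his own mean, including for a user who has never touched sensitive data before. The user names, paths, window length and z-score threshold are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed 10-day baseline (day, user, path, is_sensitive): alice works with a
# few sensitive finance files every day, bob touches one twice, carol never does.
BASELINE = (
    [(d, "alice", f"//fs01/finance/q{d}.xlsx", True) for d in range(1, 11) for _ in range(3)]
    + [(d, "bob", "//fs01/finance/budget.xlsx", True) for d in (2, 7)]
    + [(d, "carol", f"//fs01/public/memo{d}.docx", False) for d in range(1, 11)]
)
# Constructed day 11: bob suddenly opens 40 sensitive files, carol opens 12 HR files.
TODAY = (
    [(11, "alice", "//fs01/finance/q11.xlsx", True)] * 3
    + [(11, "bob", f"//fs01/finance/payroll_{i}.xlsx", True) for i in range(40)]
    + [(11, "carol", f"//fs01/hr/salary_{i}.xlsx", True) for i in range(12)]
)

def sensitive_per_user_day(events):
    """Count accesses to sensitive resources per user and per day."""
    per_user = defaultdict(Counter)
    for day, user, _path, sensitive in events:
        if sensitive:
            per_user[user][day] += 1
    return per_user

def build_profiles(events, window_days):
    """Behavioral profile per user: mean and population std-dev of daily sensitive
    accesses over the window. Days with no access count as zero."""
    profiles = {}
    for user, by_day in sensitive_per_user_day(events).items():
        series = [by_day.get(d, 0) for d in range(1, window_days + 1)]
        profiles[user] = (mean(series), pstdev(series))
    return profiles

def detect_deviations(profiles, today_events, z_threshold=3.0, min_count=5):
    """Alert when a user's sensitive-access count for the day is far above his
    own profile. Users with no profile (never seen touching sensitive data) are
    compared against a zero baseline; min_count suppresses noise from tiny counts."""
    alerts = []
    for user, by_day in sensitive_per_user_day(today_events).items():
        count = sum(by_day.values())
        mu, sigma = profiles.get(user, (0.0, 0.0))
        # Floor sigma at 1 so a perfectly flat history is not infinitely sensitive.
        z = (count - mu) / max(sigma, 1.0)
        if count >= min_count and z >= z_threshold:
            alerts.append({"user": user, "count": count, "baseline_mean": mu, "z": z})
    return sorted(alerts, key=lambda a: a["z"], reverse=True)

if __name__ == "__main__":
    for alert in detect_deviations(build_profiles(BASELINE, 10), TODAY):
        print(alert)
```

Running it reports bob and carol and stays silent about alice, whose three accesses match her profile exactly.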