Seeing red: 5 suspicious user behaviours

Bad actors often give signs that they’re up to no good. Learn to recognise the red flags.

By Bill Clark

Fri 29 Mar 2019 @ 15:00

Nothing comes for free. The great opportunities that the internet and online tools offer organisations also come with vulnerabilities.

Cyberattacks, when successful, can be blindingly quick. Verizon’s 2018 Data Breach Investigations Report found 87 per cent of successful breaches took just minutes – or seconds – to take place. Only three per cent of breaches were detected that quickly; most breaches (68 per cent) took months to detect.

The digital transformation organisations are undergoing today is increasing the potential vectors for attack, including the Internet of Things, the cloud and software-defined wide-area networks (SD-WAN).

User and entity behaviour analytics (UEBA), which monitors systems for unusual patterns of activity, is a powerful tool for dealing with insider threats. And once an attacker has breached the perimeter, they’re an ‘insider’, albeit an uninvited one. Here are five red flags that UEBA will pick up to help you beat these attacks.

Detecting unusual account activity
Every user on a network has a unique pattern of activity. One might always log in 15 minutes before their designated start time, another, 10 minutes after. User A might always check their email before accessing their department’s shared calendar. User B might check the calendar first and email second. Patterns of activity allow a UEBA system to recognise when an account is behaving unusually. Whether it was hijacked by an outside attacker or a staff member is acting uncharacteristically, flagging and investigating such activity is essential.

Privilege abuse
Not all users are equal. Some, due to the nature of their jobs, require a higher level of privileges, giving them greater access to systems and files. These users represent an inviting target for cyberattacks and a much greater risk if they go rogue. Edward Snowden, the NSA contractor who exposed US government surveillance data, illustrates the damage a highly privileged user can do. According to former NSA director Michael Rogers, technology can help address this threat: “AI and machine learning have great applicability here. In my experience, most organisations actually have access to more data than they truly understand, and they're not optimised to use it.”

Unusual database activity
Databases are the lifeblood of any organisation. Whether personnel files, customer data, billing, finance, research data, sales figures or marketing plans, the modern business is fuelled by data. This data is an inviting target. Look for unusual access patterns (time of day, origin of request, user requesting files for projects they don’t work on) as well as changes in the files. An increase in file size, for example, may represent the introduction of malicious code into your database, code that will spread and attack the network when that data is accessed. Substantial increases in database read volumes can also be an indicator that someone is trying to grab your data.
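As an added example (not code from the article or from LogRhythm's product), the baseline-and-deviation idea behind the account-activity and database-activity red flags above, in Python: per-user baselines for login hour and database rows read are built from constructed telemetry for hypothetical users, and a new observation is flagged when it sits more than three standard deviations from that user's norm.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry (hypothetical users and values, not real data).
# Each record: (user, day, login_hour, db_rows_read). alice is a steady
# 08:00 starter reading ~1,250 rows; bob starts at 10:00 and reads ~310.
EVENTS = [("alice", d, 8, 1200 + (d % 3) * 50) for d in range(1, 11)] + \
         [("bob", d, 10, 300 + (d % 2) * 20) for d in range(1, 11)]

# New observations to score: alice logs in at her usual hour but reads ~40x
# her normal row count; bob logs in at 03:00 with a normal read volume.
NEW_OBSERVATIONS = [("alice", 11, 8, 48000), ("bob", 11, 3, 310)]


def build_baselines(events):
    """Per-user mean and population standard deviation for each feature."""
    per_user = defaultdict(lambda: {"hour": [], "rows": []})
    for user, _day, hour, rows in events:
        per_user[user]["hour"].append(hour)
        per_user[user]["rows"].append(rows)
    baselines = {}
    for user, s in per_user.items():
        baselines[user] = {
            "hour_mean": statistics.mean(s["hour"]),
            # Floor the spread so perfectly regular behaviour still scores.
            "hour_sd": max(statistics.pstdev(s["hour"]), 0.5),
            "rows_mean": statistics.mean(s["rows"]),
            "rows_sd": max(statistics.pstdev(s["rows"]), 1.0),
        }
    return baselines


def score(observation, baselines, threshold=3.0):
    """Return the features whose z-score against the user's baseline exceeds
    the threshold. Login hour is treated linearly here; a production system
    would treat hour-of-day circularly so 23:00 and 01:00 are close."""
    user, _day, hour, rows = observation
    b = baselines.get(user)
    if b is None:
        return ["unknown_user"]  # an entity with no history is itself notable
    flags = []
    if abs(hour - b["hour_mean"]) / b["hour_sd"] > threshold:
        flags.append("login_hour")
    if abs(rows - b["rows_mean"]) / b["rows_sd"] > threshold:
        flags.append("db_read_volume")
    return flags


if __name__ == "__main__":
    bl = build_baselines(EVENTS)
    for obs in NEW_OBSERVATIONS:
        print(obs[0], "day", obs[1], "->", score(obs, bl) or ["ok"])
```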

Unusual outbound network traffic
With the focus on guarding the perimeter and keeping attackers out of the network, it is easy to overlook what outbound network traffic says about network health and security. When an attack breaches an organisation, malicious software will often call back to control servers. UEBA can also identify the unusual traffic patterns of company data being exfiltrated.

Geographical anomalies
Cybercriminals may be based in countries overseas or may route their traffic through those countries to disguise their actual activity. An unhappy employee may send data to an external partner, either abroad or in another part of the country. Looking for atypical traffic origins and destinations can help identify a potential attack or data theft.

The power of UEBA

An effective UEBA solution works quickly and ceaselessly to identify patterns, grade threats and alert IT security personnel. Those staff will be able to use the data collected and sorted by the UEBA tool to assess and respond to the alert.

UEBA brings multiple benefits that improve your security maturity: it collects and prepares data from diverse sources to provide clean data sets for effective analytics; it builds a true view of the identity of users and hosts, not just their disparate identifiers; and it applies artificial intelligence and machine learning to shorten the time to detect and respond to threats.

Learn more

Learn more about how LogRhythm UEBA can help you address suspicious activity.