Caught in the act: Spotting suspicious user activity with behavioural analytics
August 3, 2020
Samantha Humphries, Security Strategist at SIEM provider Exabeam, explains how behavioural profiling can be used to detect hard-to-spot cyber threats.
The majority of traditional security systems are only capable of detecting existing ‘known’ threats, via specific detection signatures or through pre-defined correlation rules created by security teams. While this can offer a useful layer of protection for many organisations, in today’s threat landscape, it’s not enough by itself to stop the growing number of more sophisticated attacks appearing on a near-daily basis.
Fortunately, the data security industry is also evolving and behavioural profiling offers a powerful tool that can be used to fight back against previously unknown threats. Just like a security guard who sees something amiss and goes to take a closer look, behavioural profiling helps automated security systems spot suspicious activity within users’ accounts, networks or devices, and bring it to the attention of security professionals who would otherwise be none the wiser.
Behavioural profiling in cuber security
Behavioural profiling uses advanced analytics and machine learning to analyse large amounts of security data and establish benchmarks for ‘normal’ user and system behaviour. Doing so makes it much easier for anomalous behaviour to be spotted, which is often indicative of compromised systems or accounts, even in progress cyber-attacks. By bringing such behaviour to the attention of security teams, attacks can be identified, contained and stopped much earlier, and system vulnerabilities can be remediated, preventing similar attacks in future.
To detect anomalies, behavioural analysis focuses the following key activity areas:
Network activity: Any part of the network that sends or receives traffic at unusual volumes, using different patterns or with unfamiliar payloads, could represent an anomaly.
Devices and usage: A user logging in from an unknown device represents an anomaly, which could be an attacker using compromised credentials, or a legitimate user on an unsecured laptop/PC. Behavioural analysis can also identify if a user is operating their device in unusual ways, such as logging in at different times to normal, from strange locations/IP addresses, or even typing at different speeds to normal, all of which suggest something could be amiss.
Ports and applications: A server connecting to a port or system (internal or external) that it does normally, or a user signing in to applications they’ve never used before should immediately raise a red flag, particularly if said port or application can be used to transfer data outside the company.
User entity behaviour analytics
User entity behaviour analytics (UEBA) is a powerful security solution with behavioural profiling and analysis at its core. It employs automated anomaly detection to alert security teams to suspicious behaviour by comparing users to their baseline behaviour, the behaviour of their peers/co-workers, and/or comparing IT system and network activity to established ‘normal’ activity.
A key aspect of UEBA is the use of thresholds to denote when an anomaly becomes a genuine security threat. For example, if an employee who typically starts work every day at 9 am logs in one morning at 8 am, this could be considered anomalous behaviour, but is it so unusual that it warrants a security investigation?
To make that distinction, a UEBA tool can analyse a variety of different behaviours together and assign the anomaly a unique risk score, which indicates just how far the activity deviates from the norm. Only when the score goes above a certain threshold does it trigger an alert calling for further investigation, saving security teams a great deal of time. For example, if the aforementioned employee logs in an hour earlier than usual, but also on a different device and from a different location, this is a much stronger indicator that something strange is going on, leading to a much higher risk score.
UEBA vs traditional cyber security solutions
Below are three examples of common threats in the modern security landscape that UEBA tools can identify but traditional cyber security solutions would be likely to miss:
Data theft: When data is transferred outside an organisation, it could be a user connecting to a legitimate external service, an attacker transferring stolen data, or malware communicating with a command and control centre. UEBA systems analyse data transfer and identify if the destination is legitimate and if the data transferred makes sense for the current user and context.
Compromised user credentials: An attacker who's using compromised user credentials, can easily stay under the radar of many traditional solutions. However, UEBA will quickly expose them by identifying deviations from the real credential owner’s behaviour (as detailed above).
Insider threats: Malicious insiders are an increasing concern for many organisations. Furthermore, their legitimate credentials and system access make them almost impossible to catch using traditional security tools. Fortunately, UEBA solutions can detect when a user is performing risky or unusual activities, such as escalation of privileges, accessing strange applications or transferring data they shouldn’t be, all of which may signal malicious behaviour.
Like it or not, the cyber-threat landscape is becoming increasingly sophisticated. New threats are emerging almost daily that can bypass traditional security tools, rendering them virtually useless.
Fortunately, innovative new solutions such as UEBA are helping security professionals fight back against attackers, malicious insiders, and cyber criminals, using behavioural profiling and analytics to identify anomalous activity that would previously have gone undetected. In doing so, they can spot attacks much faster and help teams put a stop to them before significant damage is caused.
Samantha Humphries is a Security Strategist at SIEM provider Exabeam. She has 20 years of experience in cyber security, and has defined strategy for multiple security products and technologies, helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyberattacks, and trained anyone who’ll listen on security concepts and solutions.
At Exabeam she has responsibility for EMEA, Data Lake, plus anything that has “cloud” in the name. She writes articles for various security publications and is a regular speaker and volunteer at industry events, including BSides, IPExpo, CyberSecurityX, The Diana Initiative, and Blue Team Village (DEFCON).