By Kacy Zurkus
Feb. 2, 2016
Compromised credentials are what make the job of hacking possible and profitable for intruders on a daily basis. To reveal what a major issue this is Rapid7 issued the new research report, Understanding User Behavior Analytics, which breaks down the different types of user activity, provides guidance around establishing a baseline of expected user behavior and explains how to understand anomalies in behavior.
Tod Beardsley, research manager at Rapid7, explained the field of UBAs and offered some insight on how they work in assessments, incident detection, and incident response.
UBA is its own field within security, and it is an approach that is very user-account focused. "It takes a look at user account activity because typically what attackers tend to do is once they compromise a computer via a low privilege user account, they look to escalate to something good on a local admin, then the domain admin," said Beardsley.
What works in the UBA approach is that these technologies notice when user accounts stray outside of the normal everyday use. "It takes historical data into account to say that a group of user accounts are used by humans, noting that they log in at this time, out at this time, and have low activity around this time," said Beardsley. User-account behavior is different because machines log in like clockwork and talk to all computers or one computer, so when they start straying, that's when they start alerting, Beardsley explained.
UBAs also offer different flexibility from a more traditional vulnerability and exploit detection system, said Beardsley, "Because it learns what is going on in your network already. Historical login data, where they login and off, when they start straying out of the box, that is built up through the machine learning features. Now you can tell things like maybe an account has been compromised by an external hacker or motive of what the users are doing."
Whether it's an intruder from the outside or an internal threat, or something a little less malicious like someone who is about to quit trying to download contact information, these anomalous behaviors are detected.
"We look at the account itself not so much the user behind it because the accounts are used by both humans and machines. To that end, we are not super focused on the human motivation even though we can make pretty good guesses," Beardsley said.
The problem in the security industry is the hole it has dug itself into: alert fatigue. "So many enterprises had no security and no monitoring, then they went and bought a product that generates alerts. Now they receive thousands of alerts and have no idea what's a good one. That's a bad solution," Beardsley said.