UEBA, It's Just a Use Case

"UEBA, it’s just a use case." – Netenrich CISO Chris Morales

He’s not wrong. But I’d take it a step further. User entity and behavior analytics (UEBA) is just a set of patterns applied to the right log sources and linked together.

UEBA incorporates insider risk, privileged account monitoring, and monitoring for compromised accounts. When done right, the goal is to find changes of behavior that indicate intentional or unintentional misuse of data.

Learning normal and finding weird

I’ve talked about “learning normal and finding weird” for years. It’s what we try to do in a SOC. In tools before machine learning, it meant hard-coding everything a SOC analyst learned into filters on what to ignore and what to prioritize. Today, machine learning and pattern recognition mean earlier detection and less manual coding.

In my prior post, I tried to explain why patterns are better than rules for detecting threats. It doesn’t mean there are only five detection rules, but it does mean there are five patterns, usually with several variations applied to each log source that cover what you’d otherwise need 500 rules to cover.

UEBA really focuses on three of the five patterns.

• Rare events. User did something they’ve never done before.
• Spike in events. User did something in an unusual quantity.
• Peer anomaly. User did something no one else like them has done before.

Individually, no single event really stands out, but a combination of events does. I grew up watching “Sesame Street,” where I learned to look for the one thing that isn’t like the others. And from baseball, “Three strikes, you’re out!”

Consider the following threat scenarios to see how to look for patterns and apply the three strikes’ principle.

Threat Scenario 1: Flight Risk – Financial Theft

Your current CFO isn’t happy. His bonus wasn’t what he’d hoped for. So, he decides to get a new job and give himself the bonus he wanted anyway.

Events:

• HR pay stub/bonus low.

• Email from your CFO to a competitor’s domain.

• Proxy – Upload of resume to competitor’s domain.

• CFO creates a new pay-to account.

• CFO authorizes a check to new account. 

Actions:

• Disable his account.

• Transfer the money back from that new account.

• Fire CFO.

• Block email and posts to competitor domain.

Threat Scenario 2: Data Exfiltration – Intentional Insider

Your least favorite, chronically unhappy sysadmin, Jane, just got a performance review and is not happy.

Events:

• HR - Jane got a bad employee review.

• Jane just spiked in nasty posts about the company (ZeroFox social media data).

• Jane copied 3,000,000 files to a USB drive.

Actions:

• Disable Jane’s account.

• Have HR call Jane in for “discussions” and to bring all digital media.

Threat Scenario 3: Financial Theft – Intentional Insider

Consider a scenario where an IT admin's account has been compromised. Detectable non-malware events: User logs in from never-before-seen country. User does a transaction he’s never done before in a wire transfer banking application to a destination account that no one at the company has ever used before. The amount exceeds similar users’ (peer groups/department/title/location) learned daily/weekly/monthly known transfer amounts. $1M is gone.

Events:

• User login from rare country.

• Unusual transaction.

• Unusual account — peer anomaly.

• Unusual amount — spike.

Actions:

• Block foreign country.

• Disable user account.

Threat Scenario 4: Ransomware

A user is enticed to click on a malicious website. “Download the Coolest Game EVER Here!” “Nigerian Prince Wants to Send YOU Money!” Pick your favorite. Study after study shows as high as a 3% click-through rate regardless of how ridiculous most of us think a link’s enticement may be. Free malware with download.

Events:

• Proxy data — User accesses uncategorized (new/not yet classified) URL/website.

• Process data — User’s machine runs a never-before-seen executable from a temp path or runs an MSI install from a remote IP:path (Sysmon, OSQuery, FIM, EDR).

• Windows/SharePoint/OneDrive – User begins to encrypt files (3x more than any prior day).

  • Windows Events 4663 attempt, 4656 modify, 4658 close, if file and folder auditing had been enabled (object modified).

Actions:

• Disable user account.

• Isolate compromised host.

• Delete all similar emails.

As you can see, a single event may not stand out, but once you begin stitching events together, the threats become more obvious. In my next blog, I’ll delve further into the importance of situational awareness to find patterns and provide more detail on which log sources you should apply UEBA to.