Using UEBA to Gain Behavioral Intelligence

Behavioral anomalies in context provide a clearer picture of real risks within your organization.

We recently worked with a large online retailer to increase their security team’s visibility of insider threats, focusing on the endpoint. Like many companies, the retailer—let’s call them RetailCo—was specifically looking for incidents of data theft or unauthorized access: any activity that might indicate that an insider was (maliciously or accidentally) posing a security threat. Already a CrowdStrike customer, RetailCo was a perfect environment for Interset’s endpoint analytics.

Interset ingested RetailCo’s CrowdStrike Falcon endpoint detection and response (EDR) data, which provided detailed information about endpoint behavioral activity. Looking for behavioral anomalies among users and entities, we identified some troubling activities:

  • Some employees were using applications that were leaking sensitive data onto the Internet.
  • Some employees were running network monitoring tools.
  • There were multiple servers using cleartext passwords.
  • Bad IT hygiene was all over the place: unapproved third-party tools, installing games, using administrative accounts to do end-user activities—to name a few.

This analysis painted a clear and worrying picture of the risks that had been hiding in RetailCo’s endpoint activity. The information we gathered—and the broader understanding of risk within the enterprise that it affords—is what Interset refers to as behavioral intelligence, and it’s only truly made possible by user and entity behavioral analytics (UEBA).

Interset’s UEBA is designed to identify anomalies within an enterprise, and those anomalies—in context—form behavioral intelligence that offers greater risk visibility. Unlike threat intelligence, which formulates risk based on an organization as well as its industry, behavioral intelligence remains focused on the organization at hand. What are the risks that are relevant, real, and current within these four walls, so to speak? Behavioral intelligence is organization-specific and updated by real-time analytics that learns continuously and doesn’t go “stale.”

The “indicators” our technology detects are specific, measured activities, such as an increase in cleartext logins, a high volume of failed logins for a GUEST account across workstations, or a sudden spike in network login attempts to a Microsoft Outlook Web Access server. These activities can often indicate a specific threat when taken in context. In our customer’s case, we observed activities like unusual processes running, a high volume of processes, the installation of suspicious applications, and an unusual number of failed logins. From these indicators, we were able to determine that password brute force activity was taking place.
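To make the “indicators in context” idea concrete, here is an added example (not Interset’s or CrowdStrike’s code) that scores three of the indicators named above over constructed logon events: a spike in failed logons against a per-day baseline, one account failing across many workstations, and a surge of cleartext logons on a server. The event schema, the thresholds (three standard deviations, five hosts, a 3× ratio) and the sample data are all assumptions chosen for illustration; it generalizes the single GUEST case in the text to any account and any host.

```python
"""Baseline-and-deviation scoring of endpoint logon events (added example).

Everything here is illustrative: the LogonEvent fields, the thresholds and the
sample data are constructed and do not reflect any real product's schema.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class LogonEvent:
    day: int          # day index within the observation window
    host: str         # workstation or server the logon targeted
    user: str         # account presented for the logon
    success: bool
    cleartext: bool   # credentials crossed the network unencrypted


def build_sample() -> list[LogonEvent]:
    """Constructed data: six quiet baseline days, then a noisy seventh day."""
    events: list[LogonEvent] = []
    for day in range(1, 7):
        for host, user in (("WS01", "alice"), ("WS02", "bob"), ("WS03", "carol")):
            events += [LogonEvent(day, host, user, True, False)] * 8
            events.append(LogonEvent(day, host, user, False, False))  # one typo per user per day
        events.append(LogonEvent(day, "SRV01", "svc_backup", True, True))  # one cleartext logon daily
    # Day 7: GUEST failing ten times on each of eight workstations, and SRV01 cleartext logons jump.
    for n in range(1, 9):
        events += [LogonEvent(7, f"WS{n:02d}", "GUEST", False, False)] * 10
    events += [LogonEvent(7, "SRV01", "svc_backup", True, True)] * 12
    return events


def failed_logins_per_day(events: list[LogonEvent]) -> Counter:
    return Counter(e.day for e in events if not e.success)


def spike_days(events: list[LogonEvent], sigma: float = 3.0, min_ratio: float = 3.0) -> dict:
    """Days whose failed-logon count sits far above the preceding days' baseline.

    A day is flagged only when at least three prior days exist, the count exceeds
    mean + sigma * stddev, and it is also at least min_ratio times the mean (so a
    perfectly flat baseline with stddev 0 does not flag a one-event change).
    Returns {day: (count, baseline_mean)}.
    """
    per_day = failed_logins_per_day(events)
    first = min(per_day)
    flagged = {}
    for day in sorted(per_day):
        history = [per_day.get(d, 0) for d in range(first, day)]
        if len(history) < 3:
            continue
        base = mean(history)
        threshold = base + sigma * pstdev(history)
        if per_day[day] > threshold and per_day[day] >= min_ratio * base:
            flagged[day] = (per_day[day], base)
    return flagged


def spraying_accounts(events: list[LogonEvent], day: int, min_hosts: int = 5) -> dict:
    """Accounts with failed logons on at least min_hosts distinct hosts on one day."""
    hosts: dict[str, set] = defaultdict(set)
    for e in events:
        if e.day == day and not e.success:
            hosts[e.user].add(e.host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


def cleartext_logon_spike(events: list[LogonEvent], min_ratio: float = 3.0) -> dict:
    """Hosts whose cleartext logons on the last day are min_ratio x their daily baseline."""
    per_host_day: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.cleartext:
            per_host_day[e.host][e.day] += 1
    first, last = min(e.day for e in events), max(e.day for e in events)
    flagged = {}
    for host, days in per_host_day.items():
        history = [days.get(d, 0) for d in range(first, last)]
        if not history:
            continue
        base = mean(history)
        if days.get(last, 0) >= min_ratio * max(base, 1.0):
            flagged[host] = (days[last], base)
    return flagged


def indicators(events: list[LogonEvent]) -> list[str]:
    """Combine the per-indicator checks into a readable, context-carrying summary."""
    last = max(e.day for e in events)
    out = []
    spikes = spike_days(events)
    if last in spikes:
        out.append(f"failed-logon spike on day {last}: {spikes[last][0]} vs baseline {spikes[last][1]:.1f}")
    for user, hosts in spraying_accounts(events, last).items():
        out.append(f"{user} failed logons across {len(hosts)} hosts")
    for host, (n, base) in cleartext_logon_spike(events).items():
        out.append(f"{host}: {n} cleartext logons vs baseline {base:.1f}")
    return out


def brute_force_suspected(events: list[LogonEvent]) -> bool:
    """Brute force is suggested when the failed-logon spike and host-wide spraying co-occur."""
    last = max(e.day for e in events)
    return last in spike_days(events) and bool(spraying_accounts(events, last))


if __name__ == "__main__":
    sample = build_sample()
    for line in indicators(sample):
        print(line)
    print("brute force suspected:", brute_force_suspected(sample))
```

The point of the combined check in `brute_force_suspected` is the one the paragraph makes: a failed-logon spike alone might be a broken service account, and one account on many hosts might be a misconfigured agent, but the two together on the same day are a much stronger signal, and the per-host baseline is what keeps a normally chatty server from being flagged every day.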

The power behind Interset’s behavioral intelligence stems from the depth of our algorithms and how anomalies are presented—in context. The breadth of datasets that Interset supports, combined with being able to associate the disparate activities in those data sources to a single entity, provides a holistic view of the entity and truly meaningful behavioral intelligence.

At RetailCo, the behavioral intelligence we gleaned was made possible by the detection of numerous anomalies. In fact, we eventually observed activities that covered the gamut of the MITRE ATT&CK framework’s tactics and techniques, including:

  • Initial Access: Valid Accounts
  • Privilege Escalation: Valid Accounts
  • Credential Access: Brute Force, Credentials in Files
  • Lateral Movement: Remote Desktop Protocol, Windows Admin Shares, Windows Remote Management
  • Collection: Data Staged, Data from Local System
  • Exfiltration: Exfiltration Over Other Network Medium
  • Command and Control: Remote File Copy

…just to name a few. And ultimately, this information made a world of difference in helping RetailCo gain a more proactive security posture.

This is just one of the case studies in which we’ve seen immense success in facilitating behavioral intelligence. Contact us if you’re interested in a deeper dive into some of these examples and a demo of our UEBA for CrowdStrike service.