///Malicious Insider Threat detection

Malicious Insider Threat detection

When it comes to the protection of sensitive assets, many only focus on defense against outside attacks such as malware, or data breaches. In reality, malicious insiders are posing the same amount of threat to your infrastructure as outsiders do.

Did you know that 53% of organizations confirmed they had fallen victim to an insider attack in the previous 12 months and 27% of organizations say insider attacks have become more frequent? (Source: Cybersecurity Insiders: 2019 Insider Threat Report)

The wide range of use cases included in LogPoint UEBA supports both the detection of attacks carried out but outside attackers and insiders residing within an organization, boosting analysts’ overall efficiency.

Mitigate user-based threats to privileged files with File Integrity Monitoring

LogPoint’s FIM application monitors any kind of access attempts to privileged file share systems and provides information on the type of access and the actions performed in the file. Additionally, the original and the altered checksums can also be compared to better understand access behavior.

SIEM use cases File Integrity Monitoring Screen K

Log sources: FIM

Detecting Lateral Movement

LogPoint UEBA uses a mix of endpoint, Active Directory, and repository data to scan for suspicious behaviors deviating from the baseline.

These include:

  • Login failed attempts on disabled accounts
  • Unusual activity by day of week or time of day
  • Unusual access to servers, file shares, applications or other resources
  • An unusually high amount of access to certain resources
  • Anomalous application usage and anomalous access patterns to storage

As LogPoint UEBA incorporates netflow analytics, new models scanning for an unusually high amount of connections by an endpoint or anomalous connections between endpoints, and unusual port scans will be added.

Example

Login failed attempts on disabled accounts

Login failed attempts on disabled accounts

Log sources: Windows Server, UEBA

Query

label=Login label=Fail sub_status_code=0xC0000072 | chart count() by user order by count()

Detecting Data staging and exfiltration

Compromised accounts or machines are usually trying to move data into staging areas where they can be easily withdrawn from the organization’s network. While preparing the data for removal, attackers will utilize tools such as PSExec or remote desktop tools. In this case, UEBA will detect and highlight anomalous staging and lateral movement including (the highly unusual) intra-workstation high volume data transfers, unusual protocol/port combinations and unusually high amounts of data access.

Examples

High outbound data transfer

LogPoint SIEM use cases: High Outbound Data Transfer

Log sources: Firewall, Proxy

Query

sent_datasize=* source_address IN HOMENET -destination_address IN HOMENET | timechart sum(datasize/1000/1000) as OutboundData | search OutboundData>10

Outbound data transfer by sources

Log sources: Firewall, Proxy

Query

source_address IN HOMENET -destination_address IN HOMENET sent_datasize=* | chart sum(sent_datasize/1000/1000) as OutboundData by source_address order by OutboundData desc

Compromise of privileged accounts

LogPoint UEBA is designed to identify privileged accounts and uses machine learning to do the rest. LogPoint’s UEBA continuously monitors privileged accounts to track and score activity time, authentication, access, application usage, and data movement. LogPoint UEBA then assigns a risk score to any account that deviates from the baseline, and if it continues to act anomalously, the risk score increases. In the meantime, LogPoint UEBA analytics visualize the account’s activity and alert the security analyst to validate the incident and quickly take action.

Example

Trend of failed authentication attempts

SIEM use cases: Trend of failed authentication attempts

Log sources: Windows Server

Query

label=Authentication label=Fail | timechart count()

Uncovering IoCs

Systems involved in any abnormal behavior can be easily enriched with Threat Intelligence feeds to check for the associated indicators of compromise. Furthermore, LogPoint provides you with the exact geographical location of the source of the attack.

Example

Indicators of compromise by geolocation

LogPoint SIEM use cases: Indicators of compromise by geolocation

Log sources: Firewall, Proxy, Threat Intelligence

Query

risk_score=* -source_address in HOMENET | process ti(source_address)|search et_ip_address=* OR cs_ip_address=*|rename et_ip_address as SourceAddress,cs_ip_address as SourceAddress | process geoip(SourceAddress) as country | chart count() by country, source_address order by count() desc limit 10