Malicious Insider Threat detection

When it comes to the protection of sensitive assets, many only focus on defense against outside attacks such as malware, or data breaches. In reality, malicious insiders are posing the same amount of threat to your infrastructure as outsiders do.

Did you know that 53% of organizations confirmed they had fallen victim to an insider attack in the previous 12 months and 27% of organizations say insider attacks have become more frequent? (Source: Cybersecurity Insiders: 2019 Insider Threat Report)

The wide range of use cases included in LogPoint UEBA supports both the detection of attacks carried out but outside attackers and insiders residing within an organization, boosting analysts’ overall efficiency.

LogPoint’s FIM application monitors any kind of access attempts to privileged file share systems and provides information on the type of access and the actions performed in the file. Additionally, the original and the altered checksums can also be compared to better understand access behavior.

Log sources: FIM

LogPoint UEBA uses a mix of endpoint, Active Directory, and repository data to scan for suspicious behaviors deviating from the baseline.

These include:

• Login failed attempts on disabled accounts
• Unusual activity by day of week or time of day
• Unusual access to servers, file shares, applications or other resources
• An unusually high amount of access to certain resources
• Anomalous application usage and anomalous access patterns to storage

Log sources: Windows Server, UEBA

label=Login label=Fail sub_status_code=0xC0000072 | chart count() by user order by count()

Compromised accounts or machines are usually trying to move data into staging areas where they can be easily withdrawn from the organization’s network. While preparing the data for removal, attackers will utilize tools such as PSExec or remote desktop tools. In this case, UEBA will detect and highlight anomalous staging and lateral movement including (the highly unusual) intra-workstation high volume data transfers, unusual protocol/port combinations and unusually high amounts of data access.

Log sources: Firewall, Proxy

sent_datasize=* source_address IN HOMENET -destination_address IN HOMENET | timechart sum(datasize/1000/1000) as OutboundData | search OutboundData>10

Log sources: Firewall, Proxy

source_address IN HOMENET -destination_address IN HOMENET sent_datasize=* | chart sum(sent_datasize/1000/1000) as OutboundData by source_address order by OutboundData desc

LogPoint UEBA is designed to identify privileged accounts and uses machine learning to do the rest. LogPoint’s UEBA continuously monitors privileged accounts to track and score activity time, authentication, access, application usage, and data movement. LogPoint UEBA then assigns a risk score to any account that deviates from the baseline, and if it continues to act anomalously, the risk score increases. In the meantime, LogPoint UEBA analytics visualize the account’s activity and alert the security analyst to validate the incident and quickly take action.

Log sources: Windows Server

label=Authentication label=Fail | timechart count()

Systems involved in any abnormal behavior can be easily enriched with Threat Intelligence feeds to check for the associated indicators of compromise. Furthermore, LogPoint provides you with the exact geographical location of the source of the attack.

Log sources: Firewall, Proxy, Threat Intelligence

risk_score=* -source_address in HOMENET | process ti(source_address)|search et_ip_address=* OR cs_ip_address=*|rename et_ip_address as SourceAddress,cs_ip_address as SourceAddress | process geoip(SourceAddress) as country | chart count() by country, source_address order by count() desc limit 10