User Behavior Analytics: A complement to baseline hygiene

Compromised credentials are what make the job of hacking possible and profitable for intruders on a daily basis. To reveal what a major issue this is Rapid7 issued the new research report, Understanding User Behavior Analytics, which breaks down the different types of user activity, provides guidance around establishing a baseline of expected user behavior and explains how to understand anomalies in behavior. 

Tod Beardsley, research manager at Rapid7, explained the field of UBAs and offered some insight on how they work in assessments, incident detection, and incident response.

UBA is its own field within security, and it is an approach that is very user-account focused. “It takes a look at user account activity because typically what attackers tend to do is once they compromise a computer via a low privilege user account, they look to escalate to something good on a local admin, then the domain admin,” said Beardsley. 

[ ALSO ON CSO: User entity behavior analytics, next step in security visibilty ]

What works in the UBA approach is that these technologies notice when user accounts stray outside of the normal everyday use. “It takes historical data into account to say that a group of user accounts are used by humans, noting that they log in at this time, out at this time, and have low activity around this time,” said Beardsley.  User-account behavior is different because machines log in like clockwork and talk to all computers or one computer, so when they start straying, that’s when they start alerting, Beardsley explained.

UBAs also offer different flexibility from a more traditional vulnerability and exploit detection system, said Beardsley, “Because it learns what is going on in your network already. Historical login data, where they login and off, when they start straying out of the box, that is built up through the machine learning features. Now you can tell things like maybe an account has been compromised by an external hacker or motive of what the users are doing.”

Whether it’s an intruder from the outside or an internal threat, or something a little less malicious like someone who is about to quit trying to download contact information, these anomalous behaviors are detected. 

“We look at the account itself not so much the user behind it because the accounts are used by both humans and machines. To that end, we are not super focused on the human motivation even though we can make pretty good guesses,” Beardsley said.

The problem in the security industry is the hole it has dug itself into: alert fatigue. “So many enterprises had no security and no monitoring, then they went and bought a product that generates alerts. Now they receive thousands of alerts and have no idea what’s a good one. That’s a bad solution,” Beardsley said. 

Most IT and security professionals will tend to be pretty comfortable with maybe four alerts in a day, said Beardsley. That’s about an hour of work. “If they start getting more than 10, people are not paying attention. We try to solve that by weighting and building out a better profile,” he continued. 

So what’s the general response to an alert? “You’ll start with an account lockout, lock the account and then launch the investigation. Drill down to what the account has been doing for the last hour, the last day, the last few days, Beardsley said. 

The investigation is intended to detect malicious behavior before it becomes a problem. Those who have already been breached know the pitfalls of not monitoring their networks, as the people who don’t do this type of monitoring tend to have attackers lurking around for more than 200 days.

Locking out an account for maybe an hour is not the end of the world, said Beardsley, but it can save anywhere from a couple of months to several months of an attacker lurking on the inside.

When a criminal gains access through a person’s account, that tends to mean that they have given up their user account credentials. Remind users that passwords need to be complex and changed often. “Easy to remember is easy to extract. I strongly recommend machine generated passwords that people don’t know so that they can’t give them up,” said Beardsley.

It’s also important to keep in mind that no product or platform is a panacea. Every network should have baseline protections, firewalls, intrusion prevention system, and “get your pen tests—it’s good hygiene,” said Beardsley. As with other security tools, UBAs are a complementary approach that augment a baseline of cyber hygiene.