03 Feb Early Attack Phases and UEBA – Getting Administrator Privileges
Today, I want to write about how UEBA tools can be used to detect emerging data breaches very early on in the attack cycle – when attackers are first obtaining root or administrator level privileges.
In my previous blog, we discussed the principle that successful cyber attacks generally progress through 5 stages: 1) reconnaissance and scanning, 2) gaining access to privileged accounts, 3) establishing persistence, 4) the actual attack, and 5) covering tracks. But more importantly, we addressed how UEBA can be very effective in detecting developing cyber attacks – even during the initial reconnaissance and scanning stage of the attack cycle.
So, moving on to the 2nd phase in the attack cycle, in today’s post we will briefly address how UEBA detects an emerging data breach when cyber criminals first gain, or attempt to gain, administrative-level privileges.
With knowledge of at least some of the hosts, applications, vulnerabilities, and non-privileged logon credentials gathered during the reconnaissance and scanning phase, attackers will turn their attention to getting root or administrator privileges. There are dozens of ways that this can be done. Password-cracking tools like John the Ripper can usually recover privileged passwords if password files have been obtained. Keyloggers can be installed on the host or on users’ PCs. Holes in the kernel or OS can be exploited, sometimes granting root or admin privileges without having to learn a password. Services can often be hacked and a local exploit used to escalate privileges. Savvy insiders with physical access can usually get passwords to privileged accounts within a minute or two. In some cases, network sniffers like dumpcap can capture credentials when users log in.
When activities like the above are performed, a good UEBA system like Fortscale will detect any act that appears anomalous. Since the overall objectives of a cybercriminal are prohibited, much of what they attempt to do is anomalous and will be revealed. For example, if an attacker compromises a service account, any attempt by the attacker to use it would be a gross anomaly and immediately exposed. Or if a particular user account is suddenly engaged in an attempted connection to resources that it has never before accessed, this too would be detected. If tools like dumpcap are installed to capture network traffic and passwords, the installation would be unusual for most accounts and would generate an alert so the security staff can take action to halt the attack.
If a cyber crook is successful in gaining privileged access, Fortscale’s UEBA capabilities will still spot their criminal activities early on. They will likely begin installing additional malware and hacking tools, or adding more user accounts. The assailants will also be inclined to start probing the network from within, accessing other networks, hosts, databases, applications, and files that are out of the norm, even for administrators. Given the appropriate logs as input into the UEBA system, all of these activities can be detected and halted at the onset.
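The three detections described above (a service account used interactively, a first-time connection to a resource, and an unusual tool install such as dumpcap) can be illustrated with a small baseline-and-rarity scorer. This is an added example written for this post, not Fortscale code; the accounts, hosts and events are constructed, and the `svc_` naming convention and the 0.5 alert threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample history (not real logs): (user, action, target).
# Stands in for a 30-day baseline of each account's normal activity.
BASELINE_EVENTS = [
    ("alice", "logon", "interactive"), ("alice", "access", "fileserver01"),
    ("alice", "access", "wiki"), ("alice", "install", "git"),
    ("bob", "logon", "interactive"), ("bob", "access", "fileserver01"),
    ("bob", "access", "wiki"), ("bob", "install", "git"),
    ("carol", "logon", "interactive"), ("carol", "access", "fileserver01"),
    ("carol", "access", "hr-db"),
    ("svc_backup", "logon", "service"), ("svc_backup", "access", "fileserver01"),
]

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    ("alice", "access", "wiki"),             # routine for alice
    ("alice", "access", "hr-db"),            # first time for alice; carol does it
    ("bob", "install", "dumpcap"),           # no account has ever installed a sniffer
    ("svc_backup", "logon", "interactive"),  # service account driven by a human
]

ALERT_THRESHOLD = 0.5  # assumed cut-off; tune to the environment

def build_baseline(events):
    """Per-user set of (action, target), and per (action, target) the users doing it."""
    per_user, per_behaviour = defaultdict(set), defaultdict(set)
    for user, action, target in events:
        per_user[user].add((action, target))
        per_behaviour[(action, target)].add(user)
    return dict(per_user), dict(per_behaviour)

def score_event(event, per_user, per_behaviour):
    """0.0 if the user has done this before; otherwise rarity across all accounts."""
    user, action, target = event
    key = (action, target)
    if user.startswith("svc_") and key == ("logon", "interactive"):
        return 1.0, "service account used interactively"
    if key in per_user.get(user, set()):
        return 0.0, "in user's own baseline"
    others = len(per_behaviour.get(key, ()))
    return 1.0 - others / len(per_user), f"new for {user}; seen from {others} other account(s)"

def detect(new_events, baseline_events=BASELINE_EVENTS, threshold=ALERT_THRESHOLD):
    """Return (event, score, reason) for every new event at or above the threshold."""
    per_user, per_behaviour = build_baseline(baseline_events)
    scored = (score_event(e, per_user, per_behaviour) + (e,) for e in new_events)
    return [(e, round(s, 2), why) for s, why, e in scored if s >= threshold]

if __name__ == "__main__":
    for alert in detect(NEW_EVENTS):
        print(alert)
```

Rarity here is simply the fraction of known accounts that have never performed the behaviour, so a first-time access shared with one peer scores lower than one nobody has performed.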
As an illustration of the importance of UEBA and the above principles, one need only look at the huge breach experienced by the Office of Personnel Management (OPM). Investigators learned that very early in the attack the intruders downloaded manuals about OPM’s internal assets – an unusual act even for privileged users, but one that disclosed vulnerabilities and details regarding OPM’s systems. This data would have been key to the success of the breach. The downloading of the manuals was present in system logs but the logs were not evaluated. Had OPM utilized effective UEBA tools, this terrible breach might have been halted at the very beginning – long before any real damages were done.
In summary, effective UEBA tools like Fortscale can be very good at detecting when malicious individuals first attempt to obtain advanced privileges. This ability to catch cyber thieves early in the attack cycle is very significant.
Next time we’ll discuss how UEBA and Fortscale can detect malicious activity during the 3rd phase of the attack cycle – establishing persistence.
Contact us to learn more.