05 Feb UEBA Detects Attackers Establishing Persistence
In today’s blog, we will look at how UEBA tools detect attackers who’ve initially penetrated the network and are attempting to establish persistence by expanding their foothold and making sure they can get back in later.
If you’ve been following recent blogs, you will have seen our discussions about successful attackers generally progressing through 5 attack stages. We’ve covered how UEBA is used to detect attacks during stage 1) reconnaissance and scanning; and stage 2) gaining access to privileged accounts.
Now let’s touch on how UEBA helps detect and thwart cyber criminals who are advancing to stage 3) establishing persistence.
Once attackers begin active reconnaissance and scanning, or take steps to gain and use elevated privileges, they start leaving tracks that can reveal their presence. So they are keen to establish multiple ways to get back into the system should their primary method(s) be blocked.
Adding new privileged users to the system is one way attackers establish persistence. But this will likely be detected if the security staff is paying attention in this area, and they should be. Escalating the privileges of existing user accounts is much less likely to be noticed by the security staff or by traditional security systems. Better yet for the attacker, leveraging access through existing service accounts (which typically already have high-level privileges) has a much stronger chance of staying undetected. Similarly, reactivating dormant service accounts and using them to gain access will often go unnoticed.
To help establish persistence, hackers will also frequently replace the operating system's daemons, services or system agents with trojanized versions of the same. These impostor processes often include back doors, spyware, outbound transmission capability, and covert functions that automatically restore privileged accounts and other hacking tools should they be discovered and removed.
Hackers may also remove security patches, or install old and vulnerable versions of applications or processes that they can later exploit to regain access if necessary.
Since Fortscale can monitor and analyze the normal behaviors of all users, including administrators, the above activities to establish persistence will likely be detected as anomalies. For example, new users are normally added by a central HR system or by the business owners of an application. New software and patches are applied by specific individuals or special systems. If hackers perform these functions using anything other than the normal accounts and methods, they will be caught by the UEBA system. The challenge for hackers is that it is 1) extremely difficult to know who is normally responsible for all of these activities; 2) difficult to have stolen credentials for each of them; and 3) difficult to use those credentials without detection. So much of what cyber criminals do at this stage will be revealed as anomalies and generate alerts, allowing the security staff to see the full picture and take appropriate action to halt the attack.
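As an added illustration of the baseline-versus-anomaly logic described above (example code written for this post, not Fortscale's product code), here is a minimal Python detector over constructed events: it learns which accounts normally create users, change privileges and install packages, then flags those actions when performed by any other account, and flags any account that becomes active again after a long dormancy. The event format, the 90-day dormancy threshold and all account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (timestamp, actor, action, target); not real log data.
EVENTS = [
    ("2017-06-01T04:00", "svc-legacy", "logon", "dc01"),  # active once, then dormant
    ("2018-01-05T11:00", "iam-admin", "privilege_change", "asmith"),
    ("2018-01-10T09:00", "hr-sync", "user_create", "jdoe"),
    ("2018-01-12T02:00", "patch-svc", "package_install", "openssl-1.0.2n"),
    ("2018-01-18T08:30", "jdoe", "logon", "workstation07"),
    # Persistence-style activity after the baseline cutoff:
    ("2018-02-03T23:10", "jdoe", "user_create", "support2"),
    ("2018-02-04T01:30", "jdoe", "privilege_change", "svc-legacy"),
    ("2018-02-04T01:45", "svc-legacy", "logon", "dc01"),
    ("2018-02-04T02:00", "svc-legacy", "package_install", "openssl-1.0.1e"),
]
SENSITIVE = {"user_create", "privilege_change", "package_install"}
DORMANT_DAYS = 90  # assumed threshold for calling an account dormant

def build_baseline(events, cutoff):
    """From events before cutoff, learn who normally performs each sensitive action and when each account was last active."""
    actors_by_action = defaultdict(set)
    last_seen = {}
    for ts, actor, action, _ in events:
        t = datetime.fromisoformat(ts)
        if t >= cutoff:
            continue
        if action in SENSITIVE:
            actors_by_action[action].add(actor)
        last_seen[actor] = max(t, last_seen.get(actor, t))
    return actors_by_action, last_seen

def detect(events, cutoff):
    """Return (timestamp, actor, action, kind) alerts for events at or after the ISO-format cutoff."""
    cutoff = datetime.fromisoformat(cutoff)
    actors_by_action, last_seen = build_baseline(events, cutoff)
    alerts = []
    for ts, actor, action, _ in events:
        t = datetime.fromisoformat(ts)
        if t < cutoff:
            continue
        # Sensitive change made by an account that never performs it in the baseline.
        if action in SENSITIVE and actor not in actors_by_action[action]:
            alerts.append((ts, actor, action, "unusual_actor"))
        # Account quiet for longer than DORMANT_DAYS is suddenly active again.
        seen = last_seen.get(actor)
        if seen is not None and t - seen > timedelta(days=DORMANT_DAYS):
            alerts.append((ts, actor, action, "dormant_revival"))
        last_seen[actor] = t
    return alerts
```

Running `detect(EVENTS, "2018-02-01")` yields four alerts: two for the user account creating a user and changing privileges, one for the dormant service account waking up, and one for that service account installing a downgraded package.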
Next time I’ll cover the 4th stage of a typical data breach: How Fortscale’s UEBA can help detect criminal activity during the actual attack phase.
Contact us to learn more.