UEBA Detects Attacks at Initial Reconnaissance & Scanning

01 Feb


Years ago I saw a Black Hat presentation that outlined the various phases of a successful attack. I don’t recall the author’s name, but I remember distinctly the 5 different phases he outlined. They stuck in my mind because he claimed that all successful attacks will proceed through each of these 5 stages. Initially I thought that was a pretty bold concept and probably incorrect, but after a bit of thought I was won over to the idea. Years later I still subscribe to this convention, and this morning’s research confirmed that it’s still a sound principle in the eyes of a lot of security professionals.

The theory states that the 5 phases of a successful attack are:

  1. Reconnaissance and scanning
  2. Gaining access to privileged accounts
  3. Establishing persistence
  4. The actual attack
  5. Covering tracks

The presumption is that for every successful cybercrime, the hacker, whether from inside or outside the organization, will methodically proceed through each of the above 5 steps.

I find this fascinating, especially when one considers how User and Entity Behavior Analytics (UEBA) can be applied during each of these 5 attack phases to detect developing, in-progress, and post-cybercrime activity. So I’ve decided to dedicate a number of blog posts to the various hacking phases and how UEBA can be used in each.

To kick things off, in today’s blog let’s look at how UEBA can be applied during the first stage of a cyber attack – the reconnaissance and scanning phase. Of course a small blog post can only address a fraction of what actually goes on, but hopefully it will give you some new things to think about.

Reconnaissance / Scanning and UEBA

At this first stage of an assault, attackers are focused on reconnaissance and scanning activities to determine the victim’s network composition. This phase can take days, weeks, or even months. While the overall objective may be vandalism, denial of service, or more commonly the theft of data, to carry out these dark deeds criminals must first understand the network, its assets, and its vulnerabilities. They also need user logon credentials. So during this stage attackers are looking for data like:

  • Network address ranges
  • Host names
  • Structure of the applications and back-end servers
  • Which hosts are exposed to the Internet, or can be accessed from various LANs
  • Installed applications and databases on each host
  • What services are running on each host, computer, or resource
  • Operating system and application version information
  • The patch state of the various hosts and of the applications
  • Existing vulnerabilities in hosts, applications, and available services
  • Logon conventions, usernames, user account information, and, ideally, logon credentials.

During this reconnaissance and scanning phase of an attack, malicious individuals will typically use hacking tools like Nmap, Nessus, Wireshark, Superscan, Wapiti, Metasploit and many others to gather as much of the above information as they can. These tools perform ping sweeps and port scans to obtain IP addresses, host names, installed applications, running services, vulnerabilities, and lots of other data.

When hackers run these tools, good routers, firewalls, intrusion detection systems, and other security systems can detect, log, and sometimes alert on the scanning activity (e.g., one IP to many IPs on a single port, scanning IPs across multiple or all ports, sequential or random scanning of a range of IPs by a single or multiple IPs, etc.).

Ideally, security analysts check all such alerts to determine what type of reconnaissance and scanning is being performed and the threat level to the network. If there’s sufficient malicious activity or if it’s originating from dubious geographical locations, associated IP addresses and user accounts can be blocked. This is part of the game the security staff plays every day. Unfortunately, this can be a tremendous amount of work because often the analysts must evaluate individual alerts and logs from various systems and manually piece them together to create a complete picture. This not only takes a great deal of time, it requires a very skilled security professional. It’s hard to do and it’s easy to miss a developing data breach.

In addition to gathering intelligence about the network, cybercriminals will frequently launch phishing and related attacks in order to seduce an employee or insider into making an ill-fated click – resulting in a malware infection that captures the victim’s logon credentials the next time they connect. While obtaining credentials for a privileged account would be ideal, the hacker’s goal at this point is to just get access at any level. Unless they really luck out, escalating to root or admin level privileges will come in a later stage in the attack cycle.

Other prize possessions during this phase are password files. Directory and other enterprise-level password files are preferred because they can contain vast numbers of user credentials. But attackers are also happy to get password files from individual PCs. Common applications like Chrome, Firefox, IE, Outlook, Microsoft Live, Messenger, Google Talk, and dozens more all have their own password files. Although most of these are hashed or encrypted, readily available password cracking tools like John the Ripper, Cain and Abel, and countless others will easily obtain 80% of user passwords within seconds. And since most people use the same password(s) for the majority of their accounts, criminals will often find one that will grant them access to the corporate network and at least some of the desired applications.

Once armed with a few logon credentials and at least a rudimentary picture of the target’s networks, hosts, and applications, reconnaissance ramps up to include user login attempts. The attacker may have valid credentials, but may not necessarily know which resources the user can access. Various networks, hosts, and applications will be probed and tried. While no individual security system would normally generate an alert because of a single failed login attempt, the attempt would still typically be entered in the system log.

At this point a good UEBA system such as Fortscale becomes extremely useful. By collecting, aggregating, and analyzing the logs from all of the routers, firewalls, hosts, applications, and other security systems, the attacker’s activities and objectives can be identified as he scans and probes the various resources looking for data and access.
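As an added illustration (not Fortscale’s code and not part of the original post) of the two correlations described above, the scan patterns routers and firewalls log and the single failed logins that no host alerts on by itself, the following Python aggregates constructed firewall and logon log lines per source address and per account. The log format, host names, addresses, and thresholds are all assumed for the example.

```python
from collections import defaultdict

# Constructed sample log lines (not from any real system): one connection
# attempt per firewall line, one logon result per auth line.
FW_LOG = """\
fw1 conn src=203.0.113.7 dst=10.0.0.5 dport=445
fw1 conn src=203.0.113.7 dst=10.0.0.6 dport=445
fw1 conn src=203.0.113.7 dst=10.0.0.7 dport=445
fw1 conn src=198.51.100.9 dst=10.0.0.20 dport=22
fw1 conn src=198.51.100.9 dst=10.0.0.20 dport=80
fw1 conn src=198.51.100.9 dst=10.0.0.20 dport=443
fw1 conn src=10.0.0.50 dst=10.0.0.20 dport=443
"""
AUTH_LOG = """\
app1 logon user=jdoe result=FAIL
db1 logon user=jdoe result=FAIL
vpn1 logon user=jdoe result=FAIL
file1 logon user=jdoe result=SUCCESS
app1 logon user=asmith result=FAIL
"""

def parse(log):
    """Yield (host, event, fields) for each 'host event k=v k=v ...' line."""
    for line in filter(None, log.splitlines()):
        host, event, *kv = line.split()
        yield host, event, dict(f.split("=", 1) for f in kv)

def detect_scans(fw_log, min_targets=3):
    """One source -> many hosts on one port (horizontal sweep), or one source ->
    many ports on one host (vertical scan); the threshold is an assumed value."""
    hosts_by_src_port, ports_by_src_dst = defaultdict(set), defaultdict(set)
    for _, _, f in parse(fw_log):
        hosts_by_src_port[(f["src"], f["dport"])].add(f["dst"])
        ports_by_src_dst[(f["src"], f["dst"])].add(f["dport"])
    horizontal = [("horizontal_scan", src, port, len(d))
                  for (src, port), d in hosts_by_src_port.items() if len(d) >= min_targets]
    vertical = [("vertical_scan", src, dst, len(p))
                for (src, dst), p in ports_by_src_dst.items() if len(p) >= min_targets]
    return horizontal + vertical

def detect_credential_probing(auth_log, min_hosts=3):
    """No single host alerts on one failed logon; the same account failing on
    several different hosts is the cross-system pattern UEBA surfaces."""
    failed_on, succeeded_on = defaultdict(set), defaultdict(set)
    for host, _, f in parse(auth_log):
        (succeeded_on if f["result"] == "SUCCESS" else failed_on)[f["user"]].add(host)
    return {u: {"failed": sorted(h), "succeeded": sorted(succeeded_on[u])}
            for u, h in failed_on.items() if len(h) >= min_hosts}
```

The per-account result also records where the probing account eventually succeeded, which is the "if the attacker does successfully gain access" case the text mentions.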

With this comprehensive view and focused analytics, UEBA can detect a developing attack that would otherwise be very difficult to see. And it can glean critical bits of information like the attacker’s location (or attempts to obscure it), the various hosts, applications, or other resources that are being probed and tried, and any other strange or anomalous activities. If the attacker does successfully gain access, the anomaly would be reported.

An important benefit is that UEBA performs all of these tasks automatically. This frees the security staff from a great deal of mundane grunt work so they can spend their time doing other important and critical tasks.

As you can tell, I’m pretty excited about Fortscale and how it can be a very effective tool to detect attacks early on during the reconnaissance and scanning phase of an attack. In my next post, I’ll cover the next phase of an attack – Gaining access to privileged accounts, and show how Fortscale and UEBA can help there as well.

Contact us to learn more.