UEBA Detects Data Theft and Other Ongoing Attacks

08 Feb


Recent blogs covered the first 3 phases attackers go through in successful data breaches, and how Fortscale UEBA detects attacks during each of those phases. Today's blog turns to the 4th phase, the attack itself: the phase where data is actually stolen. As in the previous posts in this series, our attention will be focused on how UEBA detects criminal activity during this stage of an attack, enabling the security staff to take immediate action to halt the breach.

Once an attacker establishes persistence in the victim's network (phase 3 of the attack), they're ready for phase 4: the actual act of setting up and executing their goal, whether that is vandalism, denial of service, or, more commonly, data theft. Assuming it's the latter, the first order of business is finding high-value data. The initial reconnaissance performed in phase 1 may have already revealed the hosts and applications where sensitive, personal, or financial data exists, but ordinarily the attacker will need to, or simply want to, probe further into the network to look for the largest treasures.

So typically the attacker will begin a more thorough probe of the organization’s assets, looking for the highest value data. This may involve automated scans from within, or manual connections to the various hosts to see what applications are installed and what data they hold. It may involve searches on each host for account numbers, credit card or other payment card numbers, social security numbers, or other personal and financial data. Searches for proprietary information and trade secrets may be performed. For instance, the searches might look for all files and documents that contain words like “customer”, “password”, “confidential”, “private” or “classified”. The probes might also be looking for data that’s been encrypted on the assumption that it must be very valuable and can potentially be cracked.

The cyber thief may also install additional spyware and other malware to capture more user accounts or valuable data as users enter it. During this phase, login times will likely be at odd hours, or at unusual frequencies. Logins may originate from foreign countries or other unusual locations. Sessions may be extra long, lasting days or weeks, or extra short, as in the case of automated tools that are quickly moving from resource to resource. And there may be hundreds of sessions originating from the same IP address but accessing dozens of different destinations.

In most cases, many of the above actions will be anomalies and will be detected by Fortscale's UEBA capabilities. The system's SMART Alerts will automatically combine related activities, such as everything originating from the same IP address, user account, or unusual location, regardless of the host or resource where they occurred. So even seemingly random and benign acts spread across multiple networks, hosts, and applications will still be detected and presented to analysts in comprehensive but easily understood reports. With luck, and there's a good chance of this, the attacker will be revealed before they begin transmitting data. If not, unless the attacker is using very sophisticated transfer methods, the very act of moving the data is often logged and can be identified as an anomaly by Fortscale, especially if it involves a large quantity of data or comes from unusual resources.
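As an added illustration (not Fortscale's code or detection logic), the following Python runs the session-level signals listed above (odd-hour logins, unusually long or short sessions, bulk data movement, one source IP fanning out to many destinations) over a few constructed session records, then groups every hit by source IP the way the post describes SMART Alerts combining related activities. The records, field layout and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample session records (user, source IP, destination host,
# start, end, bytes sent); not data from the post. Times are local.
SESSIONS = [
    ("alice", "10.1.1.20", "hr-db01", "2017-02-06T09:05:00", "2017-02-06T09:35:00", 1_500_000),
    ("bob", "10.1.1.31", "fileshare", "2017-02-06T10:00:00", "2017-02-06T10:45:00", 2_000_000),
    ("bob", "203.0.113.9", "hr-db01", "2017-02-07T02:14:00", "2017-02-07T02:14:20", 4_000),
    ("bob", "203.0.113.9", "fin-app", "2017-02-07T02:15:00", "2017-02-07T02:15:15", 3_000),
    ("bob", "203.0.113.9", "fileshare", "2017-02-07T02:16:00", "2017-02-09T08:00:00", 9_000_000_000),
]

_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def flag_session(s, work_hours=(7, 19), short_s=60, long_s=86_400, bulk_bytes=1_000_000_000):
    """Odd-hour login, extreme session length, bulk transfer; thresholds are assumed."""
    _, _, _, start, end, nbytes = s
    reasons = []
    if not work_hours[0] <= _ts(start).hour < work_hours[1]:
        reasons.append("odd-hour login")
    dur = (_ts(end) - _ts(start)).total_seconds()
    if dur < short_s:
        reasons.append("very short session")
    elif dur > long_s:
        reasons.append("very long session")
    if nbytes > bulk_bytes:
        reasons.append("bulk transfer")
    return reasons

def fan_out(sessions, min_sessions=3, min_dests=3):
    """Source IPs with many sessions spread over many distinct destinations. Thresholds
    are tiny to fit the sample; a real deployment would baseline each entity."""
    dests = defaultdict(list)
    for s in sessions:
        dests[s[1]].append(s[2])
    return {ip: len(set(d)) for ip, d in dests.items()
            if len(d) >= min_sessions and len(set(d)) >= min_dests}

def smart_alerts(sessions):
    """Group all signals by source IP so scattered hits on different hosts form one alert."""
    ctx = defaultdict(lambda: {"users": set(), "dests": set(), "reasons": set()})
    for s in sessions:
        a = ctx[s[1]]
        a["users"].add(s[0])
        a["dests"].add(s[2])
        a["reasons"].update(flag_session(s))
    for ip, n in fan_out(sessions).items():
        ctx[ip]["reasons"].add(f"{n} distinct destinations")
    return {ip: a for ip, a in ctx.items() if a["reasons"]}
```

On the sample, only 203.0.113.9 produces an alert, carrying the user, the three hosts touched and all five reasons, while the two benign daytime sessions are silent.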

The bottom line is that attackers must perform a lot of additional unauthorized actions during this stage in order to reach their goals, and by their very nature these activities will show up as anomalies and be detected. While UEBA isn’t the only security technology necessary today, it’s proving itself to be very effective at every stage of the attack cycle – and thus a very vital tool in today’s world.

Next up, we’ll discuss the 5th and final phase of the attack cycle – covering tracks, and how UEBA can help in that area as well.
