Monitoring account activity has become a standard practice for organizations looking to mitigate the insider threat. Naturally, since larger organizations are more prone to account abuse than small and medium businesses, managing and monitoring abnormal accounts requires their security teams to be both more focused and more vigilant.
A major aspect of developing a more user-centric approach to network security is better classification of the different threats each account type poses. Fortscale, for example, enables security teams to explore user accounts through a built-in tagging component that identifies accounts as Administrators, Executives and Service Accounts.
Demand for deeper and more intelligent user monitoring and control is increasing sharply. It has become so widespread that we are seeing more security vendors focused on this offering alone. This is understandable given the lengths cyber-criminals have gone to over the past couple of years to expand their ability to gain control of privileged credentials and abuse them to accomplish malicious goals. At Fortscale we believe User Behavior Analytics has the power to provide both the visibility required to detect these threats in near real time, and the means to conduct a complete investigation that provides all the answers needed to verify a potential threat.
In past blog posts we demonstrated how Fortscale helps organizations detect and investigate Admin accounts. This time, again showcasing our new release, Version 1.4, we chose to talk about monitoring threats revolving around Service Accounts. We found that Service Accounts are as prone to malicious use as Admin accounts and other privileged human users. These accounts, which run backup tasks, application schedulers and other highly important operations, require a different kind of attention when inspecting them for abnormal activity.
Possibly because of their constant and somewhat boring nature, Service Accounts are often neglected and left to run for months without proper audit and inspection. One disturbing example we found in a customer’s operational environment is that Service Accounts usually have passwords that never expire. Fearing that an important operational process would one day freeze and cause a wider failure, the network’s admin approved this compromising policy. There is no doubt in our mind that had a threat actor found this configuration, they would have utilized these accounts for malicious purposes.
Looking for other dangers caused by Service Account activity, we applied Fortscale’s machine learning algorithms and pattern recognition techniques. Let’s look at the following examples, which were found exclusively by Fortscale in a real customer operational environment:
The account above was identified as a Service Account by Fortscale’s built-in tagging component. Fortscale then automatically provided a set of useful details on this account:
- “Fixed Source”: this means that this specific Service Account is operating from a fixed set of source computers. In the image below, it is very clear that the investigated service account is operating from two source computers.
- “Server”: this means that this Service Account is mainly accessing machines of a server type. In the image below, just by looking at the first set of Kerberos events of the investigated Service Account, it is obvious that it’s accessing servers, as we should expect from this type of account.
Another important aspect when searching for anomalous behaviors, specifically with Service Accounts, is distinct time patterns. Take a look at the image below, in which it is extremely clear that the investigated account operates every day around 24:00.
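As an added illustration of the three attributes just described (this is example code written for this post, not Fortscale’s own engine or customer data), the following Python learns a per-account baseline from constructed Kerberos-style logon events, derives the “Fixed Source” and “Server” tags with assumed thresholds, and flags later logons that break the learned source set or the daily time window. Host names, the event format and the thresholds are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed Kerberos-style logon events (hypothetical names, not customer data):
# (account, source host, destination host, timestamp)
BASELINE = [
    ("svc_backup", "BKP01", "FILESRV01", "2015-03-01 23:58"),
    ("svc_backup", "BKP01", "FILESRV02", "2015-03-01 23:59"),
    ("svc_backup", "BKP02", "FILESRV01", "2015-03-02 00:01"),
    ("svc_backup", "BKP02", "DBSRV01", "2015-03-03 00:02"),
]
# Assumption: server-type machines are recognised by a naming convention.
SERVER_SUFFIXES = ("SRV01", "SRV02")

def hour_of(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def profile(events, account):
    """Learn the source set, target type ratio and active hours for one account."""
    sources, hours, servers, total = set(), Counter(), 0, 0
    for _, src, dst, ts in [e for e in events if e[0] == account]:
        sources.add(src)
        hours[hour_of(ts)] += 1
        servers += dst.endswith(SERVER_SUFFIXES)  # bool counts as 0 or 1
        total += 1
    return {"sources": sources, "hours": hours,
            "server_ratio": servers / total if total else 0.0}

def tags(prof, max_sources=2, min_server_ratio=0.8):
    """Thresholds are illustrative assumptions, not Fortscale's."""
    out = []
    if prof["sources"] and len(prof["sources"]) <= max_sources:
        out.append("Fixed Source")
    if prof["server_ratio"] >= min_server_ratio:
        out.append("Server")
    return out

def anomalies(prof, new_events, account):
    """Flag logons that break the learned source set or the daily time pattern."""
    flagged = []
    for _, src, dst, ts in [e for e in new_events if e[0] == account]:
        reasons = []
        if src not in prof["sources"]:
            reasons.append("new source host " + src)
        if hour_of(ts) not in prof["hours"]:
            reasons.append("unusual hour %02d:00" % hour_of(ts))
        if reasons:
            flagged.append((ts, src, dst, "; ".join(reasons)))
    return flagged
```

A logon for the same account from a workstation at 14:12 would be flagged on both counts, while a logon from BKP01 at 23:58 would not.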
Monitoring these behaviors is conducted automatically by Fortscale’s unique machine learning engines, saving your security analysts the time and resources required to manually monitor and audit these and other high-stakes accounts. After discovering a potential threat, Fortscale offers an advanced and easy-to-use investigation process to help analysts reach evidence-backed decisions. Any insights can then be quickly forwarded to the corporate SIEM appliance for further remediation.
Want to see more of Fortscale User Behavior Analytics in action? Contact us for a complete demo.