PINPOINT COMPROMISED USERS

Let’s take a closer look at a typical advanced cyber attack scenario based on compromising a legitimate user’s identity. This example illustrates the sophistication of today’s cyber campaigns and how Fortscale’s solution is uniquely equipped to help enterprises discover covert account takeovers before sensitive data is lost.

THE ADVERSARY GATHERS INTELLIGENCE

Similar to any other tactical operation, the first step in a targeted cyber attack is to gather as much intelligence as possible about the target.

The adversary gathers information about the enterprise’s location, hours of operation, branch offices and employees and looks for the weakest point of entry. Online research typically includes the use of social media to identify potential “soft spots” to attack: legitimate users.

POST INFILTRATION, THE ADVERSARY HIJACKS LEGITIMATE USER IDENTITY

Adversaries use a combination of tools and techniques to bypass traditional security solutions. An unknown zero-day, an email to an unsuspecting employee containing a malicious link, social engineering, phishing and other techniques are used to exploit a vulnerability and gain remote control over a legitimate user’s identity and computer.

Today’s adversaries are both sophisticated and persistent – even if it takes months, they will eventually succeed in bypassing every imaginable security measure (particularly those on the perimeter). Once the adversary is inside the network, they go “under the radar” by masquerading as a legitimate user.

COMPROMISED USER AS AN ATTACK VEHICLE

Having hijacked a legitimate user’s credentials, your adversary is free to go about the business of covertly stealing your intellectual property.

This is done carefully and over a long period of time so as not to attract attention. Although most of this activity (e.g., configuration change, file access, printing, etc.) is written to logs in multiple sensors, it is not detected by real-time security tools and sensors because it appears to be regular activity, conducted during regular hours by a legitimate user.

Once the adversaries have collected the sensitive files and documents, they exfiltrate this information in very small doses and in varied scenarios so as not to arouse suspicion.

FINDING LEGITIMATE YET RISKY USER ACTIVITY

The Discovery of Compromised User Analytics Package Set takes into account that an advanced adversary will eventually succeed in infiltrating the network. That is why our analytics focus on identifying lateral movement and so-called legitimate activity after the infection.

These analytics, developed by Fortscale, automatically analyze a large amount of historical data within the organization and produce a risk score for every user. This risk score indicates the potential threat posed by each user and pinpoints misused accounts or malicious insiders.

MACHINE LEARNING ALGORITHMS AUTOMATICALLY PRIORITIZE USERS FOR INVESTIGATION

The machine learning algorithms that make up these Sets produce a behavioral profile of each user across multiple dimensions (e.g., identity, network, application, file share access) without the use of pre-defined security rules or heuristics.

These Sets are crucial for discovering unknown and under-the-radar attack scenarios. By understanding the various dimensions of multi-faceted and targeted attacks, our solution is able to pinpoint abnormal user activity against both the user’s own historical data and the activity of peers. These insights enrich the current security efforts of SOC teams and existing security measures. Leads are sent in real time for further investigation and remediation, minimizing the risk of data loss.
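The profiling and scoring approach described in the last two sections, written out as an added example; this is not Fortscale’s code and does not reflect its actual models. It assumes three hypothetical behavioral dimensions (first login hour, files accessed per day, distinct hosts reached), a constructed event set for three finance users over six days, and a simple deviation measure against the user’s own history and against department peers. No hand-written detection rules are involved: the score comes only from how far the latest day departs from the two baselines, and users are ranked into an investigation queue.

```python
"""Toy UEBA-style risk scoring (added example; not Fortscale's code).

Each user gets a behavioral profile across a few dimensions. The latest day is
compared against the user's own history and against peers in the same
department; deviations become a 0-100 risk score used to rank users.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical dimensions chosen for this example.
DIMENSIONS = ("login_hour", "files", "hosts")


def constructed_events():
    """Deterministic sample events (constructed for this example, not real logs).

    Each event is (day, user, dept, hour, action, host).
    """
    events = []
    # Assumed per-user habits: (usual first login hour, usual files per day).
    habits = {"alice": (9, 12), "bob": (8, 10), "carol": (9, 14)}
    for day in range(1, 7):
        for user, (hour, files) in habits.items():
            if day == 6 and user == "alice":
                continue  # alice's day 6 is generated below
            events.append((day, user, "finance", hour, "login", "fs-01"))
            for i in range(files + day % 3):  # small day-to-day variation
                events.append((day, user, "finance", hour + 1 + i % 7, "file_access", "fs-01"))
    # Day 6: alice's account logs in at 03:00, touches far more files than
    # usual and reaches hosts it has never used (a takeover-like pattern).
    events.append((6, "alice", "finance", 3, "login", "fs-01"))
    for i in range(60):
        host = ("fs-01", "fs-02", "hr-db", "build-07")[i % 4]
        events.append((6, "alice", "finance", 3 + i % 5, "file_access", host))
    return events


def daily_features(events):
    """Aggregate raw events into one feature vector per (user, day)."""
    rows = defaultdict(lambda: {"login_hour": None, "files": 0, "hosts": set()})
    dept_of = {}
    for day, user, dept, hour, action, host in events:
        dept_of[user] = dept
        row = rows[(user, day)]
        if action == "login":
            row["login_hour"] = hour if row["login_hour"] is None else min(row["login_hour"], hour)
        elif action == "file_access":
            row["files"] += 1
            row["hosts"].add(host)
    features = {}
    for key, row in rows.items():
        features[key] = {
            "login_hour": row["login_hour"] if row["login_hour"] is not None else 0,
            "files": row["files"],
            "hosts": len(row["hosts"]),
        }
    return features, dept_of


def _zscore(value, sample):
    """Deviation of value from a sample, with a floor of 1.0 on the spread so
    that a perfectly constant history does not make every tiny change look huge."""
    spread = max(pstdev(sample), 1.0)
    return abs(value - mean(sample)) / spread


def score_users(events, latest_day, cap=10.0):
    """Return {user: (risk 0-100, {dimension: deviation})} for latest_day."""
    features, dept_of = daily_features(events)
    history = {k: v for k, v in features.items() if k[1] < latest_day}
    results = {}
    for (user, day), today in features.items():
        if day != latest_day:
            continue
        own = [v for (u, _), v in history.items() if u == user]
        peers = [v for (u, _), v in history.items() if dept_of[u] == dept_of[user]]
        per_dim = {}
        for dim in DIMENSIONS:
            z_own = _zscore(today[dim], [h[dim] for h in own]) if own else 0.0
            z_peer = _zscore(today[dim], [h[dim] for h in peers]) if peers else 0.0
            # Whichever baseline the day departs from more drives the dimension.
            per_dim[dim] = min(max(z_own, z_peer), cap)
        risk = round(100 * sum(per_dim.values()) / (cap * len(DIMENSIONS)))
        results[user] = (risk, per_dim)
    return results


def ranked(events, latest_day):
    """Users ordered from highest to lowest risk: the investigation queue."""
    scores = score_users(events, latest_day)
    return sorted(scores, key=lambda u: scores[u][0], reverse=True)


if __name__ == "__main__":
    ev = constructed_events()
    scores = score_users(ev, 6)
    for user in ranked(ev, 6):
        risk, dims = scores[user]
        print(f"{user:6} risk={risk:3}  " + "  ".join(f"{d}={s:.1f}" for d, s in dims.items()))
```

Running it ranks alice first with the file-volume dimension contributing most, while bob and carol stay near zero even though their day-6 counts are not identical to their averages. Two design choices matter in practice: the spread floor in `_zscore` keeps a user whose history is perfectly regular from being flagged for a one-unit change, and taking the larger of the own-history and peer deviations means a user who is "normal for themselves" but far outside their department still surfaces.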