Insider Threat Use Cases: How Modern SIEM Solutions Detect Malicious Activity

In the previous posts of this series, we discussed the growing risk of insider threats and the role of modern security information and event management (SIEM) solutions in detecting and mitigating these threats. In this third post, we explore specific insider threat use cases, highlighting how advanced SIEM solutions can effectively detect malicious activities in today’s complex IT environments.

Insider threat detection, investigation, and response (TDIR) can be challenging when relying solely on legacy correlation rule-based approaches. Combining user and entity behavior analytics (UEBA), automation, and pre-built use case content allows security teams to differentiate between legitimate user activity and unauthorized use. Advanced analytics can enhance the productivity of security teams and reduce response times through automation. This post outlines seven techniques that indicate insider threats and how an advanced SIEM solution can detect them.

1. Compromised credentials

Compromised credentials involve the unauthorized acquisition of legitimate user credentials. Advanced SIEM solutions use UEBA to establish a behavioral baseline for all users and assets, assign risk scores to anomalous events, and visualize deviations from the baseline. This results in better coverage and less alert fatigue for analysts, improving the overall security posture of the organization.

Some types of attacks that are used to find, steal, or otherwise acquire legitimate credentials are:

• Phishing and spear phishing
• Password spraying
• Credential stuffing
• Keyloggers
• Brute force
• Social engineering
• AD Reconnaissance

2. Lateral Movement

Lateral movement is a common tactic used by attackers to navigate through a network after gaining control of one asset. Advanced SIEM solutions apply pre-built correlation rules to highlight activities associated with lateral movement, such as port scanning and remote desktop access. Pre-assembled timelines, risk scores, watchlists, and lists of compromised assets improve analysts’ efficiency and reduce the risk of lateral movement on the network.

3. Privilege escalation

Privilege escalation involves an attacker gaining higher-level permissions or unauthorized access. Modern SIEM solutions create a baseline of user and device behavior, allowing them to detect anomalous behavior or fact-based rule triggers. Preconfigured rules based on modeled data for a particular user help identify compromised accounts used for privilege escalation.

Some types of attacks, and the methods used to carry out privilege escalation by an attacker, include:

• Horizontal escalation
• Discovery
• Credential dumping
• Vertical escalation
• Weak security

4. Privileged activity

Privileged activity represents a heightened risk if a user account or asset becomes compromised. Modern SIEM solutions should provide tools for defining and managing privileged entities and processes, helping organizations better monitor and secure their privileged accounts.

Some types of attacks, and the methods used to exploit privileged activity by an attacker are:

• Privileged users
• Privileged accounts
• Privileged assets
• Domain controllers

5. Evasion

Evasion refers to an attacker’s attempts to maintain persistence on a network while avoiding detection. Advanced SIEM solutions detect evasion by leveraging fact-based rules and behavioral analytics for users, assets, and processes. Regular uploads of common indicators of compromise (IoCs) further enrich the SIEM solution.

Some types of attacks, and the methods used to exploit evasion by an attacker are:

• Create processes with PowerShell
• Pass encrypted or encoded commands
• Delete files
• Use TOR
• Manipulate processes
• User hacker toolkits

6. Account manipulation

Account manipulation involves attackers exploiting account controls to escalate privileges, move laterally, compromise credentials, and gain control. Behavioral analytics form the backbone of advanced SIEM solutions to detect account manipulation, with prepackaged scenarios and content designed to identify suspicious activity.

7. Data exfiltration

Data exfiltration involves the unauthorized removal of data from a network. Modern SIEM solutions use UEBA capabilities to detect abnormal activity and trigger alerts for suspicious behavior. Fact-based rules alert on processes and utilities known to be used by attackers attempting to exfiltrate data, helping organizations protect sensitive information.

Conclusion

By combining UEBA, automation, and pre-built use case content, organizations can effectively detect, investigate, and respond to insider threats. Advanced analytics and behavioral baselining play a significant role in enhancing security posture and staying ahead of cyberthreats. As we have seen in this post, modern SIEM solutions can effectively tackle various insider threat use cases, such as compromised credentials, lateral movement, privilege escalation, privileged activity, evasion, account manipulation, and data exfiltration.
By understanding these use cases and leveraging the capabilities of advanced SIEM solutions, organizations can build a robust security posture, protect sensitive data, and mitigate the risk of insider threats. In the next post of this series, we will explore critical considerations for defending against insider threats and best practices for insider threat programs.

To learn more, read The Ultimate Guide to Insider Threats

Do you know what the biggest threat is to your organization? The answer may surprise you. It’s your own employees, contractors, and other insiders. These trusted insiders have authorized access to sensitive information and can cause significant harm to your organization, whether they mean to or not.

Insider threats are a growing concern for organizations worldwide, and it’s essential to understand the risks they pose and how to defend against them. That’s why we’ve created this comprehensive guide to help you better understand what insider threats are and how to protect your organization from them.

Read this eBook to learn about:

• What insider threats are and why they’re a growing concern
• The importance of simulation and security training for defending against insider threats
• A modern approach to insider threat detection, including real-world examples and case studies
• Advanced best practices for insider threat programs, including data science, data feed detection points, and use cases.

With this guide, you’ll know how to improve your organization’s overall security posture with faster, easier, and more accurate insider threat detection, investigation, and response. Download now!