A common theme across multiple versions of the so-called “attack chain,” from Lockheed Martin’s kill-chain to Mandiant’s attack chain and others, is that they all show, with a few differences, the steps an attacker takes to achieve their objective: breaching a network undetected to steal valuable data.
The most effective way for attackers to do this is by using stolen valid user credentials to slip past initial point-of-intrusion detection devices. The attack chain example that accompanies this blog is from the Mandiant APT-1 report, which helps illustrate how attackers can use stolen credentials to live within gaps.
Mandiant’s version of the attack chain shows the basic phases of an advanced persistent attack that can last weeks or months. Security practitioners focus on each of the various phases and activities of the attack chain to see what they can do to stop the attacker at each step. Most security point solutions on the market focus on initial compromise detection at the host or on the network level, which is traditionally where the vast majority of security spend has gone. And data loss prevention (DLP) system deployments have also gained traction recently for those trying to catch data leaving the organization just before the “complete mission” phase. However, there are numerous methods an attacker can use to execute each phase of the attack, creating a multiplier effect that gives them a distinct advantage.
Where stolen credentials are concerned, we need to look past the activities in the green boxes and focus on the white spaces in between. Given that so many of the recent data breaches mention the use of stolen credentials, privilege escalation and unauthorized data access, what is missing from this illustration and others is an indication of where the use of stolen credentials might facilitate the phases of the attack chain. If we added credential use to the illustration, it might look something like this:
To execute phases of the attack chain, there is a high likelihood the attacker is using stolen credentials and impersonating a legitimate user. Valid credentials are the most coveted asset an attacker can get. The middle of the attack chain is also where the attacker remains resident inside the networks the longest—more than 200 days, in some cases.
Now all we need to do is learn the dynamic differences between a user’s normal credential behaviors and access characteristics and the abnormal usage of those same credentials by an attacker. This is precisely what Exabeam does. The system remembers normal behaviors for each user and scores behavioral outliers, keeping state across a session of activities from log-on to log-off. It automatically asks not only whether these are normal credential behaviors and access characteristics for the user himself, but also how he compares to peers in his organizational unit or department. For each piece of out-of-context behavior, a risk score is assigned. Once the total risk score for the session reaches a threshold, the system alerts the security team.
Now suspicious user behavior can be immediately viewed in context. Exabeam automatically remembers and keeps state on the user identity and asks, “Is it normal for this user’s credentials to be accessing this resource, at this time, from this place, with this system, using a VPN to perform these tasks?” It will also attribute security alerts to credential use so that if a FireEye alert happens, the response team knows who had an open session on the affected system at the time of the alert.
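The session-scoped scoring loop described in the two paragraphs above (per-user baseline, peer-group comparison, state kept from log-on to log-off, a running risk total that trips an alert at a threshold), as an added illustration that is not Exabeam’s code. The baselines, weights, threshold and log lines are all constructed assumptions for this example; a real system learns the baselines from historical logs.

```python
# Constructed baselines: what is normal for one user and for that user's peer group (department).
USER_BASELINE = {"alice": {"hosts": {"fs01", "mail01"}, "sites": {"HQ"},
                           "hours": range(8, 19), "vpn": False}}
PEER_BASELINE = {"finance": {"hosts": {"fs01", "mail01", "erp01"}, "sites": {"HQ", "branch2"}}}
PEER_GROUP = {"alice": "finance"}
# Constructed weights: new to the whole peer group weighs more than new to this user only.
WEIGHTS = {"host_new_to_user": 10, "host_new_to_peers": 25, "site_new_to_user": 10,
           "site_new_to_peers": 25, "off_hours": 10, "unexpected_vpn": 10}
ALERT_THRESHOLD = 50
# Constructed log lines: (user, action, host, site, hour, via_vpn).
LOG = [
    ("alice", "logon",  "mail01", "HQ",     9,  False),
    ("alice", "logoff", "mail01", "HQ",     17, False),
    ("alice", "logon",  "mail01", "remote", 2,  True),
    ("alice", "access", "erp01",  "remote", 2,  True),
    ("alice", "access", "dc01",   "remote", 3,  True),
    ("alice", "logoff", "dc01",   "remote", 3,  True),
]

def findings(user, host, site, hour, via_vpn):
    """Compare one event with the user's own baseline, then with the peers'."""
    mine, peers = USER_BASELINE[user], PEER_BASELINE[PEER_GROUP[user]]
    out = []
    if host not in mine["hosts"]:
        out.append(("host_new_to_user" if host in peers["hosts"] else "host_new_to_peers", host))
    if site not in mine["sites"]:
        out.append(("site_new_to_user" if site in peers["sites"] else "site_new_to_peers", site))
    if hour not in mine["hours"]:
        out.append(("off_hours", None))
    if via_vpn != mine["vpn"]:
        out.append(("unexpected_vpn", None))
    return out

def score_sessions(log):
    """Keep state from logon to logoff; score each new finding once; flag at the threshold."""
    open_sessions, closed = {}, []
    for user, action, host, site, hour, via_vpn in log:
        if action == "logon":
            open_sessions[user] = {"user": user, "score": 0, "reasons": [], "alert": False}
        s = open_sessions.get(user)
        if s is None:
            continue  # activity with no open session: nothing to attribute it to
        for f in findings(user, host, site, hour, via_vpn):
            if f not in s["reasons"]:  # each out-of-context behaviour counts once
                s["reasons"].append(f)
                s["score"] += WEIGHTS[f[0]]
        s["alert"] = s["alert"] or s["score"] >= ALERT_THRESHOLD
        if action == "logoff":
            closed.append(open_sessions.pop(user))
    return closed
```

On the constructed log the daytime session scores 0, while the 2 a.m. VPN session from an unknown site reaches the threshold on its second event and finishes at 80 with the domain controller access flagged as new to the whole peer group.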
User behavior solutions add an extra “brain” to an already-stretched security team, one that can help detect attackers by continuously and dynamically asking questions about the context around credential use, understanding and remembering the normal behaviors of an individual and his or her peer group, and scoring the behaviors that are new or unusual within a user session.
Want to see how this brain provides user behavior intelligence? Press the demo button below, or watch a video of Colin Anderson, CISO at Safeway, discussing what Exabeam has done for his organization.