On True Positives and Security Incidents
The Potential POS Breach
Exabeam recently discovered unusual behavior at one of our retail customers. On some of the most sensitive point of sale (POS) devices, a local account was added to a privileged Active Directory group. Some of the audit functionality on these machines was then disabled, and a few minutes later the account was removed from the privileged group and the audit functionality was re-enabled. This was happening on hundreds of POS devices at recurring intervals, suggesting an automated, operational attack was under way.
When this was discovered, tension rippled throughout the organization. Haunting recollections of recent retail POS breaches at other companies were top of mind as some of the best minds in IT were rushed to a war room, forensic teams stood by and VPs instructed that they were to be updated over the course of the investigation – day or night.
Fortunately, the investigation revealed that the activity was caused by a configuration error. An IT administrator had created a new Group Policy Object (GPO) that applied to the POS systems. The new policy conflicted with an older one that was still active, and the observed behavior occurred each time the new policy was applied and then reverted by the older one.
After a sigh of relief and the blood returning to everyone’s faces, the security administrator turned to me and said, “So, a false positive after all.” I asked her to elaborate and she replied, “Since this was not an actual attack, isn’t this a false positive?”
Contemplating The Importance of True Positives
That conversation with the security administrator got me thinking: what is the purpose of security operations? Is it to detect “real” malicious activity, or is it to be aware of potentially harmful activity, and are these always the same thing?
Consider antivirus, for example. Practically every organization deploys it, and these systems continuously report detections. Because the alerts are signature based, a detection means that code matching a known malicious signature really is present on the system; as detections go, they are about as close to a guaranteed true positive as the industry has. The weakness of signature-based antivirus lies on the other side: false negatives, where malicious activity is missed because no signature exists for it.
Surely a product with such a high rate of true positives should be one of the most important tools for a modern security operations team? Yet in reality these alerts are largely ignored, to the point that some organizations have dropped them altogether. One of the main reasons they are of so little value is their lack of context, but whatever the reason, the point stands: true positives are not the quintessential element of security.
Conversely, a user and entity behavior analytics (UEBA) system uses context, history, and the evolution of the presumed attack to present a compelling case that the security team should look at, whether or not it is driven by malicious intent. The criterion for evaluating UEBA should therefore be whether the detected behavior was significant enough to deserve the security team’s time, not whether real malicious intent was behind it. Said another way, UEBA looks for behavioral anomalies which, malicious or not, should be investigated.
Reassessing Detection Criteria
Going back to the POS case, the security team should ask itself: do we want to know when accounts are added to privileged groups shortly before audit mechanisms are disabled on POS systems? If the answer is yes, then the case described above is exactly the kind of insight the team needs, and one that no tool would have provided unless someone had already thought to write a rule for it. It also means the organization can rest assured that if a real adversary performed this or similar behavior, it would not go undetected.
The beauty of using machine learning to detect such anomalous behavior is that the system was not specifically programmed to detect it, as a SIEM correlation rule would have to be. Instead, UEBA learns what is normal for every user and entity in the environment, then surfaces the highest-risk anomalies for analysts to investigate. This means that even findings which don’t meet the classical definition of a “true positive” provide significant value, because they tend to uncover misconfigurations and other activity that, while not malicious, the security team needs visibility of.
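As an added example (not part of the original post, and not Exabeam’s code), the following Python encodes the question above as detection logic: it correlates a privileged-group add that is followed within a few minutes by an audit-policy change on the same host, runs it over a small constructed Windows Security event log modelled on the POS case, and then checks whether the same sequence recurs across many hosts at a fixed cadence, which is the signature of automation (a scheduled job or a GPO refresh) rather than an interactive intruder. Event IDs 4728/4732/4756, 4729/4733/4757 and 4719 are real Windows Security event IDs; the host names, the account name, the timestamps, the ten-minute window and the set of groups treated as privileged are assumptions made for the sample.

```python
"""Correlate privileged-group membership changes with audit-policy changes on
the same host, then check whether the pattern recurs across the fleet.

Added example, not Exabeam's code. Windows Security event IDs used:
  4728 / 4732 / 4756  member added to a security-enabled global / local / universal group
  4729 / 4733 / 4757  member removed from such a group
  4719                system audit policy was changed
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIV_ADD = {4728, 4732, 4756}
PRIV_REMOVE = {4729, 4733, 4757}
AUDIT_CHANGE = {4719}
# Assumption: which groups count as privileged in this environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}


def correlate(events, window=timedelta(minutes=10)):
    """One finding per privileged-group add that is followed, on the same host
    and within `window`, by an audit-policy change. `reverted` records whether
    the same member was removed from the group again inside the window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, e in enumerate(evs):
            if e["event_id"] not in PRIV_ADD or e.get("group") not in PRIVILEGED_GROUPS:
                continue
            follow = [f for f in evs[i + 1:] if f["time"] <= e["time"] + window]
            audit = [f for f in follow if f["event_id"] in AUDIT_CHANGE]
            if not audit:
                continue  # an ordinary group change with no audit tampering
            reverted = any(f["event_id"] in PRIV_REMOVE and f.get("member") == e["member"]
                           for f in follow)
            findings.append({"host": host, "member": e["member"], "group": e["group"],
                             "added_at": e["time"], "audit_changed_at": audit[0]["time"],
                             "reverted": reverted})
    return findings


def fleet_summary(findings, min_hosts=3):
    """Aggregate findings by (member, group). The same sequence on many hosts
    with a fixed cadence points at automation (scheduled job, GPO refresh)
    rather than an interactive intruder; either way it should be investigated."""
    per_key = defaultdict(lambda: defaultdict(list))
    for f in findings:
        per_key[(f["member"], f["group"])][f["host"]].append(f["added_at"])
    summary = []
    for (member, group), hosts in per_key.items():
        if len(hosts) < min_hosts:
            continue
        gaps = set()
        for times in hosts.values():
            times.sort()
            gaps.update(b - a for a, b in zip(times, times[1:]))
        summary.append({"member": member, "group": group, "host_count": len(hosts),
                        "cycles": max(len(t) for t in hosts.values()),
                        "fixed_cadence": len(gaps) == 1,
                        "interval": next(iter(gaps)) if len(gaps) == 1 else None})
    return summary


# ---- constructed sample log (assumed data, not real customer events) --------
T0 = datetime(2016, 3, 1, 2, 0, 0)


def ev(host, minutes, event_id, **fields):
    return {"host": host, "time": T0 + timedelta(minutes=minutes),
            "event_id": event_id, **fields}


SAMPLE_EVENTS = []
for host in ("POS-001", "POS-002", "POS-003"):
    for cycle in (0, 90):  # repeats every 90 minutes, the default Group Policy refresh interval
        SAMPLE_EVENTS += [
            ev(host, cycle + 0, 4732, member="svc_pos", group="Administrators"),
            ev(host, cycle + 1, 4719),  # audit policy changed (auditing disabled)
            ev(host, cycle + 5, 4733, member="svc_pos", group="Administrators"),
            ev(host, cycle + 6, 4719),  # audit policy changed back
        ]
# Benign admin work on another host: a group add with no audit tampering.
SAMPLE_EVENTS += [ev("POS-004", 12, 4732, member="jdoe", group="Administrators"),
                  ev("POS-004", 13, 4624)]  # a logon, ignored by the correlation

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']}: {f['member']} -> {f['group']} at {f['added_at']:%H:%M}, "
              f"audit policy changed at {f['audit_changed_at']:%H:%M}, reverted={f['reverted']}")
    for s in fleet_summary(found):
        print(s)
```

The per-host rule answers the question the team has to settle first (yes, we want to know about this sequence); the fleet summary is the first triage step, since three or more hosts showing the identical add, audit change and reversal on a fixed interval is far more consistent with policy enforcement than with an intruder working by hand. A fleet-wide hit is still a finding: it is the cue to pull the GPOs that apply to those hosts and compare their group and audit settings, not a reason to close the alert.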
Curious what Exabeam’s market leading UEBA will find in your environment? Schedule a demo today.