Compromised Insiders - Exabeam

Compromised Insiders

Detect bad actors masquerading as legitimate employees, and quickly trace and remediate their actions.

Hackers don’t break in—they log in

Employees or other users within an organization may become compromised if an adversary gains access to their credentials. Bad actors can masquerade as legitimate employees going about their normal business, making them hard to detect. Their under-the-radar activities often take weeks or months to be discovered, resulting in more severe data breaches or remediation costs.

  • Compromised Credentials
  • Lateral Movement
  • Privilege Escalation
  • Privileged Activity
  • Account Manipulation
  • Data Exfiltration
  • Evasion

Detect compromised credentials

In 2019, stolen credentials were used in 80% of reported data breaches. Without the ability to discern adversary activity from normal employee behavior, organizations continue to struggle to detect these attacks. Equally bad, investigating credential-based attacks is a complex, error-prone, and time-consuming process. Expert analysts must run dozens of search queries to trace the activities of attackers in order to understand the footprint and magnitude of the breach.

Exabeam helps security teams outsmart the complexities of compromised credentials by applying machine learning and user behavior analysis to baseline normal behavior for every user, device and peer group. Exabeam then automatically detects the anomalous behaviors that are indicative of a compromised account, regardless of the attackers’ techniques.


Identify lateral movement activity

Lateral movement is a growing problem, with nearly 60% of external attacks utilizing this stealthy tactic. Adversaries use lateral movement to pass systematically through a network to find sensitive data or high-value assets. After gaining initial access, attackers probe other assets for vulnerabilities to compromise other accounts, escalate privileges, and ultimately exfiltrate data or do other damage. Traditional security tools are unable to distinguish lateral movement activity associated with compromised accounts from normal user behavior.

Exabeam prescribes key data sources for engineers to ingest so analysts can detect risky access and techniques like pass-the-hash, pass-the-ticket, and more. Exabeam behavioral models put anomalous activity, such as first-time or failed access to hosts and assets, in the context of the historical behavior of that user, their peers, and their organization to clearly distinguish adversary behavior from normal activity.

Exabeam and Lateral Movement

Detect an attacker who escalates their privileges

Privilege escalation is the fourth most common tactic used in reported data breaches. Many legacy security systems that rely on static correlation rules are unable to detect an attacker who escalates their privileges. A privileged user’s work may not follow regular, predictable patterns, which makes privilege escalation difficult to detect. If undetected, a privilege escalation attack can enable access to high-value assets with impunity. The result of a privilege escalation attack can be devastating to an organization, as attackers gain access to networks, typically with the aim of exfiltrating data, disrupting business activity, or installing backdoors to enable continued access to internal systems.

Exabeam helps protect against attackers using privilege escalation by detecting techniques like credential enumeration, BloodHound execution, and more. Behavioral models detect anomalous activity, like first-time access to hosts and assets or permission changes, and put it in the context of the historical behavior of that user, their peers, and their organization to clearly distinguish an adversary from a normal user.
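The two preceding sections describe the same detection idea: learn which hosts each user and each peer group normally reach, then score access that is new to the user (and score it higher when it is new to the peer group as well), with repeated failed logons as a second signal. The following is an added illustration of that baselining logic, not Exabeam’s code or its models; the sample logon events, peer-group names, point values and failure threshold are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample logon events (not real data): (user, peer_group, host, outcome).
# The baseline window is what the user population "normally" does.
BASELINE_EVENTS = [
    ("alice", "finance", "fin-fs01", "success"),
    ("alice", "finance", "fin-fs01", "success"),
    ("alice", "finance", "mail01", "success"),
    ("bob", "finance", "fin-fs01", "success"),
    ("bob", "finance", "fin-db01", "success"),
    ("carol", "devops", "build01", "success"),
    ("carol", "devops", "dc01", "success"),
]

# Constructed detection window: alice drifts from her own and her peers' history.
NEW_EVENTS = [
    ("alice", "finance", "fin-fs01", "success"),  # normal for alice
    ("alice", "finance", "fin-db01", "success"),  # new to alice, but her peers use it
    ("alice", "finance", "dc01", "failure"),      # new to alice AND to the finance group
    ("alice", "finance", "dc01", "failure"),      # second failure against the same host
    ("alice", "finance", "dc01", "success"),      # eventually succeeds
]


@dataclass
class Baseline:
    user_hosts: dict   # user -> set of hosts successfully accessed
    group_hosts: dict  # peer group -> set of hosts any member accessed


def build_baseline(events):
    """Learn per-user and per-peer-group host sets from successful logons only."""
    user_hosts = defaultdict(set)
    group_hosts = defaultdict(set)
    for user, group, host, outcome in events:
        if outcome == "success":
            user_hosts[user].add(host)
            group_hosts[group].add(host)
    return Baseline(dict(user_hosts), dict(group_hosts))


def score_events(baseline, events, fail_threshold=2):
    """Score a window of events against the baseline.

    Returns (per-user risk totals, findings). Each finding is
    (user, host, reason, points). Point values are illustrative.
    """
    findings = []
    scores = defaultdict(int)
    failures = defaultdict(int)
    # Copy so a host alerts once per user per window, not on every repeat.
    seen = {u: set(h) for u, h in baseline.user_hosts.items()}
    for user, group, host, outcome in events:
        known_to_user = host in seen.get(user, set())
        known_to_group = host in baseline.group_hosts.get(group, set())
        if not known_to_user:
            if known_to_group:
                points, reason = 10, "first access to host known to peer group"
            else:
                points, reason = 40, "first access to host unknown to user and peer group"
            findings.append((user, host, reason, points))
            scores[user] += points
            seen.setdefault(user, set()).add(host)
        if outcome == "failure":
            failures[(user, host)] += 1
            if failures[(user, host)] == fail_threshold:
                findings.append((user, host, "repeated failed logons", 25))
                scores[user] += 25
    return dict(scores), findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    totals, hits = score_events(base, NEW_EVENTS)
    for hit in hits:
        print(hit)
    print(totals)
```

In a production pipeline the baseline would be rebuilt on a rolling window and the points fed into a per-session risk total, so that one low-scoring first access never pages an analyst while a cluster of them does.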

Detect, Investigate and Respond

Monitor privileged accounts

Privileged accounts are those which have greater access compared to standard users and grant extensive control over and access to sensitive data and IT systems. Bad actors target privileged accounts to bypass security controls and monitoring, disrupt corporate operations, or exfiltrate large amounts of sensitive data. According to the Ponemon Institute, these types of attacks cost organizations $2.79 million annually.

Exabeam detects adversaries performing privileged activity through the combination of user context and identification of abnormal behavior. Account activity for domain controllers, executives, and other privileged accounts is monitored, as well as activity involving disabled accounts, privileged assets, or even privileged processes.

Detect and respond to unusual behavior by privileged accounts

Outsmart attackers manipulating accounts

Account manipulations are a collection of techniques an adversary might use to persist in an environment, including changes to a user and/or group that let them maintain access to a network. This might include attempting to elevate their access by modifying the groups a compromised insider belongs to, or adding and later removing a temporary user in order to shield their true identity. By changing their permissions, adversaries can then perform malicious activity such as reconnaissance of a system, or accessing, hoarding, or exfiltrating data.

Exabeam detects account manipulation by identifying abnormal user behavior such as manipulating an organization’s Active Directory (AD), creating or deleting accounts, or modifying group membership and permissions. Exabeam also detects unusual activity performed by adversaries, like when they hide behind system accounts, or when there is abnormal activity using a non-service account.

Security teams struggle to detect attacks using account manipulation

Detect risky data exfiltration

Data exfiltration is the illicit transfer of data outside an organization by an attacker. According to the Ponemon Institute, the majority of data breaches are caused by malicious attacks and cost an average of $4.27 million. While data loss prevention (DLP) solutions alert on potential attacks, these tools can generate high volumes of false alerts. As a result, security teams must choose between chasing false positives, or simply ignoring certain alerts—possibly missing a threat.

Exabeam puts DLP alerts in the context of a user’s normal behavior to better identify when they pertain to a compromised user. By combining user activity from a variety of data sources, including those from DLP tools, Exabeam can detect risky data exfiltration across a variety of channels, including domain name system (DNS), email, or web upload.

Data exfiltration occurs when an external attacker illicitly and deliberately transfers data outside of an organization

Identify adversaries evading detection

After compromising a user or asset, adversaries use a host of evasion tactics to remain undetected. They use this time to perform additional malicious activity such as deploying malware for exfiltrating data, encrypting files for ransomware, or exploiting resources for cryptomining. The faster an organization can identify an adversary, the more it can reduce the cost of a breach. Recent research estimates organizations can save $1.12 million on average if a breach is detected within 200 days.

Exabeam detects anomalous activity associated with evasion, such as tampering with audit logs, file destruction or encryption, and the use of a Tor proxy to hide web activity.
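The account-manipulation section above (creating and deleting temporary users, changing group membership, actors outside their normal role) and this evasion section (audit-log tampering) both come down to correlating a handful of directory and audit events per actor. The following added example, which is not Exabeam’s code or its rule set, shows that correlation over constructed Windows Security events. The event IDs used are the standard ones (4720 user created, 4726 user deleted, 4728/4732/4756 member added to a security-enabled global/local/universal group, 1102 audit log cleared); the actor names, the baseline set of accounts that routinely manage users, the privileged-group list and the 24-hour “temporary account” window are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Times are ISO 8601 strings.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4720, "actor": "svc-hr-sync", "target": "jdoe", "group": None},
    {"time": "2024-03-01T22:10:00", "id": 4720, "actor": "alice", "target": "tmpadm", "group": None},
    {"time": "2024-03-01T22:11:00", "id": 4728, "actor": "alice", "target": "tmpadm", "group": "Domain Admins"},
    {"time": "2024-03-01T22:40:00", "id": 4726, "actor": "alice", "target": "tmpadm", "group": None},
    {"time": "2024-03-01T22:41:00", "id": 1102, "actor": "alice", "target": None, "group": None},
]

# Assumed baseline: accounts that create/delete users as part of their normal job.
BASELINE_ADMIN_ACTORS = {"svc-hr-sync", "helpdesk-admin"}
# Assumed list of groups whose membership changes always deserve a finding.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ACCOUNT_CHANGE_IDS = {4720, 4726, 4728, 4732, 4756}
GROUP_ADD_IDS = {4728, 4732, 4756}


def analyze(events, baseline_actors=BASELINE_ADMIN_ACTORS, temp_window=timedelta(hours=24)):
    """Correlate account-manipulation and evasion events per actor.

    Returns a list of findings (actor, reason, event_id) in time order.
    """
    findings = []
    created = {}          # (actor, target) -> creation time, for temp-account detection
    flagged_actors = set()  # alert once per actor for "outside baseline", not per event
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        actor, eid = e["actor"], e["id"]
        # Account changes by someone who does not normally perform them.
        if eid in ACCOUNT_CHANGE_IDS and actor not in baseline_actors and actor not in flagged_actors:
            flagged_actors.add(actor)
            findings.append((actor, "account change by actor outside baseline", eid))
        if eid == 4720:
            created[(actor, e["target"])] = t
        elif eid == 4726:
            # Same actor deletes an account it created shortly before: a throwaway identity.
            c = created.get((actor, e["target"]))
            if c is not None and t - c <= temp_window:
                findings.append((actor, "temporary account created and deleted", eid))
        elif eid in GROUP_ADD_IDS and e["group"] in PRIVILEGED_GROUPS:
            findings.append((actor, f"member added to privileged group {e['group']}", eid))
        elif eid == 1102:
            # Clearing the Security log is the classic audit-tampering signal.
            findings.append((actor, "security audit log cleared", eid))
    return findings


def actor_summary(findings):
    """Count findings per actor so the noisiest identity surfaces first."""
    counts = {}
    for actor, _reason, _eid in findings:
        counts[actor] = counts.get(actor, 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(actor_summary(hits))
```

The ordering matters for investigation: a group-membership change followed by deletion of the account and then a cleared audit log on the same actor within an hour is a much stronger story than any of the three events alone, which is why the findings keep the actor and the event ID rather than collapsing to a single boolean.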

Detect and respond to attackers who are performing actions to evade detection