It has recently been widely reported that South Australian government employees have been the victims of a cyberattack in which personal data was stolen due to malicious activity on payroll software provider Frontier.
An additional 13,000 employees were added to the 80,000 announced at the end of 2021, bringing the total to more than 90,000 current and former employees whose personal credentials have been compromised in the attack.
Exabeam’s APJ sales director, Gareth Cox, reminds organizations that an organization “cannot defend what it cannot see”.
They must answer the following three questions to enable the best security operations possible as CISOs.
This is the million-dollar question. Understanding what normal activity looks like in your environment is key to detecting anomalous activity.
Here are a few examples:
A user resets their credentials outside of the corporate change window. A user who usually doesn’t create new accounts has made several arrangements outside the registration process. A contractor has gained access to a new system of administrator credentials. A method in your cloud account accesses a database every 30 seconds. A user staged some files and did nothing else. A system communicates with a remote server that we have never seen. A user copies a significant number of files. A developer accesses a system with access through a backdoor. A user has just sent many emails to his account. A previously silent service account now surfs the web or logs in interactively on other systems.
Rules are great but only detect known acquaintances. With behavioral models running in the background, you enable a CPU to spot anomalies and assign risk values instead of one of your heroes. There is something more to this process; one monster is usually insufficient to take decisive action. That sets us up for the next question.
2. Do you create and use timelines?
I hope you have never experienced a breach. If so, one of the first things the expensive third party you hire will do is set up a timeline of activities to locate the attack and the systems affected – even at best; this is still static and at a specific time.
After more than 25 years in cybersecurity, I’ve never seen anything more powerful than the impact of timelines for a security operations team. When done correctly, timelines answer the unanswerable; they provide a contextualized time window for any activity associated with a user or asset.
Triggering the above examples will increase the risk score and automatically put any user or item on a watchlist. The timeline is ready to help any level of analyst determine what other activities have taken place that could increase their level of risk and encourage automated or manual intervention.
If you experience a breach, you’ll likely pay a third-party IR company to help you assess the damage and remove adversaries. The tool they use to do this is a timeline. Automatic tools to leverage timelines are an evolution beyond third-party support. Among other things, they are automated and signal deviant behavior. Timelines are showstoppers – attackers hate them!
3. What is your plan for credential-based attacks?
With a few exceptions, all the most recent destructive breaches were from insiders and credential-based attacks. The opponents know the exercise:
Get someone’s references. Avoid detecting external threats. Get access with legitimate credentials. Move sideways.
With credentials for sale on criminal marketplaces for $15 per person and admin credentials selling for anywhere from $500 to $100,000, there is an opportunity for sellers and buyers alike.
Add to that the recent Lapsus$ attacks are another wrinkle, with the attacking/criminal organization using social media to recruit insiders for tens of thousands of dollars. This is a new insider threat vector, “colluding insiders”.
Your credential-based attack plan must extend beyond cybercriminals. It would help to consider others: employees, contractors, suppliers, partners, and ex-employees whose access is not disabled. This level of attention also supports supply chain security and third-party risk management. There is more.
Your plan should be to identify credentials-based attacks (insider threats) as quickly as possible before they become major incidents. Unlike external threats, internal threats typically develop over a long period.
To discover them, you need to be able to track user behavior that is not in a normal range (question #1) and likely contains timelines (question #2) to respond immediately.
Simply put, best-in-class security operations need the well-thought-out capabilities of a next-gen SIEM.
Organize security activities around capabilities.
The primary tool for identifying insider threat behavior is a SIEM with UEBA capabilities that applies data science to all users and asset activities to determine a normal baseline of expected behavior. Then, when the behavior deviates from that baseline, the solution brings those users and assets to security analysts’ attention.