This article gives an overview of behavior analytics and describes the types of behavior analytical models that are built into the Resolution Intelligence Cloud.
Behavior analytics is the process of collecting, measuring, and analyzing data about how users and entities act. It uses statistical and mathematical techniques to find patterns in behavior and interactions. By analyzing those patterns, organizations gain insight into user preferences, tendencies, and potential areas for improvement.
Understanding Behaviors in Resolution Intelligence Cloud™
Before delving into behavior analysis within the Resolution Intelligence Cloud, it's imperative to grasp what constitutes a behavior. Resolution Intelligence Cloud offers remarkable flexibility by enabling advanced computation not only on traditional elements like User, Hosts, and IP but also on any other attribute present in your event data. This expansive capability extends Behavior Analytics in the Resolution Intelligence Cloud beyond the confines of traditional UEBA (User and Entity Behavior Analytics).
Let's illustrate with examples. Suppose we aim to monitor user logins from unusual locations. In this scenario, we would select attributes such as "User ID" and "Location" for analysis. Consider the following sample dataset:
- 10th Jan: User John, Location: California
- 10th Jan: User John, Location: California
- 10th Jan: User Lynn, Location: California
- 11th Jan: User Pete, Location: Cape Town
- 12th Jan: User John, Location: Bangalore
In the given dataset, we track four unique behaviors:
1. John in California
2. Lynn in California
3. Pete in Cape Town
4. John in Bangalore
In essence, every distinct combination of values across selected dimensions constitutes a unique behavior.
Another example further illustrates this concept. Suppose we want to track abnormal resource creation in a cloud environment. In this case, we would create a model with the attributes metadata_product_name, target_resource_resource_type, and target_location_name. With a sample set like this:
- metadata_product_name: AWS CloudTrail, target_resource_resource_type: Virtual_machine, target_location_name: us-east-1
- metadata_product_name: Azure Activity, target_resource_resource_type: Storage bucket, target_location_name: East US
- metadata_product_name: AWS CloudTrail, target_resource_resource_type: Access_policy, target_location_name: us-east-1
In the above set, we track three behaviors:
1. AWS CloudTrail, Virtual_machine, us-east-1
2. Azure Activity, Storage bucket, East US
3. AWS CloudTrail, Access_policy, us-east-1
As before, every distinct combination of values across the selected dimensions constitutes a unique behavior. Because the dimensions can be any fields in the event data, the same approach gives a nuanced view of user, host, and cloud-resource activity within the Resolution Intelligence Cloud.
Types of behavior analytics
Resolution Intelligence Cloud prioritizes detecting a wide range of attack vectors and scenarios with built-in analytical models. The following analytical models are available in the pre-GA release.

| Analytical type | Description |
| --- | --- |
| Deviation in Count | Identifies deviation in the number of occurrences of an activity. |
| Deviation in Volume | Tracks deviation in transaction volume for any numeric field in the log source. |
| Enumeration | Tracks enumeration attacks, that is, attempts to discover information about a system or network. The model has two analysis types, Rarity and Deviation; you can use either one or both when configuring the model. |
| Rare occurrence of an event | Compares an event's frequency to past behaviors. |
Deviation in Count
Detect unusual peaks and troughs in any activity in your environment with Deviation in Count. For example: sign-in failure rates that are abnormally higher than usual, access to an unusual number of resources in an environment, or an unusual number of files modified by a user.
For each combination of values of the selected UDM fields, the model generates a baseline behavior.
Use case: Abnormal spike in login fail attempts
An attacker tries to log in to systems by brute force or credential stuffing in order to steal confidential data or distribute malware to other systems within the organization.
For example, Emily, a system administrator, normally has a low number of failed login attempts because she is familiar with the login process. The Deviation in Count model flags a sudden increase in failed login attempts against Emily's account over a short period. Investigation reveals multiple failed attempts from different IP addresses in remote locations during non-business hours, indicating a brute-force or credential-stuffing attack targeting her account.
The Deviation in Count model detects such spikes because it establishes a baseline of the usual failure count for each account during the model's training, and compares each new period against that baseline.
Deviation in Volume
Deviation in volume spots any anomalous transactional volume in your environment. For example, a sudden spike in data uploaded from a host. This model requires a numeric field to establish a baseline and a string field to create attribution.
You can choose whether the model baselines on the maximum, minimum, average, or sum of the transactional activity over the defined aggregation window: hourly, daily, or weekly.
Use case: Insiders (employees or contractors) download large volumes of data from the organization (data exfiltration)
An insider downloads intellectual property to a personal Google Drive as an act of espionage.
For example, Lisa, a mid-level employee in the finance department, typically accesses and downloads financial reports and client data in reasonable volumes as part of her daily work. The Deviation in Volume model flags a significant spike in Lisa's download activity over the past week. Investigation reveals that Lisa has been downloading unusually large amounts of sensitive client data outside her normal working hours.
The Deviation in Volume model identifies outliers against the baseline set during the model's training period, which uses the last 60 days of data counted from the day the model is enabled.
Note: After the training period, the model retrains its baselines every week.
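The two deviation models above share one mechanism: reduce events to one value per behavior and day, learn a per-behavior baseline over a training window, and flag a day whose value sits far from that baseline. The following added example (not code from the Resolution Intelligence Cloud product, which does not publish its algorithm) implements that mechanism in Python for both the Emily login-failure case and the Lisa download case. A count is treated as the sum of one per event, so the same baseline and detection functions serve Deviation in Count and Deviation in Volume. The z-score threshold of 3, the 10-day training window used for the sample (the product uses 60 days), and all event data are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Aggregations the Deviation in Volume model can baseline on.
AGGREGATORS = {"sum": sum, "max": max, "min": min, "avg": mean}


def daily_series(events, key_field, value_field=None, agg="sum"):
    """Reduce events to one value per (behavior key, day).

    value_field=None counts occurrences (Deviation in Count); otherwise the
    chosen aggregation of the numeric field is taken (Deviation in Volume).
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[(e[key_field], e["day"])].append(1 if value_field is None else e[value_field])
    if value_field is None:
        agg = "sum"  # a count is the sum of one per event
    return {k: AGGREGATORS[agg](v) for k, v in buckets.items()}


def build_baseline(series, training_end, training_days):
    """Mean and standard deviation of the daily value for every behavior key seen
    in the training window [training_end - training_days, training_end).
    Days without activity count as 0, so a normally quiet key still deviates."""
    days = [training_end - timedelta(days=n) for n in range(training_days, 0, -1)]
    baseline = {}
    for key in {k for (k, d) in series if d in days}:
        values = [series.get((key, d), 0) for d in days]
        baseline[key] = (mean(values), pstdev(values))
    return baseline


def detect(series, baseline, detection_day, threshold=3.0):
    """Return (key, value, z) for each key whose value on detection_day is at least
    `threshold` standard deviations from its baseline (peak or trough). A key with
    a flat baseline is flagged on any change; a key with no baseline at all is
    ignored here, since a first occurrence belongs to the rare occurrence model."""
    flagged = []
    for (key, day), value in series.items():
        if day != detection_day or key not in baseline:
            continue
        mu, sigma = baseline[key]
        z = (value - mu) / sigma if sigma else (float("inf") if value != mu else 0.0)
        if abs(z) >= threshold:
            flagged.append((key, value, z))
    return flagged


# Constructed sample data (not real telemetry): ten training days, then one
# detection day. Day 0 for emily has no failures, which exercises the zero-fill.
T0 = date(2024, 1, 1)
DETECTION_DAY = T0 + timedelta(days=10)
EMILY_FAILS_PER_DAY = [0, 1, 2, 1, 0, 1, 2, 1, 0, 2]
LISA_DOWNLOADS_MB = ([30, 30, 30], [40, 30, 30], [30, 30, 20], [40, 40, 30])

LOGIN_FAILURES = (
    [{"day": T0 + timedelta(days=d), "user": "emily"}
     for d, n in enumerate(EMILY_FAILS_PER_DAY) for _ in range(n)]
    + [{"day": T0 + timedelta(days=d), "user": "dan"} for d in range(11)]  # steady 1/day
    + [{"day": DETECTION_DAY, "user": "emily"} for _ in range(25)]        # the spike
)
DOWNLOADS = (
    [{"day": T0 + timedelta(days=d), "user": "lisa", "bytes": mb * 1_000_000}
     for d in range(10) for mb in LISA_DOWNLOADS_MB[d % 4]]
    + [{"day": DETECTION_DAY, "user": "lisa", "bytes": 300_000_000} for _ in range(10)]
)


def run_count_model():
    """Deviation in Count over login failures, keyed by user."""
    series = daily_series(LOGIN_FAILURES, "user")
    baseline = build_baseline(series, DETECTION_DAY, training_days=10)
    return baseline, detect(series, baseline, DETECTION_DAY)


def run_volume_model(agg="sum"):
    """Deviation in Volume over bytes downloaded, keyed by user."""
    series = daily_series(DOWNLOADS, "user", "bytes", agg)
    baseline = build_baseline(series, DETECTION_DAY, training_days=10)
    return baseline, detect(series, baseline, DETECTION_DAY)


if __name__ == "__main__":
    for name, (baseline, hits) in (("count", run_count_model()), ("volume", run_volume_model())):
        for key, value, z in hits:
            mu, sigma = baseline[key]
            print(f"{name}: {key} value={value} baseline mean={mu:.1f} sd={sigma:.2f} z={z:.1f}")
```

Emily's 25 failures on the detection day are flagged while Dan's steady one-per-day is not, and Lisa's 3 GB day is flagged against a 95 MB/day baseline. Passing `agg="max"` to `run_volume_model` baselines on the largest single download per day instead of the daily total, which is the choice to make when one oversized transfer matters more than many small ones.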
Enumeration
The enumeration model tracks enumeration attacks, that is, attempts to discover information about a system or network. An attacker uses that information to plan follow-on attacks such as brute-force or password dictionary attacks. For example, an attacker scanning a large number of ports on a system is often reconnaissance that precedes such an attack.
The enumeration model has been segregated into two types:
- Rarity: In this analysis type, the model detects a rare behavior by baselining against the usual behavior of source and target ports. The usual behavior for source and target is aggregated daily.
- Deviation: In this analysis type, the model detects an anomaly when a source connects to an unusual number of targets, baselining against the defined count of targets. The count of targets is aggregated daily.
Note: You can use either one or both analysis types when configuring the enumeration model.
Enumeration attacks are carried out via multiple methods, which include:
- Port scanning: This involves scanning a system or network for open ports. Open ports can then be targeted for further attacks.
  Use case: The following example illustrates how an attacker gains access to internal systems via vulnerable ports.
  Alex, a network administrator, routinely runs network scans to identify vulnerabilities and keep the network secure. The enumeration model deployed in his organization flags a spike in port scans from Alex's account. Upon investigation, it is found that an attacker has gained access to Alex's account and is scanning for vulnerable ports to map out the organization's infrastructure. The enumeration model detects this abnormal behavior and triggers an alert, enabling the security team to respond promptly and contain the breach.
- Ping scanning: This involves sending ping requests to a system or network to see whether it responds. This can be used to identify active hosts.
- DNS enumeration: This involves querying DNS servers for information about a domain name. The information can be used to identify subdomains, mail servers, and other hosts associated with the domain.
  Use case: The following example describes how DNS brute-force activity against an internal system is detected.
  Sarah, a legitimate employee, routinely queries a small set of internal DNS subdomains during her working hours. The enumeration model learns this as her normal pattern. At an unusual time, the model detects a very large number of DNS queries originating from internal IP addresses that do not match any user profile. The queried subdomains include keywords such as "admin", "hr", and "finance", an attempt to locate sensitive areas of the network. Resolution Intelligence Cloud receives the signal, turns it into an actionable item, and alerts the responsible personnel so they can mitigate the issue.
Other examples of behaviors the model can track include:
- One S3 bucket accessed by many unique accounts.
- One machine with many unique login failures.
- One source IP and one destination IP targeting many distinct ports.
- One account and one port targeting many distinct destination addresses.
Rare occurrence of an event
The Rare occurrence model learns past behaviors for the selected combination of UDM fields in order to distinguish a rare behavior from a repeated one. If an activity that is currently considered rare keeps being repeated, the model eventually learns it and no longer flags it as rare.
Note: The rare occurrence model will also detect the first occurrence for the combination of UDM fields. To precisely track the first occurrence, along with attaching distinct priorities and tactics, create a first occurrence model.
Use case: Unusual user login detected from an unusual location
The primary purpose of a behavior model is to protect users from threats and attacks. Enabling a behavior model in Resolution Intelligence Cloud helps detect unusual logins by a user from an unusual location.
Suppose we aim to monitor user logins from unusual locations, using the same attributes as in the first example, "User ID" and "Location". Consider the following sample dataset:
- 10th Jan: User John, Location: California
- 10th Jan: User John, Location: California
- 10th Jan: User Lynn, Location: California
- 11th Jan: User Pete, Location: Cape Town
- 12th Jan: User John, Location: Bangalore
In the given dataset, we track four unique behaviors:
1. John in California
2. Lynn in California
3. Pete in Cape Town
4. John in Bangalore
John in California is seen repeatedly, so the model learns it as his usual behavior. John in Bangalore on 12th Jan is the first occurrence of that combination and is flagged as a rare behavior; if John kept logging in from Bangalore, the model would eventually learn that too and stop flagging it.
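The following added example (written for this article, not the product's own implementation) replays the login dataset above through a small rare-occurrence learner. Every distinct tuple of the selected fields is a behavior; a tuple never seen before is a first occurrence, one seen on only a few days is rare, and one seen often enough becomes usual. The threshold of three distinct days before a behavior counts as usual, the year in the dates, and the three extra California logins appended to show the learning effect are all assumptions of the example.

```python
from collections import defaultdict
from datetime import date


class RareOccurrenceModel:
    """Learns which combinations of the selected fields are routine.

    A combination never observed before is a first occurrence; one observed on
    fewer than `rare_days` distinct days so far is rare; anything else is usual.
    The rare_days threshold is an assumption of this example, not a documented
    product setting. Repeating a rare behavior moves it to usual.
    """

    def __init__(self, fields, rare_days=3):
        self.fields = tuple(fields)
        self.rare_days = rare_days
        self.days_seen = defaultdict(set)  # behavior key -> days on which it occurred

    def key(self, event):
        return tuple(event[f] for f in self.fields)

    def observe(self, event):
        """Classify one event against what the model has seen so far, then learn it."""
        k = self.key(event)
        prior_days = len(self.days_seen[k])
        if prior_days == 0:
            verdict = "first"
        elif prior_days < self.rare_days:
            verdict = "rare"
        else:
            verdict = "usual"
        self.days_seen[k].add(event["day"])
        return k, verdict


def replay(events, fields, rare_days=3):
    """Feed events in chronological order and return (behavior, verdict) per event."""
    model = RareOccurrenceModel(fields, rare_days)
    return [model.observe(e) for e in sorted(events, key=lambda e: e["day"])]


# The five logins from the article's dataset (year assumed).
ARTICLE_EVENTS = [
    {"day": date(2024, 1, 10), "user": "John", "location": "California"},
    {"day": date(2024, 1, 10), "user": "John", "location": "California"},
    {"day": date(2024, 1, 10), "user": "Lynn", "location": "California"},
    {"day": date(2024, 1, 11), "user": "Pete", "location": "Cape Town"},
    {"day": date(2024, 1, 12), "user": "John", "location": "Bangalore"},
]
# Constructed follow-on logins (not from the article) showing John's California
# logins becoming a learned, usual behavior.
EXTRA_EVENTS = [
    {"day": date(2024, 1, d), "user": "John", "location": "California"} for d in (11, 12, 13)
]

if __name__ == "__main__":
    for behavior, verdict in replay(ARTICLE_EVENTS + EXTRA_EVENTS, ("user", "location")):
        print(f"{verdict:5s} {behavior}")
```

On the article's five events the model reports four first occurrences, including John in Bangalore, and one rare repeat (John's second California login on the same day). With the extra events appended, John in California is rare on 11th and 12th Jan and usual by 13th Jan, which is the "model learns it and no longer distinguishes it as rare" behavior described above. The same replay works unchanged for any other field combination, such as the cloud-resource attributes from the earlier example.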
So, you have delved into the types of behavior models that we offer. Let's create a behavior model that you can use to detect and monitor user behavior.