Despite continued improvements in malware prevention, the success rate of infections still outpaces the industry's best detection methods. Signature matching picks up many types of viruses, but the nastiest contagions still penetrate our defenses. What is long overdue is the practice of better behavior monitoring, and today I want to focus on user authentication monitoring.
A Common Cold
Consider what happens when a person becomes infected with a common cold virus. The symptoms can start with any number of indicators: a sore throat, sneezing, itchy eyes, etc. These are behaviors that the individual doesn't normally exhibit. If someone experiencing these symptoms works next to a person who is already fighting a cold, we start to wonder if the virus has spread. If the person eventually comes down with a cold and then others in the office experience similar behaviors, we start to correlate these disparate events with the earlier assumption that they are the result of the same virus. Some would argue that this process of correlating events is one way that machine learning works. We often know when our co-workers are getting sick because we have developed a baseline of how they normally behave.
User Authentication Monitoring
Similar to knowing how people normally behave, we can do the same with system authentications. Take for example a typical user on a Windows laptop at the office. Perhaps after watching the user over time, we learn that the individual authenticates to 6-10 systems per day on average. If one day the username is seen authenticating to 12 systems in a short amount of time, a threshold can be triggered. This event by itself isn't definitive; it doesn't necessarily tell us the credentials have been compromised and are being used to authenticate to other machines. It could, however, certainly be suspicious, especially if the system was seen scanning the network just prior to the authentications or if a significant data transfer occurred after them. Both of those traffic patterns can be found by analyzing NetFlow and IPFIX. Correlating flow and authentication events is machine learning's way of picking up on a sore throat, sneezing, itchy eyes, etc.
“attackers began scanning internal machines connected to an infected endpoint and identified two internal Windows systems that were used to manage cameras. The attacker then used one of these compromised systems to create a new administrator-level user in Active Directory called “LocalAdministator,”” (source)
Get the Logs
In order to monitor authentications, the logs have to be gathered from LDAP, Active Directory, RADIUS, Cisco ISE, ForeScout CounterACT and other authentication systems. Algorithms then pore over the collected logs to build baselines, set thresholds and ultimately trigger events.
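The baseline-and-threshold logic described above, plus the NetFlow/IPFIX correlation (a scan before the burst of authentications, a large transfer after it), as an added example that is not code from the original post or from any product it names. The authentication log lines, the flow records, the host names and the thresholds (two standard deviations above the daily mean, 20 distinct scan targets, 500 MB for a bulk transfer) are all constructed for the example; a real deployment would tune them per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed authentication log: "timestamp user target_host". The account
# "alice" normally touches 2-4 hosts per day; on 2024-03-08 it authenticates
# to six hosts it has never used, within about ten minutes.
AUTH_LOG = """\
2024-03-04T08:02:00 alice ws-alice
2024-03-04T09:10:00 alice file-01
2024-03-04T13:40:00 alice mail-01
2024-03-05T08:05:00 alice ws-alice
2024-03-05T10:00:00 alice file-01
2024-03-06T08:01:00 alice ws-alice
2024-03-06T09:30:00 alice file-01
2024-03-06T11:00:00 alice print-01
2024-03-06T15:20:00 alice mail-01
2024-03-07T08:00:00 alice ws-alice
2024-03-07T12:00:00 alice file-01
2024-03-07T16:10:00 alice mail-01
2024-03-08T08:03:00 alice ws-alice
2024-03-08T14:00:00 alice file-01
2024-03-08T14:02:00 alice srv-db-01
2024-03-08T14:03:00 alice srv-db-02
2024-03-08T14:05:00 alice srv-app-01
2024-03-08T14:06:00 alice srv-app-02
2024-03-08T14:09:00 alice cam-mgmt-01
2024-03-08T14:12:00 alice cam-mgmt-02
"""

# Constructed flow records: (timestamp, src, dst, dst_port, bytes).
# 25 tiny SMB flows to consecutive addresses just before the burst look like a
# scan; one 900 MB outbound flow shortly after it looks like a bulk transfer.
FLOWS = [(datetime(2024, 3, 8, 13, 50, n), "ws-alice", f"10.0.0.{n}", 445, 60)
         for n in range(1, 26)]
FLOWS += [
    (datetime(2024, 3, 8, 11, 0, 0), "ws-alice", "file-01", 445, 2_500_000),
    (datetime(2024, 3, 8, 14, 40, 0), "ws-alice", "203.0.113.5", 443, 900_000_000),
]


def parse_auth(text):
    """Turn the log text into (timestamp, user, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def detect_auth_spikes(events, k=2.0, min_delta=2, min_history=3):
    """Per user, baseline the distinct hosts authenticated to per day and alert
    when a day exceeds mean + k*stddev by at least min_delta hosts."""
    per_day = defaultdict(lambda: defaultdict(list))
    for ts, user, host in events:
        per_day[user][ts.date()].append((ts, host))

    alerts = []
    for user, days in per_day.items():
        history, known = [], set()          # prior daily counts, prior hosts
        for day in sorted(days):
            day_hosts = {h for _, h in days[day]}
            count = len(day_hosts)
            if len(history) >= min_history:
                base = float(mean(history))
                threshold = base + k * pstdev(history)
                if count > threshold and count - base >= min_delta:
                    # The burst window spans the authentications to hosts the
                    # user has never touched before (whole day if none).
                    novel = [ts for ts, h in days[day] if h not in known]
                    times = novel or [ts for ts, _ in days[day]]
                    alerts.append({"user": user, "date": day, "hosts": count,
                                   "baseline": base,
                                   "threshold": round(threshold, 2),
                                   "window": (min(times), max(times))})
                    continue                # don't let the anomaly feed the baseline
            history.append(count)
            known |= day_hosts
    return alerts


def correlate_with_flows(alert, flows, before=timedelta(minutes=30),
                         after=timedelta(hours=1), scan_targets=20,
                         bulk_bytes=500_000_000):
    """Look for a scan in the window before the burst and a large transfer in
    the window after it."""
    start, end = alert["window"]
    targets, bulk = defaultdict(set), []
    for ts, src, dst, _port, nbytes in flows:
        if start - before <= ts < start:
            targets[src].add(dst)
        elif end < ts <= end + after and nbytes >= bulk_bytes:
            bulk.append((src, dst, nbytes))
    scanners = [src for src, dsts in targets.items() if len(dsts) >= scan_targets]
    return {"scan_before": scanners, "bulk_after": bulk}


def triage(alert, flows):
    """Rank the authentication alert by how many flow signals back it up."""
    corr = correlate_with_flows(alert, flows)
    signals = sum(1 for v in corr.values() if v)
    return {0: "low", 1: "medium", 2: "high"}[signals]


if __name__ == "__main__":
    for alert in detect_auth_spikes(parse_auth(AUTH_LOG)):
        print(alert["user"], alert["date"], alert["hosts"], "hosts vs baseline",
              alert["baseline"], "->", triage(alert, FLOWS))
```

Two design points worth noting: an alerted day is deliberately kept out of the running baseline so that a compromise does not teach the model that a burst is normal, and the correlation windows are anchored on the first and last authentication to a previously unseen host rather than on the first login of the day, since the morning workstation logon is part of the baseline and would otherwise hide the scan.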
Behavior Monitoring Works
Given the continued use of polymorphic infections that evade signature matching, the way we hunt for miscreants must change. Cyber weapons consistently seek out and exploit authentication credentials, a behavior that has held steady for over 20 years. Collecting passwords in order to authenticate to a system still leaves a trail that can lead to detection and ultimately mitigation.
Suspicious events found in authentication metadata, correlated with unwanted traffic patterns found by analyzing NetFlow and IPFIX, can lead to the discovery of contagions that are capable of dynamically changing their digital signatures. When it comes to behaviors, however, some things never change. If you want to learn more, check out Security Analytics.