August 30, 2016 - Joe Franscella

Interpret User Behavior Using Breach Detection Analytics

<p>Successfully avoiding victimization by hackers is a lofty goal that may be altogether unrealistic in today’s climate of cyber threats. In a recent poll, successful network <a href="http://www.zdnet.com/article/two-thirds-of-large-businesses-have-suffered-a-data-breach-in-past-year/" target="_blank">hacks affected two-thirds of companies</a> in the last year, with one-quarter of the respondents reporting breaches occurring monthly!</p>
<p>Eliminating breaches altogether is ideal but not entirely feasible. The prevalent attitude nowadays is to try to detect breaches before they occur, but to prepare for an inevitable successful hack.</p>
<p>Data extrusion (also called <em>exfiltration</em>) is the end goal of many hackers. In some cases, <a href="https://www.anomali.com/blog/what-happens-to-your-data-without-cybersecurity">hackers delete or sabotage data</a>, but in many cases, victims’ files can be copied to other machines and exploited depending on their content. This transfer can be initiated locally by an insider or remotely via a compromised connection. When an advanced persistent threat is taking place, the victim is often unaware that an enemy actor is accessing their files, reading emails, and so on. Most breaches go undetected for months. During this time you may be spied upon, have your work stolen, or have your network abused to perpetrate DDoS attacks against others.</p>
<p>Recently the Democratic National Convention experienced a hack, reportedly perpetrated by intelligence-affiliated hackers in Russia. Investigators were able to use breach detection analytics to determine the source of the hacks, the type of files accessed (mostly emails and chats), and the duration of the APT.
At least one of the groups behind the <a href="https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html" target="_blank">DNC hacks went undetected for at least a year</a>.</p>
<p>Precursory activities leading up to a breach are complex and must be understood in context. Many behavior patterns have been identified that precede an attack. Think of them as “tells” that can now, with considerable effort, be identified with artificial intelligence. Breach detection analytics are a complex set of factors defined from successful hacking events of the past. User behavior analytics are able to detect problems which are more nuanced than the presence of malware.</p>
<p>Events analyzed for indicators of compromise:</p>
<ul>
<li>Unusual remote user behavior</li>
<li>Unwarranted activity to access privileged files</li>
<li>Traffic to or from known hackers</li>
<li>Traffic to or from user-identified adversaries</li>
<li>Compromised files in cloud storage</li>
<li>Suspicious <a href="https://www.anomali.com/blog/secure-credential-and-certificate-management-for-data-pipelines">login credential activity</a></li>
<li>Unexplained or unnecessary changes to user privileges</li>
<li>Unusual surges in traffic</li>
</ul>
<p>In the aftermath of an attack, there is much to be learned. Logical engines can correlate different data points and allow investigators to follow enemy activity all along the kill chain. Stacking or grouping these alerts helps to prioritize responses and stay organized. You can use breach detection analytics to examine enemy activity from the first attempts at phishing to the initial foothold all of the way through to full network exploitation.</p>
<p>Cyber-security is an end goal as well as a process by which we investigate adversaries and adjust security measures accordingly.
Combining threat data into one central threat-analyzing platform will allow you to leverage breach detection analytics. When your threat intelligence platform is configured properly, you can respond at the first sign of a threat.</p>
<p>Threat intelligence has emerged as the next big data challenge for businesses and governmental agencies. The growth of malware variants, threat actors and attack vectors has also meant an explosion in the number of indicators of compromise (IOCs). Today these IOCs number in the tens of millions. Knowing which of these should matter to your organization at any given moment is now a huge challenge and makes finding value in threat intelligence data increasingly difficult. Anomali Match Breach Analytics automates analysis of your log data to provide your organization threat intelligence that matters.</p>
<p>Download the white paper to understand the value of this breakthrough approach.</p>
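<p>The indicator list above and the alert stacking that follows it can be tried out on a small scale. The code below is an added example, not Anomali's code or any logic from Match Breach Analytics: it runs a handful of rules that correspond to six categories from the list (unusual remote login, suspicious credential activity, privileged file access, traffic to a listed address, an unexplained privilege change, and an egress surge) over a constructed set of parsed log events, then groups the resulting alerts per user and scores them so the user with the most stacked indicators is handled first. The event records, the listed address 203.0.113.66 (from a documentation range), the per-user baselines, the thresholds and the indicator weights are all constructed placeholders.</p>

```python
from collections import defaultdict

# Constructed reference data (placeholders, not real intelligence or customer baselines).
KNOWN_BAD_IPS = {"203.0.113.66"}                      # "traffic to or from known hackers"
SENSITIVE_PREFIXES = ("/finance/", "/hr/")            # privileged file locations
ADMIN_USERS = {"bob"}                                 # users entitled to read them
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}
BASELINE_BYTES_OUT = {"alice": 50_000, "bob": 80_000, "carol": 60_000}  # per-day egress baseline
FAILED_LOGIN_THRESHOLD = 3   # failures before a following success is suspicious
SURGE_FACTOR = 10            # egress this many times the baseline counts as a surge

# Constructed, already-parsed log events for one day (no real incident data).
EVENTS = [
    {"user": "alice", "kind": "login", "ok": False, "src": "203.0.113.66", "country": "RO"},
    {"user": "alice", "kind": "login", "ok": False, "src": "203.0.113.66", "country": "RO"},
    {"user": "alice", "kind": "login", "ok": False, "src": "203.0.113.66", "country": "RO"},
    {"user": "alice", "kind": "login", "ok": True,  "src": "203.0.113.66", "country": "RO"},
    {"user": "alice", "kind": "file_read", "path": "/finance/payroll.xlsx"},
    {"user": "alice", "kind": "priv_change", "group": "Domain Admins", "ticket": None},
    {"user": "alice", "kind": "net", "dst": "203.0.113.66", "bytes_out": 900_000},
    {"user": "bob", "kind": "login", "ok": True, "src": "10.0.0.5", "country": "US"},
    {"user": "bob", "kind": "file_read", "path": "/finance/budget.xlsx"},
    {"user": "carol", "kind": "login", "ok": False, "src": "10.0.0.9", "country": "US"},
    {"user": "carol", "kind": "login", "ok": True, "src": "198.51.100.7", "country": "DE"},
    {"user": "carol", "kind": "net", "dst": "93.184.216.34", "bytes_out": 20_000},
]

# Weight each indicator contributes when alerts are stacked per user (tuning assumption).
WEIGHTS = {
    "unusual_remote_login": 2, "credential_activity": 3, "privileged_file_access": 3,
    "adversary_traffic": 4, "unexplained_priv_change": 4, "traffic_surge": 3,
}


def detect(events):
    """Map events to alerts (user, indicator, detail); identical alerts collapse to one."""
    alerts = set()
    failures = defaultdict(int)   # consecutive failed logins per user
    egress = defaultdict(int)     # bytes sent out per user over the whole event set
    for e in events:
        u, kind = e["user"], e["kind"]
        if kind == "login":
            if e["country"] != HOME_COUNTRY.get(u):
                alerts.add((u, "unusual_remote_login", f"login from {e['country']} via {e['src']}"))
            if e["src"] in KNOWN_BAD_IPS:
                alerts.add((u, "adversary_traffic", f"login from listed address {e['src']}"))
            if e["ok"]:
                if failures[u] >= FAILED_LOGIN_THRESHOLD:
                    alerts.add((u, "credential_activity", f"success after {failures[u]} failures"))
                failures[u] = 0
            else:
                failures[u] += 1
        elif kind == "file_read":
            if e["path"].startswith(SENSITIVE_PREFIXES) and u not in ADMIN_USERS:
                alerts.add((u, "privileged_file_access", e["path"]))
        elif kind == "priv_change":
            if e["ticket"] is None:   # no change ticket explains the new group membership
                alerts.add((u, "unexplained_priv_change", f"added to {e['group']} without a ticket"))
        elif kind == "net":
            egress[u] += e["bytes_out"]
            if e["dst"] in KNOWN_BAD_IPS:
                alerts.add((u, "adversary_traffic", f"outbound to listed address {e['dst']}"))
    for u, total in egress.items():
        baseline = BASELINE_BYTES_OUT.get(u, 0)
        if total > SURGE_FACTOR * baseline:
            alerts.add((u, "traffic_surge", f"{total} bytes out vs baseline {baseline}"))
    return sorted(alerts)


def stack(alerts):
    """Group alerts per user, score them, and return users ordered for response."""
    score = defaultdict(int)
    reasons = defaultdict(list)
    for u, indicator, detail in alerts:
        score[u] += WEIGHTS[indicator]
        reasons[u].append(f"{indicator}: {detail}")
    return sorted(((u, score[u], reasons[u]) for u in score), key=lambda r: -r[1])


if __name__ == "__main__":
    for user, total, why in stack(detect(EVENTS)):
        print(f"{user}: score {total}")
        for line in why:
            print("   ", line)
```

<p>Run as a script, the ranking puts alice first with seven stacked alerts (score 23) and carol second with a single out-of-country login (score 2); bob reads a finance file but is an entitled admin, so no alert fires. Two design points carry over to real platforms: the per-user grouping is what turns scattered single alerts into a kill-chain view of one account, and the weights and thresholds are policy, not detection logic, so they should be tuned against the organization's own baselines rather than copied from this example.</p>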
