Abnormal Activity
Abnormal Account Activity
Monitoring use of user accounts is an effective way to identify suspicious activity.
- e.g.,
  - A user account for an employee with well-defined working hours being used during the night
  - A user account provisioned to only work on desktop computers being used on a server computer
  - A user account created on a local computer or created by a user without authorization to create accounts
  - An account being added to a group unexpectedly or added by an unauthorized individual
Impossible travel is an indicator derived from tracking information such as GPS location, IP address, or the user's device to pinpoint the user's location and determine whether the observed behavior (e.g., two logins from distant places within a short interval) was physically possible.
  - an indicator that has become more common with remote work and cloud computing
  - can be a false positive caused by VPN use, since the VPN egress address may be far from the user's actual location
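The two account indicators above (off-hours use of an account with defined working hours, and impossible travel between successive logins) as a worked check over a constructed login log. This is an added example, not part of the original notes; the schedule, login events, the 900 km/h speed ceiling and the VPN flag are all assumptions.

```python
"""Added example (not from the original notes): flags off-hours logins and
impossible travel over a constructed login log. Schedule, events and
thresholds are assumptions."""
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner speed
MIN_DISTANCE_KM = 10.0           # ignore geolocation noise below this

# Constructed working-hours schedule per account (assumption).
WORKING_HOURS = {"alice": (time(8, 0), time(18, 0))}

# Constructed login events: (user, UTC timestamp, lat, lon, via_vpn).
LOGINS = [
    ("alice", "2024-05-06T09:05:00", 51.5074, -0.1278, False),   # London
    ("alice", "2024-05-06T10:30:00", 40.7128, -74.0060, False),  # New York
    ("alice", "2024-05-07T02:15:00", 51.5074, -0.1278, False),   # London, night
    ("alice", "2024-05-07T09:00:00", 35.6762, 139.6503, True),   # Tokyo, VPN
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def off_hours(user, ts):
    """True when the login falls outside the account's defined working hours."""
    if user not in WORKING_HOURS:
        return False
    start, end = WORKING_HOURS[user]
    return not (start <= ts.time() <= end)


def find_anomalies(logins):
    """Return (event index, indicator) findings over a chronological login list."""
    findings = []
    last_seen = {}  # user -> (timestamp, lat, lon)
    for i, (user, ts_str, lat, lon, via_vpn) in enumerate(logins):
        ts = datetime.fromisoformat(ts_str)
        if off_hours(user, ts):
            findings.append((i, "off-hours-login"))
        if user in last_seen:
            prev_ts, plat, plon = last_seen[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            # Same-timestamp logins from distant places are also impossible.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_SPEED_KMH:
                # VPN egress can make travel look impossible, so label it separately
                # for lower-severity triage instead of dropping the finding.
                label = "impossible-travel-possible-vpn" if via_vpn else "impossible-travel"
                findings.append((i, label))
        last_seen[user] = (ts, lat, lon)
    return findings


if __name__ == "__main__":
    for idx, indicator in find_anomalies(LOGINS):
        print(idx, LOGINS[idx][0], LOGINS[idx][1], indicator)
```

The London-to-New York pair 85 minutes apart is flagged as impossible travel, the 02:15 login is flagged as off-hours, and the Tokyo login arriving through a VPN is kept but labelled so an analyst can check the VPN egress before treating it as account compromise.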
Abnormal Behavior and Patterns
Monitoring computer activity may reveal problematic activities or sequences of activities that match known attack patterns.
- e.g.,
  - Evidence of communication with known malicious IP addresses or domain names
  - Abnormal communication patterns such as encrypted communication between a device and a remote host every two minutes
  - Abnormal protocol activity such as gigabytes of DNS traffic or ping requests that do not receive responses or have unusual packet sizes
  - Evidence of traffic on ports associated with C&C traffic using encoded communications and commands
  - Evidence that a user received an email with a suspicious link, visited the site, launched an executable, and established a connection to a system located on the Internet
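Two of the patterns listed above, a device contacting the same remote host at a near-constant interval and communication with a known malicious address, as detection logic run over a constructed connection log. This is an added example and not part of the original notes; the log format, the denylist (a TEST-NET address) and the regularity thresholds are assumptions.

```python
"""Added example (not from the original notes): beaconing and denylist checks
over a constructed connection log. Format, addresses and thresholds are
assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONNECTIONS = 6      # assumed: enough samples to judge regularity
MAX_JITTER_RATIO = 0.15  # assumed: stdev/mean of intervals below this looks machine-driven
KNOWN_BAD = {"203.0.113.77"}  # constructed denylist entry (TEST-NET-3 address)

# Constructed log lines: "<ISO time> <src> -> <dst>:<port> <bytes>".
LOG = """\
2024-05-06T09:00:05 10.0.0.12 -> 198.51.100.9:443 1402
2024-05-06T09:00:00 10.0.0.55 -> 192.0.2.50:443 5120
2024-05-06T09:01:10 10.0.0.55 -> 192.0.2.50:443 880
2024-05-06T09:02:04 10.0.0.12 -> 198.51.100.9:443 1398
2024-05-06T09:04:06 10.0.0.12 -> 198.51.100.9:443 1405
2024-05-06T09:05:30 10.0.0.55 -> 192.0.2.50:443 23000
2024-05-06T09:05:45 10.0.0.55 -> 192.0.2.50:443 310
2024-05-06T09:06:03 10.0.0.12 -> 198.51.100.9:443 1399
2024-05-06T09:07:12 10.0.0.34 -> 203.0.113.77:8443 2210
2024-05-06T09:08:05 10.0.0.12 -> 198.51.100.9:443 1401
2024-05-06T09:10:04 10.0.0.12 -> 198.51.100.9:443 1400
2024-05-06T09:12:06 10.0.0.12 -> 198.51.100.9:443 1403
2024-05-06T09:20:00 10.0.0.55 -> 192.0.2.50:443 640
2024-05-06T09:21:00 10.0.0.55 -> 192.0.2.50:443 700
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, port, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return sorted(events, key=lambda e: e[0])


def denylist_hits(events):
    """(src, dst) pairs where the destination is on the constructed denylist."""
    return sorted({(src, dst) for _, src, dst, _, _ in events if dst in KNOWN_BAD})


def find_beacons(events):
    """Return (src, dst) -> stats for pairs that connect at a near-constant interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        # Human-driven traffic has large, irregular gaps; a tight interval is suspicious.
        if jitter <= MAX_JITTER_RATIO:
            beacons[pair] = {"count": len(times), "mean_interval": avg, "jitter_ratio": jitter}
    return beacons


if __name__ == "__main__":
    evts = parse_log(LOG)
    print("denylist:", denylist_hits(evts))
    for pair, stats in find_beacons(evts).items():
        print("beacon:", pair, stats)
```

The 10.0.0.12 to 198.51.100.9 series has gaps of 117 to 122 seconds and is reported as a beacon at roughly a two-minute interval; the 10.0.0.55 series has the same connection count but irregular gaps and is not, which is the distinction that keeps ordinary browsing from being flagged.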
User and Entity Behavior Analytics (UEBA)
- UEBA scans indicators from multiple intrusion detection and log sources to identify anomalies
- often integrated with SIEM platforms
- identifies malicious behaviors from comparison to baselines
- tracks user account behavior across different devices and cloud services
- entity refers to machine accounts
  - e.g., client workstations, virtualized server instances, embedded hardware
- determining baselines and reducing false positives is complex
- heavily depends on AI and machine learning
- tools
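The comparison-to-baseline idea behind UEBA, reduced to a minimal statistical check so the baseline and false-positive issues above are concrete. This is an added example, not part of the original notes or of any UEBA product; the activity metric (distinct hosts a principal authenticates to per day), the history, the z-score threshold and the minimum-history rule are all assumptions.

```python
"""Added example (not from the original notes): a minimal UEBA-style baseline
check scoring each principal's daily activity against its own history with a
z-score. Data, metric and thresholds are assumptions."""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0     # assumed: flag when more than 3 standard deviations above baseline
MIN_STDEV = 1.0       # assumed floor so a perfectly flat baseline does not flag small changes
MIN_HISTORY_DAYS = 7  # assumed: principals with too little history are not scored

# Constructed per-day counts of distinct hosts each principal authenticated to.
# Both user accounts and machine entities are scored the same way.
HISTORY = {
    "alice":       [3, 4, 3, 5, 4, 3, 4, 5, 3, 4],
    "svc-backup$": [12, 12, 12, 12, 12, 12, 12, 12, 12, 12],  # machine account, flat
    "newhire":     [2, 3],                                     # too little history
}
TODAY = {"alice": 19, "svc-backup$": 14, "newhire": 40}


def build_baseline(days):
    """Mean and (floored) standard deviation of a principal's daily counts."""
    return mean(days), max(pstdev(days), MIN_STDEV)


def score(history, today):
    """Return principal -> (verdict, z-score or None)."""
    results = {}
    for principal, value in today.items():
        days = history.get(principal, [])
        if len(days) < MIN_HISTORY_DAYS:
            # Not enough data to say what "normal" is; surface this rather than guess.
            results[principal] = ("unscored", None)
            continue
        base_mean, base_sd = build_baseline(days)
        z = (value - base_mean) / base_sd
        verdict = "anomalous" if z > Z_THRESHOLD else "normal"
        results[principal] = (verdict, z)
    return results


if __name__ == "__main__":
    for principal, (verdict, z) in score(HISTORY, TODAY).items():
        print(f"{principal:12s} {verdict:10s} z={z if z is None else round(z, 2)}")
```

alice jumping from a baseline of about four hosts a day to 19 is flagged; the flat machine account going from 12 to 14 is not, because the standard-deviation floor stops a zero-variance baseline from turning every small change into an alert; the two-day-old account is reported as unscored, which is where the baseline-building cost of UEBA shows up in practice.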