Threat Types

UEBA detects multiple threat types, categorized according to the MITRE ATT&CK Framework. Go to Logpoint MITRE ATT&CK Coverage for information on our ATT&CK coverage.

Initial Access

Initial Access is an attempt to get into your network. There are many techniques that allow an attacker to do so. Using these techniques, the attackers try to gain an initial foothold within the network to allow them to engage in further malicious activity.

UEBA detects initial access using data from the Active Directory, Authentication, VPN, and Web Proxy logs. Some examples of related detection capabilities are:

  • Detecting an unusually high number of IP addresses used by a user when authenticating over VPN, regardless of whether the logins succeed or fail.

  • Detecting a significantly higher number of credential validation attempts against a user’s account within a given time window than the historical average.

  • Detecting a rare domain used by a user for uploading data, which deviates from normal behavior within the organization.

Persistence

Persistence is an attacker’s attempt to maintain their foothold in the network after they have obtained access. This is done mainly by changing credentials, applying configuration changes, and accessing various systems.

UEBA detects persistence using the data from Active Directory and Web Proxy logs. Some examples of related detection capabilities are:

  • Detecting abnormal data volumes transmitted by a user to a specific domain within a one-hour interval by comparing them to the user’s historical data transfer patterns.

  • Detecting the recent activity of a user in any of the supported data sources after a long inactive period.

  • Detecting instances where a user accesses a specific host group for the first time within a defined historical period.

Privilege Escalation

Privilege Escalation consists of the actions taken by an attacker to gain elevated privileges or permissions within a system or network, enabling them to explore and access resources with fewer restrictions. Attackers exploit system weaknesses, misconfigurations, and vulnerabilities to elevate their privileges.

UEBA detects the escalation of privilege by using data from Active Directory and Web Proxy logs. Some related detection capabilities are:

  • Detecting abnormal activity of a user based on their work patterns throughout the day.

  • Detecting a user logging into an AD host or server they rarely use.

  • Detecting an unusual number of attempts by a user to access a particular object.

Credential Access

Credential Access is the attacker’s attempt to acquire account names and passwords, potentially compromising a user’s account. By obtaining these credentials, an attacker can perform unauthorized actions, access sensitive data, or further exploit vulnerabilities within the system, posing a significant security risk.

UEBA detects credential access using the data from Active Directory, Authentication, and VPN logs. Some related detection capabilities are:

  • Detecting an unusual number of unsuccessful login attempts made by a user by comparing it to their historical pattern of failed logins per hour.

  • Detecting an abnormal number of unsuccessful login attempts made by a user through a VPN by comparing it to their historical pattern of failed logins over VPN.

  • Detecting an unusual number of Kerberos ticket-granting ticket (TGT) requests within a specific period, indicating potentially anomalous activity.
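The self-baseline detections listed under Initial Access, Persistence, Privilege Escalation and Credential Access above share one shape: aggregate a user's events per time window, compare the current window with that user's own history, and alert on a large deviation or on a value never seen before. The following Python script is an added illustration of that pattern, not Logpoint code; the event schema, the z-score rule, its 3.0 threshold, the 1.0 standard-deviation floor and every sample event are constructed assumptions.

```python
"""Toy UEBA-style baseline detections over constructed log events.
The event schema, the z-score rule, the 3.0 threshold and the 1.0
standard-deviation floor are illustrative assumptions, not Logpoint's."""
from collections import defaultdict
from statistics import mean, pstdev


def ev(ts, user, source, outcome="success", src_ip="10.0.0.5", host=None):
    """Build one normalised event (constructed sample data, not real logs)."""
    return {"ts": ts, "user": user, "source": source, "outcome": outcome,
            "src_ip": src_ip, "host": host}

# Baseline period: four quiet days. alice fails 1 login at 09h and 2 at 14h
# each day, bob fails 1 at 08h, alice's VPN sessions come from two IPs and
# she only ever logs on to host fs01.
HISTORY = []
for day in range(1, 5):
    for hour, n in ((9, 1), (14, 2)):
        HISTORY += [ev(f"2024-03-0{day}T{hour:02d}:00", "alice", "auth", "failure")
                    for _ in range(n)]
    HISTORY.append(ev(f"2024-03-0{day}T08:00", "bob", "auth", "failure"))
    for ip in ("203.0.113.10", "203.0.113.11"):
        HISTORY.append(ev(f"2024-03-0{day}T08:30", "alice", "vpn", src_ip=ip))
    HISTORY.append(ev(f"2024-03-0{day}T09:05", "alice", "ad", host="fs01"))

# Day under analysis: alice fails 9 logins in one hour, her VPN sessions come
# from six new IPs and she logs on to dc01 for the first time; bob fails 3.
CURRENT = (
    [ev("2024-03-05T09:00", "alice", "auth", "failure") for _ in range(9)]
    + [ev("2024-03-05T14:00", "alice", "auth", "failure") for _ in range(2)]
    + [ev("2024-03-05T08:00", "bob", "auth", "failure") for _ in range(3)]
    + [ev("2024-03-05T08:30", "alice", "vpn", src_ip=f"198.51.100.{i}") for i in range(6)]
    + [ev("2024-03-05T09:05", "alice", "ad", host="fs01"),
       ev("2024-03-05T09:40", "alice", "ad", host="dc01")]
)


def failed_logins_per_hour(events):
    """user -> hour bucket ('YYYY-MM-DDTHH') -> number of failed logins."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["source"] == "auth" and e["outcome"] == "failure":
            counts[e["user"]][e["ts"][:13]] += 1
    return counts


def vpn_ips_per_day(events):
    """user -> day -> number of distinct source IPs seen on VPN, any outcome."""
    ips = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["source"] == "vpn":
            ips[e["user"]][e["ts"][:10]].add(e["src_ip"])
    return {u: {d: len(s) for d, s in days.items()} for u, days in ips.items()}


def detect_count_spike(history, current, threshold=3.0, floor_std=1.0):
    """Flag (user, window, value, z) where value sits >= threshold standard
    deviations above the user's own historical per-window values."""
    alerts = []
    for user, windows in current.items():
        baseline = list(history.get(user, {}).values())
        if not baseline:
            continue  # no history yet: nothing to compare against
        mu, sigma = mean(baseline), pstdev(baseline)
        sigma = sigma or floor_std  # constant history would otherwise divide by zero
        for window, value in windows.items():
            z = (value - mu) / sigma
            if z >= threshold:
                alerts.append((user, window, value, round(z, 1)))
    return alerts


def first_time_host_access(history, current):
    """Flag (user, host) for AD logons to a host absent from the user's history."""
    seen = defaultdict(set)
    for e in history:
        if e["source"] == "ad":
            seen[e["user"]].add(e["host"])
    alerts = []
    for e in current:
        if e["source"] == "ad" and e["host"] not in seen[e["user"]]:
            alerts.append((e["user"], e["host"]))
            seen[e["user"]].add(e["host"])  # report each new host once
    return alerts


def run_detections(history, current):
    return {
        "failed_login_spike": detect_count_spike(failed_logins_per_hour(history),
                                                 failed_logins_per_hour(current)),
        "vpn_ip_spike": detect_count_spike(vpn_ips_per_day(history),
                                           vpn_ips_per_day(current)),
        "first_time_host": first_time_host_access(history, current),
    }


if __name__ == "__main__":
    for name, hits in run_detections(HISTORY, CURRENT).items():
        print(name, hits)
```

Running the script reports alice's failed-login spike, her unusual VPN IP count and her first logon to dc01, while bob's three failures stay below the threshold. The floor on the standard deviation covers the edge case of a perfectly constant history, which would otherwise divide by zero or flag any change of one; a real deployment would additionally count zero-event windows in the baseline and decide how much history a user needs before being scored at all.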

Collection

Collection refers to the attacker’s attempt to gather specific data of interest from a network, often to exfiltrate the collected data subsequently. It involves targeting and retrieving files, drives, and emails that contain valuable information.

UEBA detects data collection using the information from Web Proxy, Active Directory, and Resource Access logs. Some related detection capabilities are:

  • Detecting an unusual attempt to access a file, object, share, or shared file.

Exfiltration

Exfiltration is the attacker’s act of stealing data from your network, typically their ultimate objective. They usually attempt to package the data and send it to a different location or storage.

UEBA detects data exfiltration using the information from Web Proxy and Email logs. Some related detection capabilities are:

  • Detecting an unusual size of emails a user sends in a day compared to their historical behavior.

  • Detecting anomalous sizes of data packets a user sends using a specific HTTP method by comparing them to other users’ behavior within an organization.

  • Detecting an anomalous size of data packets a user sends in a day by comparing it to the user’s historical data transfer pattern.

  • Detecting an anomalous size of data packets sent to a particular URL using a specific HTTP method within an hour.
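The second exfiltration bullet differs from the others on this page: it compares a user's outbound data with other users in the organization rather than with the user's own history. The following is an added example of such a peer-group comparison, not Logpoint code. It parses a constructed, simplified proxy log (the line format, users, hosts and byte counts are all assumptions) and scores each user's POST bytes against the median and median absolute deviation (MAD) of the remaining users.

```python
"""Peer-group outlier scoring of outbound bytes per user over constructed
web proxy log lines. The line format, the POST filter, the 3.5 threshold
and the 1.4826 MAD scaling are illustrative assumptions, not Logpoint's."""
from collections import defaultdict
from statistics import median

# Constructed one-day proxy log: "timestamp user method host bytes_sent".
PROXY_LOG = """\
2024-03-05T09:01:10 alice POST crm.example.com 4200
2024-03-05T09:03:42 bob   POST crm.example.com 5100
2024-03-05T09:10:05 carol GET  intranet.example.com 310
2024-03-05T09:12:19 carol POST crm.example.com 3800
2024-03-05T09:15:33 dave  POST wiki.example.com 4100
2024-03-05T09:20:01 erin  POST crm.example.com 4600
2024-03-05T10:02:11 alice POST wiki.example.com 3900
2024-03-05T10:05:55 bob   POST wiki.example.com 4400
2024-03-05T10:07:23 carol POST wiki.example.com 4700
2024-03-05T10:09:44 dave  POST crm.example.com 5600
2024-03-05T10:11:02 erin  POST wiki.example.com 4000
2024-03-05T11:30:17 frank GET  intranet.example.com 280
2024-03-05T22:14:08 frank POST share.example.net 420000000
2024-03-05T22:41:36 frank POST share.example.net 380000000
""".splitlines()


def parse_line(line):
    """Split one constructed log line into a record with an integer byte count."""
    ts, user, method, host, sent = line.split()
    return {"ts": ts, "user": user, "method": method, "host": host, "bytes": int(sent)}


def bytes_per_user(records, method):
    """Total bytes each user sent with the given HTTP method."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] == method:
            totals[r["user"]] += r["bytes"]
    return dict(totals)


def robust_peer_outliers(totals, threshold=3.5, min_peers=3):
    """Score each user against the *other* users (leave-one-out) using the
    median and MAD, so one heavy sender cannot inflate the baseline it is
    judged against. Returns (user, bytes, score) for scores >= threshold."""
    alerts = []
    for user, value in totals.items():
        peers = [v for u, v in totals.items() if u != user]
        if len(peers) < min_peers:
            continue  # too few peers for a meaningful comparison
        med = median(peers)
        mad = median(abs(p - med) for p in peers)
        scale = 1.4826 * mad  # MAD scaled to a sigma-equivalent for normal data
        if scale == 0:
            continue  # all peers identical: no spread to score against
        score = (value - med) / scale
        if score >= threshold:
            alerts.append((user, value, round(score, 1)))
    return alerts


def detect(lines, method="POST"):
    """Parse the log lines and return peer-group outliers for one HTTP method."""
    records = [parse_line(line) for line in lines]
    return robust_peer_outliers(bytes_per_user(records, method))


if __name__ == "__main__":
    print(detect(PROXY_LOG))
```

Only frank is reported for POST traffic. The median and MAD are used instead of mean and standard deviation because the mean and standard deviation of the whole population would be dragged up by exactly the outlier being sought, and each user is scored against the other users only so that their own total never enters their own baseline. The minimum-peer check shows the other failure mode: with only two users sending GET requests there is no population to compare against, so no score is produced.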
