The following example demonstrates how LogPoint UEBA can detect threats within an organization and the measures that can be used to counteract them.
After learning that their contract will be terminated, an infuriated admin in your organization decides to retaliate with an insider attack. To do so, they create a new user account and log in to one of the organization’s cloud storage solutions.
The detector that identifies accounts with no previous activity fires an anomaly because this account has never been seen on the network before.
The newly created user also has no previous login attempts. Therefore, a second detector fires an anomaly based on a sudden increase in login attempts per hour compared with the user’s own baseline.
The newly created account then attempts to access the cloud resource. This information is received by a detector aimed at catching the first time a user accesses a repository. As the user is completely new, the only files they have accessed are most likely local and limited to their specific role, so the attempt to access a specific, remote, cloud-enabled directory immediately fires an anomaly and raises the user’s risk score.
As the malicious insider accesses the files they would like to exfiltrate, they inevitably access many, if not all, of those files for the first time.
The dedicated UEBA module instantly detects that the newly created user has accessed information in the R&D repository and copied 17 files one-by-one to different newly created folders within an hour. Knowing that these actions differ a great deal from normal business behavior in the organization, LogPoint UEBA further elevates the user’s risk score.
The employee then decides to finally move the files they have staged for exfiltration to a final pre-exfiltration location. This information is received by the detector aimed at detecting unusual amounts of data uploaded by the user. There is a matching detector that also aims to recognize unusual download amounts and it is likely that both would be activated.
The movement of files can also be detected by a detector looking at data movement towards various domains and detecting irregular ones, based on both the user’s and the organization’s previous activities. Not only can this identify unusual traffic internally, but also the movement of data to an external location.
Finally, the malicious soon-to-be-former employee attempts to email the zip files containing the sensitive data. This action triggers a final tranche of detectors, the ones that detect unusual email destination and unusual email attachment size.
If malicious employees attempt to jeopardize the integrity of your organization in a similar manner, LogPoint UEBA can lend you significant assistance in detecting, tracking, and documenting every stage of the attack, no matter which stage of the ATT&CK framework the attacker has reached.
Investigation can start as soon as UEBA detects the initial anomalous user creation. Even at this stage, it’s possible to stop the attack by singling out the account and confirming whether its creation conforms to policy. In the following stages, it is simple for an analyst to identify unusual behavior based on the anomaly. Finally, even if the attacker has already succeeded in damaging the organization, it’s still possible to mitigate the damage thanks to the awareness of timing, method, and entities involved that LogPoint UEBA provides.
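To make the chain of detectors in this scenario concrete, here is an added Python illustration (not LogPoint’s code) that replays a constructed event stream through first-seen-account, first-repository-access, copy-burst and upload-volume detectors and accumulates a per-user risk score. The event data, detector weights, thresholds and the one-hour window are all assumptions for the example; the page gives no numeric values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the page): a never-before-seen account logs in, touches the
# R&D repository for the first time, copies 17 files within an hour, then uploads a large archive.
EVENTS = (
    [{"ts": "2024-03-01T09:00:00", "user": "newadmin", "action": "login", "target": "cloud", "bytes": 0}]
    + [{"ts": f"2024-03-01T09:{5 + 2 * i:02d}:00", "user": "newadmin", "action": "copy",
        "target": "rnd-repo", "bytes": 0} for i in range(17)]
    + [{"ts": "2024-03-01T09:30:00", "user": "alice", "action": "copy", "target": "rnd-repo", "bytes": 0},
       {"ts": "2024-03-01T10:10:00", "user": "newadmin", "action": "upload", "target": "staging",
        "bytes": 850_000_000}]
)
KNOWN_USERS = {"alice", "bob"}                                # accounts with prior activity
KNOWN_ACCESS = {("alice", "rnd-repo"), ("bob", "hr-repo")}   # (user, repository) pairs seen before
UPLOAD_BASELINE = {"alice": 50_000_000, "bob": 20_000_000}   # typical per-user upload bytes
ORG_UPLOAD_BASELINE = 30_000_000                             # fallback for users without history
# Detector weights, thresholds and the 1-hour window are assumptions; the page gives no numbers.
WEIGHTS = {"new_account": 20, "first_repo_access": 15, "copy_burst": 25, "upload_volume": 30}
COPY_BURST_THRESHOLD, UPLOAD_FACTOR, WINDOW = 10, 5, timedelta(hours=1)

def score_events(events, known_users=KNOWN_USERS, known_access=KNOWN_ACCESS,
                 upload_baseline=UPLOAD_BASELINE):
    """Replay events in time order through the detectors; return {user: (risk, anomalies)}."""
    seen_users, seen_access = set(known_users), set(known_access)
    copies = defaultdict(deque)          # per-user timestamps of recent copy actions
    risk, anomalies = defaultdict(int), defaultdict(list)
    def fire(user, name):                # each detector raises a user's score once
        if name not in anomalies[user]:
            anomalies[user].append(name)
            risk[user] += WEIGHTS[name]
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if user not in seen_users:       # account with no previous activity on the network
            seen_users.add(user)
            fire(user, "new_account")
        if ev["action"] == "copy":
            if (user, ev["target"]) not in seen_access:   # first access to this repository
                seen_access.add((user, ev["target"]))
                fire(user, "first_repo_access")
            window = copies[user]        # many files copied one-by-one within an hour
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= COPY_BURST_THRESHOLD:
                fire(user, "copy_burst")
        elif ev["action"] == "upload":   # upload volume far above the user's own baseline
            if ev["bytes"] > UPLOAD_FACTOR * upload_baseline.get(user, ORG_UPLOAD_BASELINE):
                fire(user, "upload_volume")
    return {u: (risk[u], anomalies[u]) for u in anomalies}
```

Running `score_events(EVENTS)` flags only `newadmin`, with all four anomalies in the order the scenario describes, while the established user with a matching history produces no anomaly at all.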