Threat Types

LogPoint UEBA can detect multiple types of threats in your system. This section highlights the threat types for which we provide the best detection.

Threat types are categorized according to the MITRE ATT&CK Framework. For a complete picture of our ATT&CK coverage, refer to the LogPoint MITRE ATT&CK Coverage.

Note

  • The threat types here are outlined in the same order as in the ATT&CK framework.

  • The following list is not exhaustive.

Initial Access

Initial Access is an attempt to get into your network. There are many techniques that allow an attacker to do so. Using these techniques, attackers try to gain an initial foothold within the network so that they can engage in further malicious activity.

UEBA detects initial access using data from the Active Directory, Authentication, VPN, and Web Proxy logs. Some examples of related detection capabilities are:

  • The detection of an anomalous number of IP addresses used by a user when attempting to authenticate via VPN, for both successful and unsuccessful attempts.

  • The detection of a number of credential validation attempts against a user’s account that is significantly larger than the average within a given time frame.

  • The detection of an anomalous domain to which a user uploaded data, based on how rarely that domain is used in the organization compared to normal behavior.

Persistence

Persistence deals with the attackers attempting to maintain their foothold in the network after they have obtained access. This is done largely by changing credentials, applying configuration changes, and accessing various systems.

UEBA detects persistence using the data from Active Directory and Web Proxy logs. Some examples of related detection capabilities are:

  • The detection of anomalous amounts of data sent by a user to a particular domain, based on the historical bytes sent by the user within an hourly timeframe.

  • The detection of whether a user has become active after a long time in any of the supported data sources.

  • The detection of the first use of a particular host group by a user, reporting cases where the user accessed a host they had not accessed during a set historical period.

Privilege Escalation

Privilege Escalation concerns an attacker’s attempt to obtain higher-level permissions in order to explore the network with fewer limitations. System weaknesses, misconfigurations, and vulnerabilities are the opportunities most commonly taken advantage of.

UEBA detects the escalation of privilege by using data from Active Directory and Web Proxy logs. Some related detection capabilities are:

  • The detection of anomalous activity of a user based on their work patterns throughout the day.

  • The detection of a user logging onto an AD host/server that they usually do not use.

  • The detection of an anomalous number of attempts by a user to access a particular object.

Credential Access

Credential Access is the attacker’s attempt to steal account names and passwords, which could cause a user’s account to be compromised. With this set of tactics, an attacker can carry out compromising activities using existing credentials.

UEBA detects credential access using the data from Active Directory, Authentication, and VPN logs. Some related detection capabilities are:

  • The detection of an anomalous number of failed login attempts by a user, based on the historical number of failed logins within an hourly timeframe.

  • The detection of an anomalous number of unsuccessful login attempts by a user via VPN, based on the historical number of failed logins with their VPN credentials within an hourly timeframe.

  • The detection of an anomalous number of Kerberos ticket-granting ticket (TGT) requests within a given time frame.

Collection

Collection is the attacker’s attempt to gather data of interest from your network, typically with the intent of later exfiltration. The collected data usually consists of files, drives, and emails.

UEBA detects data collection using the information from Web Proxy, Active Directory, and Resource Access logs. Some related detection capabilities are:

  • The detection of an anomalous attempt to access a particular file on a file share.

  • The detection of an anomalous attempt to access a particular shared file.

  • The detection of an anomalous attempt to access a particular object.

  • The detection of an anomalous amount of attempts to access a share.

Exfiltration

Exfiltration is an attacker’s later-stage goal of stealing data from your network. Attackers often package the data before exfiltrating it through various channels.

UEBA detects data exfiltration using the information from Web Proxy and Email logs. Some related detection capabilities are:

  • The detection of anomalous daily size of emails sent by a user, based on the historical bytes sent by the user during the day.

  • The detection of anomalous size of data packets sent by a user with a particular HTTP method, based on the historical bytes sent to a particular domain by all the users within an organization in an hourly timeframe.

  • The detection of anomalous daily size of data packets sent by a user, based on the historical bytes sent by the user during the day.

  • The detection of anomalous size of data packets sent to a particular URL using a particular HTTP method within the past hour.
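The hourly-baseline pattern behind several of the detections listed under Credential Access and Exfiltration (failed logins per hour, bytes sent per hour), shown as an added example that is not LogPoint's code or model. It compares a user's latest hour against their own history with a simple z-score; the log format, the sample lines, the 3-sigma threshold and the minimum-sigma floor are all illustrative assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real data): "<hour-bucket> <user> <action> <bytes_out>".
# Each user has 23 quiet baseline hours followed by a final hour to be judged.
SAMPLE_LOGS = (
    [f"2024-01-01T{h:02d} alice login_failed 0" for h in range(23)]            # 1 failure/hour
    + ["2024-01-01T23 alice login_failed 0"] * 40                               # burst of 40
    + [f"2024-01-01T{h:02d} bob http_post {4000 + 100 * (h % 5)}" for h in range(23)]
    + ["2024-01-01T23 bob http_post 900000"]                                    # 900 KB upload
    + [f"2024-01-01T{h:02d} carol login_failed 0" for h in range(23)]
    + ["2024-01-01T23 carol login_failed 0"] * 2                                # still normal
)

def parse(line):
    hour, user, action, nbytes = line.split()
    return {"hour": hour, "user": user, "action": action, "bytes": int(nbytes)}

def hourly_values(events, user, action, metric="count"):
    """Per-hour count of `action` events for `user`, or per-hour sum of bytes."""
    buckets = defaultdict(int)
    for e in events:
        if e["user"] == user and e["action"] == action:
            buckets[e["hour"]] += e["bytes"] if metric == "bytes" else 1
    return [buckets[h] for h in sorted(buckets)]

def is_anomalous(history, current, threshold=3.0, min_sigma=1.0):
    """True when `current` sits more than `threshold` standard deviations above
    the historical mean. `min_sigma` stops a near-constant history (sigma ~ 0)
    from flagging trivial changes, and a history shorter than 3 hours never fires."""
    if len(history) < 3:
        return False
    sigma = max(pstdev(history), min_sigma)
    return (current - mean(history)) / sigma > threshold

def detect(lines, user, action, metric="count"):
    """Return (latest-hour value, baseline mean, anomalous?) for one user and action."""
    series = hourly_values([parse(ln) for ln in lines], user, action, metric)
    history, current = series[:-1], series[-1]
    return current, mean(history), is_anomalous(history, current)

if __name__ == "__main__":
    print(detect(SAMPLE_LOGS, "alice", "login_failed"))            # failed-login burst
    print(detect(SAMPLE_LOGS, "bob", "http_post", metric="bytes"))  # upload spike
    print(detect(SAMPLE_LOGS, "carol", "login_failed"))            # within baseline
```

A per-user baseline is what keeps a naturally noisy account (a service account that fails constantly) from drowning out a quiet account whose single bad hour is the real signal.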
