IT Security Mar 18, 2021

Keep attackers under pressure – Minimize dwell time with behavioral analysis.

On average, an attacker snoops around in an environment they have hacked for 56 days before being detected. This means reality diverges greatly from what is often portrayed in the media, with the good guys and the bad guys in a race against time and each other. The reason for this is not only dramatic licence in films and reports. In reality, criminals can wreak havoc undetected for long periods because many companies’ networks are spread over several locations with different responsibilities, and their services are not always as up to date as they should be. The aim must therefore be to expose attackers as quickly as possible, which is where behaviour analysis and device identification come into play.


Jens Käsbauer
Content Manager

The more dispersed and disorganised an organisation’s network is, the longer an attacker can lurk undetected and cause damage, which is why the dwell time in the corporate network is an important indicator of how serious an attack is. Generally speaking, the longer an attacker remains undetected in the network, the greater the damage caused.

IT teams are flooded with alert messages.

Another reason for the extended dwell time of nearly two months in the network is the previous way of working. Traditional security systems do not consider a user’s actions in context and therefore often produce a large number of incidents, and normal, deliberate behaviour can be classified as potentially dangerous and reported as such. The reason for these “incidents” tends to be the similarity between harmless and harmful behaviour. These tools also very often incorrectly assume that changes to the system, such as reinstalling or updating software, have been carried out by malware. The result is often that an IT security employee has to analyse what has happened, which takes up a lot of time and resources, as only experienced specialists can differentiate between harmless and harmful incidents. Automated reactions can even restrict an end device’s functionality, creating an unnecessary problem (a false positive).

Even though there are plenty of automated solutions these days, most alerts are still processed manually, an extremely long-winded process that takes up colossal amounts of time. Time that experts could better spend hunting down attackers hiding in the network.

Just as bad as false positives are false negatives: a gap in your defences means that viruses and malware whose signatures are not recognised as threats can continue to run, making it easy for attackers to harm your systems and throwing the door wide open to them.

At first glance, e-mails flagged as false positives seem less serious, as the affected e-mail is normally quarantined. This means there is no direct damage to the system, but if customer correspondence is wrongly classified as malicious, this can most certainly be damaging. If an order is lost, or if the customer relationship is permanently impacted because enquiries go unanswered or are answered late, this often results in revenue losses and a loss of trust.

Time for an early warning system.

The question you have to ask yourself is how the IT department can uncover these kinds of attacks effectively and quickly. On top of checking files for viruses and malware, it is also important to continuously monitor transactions within the network. AI-based analysis systems help pick up on the first signs of an attack by pooling and examining individual user actions as sessions. The actions in each session are compared with those performed by the user in similar, previous sessions. Often, the actions and sessions of colleagues with a similar job profile are used for comparison. The aim is always to detect unusual behaviour patterns.

Hackers usually first want to get an overview of the company network and its IT systems, so it can be assumed that the attackers’ activities will differ significantly from those of a legitimate user. Time differences between the company location and the attacker’s base can also be a good starting point: examples of unusual behaviour are logins and data access at strange times of the day or from numerous locations. Another sign could be attempts to access IT systems that an authorised user does not need, or a significant change in the volume of downloaded data, which may indicate that someone has managed to gain unauthorised access to the user account or their device. An AI-supported early warning system installed on all PCs and the network can detect and stop hackers much more quickly.

How does this kind of system work?

To recognise the benefits of a modern system for defending against cyberattacks compared to traditional virus scanners and firewalls, it is important to know how current solutions work. As already mentioned, the system examines the daily behaviour of users and sometimes of devices as well. These kinds of tools are called User Behaviour Analytics (UBA) and User and Entity Behaviour Analytics (UEBA) systems and serve to analyse the actions of the user to determine whether an attack is taking place or the actions are legitimate. True to the zero trust motto “trust no one”, modern solutions assume that all systems are potentially compromised. To be able to carry out these checks, the data flow within the network has to be monitored permanently, and this process can be divided into the following steps:

Step 1.

In the first phase, the system gets to know the normal behaviour of the IT user or device. To do so, the user’s interactions with the company’s IT systems are combined with log systems and SIEM solutions to generate a baseline for their normal behaviour. In this phase, some systems create a kind of scoring system that evaluates user actions on a granular level and arranges them according to the sensitivity of the respective systems that a user regularly accesses.

Step 2.

When the device or user is given a baseline value, their future behaviour is compared against it and if serious deviations are detected, the IT department is informed.

Step 3.

Some systems are able to react immediately and prevent potentially damaging user activity. Typically, access to particularly sensitive data, such as product development files or customer and employee data, is blocked if the employee does not work in those departments, and changes to the configuration files of servers and security components trigger such a reaction in real time.
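As an added illustration of the three steps above and of the warning signs listed earlier (unusual hours, new locations, unfamiliar systems, download volume), here is a minimal Python sketch of a baseline-and-deviation scorer. It is example code, not the article’s or any vendor’s product; the record layout, the sensitivity weights and the thresholds are assumptions, and the events are constructed.

```python
from statistics import mean, pstdev

# Constructed learning-phase events for one user (Step 1); the record layout
# (user, hour, location, system, bytes downloaded) is assumed, not the page's.
BASELINE_EVENTS = [
    ("alice", 9, "munich", "crm", 12_000),
    ("alice", 10, "munich", "crm", 8_000),
    ("alice", 11, "munich", "fileshare", 30_000),
    ("alice", 14, "munich", "crm", 15_000),
    ("alice", 16, "munich", "fileshare", 25_000),
    ("alice", 9, "munich", "mail", 5_000),
]

# Assumed sensitivity weights per system (the page's "scoring" idea in Step 1).
SENSITIVITY = {"crm": 1, "fileshare": 1, "mail": 1, "hr-db": 5, "src-repo": 4}

def build_baseline(events):
    """Step 1: learn what is normal for one user from historical events."""
    sizes = [e[4] for e in events]
    return {
        "hours": {e[1] for e in events},
        "locations": {e[2] for e in events},
        "systems": {e[3] for e in events},
        "bytes_mean": mean(sizes),
        "bytes_std": pstdev(sizes) or 1.0,  # guard against a constant series
    }

def score_event(baseline, event, z_limit=3.0):
    """Step 2: compare one new event with the baseline; return (score, reasons)."""
    _, hour, location, system, nbytes = event
    score, reasons = 0, []
    if hour not in baseline["hours"]:
        score += 2
        reasons.append(f"activity at unusual hour {hour:02d}:00")
    if location not in baseline["locations"]:
        score += 3
        reasons.append(f"activity from new location {location}")
    if system not in baseline["systems"]:
        weight = SENSITIVITY.get(system, 2)  # unknown systems get a middling weight
        score += weight
        reasons.append(f"first access to {system} (sensitivity {weight})")
    z = (nbytes - baseline["bytes_mean"]) / baseline["bytes_std"]
    if z > z_limit:
        score += 3
        reasons.append(f"download of {nbytes} bytes is {z:.1f} std above normal")
    return score, reasons

def should_block(score, threshold=5):
    """Step 3: decide whether an automated response fires (assumed threshold)."""
    return score >= threshold
```

A real deployment would compare against peer groups and sessions rather than single events, but the structure (learn, score deviations weighted by sensitivity, act on a threshold) is the same.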

There are, of course, multiple benefits: unauthorised access can be instantly detected and prevented, and the corresponding reporting systems draw attention to it immediately. This enables your employees to take targeted steps to remove the attacker from the system. The machine learning process ensures that false positives are no longer an issue and thus gives security experts time to focus on the real threats. While there are plenty of benefits, questions surrounding the use of personal data abound.

Which data are used?

The aim is clear: to determine a user’s distinct behaviour and compare it with behavioural data that has already been processed. This raises the obvious question of which data are collected, stored and processed to do so. Just as with a fingerprint, individual pieces of information are collated to form a bigger picture. The more detailed the fingerprint, the easier it is to minimise or even completely eliminate false positives. These data include those from the use of existing IT systems, but also biometric user data. The following are examples of what these data could be:

  • Regularly used files, folders and servers
  • Regularly used applications and operating systems
  • Used end devices such as smartphones and notebooks
  • Typical working hours
  • Branch location data
  • Log management systems and directory services
  • Data from SIEM solutions
  • Data from cloud services
  • Typing speed and common typing mistakes
  • Mouse movement and trackpad use

The two sets of biometric data in particular enable clear conclusions to be drawn about the device user and also mean that behaviour can be reliably recognised, even if the user changes devices frequently.

Data protection and behaviour analysis.

As all of these data are needed to identify attacks quickly, protecting users’ privacy is extremely important. The German Data Protection Regulation (DSGVO), which came into force in 2016, has impacted this approach to protecting the IT infrastructure and has put the protection of personal data in the spotlight once again: all usage data must be handled with extreme care, and access may only be granted to those with special authorisation.

The systems that deliver the data to UEBA solutions, such as log management systems and tools for monitoring privileged user groups, have to be able to anonymise that data, and access must always be secured. A range of measures can be put in place to do so, including authentication by several colleagues.

Higher levels of security when using UEBA tools can be achieved by encrypting the data at every point along the chain. The data delivered to the UEBA system by log management, PAM or SIEM systems should already be encrypted, as should data being transferred from one system to another. The preferred methods for ensuring strong encryption are AES and Twofish, which are classed as particularly secure thanks to their 256-bit key length.

More time = more security.

The benefits of modern tools for securing your corporate IT are clear. Your IT department can focus on the more important tasks at hand, such as defending against attacks, and is not distracted by time-intensive jobs that do not contribute to the overall goal. Your security experts can get a quick overview of processes within your infrastructure as needed and react immediately to behaviour that points to an attack. If you keep an eye on privacy protection from the outset, you will not only have a well-secured corporate network, but at the same time protect the privacy of your employees and prevent potential damage to your business.

Want to find out more? Our experts are happy to work with you to develop a security concept tailored to your business.