By: Bronwen Cohn-Cort, Data Scientist, and Shaul Saitowitz, Data Scientist
Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.
The Essential Role of Threat Detection
Threat detection is a critical component of an organization’s cybersecurity strategy. Requiring the combination of human expertise and machine learning, risk can be significantly reduced by identifying threats before a potential attack.
Many threats can go unnoticed for months or even years. In IBM’s latest report, it takes an average of 277 days for security teams to identify and contain a data breach, and the cost of a breach skyrocketed, reaching an average of $4.45 million. Given the extended timeframe it often takes to detect and contain a data breach, organizations must proactively implement measures to quickly respond to potential threats and reduce the risk of costly damages.
To effectively combat malicious activity in your environment, it can be challenging to stay on top of all the potential threats, particularly as it demands skilled professionals who can develop models to apply artificial intelligence. Setting up alerts for when suspicious activity is detected can help organizations quickly respond to potential breaches and mitigate the risk of further damage to their systems and data.
Critical Detections for Your Network Security
While there are many types of security threats and detections to consider today, we highlight credential harvesting and insider threats as two crucial ones to add to your queue.
Adlumin Data Science is rolling out alerts for credential harvesting and insider threats, each capable of warning against prevalent attack tactics within their domains by utilizing user and entity behavior analytics. These detections are crucial as they are often difficult for organizations to identify.
Credential Harvesting Detection
A credential harvesting alert addresses a post-exploitation technique to broaden network access. After gaining a foothold, this alert will notify an organization about suspicious activities related to stealing login credentials from a computer system. This information can then be used to access other systems, steal data, or even compromise an entire network.
Sources of stored credentials include files, databases, registry entries, and memory structures where login credentials are stored, whether in plaintext or encrypted form. Some of these locations include LSASS (Local Security Authority Subsystem Service), GPP (Group Policy Preferences), and web browsers that store passwords. Cybercriminals can use one of many tools or techniques to capture the stored credentials.
These include utilities like Mimikatz, Hashcat, and SharpChromium. Once the credentials have been extracted, the attacker harvests them for future use. Encrypted passwords can be cracked offline and then used to access other systems within the network, furthering the attack.
The detection exposes several credential dumping techniques and delivers background on the tool discovered. This allows prompt stoppage of the unfolding attack and helps protect business assets. The detection model should be updated regularly to keep up with new tactics and methods.
Credential harvesting poses a significant threat to organizations, leading to unauthorized access, data breaches, and financial loss. Setting up alerts for credential dumping processes is crucial as it enables early detection and swift response to mitigate potential damage. Organizations can protect their sensitive information, maintain operational continuity, and uphold trust with customers and stakeholders by efficiently enriching, containing, and recovering from such incidents.
Insider Threat Detection: Aggregating and Analyzing Widespread File Deletion
Some ransomware variants, like REvil, involve mass file deletion; in some instances, an unauthorized insider may gain permissions sufficient to mass-delete files. The Insider Threat model detects and alerts on cases of a user or attacker deleting an abnormally high number of files across many different subdirectories. Further analysis is conducted to filter out file extensions and locations that likely correspond to benign deletion activity. For example, a user emptying the Recycle Bin would not trigger an alert.
Setting up an Insider Threat alert uses a machine learning model to determine anomalies in the number of Windows Event ID 4663 (“An attempt was made to access an object”) events with Delete access permissions. A high quantity of these 4663 events in a half-hour period significantly deviating from the customer baseline is considered anomalous.
The table below displays partially redacted information from 4663 events associated with an alert. For each, it shows the time of the log message, the computer name on which it occurred, and which Object Name and Process Name were associated with the event. This table can be used to further investigate the deletion activity by reviewing the details of what computers, locations, and types of files were involved.