IBM Security QRadar


Maturing UBA Deployments Part 2: User Access, Network, and Flow Anomalies

By PATEL MILAN posted Tue November 26, 2019 04:38 AM

  

As the depth and breadth of the use cases in QRadar have grown, so has the frequency of the questions I hear from clients about maturing their insider threat program with UBA. In this blog series, I’ll address and answer these questions for our UBA clients.

In my previous blog, we covered getting started with a collection of account access and authentication behavioral use cases. In this blog, we’ll focus on deploying use cases that detect abnormal access behaviors, browsing patterns, network or cloud activity, and endpoint activity. 

The table below highlights the 9 categories in which these use cases fall. When enabled, these help SOC analysts detect 78 distinct behavioral anomalies.



Setting the Stage

 

Before configuring, enabling, and deploying these use cases, I strongly recommend reviewing each use case and its corresponding log or flow data sources. On the UBA tuning page [Figure 1 below], clicking the information icon on the right takes you to the documentation for that individual use case. The description of the use case, its logic, its building blocks, its risk score, and the log sources it relies on are all documented there.

Figure 1: UBA Use Case Tuning Page


It's important to ensure that the required log sources are fed into QRadar, that they are instrumented to include the users' identity, and that they are being parsed properly. If a use case requires a reference set, populate that reference set with the required data before you enable the rule.

Refer to the DSM guide for the comprehensive list of log sources supported by QRadar and their configurations.
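Populating a reference set by hand works for a handful of entries, but lists such as the two empty sets that ship with "UBA : Executive Only Asset Accessed by Non-Executive User" usually come from an HR export or a CMDB and are better loaded through the QRadar REST API. The script below is an added example written for this post, not IBM's code: it uses the documented reference_data/sets create and bulk_load endpoints, and assumes a console URL and authorized-service token supplied through environment variables, an API version header of "12.0", and the status codes shown in the comments. The executive names and asset IPs are constructed sample data.

```python
"""Load QRadar reference sets over the REST API (added example, not IBM code).

Assumptions (not from the blog): console URL and SEC token come from the
QRADAR_URL / QRADAR_TOKEN environment variables, the "Version: 12.0" header is
accepted by your console, and the endpoints behave as follows:
  POST /api/reference_data/sets?name=..&element_type=..   -> 200/201 created, 409 exists
  POST /api/reference_data/sets/bulk_load/{name}          -> 200 with the set object
"""
import json
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "12.0"   # assumption: use a version your console supports


def _send(req):
    """Real transport: returns (status, body). Tests substitute a fake."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def _request(base_url, token, path, query=None, body=None):
    """Build an authenticated POST against /api/<path> with optional JSON body."""
    url = f"{base_url.rstrip('/')}/api/{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("SEC", token)            # authorized-service token header
    req.add_header("Version", API_VERSION)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def ensure_reference_set(base_url, token, name, element_type="ALN", send=_send):
    """Create the set if it is missing. Returns True if created, False if it already existed."""
    req = _request(base_url, token, "reference_data/sets",
                   query={"name": name, "element_type": element_type})
    status, body = send(req)
    if status not in (200, 201, 409):
        raise RuntimeError(f"create {name!r} failed: HTTP {status}: {body[:200]!r}")
    return status in (200, 201)


def bulk_load_reference_set(base_url, token, name, values, send=_send):
    """Load de-duplicated, trimmed values in one call. Set names contain spaces and a
    colon ("UBA : Executive Users"), so the path segment is percent-encoded."""
    values = sorted({v.strip() for v in values if v and v.strip()})
    path = "reference_data/sets/bulk_load/" + urllib.parse.quote(name, safe="")
    status, body = send(_request(base_url, token, path, body=values))
    if status != 200:
        raise RuntimeError(f"bulk load of {name!r} failed: HTTP {status}: {body[:200]!r}")
    return json.loads(body)


if __name__ == "__main__":
    BASE = os.environ.get("QRADAR_URL", "https://qradar.example.com")   # assumption
    TOKEN = os.environ["QRADAR_TOKEN"]
    executives = ["ceo", "cfo", "ciso"]            # constructed sample data
    assets = ["10.10.5.21", "10.10.5.22"]          # constructed sample data
    for name, data, kind in (("UBA : Executive Users", executives, "ALN"),
                             ("UBA : Executive Assets", assets, "IP")):
        ensure_reference_set(BASE, TOKEN, name, kind)
        info = bulk_load_reference_set(BASE, TOKEN, name, data)
        print(name, "now has", info.get("number_of_elements"), "elements")
```

Run it before enabling the rule, and re-run it from the same source of truth on a schedule so the executive list does not drift from reality; a stale set silently turns the use case into noise.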

In the second phase of implementation I recommend you deploy use cases related to user access behavior, network, and flow anomalies. Profiling how users access their systems and corporate assets, and how they use network resources, can help detect potential threats and compromised or stolen accounts.

Below is a selected list of 42 use cases, grouped by the user behavioral anomaly they detect, that may be relevant to your environment. Each use case name is linked to the documentation of that use case on the IBM Security App Exchange. Each page provides a short description of the use case, the logic and building blocks used to detect the behavior, its default risk score and, most importantly, the data sources (logs and/or flows) UBA needs to detect the anomalous activity.


Access and Authentication anomalies:

UBA : Executive Only Asset Accessed by Non-Executive User

Detects when a non-executive user logs on to an asset that is for executive use only. Two empty reference sets are imported with this rule: "UBA : Executive Users" and "UBA : Executive Assets". Edit the reference sets to add or remove the accounts and IP addresses that should be flagged in your environment. Enable this rule only after you have configured the reference sets.

UBA : High Risk User Access to Critical Asset

Detects when a user who is already involved in incidents (offenses) accesses a critical asset.

UBA : Multiple VPN Accounts Failed Login From Single IP

Detects VPN account login failures from IP addresses in the "UBA : Multiple VPN Accounts Failed Login From Single IP" reference set.

UBA : Multiple VPN Accounts Logged In From Single IP

Maps multiple VPN users that are coming from the same IP address and raises the risk score. When the rule detects VPN users coming from the same IP address, that IP address is added to the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set. Before enabling this rule, make sure the rule "UBA : Populate Multiple VPN Accounts Logged In From Single IP" is enabled and the "UBA : Multiple VPN Accounts Logged In From Single IP" reference set has data.

UBA : User Access from Multiple Hosts

Detects when a single user logs in from more than the allowed number of devices.

UBA : AWS Console Accessed by Unauthorized User

Detects an unauthorized attempt to access the Amazon Web Services (AWS) console by a user that is outside the authorized list in the 'AWS - Standard Users' reference set.

UBA : Non-Standard User Accessing AWS Resources

Detects a non-standard user who is attempting to access Amazon Web Services (AWS) resources.



Domain Controller-based anomalies:

UBA : Kerberos Account Enumeration Detected

Detects Kerberos account enumeration: a high number of distinct user names used in Kerberos requests from the same source IP.

UBA : Multiple Kerberos Authentication Failures from Same User

Detects multiple Kerberos authentication ticket rejections or failures.

UBA : Non-Admin Access to Domain Controller

Detects non-admin account access attempts to a domain controller.

UBA : Pass the Hash

Detects Windows logon events that are possibly generated during pass-the-hash attacks.

UBA : Possible SMB Session Enumeration on a Domain Controller

Detects attempts at SMB enumeration against a domain controller.

UBA : Possible TGT Forgery

Detects Kerberos TGTs that contain domain name anomalies. These possibly indicate tickets generated by pass-the-ticket exploits.

UBA : Possible TGT PAC Forgery

Detects use of a forged PAC (Privilege Attribute Certificate) to obtain a service ticket from the Kerberos TGS.

UBA : TGT Ticket Used by Multiple Hosts

Detects a Kerberos TGT being used from two or more different computers.



Endpoint-based anomalies:

UBA : Detect Insecure Or Non-Standard Protocol

Detects any user communicating over unauthorized protocols that are regarded as insecure or non-standard. Authorized protocols are listed by port in the "UBA : Ports of Authorized Protocols" reference set, which has the default value 0 (the port of QRadar events). Edit the "UBA : Ports of Authorized Protocols" reference set to reflect the ports that are authorized in your environment before you enable this rule.

UBA : Malware Activity - Registry Modified In Bulk

Detects processes that modify multiple registry values in bulk within a short interval.

UBA : Process Executed Outside Gold Disk Whitelist (Windows)

Detects processes that are created on a Windows system and alerts when the process is not on the gold disk process whitelist.

UBA : Ransomware Behavior Detected

Detects behavior that is typically seen during a ransomware infection.

UBA : Restricted Program Usage

Indicates that a process is created and the process name matches one of the binary names listed in the reference set "UBA : Restricted Program Filenames". This reference set is blank by default so that you can customize it. You can populate the reference set with file names that you want to monitor for risk management.

UBA : User Running New Process

Detects processes that are created by a user and alerts when a user runs a process that has not been seen before.

The utility rule "UBA : Populate Process Filenames" populates the "UBA : Process Filenames" reference set that "UBA : User Running New Process" relies on. Note: the populate rule is disabled by default. Enable it for a limited period to baseline the filenames in your environment.

UBA : Volume Shadow Copy Created

Detects shadow copies that were created using vssadmin.exe or Windows Management Instrumentation Command-line (WMIC).

 

Anomalous data movement and transfers:

UBA : Large Outbound Transfer by High Risk User

Detects an outbound transfer of 200,000 bytes or more by a high risk user.

UBA : Multiple Blocked File Transfers Followed by a File Transfer

Detects possible exfiltration by checking for file uploads that were initially blocked but were followed by a successful upload within a span of 5 minutes.

UBA : Suspicious Access Followed by Data Exfiltration

Detects access from unusual, restricted, or prohibited locations followed by a data exfiltration attempt.

UBA : Data Exfiltration by Print

Detects users that are sending files to print or that are using screen capture tools such as Print Screen and Snipping Tool.

UBA : Data Exfiltration by Cloud Services

Detects users that are uploading files to personal cloud services.

UBA : Data Exfiltration by Removable Media

Detects users that are transferring files to removable media such as USB and CD.

UBA : Data Loss Possible

Detects possible data loss, as determined by the data source, the event category, or specific events related to data loss detection and prevention.

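"UBA : Multiple Blocked File Transfers Followed by a File Transfer" is a sequence rule rather than a threshold rule: the signal is the order of events for one user inside the 5-minute span the description states. The block below is an added example written for this post, not the UBA rule's building blocks or IBM code. It runs that sequence logic over constructed proxy/DLP log lines; the key=value format, the destinations, and the minimum of two blocked attempts before a success counts are assumptions.

```python
"""Blocked-then-allowed upload sequence detector (added example, not UBA code).

The 5-minute span comes from the rule description; the minimum number of blocked
attempts, the log format and the sample lines are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # span stated in the rule description
MIN_BLOCKED = 2                 # assumption: ignore a single accidental block


def parse_kv(line):
    """Parse constructed 'time=ISO8601 k=v ...' lines (not a QRadar DSM format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def blocked_then_allowed(events, window=WINDOW, min_blocked=MIN_BLOCKED):
    """Alert each time a user's successful upload follows >= min_blocked blocked
    uploads, all of them within `window` of the success."""
    blocks = defaultdict(list)      # user -> times of blocked uploads still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, t = ev["user"], ev["time"]
        live = [b for b in blocks[user] if t - b <= window]   # drop blocks older than the window
        if ev["action"] == "blocked":
            live.append(t)
        elif ev["action"] == "allowed" and len(live) >= min_blocked:
            alerts.append({"user": user, "blocked_attempts": len(live),
                           "dest": ev["dest"], "bytes": int(ev["bytes"]), "at": t})
            live = []   # the sequence completed; start over for this user
        blocks[user] = live
    return alerts


# Constructed proxy/DLP events, deliberately out of order to show time-based sorting.
# alice: two blocks then a success inside 5 minutes (should alert).
# carol: one block then a success (below MIN_BLOCKED). bob: success 30 minutes after his block.
SAMPLE_LOG = """\
time=2019-11-20T10:00:00 user=alice action=blocked dest=share.example.net bytes=0
time=2019-11-20T10:01:00 user=alice action=blocked dest=share.example.net bytes=0
time=2019-11-20T10:00:30 user=bob action=blocked dest=paste.example.org bytes=0
time=2019-11-20T10:03:00 user=alice action=allowed dest=files.example.com bytes=5242880
time=2019-11-20T10:02:00 user=carol action=blocked dest=share.example.net bytes=0
time=2019-11-20T10:04:00 user=carol action=allowed dest=files.example.com bytes=120000
time=2019-11-20T10:30:00 user=bob action=allowed dest=files.example.com bytes=4096
""".splitlines()


def run():
    """Run the detector over the constructed sample."""
    return blocked_then_allowed(map(parse_kv, SAMPLE_LOG))


if __name__ == "__main__":
    for a in run():
        print(a)
```

The successful upload is the event worth keeping as evidence: it carries the destination and byte count that turn a policy violation into an exfiltration finding, which is also why this rule pairs naturally with "UBA : Large Outbound Transfer by High Risk User".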


Geography-based anomalies:

UBA : Anomalous Cloud Account Created From New Location

Detects cloud account creation activities from a new location.

UBA : User Access from Multiple Locations

Indicates that multiple locations or sources are using the same user account simultaneously. Adjust the match and duration parameters to tune responsiveness.

UBA : User Geography Change

A match indicates that a user logged in remotely from a country different from the country of the user's last remote login. This may indicate an account compromise, particularly if the rule matches occurred close together in time.

UBA : User Geography, Access from Unusual Locations

Indicates that users were able to authenticate in countries that are unusual for your network, as defined by the building block rule "UBA : BB : Unusual Source Locations".

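The two rules just described keep different state: "UBA : User Geography Change" compares each remote login with the same user's previous one, while "UBA : User Geography, Access from Unusual Locations" compares a login with a fixed list of countries. The block below is an added example written for this post, not UBA's implementation or IBM code. It runs both checks over constructed remote-login records and escalates a country change that happens within a short interval, which is the "close in time" case the description calls out. The usual-country list (standing in for the "UBA : BB : Unusual Source Locations" building block), the 4-hour escalation window and the sample logins are assumptions.

```python
"""Per-user login geography tracking (added example, not UBA's implementation).

USUAL_COUNTRIES stands in for the "UBA : BB : Unusual Source Locations" building
block; it, the 4-hour escalation window and the sample logins are assumptions.
"""
from datetime import datetime, timedelta

USUAL_COUNTRIES = {"US", "GB"}        # assumption: countries normal for this network
CLOSE_IN_TIME = timedelta(hours=4)    # assumption: a country change this fast is escalated


def geo_findings(logins, usual=USUAL_COUNTRIES, close=CLOSE_IN_TIME):
    """logins: (time, user, country) remote logins in any order.
    Returns (time, user, kind, detail) findings in time order."""
    last = {}       # user -> (time, country) of the previous remote login
    findings = []
    for t, user, country in sorted(logins):
        if country not in usual:
            findings.append((t, user, "unusual_location", country))
        prev = last.get(user)
        if prev is not None and prev[1] != country:
            kind = "geo_change_fast" if t - prev[0] <= close else "geo_change"
            findings.append((t, user, kind, f"{prev[1]}->{country}"))
        last[user] = (t, country)   # the comparison baseline is always the last login
    return findings


# Constructed sample: alice hops US->BR two hours apart; bob changes country a day apart;
# alice's second BR login is unusual but is not a change from her previous country.
SAMPLE_LOGINS = [
    (datetime(2019, 11, 20, 9, 0), "alice", "US"),
    (datetime(2019, 11, 20, 11, 0), "alice", "BR"),
    (datetime(2019, 11, 21, 9, 0), "bob", "GB"),
    (datetime(2019, 11, 22, 9, 0), "bob", "US"),
    (datetime(2019, 11, 22, 10, 0), "alice", "BR"),
]

if __name__ == "__main__":
    for finding in geo_findings(SAMPLE_LOGINS):
        print(*finding)
```

Note that the change check needs the user's last login persisted across runs; in QRadar that state lives in the rule's reference data, so a fresh deployment will not raise a geography change until each user has logged in at least once after the rule is enabled.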


Network and DNS-based anomalous behaviors:

UBA : D/DoS Attack Detected

Detects network Denial of Service (DoS) attacks by a user.

UBA : Honeytoken Activity

Detects activity using a Honeytoken account.

UBA : Network Traffic : Capture, Monitoring and Analysis Program Usage

Indicates that a process is created whose name matches one of the binary names listed in the reference set "UBA : Network Capture, Monitoring and Analysis Program Filenames". This reference set lists the binary names of network packet capture software and is pre-populated with the filenames of some common network protocol analysis tools.

UBA : Potential Access to DGA Domain

Detects events that indicate the user potentially accessed a DGA (domain generation algorithm) domain. Requires the IBM QRadar DNS Analyzer app.

UBA : Potential Access to Tunneling Domain

Detects events that indicate the user potentially accessed a tunneling domain. Requires the IBM QRadar DNS Analyzer app.



Users accessing or connecting with risky sites (threat intelligence):

UBA : User Accessing Risky IP, Anonymization

This rule detects when a local user or host is connecting to an external anonymization service.

UBA : User Accessing Risky IP, Botnet

This rule detects when a local user or host is connecting to a botnet command and control server.

UBA : User Accessing Risky IP, Dynamic

This rule detects when a local user or host is connecting to a dynamically assigned IP address.

UBA : User Accessing Risky IP, Malware

This rule detects when a local user or host is connecting to a malware host.



Tuning and enabling this selection of 42 use cases will advance your insider threat program to the next level: detecting anomalous user activity that may indicate the use of compromised or stolen credentials, or legitimate insiders who are either being careless and exposing the company to unwanted risk or engaging in other risky or suspicious activities.

 
