User Entity Behavior Analysis (UEBA) is an exciting technology for detecting cyber threats, particularly for financial firms. UEBA is intended to provide another layer of protection by identifying anomalous behavior, enabling you to detect attackers sooner and protect sensitive assets. However, as you adopt and begin to depend on UEBA, it is important to test it thoroughly against what real attackers actually do, so that you know it is providing the protection you expect.
What Is UEBA?
User Entity Behavior Analysis is a modern security tool that uses data analysis and machine learning to analyze behavior and detect attack activity, such as lateral movement, privileged account abuse, privilege escalation, credential compromise, or insider threat activity. UEBA can help determine suspicious behavior in a network by comparing the behavior of a user or non-human system on the network (in other words, an entity) to previous behavior, or to expected behavior, and alerting if there is a deviation. It is often used alongside a SIEM, since both UEBA and SIEM use data such as logs, packet captures, and security monitoring data in order to provide insight into the security posture.
Why Are Banks Investing Heavily in UEBA?
Banks need to accelerate their digital transformation in order to keep up with the market and with customer expectations. Secure digital transformation requires having the tools to detect and respond to attacks in the current landscape. Traditional detection methods are based on signatures, which are still important for detecting known threats. However, today’s quickly evolving threat landscape requires the ability to detect emerging threats as well.
UEBA’s usefulness to a financial institution can extend beyond traditional cybersecurity, as well. Characteristics of transactions, as detected by UEBA, can also help detect fraudulent transactions, something typically handled by a separate financial fraud team. However, just like with any security technology, you cannot be sure that you are getting the expected return on investment unless you are consistently testing.
Why Is UEBA Testing Critical for Banks?
UEBA is just like any other security tool: you cannot assume that it works fresh out of the box. If you are not testing it, you cannot know whether it is effectively finding suspicious behavior or emerging threats. Without testing, you will not build a clear idea of whether it is letting suspicious behavior go by, or whether it is inundating your cybersecurity team with false positives.
UEBA testing can feel daunting because managers — and even security team members — often do not know the mathematical algorithms behind UEBA. Thus, they treat UEBA as a black-box solution, and assume it works in ways that they cannot understand. However, UEBA is not just a black box: many UEBA platforms are based on similar mathematical models. And, aside from the mathematical aspect, you can still tune the data it sees, and the ways in which it alerts the security team.
Fortunately, UEBA testing is possible.
For one, you can find out whether a UEBA system is seeing all the data that it needs to be processing. Without verifying that it can access the data it needs, you cannot confirm that it will be calculating accurate models of user or entity behavior. You also need to make sure it is receiving the right kinds of data, so that it has enough visibility to single out behavior that is actually anomalous.
Furthermore, you need to verify that the device has been properly tuned. You cannot always tell that a device is properly tuned based on system defaults. I once saw an environment where a UEBA was trained on an environment through its built-in “Learning Mode,” but the environment was already compromised by unknown malware while it was being trained. In that case, the UEBA was never going to alert on that malware, given that it was trained on the malware being a normal feature of the environment.
On the other hand, you also have to make sure not to “overfit” the training of the UEBA. Minimizing false positives is helpful in traditional signature-based detection, but in behavioral analysis, tuning too aggressively to suppress false positives diminishes the capacity to detect new attacks: the model becomes so specific to the training data that it misses real deviations.
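The three points above (missing data, a baseline learned while the environment was already compromised, and over-tuning to silence alerts) can all be seen in a minimal baseline-and-deviation model of the kind UEBA products build per entity. The following Python is an added illustration written for this article, not any vendor's algorithm or Kroll's tooling; the host names, hourly connection counts and thresholds are constructed for the example, and host ws-07 is assumed to have been beaconing throughout the learning window.

```python
"""Baseline-and-deviation scoring: a minimal model of how a UEBA learns
"normal" per entity and alerts on deviation from it. Added illustration,
not a vendor's algorithm; all names, counts and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_SAMPLES = 5          # refuse to baseline an entity with too little history
DEFAULT_THRESHOLD = 3.0  # alert when |z| exceeds this many standard deviations

# Constructed "learning mode" window: hourly outbound-connection counts per host.
# ws-07 was already beaconing (about +60 connections/hour) while the baseline
# was learned, so the malware traffic is absorbed into its "normal".
# ws-03's log source was onboarded late, so it has almost no history.
TRAINING = {
    "ws-01": [12, 15, 11, 14, 13, 12, 16, 14],
    "ws-07": [72, 74, 71, 73, 75, 72, 74, 73],
    "ws-03": [10, 11],
}


@dataclass(frozen=True)
class Baseline:
    entity: str
    mu: float
    sigma: float


def build_baseline(entity, samples):
    """Learn a per-entity baseline. Returns None when history is too short, so a
    visibility gap is reported as such instead of being treated as quiet and normal."""
    if len(samples) < MIN_SAMPLES:
        return None
    sigma = max(pstdev(samples), 1.0)  # floor sigma so a flat history cannot divide by zero
    return Baseline(entity, mean(samples), sigma)


def zscore(baseline, value):
    """Distance of one observation from the learned mean, in standard deviations."""
    return (value - baseline.mu) / baseline.sigma


def evaluate(baseline, value, threshold=DEFAULT_THRESHOLD):
    """Return 'alert', 'normal' or 'no-baseline' for one new observation."""
    if baseline is None:
        return "no-baseline"
    return "alert" if abs(zscore(baseline, value)) > threshold else "normal"


def run_demo(threshold=DEFAULT_THRESHOLD):
    """Score one new (constructed) hour in which every host makes 74 connections."""
    baselines = {host: build_baseline(host, hist) for host, hist in TRAINING.items()}
    return {host: evaluate(baselines[host], 74, threshold) for host in TRAINING}


if __name__ == "__main__":
    for host, verdict in run_demo().items():
        print(f"{host}: {verdict}")
```

Running it shows the three failure modes side by side: the same 74 connections that raise an alert on ws-01 are scored as normal on ws-07, because the beacon was part of its training data; ws-03 produces no verdict at all rather than a false sense of calm; and raising the threshold to, say, eight standard deviations to quieten the console makes a modest but real excursion on ws-01 (22 connections, about 5.5 standard deviations) disappear.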
How Can Red Teaming Help Verify the Effectiveness of UEBA?
A red team exercise is an approach to security testing that mirrors what real attackers do. As opposed to a penetration test, which focuses on particular devices or systems, a red team exercise simulates full-featured attacks and helps you make higher-impact security decisions once your business has built a baseline of security maturity. These attack simulations can be tuned to reflect real, current threats against your organization and industry vertical.
Attack simulations can deliberately attempt to evade particular security technologies in your environment, to make sure those defenses are working as planned. This includes UEBA evasion: after all, attackers are aware of UEBA, of what it is typically designed to detect, and of the techniques used to get around these tools.
At one point, we did a UEBA red team engagement with a client who used the technology to detect and block bots and automated tools which abuse websites. Simple automated tools were detected by the client’s UEBA, as configured before the red teaming engagement. Then, the red team adopted several TTPs that attackers typically use to evade UEBA. Those tactics included:
- Distributing IP addresses of attack traffic
- Modifying the timings of their traffic, slowing it down and randomizing it just enough to fool the UEBA into thinking it is human instead of automated
- Scripting keyboard and mouse input to appear more like human typing and mouse usage
- Using browser automation to make traffic appear to come from a conventional browser and not a script
The UEBA configuration did not catch these well-known evasion techniques. After the red teaming engagement, the client was able to use the report, work with their UEBA vendor, and tune the UEBA so that it caught these attacks. As a result, the engagement left the UEBA producing more useful alerts and better able to identify actual malicious behavior.
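The engagement above shows why a detector keyed only on source IP and fixed request cadence is brittle. The Python below is an added example of the defender's side of that lesson, not the client's configuration or any vendor's rules: it parses a constructed web access log, groups requests by session rather than by source IP, and reports a session when it spans too many source addresses, when its request rate is too high, or when its inter-request timing is machine-regular. The log format, session ids, IP addresses and all thresholds are assumptions made for the example.

```python
"""Session-keyed detection of automated web traffic over a constructed access log.
Added example (not the client's UEBA tuning); format, data and thresholds are assumed.
Line format: "<epoch_seconds> <src_ip> <method> <path> sess=<session_id>"."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: one human session, one naive bot from a single IP at
# a fixed one-second cadence, and one bot spread across eight IPs with jittered timing.
SAMPLE_LOG = """\
1700000000.0 198.51.100.23 GET /login sess=h-7f3a
1700000012.0 198.51.100.23 GET /accounts sess=h-7f3a
1700000014.5 198.51.100.23 GET /accounts/123 sess=h-7f3a
1700000040.0 198.51.100.23 POST /transfer sess=h-7f3a
1700000041.2 198.51.100.23 POST /transfer/confirm sess=h-7f3a
1700000090.0 198.51.100.23 GET /logout sess=h-7f3a
1700000000.0 192.0.2.44 GET /api/quote?id=1 sess=b-0101
1700000001.0 192.0.2.44 GET /api/quote?id=2 sess=b-0101
1700000002.0 192.0.2.44 GET /api/quote?id=3 sess=b-0101
1700000003.0 192.0.2.44 GET /api/quote?id=4 sess=b-0101
1700000004.0 192.0.2.44 GET /api/quote?id=5 sess=b-0101
1700000005.0 192.0.2.44 GET /api/quote?id=6 sess=b-0101
1700000006.0 192.0.2.44 GET /api/quote?id=7 sess=b-0101
1700000007.0 192.0.2.44 GET /api/quote?id=8 sess=b-0101
1700000008.0 192.0.2.44 GET /api/quote?id=9 sess=b-0101
1700000009.0 192.0.2.44 GET /api/quote?id=10 sess=b-0101
1700000000.0 203.0.113.1 GET /api/quote?id=1 sess=b-9c1e
1700000006.3 203.0.113.2 GET /api/quote?id=2 sess=b-9c1e
1700000015.1 203.0.113.3 GET /api/quote?id=3 sess=b-9c1e
1700000021.8 203.0.113.4 GET /api/quote?id=4 sess=b-9c1e
1700000030.4 203.0.113.5 GET /api/quote?id=5 sess=b-9c1e
1700000039.9 203.0.113.6 GET /api/quote?id=6 sess=b-9c1e
1700000047.2 203.0.113.7 GET /api/quote?id=7 sess=b-9c1e
1700000058.0 203.0.113.8 GET /api/quote?id=8 sess=b-9c1e
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) sess=(?P<sess>\S+)$"
)

# Assumed thresholds; in practice these are tuned per application.
MIN_REQUESTS = 5          # need this many requests before judging cadence
MAX_IPS_PER_SESSION = 2   # a browser session rarely hops across more source IPs than this
MAX_REQ_PER_SEC = 0.5     # sustained rate above this is faster than a person clicks
MIN_CADENCE_CV = 0.1      # coefficient of variation below this means machine-regular timing


def parse(log_text):
    """Parse log lines into (timestamp, source_ip, session_id); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # in production, count these: unparsed lines are a visibility gap
        events.append((float(m["ts"]), m["ip"], m["sess"]))
    return events


def analyse_sessions(events):
    """Return {session_id: [reasons]} where an empty list means nothing suspicious."""
    by_session = defaultdict(list)
    for ts, ip, sess in events:
        by_session[sess].append((ts, ip))

    verdicts = {}
    for sess, reqs in by_session.items():
        reqs.sort()
        reasons = []
        # Keying on the session defeats spreading one crawl across many addresses.
        if len({ip for _, ip in reqs}) > MAX_IPS_PER_SESSION:
            reasons.append("many_source_ips")
        span = reqs[-1][0] - reqs[0][0]
        if span > 0 and len(reqs) / span > MAX_REQ_PER_SEC:
            reasons.append("high_rate")
        if len(reqs) >= MIN_REQUESTS:
            gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MIN_CADENCE_CV:
                reasons.append("fixed_cadence")
        verdicts[sess] = reasons
    return verdicts


if __name__ == "__main__":
    for sess, reasons in analyse_sessions(parse(SAMPLE_LOG)).items():
        print(f"{sess}: {reasons or 'ok'}")
```

The naive bot trips both the rate and the cadence checks, which is what a default configuration tends to catch. The distributed bot slips past both of those, exactly as the engagement found, and is only surfaced because the detector groups on session identity and notices eight source addresses behind one session. The caveat is the mirror image: a crawl that starts a fresh session per address would not be joined by this key, so the same grouping has to be repeated on whatever identity survives (account, device fingerprint), and the thresholds need re-checking against traffic from the real application rather than the constructed sample here.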
Moving Forward with UEBA Security
A UEBA is an important part of your financial institution’s security infrastructure. UEBA red team testing is an important element of verifying that the system is working properly, since it allows you to find out whether it can see everything it needs to see, and whether it is tuned to identify ways that attackers are actively evading UEBA systems.
Kroll has deep red teaming experience and a strong record of working with emerging technologies like UEBA. Our comprehensive red teaming services can help you make sure that you are getting the right security benefits and the proper return on your investments in UEBA.