From the C-suite to IT: Identifying anomalous behavior to stop digital adversaries in their tracks

Orion Cassetto, Director, Product Marketing, Exabeam, surveys the cybersecurity risk to different departments of a business. “The highest-ranking members of a company are often the most lucrative targets for cybercriminals,” he says.

Departments within an organization may be easily distinguished by where they are situated in an office building (when we are allowed into our offices, that is) – perhaps finance and sales share floor two, and executives are up on floor six – but their network activity is just as identifiable.
Every user on a network performs specific tasks and generates unique events every day. These events are logged and collected to provide valuable information to security analysts that can be used for activity profiling and anomaly detection.
As cyberattacks become more complex and harder to find, correlation rules often lack context and require significant maintenance, so they generate false negatives or miss unique incidents. To mitigate threats and ensure malicious activity by attackers is not overlooked, security analysts must be able to benchmark baseline behaviors for users at all levels of an organization.
Machine Learning-based behavior analytics is increasingly deployed by security teams to identify when legitimate user accounts exhibit anomalous behavior and provide insights into both compromised and malicious users to SOC analysts and insider threat teams.
Let’s dig into what some normal network activity might look like for various company personas and examples of anomalous behaviors that might raise suspicion for SOC analysts — and how to address them.

Company executives – CEOs, COOs and CFOs
The highest-ranking members of a company are often the most lucrative targets for cybercriminals. Since they hold significant clout within a company, cybercriminals can easily obtain assets by impersonating these individuals.
Normal network behavior for a CEO and other high-level executives might include sharing earnings documents with stakeholders, accessing new business plans, reviewing contracts, competitive data or mergers and acquisition information.
If one of these individuals is suddenly directing suspicious wire transfers or sending mass emails to staff or stakeholders containing malicious links, it would trigger SOC analysts to investigate further.

Finance
Similar to executives, finance departments deal with sensitive and privileged assets, making them a goldmine for bad actors. Finance managers and staff may access quarterly budget documents, collect spending records for different organizational departments or deal with accounts receivable and payable.
They may access payroll documents, but likely wouldn’t be downloading information on a company vendor or employee contract, which often holds personal information like bank details, social security numbers or private addresses. Those activities should certainly raise alarm bells.

Human Resources
Chief People Officers and HR managers often act as the primary liaison between the organization’s management and employees. Human Resources are often very active on a company network due to the nature of their work, which means their network activity can be complex and difficult for legacy systems to monitor.
Using software like DocuSign or DropBox would likely be a baseline behavior for HR departments, which would help them facilitate the hiring and onboarding of new employees. Anomalous behavior by an HR employee might look like a user attempting to access financial records or download employees’ personal tax documents.

Sales and marketing
Baseline behavior for sales and marketing users would likely include accessing apps like Zoom or Skype to host sales pitches or meetings, but they likely wouldn’t need to be viewing personnel files or financial documents.
This type of behavior would likely generate a high risk score and require further investigation. Sales and marketing users also often send large files, such as design files, videos and webinar recordings, out of the organization, whether via file-sharing apps, to a website, or to partners and customers.
To other tools, this may look like data exfiltration because of the large outbound file transfers. Sales and marketing employees, who communicate more often with external entities (i.e. new business leads, vendors or third-party agencies), may also easily fall victim to credential-stuffing attacks. After stealing these users’ information, hackers then move laterally within a network to gain higher-level access in hopes of obtaining private data or high-value assets.

IT
These individuals often have administrative privileges that hackers can use to obtain authorized access to high-value resources, such as a sensitive database, a user-rights management system or an authentication system.
When a hacker obtains privileged-user credentials, the threat actor can move freely to high-value assets. For this reason, SOC analysts must closely monitor this category of users for anomalous activity indicative of a threat.
While the tasks of IT professionals can be both widespread and unrestricted, even a frequency spike in what would be considered normal activities by a specific network user could trigger a warning that the account has been compromised.

Using behavioral analytics to detect threats sooner
As businesses and their employees continue to endure and thrive in work-from-home arrangements, their reliance on cloud-based resources grows and their network activity becomes more complex. For this reason, behavioral analytics is one of the most rapidly adopted technologies within enterprise security and is being used to detect and investigate advanced threats.
This adaptable and customizable approach applies behavioral analysis to users and also to non-user entities like routers, servers and endpoints that legacy solutions are unable to address. Behavioral analytics solutions vary, using different combinations of Artificial Intelligence and Machine Learning, advanced analytics, data enrichment and data science to effectively combat complex threats.
By looking at the entire picture, SOC teams can get a better estimate of a potential alert’s context so that they can calibrate risk scores more realistically and avoid a high number of false positives. This approach combines all data sources with analytics so that security analysts can get a low-volume, high-fidelity feed and stop drowning in endless noise, enabling them to remain vigilant and detect suspicious behaviors from the C-suite all the way to IT.
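
The two baselines the article relies on, what a department's peers normally do and how often one user normally does it, can be shown as an added example (not code from the article or from any vendor product). The user names, activity labels, daily counts and the z-score threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline, one row per user per day:
# (user, department, activity, daily_count). All values are made up.
BASELINE = [
    ("ana", "hr", "docusign", 6), ("ana", "hr", "docusign", 8),
    ("ana", "hr", "dropbox", 3),
    ("raj", "marketing", "large_outbound_transfer", 4),
    ("raj", "marketing", "large_outbound_transfer", 5),
    ("mia", "marketing", "zoom", 7),
    ("tom", "it", "admin_login", 20), ("tom", "it", "admin_login", 22),
    ("tom", "it", "admin_login", 19), ("tom", "it", "admin_login", 21),
]

def build_baselines(events):
    """Return (activities seen per department, daily counts per user+activity)."""
    peer_seen, user_counts = defaultdict(set), defaultdict(list)
    for user, dept, activity, count in events:
        peer_seen[dept].add(activity)
        user_counts[(user, activity)].append(count)
    return peer_seen, user_counts

def score_event(event, peer_seen, user_counts, z_threshold=3.0, min_days=3):
    """Return the list of reasons a day's activity deviates from baseline."""
    user, dept, activity, count = event
    reasons = []
    # Peer-group check: has anyone in this department ever done this?
    if activity not in peer_seen.get(dept, set()):
        reasons.append("activity never seen in peer group")
    # Self check: is today's volume far above this user's own history?
    history = user_counts.get((user, activity), [])
    if len(history) >= min_days:
        # Floor the deviation at 1 so a flat history cannot divide by zero.
        z = (count - mean(history)) / max(pstdev(history), 1.0)
        if z > z_threshold:
            reasons.append(f"frequency spike (z={z:.1f})")
    return reasons

PEER_SEEN, USER_COUNTS = build_baselines(BASELINE)

if __name__ == "__main__":
    today = [
        ("ana", "hr", "financial_records", 1),               # new for HR
        ("mia", "marketing", "large_outbound_transfer", 5),  # normal for peers
        ("tom", "it", "admin_login", 90),                    # spike in a normal task
        ("tom", "it", "admin_login", 22),                    # within baseline
    ]
    for ev in today:
        print(ev, "->", score_event(ev, PEER_SEEN, USER_COUNTS) or "ok")
```

Because the marketing transfer is judged against the marketing peer baseline rather than a global size rule, it is not flagged, while the same activity label from an HR account would be.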

Orion Cassetto, Director, Product Marketing, Exabeam, has nearly a decade of experience marketing cybersecurity and web application security products. Prior to Exabeam, Orion worked for other notable security vendors including Imperva, Incapsula, Distil Networks and Armorize Technologies. He is a security enthusiast and frequent speaker at conferences and tradeshows.
