Joyce Teo

How User and Entity Behavior Analytics (UEBA) helps with modern-day attacks

The modern cyber-threat landscape is evolving rapidly, with newer and more sophisticated attacks emerging daily. Enterprises have dealt with these risks by implementing complex cybersecurity frameworks consisting of firewalls, anti-malware, intrusion detection systems, etc. However, these are no longer sufficient in the age of hybrid clouds and remote working. Users can access environments from a variety of devices and locations. Hence, we need a new approach focusing on the user’s behaviour instead of the device or the location. This is where User and Entity Behavior Analytics (UEBA) comes in as an approach that shifts the focus to what the user is doing rather than where they are coming from or what their device is doing.

What is UEBA

UEBA provides an intelligent context-based approach to securing the modern-day environment by leveraging the power of Artificial Intelligence and Machine Learning to cybersecurity. By analyzing threat signals from a user’s behaviour and comparing them to their regular activity, UEBA can create a risk profile based on factors such as login patterns, application access, file access, device usage, etc. This risk profile is not static and dynamically changes as users change their behaviour over time. By essentially learning how the user behaves using AI, UEBA provides a smarter, risk-based approach to cybersecurity, instead of the static allow/disallow rules that have been used traditionally. When users start deviating from their established behaviour, the UEBA can proactively highlight this as a potential threat.

The power of UEBA is apparent when trying to mitigate attacks involving abuse of privileged access or compromised accounts. These attacks are not trivial to detect as the compromised accounts are typically authorised to access the assets. Sophisticated attacks using zero-day exploits, which can evade even the most advanced cybersecurity solutions, can be detected using UEBA as UEBA analyzes subtle context-based signals.

How UEBA works

UEBA leverages the power of machine learning and applies it to the analysis of user behavior within a network. By building a baseline of what is “normal” behavior and what isn’t, UEBA can detect subtle shifts in user behaviour that may indicate malicious activity. These contextual data signals can easily get missed by conventional tools like SIEM solutions or firewalls. A UEBA solution works by analyzing the vast amounts of data within the organization during its learning phase, where it studies data signals such as logins, file access, application and database usage patterns. This telemetry data is fed into its analytics platform, where powerful machine learning algorithms are used to understand and establish a baseline for the users and assets.

Unlike static rules, UEBA algorithms improve their detection as they learn how each environment operates. Simply put, the more data the UEBA gathers, the better it gets at identifying anomalies. The UEBA then continually monitors user behaviour against this normal baseline in real time and flags any deviations. This can be invaluable in identifying complex multi-stage attacks like compromised accounts, privilege abuse, insider attacks, etc.

Common use cases of UEBA

UEBA can help with various security use cases to detect threats that other solutions might miss. Let us take a look at a few of the most important ones:

  1. Compromised Accounts: A UEBA solution can be highly effective at detecting if an account has been compromised, due to its ability to flag activities the account does not normally perform. Even if an attacker has managed to authenticate and authorize themselves successfully, UEBA uses various indicators to determine if the account has been compromised. For instance, if the account is accessed from an unusual location or during odd hours, the UEBA solution promptly detects this unusual activity pattern and triggers an alert.
  2. Malicious Insiders and Privilege Abuse: A user misusing their authorized access can be one of the most challenging actions to detect. This is where UEBA solutions can show their value. Similar to compromised accounts, a UEBA solution does not rely on the authenticated status of the user, but instead analyses the user activity, e.g., checking if the users are accessing servers they do not usually access or accessing files in a pattern which deviates from their norm.
  3. Privilege Escalation: An attacker or insider attempting to escalate their privileges can be detected by a UEBA solution. This can be very useful in detecting a compromised account which the attacker is using to stay persistent within the network.
  4. Unauthorized Data Access and Exfiltration: By analyzing file and data transfer attempts and comparing it against a historical baseline, UEBAs can proactively detect data exfiltration attempts and unauthorized data access. A user attempting to exfiltrate suspicious amounts of data or accessing data outside of their role will get proactively flagged.

How InsiderSecurity can help

While a UEBA solution is not a silver bullet and should form part of a holistic cybersecurity framework, its ability to detect insider attacks, compromised accounts, data exfiltration, etc., is an essential defense against modern attacks. UEBA allows companies to respond to sophisticated attacks that will fly under the radar of most cybersecurity solutions.

InsiderSecurity’s Automated UEBA solution provides all the abilities mentioned, along with the ability to protect data on-prem and in the cloud. Our solution delivers holistic visibility into data as it is accessed, used, or moved and can detect suspicious user or network-level activity.

Automated UEBA offers the following:

  • Proactive detection of malicious user activity within the network
  • Advanced machine learning and advanced user behaviour analytics to detect user compromises and privilege abuse

By leveraging the power of machine learning and providing actionable insights, Automated UEBA gives your cybersecurity team the ability to respond quickly and mitigate modern cyber threats without compromising user productivity.

InsiderSecurity Analysis for Volt Typhoon Attacks

InsiderSecurity conducts in-depth research and analysis on emerging cyber threats, so as to equip organizations with the knowledge to proactively protect themselves. In light of recent events, our Insider Lab team has thoroughly examined the methods and exploitation techniques employed by the notorious Volt Typhoon Attacks. Furthermore, we delved into the early detection strategies and practical measures to counter these threats. Here are the key findings from our investigation: 

Volt Typhoon Attacks  

On May 24, 2023, Microsoft and the “Five Eyes Alliance” cybersecurity information sharing organization released a joint cybersecurity advisory, which detailed a series of activities related to the Volt Typhoon. According to Microsoft’s blog post, these malicious activities have been ongoing since mid-2021 and have targeted critical infrastructure sectors in Guam and the United States. The sectors affected include communication, manufacturing, utilities, transportation, construction, maritime, government, IT, and education. 

What sets these attackers apart is their extensive utilization of Living-off-the-land techniques (LOLT), which prioritize stealth and obfuscation. Remarkably, the attackers refrained from introducing any discernible malware, custom code, or binaries into the compromised systems. By doing so, they successfully evaded antivirus and endpoint detection and response (EDR) solutions, enabling them to freely navigate the networks and systems. 

In this article, Insider Lab provides valuable insights into detecting such stealthy attackers throughout the various stages of an attack. We focus on the utilization of User and Entity Behavior Analytics (UEBA), a behavioural-based security solution designed specifically to identify threats posed by these lurking attackers within the network. 

Stage 1: Entry and Credential Access 

During the initial phase of the attack, the intruder managed to gain entry into the enterprise’s intranet by initially infiltrating the router’s management interface (step 1).  

Note: While it is uncommon for the management interface to be exposed directly to the internet, this may be necessary if the device is managed by a third party. 

Subsequently, they discovered credentials stored within the router, allowing them to access the network’s assets (step 2). 

To illustrate this stage, let’s consider a scenario where the attacker stumbled on the credential ‘RouterAdmin1’ stored within the router and utilized it to gain access to the domain servers present within the enterprise’s network. 

Note: The rationale to store access credentials (to other network assets) within the router is unclear. However, this might be necessary if specific capabilities of the router have been activated. One such example is when the router needs to retrieve specific records from the identity management server, which is typically the Domain controller.

Fig 1. Step 1 and Step 2 of Volt Typhoon Attacks

To detect steps (1) and (2) effectively, behavioural-based algorithms can be leveraged. By monitoring deviations in login behaviour, the following three use cases can trigger alerts when the ‘RouterAdmin1’ account is misused: 

  1. Odd Server Usage 
  2. Unusual Login Time  
  3. First-Time Server Login 

Fig 2. How UEBA can Detect Step 2 of Volt Typhoon Attacks

In the ‘Odd server usage’ use case, advanced behavioural analysis can detect anomalies in the usage patterns of the ‘RouterAdmin1’ account. In the event of lateral movement, if the ‘RouterAdmin1’ account is being used to access servers in a way that deviates significantly from a user’s previous patterns, an anomaly alert will be generated. For example, if an attacker gains access to the ‘File server’ and ‘Mail server’ by utilizing the ‘RouterAdmin1’ account instead of the authorized user’s account, this would trigger an alert. 

In the ‘First-time login into server’ use case, an anomaly alert will be promptly triggered when the account logs into the server for the first time. 

In the ‘Unusual login time’ use case, an anomaly alert will be generated when the account logs into the server at a time that significantly deviates from its established login timing. 

The convergence of these anomalies will increase the risk score associated with the ‘RouterAdmin1’ entity, strongly indicating malicious activities. 
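As an added illustration (not code from the page or from InsiderSecurity’s product), here is a small Python model of the three Stage 1 use cases: a learning phase builds each account’s baseline from constructed historical logons, and a monitoring phase scores new logons against it. The accounts other than ‘RouterAdmin1’, the server names, the one-hour tolerance and the risk weights are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Logon:
    account: str
    server: str
    when: datetime


@dataclass
class Baseline:
    """What the learning phase saw for one account."""
    servers: set = field(default_factory=set)   # servers the account has logged into
    hours: set = field(default_factory=set)     # hours of day at which it logged in
    max_daily_fanout: int = 0                   # most distinct servers touched in one day


# Assumed risk weight each use case adds to the entity's score when it fires.
WEIGHTS = {
    "First-Time Server Login": 30,
    "Unusual Login Time": 20,
    "Odd Server Usage": 40,
}


def learn(logons):
    """Learning phase: build a per-account baseline from historical logons."""
    baselines = defaultdict(Baseline)
    per_day = defaultdict(set)
    for ev in logons:
        b = baselines[ev.account]
        b.servers.add(ev.server)
        b.hours.add(ev.when.hour)
        per_day[(ev.account, ev.when.date())].add(ev.server)
    for (account, _day), servers in per_day.items():
        b = baselines[account]
        b.max_daily_fanout = max(b.max_daily_fanout, len(servers))
    return dict(baselines)


def _hour_is_usual(hour, usual_hours, tolerance=1):
    """True if `hour` lies within `tolerance` hours of a baseline hour (wrapping at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual_hours)


def monitor(baselines, logons):
    """Monitoring phase: evaluate each logon against the account's baseline.

    Returns (alerts, risk): alerts is a list of (account, server, use_case);
    risk maps each flagged account to its accumulated risk score.
    """
    alerts = []
    risk = defaultdict(int)
    seen_today = defaultdict(set)
    for ev in logons:
        b = baselines.get(ev.account, Baseline())   # unknown account: empty baseline, everything fires
        day_key = (ev.account, ev.when.date())
        seen_today[day_key].add(ev.server)
        fired = []
        if ev.server not in b.servers:
            fired.append("First-Time Server Login")
        if not _hour_is_usual(ev.when.hour, b.hours):
            fired.append("Unusual Login Time")
        if len(seen_today[day_key]) > b.max_daily_fanout:
            fired.append("Odd Server Usage")   # more servers in a day than ever before: lateral movement
        for use_case in fired:
            alerts.append((ev.account, ev.server, use_case))
            risk[ev.account] += WEIGHTS[use_case]
    return alerts, dict(risk)


def _t(day, hour, minute=0):
    return datetime(2023, 6, day, hour, minute)


# Constructed learning data: RouterAdmin1 only ever queries the domain controller in the
# small hours (the record lookup described above); alice works on the file and mail servers.
LEARNING_LOGONS = [Logon("RouterAdmin1", "DC01", _t(d, 2)) for d in range(1, 6)] + [
    ev for d in range(1, 6)
    for ev in (Logon("alice", "FILESRV", _t(d, 9)), Logon("alice", "MAILSRV", _t(d, 10)))
]

# Constructed monitoring data: the attacker reuses RouterAdmin1 for lateral movement (step 2).
LIVE_LOGONS = [
    Logon("RouterAdmin1", "DC01", _t(8, 2, 5)),       # routine: no alert
    Logon("RouterAdmin1", "FILESRV", _t(8, 14, 5)),   # new server, odd hour, fan-out grows
    Logon("RouterAdmin1", "MAILSRV", _t(8, 14, 10)),  # same three anomalies again
    Logon("alice", "FILESRV", _t(8, 9, 30)),          # routine: no alert
]


def run_demo():
    return monitor(learn(LEARNING_LOGONS), LIVE_LOGONS)


if __name__ == "__main__":
    alerts, risk = run_demo()
    for alert in alerts:
        print(alert)
    print(risk)   # {'RouterAdmin1': 180}: six converging anomalies, alice never flagged
```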

Stage 2:  Command & Control 

During stage 2 of the attack, the attacker utilizes PSEXEC to execute commands on a remote server. PSEXEC.EXE, a Microsoft tool, enables privileged users to launch processes on a remote server. Based on the NSA’s document, the attacker launches the NETSH.EXE command on the File server using PSEXEC.EXE from the Domain controller (step 3).

C:\pstools\psexec.exe" \\{REDACTED} -s cmd /c "cmd.exe /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999"

The attacker was also observed executing the following command to establish a network connection tunnel. 

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp 

To effectively detect steps 3 and 4, which involve the execution of privileged actions, the following use cases can be leveraged: 

  1. Privileged Network Drive Access 
  2. Creation of New Service 
  3. New Network Service 

Fig 4. How UEBA can Detect Step 3 and Step 4 of Volt Typhoon Attacks

In the use case of privileged network drive access, an anomaly alert will be triggered when the account accesses a privileged drive such as \\SERVER\ADMIN$. This hidden share exists on Windows servers and enables privileged users to access the \Windows\ folder of the server. The \\SERVER\ADMIN$ share is commonly utilized by tools like PSEXEC to upload binaries into the server.

In the use case of creating a new service, an anomaly alert will be promptly generated when a new system service is created. A specific example of concern is the PSEXEC tool, which creates and launches PSEXESVC.EXE as a new system service after successfully uploading the binary. 

In the use case of a new network service, an anomaly alert will be triggered upon the detection of new network connectivity or services. Specifically, this includes instances where NETSH.EXE is utilized to establish a network proxy that listens on TCP port 9999. Moreover, the network proxy is configured to forward incoming data to TCP port 8443 at the IP address 192.168.100.100. 

The presence of the new network service listening on TCP port 9999, as well as the outgoing connection to 192.168.100.100 on TCP port 8443 can be identified by the network anomaly algorithm. 

Stage 3: Reconnaissance and Defense Evasion

In stage 3 of the attack, the attacker executed a sequence of natively available commands to gather additional information (Step 5). These commands provide various information, including network settings, account details, running processes, and more. Finally, they attempted to clear the security log in order to conceal their tracks (Step 6). 

Fig 5. Step 5 and Step 6 of Volt Typhoon Attacks

To detect steps 5 and 6 effectively, the following use cases can be leveraged: 

  1. Suspicious LOLBIN activity 
  2. Security Log Cleared 

Fig 6. How UEBA can Detect Step 5 and Step 6 of Volt Typhoon Attacks

In the use case of suspicious LOLBin (Living-off-the-Land Binary) activity, an anomaly alert will be generated when a series of native commands are executed in a pattern that closely resembles the activities typically carried out by an attacker during reconnaissance and maintaining access. 

These are the specific LOLBin commands outlined in the advisory released by the NSA pertaining to the campaign:

Fig 7. Specific LOLBin Commands in Volt Typhoon

In the use case of security log clearance, an anomaly alert will be triggered when the account attempts to clear the security event log. This deliberate action poses a significant concern as it obstructs forensic analysis and investigation, especially when the victim lacks access to the audit trail. 

This underscores the importance of forwarding the audit log to a secure and resilient log storage facility to preserve crucial evidence for future analysis. 

Auto triage of security alerts 

In the previous sections, we discussed the use cases for detecting stealthy attackers in a network. While one can try to use a SIEM (Security Information and Event Management) solution to implement some of these use cases, there are significant limitations to consider when using a SIEM solution for such use cases. 

For example, monitoring Event ID 1102 can help detect the clearing of security logs, while Event ID 5145 can identify privileged network drive access. However, enabling these alerts in a SIEM may overwhelm the security team with numerous alerts, including many that are benign or unrelated to malicious activity. 

To address this challenge, UEBA (User and Entity Behavior Analytics) will be an effective approach. UEBA continuously triages and compares activity against the historical behaviour of entities. The security team is only notified when behavioural changes linked to relevant use cases are detected, minimizing alert fatigue.

By leveraging UEBA, security alerts are analyzed in the context of an entity’s overall behaviour, allowing for a more accurate and targeted detection of suspicious activities. This approach significantly reduces the number of false positives and focuses attention on the most relevant alerts, improving the efficiency and effectiveness of the security team’s response to potential threats.  

Fig 8. UEBA sends a security ticket to users
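As an added example (not code from the page or from InsiderSecurity’s product), the following Python script implements the Stage 2 and Stage 3 use cases over constructed, simplified event records and then contrasts plain SIEM-style alerting with the baseline-aware triage described above. It assumes the page’s Event IDs 5145 (share access) and 1102 (log cleared) plus the standard Windows events 7045 (service installed, System log) and 4688 (process creation, which only carries a command line when command-line auditing is enabled); the record layout, the ‘svc_patch’ account, the risk weights and the ticket threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed risk weight each use case adds to the entity's score when it fires.
WEIGHTS = {
    "Privileged Network Drive Access": 30,
    "Creation of New Service": 30,
    "New Network Service": 40,
    "Security Log Cleared": 50,
}
TICKET_THRESHOLD = 100   # assumed: score at which the security team is notified

PORTPROXY_RE = re.compile(r"netsh\s+interface\s+portproxy\s+(add|delete)\s+v4tov4\s*(.*)", re.I)


def parse_portproxy(cmdline):
    """Parse a `netsh interface portproxy` command line into its parameters.

    Returns e.g. {'action': 'add', 'listenport': '9999', 'connectaddress': ..., ...}
    or None when the command line is not a portproxy command.
    """
    m = PORTPROXY_RE.search(cmdline)
    if not m:
        return None
    params = dict(re.findall(r"(\w+)=([^\s\"]+)", m.group(2)))
    return {"action": m.group(1).lower(), **params}


def use_cases_for(ev):
    """Map one simplified event record to the detection use cases it satisfies."""
    fired = []
    if ev["id"] == 5145 and ev.get("share", "").upper().endswith("ADMIN$"):
        fired.append("Privileged Network Drive Access")   # how PsExec stages PSEXESVC.EXE
    if ev["id"] == 7045:
        fired.append("Creation of New Service")           # a service was installed on the host
    if ev["id"] == 4688:
        pp = parse_portproxy(ev.get("cmdline", ""))
        if pp and pp["action"] == "add":                  # new listener forwarding to another host
            fired.append("New Network Service")
    if ev["id"] == 1102:
        fired.append("Security Log Cleared")
    return fired


def learn_baseline(events):
    """Learning phase: which (account, host, use case) combinations are routine for an entity."""
    return {(ev["account"], ev["host"], uc) for ev in events for uc in use_cases_for(ev)}


def triage(events, baseline=None):
    """With baseline=None every rule match alerts, like a plain SIEM rule set.
    With a baseline, matches the entity has produced routinely before are suppressed."""
    alerts, risk = [], defaultdict(int)
    for ev in events:
        for uc in use_cases_for(ev):
            if baseline is not None and (ev["account"], ev["host"], uc) in baseline:
                continue
            alerts.append((ev["account"], ev["host"], uc))
            risk[ev["account"]] += WEIGHTS[uc]
    return alerts, dict(risk)


def tickets(risk, threshold=TICKET_THRESHOLD):
    """Entities whose converged anomalies warrant a security ticket."""
    return sorted(acct for acct, score in risk.items() if score >= threshold)


# Constructed, simplified records: only the fields the rules need, not real EVTX output.
ADMIN_SHARE = r"\\*\ADMIN$"
LEARNING_EVENTS = [
    {"id": 5145, "account": "svc_patch", "host": "FILESRV", "share": ADMIN_SHARE}
    for _ in range(5)   # patch account pushes updates over ADMIN$ every night
]
LIVE_EVENTS = [
    {"id": 5145, "account": "svc_patch", "host": "FILESRV", "share": ADMIN_SHARE},        # routine
    {"id": 5145, "account": "svc_patch", "host": "FILESRV", "share": ADMIN_SHARE},        # routine
    {"id": 5145, "account": "svc_patch", "host": "FILESRV", "share": ADMIN_SHARE},        # routine
    {"id": 5145, "account": "alice", "host": "FILESRV", "share": r"\\*\Projects"},        # ordinary share
    {"id": 5145, "account": "RouterAdmin1", "host": "FILESRV", "share": ADMIN_SHARE},     # step 3
    {"id": 7045, "account": "RouterAdmin1", "host": "FILESRV", "service": "PSEXESVC"},    # step 3
    {"id": 4688, "account": "RouterAdmin1", "host": "FILESRV",                            # step 4
     "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 "
                "connectaddress=192.168.100.100 connectport=8443 protocol=tcp"},
    {"id": 1102, "account": "RouterAdmin1", "host": "FILESRV"},                           # step 6
]


def run_demo():
    siem_alerts, _ = triage(LIVE_EVENTS)
    ueba_alerts, risk = triage(LIVE_EVENTS, learn_baseline(LEARNING_EVENTS))
    return siem_alerts, ueba_alerts, risk, tickets(risk)


if __name__ == "__main__":
    siem_alerts, ueba_alerts, risk, raised = run_demo()
    print(len(siem_alerts), "SIEM alerts vs", len(ueba_alerts), "after triage")   # 7 vs 4
    print(risk, raised)   # {'RouterAdmin1': 150} ['RouterAdmin1']
```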

Summary and Recommendations 

The attacker’s patient execution of the campaign, relying on the operating system’s limited tools and living-off-the-land (LOL) techniques, emphasizes the need for proactive security measures. To safeguard your organization against such threats, we recommend implementing the following measures: 

  • Restrict direct internet access to the router’s management interface 
  • Maintain credentials stored in the router at lower privilege levels 
  • Implement comprehensive authentication and authorization measures for both intranet and internet-facing assets 
  • Establish a secure and centralized location for forwarding and storing audit logs 
  • Take a proactive approach by continuously monitoring audit logs for any abnormalities related to identity, network, and assets. Detecting anomalies early can help mitigate potential threats before they escalate 

How can InsiderSecurity help? 

Fig 9. A timeline chart showcasing the detection at each stage of the Volt Typhoon attack with InsiderSecurity’s Automated UEBA

InsiderSecurity’s Automated UEBA (User and Entity Behavior Analytics) powered by AI and advanced user behaviour analytics provides early detection of various security risks, including hijacked accounts, insider threats, and compromised servers. By leveraging our Automated UEBA, organizations can effectively detect all the above-mentioned attack pathways. 

Through continuous monitoring and analysis of user behaviour, InsiderSecurity identifies suspicious activities, anomalous patterns, and deviations from normal behaviour. This allows for the proactive identification of potential security incidents and timely response to mitigate risks. 

InsiderSecurity’s Automated UEBA goes beyond traditional rule-based approaches, utilizing advanced machine learning algorithms to detect complex and evolving attack techniques. By analyzing user behaviour, account activity, network traffic, and other relevant data sources, our solution provides enhanced visibility into potential threats and helps organizations stay one step ahead of adversaries. 

Elevate your security posture and protect your organization from sophisticated threats. Contact us now to schedule a consultation and discover how our advanced security solutions can help you stay ahead of evolving cyber risks. Don’t wait until it’s too late – act now to secure your future. 

What are the 5 Key Areas of Cloud Security

Concerns of cloud data breaches are a key reason that cloud adoptions hit a roadblock in companies despite an eagerness to go “cloud first”. Despite the promise and flexibility that the cloud offers, security is something that companies cannot compromise on. Cloud security expertise remains high in demand and low in supply, with most CISOs struggling to fill the skills gap in their team.

It is essential to understand the fundamental principles on which cloud security is built before cloud adoption can be implemented properly. One of the biggest mistakes that companies can make is to implement a cloud solution without giving much consideration to its security.

Let us take a look at a few of the key areas within cloud security and how they all work together.

Visibility

It is difficult to secure what you do not have visibility on, and nowhere is this more true than cloud security.

Without proper change management, cloud infrastructure can get updated within seconds leading to a security nightmare unless proper security checks are implemented. CISOs and cybersecurity teams must monitor and get visibility on what is happening within their cloud environments before a security breach happens. This is easier said than done, as cloud workloads can be geographically dispersed, managed by different teams, and even spread across different cloud providers like AWS, GCP, and Microsoft Azure. Many companies prefer to go multi-cloud to prevent vendor lock-in, which becomes a major visibility challenge for CISOs.

One solution is to adopt cloud-native tooling like Cloud Security Posture Management (CSPM) tools so that threats and misconfigurations can be proactively identified before they lead to a security breach. These solutions may also allow auto-remediation, enabling faster response times than are possible on-premises. In addition to threat mitigation, CISOs implementing such tools gain visibility into their single or multi-cloud environment, enabling them to make informed decisions about their cloud risk posture.

Continuous monitoring

Gaining visibility leads to the next key area, which is continuous monitoring for threats. Monitoring also helps companies to maintain compliance with regulatory standards.

The cloud lends itself to automation, and millions of events can be taking place, any one of which could be due to a potential cyber threat. Manual security response is not feasible in such an environment. A high volume of events and alerts leads to alert fatigue and critical alerts being missed.

It helps to have cloud monitoring solutions powered by machine learning that can make sense of these events and detect suspicious user activity automatically.

Security by design

It is important to include security at the design stage of cloud adoption, and not to bolt on security as an afterthought. For example, companies can make use of Infrastructure as Code (IaC) templates to spin up cloud infrastructure like compute instances, databases, networks, security groups, etc. with certain security controls baked in from the start.

Security by design will not only make life easier for cloud administrators but also lend itself to better security down the road.

Identity Management

One of the most significant changes in cloud security is how the traditional network perimeter decreases in importance. Identity and access management becomes much more important. While network perimeter controls do not vanish entirely, security controls now focus more on validating the user and machine identities in the cloud.

Besides strong password policies and multi-factor authentication controls, other data such as location, risk score, device status etc may also be used to establish the identity. This is part of the Zero Trust model, where there is no implicit trust granted to any user or device, whether it resides within or outside the network.

Vulnerability Management

Migrating your infrastructure to the cloud does not mean that you can now completely pass the job of vulnerability management to the cloud service provider. With the shared security responsibility model used by all cloud service providers, the company is responsible for vulnerability management in certain portions of the cloud infrastructure (which varies depending on whether you are using IaaS, PaaS or SaaS).

The rapid speed at which cloud environments change, and the complex architectures involved (servers, containers, serverless functions etc) can make vulnerability management in the cloud challenging.

An effective cloud vulnerability management program should recognize the unique nature of cloud workloads but carry over the best practices from an on-prem vulnerability management program. Identification, severity tracking, and tracking to closure are all activities that are needed to ensure the cloud environment is not exposed to any critical vulnerabilities.

A final note: cloud security is not static

Cloud Security does not finish after security controls are implemented. As the threat landscape changes fast, cloud security implementations can fail if they are viewed as a project with a clear start and end date. Instead, companies should regularly review and improve or adjust their cloud security controls.

These areas discussed should be addressed by security controls and be made part of an overall cloud security plan to be reviewed regularly. This eases the cloud adoption process for companies, so that companies can reap the benefits of cloud.

How can InsiderSecurity help?

InsiderSecurity Cloud Security Monitor detects threats in real time for Microsoft 365 environments. It is a simple-to-use SaaS for enterprises to monitor their data security in Microsoft 365. With its award-winning automated cybersecurity analytics and machine learning, InsiderSecurity CSM makes sense of the millions of events that are occurring in Microsoft 365, easing the burden on overworked security teams. It provides an easy way to monitor your Microsoft 365 data security.

Lessons From Recent Cloud Data Breaches

Cloud Security is an evolving area in which many companies are still finding their footing. Navigating a cloud environment can be challenging for cybersecurity teams who are unfamiliar with how security changes in a cloud environment. Examples of this can be increased automation, a shared security responsibility model, faster change management, and so on.

Cybersecurity teams can learn which areas to focus on by upskilling their cloud knowledge via certifications, adopting cloud-native best practices, and by studying cloud data breaches within the industry. By analyzing these incidents and understanding what vulnerabilities led to these control failures, companies can ensure they are not exposed in a similar way.

Let us look at a few of the most notable cloud data breaches of recent years and what lessons we can learn from them.

Accenture

Accenture, a well-known name in the IT consulting industry, revealed that a popular ransomware group had compromised them in 2017. As a consequence of a cloud misconfiguration, Accenture inadvertently left four of its AWS S3 buckets publicly accessible. As a result, hundreds of gigabytes of sensitive client and company data were exposed. This data included more than 40,000 plaintext passwords, sensitive API data, decryption keys, authentication credentials, user data, and customer information. Hackers released some of this data on the dark web.

In August of 2021, Accenture again fell prey to an attack via the LockBit ransomware.  Attackers exfiltrated over six terabytes of data and demanded that a $50 million ransom payout be made. The compromise also affected Accenture customers.  

Accenture admitted in its financial report that “In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us.”

A few of the key lessons that can be taken from this incident are:  

  • Deploy cloud security tools to detect misconfigurations in the cloud environment. These misconfigurations are usually how attackers gain a foothold in an environment.  
  • All major cloud providers like Microsoft Azure, Google, and AWS have guidance on how to protect against ransomware. These should be studied and adopted.  
  • Insider threats are a genuine cause for concern. Employees with access can be targeted and potentially bribed by attackers with million-dollar budgets.
  • Partners and customers of Accenture were compromised as part of this attack, and hence it is essential to assess the risk of third-party access in a cloud environment.  

Cognyte 

Cognyte, a cybersecurity analytics firm, faced industry scrutiny after a misconfiguration led to over 5 billion user records being exposed over the internet. Even worse was that this database contained data about previous security incidents as part of Cognyte’s intelligence service. A misconfiguration of this database led to it being exposed over the internet without any authentication in place. Thankfully, this was discovered by a security firm, which informed them proactively.

A few of the critical lessons that can be taken from this incident are:  

  • Misconfigurations remain one of the biggest threats to cloud security. Without controls to detect and remediate such mistakes, a company can face a similar situation to Cognyte.  
  • It is difficult to secure that on which you have no visibility. Make use of cloud security tools to identify all cloud resources and their security posture.  
  • Passwords are simply not enough to secure a cloud environment. Implementing multi-factor authentication would have mitigated the impact of this exposure and is something all companies should implement.  

Kaseya

Kaseya, a popular IT management software provider based in the U.S., was compromised in July 2021 by a Russian hacking group. The attack was similar to the supply chain compromise of SolarWinds, in which a popular software product is compromised and used as a jumping-off point to access more environments. While the company shut down its SaaS servers and notified customers, it was not enough to contain the blast radius of the attack, as customers found themselves receiving ransomware instead of Kaseya’s regular software updates. The situation was severe enough for the FBI and cybersecurity firms like Mandiant to get involved.

A few of the critical lessons that can be taken from this incident are:  

  • Supply chain attacks can be highly devastating as many other parties are compromised along with the initial victim. Attackers are smart enough to realize that compromising the software supply chain can be easier and result in higher payoffs than attacking companies head-on.  
  • Patching remains as essential as ever, as the Russian group was able to compromise Kaseya by exploiting unpatched vulnerabilities.

Raychat

Raychat, a famous Iranian chatting application, was compromised in February of 2021 due to a misconfigured database similar to Cognyte. Over 267 million personal details of its customers were accessed and then deleted by a bot. The misconfiguration meant that no advanced technical skills were needed, and the attacker could simply access the database and destroy it without any controls detecting or stopping the malicious activities.  

A few of the critical lessons that can be taken from this incident are:  

  • The common theme of misconfigurations once again shows up in this case. If Raychat had implemented controls to detect and remediate this weakness in time, the entire data breach could have been avoided.  
  • Continuous monitoring of a cloud environment is essential. An attacker accessing a cloud database should be detected due to its suspicious nature. However, the lack of such controls meant Raychat was not aware while the attack was taking place.  

Lessons learned

By analyzing these incidents, we can pick out common themes that appear in nearly all of them. These are lessons to ensure that our cloud environments do not contain the same weaknesses:

  • Misconfigurations are a crucial risk, and it is essential to have controls in place that can detect and mitigate these weaknesses. 
  • Visibility into cloud resources is critical, as cloud environments change rapidly.  
  • Continuous monitoring of cloud resources is needed. Suspicious activities like logins from suspicious locations and data exfiltration should be detected. Cloud Security Monitor provides such automated, continuous monitoring.
  • Multi-factor authentication is a best practice that should be implemented in both the cloud and on-premise. 
  • Supply chain risk can be a blind spot in cloud environments. It is useful to do a risk assessment of the software supply chain and implement controls to protect against its compromise.  

Top Cloud Security Challenges in 2023

Cloud adoption is speeding up in 2023, with Gartner estimating the worldwide spending on public cloud services to grow by 20% from 2022. This has beaten the initial forecasts of 18% for cloud growth, showing the high demand for public cloud services despite an overall economic slowdown across the globe. Infrastructure as a Service (IaaS) leads this growth, with the other services close behind.

The cloud brings benefits for companies due to its agile and scalable nature. However, at the same time, cloud adoption presents unique security challenges as well.

We look at the key cloud security challenges in cloud adoption and how to address them.

Insufficient cloud security expertise

Cloud is a different environment from on-premise, and cybersecurity teams that “copy-and-paste” security controls into the cloud will soon find that this approach does not work. Cloud lends itself to automation and speed, hence native cloud security tooling becomes an important requirement. These tools require upskilling the current cybersecurity teams; otherwise, CISOs will find themselves with environments their teams are not equipped to defend! It is essential to implement tools that are optimized for cloud environments and to invest in the proper training of the cloud security teams.

Misconfigurations

Misconfigurations are a key reason for most cloud security breaches, as cloud administrators unintentionally end up exposing cloud interfaces and infrastructure over the internet. This is easily picked up by attackers and used as an entry point into the cloud environment. The misconfiguration may also be carried out by an insider threat with malicious intent, and not be detected due to a lack of cloud security tooling. Insider threat is a genuine risk regardless of which environment it is occurring in, and misuse of authorized access can be very difficult to detect without proper tooling.

Lack of visibility

Multi-cloud is a reality today as most companies do not want to live with the risk of vendor lock-in. Most companies adopting the cloud have hybrid environments with workloads split between on-prem and two or more cloud providers. While this provides flexibility and options, it also becomes a nightmare for CISOs to control and secure due to its scattered nature. Each cloud environment is different in how it functions, and it is important to have a cloud security solution in place that can provide a centralized view of the risk posture of each environment.

Account takeovers

Cloud identities are a key focus point for attackers, given that the traditional network perimeter no longer exists in the cloud. Cloud control planes are the “keys to the kingdom” in most cloud environments, and attackers can target cloud administrators via phishing attacks, malware, etc. to compromise their credentials and gain access. This is especially easy to do if multi-factor authentication (MFA) has not been configured or the password itself is weak and susceptible to brute-forcing attacks. Even if MFA is enabled, attackers can still compromise the cloud control plane if the administrator’s machine has been compromised.
This attack is not just restricted to user identities but also to services and applications. Users can unintentionally grant access to SaaS applications within their cloud environments, which may be malicious and allow attackers to bypass security controls and gain access to your cloud environment. It is essential to follow a zero-trust model and authenticate every request made. SaaS applications should be reviewed for excessive permissions that grant trusted access to cloud data.

Cloud vulnerabilities

Cloud workloads can be vulnerable to the same weaknesses that are present in any software unless controls are set up within the pipeline. Missing patches, insecure coding, weak communication protocols, excessive permissions etc. are all weaknesses that can be taken advantage of by attackers and used to gain a foothold within a cloud environment. Cloud workload protection mechanisms help to assess the security posture of workloads throughout the lifecycle and can mitigate risks arising in real time.

How Cloud Security Monitor can help

Cloud Security Monitor monitors for threats in real time in Microsoft 365 environments. Its award-winning automated cybersecurity analytics and machine learning make sense of the millions of events that occur in Microsoft 365, easing the burden on overworked security teams. It monitors for insider threats and suspicious data access.
Some of its key features are:
● Discover if an insider threat or hacker is stealing valuable company data from Sharepoint or OneDrive
● Monitor for documents shared to the public by accident
● Easy-to-read summary reports instead of alerts
● Monitor your cloud security health with easy-to-read summary reports without the need to manually go through a high volume of events or alerts
● Intelligent algorithms automatically uncover suspicious activities and automatically provide risk grading of the entities
● Get notified when there is a high-risk activity
● With intelligent algorithms making sense of activity events, you only get alerted when there is a high-risk activity, so you do not get swamped by alerts
● Discover if your Microsoft 365 accounts are compromised and whether a hacker is accessing your company data and emails

InsiderSecurity Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability 

CVE-2023-23397 Threat Overview 

InsiderSecurity carries out research and analysis on the latest cyber threats to help organizations stay ahead. InsiderSecurity analysed the possible exploitation techniques for the recent Outlook vulnerability, as well as methods for early detection of such exploits, both for this specific vulnerability and future similar vulnerabilities. The following are our findings:

Microsoft recently released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. The CVE-2023-23397 vulnerability in Microsoft Outlook has generated significant concern due to its high severity score of CVSS 9.8.  It affects everything from Microsoft 365 apps for enterprise to Outlook 2013 SP1. This exploit has caught the attention of a hacking group linked to Russia’s GRU military intelligence agency that is using it to target some European organizations in government, transportation, energy, and military sectors.  

Companies have to quickly patch their Outlook software and implement measures to detect if they have been compromised. As companies may already be compromised, it is not sufficient to simply block access to port 445 on the internet. 

Stealing the Net-NTLM hash 

CVE-2023-23397 allows the attacker to steal the Net-NTLM hash from the victim, which enables an attacker to assume the victim’s identity and to move deeper into the organisation.  
The attacker steals the Net-NTLM hash by tricking the victim into accessing a UNC path \\Attacker_IP_Address. The ‘leaking’ of the Net-NTLM hash through this mechanism is not new, nor is it considered an actual vulnerability by itself, as it is a feature which allows Windows machines to communicate with one another. 

The safer Kerberos authentication is typically used by machines within the same domain. However, when a user wants to communicate with a machine belonging to a different domain or with a machine known only by its IP address, the Kerberos authentication would not work, hence, the user’s authentication type will be downgraded from Kerberos to NTLM, and the user’s Net-NTLM hashes will automatically be sent to the destination. 

For instance, if a user attempts to access the following UNC paths, the Net-NTLM hash will be sent (and therefore leaked) to an attacker. 

\\Attacker_IP_address 

\\Attacker_hostname.In_another_domain 

How is CVE-2023-23397 exploited 

The impact of CVE-2023-23397 is equivalent to the impact of a successful Net-NTLM based attack. In all attack paths, the attacker sends a malicious email to the victim, causing the victim’s machine to send their Net-NTLM hash to the attacker. Once the attacker steals the Net-NTLM hash from the victim, they could proceed with any of the attack paths described below: 

  1. In attack path 1, the attacker could gain high-privileged access to a Windows domain server of interest by relaying the Net-NTLM hash of the privileged user to the domain server. This could be done by targeting a privileged user to send their Net-NTLM hash to a pre-compromised machine belonging to an unsuspecting employee within the network. This is also known as an NTLM relay attack. 
  2. In attack path 2, the attacker could attempt to recover the password from the stolen Net-NTLM hash through offline password cracking, allowing the attacker to log in to the company’s network via VPN and move laterally from asset to asset. This could work because the passwords for all the services available to the victim could be synchronized and centrally managed by an identity provider (i.e. a domain controller). Multi-factor authentication (MFA) will reduce the possibility of this attack path.  
  3. In attack path 3, the same password recovery technique described in attack path 2 would be used, which allows the attacker to log in to the victim’s cloud account. The attacker could then continue to search for valuable data or secrets stored in the cloud and perform cloud-based attacks. MFA will reduce the possibility of this attack path too. 

Detection strategies  

There are a number of approaches to detect successful Net-NTLM based exploits due to CVE-2023-23397 or similar vulnerabilities. These include: 

1.  Detecting TCP connections made to port 445 (SMB) and port 80 (WebDAV) on both internal (attack path 1) and external (attack paths 2 and 3) IP addresses, especially for new destination IP addresses not observed in the past. 

2.  Detecting successful logins from accounts made from a new location, whether in the cloud or on-premise (attack paths 1, 2 and 3). 

3.  Detecting NTLM authentication from accounts that do not usually perform NTLM authentication. Successful Net-NTLM relay attacks have been observed to be chained with NTLM hash dumping, which leads to pass-the-hash attacks. 

4.  Monitoring for changes in server access patterns, where a compromised account is used to access servers in a suspicious manner. 

Behaviour analytics can detect such changes and enable users to detect Net-NTLM exploits, even if the exploit is due to a newly discovered vulnerability. 
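The first three detection strategies above can be expressed as checks against a baseline of what each host and account normally does. The following is an added example written for this article, not InsiderSecurity's product code: it runs those checks over constructed records shaped like a simplified export of Windows Security logon events (event 4624) and a host connection log. All field names, host names, IP addresses and the internal network ranges are assumptions made for the example.

```python
"""Detection checks for the Net-NTLM abuse patterns described above.

Added example, not InsiderSecurity's code. The records below are
constructed to resemble a simplified export of Windows Security logon
events (event 4624) and a host connection log; all field names, host
names, IP addresses and network ranges are assumptions for this example.
"""
import ipaddress

# The organisation's own address space (assumption): used to label a destination
# as internal (attack path 1) or external (attack paths 2 and 3).
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ---- Constructed baselines: what "normal" looked like in earlier weeks ----
BASELINE_NTLM_ACCOUNTS = {"svc_backup"}          # accounts that legitimately use NTLM
BASELINE_DESTINATIONS = {                         # SMB/WebDAV peers each host has used before
    "WS-042": {"10.0.0.5", "10.0.0.9"},
    "WS-017": {"10.0.0.5"},
}
BASELINE_LOGON_SOURCES = {                        # source addresses each account has used before
    "alice": {"10.0.1.20"},
    "svc_backup": {"10.0.0.9"},
}

# ---- Constructed current-window telemetry (not real data) ----
LOGON_EVENTS = [
    {"account": "svc_backup", "src_ip": "10.0.0.9", "auth": "NTLM", "logon_type": 3},
    {"account": "alice", "src_ip": "10.0.1.20", "auth": "Kerberos", "logon_type": 2},
    # Kerberos-only user suddenly authenticating with NTLM from another workstation.
    {"account": "alice", "src_ip": "10.0.0.77", "auth": "NTLM", "logon_type": 3},
    # Same user logging on remotely from an address never seen before.
    {"account": "alice", "src_ip": "203.0.113.8", "auth": "Kerberos", "logon_type": 10},
]
CONNECTIONS = [
    {"host": "WS-042", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"host": "WS-042", "dst_ip": "198.51.100.23", "dst_port": 445},  # new external SMB peer
    {"host": "WS-017", "dst_ip": "10.0.0.5", "dst_port": 80},
    {"host": "WS-017", "dst_ip": "10.0.0.200", "dst_port": 80},      # new internal WebDAV peer
    {"host": "WS-017", "dst_ip": "198.51.100.50", "dst_port": 443},  # not SMB/WebDAV: ignored
]

WATCHED_PORTS = {445: "SMB", 80: "WebDAV"}


def is_internal(ip):
    """True if the address falls inside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def new_smb_webdav_destinations(connections, baseline):
    """Strategy 1: SMB/WebDAV connection to a destination the host has never used."""
    hits = []
    for c in connections:
        proto = WATCHED_PORTS.get(c["dst_port"])
        if proto is None:
            continue
        if c["dst_ip"] not in baseline.get(c["host"], set()):
            scope = "internal" if is_internal(c["dst_ip"]) else "external"
            hits.append((c["host"], c["dst_ip"], proto, scope))
    return hits


def logons_from_new_sources(events, baseline):
    """Strategy 2: successful logon from a source address the account has not used before."""
    return [(e["account"], e["src_ip"]) for e in events
            if e["src_ip"] not in baseline.get(e["account"], set())]


def unexpected_ntlm_logons(events, ntlm_accounts):
    """Strategy 3: NTLM authentication by an account that normally uses Kerberos."""
    return [(e["account"], e["src_ip"]) for e in events
            if e["auth"] == "NTLM" and e["account"] not in ntlm_accounts]


def run_detections():
    """Run all three checks over the constructed data and return the findings."""
    return {
        "new_destinations": new_smb_webdav_destinations(CONNECTIONS, BASELINE_DESTINATIONS),
        "new_logon_sources": logons_from_new_sources(LOGON_EVENTS, BASELINE_LOGON_SOURCES),
        "unexpected_ntlm": unexpected_ntlm_logons(LOGON_EVENTS, BASELINE_NTLM_ACCOUNTS),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

The baselines are the part that matters: each check only flags what differs from the account's or host's own history, which is why the legacy service account authenticating with NTLM from its usual address produces no finding while the same package used by a Kerberos-only user does. In a real deployment the baseline sets would be learned from weeks of logs rather than hard-coded.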

The above are some of the use cases we have in InsiderSecurity solutions, and we hope these tips are useful for the community. So, gear up and get ready to hunt down these attacks like a pro. And always remember to stay safe out there! 

Avoid Similar Attacks with InsiderSecurity

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the Cloud Security Monitor for ensuring cloud data security. 

Automated UEBA establishes baselines of data access behaviour and alerts on abnormal activity. It detects insider threats, backdoors and advanced attacks by leveraging machine learning and advanced user behavioral analytics.  

InsiderSecurity protects your critical data wherever it resides—on-premises, in the cloud and the hybrid environment. 

Cybersecurity Code-of-Practice (CCoP) 2.0: Complying with InsiderSecurity

Why choose InsiderSecurity for CCoP 2.0

InsiderSecurity products are built for compliance

  • Ease of use, especially useful for small IT teams
  • Automated review of account activity saves hours in monitoring
  • Built-in workflows that support governance and audits

Do you also know:

  • InsiderSecurity is used and trusted by Singapore CII today
  • InsiderSecurity is IMDA accredited
  • InsiderSecurity is an award-winning Singaporean technology company that has its engineering and technical support teams in Singapore

What is Cybersecurity Code-of-Practice (CCoP) 2.0?

The Cybersecurity Code-of-Practice (CCoP) 2.0 refers to the Cybersecurity Code of Practice for Critical Information Infrastructure 2.0, which is an updated version of the CCoP 1.0 released in 2018. The CCoP 2.0 was published on 4 July 2022. It specifies the minimum cybersecurity requirements that organizations operating Critical Information Infrastructure (CII) must implement to ensure the security and resilience of their IT or OT system and/or network infrastructure, including physical devices and systems, software platforms, and applications of the CII.

The primary objective of CCoP 2.0 is to enhance the defensive capabilities of organisations against the sophisticated tactics, techniques, and procedures (TTPs) employed by cyber attackers. It seeks to impede their progress of attacks and improve the agility to tackle emerging risks in domains such as cloud, AI, and 5G. Additionally, it facilitates coordinated defenses between the government and private sectors to promptly identify, discover, and respond to cybersecurity attacks and threats.

Whom will CCoP 2.0 affect?

The designated CII sectors, which are responsible for the continuous delivery of essential services in Singapore, are Government, Energy, Water, Healthcare, Banking & Finance, Transport (encompassing Land, Maritime, and Aviation), Media, Infocomm, and Security & Emergency Services.

How does InsiderSecurity meet CCoP 2.0?

InsiderSecurity helps to meet key CCoP 2.0 requirements that are challenging and tedious to comply with. As a leader in automated analytics, InsiderSecurity’s solutions are especially useful for smaller IT teams. InsiderSecurity solutions are used in Singapore CII today. 

InsiderSecurity meets CCoP 2.0 in the two areas below: 

  • Database security
    InsiderSecurity’s simplified database monitoring flags out data access anomalies. InsiderSecurity saves manpower in monitoring.
  • Monitor for anomalies in user behaviour patterns
    InsiderSecurity’s automated log analysis flags out anomalies in behaviour patterns and detects early signs of breach. With InsiderSecurity, the user does not have to manually review high volume log events or alerts. InsiderSecurity makes sense of the logs and saves manpower in monitoring.

Which CCoP 2.0 requirements are addressed by InsiderSecurity?

CCoP 2.0 Requirement | Clause | InsiderSecurity
5.2 Account Management | 5.2.1(d) Establish mechanisms and processes to monitor the activities of each account, including behavioural patterns, for any anomalies and to trigger an alert for investigation when any anomaly is detected; | Yes
5.13 Database Security | 5.13.4 The CIIO shall monitor databases in a CII for anomalous activities and trigger an alert for investigation when any anomaly is detected. | Yes
5.13 Database Security | 5.13.5 The CIIO shall monitor for bulk queries that exceed a predetermined threshold of data to be retrieved and trigger an alert for investigation when any such bulk query is detected. | Yes
6.1 Logging | 6.1.1 The CIIO shall generate, collect and store logs of the following: | Yes
6.1 Logging | 6.1.1(a) All access and attempts to access the CII and the activities during such access, including application and database activities, and access to data in the CII; | Yes
6.2 Monitoring and Detection | 6.2.1 The CIIO shall establish and implement mechanisms and processes for the purposes of: | Yes
6.2 Monitoring and Detection | 6.2.1(a) Monitoring and detecting all cybersecurity events in respect of the CII; | Yes
6.2 Monitoring and Detection | 6.2.1(b) Collecting and storing records of all such cybersecurity events (including, where available, logs relating to the cybersecurity event); | Yes
6.2 Monitoring and Detection | 6.2.1(c) Analysing all such cybersecurity events, including correlating between cybersecurity events, and determining whether there is or has been any cybersecurity incident; and | Yes
6.2 Monitoring and Detection | 6.2.2 For the purposes of monitoring and detecting cybersecurity events, the mechanisms and processes established by the CIIO shall include: | Yes
6.2 Monitoring and Detection | 6.2.2(b) Establishing the normal day-to-day operational activities and network traffic in the CII, and using this as a baseline against which the CIIO is to monitor for deviations and anomalous activities; and | Yes
6.2 Monitoring and Detection | 6.2.2(c) Ensuring that alerts for further investigation are triggered for all deviations and anomalous activities that are detected. | Yes

CSA has also provided more clarification via their Responses to Feedback Received dated July 2022. The below compliance table outlines how InsiderSecurity meets the CSA responses on CCoP 2.0:

CSA response on CCoP 2.0 | InsiderSecurity
11.4 The CIIO is expected to monitor the behavioural patterns of user accounts within the CII environment and to trigger an alert if a CIIO detects suspicious behaviour patterns or behaviour patterns that deviate from the expected baseline. | Yes
11.12 The intent of the clause is to facilitate early detection of any unauthorised access and malicious activities performed by the privileged accounts. The CIIO should log privileged account related activities such as login attempts, configuration changes etc. | Yes
11.41 The CIIO should log and monitor all application access and activities to detect any unauthorised access or malicious activities to the application. Following the feedback, CSA has revised the clause to provide clarity. | Yes
12.15 Examples of the components of the threat hunting include having data to baseline normal traffic to find outliers, develop hypotheses based on tools and frameworks, and investigate and analyse potential threats to discover any new malicious patterns in the data and uncover threat actors’ TTPs. | Yes

What are the InsiderSecurity products that meet CCoP 2.0?

InsiderSecurity’s Database Activity Monitor (DAM) discovers data access anomalies early before there is serious data loss. Some of its key features are:

  • Easy Deployment and Reduced Operation Cost
    By leveraging machine learning and AI, Database Activity Monitor does not require the user to configure complex, error-prone database rules. Database Activity Monitor works practically out-of-the-box.
  • Automated monitoring for suspicious data activity
    Automatically detect suspicious database administrator activities, data theft and unusual network activities in the databases.
  • Save manpower
    With smart algorithms making sense of events 24/7, customers only need to review high-risk accounts and activities instead of long, complex reports.
  • Built for compliance
    Features for IT governance and support for audit.

InsiderSecurity’s Automated UEBA flags out anomalies in behaviour patterns and detects early signs of breach. Some of its key features are:

  • Stop Internal Threats
    Continuous, automated monitoring of all user behaviours to uncover suspicious user activities early, before there is any serious data loss
  • Automated Threat Detection
    Detect automatically and save on manpower.
  • Advanced Sensors
    Provide visibility needed to catch Advanced Persistent Threats (APTs)
  • Built for compliance
    Features for IT governance and support for audit.

About InsiderSecurity

InsiderSecurity is a Singapore-based cybersecurity technology company that has garnered industry recognition and awards. Founded by a team of cybersecurity experts, InsiderSecurity provides cutting-edge user behavior analytics to detect internal cyber threats early.

InsiderSecurity is a two-time winner on CSA Cybersecurity Innovation Day, in 2020 and 2022, and has also been listed in the ASEAN 40 under 40 for its groundbreaking cybersecurity innovations. InsiderSecurity is the only company accredited by Singapore Government in the area of User and Entity Behavior Analytics. This means that InsiderSecurity met IMDA’s high standards for deployment in enterprises and government agencies.

InsiderSecurity solutions are used by large enterprises and government agencies today.

Complying with CCoP 2.0 with InsiderSecurity

For more information on how InsiderSecurity can help you meet your compliance and security needs, contact us.

Malware in the Cloud: Challenges and Best Practices

Ask any CISO about the top three risks to his or her enterprise, and you can be sure that malware will be on that list.  

Malware as a cybersecurity threat has evolved over the years from a nuisance to a devastating multi-billion-dollar industry that can bring governments and companies to their knees. The Colonial Pipeline ransomware attack in 2021 was just a taste of things to come, and attackers have further refined their attempts to weaponize malware. Recent events like the Russia-Ukraine conflict provide them with more avenues for ransomware and state-sponsored attacks, with the government of Costa Rica being forced to declare a state of national emergency after ransomware devastated its infrastructure.  

Attackers go where the money is, and the top two technology trends of the last few years have been the rapid adoption of Cloud Computing and Artificial Intelligence. Cloud adoption is expected to reach $1.55 Trillion by 2030, which is a staggering amount, and attackers have not been slow to see its potential. 

How malware can compromise the cloud

Along with the increased adoption by companies, attackers have also started using the cloud to be more scalable and efficient in their operations. There have already been reports of SaaS models cropping up offering cybercrime hosted on the cloud. Just like businesses, attackers are now utilizing the speed and agility of the cloud to supercharge their operations, which extends to malware as well.  

Malware can use cloud computing in one of two ways: 

  • As a delivery platform: By using the power and storage of the cloud, attackers can automate and streamline their operations to be faster, more cost-effective, and thus more dangerous. The cloud can be used as a delivery vehicle for malware and as an amplifier, with attacks like DDoS benefiting from the cloud resources they can access.   
  • As a target: Cloud infrastructure can become the target of the malware itself, with misconfigured infrastructure services and storage like S3, Dropbox, etc. being a prime target of attackers. There are many ways of doing this:  
      • Misconfigurations: Despite cloud security maturing year by year, there are still reports of simple misconfigurations having devastating effects, like the recent S3 bucket that exposed over 69 million documents and 12TB+ of production data!  
      • Malicious cloud apps: Most cybersecurity teams are unaware of the permissions they have granted to SaaS applications within their environments, nor do they verify their origin. Attackers can gain a foothold into a tenant by tricking users into installing a malicious cloud app or by using a compromised account to install a cloud app that acts as a backdoor. 
      • As part of a supply chain attack: Many companies use the cloud for their code repositories and keep critical workloads on-prem in a hybrid computing model. Attackers can compromise the cloud repos and inject malicious templates as a jumping-off point into the customer’s environment.  

How to combat cloud malware

Protecting against cloud malware is not all that different from safeguarding against on-prem attacks. Along with investing in a proper anti-malware solution, you should follow these best practices to secure your environment:  

  • Strengthen your access control, as the more locked down your permissions are, the more difficult it will be for cloud malware to take control of your infrastructure. Best practices like the principle of least privilege, multi-factor authentication, and role-based access control are all essential for securing your cloud.  
  • Implement a process to audit the permissions given to SaaS applications within your environment. What level of permissions do these applications have, and are they verified? Is there an approval process present before a SaaS application can connect to your cloud? 
  • Make sure you have a backup method so that you can recover from malware disruptions. This can be a different media or a separate account or subscription. 
  • Implement a governance model that segregates your production cloud environment from less secure accounts like development or sandbox. You should be using a different cloud account or subscription for running your production and development workloads. The best practice is to segregate them and implement guardrails on what developers can do, even with elevated access.  This will ensure that even if malware can compromise privileged access within a development cloud account, it cannot laterally move onto your production workloads.  
  • Implement behavioral analytics to detect malicious activity within the cloud. In large cloud environments, there are millions of events happening at any given time, which is beyond the scope of human security analysts or SIEM solutions to analyze. Using tools like InsiderSecurity’s Cloud Security Monitor can help you detect suspicious cloud activities and prevent cloud data from being misused by malicious or compromised users. Our software will help you identify any malicious activity before it can infect your environment and your users.  

The future of malware  

Malware is an evolving threat, and cybersecurity professionals must keep pace or risk being attacked. Teams must upskill themselves to take advantage of cloud security controls and their speed/automation in stopping such threats. One of the biggest mistakes cybersecurity teams make is to “copy-paste” their on-prem controls to the cloud and not take advantage of its security tooling. The cloud is now in the cross-hairs of cybercriminals both as a target and as a platform, and cybersecurity teams need to take steps to secure their cloud footprint before it is targeted. 

Uber Data Breach

Insights from the Uber Breach: Ways to Prevent Similar Attacks 

Uber Technologies disclosed it was investigating a cybersecurity incident after reports that hackers had breached the company’s network. An in-depth analysis of the attack reveals how the attack occurred and ways organizations can prevent similar incidents in the future. The security industry, however, is still abuzz following this incident, with experts concerned about how an allegedly 17-year-old attacker hacked Uber’s IT infrastructure and acquired sensitive data.  

Experts at InsiderSecurity dissected the attack and came up with hackers’ progression along Uber’s killchain, starting from the initial access, discovery, lateral movement, and data exfiltration. This breach is a reminder that threats are always present and evolving, hence we must do our utmost to learn and adapt to the ever-changing threat landscape. Therefore, based on the Uber incident details, we provide a list of effective strategies organizations can use to identify and mitigate similar incidents in the future.  

What and How Did the Attack Happen? 

  1. Initial Access 
    The hackers accessed Uber’s IT environment after obtaining the company’s VPN infrastructure credentials. We got this information from Uber’s September 19 security update that names Lapsus$ as the potential threat actor.  
    “An Uber EXT contractor had their account compromised by an attacker,” reads Uber’s security update. “It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web after the contractor’s device had been infected with malware, exposing those credentials.” 
    It’s important to note that Uber has implemented multifactor access control for its systems. However, according to their update, the attacker successfully logged in after the contractor accepted one of the many attempted two-factor login approval requests.  
  2. Discovery  
    The contractor whose credentials were stolen did not have privileged access to critical systems. Nevertheless, the contractor had access to a network share. This access is authorized for most internal users. Furthermore, even with restricted access, the cyber actor located a PowerShell script containing hard-coded privileged credentials for Thycotic, the target’s Privileged Access Management (PAM) solution. The PAM user credentials granted access to Uber’s secret services, such as DA, DUO, AWS, GSuite, and Onelogin.  
  3. Privilege Escalation and Access to Critical Systems   
    The hacker stole the admin credentials needed for elevated permission to different critical systems and tools. This attack is unique and worthy of attention as it shows how credential theft can lead to a breach of multiple systems. For instance, the attacker in Uber’s case accessed Slack, Google Workspace Admin, AWS accounts, HackerOne admin, SentinelOne EDR, vSphere, and the financial dashboard.  
    Besides this, the hacker posted a message to a company-wide Slack channel and reconfigured OpenDNS to display a graphic image on internal sites.  
  4. Data Exfiltration  
    Uber divulged that the cyber actor accessed the company’s bug and vulnerability reports, but the security team had already remediated the bugs. However, the hacker stole crucial information from the Slack business messaging app.   
    An excerpt from the company’s security update reads, “it does appear that the attacker downloaded some internal Slack messages as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.”  
    Uber responded by identifying and blocking compromised accounts to ensure the attacker had no further access to systems. In some cases, the company required a password reset to restore accounts. Uber also disabled affected tools, rotated keys to reset access to internal servers, locked down the codebase, and required employees to re-authenticate to regain access.  

Lessons from the Breach and Ways to Mitigate Similar Attacks  

Uber’s security incident involved both human users and systems. Therefore, it’s worth pointing out that a single technology solution could not avoid such a breach. Instead, cybersecurity professionals and companies require a set of controls and training to mitigate similar attacks in the future.  

  1. Strengthen Security Configuration  
    As pointed out above, Uber had MFA in place for user access. That is to say; multifactor authentication is not a silver bullet in today’s cybersecurity landscape. Today, hackers have developed various methods to circumvent access control mechanisms, including MFA.
    A crucial step towards safeguarding your systems and information is to get rid of embedded credentials. Additionally, it is vital to remove standing access to sensitive infrastructure and cloud interfaces, which in turn can limit lateral movement.  
  1. Implement Cloud Security Monitor (CSM) 
    Organizations can enhance security by implementing a CSM solution that provides a clear view of their systems and networks for visibility of any unusual activity or behavior. For instance, InsiderSecurity’s CSM is a simple-to-use SaaS for enterprises to monitor their data security in cloud services like Microsoft 365. CSM provides automated monitoring of cloud user logs. The solution uses award-winning automated cybersecurity analytics and machine learning, allowing you to discover threats early before serious data loss.  
  1. Social Engineering is Still a Serious Threat  
    The fact remains that end users are an organization’s biggest security risk. According to Dark Reading’s 2021 Strategic Security Survey, 48% of participants still perceive users breaking security policies as the biggest risk, while 15% believe social engineering attacks still cannot be anticipated or prevented by current technology. As staff members and other authorized users still remain the gatekeepers of your company data, it is essential to train them to detect and report social engineering attacks like phishing to avoid credential theft.  
  1. Detect Login Anomalies from Privileged Accounts   
    Certainly, privileged accounts remain attractive targets for cyber attackers due to their access to sensitive information and systems.  In fact, data breaches and compromised privileged accounts go hand-in-hand. Therefore, you should secure your vital secrets and privileged credentials before extending the same to other data and information. Companies can monitor account use through continuous visibility and reporting that ties activities to specific users. Keep an open mind and look at admin accounts’ events from all angles to detect indicators of compromise.  
  1. Detect and Investigate Excessive Downloads  
    Excessive downloads can be categorized as risky because it indicates an insider or a compromised user who is trying to exfiltrate data. Implementing automated activity monitoring across the entire IT environment to identify unusual file download activity. For example, if a user is seen to have downloaded a large amount of data outside of their expected download behavior, an alert will be triggered. This behaviour can be learned via machine learning algorithms that capture the user’s profile within the environment.  
  1. Detect Suspicious Email Transport Rule Activities and Other Privileged Activities 
    There are legitimate scenarios for using mailbox rules that forward or delete all emails that match certain criteria. However, attackers are also known to add suspicious email transport rules to victims’ mailboxes so that any new email received is forwarded elsewhere, typically to an attacker’s email account. For example, a hacker might want to collect financial data from a company. In this case, they create an inbox rule on a compromised user mailbox to forward all emails containing finance and accounting keywords in the subject or the message body to an external mailbox.  
    Malicious inbox rules are common in phishing campaigns and business email compromise, so it is important to monitor them consistently. 
    Unexpected rule changes can be a sign of a compromised email account. Therefore, whenever email transport rules are updated, verify with the user that the mailbox rules were added intentionally. 
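As an added illustration of the mailbox-rule check described above (example code, not InsiderSecurity's or Microsoft's), the script below scores constructed Microsoft 365 audit records for inbox-rule changes and flags the ones worth verifying with the user. The simplified record layout, the internal domain and the keyword list are assumptions; the parameter names are those of the Exchange New-InboxRule and Set-InboxRule cmdlets.

```python
import re
# Constructed Microsoft 365 unified-audit-log records for inbox-rule changes
# (simplified layout; real records carry parameters as name/value lists).
# The internal domain and keyword list are assumptions for this example.
AUDIT_EVENTS = [
    {"UserId": "alice@corp.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": "Vendor receipts", "SubjectContainsWords": "invoice;payment",
                    "ForwardTo": "finance-archive@corp.example"}},
    {"UserId": "bob@corp.example", "Operation": "New-InboxRule",
     "Parameters": {"Name": ".", "BodyContainsWords": "invoice;wire transfer;accounting",
                    "ForwardTo": "collector@mail-drop.example", "DeleteMessage": "True"}},
    {"UserId": "carol@corp.example", "Operation": "Set-InboxRule",
     "Parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]
INTERNAL_DOMAINS = {"corp.example"}
FINANCE_KEYWORDS = {"invoice", "payment", "wire transfer", "accounting", "finance", "bank"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")  # real cmdlet params

def external_targets(params):
    """Return forwarding targets whose domain is not one of ours."""
    targets = []
    for key in FORWARD_PARAMS:
        for addr in re.split(r"[;, ]+", params.get(key, "")):
            if "@" in addr and addr.split("@")[1].lower() not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets

def score_rule_event(event):
    """Score one inbox-rule audit event; higher means more suspicious."""
    if event["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p, reasons = event["Parameters"], []
    ext = external_targets(p)
    if ext:
        reasons.append(f"forwards to external {ext}")
    words = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
    if any(k in words for k in FINANCE_KEYWORDS):
        reasons.append("matches finance keywords")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes messages, hiding the forwarding from the owner")
    if len(p.get("Name", "")) <= 1:
        reasons.append("near-empty rule name")
    # External forwarding is the core signal (3 points); each extra signal adds 1.
    return (3 if ext else 0) + len(reasons) - (1 if ext else 0), reasons

def triage(events, threshold=3):
    """Users whose rule changes reach the threshold, for the verification step above."""
    scored = ((e["UserId"], score_rule_event(e)) for e in events)
    return {u: s for u, s in scored if s[0] >= threshold}
```

Alice's rule forwards finance mail to an internal archive and scores low, while Bob's rule forwards it externally, deletes the originals and has a throwaway name, which is the pattern the text describes.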

Avoid Attacks with InsiderSecurity  

An analysis of recent incidents reveals that there is no foolproof defence against today’s frequent and sophisticated data breaches. Fortunately, implementing layered and robust security measures, training employees, and using cloud security solutions to monitor and report anomalous activities can help mitigate attacks. Unfortunately, some firms lack the resources and expertise to implement such controls. To make matters worse, they might not know they have been breached until months later, when it is too late.  

InsiderSecurity offers the advanced cybersecurity solutions and expertise needed to help your company find cyber threats before there is any serious data loss. We offer a range of solutions, including the Cloud Security Monitor for ensuring data security in your cloud services and Automated UEBA for securing on-premise and cloud IT infrastructure.  

5 Effective Ways to Prevent Data Breaches

In Singapore’s Cybersecurity Awareness Month in Oct, various data breaches impacting organizations large and small were reported. High-profile incidents included Australian telcos Optus and Telstra, eight Shangri-La hotels around Asia, health insurance provider Medibank, and online retailers MyDeal and Vinomofo.

In late September 2022, Optus, Australia’s second largest telco, was breached. It has been revealed that 2.1 million personal identification numbers were stolen, with the details of 30,000 current and former employees leaked as well. In early October, Telstra had 18.8 million of its accounts stolen. There was another data breach earlier last week at Australia’s biggest health insurance provider, Medibank, which led to 200GB worth of confidential data being stolen. Another major cybersecurity incident occurred at MyDeal just a day after the Medibank data breach. MyDeal has confirmed that the data of around 2.2 million customers has been breached.

With today’s sophisticated hackers, no business is safe from data breaches. Small and medium-sized enterprises (SMEs) often have leaner cybersecurity teams and budgets and lack effective cyber security strategies. Cyber criminals are aware of the fact that SMEs are often easier targets. It is a misconception that SMEs are spared from cyber criminals.

So how can you stop this from happening to your company? In this article, we discuss five proven ways to prevent a cyber disaster from occurring at your organisation.  

1. Beware Shadow IT

Gartner refers to shadow IT as “IT devices, software and services outside the ownership or control of IT organizations”. Training users on the risks of shadow IT, and ensuring the IT team is able to support the needs of the business, is extremely important. Gone are the days when IT staff could ask users to wait weeks or months to get a service up, because most people will simply use Google to find out whether the service is available for them to use online. It is a major plus if these services are free, but in a world that values data more than anything else, are free services truly free?

2. Automate certificate services

Certificates are used everywhere: on your websites, in your email, when you connect to a VPN, and when your administrators log into a web portal to manage hardware devices. We see a trend towards maturity where larger organisations create a central Public Key Infrastructure (PKI) service to centralise control over all certificate usage. This central PKI service issues certificates for the entire organisation and gives gateway devices the ability to block any self-signed services, reducing the shadow IT risk mentioned earlier. The next step is to automate not just certificate requests via self-service but the renewal of these certificates as well. Netrust is a well-known Singapore Certificate Authority that can help with this.

3. Uncover the internal threats early 

User and Entity Behaviour Analytics (UEBA) has emerged as the most effective approach to comprehensively detect a far wider range of real-time suspicious activities and unknown threats in the enterprise. 
InsiderSecurity’s Automated UEBA applies algorithms, scenario analytics and advanced machine learning rather than rules or signatures to provide crucial visibility and a risk score for suspicious activity. It reduces response time to cyber attacks. Based on advanced analytics of user behaviour, our Automated UEBA provides increased security coverage with minimal investment in security experts for SMEs.
For example, consider this attack scenario. There is a zero-day vulnerability in your systems, which is not yet known to the public but is already being actively exploited by attackers. InsiderSecurity’s Automated UEBA is able to uncover such an attack by monitoring for suspicious account and network activity in the systems and alerting you early.
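An added example, not InsiderSecurity's code, of the baseline-and-risk-score idea behind both the excessive-downloads item earlier on the page and this section: learn a user's profile from constructed daily activity summaries, score a new day against it, and fold confirmed-benign days back into the profile so it is not static. Record fields, thresholds and weights are assumptions.

```python
import statistics
# Constructed daily activity summaries for one user (not real telemetry).
# Each record is (day, download_mb, first_login_hour, country); days 1-10
# form the learned baseline. Field names and thresholds are assumptions.
HISTORY = {
    "dave@corp.example": [(d, mb, h, "SG") for d, mb, h in
        [(1, 42, 9), (2, 38, 10), (3, 51, 9), (4, 47, 11), (5, 40, 9),
         (6, 45, 10), (7, 39, 9), (8, 50, 10), (9, 44, 9), (10, 41, 10)]],
}
# Two candidate days to score: a normal one and one resembling exfiltration.
TODAY = {"normal": (11, 48, 10, "SG"), "suspect": (11, 900, 3, "XX")}

def baseline(records):
    """Learn a profile: download mean/stdev, usual login hours and countries."""
    mbs = [r[1] for r in records]
    return {
        "mb_mean": statistics.mean(mbs),
        "mb_stdev": statistics.stdev(mbs) if len(mbs) > 1 else 0.0,
        "hours": {r[2] for r in records},
        "countries": {r[3] for r in records},
    }

def risk_score(profile, obs):
    """Score one day's activity against the profile; returns (score, reasons)."""
    _, mb, hour, country = obs
    reasons, score = [], 0
    # Download volume as a z-score against the baseline (guard a zero stdev).
    z = (mb - profile["mb_mean"]) / (profile["mb_stdev"] or 1.0)
    if z > 3:
        score += min(int(z), 10)  # capped so one signal cannot swamp the rest
        reasons.append(f"download volume z={z:.1f}")
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        score += 2
        reasons.append(f"login at hour {hour} outside the usual window")
    if country not in profile["countries"]:
        score += 3
        reasons.append(f"first login from {country}")
    return score, reasons

def update_profile(records, obs):
    """The profile is not static: fold a confirmed-benign day back into it."""
    records.append(obs)
    return baseline(records)

if __name__ == "__main__":
    recs = list(HISTORY["dave@corp.example"])
    prof = baseline(recs)
    for label, obs in TODAY.items():
        print(label, risk_score(prof, obs))
```

No single rule such as "more than 500 MB" is written anywhere; the threshold comes from the user's own history, which is what distinguishes this from the static allow/deny rules the page contrasts UEBA with.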

Figure 1: Unusual activity by an insider or a hijacked account, detected by the InsiderSecurity UEBA solution before a data breach

4. Secure the database server

Database Activity Monitoring is a critical aspect of minimizing your company’s risks and protecting not only your data but also the company’s reputation. For organizations with sensitive databases, InsiderSecurity’s Database Activity Monitor automatically discovers suspicious data access and data theft early. It leverages InsiderSecurity’s AI-driven cybersecurity analytics. Database Activity Monitor works out of the box, as users do not need to configure complex rules. Furthermore, Database Activity Monitor helps meet data protection regulations such as PDPA and GDPR. 
After attackers or rogue insiders gain initial access to a victim’s infrastructure, they move laterally around the internal IT systems and attempt to access high-value data stored in the enterprise’s databases. InsiderSecurity’s Database Activity Monitor can discover such database access early, before there is serious data loss.

Figure 2: Data theft, detected by the InsiderSecurity DAM solution before the breach became publicly known

5. Ensure data security in cloud services

To safeguard against the ever-evolving cloud threats, consider implementing InsiderSecurity’s Cloud Security Monitor (CSM) for managing cloud access and securing the cloud workspace. It is a simple-to-use SaaS to monitor data security in cloud services. CSM detects suspicious data access and new and emerging threats with behavioral analytics. It applies machine-built timelines to decrease response times and improve analyst productivity by automating incident investigation. CSM also monitors for compromised Microsoft 365 accounts and discovers documents shared to the public by accident. 
Attackers are known to do this: after compromising an on-premise network, they steal cloud credentials, access the victim’s cloud infrastructure, and gain access to sensitive documents in OneDrive or SharePoint. With InsiderSecurity’s Cloud Security Monitor, such threat behaviour can be detected early to mitigate further damage.

Figure 3: Suspicious data access, detected by the InsiderSecurity CSM before a data breach

Summary

In the past 10 years, the number of data breaches has increased significantly. Protecting the business from these threats is essential. Protect your company by implementing the approaches described above. 

Clearly understanding the possible danger from shadow IT and the benefits of certificate automation is vital for ensuring the proper security of your organization’s critical assets. Netrust is a well-known Certificate Authority that provides such certificate services. Please reach out to Netrust Pte Ltd at sales@netrust.net or visit https://www.netrust.net/ if you would like to find out more.

The other key is to be able to detect the breach early. Detecting the breach early enables a company to minimize or prevent data loss altogether and avoid a cyber disaster. InsiderSecurity’s award-winning solutions help you to do this.