
UBA 5.0 Demo Script

  • Writer: Pavan Raja
  • Apr 9

Summary:

This document outlines a series of security incidents detected using User Behavior Analytics (UBA) technology within a healthcare environment. The analysis was conducted to identify potential threats to sensitive patient information from web server logs and Powerbroker records. Here are the key findings and steps taken for each incident:

### Incident 1: Connection to Malicious URL

- **Description**: The system connected to a suspicious domain ("microsft.com") that is a close lookalike of "microsoft.com". This could be part of a phishing attempt or an attempt to access malicious content. UBA flagged it as potentially harmful based on third-party reputation intelligence.
- **Investigation**:
  - The system was monitored for further activity, and a detailed analysis confirmed the connection to the suspicious domain.
  - A security alert was triggered indicating potential phishing activity.
  - Further investigation confirmed that no unauthorized access had occurred; however, it indicated a risk of future malicious engagement.

### Incident 2: Visit to Algorithmically Generated Domains

- **Description**: The system visited URLs with nonsensical character strings ("xbfhjrp"), typical of domains generated algorithmically and often used in fast-flux DNS infrastructure for command and control, indicating possible malware activity or other malicious intent.
- **Investigation**:
  - UBA flagged the visits to these domains as anomalous behavior indicative of possible malware engagement.
  - The system was scanned with antivirus software to identify any threats associated with these domains.
  - A firewall rule update was implemented to block future visits to such domains.

### Incident 3: Rare Windows Process Created

- **Description**: An unusual process (svhost.exe) was detected on the system, possibly indicating unauthorized software or privilege escalation via compromised credentials.
- **Investigation**:
  - UBA flagged the creation of this rare process and its anomalous location in the file system.
  - A full system scan revealed suspicious activity in multiple files, leading to the identification of malware.
  - The system was quarantined as a precaution while further investigation was conducted.

### Incident 4: Potential XSS Attack

- **Description**: A GET request with an excessively large content size (3.4 MB) was observed on the web server, characteristic of a cross-site scripting attack and indicating unauthorized access and script injection attempts.
- **Investigation**:
  - UBA detected the unusual traffic pattern as indicative of a potential XSS attack.
  - The affected web page was taken offline for security review.
  - Web application firewall rules were updated to block future XSS attacks.

### Incident 5: Log Modification and Covering Tracks

- **Description**: The sysadmin user attempted to modify log files, specifically removing "/usr/log/server.log", in an attempt to cover up unauthorized activity.
- **Investigation**:
  - UBA flagged the modification of critical system logs as a potential sign of malicious intent.
  - A forensic analysis of the sysadmin user's actions and history confirmed unauthorized access attempts.
  - The affected account was locked to prevent further tampering with system files.

### Conclusion

The UBA technology effectively monitored and alerted on unusual activity that may indicate compromised systems or cyber threats targeting sensitive patient information. Further investigation through tools like the Investigation Workbench allowed detailed analysis of logs and data, confirming suspicions of unauthorized access and malicious activity. These findings demonstrate how UBA can be an essential tool for maintaining cybersecurity in healthcare environments by identifying and responding to potential security incidents promptly.

Details:

The document outlines a demonstration script for ArcSight User Behavior Analytics (UBA) version 5.0, focusing on user scenarios designed to showcase its capabilities in detecting potential risks and anomalies within an organization's network environment. Key features of UBA are highlighted through practical examples involving resources such as Websense, SharePoint_file, Symantec_Endpoint, PaloAlto, and IronportEmail. The demonstration script is structured around scenarios that illustrate user behavior analysis using rule-based, peer group-based, and behavior-based methods to identify potential threats or anomalies, including:

1. Detecting possible flight-risk behavior during job searches.
2. Monitoring exiting behavior patterns for suspicious activity.
3. Identifying anomalous download activity compared to peers using SharePoint_file.
4. Detecting a spike in upload activity to personal storage sites using PaloAlto.
5. Assessing cross-channel data egress through Symantec_Endpoint and IronportEmail.
6. Monitoring high numbers of failed USB attempts using Symantec_Endpoint.

The demonstration also provides setup instructions for accessing the UBA interface, where an admin can log in with credentials and view a dashboard displaying the entities (users, uncorrelated accounts, resources, and network addresses) with the highest risk. The tool analyzes user profiles, establishes a baseline of normal behavior, detects anomalies or outliers, and compares behavior among similar peers based on attributes such as job code, title, manager, and location. Overall, this demonstration script serves as a guide to how ArcSight UBA can be used in real-world scenarios to enhance security by identifying unusual activities that may indicate risks or compromises within an organization's network.
The script then describes how UBA is used to monitor user activity, focusing on high-risk users such as Kevin Milton. The main features include filtering and analyzing data from resources such as applications, servers, and devices identified by IP address. Understanding the context of risky behavior involves several steps:

1. **Filtering Data**: Users can customize views by clicking filters (for example, 70%-90% under Violators by Percentile) or selecting specific peer groups and data services.
2. **Activity Accounts and Associated Objects**: This section lists all accounts, resources, and risk scores associated with the user of interest, Kevin Milton.
3. **General Details and Risk Scorecard**: Detailed information about the user (e.g., employment status, performance review) is compiled into a risk scorecard for analysis.
4. **Behavior Profile**: This shows baseline activity over time and any anomalies that exceed the norm.
5. **Violations Summary**: Lists detected violations such as excessive job-search activity or failed USB attempts, with associated details like filenames and dates.

The system also adds context to potential issues by integrating non-IT data (e.g., HR information) with IT data, which helps assess risk more accurately. For example, if an employee is searching for resignation documents, it may indicate dissatisfaction or a pending departure, warranting closer scrutiny even before they leave the company. In short, UBA helps identify high-risk users like Kevin Milton and provides detailed insight into their activities, supporting better decisions about user permissions, access controls, and potential security threats within an organization.
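The Behavior Profile and "Violators by Percentile" views described above rest on two simple computations: a user's deviation from their own baseline, and their rank within a peer group. The following Python is an added illustration of both, not code from the ArcSight demo script or product; the daily counts, user names and peer-group assignments are constructed, and the 10x threshold is an assumption (the "33 times the daily baseline" SSH finding later in this page is the same computation with a larger multiple).

```python
"""
Added example, not part of the ArcSight UBA demo script: a minimal
behavior-based and peer-based scoring pass of the kind the Behavior Profile
and "Violators by Percentile" views describe. All counts, user names and
peer-group assignments below are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed daily activity counts (e.g. job-search page hits per day) over a
# 14-day window; the last value is the day being evaluated.
DAILY_COUNTS = {
    "kmilton": [3, 2, 4, 3, 2, 3, 5, 3, 2, 4, 3, 3, 2, 99],
    "jkeller": [4, 5, 3, 4, 6, 5, 4, 5, 3, 4, 5, 4, 6, 5],
    "eduane":  [2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3],
    "rbriant": [1, 0, 2, 1, 1, 0, 1, 2, 1, 1, 0, 1, 2, 1],
    "svc_db":  [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}

# Constructed peer groups; in the product these derive from HR attributes
# such as job code, title, manager and location.
PEER_GROUP = {
    "kmilton": "marketing", "jkeller": "marketing", "eduane": "marketing",
    "rbriant": "marketing", "svc_db": "service-accounts",
}


def baseline_multiple(history, today):
    """How many times the user's own median daily baseline today's count is.
    A zero baseline is treated as 1 so that first-ever activity still scores."""
    base = median(history) or 1
    return today / base


def behavior_violations(counts, multiple_threshold=10.0):
    """Behavior-based check: users whose latest day exceeds their own baseline
    by more than `multiple_threshold` times. Returns {user: multiple}."""
    hits = {}
    for user, series in counts.items():
        history, today = series[:-1], series[-1]
        multiple = baseline_multiple(history, today)
        if multiple > multiple_threshold:
            hits[user] = round(multiple, 1)
    return hits


def peer_percentiles(counts, groups):
    """Peer-based check: percentile (0-100) of each user's total activity
    within their own peer group, i.e. the share of peers with a lower total."""
    totals = {user: sum(series) for user, series in counts.items()}
    members_of = defaultdict(list)
    for user, group in groups.items():
        members_of[group].append(user)
    percentiles = {}
    for members in members_of.values():
        for user in members:
            below = sum(1 for peer in members if totals[peer] < totals[user])
            percentiles[user] = round(100 * below / len(members))
    return percentiles


def violators_by_percentile(counts, groups, low=70, high=90):
    """Equivalent of selecting the 70%-90% band under Violators by Percentile:
    users whose peer percentile lies in [low, high], sorted by name."""
    return sorted(user for user, pct in peer_percentiles(counts, groups).items()
                  if low <= pct <= high)


if __name__ == "__main__":
    print("behavior violations:", behavior_violations(DAILY_COUNTS))
    print("peer percentiles:", peer_percentiles(DAILY_COUNTS, PEER_GROUP))
    print("70-90% violators:", violators_by_percentile(DAILY_COUNTS, PEER_GROUP))
```

With the constructed data, kmilton's last day is 33 times his median baseline and he sits at the 75th percentile of the marketing peer group, so he appears under both checks; the service account, with no activity, scores nothing. The median is used rather than the mean so that a single spike does not drag the baseline up with it.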
The script next details a security analysis of Kevin Milton's data exfiltration attempts through several channels: USB drives, emails to himself, and file transfer services. Key findings include:

1. **Data Exfiltration Attempt**: Kevin Milton attempted to transfer confidential files (MOU-def2015.docx) but was unsuccessful because of restrictions on his USB drive usage. He subsequently used email and external storage sites to continue the exfiltration, which was detected by PaloAlto and UBA.
2. **Multiple Vectors Used**: The analysis revealed that Kevin employed multiple vectors, such as email attachments and personal storage sites, to transfer files without authorization; the USB attempts were recorded by Symantec Endpoint Protection. This behavior was identified through cross-channel data egress analysis.
3. **Performance Review Context**: Review of his activities led to the discovery that Kevin's 2014 performance review was poor, which, together with the HR system information, could indicate dissatisfaction or intent to take confidential material before leaving the company.
4. **Violation Confirmation and Case Creation**: Specific violations were confirmed by analysts, leading to case creation for further investigation. The analyst also reviewed and marked these activities as confirmed violations.
5. **Investigation Workbench**: In the Investigation Workbench, Kevin's violated policies were analyzed visually, revealing multiple activity accounts potentially linked to his unauthorized data exfiltration. These findings were supported by detailed account analysis in UBA.
6. **Comparing with Peers**: The report compared Kevin Milton's activity (emailing MarketingPlan2016.pptx) with that of peers, revealing that John Keller had also sent this attachment externally during the same period. A new investigation was initiated into John Keller to compare his digital footprint in a parallel analysis.
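The cross-channel egress finding above depends on joining events from three different feeds on the same user and filename. The Python below is an added example of that correlation, written for this page rather than taken from the demo script or ArcSight; the event records are constructed to resemble normalized Symantec_Endpoint, IronportEmail and PaloAlto events, and the 24-hour window is an assumption.

```python
"""
Added example, not ArcSight code: correlating the same file across endpoint,
email and proxy channels, as in the Kevin Milton cross-channel egress
scenario. The event records are constructed to look like normalized events
from Symantec_Endpoint, IronportEmail and PaloAlto feeds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, source, user, action, filename, outcome)
EVENTS = [
    ("2015-03-02T09:12:00", "Symantec_Endpoint", "kmilton", "usb_copy", "MOU-def2015.docx", "blocked"),
    ("2015-03-02T09:14:00", "Symantec_Endpoint", "kmilton", "usb_copy", "MOU-def2015.docx", "blocked"),
    ("2015-03-02T09:31:00", "IronportEmail", "kmilton", "email_external", "MOU-def2015.docx", "allowed"),
    ("2015-03-02T10:05:00", "PaloAlto", "kmilton", "upload_personal_storage", "MOU-def2015.docx", "allowed"),
    ("2015-03-03T15:40:00", "IronportEmail", "kmilton", "email_external", "MarketingPlan2016.pptx", "allowed"),
    ("2015-03-03T16:02:00", "IronportEmail", "jkeller", "email_external", "MarketingPlan2016.pptx", "allowed"),
    ("2015-03-04T11:00:00", "IronportEmail", "rbriant", "email_external", "Newsletter.pdf", "allowed"),
]


def parsed(events):
    """Convert ISO timestamps to datetime and group events by (user, filename),
    each group sorted by time."""
    groups = defaultdict(list)
    for ts, src, user, action, fname, outcome in events:
        groups[(user, fname)].append((datetime.fromisoformat(ts), src, action, outcome))
    for recs in groups.values():
        recs.sort()
    return groups


def cross_channel_egress(events, window=timedelta(hours=24)):
    """Files a user moved (or tried to move) out through two or more distinct
    channels within `window` of the first attempt. Returns {(user, file): [sources]}."""
    findings = {}
    for key, recs in parsed(events).items():
        first = recs[0][0]
        sources = {src for ts, src, _, _ in recs if ts - first <= window}
        if len(sources) >= 2:
            findings[key] = sorted(sources)
    return findings


def blocked_then_allowed(events):
    """Users whose blocked attempt on one channel was followed by an allowed
    transfer of the same file on another channel (the USB-then-email pattern).
    Returns {(user, file): [channels that later allowed it]}."""
    findings = {}
    for key, recs in parsed(events).items():
        blocked = [(ts, src) for ts, src, _, outcome in recs if outcome == "blocked"]
        if not blocked:
            continue
        first_block_ts, block_src = blocked[0]
        later = sorted({src for ts, src, _, outcome in recs
                        if outcome == "allowed" and ts > first_block_ts and src != block_src})
        if later:
            findings[key] = later
    return findings


def peers_sharing_attachment(events, user, filename):
    """Other users who sent the same attachment externally: the check that led
    the demo analyst from Kevin Milton to John Keller."""
    return sorted({u for _, src, u, action, fname, _ in events
                   if fname == filename and u != user and action == "email_external"})


if __name__ == "__main__":
    print(cross_channel_egress(EVENTS))
    print(blocked_then_allowed(EVENTS))
    print(peers_sharing_attachment(EVENTS, "kmilton", "MarketingPlan2016.pptx"))
```

The key point is the join: any one feed shows only a blocked USB copy, a routine outbound email, or a web upload, none of which is alarming by itself; grouping by (user, filename) across feeds is what turns them into a single egress story, and the peer query is what turns one user's case into a second investigation.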
The whole process underscores the capability of UBA systems to detect anomalous behavior within an organization's digital environment, often providing insight into potential data breaches or insider threats that would be difficult to identify with traditional security measures alone.

The next scenario analyzes Kevin Milton's email attachments and interactions with specific emails to detect anomalies in his account activity. The analysis uses UBA's behavior-based, peer-based, identity-based, and rule-based detection methods. The investigation revealed that a service account named SVC_DB_BACKUP behaved anomalously: it logged in to an IP address not previously used by any account, executed rare commands on the database, and deleted audit logs, commands such accounts do not usually perform. To investigate further, the user opened the UBA interface and launched the Investigation Workbench. The analysis showed multiple network logins (logon type 3) and an interactive login (logon type 2), both characteristic of normal user logins rather than of service accounts like SVC_DB_BACKUP. The anomalous activity was traced to specific IP addresses, while the "normal" activity came from different IPs in the same range. The Investigation Workbench allowed detailed examination and attribution of the anomalous actions to Kevin Milton's account, suggesting misuse or unauthorized use of company resources via SVC_DB_BACKUP. This scenario highlights the importance of monitoring high-privilege accounts such as service accounts for activity that deviates from their typical patterns.
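The SVC_DB_BACKUP findings above are all "first time this account did X" checks against a learned profile. The Python below is an added example of that logic, not code from the demo script or from ArcSight; the baseline and new-day records are constructed to resemble normalized Windows logon events (logon type codes as in event 4624) and database audit entries, and the list of service accounts is an assumption.

```python
"""
Added example, not part of the demo script: service-account anomaly checks
modelled on the SVC_DB_BACKUP scenario (first-seen IP, logon type the account
never uses, rare database commands, audit log deletion). The records are
constructed to resemble normalized Windows logon and database audit events.
"""
from collections import defaultdict

SERVICE_ACCOUNTS = {"SVC_DB_BACKUP"}
# Logon type codes as reported in Windows Security event 4624
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}

# Constructed baseline period: (account, logon_type, source_ip, db_command or None)
BASELINE = [
    ("SVC_DB_BACKUP", 5, "10.34.76.20", "BACKUP DATABASE"),
    ("SVC_DB_BACKUP", 5, "10.34.76.20", "BACKUP DATABASE"),
    ("SVC_DB_BACKUP", 5, "10.34.76.21", "BACKUP LOG"),
    ("kmilton", 2, "10.34.76.51", None),
    ("kmilton", 3, "10.34.76.51", None),
]

# Constructed events for the day under review
NEW_EVENTS = [
    ("SVC_DB_BACKUP", 5, "10.34.76.20", "BACKUP DATABASE"),
    ("SVC_DB_BACKUP", 3, "10.34.76.99", "SELECT * FROM patients"),
    ("SVC_DB_BACKUP", 2, "10.34.76.99", "DELETE FROM audit_log"),
    ("kmilton", 2, "10.34.76.51", None),
]

TAMPER_VERBS = ("DELETE", "DROP", "TRUNCATE")


def build_profile(baseline):
    """Per-account sets of logon types, source IPs and commands seen in the baseline."""
    profile = defaultdict(lambda: {"types": set(), "ips": set(), "cmds": set()})
    for acct, ltype, ip, cmd in baseline:
        p = profile[acct]
        p["types"].add(ltype)
        p["ips"].add(ip)
        if cmd:
            p["cmds"].add(cmd)
    return profile


def detect(events, profile, service_accounts=SERVICE_ACCOUNTS):
    """Evaluate new events against the profile; each 'first' fires once because
    the profile is updated as events are consumed. Returns [(account, reason)]."""
    known_ips = set().union(*(p["ips"] for p in profile.values()))
    findings = []
    for acct, ltype, ip, cmd in events:
        p = profile[acct]
        if ip not in known_ips:
            findings.append((acct, f"first use of IP {ip} by any account"))
        elif ip not in p["ips"]:
            findings.append((acct, f"first use of IP {ip} by this account"))
        known_ips.add(ip)
        p["ips"].add(ip)
        if ltype not in p["types"]:
            findings.append((acct, f"new logon type {LOGON_TYPE_NAMES.get(ltype, ltype)} for this account"))
            p["types"].add(ltype)
        if acct in service_accounts and ltype in (2, 10):
            findings.append((acct, f"{LOGON_TYPE_NAMES[ltype]} logon by a service account"))
        if cmd and cmd not in p["cmds"]:
            findings.append((acct, f"rare command: {cmd}"))
            p["cmds"].add(cmd)
        if cmd and "audit" in cmd.lower() and cmd.upper().startswith(TAMPER_VERBS):
            findings.append((acct, f"audit log tampering: {cmd}"))
    return findings


def by_account(findings):
    """Count findings per account, a simple stand-in for a risk score."""
    counts = defaultdict(int)
    for acct, _ in findings:
        counts[acct] += 1
    return dict(counts)


if __name__ == "__main__":
    for acct, reason in detect(NEW_EVENTS, build_profile(BASELINE)):
        print(f"{acct}: {reason}")
```

Two of the checks are behavior-based (anything not in the account's own profile) and two are rule-based (an interactive logon by any service account, and a destructive statement against an audit table), which is the same mix the scenario attributes to UBA. Updating the profile as events are consumed keeps a noisy account from raising the same "first use" finding on every subsequent event.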
The next scenario covers unauthorized access and high-privilege account (HPA) usage, specifically an incident involving the user "mybot" acting through the NM-ROOT account. UBA detected several violations:

1. **Jumpbox Violation**: The NM-ROOT account accessed a Powerbroker resource without being checked out from CyberArk (rule-based).
2. **Self Permission Elevation**: The mybot account elevated its own permissions, giving itself root access to run scripts and commands on the server (rule-based).
3. **Rare File Executed**: A rare Python script named "myRootkit.py" was executed for the first time by the sudo account on a Powerbroker data source (rule-based).
4. **FTP to Malicious Destinations**: Large file transfers to a malicious FTP site were detected (behavior-based).
5. **Audit Log Tampering**: The audit logs were tampered with, identified through the "First use of Account to perform Transaction" check (behavior-based).
6. **High Number of SSH Commands Executed**: An unusually high number of SSH commands were executed over time (33 times the daily baseline), indicating potential misuse (behavior-based).
7. **High Amount of Data Transferred to Malicious Site**: A significant amount of data was transferred through the Palo Alto proxy to a malicious location, exceeding normal activity baselines (behavior-based).

The scenario includes detailed steps for accessing and analyzing this information in the UBA interface, navigating dashboard views and investigations to uncover activity linked to the mybot account and its network address (IP 10.34.76.12). It also covers starting new investigations and viewing the accounts associated with specific IP addresses to continue the forensic analysis of the breaches attributed to the "mybot" user.

The next scenario uses UBA to monitor and analyze potential threats in a healthcare environment, focusing on the resource alechuga_pc:

1. **High Number of Patient's Data Accessed**: The system associated with alechuga_pc accessed an unusually high number of patient records, far exceeding normal thresholds, raising concerns about unauthorized access and data breaches.
2. **Potential Lateral Movement**: Lateral movement was observed from alechuga_pc to other user systems (rbriant_pc, jfilippi_pc, rgills_pc, eduane_pc), indicative of malware or malicious activity attempting to move through the network without authorization.
3. **Connection to Malicious URL**: The system connected to a suspicious domain ("microsft.com") that closely resembles the legitimate "microsoft.com". This could be part of a phishing attempt or access to malicious content; UBA flagged it as potentially harmful based on third-party reputation intelligence.
4. **Visit to Algorithmically Generated Domains**: The system visited URLs with nonsensical character strings ("xbfhjrp"), typical of algorithmically generated domains often used in fast-flux DNS infrastructure for command and control, indicating possible malware activity or other malicious intent.
5. **Rare Windows Process Created**: An unusual process was detected on the system, possibly a sign of unauthorized software or of privilege escalation via compromised credentials.
These issues were addressed using UBA, which analyzed user behavior and correlated activity across multiple resources to identify potential threats. The analysis led to further investigation in the Investigation Workbench, where detailed logs and data could be reviewed to confirm or refute suspicions of unauthorized access and malicious activity. The purpose of this scenario is to demonstrate how UBA can be used in a healthcare environment to monitor and alert on unusual activity that may indicate compromised systems or threats targeting sensitive patient information.

The next scenario describes a series of security events observed by UBA from web server logs and Powerbroker records. The analysis involved the following steps:

1. **High Risk Network Addresses**: Identified an external IP address responsible for 51,989 failed GET requests followed by one successful request on a web server, likely indicating attempted exploitation or misconfiguration.
2. **Suspicious File Execution**: Detected the execution of a suspicious file (wp-config.php) on the web server, which contained sensitive information such as database credentials. This was confirmed by a GET request with an unusually high content length, suggesting command execution or data exfiltration.
3. **Potential XSS Attack**: Identified a GET request with an excessively large content size (3.4 MB), characteristic of a cross-site scripting attack and indicating unauthorized access and script injection attempts on the web server.
4. **User Added by External IP**: Noted the addition of a user named my_root via Powerbroker from an external IP address, which is not normal unless justified by a specific administrative task. This led to privilege escalation when my_root obtained sudo/root privileges.
5. **Log Modification and Covering Tracks**: Observed the sysadmin user modifying log files (removing /usr/log/server.log) to cover up unauthorized activity and hide evidence of the compromised account's actions.

The UBA tool used rule-based analytics to detect these anomalies, with all events analyzed through a dashboard that provides an overview of users, resources, and network addresses at risk based on predefined policies and thresholds for behavior deviation.

The final scenario is an investigation into a high-risk network address (62.210.136.206) conducted in the UBA interface. The investigation reviewed several policies violated by this IP address, including anomalous behavior on the resource "blynch_pc": a rare Windows process, an anomalous file hash change, potential lateral movement, visits to algorithmically generated domains, and data exfiltration to a CNC server. Key findings include:

1. A rare Windows process was identified as svhost.exe in an unusual directory (C:\Systems32\Windows\), which could be malicious, attempting to mimic a standard Windows process.
2. Anomalous changes in Registry file hashes monitored by Tripwire were observed, indicating potential security violations.
3. UBA detected lateral movement between PCs such as blynch_pc and LMueller_pc, deviating from normal communication patterns.
4. The resource blynch_pc communicated with servers whose domain names were generated by a Domain Generation Algorithm (DGA), such as s3t8.com, f3q8.com, and g9m8.com.
5. Significant data exfiltration was detected, indicating unauthorized data transfer to a CNC server.
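The web server and Powerbroker findings above are rule-based: a count of failures per source address followed by a success, a size threshold on a single request, access to a sensitive file, and an account created from an address that is not internal. The Python below is an added example of those rules over Common Log Format lines, written for this page and not taken from the demo script or ArcSight. The log lines and Powerbroker-style records are constructed (the failing-request count and the external address are the ones the scenario names); the thresholds are assumptions, and CLF records the response size, so the 3.4 MB check is applied to that field here.

```python
"""
Added example, not part of the demo script: rule-based checks over web server
access-log lines and Powerbroker-style account records, mirroring the
"51,989 failed GETs then one success", oversized request and "user added from
an external IP" detections. All log lines and records are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SENSITIVE_PATHS = ("/wp-config.php",)


def constructed_log():
    """51,989 failing GETs from one external address, then one large success,
    plus an unrelated internal request (all constructed)."""
    lines = [
        f'62.210.136.206 - - [09/Apr/2015:10:00:00 +0000] '
        f'"GET /wp-login.php?try={i} HTTP/1.1" 404 512'
        for i in range(51_989)
    ]
    lines.append('62.210.136.206 - - [09/Apr/2015:11:00:00 +0000] '
                 '"GET /wp-config.php HTTP/1.1" 200 3560000')
    lines.append('10.1.2.3 - - [09/Apr/2015:11:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048')
    return lines


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyze_access_log(lines, fail_threshold=1000, size_threshold=1_000_000):
    """Three rule-based detections in one pass:
    - fail_then_success: IPs with >= fail_threshold 4xx/5xx responses followed by a 2xx
    - oversized: responses larger than size_threshold bytes
    - sensitive: any request for a path in SENSITIVE_PATHS"""
    fails = defaultdict(int)
    result = {"fail_then_success": {}, "oversized": [], "sensitive": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        ip, status = rec["ip"], rec["status"]
        if status >= 400:
            fails[ip] += 1
        elif status < 300 and fails[ip] >= fail_threshold and ip not in result["fail_then_success"]:
            result["fail_then_success"][ip] = fails[ip]
        if rec["size"] > size_threshold:
            result["oversized"].append((ip, rec["path"], rec["size"]))
        if rec["path"].split("?")[0] in SENSITIVE_PATHS:
            result["sensitive"].append((ip, rec["path"], status))
    return result


def is_external(ip):
    """True for a routable public address (RFC 1918, loopback etc. are internal)."""
    return ipaddress.ip_address(ip).is_global


# Constructed Powerbroker-style records: (source_ip, actor, action, target)
PB_RECORDS = [
    ("10.34.76.12", "sysadmin", "useradd", "backup_ops"),
    ("62.210.136.206", "sysadmin", "useradd", "my_root"),
    ("62.210.136.206", "my_root", "sudo", "root"),
]


def users_added_from_external(records):
    """Accounts created from a non-internal source address."""
    return [(target, ip) for ip, _, action, target in records
            if action == "useradd" and is_external(ip)]


if __name__ == "__main__":
    r = analyze_access_log(constructed_log())
    print(r["fail_then_success"], r["oversized"], r["sensitive"])
    print(users_added_from_external(PB_RECORDS))
```

Counting unparsed lines matters in practice: a log format change silently turning every line into "unparsed" would otherwise look identical to a quiet day. The fail-then-success rule records the failure count at the moment of the first success, which is the number an analyst wants on the dashboard.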
The investigation involved setting up the UBA interface with admin/password credentials accessed via https://172.16.100.110:8443/Profiler/, and reviewing detailed policies violated through the UBA dashboard view of High Risk Entities, sorted by Risk Score.
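Three indicators recur throughout this script: a domain one edit away from a real brand (microsft.com), labels with no vowels or packed with digits (xbfhjrp, s3t8.com, f3q8.com, g9m8.com), and a process name one edit away from a Windows binary in a folder where it does not belong (svhost.exe under C:\Systems32\Windows\). The Python below is an added example of how those three checks can be implemented; it is not code from the demo script or from ArcSight. The domain and process names are the ones the page cites, while the brand list, the expected binary locations, the reputation denylist and the thresholds are assumptions made for illustration.

```python
"""
Added example, not part of the demo script: the three indicator checks behind
the "connection to malicious URL", "algorithmically generated domain" and
"rare Windows process" findings. Known-good lists, denylist and thresholds
are assumptions for illustration.
"""
import math
from collections import Counter

KNOWN_BRANDS = ("microsoft.com", "google.com", "sharepoint.com")
# Hypothetical reputation feed; the product uses third-party intelligence here
DENYLIST = {"bad-reputation.example"}
# Assumed expected locations for well-known Windows binaries
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def levenshtein(a, b):
    """Edit distance via the standard dynamic-programming row update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain, brands=KNOWN_BRANDS, max_distance=2):
    """Brand the domain imitates (within max_distance edits), or None.
    An exact brand match is not a lookalike."""
    domain = domain.lower()
    if domain in brands:
        return None
    dist, brand = min((levenshtein(domain, b), b) for b in brands)
    return brand if dist <= max_distance else None


def dga_features(domain):
    """Lexical features of the leftmost label, the usual DGA tells."""
    label = domain.lower().split(".")[0]
    n = len(label) or 1
    vowels = sum(c in "aeiou" for c in label)
    digits = sum(c.isdigit() for c in label)
    run = longest = 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in "aeiou" else 0
        longest = max(longest, run)
    entropy = -sum(k / n * math.log2(k / n) for k in Counter(label).values())
    return {"len": len(label), "vowel_ratio": vowels / n, "digit_ratio": digits / n,
            "consonant_run": longest, "entropy": round(entropy, 2)}


def looks_generated(domain):
    """Heuristic DGA flag: a label of 4+ chars with no vowels, 30%+ digits,
    or a run of 5+ consonants. Known brands are never flagged."""
    if domain.lower() in KNOWN_BRANDS:
        return False
    f = dga_features(domain)
    if f["len"] < 4:
        return False
    return f["vowel_ratio"] == 0 or f["digit_ratio"] >= 0.3 or f["consonant_run"] >= 5


def classify_domain(domain):
    """Reasons a proxy or DNS event for `domain` should raise a violation."""
    reasons = []
    if domain.lower() in DENYLIST:
        reasons.append("bad reputation")
    brand = lookalike_brand(domain)
    if brand:
        reasons.append(f"lookalike of {brand}")
    if looks_generated(domain):
        reasons.append("algorithmically generated")
    return reasons


def suspicious_process(image_path, known=KNOWN_SYSTEM_BINARIES, max_distance=2):
    """Reasons a process-creation event is rare or suspicious: a name that is a
    near-miss of a system binary, or a real system binary outside its folder."""
    path = image_path.lower().replace("/", "\\")
    folder, _, name = path.rpartition("\\")
    if name in known:
        return [] if folder == known[name] else [f"{name} outside {known[name]}"]
    for good in known:
        d = levenshtein(name, good)
        if 0 < d <= max_distance:
            return [f"{name} mimics {good}"]
    return []


if __name__ == "__main__":
    for d in ("microsft.com", "xbfhjrp.com", "s3t8.com", "microsoft.com"):
        print(d, classify_domain(d), dga_features(d))
    print(suspicious_process(r"C:\Systems32\Windows\svhost.exe"))
```

The lookalike and process checks share one edit-distance routine, which is the point: a typosquatted domain and a typosquatted binary name are the same trick aimed at different readers. The DGA heuristic is deliberately lexical and will misfire on some short brand-like labels, so in a real deployment the known-brand allowlist and the reputation feed are consulted first, exactly as the script's "third-party intelligence" step does.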

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.



@2021 Copyrights reserved.
