The risks to employees and organizations from stolen or compromised credentials and information are well known, and with hackers and insiders becoming more advanced and sophisticated in their techniques, the global threat is increasing. At a recent IT security forum, I was speaking with a customer about an Alert (TA16-250A) that the United States Computer Emergency Readiness Team (US-CERT) released on “The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations” and how User and Entity Behavior Analytics (UEBA) can help address some of its recommendations.
The alert describes recent attack vectors that advanced persistent threat (APT) actors are using and offers a number of useful recommendations that enterprises can apply to better protect their organization. In this blog, we’ll dive into three of the recommendations from the alert and discuss how UEBA can be applied to help organizations across any industry (healthcare, government, finance, manufacturing, retail, etc.) more proactively detect and prevent breaches and insider threats.
Here are the three recommendations where UEBA can make a difference:
- Segment networks and segregate networks based on functions
The starting assumption is that attackers will get inside the perimeter. Once inside, they try to propagate exploits or move laterally around the internal network in order to gain more privileges and access to critical systems and sensitive data. The recommendation is that “Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.”
With a UEBA solution you can take that one step further. Because UEBA learns the behavior of all of the users and entities within an organization, it can detect when an attacker who has gained a foothold attempts to do or access something in the network that is considered risky. Once detected, advanced UEBA solutions with adaptive policy-based responses, like the Preempt Behavioral Firewall, can validate the threat and prevent the attacker from moving further and accessing sensitive data.
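To make the idea concrete, here is an added example (not Preempt’s code and not part of the alert) of the simplest form of this behavioral baseline: it learns which functional network segments each user normally reaches from a training window of authentication events, then flags later events that cross into a segment the user has never touched, weighting segments that hold critical systems more heavily. The host-to-segment map, the user names and the events are all constructed for the example.

```python
"""Added example: a minimal UEBA-style per-user segment baseline.

Learns user -> segments from a training window of constructed authentication
events, then scores later events that reach a segment outside that baseline.
Host names, segment names, users and timestamps are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed host -> functional segment map (the "segregation by role and
# functionality" the alert recommends). All names are hypothetical.
HOST_SEGMENT = {
    "ws-101": "workstations", "ws-102": "workstations",
    "print-01": "printers",
    "fs-hr-01": "hr-fileservers",
    "db-fin-01": "finance-db",
    "dc-01": "directory-services",
}
# Segments whose first-time access by a user should score highest.
CRITICAL_SEGMENTS = {"finance-db", "directory-services"}


@dataclass(frozen=True)
class AuthEvent:
    ts: int        # constructed epoch seconds
    user: str
    src: str       # source host
    dst: str       # destination host


def learn_baseline(events):
    """Return {user: set(segments)} observed during the training window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.user].add(HOST_SEGMENT.get(e.dst, "unknown"))
    return dict(baseline)


def score_event(baseline, e):
    """Return (risk, reason): 0 in baseline, 1 new segment, 2 new critical segment."""
    seg = HOST_SEGMENT.get(e.dst, "unknown")
    if seg in baseline.get(e.user, set()):
        return 0, "within baseline"
    if seg in CRITICAL_SEGMENTS:
        return 2, f"first access to critical segment {seg}"
    return 1, f"first access to segment {seg}"


def detect(baseline, events):
    """Return [(event, risk, reason)] for every event scoring above 0."""
    findings = []
    for e in events:
        risk, reason = score_event(baseline, e)
        if risk:
            findings.append((e, risk, reason))
    return findings


def lateral_movement_candidates(baseline, events, threshold=2):
    """Users that reached at least `threshold` distinct new segments in the window.

    A single new segment may be a legitimate change of duties; several in one
    window is the fan-out pattern of an intruder exploring from a foothold.
    """
    new_segments = defaultdict(set)
    for e in events:
        seg = HOST_SEGMENT.get(e.dst, "unknown")
        if seg not in baseline.get(e.user, set()):
            new_segments[e.user].add(seg)
    return sorted(u for u, segs in new_segments.items() if len(segs) >= threshold)


# Constructed training window: alice is an HR user, bob administers the DC.
TRAINING = [
    AuthEvent(1000, "alice", "ws-101", "fs-hr-01"),
    AuthEvent(1100, "alice", "ws-101", "print-01"),
    AuthEvent(1200, "bob", "ws-102", "dc-01"),
    AuthEvent(1300, "bob", "ws-102", "db-fin-01"),
]
# Constructed live window: alice's workstation starts reaching other segments.
LIVE = [
    AuthEvent(2000, "alice", "ws-101", "fs-hr-01"),
    AuthEvent(2100, "alice", "ws-101", "ws-102"),
    AuthEvent(2200, "alice", "ws-101", "db-fin-01"),
    AuthEvent(2300, "bob", "ws-102", "dc-01"),
]

if __name__ == "__main__":
    b = learn_baseline(TRAINING)
    for e, risk, reason in detect(b, LIVE):
        print(f"t={e.ts} {e.user} {e.src}->{e.dst} risk={risk}: {reason}")
    print("lateral movement candidates:", lateral_movement_candidates(b, LIVE))
```

A real product learns far richer features (time of day, protocol, device, peer group), but the defensive point is the same: the segmentation policy tells you where a user should be, and the learned baseline tells you where they usually are, so a first-time hop into a critical segment is visible even when the credentials are valid.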
- Harden Network Devices
The recommendation here is to enhance network infrastructure security and follow best practices for security configurations that better protect the integrity of network infrastructure devices: for example, disabling unnecessary services, implementing robust password policies, eliminating stale accounts, and more.
UEBA-based Behavioral Firewalls allow organizations not only to gain greater visibility into user behavior, but also to better understand the infrastructure itself, including stale privileged accounts, insecure endpoints and weak passwords. They can assign and enforce policies that govern access to all internal resources, ensuring that hackers cannot compromise such critical resources. With continuous visibility and insights, organizations can protect sensitive infrastructure elements like directory services and more easily reduce their attack surface and harden their infrastructure.
- Secure Access to Infrastructure Devices
Administrative privileges allow greater access to resources in the network than an average user has. Attackers look to exploit administrator privileges because they make it easier to move about the network, expand access and gain more control over the infrastructure. “When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them.” US-CERT recommends techniques for better implementing secure access policies for administrative and privileged access, including multi-factor authentication, privileged access management and management of administrative credentials.
The advantage of a Behavioral Firewall with UEBA is that it provides a comprehensive view of all of the privileged accounts, along with insights about each of them (who, what, where, etc.) and why a user has been assigned privileges. This makes the security team’s job much easier: with clear insights they can create or change group policies and group membership to ensure that users have the appropriate level of access, and manage administrative credentials to ensure complex passwords are enforced.
A Behavioral Firewall will also automatically respond to potentially risky behavior from administrators and privileged accounts by validating a user’s identity before allowing access. By using stronger authentication processes, such as multi-factor authentication, which uses at least two identity components to authenticate a user’s identity, an organization is more likely to thwart an exploit. For more tips on how the Preempt Behavioral Firewall can help better secure privileged accounts, check out our whitepaper on 6 Tips for Securing Privileged Accounts.
To be sure, implementing these recommendations can help reduce the impact of compromise, malicious hackers and adversaries. It can help prevent them from gaining full control of the network infrastructure and enabling further compromise of devices and data. Over time, as the perimeter continues to dissolve, organizations will need to look more to behavior-based identity to better enforce security policies and reduce risk. Advanced UEBA solutions, like the Preempt Behavioral Firewall, enable that change.
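The two pieces described in this section and under “Harden Network Devices” (an inventory of privileged accounts with the hygiene gaps the alert calls out, and an adaptive response that steps up authentication for a privileged logon that looks unusual) can be sketched in a few dozen lines. The following is an added example, not the Preempt Behavioral Firewall’s code; the group names, thresholds, account records and the “usual source hosts” feature are constructed assumptions for illustration.

```python
"""Added example: privileged-account audit plus a step-up-authentication policy.

Audits constructed account records for the gaps the alert names (stale
accounts, old passwords, no MFA) and decides how to respond to a privileged
logon from a source host the account does not normally use. Group names,
thresholds and records are constructed; this is not a vendor's logic.
"""
from dataclasses import dataclass, field

DAY = 86400
NOW = 1_700_000_000  # constructed "current time" (epoch seconds)

# Hypothetical group names that confer administrative privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Network Admins"}


@dataclass
class Account:
    name: str
    groups: frozenset
    enabled: bool
    last_logon: int        # epoch seconds
    pwd_last_set: int      # epoch seconds
    mfa_enrolled: bool
    usual_sources: frozenset = field(default_factory=frozenset)  # learned source hosts


def is_privileged(acct):
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit(accounts, stale_days=90, max_pwd_age_days=180):
    """Return {account: [issues]} for privileged accounts with hygiene gaps."""
    findings = {}
    for a in accounts:
        if not is_privileged(a):
            continue
        issues = []
        if a.enabled and NOW - a.last_logon > stale_days * DAY:
            issues.append("stale")           # enabled but unused: disable or remove
        if NOW - a.pwd_last_set > max_pwd_age_days * DAY:
            issues.append("old-password")    # rotate admin credentials
        if not a.mfa_enrolled:
            issues.append("no-mfa")          # enrol before allowing admin logon
        if issues:
            findings[a.name] = issues
    return findings


def decide(acct, src_host):
    """Adaptive response for a logon attempt by `acct` from `src_host`.

    Non-privileged accounts are outside this policy. A privileged logon from a
    usual source host is allowed; from an unfamiliar host it must pass a
    second factor, and if the account has no second factor it is blocked.
    """
    if not is_privileged(acct):
        return "allow"
    if src_host in acct.usual_sources:
        return "allow"
    return "step-up-mfa" if acct.mfa_enrolled else "block"


# Constructed directory snapshot.
ACCOUNTS = [
    Account("svc-backup", frozenset({"Domain Admins"}), True,
            NOW - 200 * DAY, NOW - 400 * DAY, False),
    Account("bob-adm", frozenset({"Domain Admins"}), True,
            NOW - 1 * DAY, NOW - 30 * DAY, True, frozenset({"paw-01"})),
    Account("alice", frozenset({"HR Users"}), True,
            NOW - 1 * DAY, NOW - 30 * DAY, False, frozenset({"ws-101"})),
]
BY_NAME = {a.name: a for a in ACCOUNTS}

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS).items():
        print(f"{name}: {', '.join(issues)}")
    for name, src in [("bob-adm", "paw-01"), ("bob-adm", "ws-101"), ("svc-backup", "ws-101")]:
        print(f"{name} from {src}: {decide(BY_NAME[name], src)}")
```

The audit is the “who, what, where” view the post describes, and `decide` is the policy-based response: valid credentials alone do not get a privileged account onto the directory server from a host it has never used before.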