Behavioral Profiling & Investigating Account Changes

April 29th, 2016 by Peter Nguyen

What Magna Saw: Investigating a Possible Compromised Account

Insider Attacks and Risky Behaviors While Shared Administrator accounts are necessary to configure systems and administer other accounts in the environment, these accounts are also the crown jewel for those seeking unauthorized access to servers on the network. This is because attackers with such access can then create any other accounts they desire, change configuration settings, corrupt data, or launch attacks on other hosts. (Reference SANS

Recently, Magna detected an account named “Administrator” that was used to login to 38 hosts on the network. This was more than a 35x increase from the learned baseline of 1.08 host logins.

Alert generated by Magna showing the behavioral change of the Administrator account (1.08 host logins vs. 38 host logins).

Alert generated by Magna showing the behavioral change of the
Administrator account (1.08 host logins vs. 38 host logins).

Upon investigation of the alert in the Magna Analyst UI, the security analyst noticed that the logins were during normal business hours. The security analyst also viewed the Suspicious Artifacts of all the hosts and did not see any other suspicious processes or executables running, like powershell. Taken together, the security analyst was less concerned of a potential compromise, but still exported the lists of logins times and hosts and confirmed with the rest of IT that the activity was legitimate which it was.

As a final step, the Security Analyst verified with the administrators that the shared account was properly protected with a secure password that was forced to reset every 30 days. After 10 minutes of investigation, the Security Analyst deemed this behavioral change as normal because of the Administrator’s job. Even better, the Security Analyst was confident that if the Administrator account was actually compromised, Magna would find the change in behavior and the Security Analyst could quickly prevent any real damage.

This is another clear example how behavioral profiling could be used to detect anomalous account usage that differs from a learned baseline that could be indicative of a compromised account. Taken together with actionable alerts that incorporate context from the network and endpoints, investigation is straightforward and can be done quickly using a single tool.

Not everything is an attack, and key to a successful detection and response paradigm is to not only being able to quickly identify behavior that requires investigation, but being provided with the data and context that makes such investigation fast and efficient.

You can see LightCyber Magna in action by watching this short video.


Leave a Reply

Your email address will not be published. Required fields are marked *