Cybersecurity Logs and UEBA Overview

Questions and Answers

Which of the following logs can help identify phishing attempts?

  • Application Level Logs
  • Biometric systems
  • Email logs (correct)
  • DNS logs

Network level IoCs refer to indicators of compromise at the application level.

False (B)

What does UEBA stand for?

User and Entity Behavior Analytics

Physical Access Control records can help identify anomalies in _____ access patterns.

physical

What action is triggered when a user/entity displays a high risk score?

Trigger alerts for investigation (D)

Match the types of logs with their primary focus:

  • DNS logs = Communication with malicious domains
  • Email logs = Details about sender and recipient
  • Database logs = Access and changes to data
  • Application Level Logs = Interactions with business applications

Excessive data transfer volumes can be considered a potential indicator of compromise.

True (A)

What are risk scores based on in UEBA?

Severity and context of observed behavior

Which type of logs provides information about user authentication?

Authentication and Authorization Logs (A)

Endpoint logs track network traffic between devices.

False (B)

What is the primary purpose of UEBA solutions?

To collect and analyze user and entity behavior data to detect anomalies.

_____ logs contain information about incoming and outgoing network traffic.

Firewall

Match the log types with their descriptions:

  • Authentication and Authorization Logs = User account activity and authentication status
  • Endpoint Logs = Activities on individual devices
  • Network Traffic Logs = Communication between devices on the network
  • VPN Logs = Information about remote access connections

Which log type would most likely show failed login attempts?

Authentication and Authorization Logs (A)

Single Sign-On (SSO) solutions are a type of endpoint log.

False (B)

What kinds of activities do network traffic logs monitor?

Communication between devices on the network.

What is the primary function of UEBA solutions?

To monitor and analyze user and entity behavior (D)

UEBA solutions are similar to HIDS/HIPS but do not require any analytics.

False (B)

UEBA solutions are integrated with EDR, XDR, SOAR, and _____ solutions.

SIEM

Match the following tasks with their descriptions:

  • User/Entity profiling = Establishing normal behavior profiles
  • Behavioral Analysis = Monitoring patterns of behavior over time
  • Network communication behaviors = Tracking data transfer and protocols used
  • File transfer patterns = Examining typical data access methods

Which of the following is a common aspect to monitor for endpoint behavior?

Patterns of file access and application usage (A)

ABE and UEBA provide the same functionalities and do not require additional analysis.

False (B)

What types of devices can UEBA solutions monitor?

Servers, laptops, applications, mobile devices, IoT devices

Which of the following is NOT a factor of authentication?

Behavior-Based Authentication (D)

Multi-Factor Authentication (MFA) strengthens security by using only one authentication factor.

False (B)

What is the primary purpose of authentication in cybersecurity?

To verify the identity of users, systems, or entities.

An example of a possession-based authentication factor is a ______.

security token

Match the following authentication methods with their descriptions:

  • Knowledge-Based Authentication = Relies on user's knowledge, such as passwords
  • Biometric Authentication = Uses physical characteristics like fingerprints
  • Multifactor Authentication = Combines two or more authentication methods
  • Behavioral Authentication = Monitors deviations in user behavior patterns

Which machine learning technique is commonly used to identify anomalies in user behavior?

Anomaly Detection Algorithms (D)

Deep Learning refers to unsupervised learning methods only.

False (B)

What does Risk-Based Authentication assess?

The risk associated with a particular login attempt.

Biometric identification includes recognition based on unique ______ characteristics.

physical

Which of the following is a technique used in UEBA?

Time-Series Analysis (C)

Which of the following is not a biometric authentication method?

Password Encryption (D)

False acceptance occurs when an unauthorized user is incorrectly authenticated.

True (A)

What is the primary concern regarding the storage and security of biometric templates?

Compliance with privacy and data protection regulations

The unique way individuals walk or move is known as __________ recognition.

gait

Match the biometric method with its primary characteristic:

  • Fingerprint Recognition = Unique patterns of ridges and valleys on fingertips
  • Facial Recognition = Distance between facial features
  • Voice Recognition = Unique characteristics like pitch and tone
  • Iris Scans = Unique patterns in the iris of the eye

What are the two main types of rates considered in biometric authentication accuracy?

False acceptance and false rejection (C)

Unsupervised learning in ML/AI approaches requires labeled datasets.

False (B)

What biometric feature is evaluated by retina scans?

Blood vessel pattern at the back of the eye

What is the primary goal of continuous authentication?

To enhance security by continuously verifying the user's identity (C)

Continuous authentication relies solely on static passwords for user verification.

False (B)

List two methods of biometric monitoring mentioned.

Facial recognition and fingerprint scanning

Continuous authentication employs _____ biometrics to analyze user behavior.

behavioral

Match the content analysis tasks with their descriptions:

  • Spam Filtering = Identify and filter out unwanted spam emails
  • Phishing Detection = Block phishing attempts by analyzing email content
  • Attachment Analysis = Scan email attachments for potential malware
  • Social Engineering Detection = Detect tactics used to manipulate users

Which of the following is NOT a key aspect monitored in continuous authentication?

Email content (B)

Deep Learning models can be used for extracting features from user interactions.

True (A)

What is one way to prevent unauthorized sharing of sensitive data in emails?

Data Loss Prevention (DLP)

The analysis of web content to block access to malicious sites is referred to as _____ filtering.

content

Which of the following describes Script and Code Analysis?

Examining scripts and code for potential threats (C)

Flashcards

What is User and Entity Behavior Analytics (UEBA)?

UEBA solutions monitor and analyze the behavior of users and entities like servers, laptops, applications, mobile devices, and IoT devices.

How is UEBA related to UBA and EDR?

UEBA is essentially combining User Behavior Analytics (UBA) with Endpoint Detection and Response (EDR).

What kind of security issues can UEBA help detect?

UEBA helps detect abnormal activities like insider threats, compromised accounts, or cyberattacks.

How does UEBA analyze behavior?

UEBA uses in-depth analytics, including AI, machine learning, and statistical analysis, to analyze behavior.

What other security tools does UEBA work well with?

UEBA is often integrated with EDR, XDR, SOAR, and SIEM solutions to provide a more comprehensive view of security events.

How does UEBA analyze user or entity behavior?

UEBA creates profiles of users and entities to establish what their typical behavior is like.

What are some of the aspects of user behavior UEBA monitors?

UEBA monitors various aspects of user activity, including login times, data access patterns, file transfers, application usage, and network communication.

What are some of the aspects of endpoint behavior UEBA monitors?

UEBA also monitors endpoint activity, including file access, application usage, system processes, network traffic, and protocol usage.

Authentication and Authorization Logs

Information about user authentication, account activity, group memberships, and changes to user attributes.

Where do Authentication and Authorization Logs come from?

Logs from Active Directory, Single Sign-On (SSO) solutions, and Identity and Access Management (IAM) systems.

What kind of information do Authentication and Authorization Logs contain?

Data like login frequencies, user access patterns, and privileged account usage.

What are Endpoint Logs?

Activities that occur on individual devices, like process execution, file access, system events, and network connections.

What are Network Traffic Logs?

Information about communication between devices on the network.

What are Firewall Logs?

Logs that record information about incoming and outgoing network traffic.

What are VPN Logs?

Logs that record information about remote access.

What are Proxy Server Logs?

Logs that record information about web traffic and internet access.

UEBA (User and Entity Behavior Analytics)

A technique that analyzes user and entity behavior patterns to detect suspicious activities. It uses logs from various sources to identify anomalies and assess the likelihood of threats.

Web Traffic Logs

Logs recording details of websites visited, URLs accessed, and browsing activity. This data helps identify unusual browsing patterns.

DNS Logs

Logs that capture network communications related to Domain Name System (DNS) requests. Analyzing these logs can reveal suspicious communication with malicious domains.

Email Logs

Logs recording details of email communication, such as sender and recipient information, timestamps, and attachments. They help identify phishing attempts, spam, and suspicious attachments.

Database Logs

Logs recording database activities, including access attempts, queries, and data modifications. These logs are valuable for identifying unauthorized access, data manipulation, or data exfiltration.

Business-Critical Application Logs

Logs generated by business-critical applications, such as financial systems or customer relationship management (CRM) platforms. They track interactions, transactions, and application-specific events, helping identify anomalies in user activity and business processes.

Physical Access Control Records

Logs recording physical access events like swiping access cards or using biometric authentication. Analyzing these logs helps identify unusual access patterns.

Biometric System Logs

Logs created by biometric systems such as fingerprint scanners or facial recognition tools. These logs provide additional context about user interactions.

Fingerprint Recognition

Unique patterns on your fingertips used for authentication.

Voice Recognition

Unique characteristics of your voice (pitch, tone) used for identification.

Retina Scan

Pattern of blood vessels at the back of your eye used for verification.

Hand Geometry

Measures the physical structure of your hand (finger length and width).

False Acceptance

Authenticating an unauthorized user: accepting someone who should have been rejected.

False Rejection

Rejecting an authorized user. Blocking someone who should be allowed.

Biometric Template

The digital representation of your biometric data.

Continuous Authentication

Verification that happens throughout an entire interaction with a system.

Unsupervised Machine Learning

A type of machine learning where the algorithm learns patterns from unlabeled data. It helps identify anomalies or outliers that deviate from typical behavior.

Clustering Algorithms

These algorithms group users or entities with similar behavior together. It helps pinpoint individuals with unusual activities.

Autoencoders

A type of neural network used to reconstruct input data. Deviations between the original and reconstructed data reveal anomalies.

Anomaly Detection Algorithms

These algorithms identify unusual patterns or outliers. They help identify individuals or entities that don't conform to typical behavior.

Classification Algorithms

Algorithms that train on labeled data to classify behavior as either normal or potentially malicious.

Deep Learning (RNNs)

A type of machine learning that involves complex neural networks used for analyzing sequential data. They help capture patterns and dependencies in user actions over time.

Time-Series Analysis

Examining data over time to spot trends, seasonal patterns or cycles, and to forecast future behavior.

NLP Techniques

Techniques used to analyze user activities involving text data, such as email or chat messages. They help identify unusual text patterns, sentiments, and language usage.

Bayesian Network for Risk Scoring

Provides a score representing the risk of a particular user or entity. It takes into account various factors like their history, behavior, and current actions.

Feature Engineering

Creating or transforming input features to improve model performance. In UEBA it is often applied as dimensionality reduction, i.e. reducing the number of features in the dataset so it is more efficient to analyze.

What is continuous authentication?

Continuous authentication is a security technique that continuously monitors and verifies a user's identity throughout their session, adapting security levels in real-time based on their behavior.

When is continuous authentication useful?

It's used in situations where the risk of unauthorized access changes frequently or where dynamic security measures are necessary. For example, banking apps constantly monitoring your location and device to detect suspicious activity.

How does continuous authentication work?

Continuous authentication involves analyzing user behavior, activities, and interactions with the system or application in real-time.

How does risk assessment work in continuous authentication?

Risk assessment is dynamic in continuous authentication because it continuously analyzes user behavior, including the access context (where they are accessing from), device used, location, and typical patterns, to determine the level of risk.

What are adaptive security levels in continuous authentication?

Adaptive security levels mean that the system can adjust its security measures based on the risk level detected. For instance, if suspicious behavior is detected, the user might be prompted to provide additional authentication factors like a password or a one-time code.

How are behavioral biometrics used in continuous authentication?

Behavioral biometrics analyzes user behavior patterns, like keystroke dynamics, mouse movements, typing patterns, and touch screen interactions, to create a unique profile.

What is device context in continuous authentication?

Device context considers factors like the type of device being used, its location, and the network being used to establish a baseline and detect unusual activities.

How is biometric monitoring used in continuous authentication?

Biometric monitoring re-authenticates users using biometric methods like facial recognition or fingerprint scanning to add an extra layer of security. It's like a second check to ensure the user is who they claim to be.

What is content analysis in cybersecurity?

Content analysis examines various forms of digital content, like text, images, audio, and video, to detect and respond to security threats.

How is content analysis used in email security?

Content analysis in email security helps identify and mitigate potential security threats within email content. It uses various methods like NLP and ML to analyze the text, links, and attachments in emails.

Study Notes

CYB. Defensive AI (part 4)

  • This is part 4 of a Master's in Artificial Intelligence course focusing on defensive AI.
  • The course is offered by ESEI University of Vigo for the 2024/25 academic year.

AI/ML in User Behavior, Authentication, and Content Analysis

  • This section discusses AI/ML applications in cybersecurity, particularly regarding user behavior, authentication, and content analysis.

UEBA: User and Entity Behavior Analytics

  • UEBA solutions monitor and analyze user and entity behavior across various devices (servers, laptops, applications, mobile devices, IoT).
  • UEBA combines User Behavior Analytics (UBA) and Endpoint Detection and Response (EDR).
  • UEBA identifies abnormal or potentially malicious activities (insider threats, compromised accounts, cyberattacks).
  • UEBA utilizes in-depth analytics (AI/ML/statistical analysis) and is often integrated with other security solutions (EDR, XDR, SOAR, SIEM).
  • Integration provides a comprehensive view of security events and allows for correlation with other security data.
  • Examples include Gurucul UEBA, Exabeam Platform, and UBA in Rapid7 InsightIDR.

Typical UEBA Subtasks

  • (a) Behavioral Analysis:

    • User/Entity profiling: Creates normal/typical behavior profiles from historical data and identifies anomalies that may lead to security incidents (unauthorized access, account compromise).
    • Monitoring/measuring aspects: Monitors login times/locations, data access patterns, file transfers, application usage, frequency of interactions, and typical work hours. Also includes endpoint patterns like file access, application usage, system processes, network traffic, and data transfer destinations.
  • (b) Data Collection:

    • Sources include authentication and authorization logs from Active Directory, single sign-on (SSO) solutions, and identity and access management (IAM) systems, providing information on user access patterns, login frequencies, privileged account usage, roles, and permissions.
    • Logs from these sources are used to detect suspicious behavior such as failed login attempts and unusual access patterns.
    • Endpoint logs capture activities like process executions, file access, system events, and network connections.
  • (c) Risk Scoring:

    • Assigns risk scores to users/entities based on observed behavior (security events and anomalies) and context.
    • Risk scores correlate with the severity and context of the observed behavior; high scores trigger alerts for prioritized investigation.
  • (d) Incident Response:

    • UEBA solutions generate alerts and/or isolation actions when anomalies are detected, providing context for the detected incidents and facilitating further forensic analysis.

Commonly Employed ML and AI Techniques in UEBA

  • Unsupervised ML:

    • Clustering algorithms group users/entities based on similar behavior.
    • Autoencoders detect anomalies by measuring reconstruction error.
    • Anomaly detection algorithms identify outliers or unusual patterns (e.g., Isolation Forests, One-Class SVM).
  • Supervised ML:

    • Classification algorithms classify behavior as normal or malicious based on labeled data.
    • Deep learning (RNNs) capture complex patterns and dependencies in sequential data.
  • Other:

    • Time-series analysis detects trends, seasonal patterns, and forecasts.
    • NLP techniques analyze text data for pattern detection, sentiment analysis, and language usage.
    • Other: Bayesian networks for risk scoring, feature engineering for dimensionality reduction.
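The subtasks (a) to (d) and the statistical end of the technique list above can be shown end to end. The following is an added example, not code from the course or from any of the products named; it runs a toy UEBA pipeline over constructed authentication log lines (the users, hosts, log format, weights and thresholds are all assumptions). It builds a per-user profile of login hour, session volume and known locations from a baseline window, then scores an observation window with a plain z-score anomaly test (a stand-in for the clustering, autoencoder or Isolation Forest methods listed), weights each anomaly type by severity, and raises an alert above a threshold:

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline window: four ordinary working days for two users.
# Line format: <ISO timestamp> <user> <event> <location> <MB transferred>
BASELINE_LOG = """\
2025-03-03T08:02:11 alice LOGIN_SUCCESS office 120
2025-03-04T09:10:45 alice LOGIN_SUCCESS office 150
2025-03-05T08:15:03 alice LOGIN_SUCCESS office 130
2025-03-06T09:01:59 alice LOGIN_SUCCESS office 140
2025-03-03T09:12:00 bob LOGIN_SUCCESS office 50
2025-03-04T10:05:33 bob LOGIN_SUCCESS office 60
2025-03-05T09:44:21 bob LOGIN_SUCCESS office 55
2025-03-06T10:20:08 bob LOGIN_SUCCESS office 65
"""
# Constructed observation window: alice at 03:00 from an unknown location with
# an outsized transfer; bob only fumbles his password before a normal session.
WINDOW_LOG = """\
2025-03-07T03:12:41 alice LOGIN_SUCCESS vpn-exit-unknown 2000
2025-03-07T09:00:02 bob LOGIN_FAILURE office 0
2025-03-07T09:00:09 bob LOGIN_FAILURE office 0
2025-03-07T09:00:15 bob LOGIN_FAILURE office 0
2025-03-07T09:00:31 bob LOGIN_SUCCESS office 58
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    location: str
    mb_out: float

# Per-user baseline: typical login hour, typical session volume, known locations.
Profile = namedtuple("Profile", "hour_mean hour_std mb_mean mb_std locations")

MIN_STD = 1.0  # floor so a perfectly regular baseline never divides by zero
# (c) Severity weights (assumed): exfiltration-like volume outranks an odd hour;
# an entity with no baseline at all is treated as suspicious in its own right.
WEIGHTS = {"excessive_transfer": 40, "unusual_hour": 30, "new_location": 25,
           "failed_login_burst": 20, "no_baseline": 50}

def parse_log(text):
    """(b) Data collection: parse the constructed log format into events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, kind, loc, mb = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, kind, loc, float(mb)))
    return events

def build_profiles(events):
    """(a) Profiling: per-user typical login hour, session volume and locations."""
    by_user = defaultdict(list)
    for e in events:
        if e.kind == "LOGIN_SUCCESS":
            by_user[e.user].append(e)
    profiles = {}
    for user, evs in by_user.items():
        hours = [e.ts.hour for e in evs]
        mbs = [e.mb_out for e in evs]
        profiles[user] = Profile(mean(hours), max(pstdev(hours), MIN_STD),
                                 mean(mbs), max(pstdev(mbs), MIN_STD),
                                 frozenset(e.location for e in evs))
    return profiles

def score_user(profile, events, hour_z=2.0, mb_z=3.0, fail_limit=3):
    """(c) Risk scoring: every anomaly type seen in the window adds its weight."""
    reasons = set()
    if profile is None:
        reasons.add("no_baseline")
    if sum(1 for e in events if e.kind == "LOGIN_FAILURE") >= fail_limit:
        reasons.add("failed_login_burst")
    for e in events:
        if e.kind != "LOGIN_SUCCESS" or profile is None:
            continue
        if abs(e.ts.hour - profile.hour_mean) / profile.hour_std > hour_z:
            reasons.add("unusual_hour")
        if e.location not in profile.locations:
            reasons.add("new_location")
        if (e.mb_out - profile.mb_mean) / profile.mb_std > mb_z:
            reasons.add("excessive_transfer")
    reasons = sorted(reasons)
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons

def evaluate(baseline_text, window_text, alert_threshold=70):
    """(d) Incident response: score each user in the window, alert above threshold."""
    profiles = build_profiles(parse_log(baseline_text))
    window = defaultdict(list)
    for e in parse_log(window_text):
        window[e.user].append(e)
    results = {}
    for user, evs in window.items():
        score, reasons = score_user(profiles.get(user), evs)
        results[user] = {"score": score, "reasons": reasons, "alert": score >= alert_threshold}
    return results
```

`evaluate(BASELINE_LOG, WINDOW_LOG)` returns a dict keyed by user: alice's 03:00 login from an unknown location with an outsized transfer scores 95 and alerts, while bob's three failed logins before a normal session score 20 and only raise his risk for context. A user absent from the baseline is scored as suspicious rather than silently skipped, which is the edge case a freshly created account or newly enrolled device would hit.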

Authentication in Cybersecurity

  • Goal: Verify the identity of users, systems, or entities attempting to access resources or services, ensuring only authorized individuals/entities gain access to sensitive information.
  • Authentication Factors:
    • Knowledge-Based: Information the user knows (passwords, PINs, security questions).
    • Possession-Based: Something physical or virtual the user possesses (security tokens, mobile devices).
    • Biometric-Based: Unique biological and/or behavioral characteristics (fingerprints, iris patterns, facial/voice recognition).
  • Multi-Factor Authentication (MFA) combines two or more authentication factors for enhanced security.
  • Single Sign-On (SSO) and Session Management: Enables single login access to multiple applications or systems.
  • Password Policies: Set requirements for password length, complexity, and regular changes, including password storage best practices.
  • Authentication Protocols: Standard methods for secure authentication.
  • Account Lockout and Brute Force Protection: Implement account lockout mechanisms and protection against brute force attacks.
  • Risk-Based Authentication: Assigns risk scores based on user behavior patterns (location, time of day, device used) for additional security measures if needed.
  • Behavioral Authentication: Establishes a baseline for user behavior and detects deviations to trigger additional authentication checks.
  • Continuous Authentication: Ongoing verification of user's identity throughout a session or interaction.

Biometric Authentication

  • Verifies identity based on unique physical or behavioral characteristics.
  • Methods Include: Fingerprints, Facial recognition, Iris scans, Voice recognition, Hand geometry, Retina scans, Vein recognition, Ear shape recognition, Gait recognition.
  • Tools (examples): LexisNexis BehavioSec, Mitek ID R&D.

Practical Aspects and Considerations

  • Accuracy (false acceptance/rejection rates).
  • Robustness against physical changes and spoofing.
  • User acceptance of non-intrusive mechanisms.
  • Template storage and security.
  • Deployment costs and scalability.
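The accuracy item above can be made concrete with the two rates the notes name. The following is an added example, not from the course; the similarity scores are constructed values standing in for a hypothetical matcher's output. It computes the false acceptance rate (impostors accepted) and false rejection rate (genuine users rejected) at a decision threshold, finds the equal error rate where the two cross, and shows what a security-first tuning (FAR capped at zero) costs in rejected legitimate users:

```python
# Constructed similarity scores (0 = no match, 1 = perfect match) from a
# hypothetical matcher: genuine = user vs own template, impostor = user vs
# someone else's template. Not real measurements.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.87]
IMPOSTOR_SCORES = [0.21, 0.35, 0.48, 0.62, 0.30, 0.55, 0.73, 0.40, 0.27, 0.51]

def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when scores >= threshold are accepted.
    FAR: fraction of impostor attempts wrongly accepted (security failure).
    FRR: fraction of genuine attempts wrongly rejected (usability failure)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr

def thresholds(steps=100):
    """Candidate decision thresholds 0.00, 0.01, ..., 1.00."""
    return [i / steps for i in range(steps + 1)]

def equal_error_rate(genuine, impostor, steps=100):
    """Threshold where FAR and FRR are closest, and the rate there (the EER)."""
    best_t, best_gap, best_rate = None, None, None
    for t in thresholds(steps):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (far + frr) / 2
    return best_t, best_rate

def threshold_for_max_far(genuine, impostor, max_far, steps=100):
    """Lowest threshold whose FAR does not exceed max_far (security-first tuning).
    Returns (threshold, the FRR paid for it)."""
    for t in thresholds(steps):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0  # only reached if an impostor scores a perfect 1.0
```

Lowering the threshold improves user acceptance but raises FAR; the EER is the usual single-number comparison between biometric methods, while a deployment more often fixes the FAR it can tolerate and then measures the FRR its users must live with. With these constructed scores the EER sits at a threshold of 0.70 (both rates 10%), and forcing FAR to zero moves the threshold to 0.74 at the cost of a 10% FRR.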

ML/AI Approaches in Biometric Authentication

  • Supervised Learning: Trained on labeled datasets (biometric features paired with known identities).
  • Unsupervised Learning: Clusters similar biometric patterns without prior knowledge of identities.
  • Other approaches: Semi-Supervised Learning, Ensemble Learning, Transfer Learning.

Continuous Authentication

  • Goal: Enhance security by continuously monitoring and verifying the user's identity.
  • Useful in dynamic scenarios (changes in risk of unauthorized access).
  • Involves real-time monitoring of user behavior and activities.
  • Dynamic Risk Assessment: Continuously assess the risk associated with user behavior (e.g., context of access, device, location, standard patterns).
  • Adaptive Security Levels: Apply adaptive security measures in case of suspicious activities, prompting the user for additional authentication factors.

Key Aspects to Monitor

  • Behavioral Biometrics: Analyzing keystroke dynamics, mouse movements, typing patterns, touchscreen interactions.
  • Device Context: Evaluating the device used, its location, network being used, and establishing a baseline for normal behavior to identify suspicious activities.
  • Biometric Monitoring: Employing biometric re-authentication (e.g., facial or fingerprint recognition) to provide an additional layer of security.

Content Analysis

  • Examines various forms of digital content to identify security threats.
  • Content Analysis in Mail Security:
    • Spam Filtering
    • Phishing Detection
    • Attachment Analysis (scans for malware/malicious content).
    • Social Engineering Detection (identifies social engineering tactics).
    • Data Loss Prevention (DLP) (prevents unauthorized sharing of sensitive data).
  • Content Analysis in Web Security:
    • Content Filtering
    • URL Categorization
    • Content Reputation Analysis
    • Ad and Tracker Blocking
    • Script and Code Analysis
    • Web Application Firewall (WAF)
