Cybersecurity Logs and UEBA Overview
51 Questions

Questions and Answers

Which of the following logs can help identify phishing attempts?

  • Application Level Logs
  • Biometric systems
  • Email logs (correct)
  • DNS logs

Network level IoCs refer to indicators of compromise at the application level.

False

What does UEBA stand for?

User and Entity Behavior Analytics

Physical Access Control records can help identify anomalies in _____ access patterns.

physical

What action is triggered when a user/entity displays a high risk score?

Trigger alerts for investigation

Match the types of logs with their primary focus:

  • DNS logs = Communication with malicious domains
  • Email logs = Details about sender and recipient
  • Database logs = Access and changes to data
  • Application Level Logs = Interactions with business applications

Excessive data transfer volumes can be considered a potential indicator of compromise.

True

What are risk scores based on in UEBA?

Severity and context of observed behavior

Which type of logs provides information about user authentication?

Authentication and Authorization Logs

Endpoint logs track network traffic between devices.

False

What is the primary purpose of UEBA solutions?

To collect and analyze user and entity behavior data to detect anomalies.

_____ logs contain information about incoming and outgoing network traffic.

Firewall

Match the log types with their descriptions:

  • Authentication and Authorization Logs = User account activity and authentication status
  • Endpoint Logs = Activities on individual devices
  • Network Traffic Logs = Communication between devices on the network
  • VPN Logs = Information about remote access connections

Which log type would most likely show failed login attempts?

Authentication and Authorization Logs

Single Sign-On (SSO) solutions are a type of endpoint log.

False

What kinds of activities do network traffic logs monitor?

Communication between devices on the network.

What is the primary function of UEBA solutions?

To monitor and analyze user and entity behavior

UEBAs are similar to HIDS/HIPS but do not require any analytics.

False

UEBAs are integrated with EDR, XDR, SOAR, and _____ solutions.

SIEM

Match the following tasks with their descriptions:

  • User/Entity profiling = Establishing normal behavior profiles
  • Behavioral Analysis = Monitoring patterns of behavior over time
  • Network communication behaviors = Tracking data transfer and protocols used
  • File transfer patterns = Examining typical data access methods

Which of the following is a common aspect to monitor for endpoint behavior?

Patterns of file access and application usage

ABE and UEBA provide the same functionalities and do not require additional analysis.

False

What types of devices can UEBA solutions monitor?

Servers, laptops, applications, mobile devices, IoT devices

Which of the following is NOT a factor of authentication?

Behavior-Based Authentication

Multi-Factor Authentication (MFA) strengthens security by using only one authentication factor.

False

What is the primary purpose of authentication in cybersecurity?

To verify the identity of users, systems, or entities.

An example of a possession-based authentication factor is a ______.

security token

Match the following authentication methods with their descriptions:

  • Knowledge-Based Authentication = Relies on the user's knowledge, such as passwords
  • Biometric Authentication = Uses physical characteristics like fingerprints
  • Multifactor Authentication = Combines two or more authentication methods
  • Behavioral Authentication = Monitors deviations in user behavior patterns

Which machine learning technique is commonly used to identify anomalies in user behavior?

Anomaly Detection Algorithms

Deep Learning refers to unsupervised learning methods only.

False

What does Risk-Based Authentication assess?

The risk associated with a particular login attempt.

Biometric identification includes recognition based on unique ______ characteristics.

physical

Which of the following is a technique used in UEBA?

Time-Series Analysis

Which of the following is not a biometric authentication method?

Password Encryption

False acceptance occurs when an unauthorized user is incorrectly authenticated.

True

What is the primary concern regarding the storage and security of biometric templates?

Compliance with privacy and data protection regulations

The unique way individuals walk or move is known as __________ recognition.

gait

Match the biometric method with its primary characteristic:

  • Fingerprint Recognition = Unique patterns of ridges and valleys on fingertips
  • Facial Recognition = Distance between facial features
  • Voice Recognition = Unique characteristics like pitch and tone
  • Iris Scans = Unique patterns in the iris of the eye

What are the two main types of rates considered in biometric authentication accuracy?

False acceptance and False rejection

Unsupervised learning in ML/AI approaches requires labeled datasets.

False

What biometric feature is evaluated by retina scans?

Blood vessel pattern at the back of the eye

What is the primary goal of continuous authentication?

To enhance security by continuously verifying the user's identity

Continuous authentication relies solely on static passwords for user verification.

False

List two methods of biometric monitoring mentioned.

Facial recognition and fingerprint scanning

Continuous authentication employs _____ biometrics to analyze user behavior.

behavioral

Match the content analysis tasks with their descriptions:

  • Spam Filtering = Identify and filter out unwanted spam emails
  • Phishing Detection = Block phishing attempts by analyzing email content
  • Attachment Analysis = Scan email attachments for potential malware
  • Social Engineering Detection = Detect tactics used to manipulate users

Which of the following is NOT a key aspect monitored in continuous authentication?

Email content

Deep Learning models can be used for extracting features from user interactions.

True

What is one way to prevent unauthorized sharing of sensitive data in emails?

Data Loss Prevention (DLP)

The analysis of web content to block access to malicious sites is referred to as _____ filtering.

content

Which of the following describes Script and Code Analysis?

Examining scripts and code for potential threats

    Study Notes

    CYB. Defensive AI (part 4)

    • This is part 4 of a Master's in Artificial Intelligence course focusing on defensive AI.
    • The course is offered by ESEI University of Vigo for the 2024/25 academic year.

    AI/ML in User Behavior, Authentication, and Content Analysis

    • This section discusses AI/ML applications in cybersecurity, particularly regarding user behavior, authentication, and content analysis.

    UEBA: User and Entity Behavior Analytics

    • UEBA solutions monitor and analyze user and entity behavior across various devices (servers, laptops, applications, mobile devices, IoT).
    • UEBA combines User Behavior Analytics (UBA) and Endpoint Detection and Response (EDR).
    • UEBA identifies abnormal or potentially malicious activities (insider threats, compromised accounts, cyberattacks).
    • UEBA relies on in-depth analytics (AI/ML/statistical analysis) and is often integrated with other security solutions (EDR, XDR, SOAR, SIEM).
    • Integration provides a comprehensive view of security events and allows correlation with other security data.
    • Examples include Gurucul UEBA, the Exabeam Platform, and UBA in Rapid7 InsightIDR.

    Typical UEBA Subtasks

    • (a) Behavioral Analysis:
      • User/Entity profiling: builds normal/typical behavior profiles from historical data and flags anomalies that may indicate security incidents (unauthorized access, account compromise).
      • Monitored aspects: login times/locations, data access patterns, file transfers, application usage, frequency of interactions, and typical work hours; on endpoints, also file access, application usage, system processes, network traffic, and data transfer destinations.
    • (b) Data Collection:
      • Sources include authentication and authorization logs, Active Directory logs, single sign-on (SSO) solutions, and identity and access management (IAM) systems, which provide information on user access patterns, login frequencies, privileged account usage, roles, and permissions.
      • Logs from these sources are used to detect suspicious behavior such as failed login attempts and unusual access patterns.
      • Endpoint logs capture activities such as process executions, file access, system events, and network connections.
    • (c) Risk Scoring:
      • Assigns risk scores to users/entities based on observed behavior (security events and anomalies) and context.
      • The score reflects the severity and context of the observed behavior; a high score triggers alerts for prioritized investigation.
    • (d) Incident Response:
      • UEBA solutions generate alerts and/or isolation actions when anomalies are detected, providing context for the detected incidents and facilitating further forensic analysis.
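    As an added illustration of the four subtasks above (example code written for these notes, not from the course or from any of the named products), a minimal UEBA pipeline in Python over constructed authentication log lines: it profiles each user's usual login hours and source countries, scores new events by severity and context, accumulates a per-user risk score and raises an alert once it crosses a threshold. The log format, the score weights and the threshold are assumptions.

```python
from collections import defaultdict
import re
# Constructed sample auth log lines (not real data): "<ISO timestamp> <user> <country> <result>".
HISTORY = """\
2025-01-06T09:02 alice ES success
2025-01-06T09:15 alice ES success
2025-01-07T17:40 alice ES success
2025-01-06T10:05 bob ES success
"""
NEW_EVENTS = """\
2025-01-08T09:10 alice ES success
2025-01-08T03:12 alice RU failure
2025-01-08T03:13 alice RU failure
2025-01-08T03:14 alice RU failure
2025-01-08T03:20 alice RU success
2025-01-08T10:00 bob ES success
"""
LINE = re.compile(r"\S+T(\d\d):\d\d (\S+) (\S+) (success|failure)$")

def parse(text):
    """(b) Data collection: turn raw lines into (user, hour, country, result)."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            hour, user, country, result = m.groups()
            yield user, int(hour), country, result

def build_profiles(history):
    """(a) Profiling: usual login hours and source countries per user."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, hour, country, result in parse(history):
        if result == "success":           # only successful logins shape the baseline
            profiles[user]["hours"].add(hour)
            profiles[user]["countries"].add(country)
    return profiles

def score_event(profile, hour, country, result, recent_failures):
    """(c) Risk scoring: anomaly severity weighted by context (assumed weights)."""
    score = 30 if country not in profile["countries"] else 0   # unseen country
    score += 10 if hour not in profile["hours"] else 0          # unusual hour
    if result == "failure":
        score += 10                                             # failed login
    elif recent_failures >= 3:
        score += 40                      # success right after a burst of failures
    return score

def analyze(history, events, threshold=80):
    """(d) Alerting: accumulate per-user risk and alert once it crosses threshold."""
    profiles, risk, fails, alerts = build_profiles(history), defaultdict(int), defaultdict(int), []
    for user, hour, country, result in parse(events):
        risk[user] += score_event(profiles[user], hour, country, result, fails[user])
        fails[user] = fails[user] + 1 if result == "failure" else 0
        if risk[user] >= threshold and user not in alerts:
            alerts.append(user)
    return dict(risk), alerts
```

    With the constructed data, alice's night-time burst of failures from an unseen country followed by a success pushes her score to 230 and raises the alert, while bob's routine login scores 0.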

    Commonly Employed ML and AI Techniques in UEBA

    • Unsupervised ML:
      • Clustering algorithms group users/entities with similar behavior.
      • Autoencoders detect anomalies by measuring reconstruction error.
      • Anomaly detection algorithms identify outliers or unusual patterns (e.g., Isolation Forests, One-Class SVM).
    • Supervised ML:
      • Classification algorithms label behavior as normal or malicious based on labeled data.
      • Deep learning (RNNs) captures complex patterns and dependencies in sequential data.
    • Other:
      • Time-series analysis detects trends and seasonal patterns and produces forecasts.
      • NLP techniques analyze text data for pattern detection, sentiment analysis, and language usage.
      • Bayesian networks for risk scoring; feature engineering for dimensionality reduction.

    Authentication in Cybersecurity

    • Goal: Verify the identity of users, systems, or entities attempting to access resources or services, ensuring only authorized individuals/entities gain access to sensitive information.
    • Authentication Factors:
      • Knowledge-Based: Information the user knows (passwords, PINs, security questions).
      • Possession-Based: Something physical or virtual the user possesses (security tokens, mobile devices).
      • Biometric-Based: Unique biological and/or behavioral characteristics (fingerprints, iris patterns, facial/voice recognition).
    • Multi-Factor Authentication (MFA) combines two or more authentication factors for enhanced security.
    • Single Sign-On (SSO) and Session Management: Enables single login access to multiple applications or systems.
    • Password Policies: Set requirements for password length, complexity, and regular changes, including password storage best practices.
    • Authentication Protocols: Standard methods for secure authentication.
    • Account Lockout and Brute Force Protection: Implement account lockout mechanisms and protection against brute force attacks.
    • Risk-Based Authentication: Assigns risk scores based on user behavior patterns (location, time of day, device used) for additional security measures if needed.
    • Behavioral Authentication: Establishes a baseline for user behavior and detects deviations to trigger additional authentication checks.
    • Continuous Authentication: Ongoing verification of user's identity throughout a session or interaction.

    Biometric Authentication

    • Verifies identity based on unique physical or behavioral characteristics.
    • Methods Include: Fingerprints, Facial recognition, Iris scans, Voice recognition, Hand geometry, Retina scans, Vein recognition, Ear shape recognition, Gait recognition.
    • Tools: Examples: LexisNexis BehavioSec, Mitek ID R&D.

    Practical Aspects and Considerations

    • Accuracy (false acceptance/rejection rates).
    • Robustness against physical changes and spoofing.
    • User acceptance of non-intrusive mechanisms.
    • Template storage and security.
    • Deployment costs and scalability.

    ML/AI Approaches in Biometric Authentication

    • Supervised Learning: Trained on labeled datasets (biometric features paired with known identities).
    • Unsupervised Learning: Clusters similar biometric patterns without prior knowledge of identities.
    • Other approaches: Semi-Supervised Learning, Ensemble Learning, Transfer Learning.

    Continuous Authentication

    • Goal: Enhance security by continuously monitoring and verifying the user's identity.
    • Useful in dynamic scenarios (changes in risk of unauthorized access).
    • Involves real-time monitoring of user behaviour and activities.
    • Dynamic Risk Assessment: Continuously assess risk associated with user behaviour (e.g., context of access, device, location, standard patterns).
    • Adaptive Security Levels: Apply adaptive security measures in case of suspicious activities, prompting the user for additional authentication factors.

    Key Aspects to Monitor

    • Behavioral Biometrics: Analyzing keystroke dynamics, mouse movements, typing patterns, touchscreen interactions.
    • Device Context: Evaluating the device used, its location, network being used, and establishing a baseline for normal behavior to identify suspicious activities.
    • Biometric Monitoring: Employing biometric re-authentication (e.g., facial or fingerprint recognition) to provide an additional layer of security.

    Content Analysis

    • Examines various forms of digital content to identify security threats.
    • Content Analysis in Mail Security:
      • Spam Filtering
      • Phishing Detection
      • Attachment Analysis (scans for malware/malicious content).
      • Social Engineering Detection (identifies social engineering tactics).
      • Data Loss Prevention (DLP) (prevents unauthorized sharing of sensitive data).
    • Content Analysis in Web Security:
      • Content Filtering
      • URL Categorization
      • Content Reputation Analysis
      • Ad and Tracker Blocking
      • Script and Code Analysis
      • Web Application Firewall (WAF)


    Description

    Test your knowledge on cybersecurity logs, indicators of compromise, and User and Entity Behavior Analytics (UEBA). This quiz covers log types, their purposes, and anomaly detection techniques. Improve your understanding of how logs are utilized to identify security threats.
