AI Security

Using AI to Detect Privilege Credential Abuse

Vectra can identify the abuse of stolen privilege credentials in both network and cloud environments.

Understanding How Attackers Use Privilege Credentials

Attackers use privilege credentials to move laterally and execute other tactics in the network and cloud.

Attackers leverage privileged credentials to move within networks and clouds, exploiting weak security controls and application vulnerabilities. Defenders can proactively monitor for malicious activities, track attackers, and implement preventative measures to secure privileged accounts and configurations.

When attackers get their hands on privileged credentials, they can access a wide range of network and cloud resources without using malware or triggering alarms. While enforcing strict privilege levels can help, recent attacks have shown that it's still a major challenge.

To address the problem of stolen credential abuse, it's important to detect when abuse is happening. However, this is not easy because attackers can blend in by using legitimate permissions and actions that are not necessarily new or suspicious. Simply relying on new or unusual activity alerts won't be effective in these dynamic environments.

To effectively identify and combat credential abuse, a security-led approach is needed. This approach considers the specific actions an attacker aims to accomplish with stolen credentials. By understanding their objectives, we can better detect and prevent abuse of privileged credentials.

Detecting Privilege Credentials Abuse

Vectra can identify the abuse of stolen privilege credentials in both network and cloud environments. Core to this security-led detection approach is an understanding of what attackers do with stolen credentials. The value of privileged credentials to an attacker is the ability to access services and functionality regarded as high value and privileged in the environment.

Vectra’s security researchers observed that if you knew the actual privilege of every account, host, service, and cloud operation, you would have a map of every high-value resource in the environment. Granted privilege is a well-established concept, but it only gives an upper bound: what an account is permitted to do, which is usually far more than the minimum it actually needs. Instead, Vectra’s security research and data science teams chose to represent the value of systems in an environment based on what is observed over time. This dynamic, ground-truth view of value is called observed privilege. Because it is derived from data rather than from configured entitlements, it gives an effective zero-trust view of credential use without manual configuration.

Observed privilege is a zero-trust view of the normal privilege a user needs to do their job. Use of privilege beyond what is normally necessary warrants additional scrutiny.

Redefining Privilege Assessment Through Access Pattern Analysis

Vectra’s AI calculates observed privilege from the historic interactions between the tracked entities, not from the privilege an IT admin has granted. The breadth and specificity of access and usage heavily contribute to the score. A system that accesses several systems which are also commonly accessed by many others will have a low privilege score, whereas a system that accesses a high number of systems that few or no others access will have a high privilege score. This lets Vectra differentiate between domain admin accounts and normal user accounts without being told which is which.

Vectra learns observed privilege levels based on user behavior. An account that accesses a lot of common services has lower privilege than one that accesses services few others access.

Once observed privilege scores have been calculated, all the interactions between accounts, services, hosts, and cloud operations are mapped to understand the normal historical interactions between systems. Then, a suite of unsupervised learning algorithms that consider the privilege scores identify anomalous cases of privilege abuse, where custom anomaly detection algorithms and implementations of Hierarchical Density-Based Spatial Clustering of Applications with Noise (HDBSCAN) are used.

Vectra applies unsupervised learning that considers observed privilege and the interactions between accounts, hosts, services and cloud operations in order to find credential abuse.
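The following is an added example, not Vectra’s code, showing one way to turn the two ideas above into working logic: a rarity-weighted observed-privilege score computed from constructed (account, service) access records, and a check that flags an account using privilege well beyond its historical profile. The scoring rule (log of the inverse share of accounts that use a service, summed over the services an account touches), the threshold, and the sample data are all assumptions for illustration; the HDBSCAN clustering the page describes is replaced here by a simple per-observation jump test.

```python
"""Toy observed-privilege scoring and a privilege-jump check.

Added example, not Vectra's implementation. The rarity formula, the
threshold and the sample records are assumptions chosen to illustrate
the concept of observed privilege.
"""
from collections import defaultdict
import math

# Constructed sample: (account, service) interactions seen during a baseline period.
BASELINE = [
    ("alice", "mail"), ("alice", "wiki"), ("alice", "fileshare"),
    ("bob", "mail"), ("bob", "wiki"), ("bob", "fileshare"),
    ("carol", "mail"), ("carol", "wiki"),
    ("dave", "mail"), ("dave", "wiki"),
    ("svc-backup", "fileshare"), ("svc-backup", "db-prod"),
    ("admin-ops", "mail"), ("admin-ops", "dc01-admin"),
    ("admin-ops", "db-prod"), ("admin-ops", "hypervisor-mgmt"),
]


def service_rarity(records):
    """Per-service privilege score: log(total accounts / accounts that use it).

    A service everyone touches (mail) scores near 0; a service only one
    account touches (dc01-admin) scores log(N), the maximum.
    """
    users = defaultdict(set)
    accounts = set()
    for acct, svc in records:
        users[svc].add(acct)
        accounts.add(acct)
    n = len(accounts)
    return {svc: math.log(n / len(u)) for svc, u in users.items()}


def observed_privilege(records):
    """Per-account score: sum of rarity scores of the services it accessed.

    Breadth (many services) and specificity (rare services) both raise it,
    so a domain-admin-like account ranks above a typical user without any
    directory or IAM configuration being consulted.
    """
    rarity = service_rarity(records)
    seen = defaultdict(set)
    for acct, svc in records:
        seen[acct].add(svc)
    return {acct: sum(rarity[s] for s in svcs) for acct, svcs in seen.items()}


def privilege_jump(records, acct, svc, margin=0.5):
    """Flag a new (account, service) observation as a privilege jump.

    Returns (is_anomalous, detail). Anomalous when the account has never
    used the service and the service's rarity score exceeds the account's
    historical observed privilege by more than `margin` (an assumed value).
    """
    rarity = service_rarity(records)
    scores = observed_privilege(records)
    history = {s for a, s in records if a == acct}
    if svc in history:
        return False, "previously observed"
    # A service never seen in the baseline gets the maximum rarity score.
    svc_score = rarity.get(svc, math.log(len(scores)))
    acct_score = scores.get(acct, 0.0)
    anomalous = svc_score > acct_score + margin
    return anomalous, f"service={svc_score:.2f} account={acct_score:.2f}"


if __name__ == "__main__":
    for acct, score in sorted(observed_privilege(BASELINE).items(), key=lambda kv: -kv[1]):
        print(f"{acct:12s} observed privilege {score:.2f}")
    # carol (a low-privilege user) suddenly reaching a domain-controller admin service
    print("carol -> dc01-admin:", privilege_jump(BASELINE, "carol", "dc01-admin"))
    # admin-ops touching a common fileshare is unremarkable given its profile
    print("admin-ops -> fileshare:", privilege_jump(BASELINE, "admin-ops", "fileshare"))
```

Note what the jump test does not do: it never fires on activity that is merely new if the target is a commonly used service, which is the point the page makes about "new or unusual" alerts being noisy. Only a low-privilege account reaching a high-privilege (rarely accessed) service trips it.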

The result of this security-led approach is the ability to identify stolen credentials that are abused in both the cloud and in on-premises networks. The observed privilege metric focuses the detection on the anomalous actions that matter and enables both higher precision and recall than an approach that ignores this critical perspective.