Since the early days of Vectra, we’ve been focused primarily on host devices. After all, hosts are the entities that generate the network traffic the Cognito platform analyses in looking for attacker behaviors.
Hosts are also the entities that attackers want to own and use during the attack and will require remediation. It makes sense to attribute attacker behavior detections to the hosts they emanate from and therefore to view the world from this perspective.
Now, we are expanding our view to make room for accounts with the introduction this month of Vectra Privileged Access Analytics (PAA).
Why we built PAA
Once inside a network, attackers perform reconnaissance to map out the structure of the environment and what systems are present. They also escalate their privileges to gain greater access. Obtaining privileged credentials is often a key part of the attacker’s strategy and journey towards high-value targets on the network.
Putting ourselves in the attacker’s shoes has led to many insights that have paved the way for new technologies at Vectra. In thinking about how to best address accounts within Cognito, our security research team utilized the attacker’s perspective to focus on what matters as well as how much access and privilege an account, host or service has in the environment.
What is PAA?
Vectra PAA brings an account and privilege orientation to the Cognito platform. The foundation of PAA is a patent-pending technology that observes, infers and understands the privilege of accounts, hosts and services as they interact on the network.
These privilege levels are published as enhancements to the metadata visible in Cognito Stream and Cognito Recall, which empowers security analysts and threat hunters to investigate by leveraging queries and filters on an entity’s privilege level.
PAA privilege levels form the basis for a suite of new detection models that only look at the interactions of accounts, hosts and services of higher privilege. These are entities that capture the interest of attackers. Because of the narrower focus on privileged entities, there is room for deeper scrutiny of their behavior.
The results are high-fidelity detections of attacker behaviors involving admin and service accounts and the hosts that they use to engage in unusual and potentially malicious behavior. This is exactly what security teams should spend their time investigating.
PAA also brings with it one of the most significant changes to the Cognito UI in several years: The addition of an account-based view. Accounts that are associated with detections are given threat and certainty scores that are displayed on a two-axis chart, similar to the treatment of hosts.
Each tracked account also gets its own page that details associated detections and contextual details. The observed privilege levels of accounts, hosts and services are also visible in the Cognito UI to help analysts navigate this new view and detections.
How it works
Fundamentally, PAA cares about observed privilege. This is a different concept from the granted privilege that many in the security community are familiar with.
Observed privilege is determined by how an account or host is used on the network, which services it interacts with, and how many others interact with them. Granted privilege is based on the access rights given to the groups that an account is in with the directory server.
An account, like a domain admin, for example, may have rights to access any system within the entire network.
However, it probably is not normally utilized for doing that. Therefore, its observed privilege might be lower than that of a service account that can load and execute arbitrary code onto thousands of systems on the network. Both of those credentials would be rather appealing to an attacker. But the service account will have a much higher observed privilege.
How it’s different
UBA and other legacy approaches to account-based analytics treat all accounts equally, resulting in massive volumes of detections that are difficult for security analysts to parse through. And prevention-oriented approaches like privileged access management rely on the enforcement of policies.
The observational approach used by Cognito PAA focuses on privileged entities and provides detection capabilities that highlight malicious behaviors where preventive measures fall short.
Whether driven by an insider or an external actor, observed privilege is indispensable as an additional critical point to establishing and understanding a baseline of behaviors. The admin with medium observed privilege that starts to access unusual high-privilege services will set off alarm bells in PAA. In a granted-privilege universe, this activity would be authorized.
Cognito PAA is a fundamentally different way to look at threat behaviors during the active phases of the attack. It is now available and working on behalf of all existing Vectra customers and evaluators. If you’re ready to change your approach to monitoring and protecting your privileged entities, get in touch with us.
Jacob Sendowski, Ph.D., is the director of product management at Vectra. Before joining Vectra, he was CEO and co-founder at Souper Products LLC and was a product manager at Intel Security prior to that. He received a undergraduate in electrical engineering from University of California, San Diego as well as a graduate in electrical engineering and doctorate in electrical engineering from the California Institute of Technology.