Privilege Anomaly: Unusual Service - Insider

Triggers

  • An account with a low privilege score is used from a host that has a low privilege score to access a service which has a substantially higher privilege score
  • The threat score is driven by the privilege scores of the three entities (account, host and service) when the service privilege is high; for medium privilege services being accessed from low privileged hosts and accounts, the threat score is driven by the degree of mismatch in the privilege scores
  • The certainty score is driven by the observed stability of the account, host and service clusters, by the number of entities in each relationship (e.g. the number of services the account has been observed to access), and by how abnormal the service is compared to the services typically used with the account and the host; for medium privilege services being accessed from low privileged hosts and accounts, the certainty score is driven by the number of anomalous transactions observed
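The trigger above combines three privilege scores (account, host, service) and then weights threat and certainty differently depending on whether the service is high or medium privilege. The following Python is an added illustration of that decision structure, not the vendor's scoring algorithm: the 1-10 scale, the low/medium/high bands, the mismatch threshold and every weight are constructed assumptions, and the account/host/service names and baselines are made-up sample data.

```python
"""Illustrative model of the 'Unusual Service - Insider' trigger logic.

All thresholds and weights below are assumptions for this example, not the
product's real algorithm. Privilege scores are assumed to be integers 1-10.
"""
from dataclasses import dataclass, field

LOW_MAX = 3        # assumed: scores 1-3 are "low" privilege
MEDIUM_MAX = 6     # assumed: 4-6 are "medium", 7-10 are "high"
MIN_MISMATCH = 3   # assumed: service must exceed the higher of account/host by this much


def band(score: int) -> str:
    """Map a privilege score onto the low/medium/high bands used by the trigger."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


@dataclass
class Observation:
    """One account-from-host-to-service relationship plus the learned baselines."""
    account: str
    host: str
    service: str
    account_priv: int
    host_priv: int
    service_priv: int
    account_services: frozenset = field(default_factory=frozenset)  # services the account normally uses
    host_services: frozenset = field(default_factory=frozenset)     # services the host normally reaches
    anomalous_count: int = 1  # how many times this unusual triple has been seen


def evaluate(obs: Observation) -> dict:
    """Return whether the trigger fires and illustrative threat/certainty (0-100)."""
    baseline = max(obs.account_priv, obs.host_priv)
    mismatch = obs.service_priv - baseline
    triggered = (
        band(obs.account_priv) == "low"
        and band(obs.host_priv) == "low"
        and mismatch >= MIN_MISMATCH
    )
    if not triggered:
        return {"triggered": False, "threat": 0, "certainty": 0}

    if band(obs.service_priv) == "high":
        # High-privilege service: threat driven by all three privilege scores.
        threat = obs.service_priv * 8 + (LOW_MAX - obs.account_priv) * 3 + (LOW_MAX - obs.host_priv) * 3
        # Certainty driven by how novel the service is for the account and the host,
        # plus a small bonus for a richer (more stable) baseline of known relationships.
        certainty = 20
        certainty += 35 if obs.service not in obs.account_services else 0
        certainty += 35 if obs.service not in obs.host_services else 0
        certainty += min(10, len(obs.account_services))
    else:
        # Medium-privilege service: threat driven by the degree of mismatch,
        # certainty by the number of anomalous transactions observed.
        threat = mismatch * 12
        certainty = obs.anomalous_count * 20

    return {"triggered": True, "threat": min(100, threat), "certainty": min(100, certainty)}


# Constructed sample: a low-privilege user on a low-privilege workstation reaching a DB admin service.
SAMPLE = Observation(
    account="jsmith", host="WS-0421", service="DB-ADMIN",
    account_priv=2, host_priv=2, service_priv=9,
    account_services=frozenset({"MAIL", "WEB"}),
    host_services=frozenset({"MAIL", "WEB", "PRINT"}),
)

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

In a real triage the interesting field is the mismatch itself: a score of 9 for the service and 2 for both the account and the host is the pattern the trigger describes, whereas the same service reached by an account already scored as high privilege does not fire at all.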

Possible Root Causes

  • The host is under the control of an attacker and the account on the host is being used to connect to one or more higher privileged services
  • The account is under the control of an attacker and is being used from multiple hosts to connect to one or more higher privileged services
  • A new admin has been hired; because both the account used by the admin and the machine assigned to the admin are new, both have low privilege scores. When the admin then begins to perform legitimate work, detections are triggered until the privilege scores of the admin’s account and host are raised based on observed activity
  • A new service is being rolled out; it was initially used only by higher privileged admin accounts (and was thus considered to be a high privilege service) but was then released for use by a broader set of lower privileged accounts
  • A rarely used service is generally accessed by higher privileged accounts but is technically also available to lower privileged accounts, and it is accessed by one such low privileged account

Business Impact

  • Lateral movement within a network involving privileged accounts, hosts or services exposes an organization to substantial risk of data acquisition and exfiltration
  • Unexplained unusual patterns of use of privileged accounts, hosts and services are involved in almost all major breaches
  • Attacks carried out by rogue insiders will often exhibit unusual patterns of use as well
  • The accounts and hosts used and the services accessed provide a possible perspective on the potential business impact

Steps to Verify

  • Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host and account since if the host is compromised, the account must be considered to be compromised as well
  • Carefully inquire into whether the owner of the host in question should be using the specified accounts to access the listed services
  • Verify that the host from which authentication is attempted is not a shared resource as this could mean that the attacker is using it as a pivot point
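The verification steps above amount to pulling every service-ticket event for the account and host in question, listing the services they reached, checking whether the account shows up from other hosts, and checking whether other accounts show up on the same host (a shared resource). The Python below is an added example that does exactly that over a handful of constructed Kerberos-style log lines; the line format, field names, hostnames, addresses and SPNs are all made up for the example and do not reproduce any real server's log layout.

```python
"""Triage helper for the 'Steps to Verify' list: summarise Kerberos service-ticket
activity for one account and one host.

The log format below is a constructed, simplified key=value layout, not the
actual format of any Kerberos or Active Directory server. Field names and
sample values are assumptions for this example.
"""
import re
from collections import defaultdict

# Constructed sample lines: one malformed line is included to show it is skipped.
SAMPLE_LOG = """\
2024-05-02T09:12:03Z EventID=4769 Account=jsmith@CORP.LOCAL Service=cifs/fileshare01.corp.local ClientAddress=10.0.5.21
2024-05-02T09:14:41Z EventID=4769 Account=jsmith@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 ClientAddress=10.0.5.21
2024-05-02T09:15:07Z EventID=4769 Account=mwong@CORP.LOCAL Service=HTTP/intranet.corp.local ClientAddress=10.0.5.21
this line is not a ticket event and must be ignored
2024-05-02T11:02:19Z EventID=4769 Account=jsmith@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 ClientAddress=10.0.9.40
2024-05-02T11:30:55Z EventID=4769 Account=jsmith@CORP.LOCAL Service=ldap/dc01.corp.local ClientAddress=10.0.5.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) Account=(?P<account>\S+) "
    r"Service=(?P<service>\S+) ClientAddress=(?P<host>\S+)$"
)


def parse_events(text: str) -> list:
    """Parse service-ticket (EventID 4769) lines; unrecognised lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("event") == "4769":
            events.append(m.groupdict())
    return events


def triage(events: list, account: str, host: str) -> dict:
    """Build the view a reviewer wants for one account/host pair."""
    services_from_pair = set()        # what this account reached from this host
    hosts_for_account = set()         # every host the account was used from
    accounts_on_host = set()          # every account seen on this host
    per_service_count = defaultdict(int)

    for ev in events:
        if ev["account"] == account:
            hosts_for_account.add(ev["host"])
        if ev["host"] == host:
            accounts_on_host.add(ev["account"])
        if ev["account"] == account and ev["host"] == host:
            services_from_pair.add(ev["service"])
            per_service_count[ev["service"]] += 1

    return {
        "services": sorted(services_from_pair),
        "service_counts": dict(per_service_count),
        "other_hosts_for_account": sorted(hosts_for_account - {host}),
        # More than one distinct account on the host suggests a shared resource
        # (or an attacker using it as a pivot point), so it deserves a closer look.
        "host_is_shared": len(accounts_on_host) > 1,
        "accounts_on_host": sorted(accounts_on_host),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(triage(evs, "jsmith@CORP.LOCAL", "10.0.5.21"))
```

Run against real exports you would replace `SAMPLE_LOG` with the relevant events and compare the `services` list with what the host owner says they actually use; `other_hosts_for_account` and `host_is_shared` map directly onto the second and third verification bullets.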