Posted in Incident Response

How to Use ObserveIT ITM for Proactive Threat Hunting


TL;DR: This post walks through how security analysts can use ObserveIT’s new cloud-based Insider Threat Management Platform for proactive threat hunting.

In case you missed it, Proofpoint recently announced the next generation of our ObserveIT Insider Threat Management (ITM) Platform on top of our new cloud-based architecture. With unique context on the insider and their activity, proactive threat hunters can identify and investigate potential incidents.

Historically, threat hunting focused on technical indicators of compromise by external parties found in network and endpoint logs, and it is usually a manual process. Insider threat indicators are very different. An insider has no need to break into the network or compromise an endpoint for credentials: they already know where the key data is and how to get access to it. As a result, threat hunting around insiders is challenging. It focuses on suspicious behavior that flouts security policies but hasn’t yet caused major damage to the company.

ObserveIT ITM addresses these challenges by focusing on insider threat indicators. Based on research with the CERT Institute at Carnegie Mellon and on NITTF and NIST standards, these cover:

  • Data exfiltration
  • Accidental data movement
  • Privilege abuse
  • Application and server misuse
  • Unauthorized endpoint activity
  • Anomalous system access

Let’s walk through how threat hunting teams use our platform:

  • Exploration cards: As threat hunters, we start by reviewing exploration cards of activity tailored to the user’s environment. Usually this is a mix of our crowdsourced explorations and saved searches. In this screenshot, we’ve highlighted a few cards. We’re particularly interested in the top-left card named ‘All File Related Activities’. As more teams work from home, we expect heightened usage of cloud apps, which can hide some bad behavior. Let’s explore.
  Screenshot: Explorations Overview
  • Powerful filter & search: The next hurdle is to narrow the thousands of activities behind each card down to just the ones you need to dig deeper. ObserveIT simplifies this by building on the well-known, open-source Elasticsearch search engine for fast search and easy filter setup. Through the filters shown here, we’ve focused on software downloads to understand whether users are downloading unsanctioned applications.

  • Intelligent groupings: Beyond search and filtering, intelligent groupings of the activities let us dive deeper with a single click. In the screenshot below, on the left-hand side, activities are grouped by user, hostname and URL domain, since we’re looking into software downloads from websites. We’re specifically interested in the username ‘antonio.l’ based on his user risk profile: he’s on an HR performance improvement plan and has shown irregular behavior.

  • Context to insider threat alerts: In the above screenshot we see alerts related to his file downloads. As an organization, we are protective of GitHub usage outside of our corporate GitHub accounts. User ‘antonio.l’ is downloading files from GitHub using the web GUI. We know he’s a developer from our Active Directory integration, so we don’t expect him to need to download GitHub files through a web browser. The context around the alert indicates he’s downloading web hacking tools, which is certainly anomalous. Let’s dive deeper.
  • Timeline of user activity: We want to understand his activity beyond Github to figure out what he did with these hacking tools. We do this by jumping into the timeline of user ‘antonio.l’ at the timestamp of this recent Github activity. We see that this anomalous activity is just the last of a string of suspicious software downloads. These include applications such as unsanctioned network traffic analysers, VPN solutions and bitcoin mining code. The user has also spent significant time on cryptocurrency research over the same period. What we see gives us enough concern to broach this evidence with HR counterparts and start a conversation with ‘antonio.l’.
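To make the point concrete that single activities are low-signal while their combination is not, here is an added Python example (not ObserveIT code and not its data model) that groups constructed activity records by user or domain, builds one user’s timeline, and derives the distinct indicator categories the walkthrough names, escalating only when several of them appear together. The sample records, the sanctioned-domain allow-list, the tool keyword tags and the threshold of three distinct indicators are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample activity records (not real telemetry, not ObserveIT's schema):
# (timestamp, user, host, URL domain, action, detail)
EVENTS = [
    ("2020-04-06T09:02:00", "antonio.l", "dev-lt-07", "wireshark.org", "download", "Wireshark-win64.exe"),
    ("2020-04-06T10:15:00", "antonio.l", "dev-lt-07", "coinmarketcap.com", "browse", "crypto prices"),
    ("2020-04-07T14:20:00", "antonio.l", "dev-lt-07", "protonvpn.com", "download", "ProtonVPN_installer.exe"),
    ("2020-04-08T11:05:00", "antonio.l", "dev-lt-07", "github.com", "download", "xmrig-master.zip"),
    ("2020-04-09T16:40:00", "antonio.l", "dev-lt-07", "github.com", "download", "webhack-toolkit.zip"),
    ("2020-04-09T09:00:00", "maria.k", "fin-ws-12", "github.com", "download", "release-notes.pdf"),
    ("2020-04-09T09:30:00", "maria.k", "fin-ws-12", "sharepoint.com", "browse", "budget.xlsx"),
]
SANCTIONED_DOWNLOAD_DOMAINS = {"sharepoint.com", "microsoft.com"}  # assumed allow-list
# Assumed keyword tags for the tooling categories the walkthrough calls out.
TOOL_TAGS = {"wireshark": "network_analyser", "vpn": "vpn", "xmrig": "crypto_miner", "webhack": "hacking_tool"}
CRYPTO_DOMAINS = {"coinmarketcap.com"}  # assumed: sites counted as cryptocurrency research

def group_activities(events, action, field):
    """Mirror the grouping panel: count events of one action type by user, host or domain."""
    idx = {"user": 1, "host": 2, "domain": 3}[field]
    return Counter(e[idx] for e in events if e[4] == action)

def user_timeline(events, user):
    """All of one user's events in time order, the starting point for context review."""
    return sorted((e for e in events if e[1] == user), key=lambda e: datetime.fromisoformat(e[0]))

def context_flags(timeline):
    """Reduce a timeline to the set of distinct insider-threat indicators it exhibits."""
    flags = set()
    for _ts, _user, _host, domain, action, detail in timeline:
        if action == "download" and domain not in SANCTIONED_DOWNLOAD_DOMAINS:
            flags.add("unsanctioned_download")
        if action == "download" and domain == "github.com":
            flags.add("github_via_browser")  # developers are expected to use git, not the web GUI
        if domain in CRYPTO_DOMAINS:
            flags.add("crypto_research")
        for tag, category in TOOL_TAGS.items():
            if tag in detail.lower():
                flags.add("tool:" + category)
    return flags

def should_escalate(flags, threshold=3):
    """No single indicator escalates on its own; a cluster of distinct ones does."""
    return len(flags) >= threshold
```

Running `should_escalate(context_flags(user_timeline(EVENTS, "antonio.l")))` returns True because seven distinct indicators line up, while the same check for ‘maria.k’ (two indicators) and for antonio.l’s first event alone (two indicators) returns False.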

Context is the foundation of protecting against insider threats

As you can see, no single activity by itself rises to the level of an insider threat. However, taken together within a broader context, the example above is clearly a malicious attempt to exfiltrate a sensitive corporate file. ObserveIT provides this complete context to help SOC analysts tell the difference between the good, the bad, and the ugly.

Want to learn more about context-based user risk management? Get a demo today!