BSides London 2021

Saturday, November 13, 2021

Credential attack recon detection: How current UEBA & NID tooling fail and how to reduce false positives

Organisations throw money at the latest user and entity behaviour analytics (UEBA) and network intrusion defence (NID) tooling, but these tools still allow credential attacks and other reconnaissance activities to slip through undetected.

This talk will demonstrate what UEBA/NID tooling traditionally flags, and several ways it can be improved to detect and stop near-certain indicators of malicious and unauthorised recon activity, principally around credential compromise.

The attack signatures described will not only significantly reduce the likelihood of network and application compromise, but will also reduce false positives and improve detection and attack prevention earlier in the cyber kill chain. This is all based on research into the methodology of recent successful credential attacks, and into the capabilities of current UEBA/NID tooling, which fails to detect these key signatures at the recon stage of an attack.

The presentation will cover the following areas with examples included:

1) An overview of why current network defences are easy to evade; research into some major network defence tooling showing which recon flags go undetected; and how network defence tools can be configured to detect recon activity and credential attacks.

2) What UEBA and traditional network defence tools filter, and how they may detect a credential/recon attack.

3) A walkthrough of recon attack signatures that give a high indication of malicious activity and which are not currently built into existing threat detection tooling.