Detecting Lateral Movement Using Splunk User Behavior Analytics

Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.

One of the most challenging aspects of running an effective Security Operations Center is how to account for the high volume of notable events that ultimately do not present a risk to the business. Some examples of non-risky notable events include a user forgetting their password and submitting it erroneously multiple times in a row, or a user accessing a system (for a completely valid reason) at an odd hour outside of their normal behavior. This can create a lot of notable events that need review by a limited security staff already struggling to handle a high volume of potential threats.

Simultaneously, your team is faced with the more concerning matter of detecting, investigating and responding to advanced, unknown threats that pose a real risk to the business. These typically consist of insider threats, advanced persistent threats (APTs), and any other threats where it would be impossible to build a rule for them, simply because advanced attackers are constantly changing their tactics and procedures.

Enter Splunk User Behavior Analytics (UBA)

Splunk User Behavior Analytics (UBA) uses unsupervised machine learning to profile each identity and asset’s “normal” behavior, and then looks for any unusual behavior patterns across users and devices - beyond anything humans could have designed rules for. It’s searching for true unknowns, because it’s impossible to build rules that monitor across thousands of actions that a bad actor can take in their attempt to obtain and abuse user credentials.

To ensure analysts are able to focus on the most critical threats that pose the greatest risk to the organization, once Splunk UBA has identified anomalies, it uses machine learning models to take a second pass to look for unusual behavioral patterns in the captured anomalies that indicate a high fidelity threat.

Lateral Movement Use Cases

Lateral movement consists of techniques that adversaries use to move across a compromised network after initial access. After exploring the targeted network, adversaries will move across compromised networks until they find and obtain access to valuable resources.

This can be seen in several ways: one of the most common use cases is the extraction of credentials or tokens from compromised systems and then using them to access peer systems, databases, file or email servers, cloud environments, file and more. For example, an intruder gains initial access to a system administrator workstation, uses Mimikatz to extract credentials, and then proceeds to access file servers, email servers, and user workstations. Such access usually comes with other post-exploitation actions such as data exfiltration, entrenchment or ransomware in some cases.

Detecting lateral movement can be very challenging. In the scenario above, even a trained analyst may see the events generated by an administrator accessing resources across the network, even during off hours, can be perfectly normal (i.e performing upgrades after work hours).  This is where Splunk UBA can be effective at detecting malicious activity. 

Lateral Movement Detection

The Splunk UBA lateral movement model provides a comprehensive framework for detecting lateral movement through the integration of advanced graph computation, sequence analysis, and various anomaly detection algorithms through multiple stages. 

At Stage 1, the model collects 30 days (configurable) of internal activity data from various data sources, such as active directory logs, firewall, endpoint and other sources. It also captures high-scored anomalies, users including those from customer-defined watchlists, and devices that are critical to the environment or that have high privileges. 

At Stage 2, the model analyzes various user behaviors that are related to lateral activities. These activities include: 

• Suspicious entities (users, devices, and applications) that indicate abnormal behaviors such as users with local/domain admin credentials who perform tasks like shadow copy; devices or applications that execute tasks not seen before. 
• Suspicious applications and processes that are denylisted by both Splunk UBA or customers. 
• Rare events, devices or processes that are statistically determined among peer groups. 
• Privilege elevation anomalies that indicate new assigned privilege levels detected. 
• User enumeration anomalies that indicate a user trying to identify names of other users and their passwords. 
• Network enumeration anomalies that indicate a user trying to scan a network through a wide range or specific sequence of ports.
• Security violation events that are detected due to various violation behaviors, such as a user-violated Enterprise Security GPO (group policy objects) or have login failures with unusual return codes or logging messages.
• Suspicious security practices are detected due to suspicious behaviors like adding or deleting other user accounts frequently from security enabled/disabled groups deviating from normal behavior patterns among peer groups. 
• Abnormal ratios that are systematically detected from an abnormally large number of process-creation activities or a higher number of login failures derived from the user's own baseline behavior pattern or peer groups. 
   

At next Stage, Indicators of Compromise (IOCs) were detected and ordered in time sequences. These IOCs represent specific tasks that an attacker needs to complete in a specific phase of an attack. In addition, our detection model considers the peer group aligned behavioral patterns so some of the frequently correlated events associated with the peer group will be removed at this stage to reduce false positives. 

In the following stages, the Splunk UBA detection model correlates all IOCs, anomalies, and security rules, and then assesses the risk by scoring threats across days. The anomalies were generated by different detection models that cover abnormal network behaviors (expanding access, unusual network communication), abnormal user behaviors (e.g. unusual amount of logins/login failures and unusual activity time), and unusual events (e.g. suspicious powershell activities, suspicious privilege escalations).

With the integration of security rules, the Splunk UBA model is able to detect a wide range of Windows events and processes, which involve many techniques, tools and procedures (TTP) as outlined in the MITRE ATT&CK Matrix. Some typical examples of these TTPs include Remote Services (T1021), Use Alternate Authentication Material (T1550) and Lateral Tool Transfer (T1570). 

In Splunk UBA 5.3, significant enhancements were made to further improve the detection capabilities of the model. 15 new types of Windows events were enhanced by new security rules, as shown below.

The above events were chosen from field feedback and threat research, present in many Red and Purple Team exercises with customers. Some of them are directly associated with the use of specific credential access tools like Mimikatz or kerberoasting attacks.

To reduce false positives, the Splunk UBA model in 5.3 integrates new security rules that can enhance the detection of anomalies. New security configurations, such as Deny/Allow List, have been updated to accommodate the upgraded operating systems. UBA also enables users to update their own Deny/Allow List according to their specific requirements and preferences, ensuring a customized security solution.

This Splunk UBA screenshot illustrates a typical lateral movement scenario involving an identified intruder named Charles Arbanak. The timeline spans from April 6, 2023, to May 1, 2023, with a total duration of 25 days. Lateral movement progresses through five steps, each following a specific sequence to accomplish its objective.

At the first step, a suspicious process is observed across multiple users over several days. This event is considered rare as it is not observed among other peers. These events generate an anomaly categorized as "Period with Unusual Windows Security Event Sequences."

After a few days, the UBA model detects an event with a security violation return code. Worth mentioning, intruders typically exhibit slow actions during the early stages of lateral movement.

Subsequently, probing activities and privilege escalation activities are detected in the third and fourth steps, respectively. A regular user cannot traverse an organization with their assigned privileges, so the intruder must escalate their privileges to expand their reach.

Once the intruder successfully acquires additional access privileges, multiple actions were taken on May 1, 2023. As the intruder's login pattern and device access differ from their peers, unusual Windows events are detected by the peer group-based security rules in the fifth step (enhanced in Splunk UBA 5.3). The UI also displays all 50 devices associated with each step of lateral movement.

Splunk UBA also offers analysts the ability to view Threat Relationships, enabling them to retrieve all the devices that have been affected by a specific user. By examining the relationships between the target account/user and the devices, analysts can gain insights into the types of triggered anomalies that were detected when the target user accessed those devices. This feature allows users to understand the security implications and potential risks associated with the user-device interactions within their environment.

The Threat Anomalies Timeline provides an alternative perspective on the progression of each step in a lateral movement scenario. For instance, the figure below illustrates the actions taken by the identified intruder (compromised Charles Arbanak account) over a span of time. It reveals that the compromised account initiated activity on April 23 by exploring the network system. After several days, his second move involved attempting to gain additional privileges for accessing resources. Within a brief timeframe, during the third move, the compromised account became more active and engaged in a series of suspicious activities, carrying out abnormal Windows operations that were derived from his peer groups. This timeline offers valuable insights into the evolving nature of the threat and its associated anomalies at each step.

To gain a comprehensive understanding of the actions performed by intruders, the Indicators of Compromise feature provides a detailed account of all the abnormal activities observed within the system. It highlights the specific violations committed by the user that contributed to the detection of potential threats. 

The Anomalous Activity Summary (shown in the image below) provides users with detailed information about each anomalous or suspicious event, offering insights into the source and target accounts, devices, origin device, process, return codes, services, and event descriptions extracted from system logs. This comprehensive overview allows users to delve deeper into the specifics of each event and better understand potential security issues.

Splunk UBA also assists users in pinpointing the Device Location of suspicious events and providing risk levels assigned to each event. This allows users to prioritize their investigations based on the severity of the risk associated with each event. By leveraging these scored risk levels, users can focus their attention on the most critical areas of concern within their environment.

As seen in the screenshot above, the compromised user Charles Arbanak has been observed in a period of “unusual Windows security event sequences” in which the models compare the user’s own baseline (0.26) against 13 new and unusual events detected. This may indicate account compromise, takeover or lateral movement from another account. 

Putting It All Together (Splunk Enterprise Security + Splunk UBA)

The detected lateral movement threats can be sent to Splunk Enterprise Security, and visualized along with other notables as seen in the screenshot below. As seen in the screenshot, we can visualize the new lateral movement threats as notables in the Incident Review panel to take advantage of Splunk UBA and Splunk Enterprise Security interoperability to create further investigations. 

The Investigation panel can show a list of all the notable events generated from UBA. And from here, we can manage and proceed with our review of events. 

Conclusion

Splunk UBA provides advanced insider threat detection using machine learning to help organizations find unknown threats and anomalous user behavior across users, devices and applications. The Splunk UBA lateral movement model provides a comprehensive ML empowered framework to detect various techniques, tools and procedures that enable attackers to access and control systems within your organization. 

To learn more about Splunk UBA, we encourage you to visit the Splunk UBA product webpage, take a tour, and our latest Splunk UBA 5.3 documents.

References

• Splunk UBA Models Overview
• Active Directory Lateral Movement
• Administer Splunk User Behavior Analytics
• https://attack.mitre.org/tactics/TA0008/

This blog was co-authored by Rod Soto.