Top 10 Workstation User Behavior Anomalies in Cybersecurity

Very often, when we at DEF.HUB receive new requests for workstation monitoring in terms of cybersecurity, we are faced with questions about the minimum security hygiene controls that can be implemented for user machines.

Of course, there are such monumental standards as the CIS Controls, NIST and OWASP, which help to build a roadmap for implementing security controls, including the area of user protection. Here we would like to share our top ten basic, simple but important checks for detecting anomalies in user behavior, which will allow you to quickly minimize some of the risks even in organizations where, for example, there is no Security Operations Center.

  • Suspicious activity outside of business hours — login attempts, connections to corporate resources, or launching applications at night or on weekends may indicate that the account has been compromised. Especially if the off-hours activity follows a regular cadence: for example, connection attempts for a specific user account appear every hour.

    Such connections can be detected in the Windows event log by logon timestamps, if your workstations run Windows and are joined to a domain. For remote employee connections, look at the VPN server's events for successful and unsuccessful connections.

  • Multiple failed login attempts — frequent unsuccessful attempts to log in from one IP address or account may indicate that an attacker is brute-forcing passwords.

    All systems should have a limit on the number of unsuccessful login attempts configured; once it is exceeded, depending on the criticality of the account, the account (or another attribute associated with the brute force, such as the IP address) should be blocked temporarily or permanently until the circumstances are clarified. The anomaly shows up as an increase in the number of authentication failure events in any system.

    By the way, if you deploy a VPS in the cloud, uninvited guests will start knocking on it and trying to guess your login and password within just 5-10 minutes.
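A worked example for the two anomalies above (off-hours logons with a regular cadence, and failed-logon bursts from one source), added here and not part of the original post. It runs over a constructed sample in the shape of Windows Security log records; event IDs 4624 (successful logon) and 4625 (failed logon) are the real ones, while the business-hours window, the 5-minute jitter tolerance and the threshold of 5 failures in 5 minutes are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample in the shape of Windows Security log records
# (event ID 4624 = successful logon, 4625 = failed logon). Not real data.
SAMPLE_EVENTS = [
    # Saturday night: one logon every hour for the same account
    {"time": "2024-03-09T01:00:00", "id": 4624, "user": "j.doe", "src": "10.0.0.55"},
    {"time": "2024-03-09T02:00:00", "id": 4624, "user": "j.doe", "src": "10.0.0.55"},
    {"time": "2024-03-09T03:00:00", "id": 4624, "user": "j.doe", "src": "10.0.0.55"},
    {"time": "2024-03-09T04:00:00", "id": 4624, "user": "j.doe", "src": "10.0.0.55"},
    # Monday: ordinary working-day activity, one typo and one late-evening logon
    {"time": "2024-03-11T09:04:00", "id": 4625, "user": "a.smith", "src": "10.0.0.21"},
    {"time": "2024-03-11T09:05:00", "id": 4624, "user": "a.smith", "src": "10.0.0.21"},
    {"time": "2024-03-11T14:30:00", "id": 4624, "user": "a.smith", "src": "10.0.0.21"},
    {"time": "2024-03-11T20:15:00", "id": 4624, "user": "a.smith", "src": "10.0.0.21"},
    # Monday: six failures in under three minutes from one external address
    {"time": "2024-03-11T11:00:10", "id": 4625, "user": "svc_backup", "src": "203.0.113.9"},
    {"time": "2024-03-11T11:00:40", "id": 4625, "user": "svc_backup", "src": "203.0.113.9"},
    {"time": "2024-03-11T11:01:10", "id": 4625, "user": "svc_backup", "src": "203.0.113.9"},
    {"time": "2024-03-11T11:01:40", "id": 4625, "user": "svc_backup", "src": "203.0.113.9"},
    {"time": "2024-03-11T11:02:10", "id": 4625, "user": "svc_backup", "src": "203.0.113.9"},
    {"time": "2024-03-11T11:02:40", "id": 4625, "user": "svc_backup", "src": "203.0.113.9"},
]


def parse(events):
    """Convert ISO timestamps into datetime objects; other fields are kept as-is."""
    return [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]


def off_hours(events, start=time(8, 0), end=time(19, 0)):
    """Successful logons on weekends or outside [start, end) on weekdays (window is an assumption)."""
    out = []
    for e in events:
        if e["id"] != 4624:
            continue
        t = e["time"]
        if t.weekday() >= 5 or not (start <= t.time() < end):
            out.append(e)
    return out


def regular_cadence(events, min_count=3, max_jitter=timedelta(minutes=5)):
    """Accounts whose events repeat at a near-constant interval (machine-like timing).

    Returns {user: mean_interval_seconds} for every user with at least `min_count`
    events whose gaps differ from each other by no more than `max_jitter`.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["time"])
    found = {}
    for user, times in by_user.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            found[user] = sum(g.total_seconds() for g in gaps) / len(gaps)
    return found


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(source IP, account) pairs with >= threshold failures inside a sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_key[(e["src"], e["user"])].append(e["time"])
    alerts = []
    for (src, user), times in by_key.items():
        times.sort()
        left, peak = 0, 0
        for right in range(len(times)):
            while times[right] - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts.append({"src": src, "user": user, "failures_in_window": peak})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    late = off_hours(evs)
    print(f"{len(late)} off-hours logons")
    for user, secs in regular_cadence(late).items():
        print(f"ALERT: {user} logs on every {secs / 60:.0f} min outside business hours")
    for a in failed_logon_bursts(evs):
        print(f"ALERT: {a['failures_in_window']} failed logons for {a['user']} from {a['src']}")
```

The cadence check is what separates a single late-working employee (one off-hours logon) from the hourly pattern the post describes; on the sample, only the Saturday-night account is reported with a 60-minute interval, and only the external address hammering the service account crosses the failure threshold.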

  • Attempts to connect to unknown or prohibited resources — access to Internet resources, cloud storage or foreign sites not related to work tasks may indicate a compromise of the workstation and an attempt to download malicious data.

    It is difficult to do without protection tools here; most often, such access attempts can be detected using endpoint security solutions installed on employees' work machines, or at the NGFW / Security Gateway level if users connect from the corporate network or via a VPN client without split tunneling. Protection tools most often have built-in reputation databases that immediately flag a connection from a work laptop to an attacker's C&C server.

  • Unusually large outgoing or incoming traffic — multiple connections to external resources may indicate an internal attacker or a compromise of the work machine.

    Detection of such anomalies can most often be configured on network equipment, such as NGFW. Such anomalies quickly become noticeable even to the human eye if they are not typical for users.

    A separate story is similar network anomalies related to database access. Downloading a large volume of data from a database, or a large number of small but frequent requests to it, may indicate an attempt at unauthorized dumping of the database. Such anomalies are much harder to notice: built-in DBMS tools most often do not allow logging them, so an additional solution of the database firewall (DBFW) class will need to be implemented.
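An added example (not from the original post) of the volume anomaly described above, generalized to both cases the post mentions: daily outbound bytes per workstation and per-minute query counts per database account. It scores today's value against a two-week baseline with a robust z-score (median and median absolute deviation), which is less easily skewed by a single noisy day than a mean-based threshold. The histories are constructed, and the threshold of 5 is an assumption.

```python
from statistics import median

# Constructed daily outbound traffic per workstation in MB over 14 days (not real data).
EGRESS_HISTORY = {
    "ws-021": [210, 190, 230, 205, 215, 198, 220, 240, 200, 212, 195, 225, 208, 218],
    "ws-055": [150, 160, 140, 155, 165, 145, 158, 150, 162, 148, 155, 151, 159, 147],
}
EGRESS_TODAY = {"ws-021": 230, "ws-055": 4100}

# Constructed queries-per-minute per database account over 14 samples (not real data).
QUERY_HISTORY = {
    "app_user":    [40, 42, 38, 45, 41, 39, 44, 40, 43, 41, 37, 42, 40, 44],
    "report_user": [5, 6, 4, 7, 5, 6, 5, 4, 6, 5, 7, 5, 6, 5],
}
QUERY_NOW = {"app_user": 43, "report_user": 310}


def robust_score(history, value):
    """Robust z-score: how many scaled MADs `value` sits above the baseline median.

    The 1.4826 factor makes the MAD comparable to a standard deviation for
    normally distributed data; a zero MAD (perfectly flat baseline) is replaced
    by 1.0 so that any deviation still produces a finite score.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return (value - med) / (1.4826 * mad)


def flag_outliers(history, current, threshold=5.0):
    """Return {key: score} for every key whose current value exceeds the threshold.

    Keys missing from the baseline are skipped: a brand-new host or account
    needs its own baseline before this check means anything.
    """
    flagged = {}
    for key, value in current.items():
        if key not in history or len(history[key]) < 7:
            continue
        score = robust_score(history[key], value)
        if score > threshold:
            flagged[key] = round(score, 1)
    return flagged


if __name__ == "__main__":
    for host, score in flag_outliers(EGRESS_HISTORY, EGRESS_TODAY).items():
        print(f"ALERT: {host} egress is {score}x MAD above its 14-day median")
    for account, score in flag_outliers(QUERY_HISTORY, QUERY_NOW).items():
        print(f"ALERT: {account} query rate is {score}x MAD above baseline")
```

The same function serves the NGFW byte counters and the DBFW query counters; what changes is only where the baseline comes from. A threshold this high deliberately ignores a busy day and reacts to the order-of-magnitude jumps the post is talking about.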

  • User activity on non-standard ports may indicate attempts to probe the infrastructure by an internal or external attacker.

    Such activity can be detected at the network equipment level or using a host-based firewall. My recommendation is to prohibit, at least for ordinary users, all outgoing network requests that are not required for their work at the host-based firewall level, especially ports such as 22 and 3389, management plane ports of the infrastructure and, in particular, of the DBMS (MySQL – port 3306, PostgreSQL – port 5432, Microsoft SQL Server – port 143, Oracle Database – port 152, etc.).
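An added example, not part of the original post, of reviewing host-firewall logs for the port policy recommended above. It parses constructed lines in the shape of Windows Firewall (pfirewall.log) records and grades each outbound connection: a blocked attempt on a sensitive port is evidence of probing, an allowed connection on one is a policy gap, and anything outside a small baseline of expected ports is noted at low severity. The sensitive-port map uses the vendor default ports (1433 for SQL Server, 1521 for Oracle, as documented by those vendors); the baseline set of 53, 80 and 443 is an assumption about what an ordinary workstation needs.

```python
import re
from collections import Counter

# Services the post singles out, keyed by their vendor default ports.
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
    1433: "mssql", 1521: "oracle",
}
# Egress an ordinary workstation is expected to need (assumption for this example).
BASELINE_PORTS = {53, 80, 443}

# Constructed lines in the shape of Windows Firewall (pfirewall.log) records; not real traffic.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-11 10:01:02 ALLOW TCP 10.0.0.21 93.184.216.34 50111 443 0 - 0 0 0 - - - SEND
2024-03-11 10:01:09 DROP TCP 10.0.0.21 10.0.5.10 50112 3306 0 S 0 0 0 - - - SEND
2024-03-11 10:01:15 DROP TCP 10.0.0.21 10.0.5.11 50113 1433 0 S 0 0 0 - - - SEND
2024-03-11 10:01:20 ALLOW TCP 10.0.0.21 10.0.5.12 50114 22 0 S 0 0 0 - - - SEND
2024-03-11 10:01:33 ALLOW TCP 10.0.0.21 198.51.100.7 50115 8443 0 S 0 0 0 - - - SEND
2024-03-11 10:02:00 ALLOW TCP 10.0.5.12 10.0.0.21 22 50114 0 A 0 0 0 - - - RECEIVE
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+|-) (?P<dport>\d+|-) .* (?P<path>SEND|RECEIVE)$"
)


def parse_firewall_log(text):
    """Parse log lines into dicts, skipping comments, blanks and lines that do not match."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def classify(rec):
    """Return (severity, reason) for one outbound record, or None if it is unremarkable."""
    if rec["path"] != "SEND" or rec["dport"] == "-":
        return None
    port = int(rec["dport"])
    if port in SENSITIVE_PORTS:
        service = SENSITIVE_PORTS[port]
        if rec["action"] == "ALLOW":
            return ("critical", f"workstation reached {service} ({port}); no egress rule blocked it")
        return ("high", f"blocked attempt to reach {service} ({port})")
    if port not in BASELINE_PORTS:
        return ("low", f"non-standard destination port {port}")
    return None


def review(text):
    """All alerts for a log, each with source, destination, port, severity and reason."""
    alerts = []
    for rec in parse_firewall_log(text):
        verdict = classify(rec)
        if verdict:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "port": int(rec["dport"]),
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts


def severity_counts(text):
    """Counter of alert severities, handy as a daily summary per workstation."""
    return Counter(a["severity"] for a in review(text))


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"{a['severity'].upper():8} {a['src']} -> {a['dst']}:{a['port']}  {a['reason']}")
```

The DROP entries show the host firewall doing its job while still leaving a trace worth alerting on; the ALLOW entry on port 22 is the case the recommendation above is meant to eliminate.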

  • Atypical nature of employee remote access, source IP, geographic location, atypical access device – all these triggers can indicate that a user account has been compromised and an attacker has connected to the infrastructure.

    A must-have for remote access cybersecurity is a second authentication factor for users on remote connections and on all organization resources published on the Internet. This point made it into the latest CIS Controls v8, Control 6: Access Control Management:

    “MFA enforcement is required for all external corporate or third-party applications where supported…”

    (by the way, you can download the entire CIS Controls v8 here – https://www.cisecurity.org/controls/v8)

  • Atypical user actions — performing actions that are not typical for the user profile, such as accessing confidential data that is not related to the employee’s job responsibilities, running privileged processes, or changing configuration settings.

    Such actions are quite difficult to detect; most often, tools such as endpoint detection and response (EDR) are required, which are designed to detect suspicious process launches or network requests that indicate a workstation has been compromised.

    We offer our clients detection of such anomalies based on our DEF.HUB MDR service, within which our team provides regular monitoring of cybersecurity events at the level of workstations and servers.

  • Suspicious file activity — the creation, deletion or modification of a large number of files, especially in directories that are not typical for the user, may indicate a malware infection.

    Detecting such anomalies is extremely difficult. At the level of user workstations, file integrity monitoring solutions can be used, which, if configured correctly, will detect an unusually large number of created or modified files. Among open source tools, Wazuh allows implementing such detections.

    In addition, I would like to point out that a large number of files being changed in a short period of time is very typical of ransomware, malicious code that encrypts files. Alerts on such anomalies allow you to detect the encryptor if for some reason the antivirus did not.
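An added example, not from the original post or from Wazuh, of the file-activity detection described above. It counts file events per (user, process) in a sliding one-minute window and, for any burst over the threshold, reports how many directories were touched, what share of the writes fell outside the user's usual locations, and which extensions the written files carry; all of those are the ransomware indicators the post mentions. The events, the usual-directory baseline, the window and the threshold of 30 files per minute are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed per-user baseline: directories where this user normally writes files.
USUAL_ROOTS = {"j.doe": ["C:/Users/j.doe/Documents", "C:/Users/j.doe/Downloads"]}


def make_sample():
    """Constructed file-event stream (e.g. from a file integrity monitor); not real data."""
    base = datetime(2024, 3, 11, 13, 0, 0)
    events = []
    # ordinary editing: a handful of saves spread over an hour
    for i in range(5):
        events.append({"time": base + timedelta(minutes=10 * i), "user": "j.doe",
                       "process": "WINWORD.EXE", "op": "modify",
                       "path": f"C:/Users/j.doe/Documents/report{i}.docx"})
    # burst: an unfamiliar process rewrites 40 files in 20 seconds, half of them on a share
    for i in range(40):
        root = "C:/Users/j.doe/Documents" if i % 2 == 0 else "C:/Shares/finance"
        events.append({"time": base + timedelta(hours=2, seconds=i // 2), "user": "j.doe",
                       "process": "updater.exe", "op": "modify",
                       "path": f"{root}/file{i}.xlsx.locked"})
    return events


def file_bursts(events, usual_roots, threshold=30, window=timedelta(minutes=1)):
    """Bursts of >= threshold file events per (user, process) inside a sliding window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["process"])].append(e)
    alerts = []
    for (user, proc), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        left, peak, peak_range = 0, 0, (0, 0)
        for right in range(len(evs)):
            while evs[right]["time"] - evs[left]["time"] > window:
                left += 1
            if right - left + 1 > peak:
                peak, peak_range = right - left + 1, (left, right)
        if peak < threshold:
            continue
        burst = evs[peak_range[0]:peak_range[1] + 1]
        roots = usual_roots.get(user, [])
        outside = [e for e in burst if not any(e["path"].startswith(r) for r in roots)]
        alerts.append({
            "user": user,
            "process": proc,
            "files_in_window": peak,
            "directories": len({PureWindowsPath(e["path"]).parent.as_posix() for e in burst}),
            "outside_usual_share": round(len(outside) / len(burst), 2),
            "extensions": sorted({PureWindowsPath(e["path"]).suffix for e in burst}),
        })
    return alerts


if __name__ == "__main__":
    for a in file_bursts(make_sample(), USUAL_ROOTS):
        print(f"ALERT: {a['process']} as {a['user']} touched {a['files_in_window']} files "
              f"in one minute across {a['directories']} directories; "
              f"{a['outside_usual_share']:.0%} outside usual locations; "
              f"extensions {a['extensions']}")
```

Word saving five documents over an hour never comes close to the threshold; the unfamiliar process that rewrites forty files in twenty seconds, half of them on a network share and all with the same new extension, is exactly the pattern an integrity monitor should escalate even when the antivirus stayed silent.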

  • Attempts to bypass security measures — actions aimed at disabling antivirus, host-based firewall, EDR or other security tools may indicate the intruder's intentions to launch malware.

    Detection of such attempts should be configured as critical cybersecurity alerts in all protection tools. It is also important to use the built-in self-defense functions of protection tools; such self-defense is available, for example, in most popular antivirus and EDR solutions.

  • Actions under an account with infrequent activity — for example, if an account has not been used for several months, after which activity events for this account appear, this may indicate that it has been compromised.

    Such activity is normal for user accounts whose owners were on vacation or long-term leave, but it is still advisable to define an atypical period of inactivity for such accounts. Activity after a long period of inactivity on a service or privileged account, however, may warrant a critical alert.

    Of course, the hygienic minimum is to configure the authentication systems so that after a long absence of logon events (for example, 90 days) the account is blocked.
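An added example, not part of the original post, that turns the dormant-account rules above into code: a logon is rated against the account's prior inactivity, with different tolerances for ordinary users and for service or privileged accounts, a known leave lowering the severity for users, and a separate pass listing accounts that have passed the 90-day hygiene cut-off. The directory export is constructed, and the per-kind inactivity limits are assumptions.

```python
from datetime import date

# Constructed directory export (not real accounts). In practice this comes from
# the identity provider's last-logon attribute and the HR leave register.
ACCOUNTS = {
    "a.smith":    {"kind": "user",       "last_logon": date(2024, 3, 8),   "on_leave": False},
    "m.ivanova":  {"kind": "user",       "last_logon": date(2023, 11, 1),  "on_leave": True},
    "p.old":      {"kind": "user",       "last_logon": date(2023, 10, 15), "on_leave": False},
    "svc_backup": {"kind": "service",    "last_logon": date(2023, 12, 20), "on_leave": False},
    "adm_legacy": {"kind": "privileged", "last_logon": date(2023, 9, 1),   "on_leave": False},
}

# Assumed inactivity (days) after which a fresh logon is atypical for each account kind.
DORMANT_AFTER = {"user": 45, "service": 14, "privileged": 7}
# The hygiene minimum from the post: block accounts with no logon for this long.
DISABLE_AFTER_DAYS = 90


def days_idle(account, today):
    """Whole days since the account's last recorded logon."""
    return (today - account["last_logon"]).days


def rate_logon(account, logon_day):
    """Severity of a logon on `logon_day` given the account's prior inactivity.

    none     - inside the normal gap for this kind of account
    info     - user returning from a registered leave; confirm with HR
    medium   - user account active again with no known reason
    critical - service or privileged account active after a long silence
    """
    idle = days_idle(account, logon_day)
    if idle <= DORMANT_AFTER[account["kind"]]:
        return "none"
    if account["kind"] in ("service", "privileged"):
        return "critical"
    return "info" if account["on_leave"] else "medium"


def accounts_to_disable(accounts, today, limit=DISABLE_AFTER_DAYS):
    """Names of accounts past the inactivity limit, sorted for a stable report."""
    return sorted(name for name, acc in accounts.items() if days_idle(acc, today) > limit)


if __name__ == "__main__":
    today = date(2024, 3, 11)
    for name, acc in ACCOUNTS.items():
        print(f"{name:11} {acc['kind']:10} idle {days_idle(acc, today):3} days -> {rate_logon(acc, today)}")
    print("disable:", accounts_to_disable(ACCOUNTS, today))
```

Note that the 90-day block applies regardless of account kind, while the alert severity does not: a service account that wakes up after two and a half months has not yet hit the block threshold, which is exactly why its logon needs a critical alert rather than silence.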
