Co-authored by Dr. Yaron Wolfsthal

While some behavioral analytics methods have been used for business intelligence for quite some time, they have focused primarily on the buying habits of groups of people. In the context of information security, behavioral analytics instead builds models of how the entities on an enterprise network, such as users and computers, normally behave. Those models let an organization assess the risk each entity poses and alert on the individual entities that may represent a threat.

Examples of attacks that security behavioral analytics can identify include a cybercriminal who has obtained an employee's legitimate credentials, an insider whose behavior represents a threat to the well-being of the company, and a compromised server on the organization's network that is clandestinely sending corporate data to a command-and-control (C&C) server on the open Internet.

How Security Behavioral Analytics Differ From Cohort Analytics

Superficially, security behavioral analytics may look similar to business intelligence methods like cohort analytics. The latter takes data collected from the usage of products or services, such as an e-commerce or online gaming platform, and breaks it down into related groups for analysis. These related groups, or cohorts, usually share common characteristics within a defined time span.

By properly capturing the characteristics of each cohort (e.g., its purchasing patterns over time), a company can adapt and tailor its service to specific cohorts (e.g., offering special incentives at critical stages). Cohort analysis therefore makes mass marketing smarter and more effective. The stakes differ, however: a cohort-based campaign that misfires costs some revenue, whereas in security behavioral analytics the timely detection of an attack on a company's crown jewels can be what keeps the company in business.

Identifying Anomalies With Behavioral Analytics

On a basic level, behavioral analytics relies upon anomaly detection — the capability to sift through large amounts of data and to identify patterns that do not conform to those statistically expected. In the context of security, such anomalies might represent a variety of threats: intrusions to networks by an impostor, unwarranted escalation of privileges, transmission of sensitive corporate information across irregular channels and so on.

Take the example of user authentication. Traditional methods have relied primarily on password-based schemes or biometric methods to authenticate an individual accessing the system. With a behavioral analytics approach, the system additionally profiles how the user interacts with input devices, such as click speed or the geometric patterns of mouse movement, and differentiates impostors from legitimate users by detecting changes in those interaction patterns. Such profiling works as a continuous check alongside the initial login, not as a replacement for it.

A good anomaly detection mechanism looks not only for abundance — say, too many failed login attempts, which may indicate that someone is trying to breach the system — but also for the truly different. As an example, when bank employee A goes on vacation and her role is temporarily filled by employee B, the algorithm should not raise an alarm merely because a different user ID now appears in the access logs for A's usual systems. It should alert only if B, while covering for A, accesses systems that the role does not normally touch; that difference warrants further investigation. To make this distinction, the algorithm must have learned the system access pattern associated with the role, not just with the individual.

Practical Aspects

In deploying behavioral security analytics, a tuning phase will almost always be required to customize the solution to the specific environment. Since anomaly detection rests on statistical methods, a baseline of normal system behavior must first be established from the organization's own data; no system comes customized to your organization's special needs out of the box. In some environments a single failed login is cause for alarm, while in others it is the norm, and confirming a breach requires detecting a second indicator such as port scanning.
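The vacation example above and the baseline-and-tuning point made here, worked through as an added example that is not code from the original post. It assumes a hypothetical five-field access log (day, user, role, system, outcome) constructed for the demonstration; the user and system names and the tuning constant `k` are assumptions, not the authors' data. Normal behavior is learned per role from a training window, so a new user ID on a system the role already uses raises nothing, while a system the role has never touched (the truly different) or a failed-login count beyond the learned threshold (the abundance) does.

```python
import statistics
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "day user role system outcome")
Alert = namedtuple("Alert", "kind day user detail")

# Constructed training log, fields: day user role system outcome.
# Three quiet days: tellers use core-banking and cash-mgmt, the admin uses ad-controller.
TRAINING_LOG = """\
d01 alice teller core-banking ok
d01 alice teller core-banking ok
d01 alice teller core-banking fail
d01 alice teller cash-mgmt ok
d02 alice teller core-banking ok
d02 alice teller cash-mgmt ok
d02 alice teller core-banking fail
d03 alice teller core-banking ok
d03 alice teller cash-mgmt ok
d01 bob teller core-banking ok
d02 bob teller core-banking ok
d03 bob teller core-banking ok
d01 carol admin ad-controller ok
d02 carol admin ad-controller ok
d02 carol admin ad-controller fail
d03 carol admin ad-controller ok
"""

# Constructed observation log: alice is on vacation and bob covers her desk.
OBSERVED_LOG = """\
d04 bob teller core-banking ok
d04 bob teller cash-mgmt ok
d05 bob teller ad-controller ok
d05 bob teller core-banking fail
d05 bob teller core-banking fail
d05 bob teller core-banking fail
d05 bob teller core-banking fail
d05 bob teller core-banking fail
d05 bob teller core-banking ok
d04 carol admin ad-controller ok
d05 carol admin ad-controller fail
"""


def parse_log(text):
    """Parse one record per non-blank line; reject lines with the wrong field count."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        records.append(Record(*fields))
    return records


def build_baseline(records, k=3.0):
    """Learn what is normal for each role from the training period.

    Returns (role_systems, fail_threshold): the set of systems each role used, and a
    per-role daily failed-login threshold of mean + k*stdev over every user-day seen.
    k is the site-specific tuning knob: a strict environment sets it low, or pins the
    threshold so that a single failure alerts.
    """
    role_systems = defaultdict(set)
    fails = defaultdict(lambda: defaultdict(int))  # role -> (user, day) -> failures
    for r in records:
        role_systems[r.role].add(r.system)
        fails[r.role][(r.user, r.day)] += 1 if r.outcome == "fail" else 0  # counts quiet days too
    fail_threshold = {}
    for role, per_user_day in fails.items():
        counts = list(per_user_day.values())
        sd = statistics.stdev(counts) if len(counts) > 1 else 0.0
        fail_threshold[role] = statistics.mean(counts) + k * sd
    return dict(role_systems), fail_threshold


def detect(records, role_systems, fail_threshold):
    """Raise the two kinds of anomaly: the truly different (a system the role has never
    used) and the abundance (more daily failures than the role's tuned threshold).
    A new user ID on a system the role already uses is deliberately not an anomaly."""
    alerts, daily_fails, reported = [], defaultdict(int), set()
    for r in records:
        if r.system not in role_systems.get(r.role, set()):
            key = (r.user, r.day, r.system)
            if key not in reported:  # one alert per user, day and system
                reported.add(key)
                alerts.append(Alert("novel-system", r.day, r.user,
                                    f"{r.role} role never used {r.system} in baseline"))
        if r.outcome == "fail":
            daily_fails[(r.role, r.user, r.day)] += 1
    for (role, user, day), n in daily_fails.items():
        if n > fail_threshold.get(role, 0.0):  # unknown role: any failure alerts
            alerts.append(Alert("failed-login-burst", day, user,
                                f"{n} failures > {fail_threshold[role]:.2f}"))
    return alerts


def run_example():
    """Train on the quiet days, then score the vacation-cover period."""
    role_systems, fail_threshold = build_baseline(parse_log(TRAINING_LOG))
    return detect(parse_log(OBSERVED_LOG), role_systems, fail_threshold)
```

Running `run_example()` yields two alerts, both for bob on d05: a `novel-system` alert for ad-controller, which no teller touched during training, and a `failed-login-burst` alert for five failures against a teller threshold of about 1.9. Bob's d04 use of cash-mgmt, alice's usual system, raises nothing. Carol's single failure on d05 stays under the admin threshold of about 2.1. In a real deployment the training window would span weeks rather than days, and `k` is exactly the kind of parameter the tuning phase adjusts for the environment.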

During operation, some of the detected anomalies will be unrelated to security: red flags go up because a component is malfunctioning or because a new system has been introduced. To prioritize effectively and act only on genuine security breaches, the organization needs the resources to investigate these anomalies, and a high-quality forensics tool is invaluable for this purpose.

In establishing a sound enterprise security strategy, behavioral analytics provides an advanced layer of protection, but it cannot replace — and, in fact, must be built upon — the more basic methods. For example, suppose an antivirus tool reports that it has successfully cleaned a piece of malware, but other indicators show post-breach behavior from the same host. In this case, behavioral analytics can cross-correlate the basic indicators and help reach the right conclusion: the cleanup claim is contradicted by the evidence, and the host should still be treated as compromised.
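The antivirus example above, cross-correlated in code as an added example that is not from the original post. The post-breach indicator chosen here is the one the article mentions earlier, outbound traffic to a C&C server, detected as a fixed-interval beacon. The host names, the event records and the addresses (taken from documentation ranges) are constructed for the demonstration, and the window and regularity thresholds are assumptions, not values from the article.

```python
import statistics
from collections import defaultdict

# Constructed events: (seconds, host, source, detail). Addresses are TEST-NET ranges.
EVENTS = [
    (0,    "srv-07", "av",  "cleaned Trojan.Generic"),
    (600,  "srv-07", "net", "203.0.113.9:443"),
    (1200, "srv-07", "net", "203.0.113.9:443"),
    (1805, "srv-07", "net", "203.0.113.9:443"),
    (2398, "srv-07", "net", "203.0.113.9:443"),
    (3001, "srv-07", "net", "203.0.113.9:443"),
    (100,  "srv-12", "av",  "cleaned Trojan.Generic"),
    (700,  "srv-12", "net", "198.51.100.4:443"),
    (5000, "srv-12", "net", "198.51.100.4:443"),
    (5200, "srv-12", "net", "198.51.100.4:443"),
    (9000, "srv-12", "net", "198.51.100.4:443"),
    (50,   "srv-03", "av",  "cleaned Trojan.Generic"),
]

STILL_COMPROMISED = "av-cleaned but periodic outbound persists: treat as still compromised"
CLEANED = "av-cleaned, no follow-on outbound activity"
INCONCLUSIVE = "av-cleaned, outbound seen but not periodic: investigate"


def coefficient_of_variation(timestamps):
    """Regularity of a connection series: stdev/mean of the inter-arrival gaps.
    Close to 0 means a fixed-interval beacon. None if fewer than three connections."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.stdev(gaps) / mean if mean > 0 else None


def correlate(events, window=86400, min_conns=4, max_cv=0.1):
    """Per host, pair the AV 'cleaned' claim with the outbound connections that follow
    it within `window` seconds. A series of at least `min_conns` connections to one
    destination whose gaps vary by less than `max_cv` contradicts the claim."""
    cleaned_at = {}
    outbound = defaultdict(list)  # (host, destination) -> timestamps in order
    for ts, host, source, detail in sorted(events):
        if source == "av" and detail.startswith("cleaned"):
            cleaned_at[host] = ts
        elif source == "net":
            outbound[(host, detail)].append(ts)
    verdicts = {}
    for host, t0 in cleaned_at.items():
        verdict = CLEANED
        for (h, dest), stamps in outbound.items():
            if h != host:
                continue
            after = [t for t in stamps if t0 < t <= t0 + window]
            if not after:
                continue
            cv = coefficient_of_variation(after)
            if len(after) >= min_conns and cv is not None and cv < max_cv:
                verdict = STILL_COMPROMISED
                break
            verdict = INCONCLUSIVE
        verdicts[host] = verdict
    return verdicts
```

With the constructed events, `correlate(EVENTS)` marks srv-07 as still compromised (five connections roughly ten minutes apart, gap variation under 1%), srv-12 as inconclusive (outbound traffic, but at irregular intervals), and srv-03 as cleaned. Neither indicator alone reaches those conclusions: the antivirus event says the host is clean, and a handful of HTTPS connections is unremarkable on its own. Real malware often adds jitter to its beacon interval, so `max_cv` is one of the parameters to tune against traffic captured in your own environment.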

Three Tips for Implementing Security Behavioral Analytics

  1. Collect all the information you can lay your hands on, and keep it timestamped and joinable across sources (consistent host and user identifiers). In this era of big data, the more you have, the better you can find the things you should be looking for; success often comes from connecting dots that you didn't even know you had.
  2. Use state-of-the-art machine learning tools. There are many possible solutions, some of them open source, and the best mix is to have a subject matter expert work hand-in-hand with the machine learning expert.
  3. Iterate. Since you are chasing adversaries who are actively trying to avoid being caught, you must revisit your baselines and methods regularly to keep finding them.
