Finding abnormal activities
I reported in the past on the project in which my company and SAP Deutschland SE & Co. KG (SAP) worked together to attach non-SAP systems of the city of Wolfsburg to its ETD instance. Together with colleagues I created charts and patterns to detect attacks and system anomalies. In this post I want to explain the reasoning behind these patterns and charts, which is based on our experience with different customers. I will also explain why it is necessary to adjust the system periodically after the integration.
Abnormal activities are broad and varied. They can be misconfigured systems that send a lot of messages, or they can be potential threats to the network.
First, an example of a misconfigured system, which we know from one of our customers. All clients of this customer had two DNS server addresses. These were configured manually and not pushed by DHCP. When the customer ordered new computers, a disk image was used to install 25 clients. This image contained a typing error in the first DNS server address. As a result, all clients first asked the email server for an IP lookup and only then the second DNS server, so the load balancing between the first and the second DNS server failed. This abnormal activity is harmless, but it still needs to be detected.
Here is a definition of threats. Threats fall into two classes. "Regular threats" are, for example, infrastructure threats such as the heat in server rooms. This is a calculated threat, and the air conditioning should regulate the temperature. An abnormal threat is an attack on IT infrastructure. We further distinguish these attacker threats into unknown attackers from outside and known attackers from inside. The background of both is very varied, and I will not discuss the motives of insiders and outsiders here. In our experience an insider is not the exception; you often find unaware users being responsible. Both insiders and outsiders create abnormal activities in a network, which gives us the chance to detect them. But what are these activities?
1. Abnormal activities
Abnormal activities often indicate something. You have to observe them and often correlate multiple events to find the root cause of the incident. Here are some indicators of abnormalities we recognized in the past.
1.1. Email activities
Here is a case where a customer's employee stayed longer at work every Friday. The employee told colleagues that he was waiting for his sports course to start. It turned out that he collected information about customers and sent it to a contact at another company. Home office was not allowed in this company, so this happened every Friday at approximately eight o'clock for a long time. The employee thought that sending emails in this timeframe would be less conspicuous than during regular business hours, especially since he had to scan various documents, which would have been more suspicious during the day.
Here is another case, in which an employee's PC was hacked, probably by a botnet. As a result, his email account sent a lot of emails every day to all contacts in his address book, distributed over the whole world. It took some time until an end customer told the company that it was spreading spam.
1.2. Remote Logging
A lot of employees have remote access to their company network for home office work. Here is a case where a customer's employee misused his home office notebook. The usual behaviour of this employee was to start the remote connection in the morning and disconnect in the evening, from Monday to Friday. The employee was not in touch with customers or partners; he worked as a clerk only. One day the employee started the remote connection on a Saturday at 11 pm and disconnected 20 minutes later. What had happened? The employee provided guests with confidential information before deleting it. Deleting this information brought the guests some advantages.
1.3. Suspicious user Logons
Here is another interesting case, in which a user performed a nightly logon. An employee went on a business trip. He needed some travel information, booted his computer, logged into his account, checked emails and printed some documents. When finished, the employee turned off the computer and started his business trip. Although this was a legitimate action, an alarm was triggered because a logon at that time is abnormal in general. An account logon at night might be a hacker or a thief.
2. Find these Abnormal Activities with ETD
In order to learn the normal behaviour of a computer network, you need to collect log data for a few weeks. This is called initial data collection. During this process you can create basic charts in ETD. When the initial data collection is finished, you are able to transform those charts into patterns and set up thresholds. In addition, further charts can be laid out that are made especially for your specific network.
2.1. Email activities cases
The first case study was about sending emails with confidential information to competitors. This case is quite difficult to map, but possible to detect. We created an overview chart for a defined period of time and set the threshold for attachments to 1 or higher. Additionally, we observed only the time between 6 pm and 6 am (night time). Another option is to attach the print server (which includes the scanner) to the ETD instance in order to observe activities that happen outside office hours.
Much more interesting is the other case, in which an email account constantly sent out a lot of spam mails. In the project (see the post ETD monitors non SAP systems) we created a corresponding chart based on our experience. We call it the mails-per-user chart. In this chart it is possible to see how many emails a user sends per day, week or month; the different periods of time are just a matter of configuration. It is not, however, a feature for observing a specific user, since the user names are pseudonymized. Instead of the username, an analyst only sees a label such as "TEEQL-73393".
Whenever a user sends out too many emails, we are able to find out who it is. You just have to undo the pseudonymization for that user. De-pseudonymization is only permitted for a specific ETD user account that has been granted the corresponding privileges. You should make sure that only a high authority may do this.
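As an added example (not code from this post or from SAP ETD), the mails-per-user chart as a small Python detection: sender names are replaced by keyed pseudonyms in the label style shown above, mails are counted per configurable period, a threshold pattern raises alarms, and de-pseudonymization is gated on a privileged role. The HMAC key, the label format and the mail log are constructed for the demo.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime

# Hypothetical key for this demo only; the real pseudonymization secret lives in the ETD service.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample mail log: (timestamp, sender, attachments). Bob's account acts like the
# hijacked PC of case 1.1 and sends 120 mails in two hours; the others behave normally.
MAIL_LOG = [
    ("2023-03-06T09:12:00", "alice@example.org", 1),
    ("2023-03-07T14:30:00", "alice@example.org", 0),
    ("2023-03-08T11:05:00", "carol@example.org", 2),
] + [(f"2023-03-06T{10 + i // 60:02d}:{i % 60:02d}:00", "bob@example.org", 0) for i in range(120)]

def pseudonymize(user):
    """Keyed, deterministic pseudonym shaped like the 'TEEQL-73393' labels analysts see."""
    digest = hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).digest()
    letters = "".join(chr(ord("A") + b % 26) for b in digest[:5])
    return f"{letters}-{int.from_bytes(digest[5:9], 'big') % 100000:05d}"

def period_key(ts, period):
    """Bucket a timestamp by day, ISO week or month; the period is just configuration."""
    return ts.strftime({"day": "%Y-%m-%d", "week": "%G-W%V", "month": "%Y-%m"}[period])

def mails_per_user(log, period="day"):
    """Return (counts, reverse_table): counts keyed by (period, pseudonym), and the
    reverse table, which is the only way back to a real name and is stored apart."""
    counts, reverse_table = Counter(), {}
    for raw_ts, sender, _attachments in log:
        label = pseudonymize(sender)
        reverse_table[label] = sender
        counts[(period_key(datetime.fromisoformat(raw_ts), period), label)] += 1
    return counts, reverse_table

def alarms(counts, threshold):
    """Pattern: one alarm per (period, pseudonym) whose mail count exceeds the threshold."""
    return sorted((p, label, n) for (p, label), n in counts.items() if n > threshold)

def reveal(label, reverse_table, privileged):
    """De-pseudonymize only for the dedicated ETD account holding that privilege."""
    if not privileged:
        raise PermissionError("de-pseudonymization requires the privileged role")
    return reverse_table[label]
```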
2.2. Remote Logging Case
We want to be informed whenever an employee establishes a remote connection in the evening, especially at weekends. In ETD it is not possible to look at specific days only (e.g. Saturday). As a result, we need to observe the whole week, but within a certain time window (e.g. 6:00 pm to 6:00 am). Set the threshold in the pattern to a value higher than 0 and have an alarm triggered.
2.3. Suspicious user Logons
User logons outside office hours made from inside the office location are typical abnormal behaviour. Create a chart, count remote sessions and compare them with the domain controller logons. Correlate the findings in the timeframe between 8 pm and 6 am. A threshold checks the number of remote connections and triggers an alarm if they are fewer than the domain controller logons (e.g. 0 remote connections < 1 DC logon => trigger alarm).
In the picture below we observed a full day.
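The two patterns from sections 2.2 and 2.3 as an added Python example (not code from this post or from SAP ETD): events are grouped per night within a window that wraps past midnight, any remote connection in the window is reported, and a night with more domain controller logons than remote connections is flagged as a local logon. The event tuples, types and pseudonyms are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event type, pseudonymized user). Event types are
# domain controller logons and remote (VPN) session starts; the labels are made up.
EVENTS = [
    ("2023-03-10T08:02:00", "dc_logon", "TEEQL-73393"),        # Friday morning, normal
    ("2023-03-10T08:05:00", "remote_connect", "QWRPA-10482"),  # Friday home office, normal
    ("2023-03-11T23:00:00", "remote_connect", "QWRPA-10482"),  # Saturday 11 pm, case 1.2
    ("2023-03-13T03:30:00", "dc_logon", "TEEQL-73393"),        # night logon, no VPN, case 1.3
]
KNOWN_TYPES = ("dc_logon", "remote_connect")

def in_window(ts, start_hour, end_hour):
    """True if ts lies in [start_hour, end_hour); the window may wrap past midnight (20 -> 6)."""
    if start_hour <= end_hour:
        return start_hour <= ts.hour < end_hour
    return ts.hour >= start_hour or ts.hour < end_hour

def night_of(ts, end_hour):
    """Assign an in-window event to the night it belongs to: hours after midnight
    (before end_hour) count towards the previous calendar day's evening."""
    day = ts.date() - timedelta(days=1) if ts.hour < end_hour else ts.date()
    return day.isoformat()

def night_alarms(events, start_hour=20, end_hour=6):
    """Evaluate both patterns per night over the whole week (ETD cannot filter by weekday):
    (1) any remote connection in the window, threshold > 0 (section 2.2);
    (2) more DC logons than remote connections, i.e. a local logon at night (section 2.3).
    Returns (night, rule, sorted pseudonyms) so a privileged analyst can de-pseudonymize."""
    nights = defaultdict(lambda: {kind: [] for kind in KNOWN_TYPES})
    for raw_ts, kind, user in events:
        ts = datetime.fromisoformat(raw_ts)
        if kind in KNOWN_TYPES and in_window(ts, start_hour, end_hour):
            nights[night_of(ts, end_hour)][kind].append(user)
    alarms = []
    for night, seen in sorted(nights.items()):
        remote, dc = seen["remote_connect"], seen["dc_logon"]
        if len(remote) > 0:
            alarms.append((night, "remote_connection_at_night", sorted(set(remote))))
        if len(remote) < len(dc):
            alarms.append((night, "local_logon_at_night", sorted(set(dc))))
    return alarms
```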