Detections
- Home
- - Detections
- -DT101
- ID: DT101
- Created: 13th September 2024
- Updated: 13th September 2024
- Contributor: Ismael Briones-Vilar
Cloud User Behavior Analytics (UBA)
Implement UBA tools tailored for cloud environments to continuously monitor and analyze user activities, detecting anomalies that may signal security risks. Typically offered as services by cloud providers or third-party platforms, Cloud UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. These tools can also provide real-time alerts when users engage in behavior that deviates from established norms, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider threats and unauthorized activities within cloud environments.
Sections
ID | Name | Description |
---|---|---|
IF002.010 | Exfiltration via Bring Your Own Device (BYOD) | A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services. |
AF018.002 | Environment Tripwires | The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.
This tripwire API is embedded within various parts of the environment:
Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:
The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.
Upon detecting activity, the API tripwire can take immediate evasive actions:
|