WEBVTT

00:07.190 --> 00:11.990
As a cyber security analyst, we may sometimes be looking at ourselves from a psychological point of

00:11.990 --> 00:12.410
view.

00:12.440 --> 00:13.700
What do I mean by that?

00:13.700 --> 00:16.460
I really mean that we look at people and we people watch.

00:16.490 --> 00:21.560
We get to see what they do, how they interact with different items, and how they cope with different

00:21.560 --> 00:22.280
mechanisms.

00:22.280 --> 00:26.630
In an electronic environment, this is often referred to as user behavior analysis.

00:26.630 --> 00:28.190
And that's what we're going to cover today.

00:28.190 --> 00:32.690
In this episode, we're really going to go over what constitutes user behavior analysis.

00:32.690 --> 00:35.450
And then by extension entity behavior analysis.

00:35.480 --> 00:36.860
While it's a short episode,

00:36.860 --> 00:41.360
I would caution you to pay attention to it, because it really does play into the fact that we need

00:41.360 --> 00:46.430
to understand what our users are doing on our networks as we're moving forward with technology.

00:47.510 --> 00:53.030
So user behavior analysis is really the idea that we're looking at different perspectives of a specific

00:53.060 --> 00:55.040
user or user organization.

00:55.040 --> 01:00.080
This means that we need to identify what is the standard that our users interact with the different

01:00.080 --> 01:03.800
programs or technologies that are associated with each of the departments.

01:03.800 --> 01:08.870
Sometimes that's an individual, sometimes it's an entire department, regardless of which aspect you're

01:08.870 --> 01:09.380
looking at.

01:09.380 --> 01:14.870
We need to understand that I have a certain number of users that are using a certain activity on technology

01:14.870 --> 01:16.220
on an everyday basis.

01:16.220 --> 01:17.420
What do I mean by that?

01:17.420 --> 01:23.300
If I've got a lot of different users, say, in the HR department, and they typically use Windows-based

01:23.300 --> 01:29.660
machines and Microsoft Office, along with Microsoft Edge as their primary forms of communication and

01:29.660 --> 01:31.250
work styles throughout the day.

01:31.250 --> 01:34.640
Then I know that that baseline behavior is normal for them.

01:34.640 --> 01:41.090
And if I have a subset or a single person within that group that is suddenly starting to use Firefox,

01:41.090 --> 01:46.130
or maybe they're starting to use different software programs associated with their job function, then

01:46.130 --> 01:50.030
that would constitute abnormal activity for that user group.

01:50.030 --> 01:51.920
Now, that's not necessarily bad.

01:51.920 --> 01:56.090
It could just be that that user prefers Firefox over, say, Microsoft Edge.

01:56.090 --> 02:01.870
However, what if they start accessing different folders or servers that that group doesn't normally

02:01.870 --> 02:02.620
access?

02:02.650 --> 02:06.370
This could constitute an objectionable abnormal activity.

02:06.370 --> 02:10.720
And this is where using user behavior analysis comes into play.

02:10.750 --> 02:14.320
What are those users actively doing on a normal basis?

02:14.320 --> 02:20.860
And when I constitute an individual user, it might be okay because that one user is using Firefox all

02:20.860 --> 02:23.170
the time in comparison to Microsoft Edge.

02:23.200 --> 02:24.610
It's perfectly legitimate.

02:24.610 --> 02:29.920
That's just their prescribed or preferred browser that they normally utilize.

02:29.950 --> 02:34.990
Let's say that I've got that one user that normally uses Firefox after week two on the job.

02:34.990 --> 02:40.180
That's fine, but now they started accessing web servers that aren't necessarily something that they

02:40.180 --> 02:42.580
would normally access on a day to day basis.

02:42.580 --> 02:49.240
That could be abnormal behavior, or it could just be a term in which case the user suddenly decided

02:49.240 --> 02:53.290
to use different aspects, methods for that prescribed activity.

02:53.320 --> 02:56.410
Maybe they're moving through research, through the HR department.

02:56.410 --> 03:03.820
Maybe their job or their, uh, duties and responsibilities reflect that change from the average normal

03:03.850 --> 03:05.620
behavior for that department.

03:05.620 --> 03:11.380
That's quite possible, let's say, and turn this around and say, now, that user, after three years

03:11.380 --> 03:16.690
suddenly starts using or starts going to specific websites that are somewhat questionable.

03:16.690 --> 03:22.180
Is that a retraining methodology that we need to utilize, or is that abnormal behavior something that

03:22.180 --> 03:23.200
they're not aware of?

03:23.230 --> 03:30.250
By tracking the user's normal behavior, we could identify if malicious activities are imposed on that

03:30.250 --> 03:31.270
user account.

03:31.270 --> 03:34.510
Let's say that abnormal behavior is 2 a.m. in the morning.

03:34.510 --> 03:39.280
I quite honestly, I like to use 2 a.m. in the morning, but they start going to websites at 2 a.m.

03:39.280 --> 03:45.100
in the morning, but their normal work hours are literally from 8 to 5 p.m. Again, abnormal activity

03:45.100 --> 03:47.380
on the network using that specific user.

03:47.380 --> 03:51.460
However, what if I've got an entire department that starts accessing that website?

03:51.460 --> 03:56.200
Is that abnormal behavior, or is the HR department moving in a new direction?

03:56.200 --> 03:58.600
If they're moving in a new direction, that's fine.

03:58.600 --> 04:04.240
We just need to be aware of that, to associate that new behavior as part of their baseline activity

04:04.240 --> 04:05.590
within that department.

04:05.620 --> 04:12.460
Abnormal behavior really provides us with an analysis that relates back to a malicious activity or possible

04:12.460 --> 04:13.750
malicious activity.

04:13.750 --> 04:16.210
Then there's something called impossible travel.

04:16.240 --> 04:21.730
Impossible travel is where I've got a user that normally works in, say, Seattle, and now all of a

04:21.730 --> 04:27.310
sudden they're in New York and then back in Seattle within a two hour time frame, that's impossible

04:27.310 --> 04:27.760
to happen.

04:27.760 --> 04:34.300
There is no way that a user can move literally from Seattle to New York within two hours and start communicating.

04:34.330 --> 04:40.360
Teleportation doesn't exist yet, and so that's not a feasible recommendation of that travel perspective.

04:40.360 --> 04:45.910
If you think about it, it takes the average user about seven hours to fly from Seattle to New York.

04:45.910 --> 04:48.310
Now, that's not counting wait times in the airport.

04:48.310 --> 04:51.850
That's not counting car taxi travel from the airport to the hotel.

04:51.850 --> 04:53.320
That's just air travel.

04:53.320 --> 04:56.410
And while that may be possible, two hours is improbable.

04:56.410 --> 05:03.160
And so if we detect where the location has changed theoretically in a major way between one point to

05:03.190 --> 05:08.050
another, we refer to that as impossible travel, and we can thereby lock down those accounts.

05:08.050 --> 05:12.970
We can automate that process through our SOAR and SIEM environment, to where something like that is

05:12.970 --> 05:14.140
impossible to interact.

05:14.140 --> 05:19.810
And if we identify and detect those problems, we can quickly lock down accounts, thereby reflecting

05:19.810 --> 05:23.980
malicious activity, and stop hacking it before it actually takes hold of our network.

05:24.880 --> 05:28.480
By extension, we have something that's called entity behavior analysis.

05:28.510 --> 05:34.210
Now, unlike user behavior analysis, we're looking at the organization as a whole, and we're scrutinizing

05:34.210 --> 05:36.880
the behavior of specific entities within our network.

05:36.880 --> 05:43.450
An entity is a specific machine or a specific department within the environment as a whole.

05:43.450 --> 05:47.020
Now, we talked about departments as part of user behavior analysis.

05:47.050 --> 05:52.410
When we say the average of all the users say in the HR department, interact with a specific server,

05:52.410 --> 05:57.930
but we can also look at it from an entity perspective, where the behavior within a specific server

05:57.930 --> 06:05.730
or a specific HTTP request, or the different locking mechanisms within a physical environment are affected.

06:05.760 --> 06:11.940
Let's take this in a scenario based if I've got a specific server, i.e. an entity that normally is

06:11.940 --> 06:18.540
interacted with on a daily basis between, let's say 6 a.m. and 3 p.m., however, traffic quickly curtails

06:18.540 --> 06:20.580
or drops off after 3:30.

06:20.610 --> 06:27.390
Then that entity's behavior is, uh, the traffic goes from very early in the morning, 6 a.m. spikes

06:27.390 --> 06:32.670
up, say about 9 a.m., kind of stays at that high point till about 12 and then steadily curtails or

06:32.670 --> 06:34.200
drops off by 3:30.

06:34.230 --> 06:39.120
I shouldn't have access to that environment on a regular basis after 3:30.

06:39.150 --> 06:43.710
This is entity behavior analysis as compared to user behavior analysis.

06:43.740 --> 06:46.950
We're looking at the actual item, not the user itself.

06:46.950 --> 06:54.040
In this case, I've got a server where the traffic corresponding to it drops after 3 p.m. or 3:30

06:54.040 --> 06:59.880
p.m., in which case I can see that if I've got a shunt in traffic curtailing up or at about 6 p.m.,

06:59.880 --> 07:01.230
that goes against that.

07:01.260 --> 07:06.810
Any behavior, I may have an early threat detection process through malicious use.

07:06.810 --> 07:09.120
This can also reduce false positives.

07:09.120 --> 07:15.600
If we go through and we identify that normal traffic is between 6 a.m. and 3:30, and we're detecting

07:15.600 --> 07:23.160
a lot of malware perspective to that specific device, but that device provides specific proprietary

07:23.160 --> 07:24.120
software on it.

07:24.150 --> 07:25.260
We scan it.

07:25.290 --> 07:29.700
We know that that stuff is on there already because we've run scans in the past.

07:29.700 --> 07:32.100
That's part of that entity's behavior.

07:32.100 --> 07:35.340
Meaning when I scan it, we already know those vulnerabilities are there.

07:35.340 --> 07:38.070
We already know and annotate those different vulnerabilities.

07:38.070 --> 07:43.890
And so we can identify if there's a false positive associated with it, or if, in fact, those vulnerabilities

07:43.890 --> 07:46.650
have already been written off because we're aware that they exist.

07:46.650 --> 07:50.160
It can reduce those false positives because we know they're already there.

07:50.160 --> 07:56.670
We can also improve our incident response because if we're not subjecting our entities to specific problems

07:56.670 --> 08:01.170
on that specific piece of equipment because we already know they're there, then that entity's behavior

08:01.170 --> 08:02.340
is associated with it.

08:02.340 --> 08:05.640
This improves incident response because we're not going into the process.

08:05.640 --> 08:07.380
However, let's flip this around.

08:07.380 --> 08:13.380
If I've got an environment or an entity that's behaving in a specific manner on a day to day basis,

08:13.410 --> 08:19.180
a, i.e. from 6 a.m. to 3:30 p.m., and then all of a sudden we see that upward traffic at, say, 7

08:19.180 --> 08:22.200
p.m. or even 9:30 p.m. that could pose a problem.

08:22.200 --> 08:26.310
We can improve our incident response because we shouldn't see traffic on that specific device

08:26.310 --> 08:30.480
after 3:30 p.m. We can quickly analyze that and lock that device down.

08:30.480 --> 08:34.980
This is a way that entity behavior analysis works in comparison to user behavior analysis.

08:34.980 --> 08:40.950
Remember, an entity is specific hardware or physical devices on our network, entire departments or segments

08:40.950 --> 08:41.790
of our network.

08:41.790 --> 08:45.900
That's the entity we're referring to. User behavior analysis,

08:45.900 --> 08:51.770
that's people, places, that type of thing where we have physical assets in relation to our people,

08:51.770 --> 08:53.900
not the actual equipment that's come into play.

08:53.930 --> 08:54.860
User behavior.

08:54.890 --> 08:56.630
User entity behavior.

08:56.630 --> 08:58.940
That's the entity or the physical device.

08:59.930 --> 09:04.160
Throughout this episode, we talked about the psychological conditions of people and why the user behavior

09:04.160 --> 09:05.150
analysis is important.

09:05.150 --> 09:09.980
But we also talked about the different mechanisms or hardware that's associated with it, including

09:09.980 --> 09:12.500
software that we can go into practice with.

09:12.530 --> 09:17.660
Both of those play an important role as a cybersecurity analyst to identify and understand which one

09:17.660 --> 09:21.290
is which and how they interact with our company or organization as a whole.

09:21.290 --> 09:26.600
And on your Cisa exam, I would take in perspective those specific different determinations between the

09:26.600 --> 09:27.050
two.

09:27.080 --> 09:32.840
You might see a scenario based question dependent upon identifying the difference between a user behavior

09:32.840 --> 09:38.540
analysis versus an entity behavior analysis, and understand the acronyms opposed between the two, UBA

09:38.570 --> 09:39.590
versus EBA.

09:39.620 --> 09:43.160
If you can do that, this is a very high level purpose of the exam.

09:43.160 --> 09:45.620
You shouldn't have any troubles with this little section.
