Stamus-Networks-Blog

Weak Attack Signals Your Legacy IDS Will Miss: Unauthorized User Activity

Written by Stamus Networks Team | Dec 2, 2022 3:00:00 PM

When you already know the specific attacks faced by your organization, then the basic detection provided by IDS is a great solution. Unfortunately, weaker signals that could still present trouble, such as unauthorized user activity, are continually missed by legacy IDS solutions. This is not because IDS is ineffective, but because there are certain limitations those systems have from a fundamental standpoint.

While unauthorized user activity, shadow IT, and policy violations are not usually attack signals on their own, they each represent security risks that could leave an organization open to an attack. Because detecting this activity with a legacy IDS isn’t possible, your organization needs to employ additional tools capable of providing the network visibility needed to locate, identify, classify, and control unauthorized activity on your network.

What is Unauthorized User Activity?

There are several different types of network activity that can be classified as unauthorized user activity. Essentially, any type of activity that isn’t explicitly approved by the organization’s security team and IT department can be considered “unauthorized”. This can vary across each organization. Within this umbrella also falls shadow IT (the use of unapproved software, systems, or devices) and policy violations (when a user breaks a defined rule).

Not every instance of unauthorized user activity is intentional or malicious. In some cases, the user is just trying to increase their productivity, but because the system they are using is unapproved its usage patterns may not be monitored. In other cases, a violation of policy could signal the presence of a malware actor who has taken control of a user account and the user is completely unaware that their credentials are being used. Regardless of the context, it is important that security teams maintain visibility into their user activity so they can quickly investigate suspicious activity.

Why Can’t IDS Detect Unauthorized User Activity?

IDS detection relies largely on signature-based mechanisms. By comparing packets on the network to a library of explicit rules, the IDS can generate alerts when traffic matches a known attack “signature”. 

Unfortunately, this type of detection does not help uncover unauthorized user activity, which must be detected by monitoring host activities and actively hunting for known violations. Organizations should establish a baseline for what is authorized and what is not; however, the responsibility for monitoring user activity and auditing these policies often falls on the security team. An IDS alone cannot maintain the host state needed to view the relevant data which comprises a user’s history and activity. Thankfully, integrated threat hunting tools provided by more modern systems like network detection and response (NDR) can reduce the amount of work an analyst would need to do to identify unauthorized user activity by providing a panel of insights from the host that can quickly and easily be filtered to look for violations in policy.

How Can Unauthorized User Activity be Detected?

One of the most effective ways to identify unauthorized activity using network data is with proactive threat hunting. While legacy IDS systems generate most of the data needed to do this (related logs and NSM data help complete the picture), there is not typically an automated process to trigger alerts based on user activity. Experts recommend a proactive approach to finding unauthorized activity using a threat hunting tool which can query all the relevant host data in a specific time window.

For example, your organization might not authorize users to run HTTPS proxy applications in your environment. In order to locate any instances of this, you could use a network-based threat hunting tool that provides a query for this specific type of activity. In turn, you can review those incidents and where the user/activity is originating from. From there, you may further investigate the user, see why the unauthorized activity is happening, stop the activity, and then create further automation that would trigger a notification if it ever happened again.
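The contrast the article draws between signature matching and policy-driven hunting, and the HTTPS-proxy example above, can be shown on a handful of network logs. The script below is an added illustration, not code from the original post or from Stamus Networks. It uses a constructed set of records whose field layout is modelled on Suricata EVE JSON (`event_type`, `src_ip`, `dest_ip`, `http.http_method`, `http.url`), a toy signature list, and an assumed approved-proxy set `APPROVED_PROXIES` standing in for the organization's own policy. The signature pass only fires on a known attack pattern and never on the proxy traffic; the hunt pass filters the same records by time window and method and flags hosts tunnelling through a proxy that is not on the approved list; the last two functions turn that one-off hunt into a stored rule that can be evaluated against new events, which is the "automation that would trigger a notification" step in the text.

```python
"""Signature matching vs. policy hunting over NSM-style HTTP logs (added example)."""
import json
import re
from datetime import datetime

# Constructed sample, modelled on Suricata EVE JSON; all addresses and names are invented.
# 10.1.0.5:3128 plays the role of the organization's sanctioned proxy.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2022-12-01T09:15:02.000000+0000", "event_type": "http", "src_ip": "10.1.4.23",
     "dest_ip": "10.1.0.5", "dest_port": 3128,
     "http": {"http_method": "CONNECT", "hostname": "updates.example.com", "url": "updates.example.com:443"}},
    {"timestamp": "2022-12-01T09:16:40.000000+0000", "event_type": "http", "src_ip": "10.1.4.57",
     "dest_ip": "203.0.113.9", "dest_port": 8080,
     "http": {"http_method": "CONNECT", "hostname": "freeproxy.example.net", "url": "mail.example.org:443"}},
    {"timestamp": "2022-12-01T09:20:11.000000+0000", "event_type": "http", "src_ip": "10.1.4.57",
     "dest_ip": "203.0.113.9", "dest_port": 8080,
     "http": {"http_method": "CONNECT", "hostname": "freeproxy.example.net", "url": "chat.example.org:443"}},
    {"timestamp": "2022-12-01T11:02:33.000000+0000", "event_type": "http", "src_ip": "10.1.4.88",
     "dest_ip": "198.51.100.7", "dest_port": 80,
     "http": {"http_method": "GET", "hostname": "www.example.com", "url": "/index.html?file=../../etc/passwd"}},
    {"timestamp": "2022-11-30T23:59:00.000000+0000", "event_type": "http", "src_ip": "10.1.4.57",
     "dest_ip": "203.0.113.9", "dest_port": 8080,
     "http": {"http_method": "CONNECT", "hostname": "freeproxy.example.net", "url": "x.example.org:443"}},
])

# Assumed policy: the only proxy users may tunnel through. Not from the article.
APPROVED_PROXIES = {"10.1.0.5"}

# Toy signature library: a classic content match, the kind of thing a legacy IDS alerts on.
SIGNATURES = {"WEB-ATTACK directory traversal in URL": re.compile(r"\.\./")}


def parse_eve(text):
    """Parse newline-delimited EVE records and attach a timezone-aware datetime as '_ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(ev)
    return events


def signature_hits(events):
    """Signature pass: returns (src_ip, signature name) for every record matching a known pattern."""
    hits = []
    for ev in events:
        url = ev.get("http", {}).get("url", "")
        for name, pattern in SIGNATURES.items():
            if pattern.search(url):
                hits.append((ev["src_ip"], name))
    return hits


def hunt_unauthorized_proxy(events, start_iso, end_iso, approved=APPROVED_PROXIES):
    """Hunt pass: CONNECT tunnels inside [start, end) to a proxy not on the approved list, grouped by host."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    findings = {}
    for ev in events:
        if not (start <= ev["_ts"] < end):
            continue
        http = ev.get("http", {})
        if http.get("http_method") != "CONNECT" or ev["dest_ip"] in approved:
            continue
        findings.setdefault(ev["src_ip"], []).append(
            {"when": ev["timestamp"], "proxy": f'{ev["dest_ip"]}:{ev["dest_port"]}',
             "tunnel_to": http.get("url", "")})
    return findings


def make_policy_rule(approved=APPROVED_PROXIES):
    """Turn the hunt into a stored rule so the same condition can notify on future events."""
    return {"name": "POLICY unauthorized HTTPS proxy tunnel", "event_type": "http",
            "http_method": "CONNECT", "approved_dest": set(approved)}


def rule_matches(rule, ev):
    """Evaluate one stored policy rule against a single new event."""
    return (ev.get("event_type") == rule["event_type"]
            and ev.get("http", {}).get("http_method") == rule["http_method"]
            and ev.get("dest_ip") not in rule["approved_dest"])


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print("signature hits:", signature_hits(evs))
    print("hunt findings:", json.dumps(
        hunt_unauthorized_proxy(evs, "2022-12-01T00:00:00+00:00", "2022-12-02T00:00:00+00:00"), indent=2))
```

On the sample data the signature pass reports only the traversal attempt from 10.1.4.88 and stays silent on every proxy record, while the hunt returns 10.1.4.57 with two tunnels through the unapproved proxy; the approved-proxy use by 10.1.4.23 and the tunnel outside the window are correctly excluded. In a real deployment the approved set and the window come from the organization's policy and the analyst's query, not from constants in the script.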

Conclusion

Unauthorized user activity doesn’t necessarily signal the presence of a malware actor on your network, nor does it mean that your users are purposefully trying to violate your policies. But maintaining oversight into these instances is still an incredibly important part of defending the organization. While this kind of activity does not always indicate that you are under attack, unauthorized user activity can leave your organization vulnerable.

Stamus Security Platform (SSP) is a broad-spectrum and open network detection and response (NDR) system that provides response-ready threat detection from multiple sources — machine learning, behavioral anomalies, stateful logic, and IDS signatures. To learn more about how SSP’s enriched hunting interface can help identify unauthorized activity on the network, read our article “Threats! What Threats? Uncovering Shadow IT with Stamus Security Platform” or start our series on guided threat hunting with “Introduction to Guided Threat Hunting”.