Implementation of Behavioral Indicators in Threat Detection and User Behavior Analysis Yegor Anashkin 1 and Marina Zhukova 1 1 Reshetnev Siberian State University of Science and Technology, 31 Krasnoyarskii rabochii prospekt, Krasnoyarsk, 660037, Russia Abstract This paper considers the evolutionary path of indicator development in the tasks of monitoring and threat detection. The work aims to form a unified descriptive structure for behavioral indicators. The resulting description standard is designed to create an open database of behavior indicators. The base of behavior indicators shall be the basis for the user action profiling system that's developing by the authors. Prospects of application of the obtained results are also seen by the authors in the field of Threat Hunting, Threat Intelligence, and automation of correlation rules for SIEM systems. In addition, the possibilities, benefits, and methods of implementation of behavior indicators in the process of user actions profiling are considered. Keywords 1 Indicators, IoC, IoA, IoB, Threat Hunting, UBA, user behavior analytics 1. Introduction The opposition to security threats is a permanent task of information security. It is a continuously and difficult process, that’s consists of the next subprocesses:  identification and analysis threats  development protection system against cyber threats  monitoring attempts to implement threats  response against attempts to implement threats  analysis and conclusions based on results of response  implementation of corrective/improvement measures We focused on the monitoring process because it is the key process required to detect successful attacks or attempts to implement cyber threats. A classic and widespread approach to monitoring is a triggered approach (alert-driven). With this approach, detection and response against attempts to implement threats occur after the information protection means are triggered [1]. This approach cannot be called sufficient against modern cyber threats. Attackers are actively modernizing their techniques and tools to bypass existing information security systems. Another more mature approach to monitoring cyber threats is Threat Hunting. This term should be understood as the process of cyclical analysis of telemetry collected from the infrastructure in order to identify successfully implemented threats that were not noticed by preventive information security systems deployed in the infrastructure [1]. The use of Threat Hunting can reduce the time from the moment an attacker penetrates the victim's infrastructure to the moment he is detected [2]. Today, in both approaches to monitoring cyber threats, you can find the use of indicators. Let us define the concept of an indicator in information security as a sign that signals the presence of realized AISMA-2021: International Workshop on Advanced in Information Security Management and Applications, October 1, 2021, Stavropol, Krasnoyarsk, Russia EMAIL: a.yegoriy@gmail.com (Yegor Anashkin); zhukova@sibsau.ru (Marina Zhukova) ORCID: 0000-0003-1696-0965 (Yegor Anashkin); 0000-0003-3441-3041 (Marina Zhukova) ©️ 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org) 17 threats or attempts to implement threats. When classifying indicators in information security, three types of indicators can be distinguished:  indicator of compromise (IoC)  indicator of attack (IoA)  indicator of behavior (IoB) 2. Indicators of Compromise Today, indicators of compromise (IoCs) are the most widely used. An Indicator of Compromise (IoC) is an object observed on a network or an endpoint, that is highly likely to indicate unauthorized access to the system (that is, its compromise) [3]. These indicators are used to detect malicious activity at an early stage, as well as to prevent known threats. Popular types of IoC are IP addresses, DNS names, and file hashes. However, IoCs have not become a complete and sufficient solution for detecting all attempts to implement threats. The major shortcomings of compromise indicators are highlighted [4]:  Professional attackers who conduct targeted attacks either develop new tools or modify known hacker tool signatures, such as mimikatz. Due to their uniqueness, such tools are not detected by indicators.  Possibility of flooding databases with indicator noise. Attackers send a lot of false indicators, due to which professionals need to filter indicators. It also leads to a decrease in the informativeness of the indicators. It also leads to a decrease in confidence in the indicators.  Professional attackers use the «fileless» malware technique [12]. In this technique, the malicious file is not delivered to the victim's device but is built on the end-device by downloading the malicious code through standard OS features, such as PowerShell.  Generally, IoCs are used in reactive mode. It means a successful attack is discovered when IoCs are found out in forensic artifacts. Thus, IoCs are instruments to identify compromising, but not to provide proactive protection. In summary, the use of IoCs can help detect attacks in which attackers use already known objects (files, DNS, IP, etc.). However, IoCs remain powerless against modern targeted attacks. This led to the emergence and application of a new type of indicators – Indicator of Attack (IoA) and Indicator of Behavior (IoB). 3. Indicators of Attack An Indicator of Attack is a rule (chain of actions) containing a description of suspicious behavior in the system, which may be a sign of a targeted attack [5]. To understand the IoA, refer to the Lockheed Martin Kill Chain Model [6] and the ATT&CK [7]. The Kill Chain model clearly shows a clear breakdown of an attacker's actions into a sequence of stages to achieve a set goal. The MITRE Knowledge Base is the structured and most comprehensive knowledge base of the tactics, techniques, and procedures of professional attackers. Thus, an indicator of an attack can be a separate technique/procedure (for example T1562.002 Impair Defenses: Disable Windows Event Logging), or a sequence of techniques used within the framework of related tactics. As an example, consider running the command line (T1059 Windows Command and Scripting Interpreter) followed by modification of the registry keys responsible for autostart to persistence into the system (T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). The use of attack indicators (IoAs) to detect attempts to implement cyberthreats is more effective than IoCs because changing TTPs (Tactics, Techniques, and Procedures) is the most difficult thing for an attacker to do [8]. 18 4. Indicators of Behavior An Indicator of Behavior is a digital behavior monitored to understand risks within an organization [9]. A set of behavioral indicators (IoBs) includes a subset of actions from the attack indicators. The main difference between IoAs and IoBs is:  IoAs are more related to TTPs (Tactics, Techniques, and Procedures) of professional attackers (APTs). In turn, IoBs are signs of potentially dangerous behavior.  IoBs can be used to detect an internal intruder, an insider or a user who disregards established security policies. The following are examples of behavioral indicators:  use of external media  work on multiple hosts  remote login  work with system utilities  use of RATs (Remote Admin Tools) Indicators of behavior, therefore, have a broader scope of coverage. Behavioral indicators are applicable in the detection of internal intruders, insiders, breaches or non-compliance with established information security policies, leaks of confidential information, and others. 5. Integration of indicators Specialized solutions called the Threat Intelligence Platform are used to integrate IoCs into the threat detection process [18]. Threat Intelligence Platform is able to collect the information about possible threats from different sources (commercial and free, closed and open, public and private) in real-time, classify it, and perform various operations with it, including uploading it to the information security tools. A typical diagram of such a solution is shown in Figure 1. Figure 1: IoCs integration scheme In turn, the attack indicators and behavior indicators currently come as paid rule sets when you purchase the product [5][10]. Open databases, as in the case of IoCs, are not developed. In addition, full implementation of IoBs requires specific tools for profiling user actions. A user profile should be built, including the user's IoBs, and each user action should be recorded and compared with the database of IoBs. Therefore, if IoBs and IoAs are integrated, the diagram shown in Figure 1 will change to look like Figure 2. Figure 2: IoBs and IoAs integration scheme 19 Due to the lack of open IoBs databases, a general structure for describing behavioral indicators is being developed as part of the work in order to create and populate the IoBs database. In the future, it is planned to use this database of indicators in our own system for profiling user actions, which is being developed [11]. An example XML description of a behavior indicator is given in Listing 1. 000001 Using the Windows command line Command line usage may indicate an attempt to execute a system command to run scripts, change system configuration, retrieve system information, etc. Not all users need to interact with the command line when performing their work tasks. Medium Policy Violation, Improper Use Execution T1059 true Windows Windows Security Log 4688 NewProcessName Contains Windows\System32\cmd.exe Listing 1: Example description of a behavior indicator Semantically, the structure of the IoB description can be divided into two components: a block with the necessary descriptive characteristics of the indicator and a block with information to detect the indicator. The description and purpose of the fields are shown in the Table 1. Table 1 Description of the IoB fields Field name Description Id Unique identifier of the behaviour indicator Name Name of behaviour indicator Description Brief description of behaviour indicator Priority Priority of behaviour indicator Category Category of behaviour indicator MITRE_TACT Display of the behaviour indicator in MITRE base tactics MITRE_TECH Display of the behaviour indicator in the MITRE base technique Standalone_IOA Field shows if the behaviour indicator can be considered as a separate attack indicator BehaviorOn This field shows where the behavior indicator can be observed: on the Windows host, on a network or on a Linux host. Detection The field includes detectors that can be used to detect an IoB Detector The field includes the necessary data to detect IoB: in which source to watch, which field and which value. LogSourceName Event source name EventID Identifier of the event in the event source system Parameter Parameter of the event to analyze Condition Condition that must be met by the parameter Value Value for condition 20 The resulting behavior indicator description structure includes not only descriptive fields but also typical event sources, fields, and their values required for indicator detection. This feature allows the use of the IoBs database to automate the writing of correlation rules of SIEM systems. 6. Implementing behavioral indicators in user behavior analysis (User Behavior Analytics) User Behavior and Entity Analytics is a class of information security tools for detecting threats to information systems, based on the analysis of user, device, application, and other behavior [13]. In today's User Behavior Analytics/User Behavior and Entity Analytics solutions, the Scoring method or Scoring models (counting the value, in information security, this is counting the value of the risk) are mostly found [14, 15]. This approach is combined with the time decay method. This means that when a user stops taking actions that add negative points to their risk score, the risk score will gradually decrease, e.g. every 5 minutes by 10 points. Thus, this approach is not sensitive to time-distributed attacks. This approach also lacks retrospective analysis. Behavioral indicators can be used to build both retrospective graphs of potential actions that preceded the current behavior and predict graphs of future actions. Therefore, their use allows for decoupling from the time frame. Detection should not depend on the frequency of potentially dangerous actions but on the sequence of such actions. Also, the quality of UEBA class solutions is highly dependent on the number of data sources used to enrich actions with context [16]. Data enrichment allows finding deeper connections. For example, if integrated correctly with the helpdesk, UEBA can eliminate false positives related to the execution of applications by administrators on users' hosts. Thus, the number and quality of sources connected and processed directly affect the accuracy figure (false positive rate). Hence, a direct way of improving UEBA class solutions is to work on parsing all sorts of existing data sources, natural language text processing, etc. The authors have chosen a different direction – increasing the number of models used. In order to reduce false positives and increase the number of scenarios for the use of user action profiling, a multi-model approach was previously proposed. The multi-model approach, as originally conceived, consisted of the following models  a user behavior model  a working behavior model  a security behavior model  a model of a potential attacker Previously, the multi-model approach was based on analyzing the sequence of all user actions. However, the main purpose of this class of solutions is to detect malicious intent in the user's actions. To detect malicious intent, behavior indicators and attack indicators are sufficient. Therefore, let us now consider the transformation of each model with the implementation of the behavior indicators. 6.1. The user behavior model The user behavior model consists of a set of characteristics of the infrastructure with which the user interacts (e.g. IP address and work hostname) and a set of behavior indicators. The set of behavior indicators generated by user action profiling is primarily designed to avoid false positives. Let's look at a specific example. Let's take an internal attacker as the subject. It is assumed that the internal attacker already has initial access to the system as opposed to the external attacker. However, an internal attacker may use his/her colleague's account to elevate his/her rights or hide his/her actions. To detect such attempts, let's introduce an appropriate behavior indicator - logging in under someone else's account. The entered indicator will work based on the work host specified in the user's profile. When a user logs in to a host they have never logged in to before - the system considers this behavior a possible indicator of logging in under someone else's account. 21 Reflecting on this behavioral indicator, it is possible to conclude that there are scenarios with false positives. For example, a system administrator or helpdesk employee may log on to users' hosts to resolve technical problems. Therefore, to avoid false positives, these user roles need to have another behavioral indicator in their profile - operating on multiple hosts. 6.2. The potential attacker model The potential attacker model is the most significant in terms of the threat posed. This model is therefore subject to particularly stringent false positives. A solution to this requirement could potentially be to set it to trigger only when a specific sequential chain of behavior indicators is detected. The fixation of behavior indicators relating to different stages of an attack is a tell-tale sign of malicious behavior on the part of the user. This concept can be represented as an IoB matrix: 𝑏11 ⋯ 𝑏1𝑛 (1) 𝐼𝑜𝐵 = [ ⋮ ⋱ ⋮ ], 𝑏𝑛1 ⋯ 𝑏𝑛𝑛 where bij=1 if it is possible to move from stage IoB(i) to stage IoB(j). Then, for example, putting L = 3 as the chain length required to trigger an alert, consider a case study. Introduce a behavior indicator, "use of external media", which corresponds to the Initial Access tactic of the MITRE matrix. The current chain length is 1. Next, we notice the "launching a program from removable media" indicator, which correlates with the Execution tactic. From the 'use of external media' indicator, it is possible to move to the "launching a program from removable media" indicator, so the chain length becomes 2. The next indicator observed is 'change in registry values associated with autorun'. This indicator is related to the Persistence tactic. The observed indicator can be associated with the previous one, the chain length becomes 3. Chain length reaches a threshold value - an alert is generated. In addition, with this matrix, it is possible not only to detect current events but also to predict expected indicators of behavior in the future. An example of such a predictive chain is shown in Figure 3. Figure 3: An example of a predictive chain of behavior indicators 6.3. The working behavior model The working behavior model aims to reduce false positives associated with specific infrastructure and corporate policies. For example, in some organizations the use of remote administration tools is legitimate, in others, it is not. Therefore, if the activity is legitimate, appropriate behavioral indicators should be added to the working model. Examples of corporate behavioral indicators are: 22  use of remote administration tools (RAT)  use of telnet  use of public file repositories What is the underlying assumption for the effectiveness of this behavioral indicator approach? Three popular models related to attacker behavior are considered:  The Kill Chain model by Lockheed Martin [6]  MITRE ATT&CK matrix [7]  DIAMOND model [17] The Kill Chain model does a good job of showing the sequence of actions in an attacker's actions to achieve their goals. The MITRE database is rich in techniques that are indeed capable of being indicators of malicious intent, as they are highlighted by analyzing the actions of multiple professional groupings (APTs). The Diamond model shows that infrastructure features and capabilities (analogous to techniques) can identify a specific attacker (attacker attribution). Thus, the multi-model approach combines the best practices of the three models for analyzing user behavior. The potential attacker model is based on the consistency principle of the Kill Chain model. To cover the behavior of professional attackers, the behavior indicators incorporate MITRE matrix techniques. The user behavior model adopts the Diamond model's experience of identifying a subject by infrastructure attributes and user capabilities (behavioral indicators). Despite the perceived benefits of using best practices, the disadvantages cannot be overlooked: 1. The listed models (Kill Chain, MITRE, DIAMOND) target external attackers. To fully cover the sources of cyber threats, models need to be expanded and adapted to also target the internal attacker. As an example, Initial Access tactics from the MITRE base may be completely redundant for an internal attacker because the internal user has a priori certain access rights. 2. More relevant and precise points of contact between the behavioral indicators are needed. Building attack chains (transitions between indicators) on the basis of the attack tactics stage alone will potentially have errors of the first kind. It means detecting an attack attempt based on potentially consistent behavioral indicators, which actually come from different sources and are not related to each other. The presence of false-positive verdicts creates the need for additional manual analysis. 7. Conclusions The next stage in the development of cyber threat monitoring and detection is the integration of behavioral indicators and attack indicators into this process. This requires not only the availability of specific tools but also the emergence of open and accessible indicator databases. To this end, attempts have been made to develop a descriptive framework of behavioral indicators to further build and populate the primary indicator base. This database will be used in its own system for profiling user actions. In addition, it is planned to place the database of indicators in the public domain, which will allow the community to use this database, for example, for the automated creation of correlation rules for SIEM systems. In order to improve the quality of UEBA class solutions, the idea of implementing behavioral indicators in the behavior analysis is proposed. The advantage of using behavioral indicators is their focus on malicious intent. Behavioral indicator sequence analysis is able to detect time-distributed attacks, unlike the popular Scoring method. Taking into account the implementation of behavior indicators and the basic ideas of the Kill Chain, MITRE, and DIAMOND models, an early multi-model approach to user action profiling has been redesigned. Further work will focus on developing algorithms for modeling and detecting behavioral indicators from different log events. 23 8. References [1] Cyber Polygon, Threat Hunting. Why might you need it, 2020. URL: https://cyberpolygon.com/materials/threat-hunting-why-might-you-need-it/. [2] SANS, Threat Hunting Survey: The Differing Needs of New and Experienced Hunters, 2019. URL: https://www.sans.org/media/analyst-program/2019-threat-hunting-survey-differing- experienced-hunters-39220.pdf. [3] Encyclopedia by Kaspersky, Indicator of Compromise (IoC). URL: https://encyclopedia.kaspersky.com/glossary/indicator-of-compromise-ioc/. [4] S. Curry, Indicators of Behavior: The New Telemetry To Find Advanced Cyber Attackers, 2019. URL: https://www.forbes.com/sites/samcurry/2019/06/27/indicators-of-behavior-the-new- telemetry-to-find-advanced-cyber-attackers/?sh=2d7920e4193e. [5] Kaspersky Anti Targeted Attack Platform, Using indicators of compromise (IOC) and attack (IOA) for Threat Hunting. URL: https://support.kaspersky.com/KATA/3.7/en-US/194907.htm. [6] E. Hutchins, M.J. Cloppert, R. M. Amin. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", Lockheed Martin Corporation, 2010. URL: https://www.lockheedmartin.com/content/dam/lockheed- martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf. [7] MITRE ATT&CK®. URL: https://attack.mitre.org/. [8] David J. Bianco. The Pyramid of Pain, 2013. URL: https://detect- respond.blogspot.com/2013/03/the-pyramid-of-pain.html. [9] A. Ross, Indicators of Behavior (IOBs) – With 2020 Vision, Forcepoint, 2020. URL: https://www.forcepoint.com/blog/x-labs/indicators-of-behavior-iob. [10] Forcepoint. Dynamic User Protection. URL: https://www.forcepoint.com/product/dynamic-user- protection. [11] Yegor V. Anashkin, Marina N. Zhukova. "About the System of Profiling User Actions Based on the Behavior Model" IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus), St. Petersburg, Russia 2021. doi: 10.1109/ElConRus51938.2021.9396158. [12] Microsoft Docs, Fileless threats, 2021. URL: https://docs.microsoft.com/en- us/windows/security/threat-protection/intelligence/fileless-threats. [13] Encyclopedia by Kaspersky, UEBA (User and Entity Behavior Analytics). URL: https://encyclopedia.kaspersky.com/glossary/ueba/. [14] J. Wang. Deep Learning in Security – An Empirical Example in User and Entity Behavior Analytics (UEBA), Spark Summit, Video, 2017. URL: https://databricks.com/session/deep- learning-in-security-an-empirical-example-in-user-and-entity-behavior-analytics-ueba. [15] Derek Lin, Leonid Kladko, User Behavior Analytics for Cyber Security and Its Implementation In Scala, ScalaUA Conference, Video, 2018. URL: https://www.scalaua.com/2018/03/22/user- behavior-analytics-for-cyber-security-and-its-implementation-in-scala-derek-lin-leonid-kladko/. [16] G. Sadowski, A. Litan, T. Bussa, T. Phillips, Market Guide for User and Entity Behavior Analytics: analytical report, Gartner, 2018. URL: https://www.cbronline.com/wp- content/uploads/dlm_uploads/2018/07/gartner-market-guide-for-ueba-2018-analyst-report.pdf. [17] S. Caltagirone, A. Pendergast. The Diamond Model of Intrusion Analysis, Center for Cyber Threat Intelligence and Threat Research, Hanover, MD, 2013, 61 P. URL: https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf. [18] Cyberpedia, What is a Threat Intelligence Platform, Palo Alto Networks. URL: https://www.paloaltonetworks.com/cyberpedia/what-is-a-threat-intelligence-platform. 24