Becca Lipman
7 Unusual Behaviors That Indicate Security Breaches

Breaches create outliers. Identifying anomalous activity can help keep firms in compliance and out of the headlines.




Here is a rather uncontested statement: In the world of cyber security there are many things that can go wrong.

Some breaches are intentional, others accidental. A case in which an employee unwittingly discloses confidential information, or is working from an infected machine, may look very similar to the actions of an employee who has gone rogue by uploading or downloading inappropriate data.

Regardless of the cause, determining whether a behavior is normal or abnormal is key to catching a wide variety of security breaches.

Skyhigh Networks compiled real-world examples of behaviors that security teams identified as several standard deviations outside of normal activity.




104,338 tweets in 1 day from 1 IP address. In this instance, a bot was exfiltrating data from a bank 140 characters at a time.

One bank was taken aback by the discovery of malware sending out sensitive information through Twitter - 140 characters at a time. The account was created as a window to send tweets to a machine that presumably stitched the information together. To anyone following the account, it would have looked like gibberish.

In this instance no employees were out of line, and the malware was responding to outside forces.


A retail employee uploads 4.5 GB of files to Kanbox before the employee leaves the organization

Kanbox, a high risk file sharing service, may not be on the radar of security teams.

Rajiv Gupta, CEO of Skyhigh Networks, explains that in this case an employee was sending information out to an unknown file sharing service that the company had not blocked. He had gone rogue and planned to leave the firm. "He had taken out confidential data he knew the company didn't want him to have, which is why he chose to use unapproved and unmonitored channels."

In this instance, security teams may have noticed the significant size of data being transmitted from the firm.


A single authenticated user at an energy company tried to connect to GoToMyPC 11,101,872 times in a week.

In some cases an infected machine will try to find ways to get information out, but the door is locked. In this example, an infected machine tried to connect to GoToMyPC, a screen sharing service typically used by support staff, over 11 million times. "This is an indicator that it wasn't a human being," says Gupta. "It's probing at the defenses looking for a way to get out."

This bears resemblance to the earlier (and more successful) Twitter example in which malware found an unblocked escape route.


A single IP address at a healthcare company attempts to connect to Facebook, which was blocked, 3.8 million times.

In a healthcare company that blocks employees' access to Facebook, it is not unusual to see someone make an occasional log-in attempt. If they try several times in a week they might be a bit slow on the uptake, but even the security team had to acknowledge something was unusual when a single IP made 3.8 million attempts in a single week.

In this case some malware was finding its intended exit closed off but continued to try.

The interesting thing here, adds Gupta, is that while it's important to look at the behaviors behind unauthorized information that is successfully sent, it's equally important to look at what didn't get out. In this case, the malware was identified and extinguished.


A manufacturing employee has 188 uploads totaling 48.7 GBs in 1 day to Ryu Share. The data is sent to a Drop Zone outside of the company's jurisdictional location.

This use case requires some attention to detail. For a company that authorizes the use of Ryu Share, an employee sending out 48 GB may not be entirely suspicious on its own, as it could be a single large file. However, in this instance the average employee sends only a few megabytes a day, making 48.7 GB a noteworthy outlier. The point is that the threshold comes from the organization's own baseline, not from a fixed number.

In this case it was due to an employee who had gone rogue, but the same behavior could also have been an innocent mistake, a compromised account, or an indication that a machine had been infected.
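Each of the slides above reduces to the same detection pattern: aggregate one measure per user or source address (bytes uploaded, connection attempts to a blocked destination, outbound tweets), compare every entity against the population baseline, and flag the ones that sit far outside it. The following is an added example written for this article; it is not code from Wall Street & Technology or Skyhigh Networks. The proxy log format, user names, hostnames, byte counts and the 3.5 threshold are all constructed assumptions. It uses median and median absolute deviation (MAD) rather than mean and standard deviation, because with a small population the one huge upload you want to catch drags the mean and standard deviation along with it and can never score more than sqrt(n-1) in a plain z-score, which would leave the 48.7 GB upload unflagged.

```python
"""Baseline-and-outlier detection over constructed proxy log lines.

Added example for this article; it is not code from Wall Street & Technology
or Skyhigh Networks. The log format, user names, hostnames, byte counts and
the 3.5 threshold are all assumptions made for the example.
"""
import statistics
from collections import Counter, defaultdict

# Constructed proxy log, one event per line:
#   date user src_ip destination action bytes_out
# Five users upload a few megabytes to an internal share, one user pushes
# 48.7 GB to an external file-sharing host, and one source IP hits a blocked
# destination thousands of times (the repeated line stands in for a bot).
CONSTRUCTED_LOG = [
    "2014-03-10 alice 10.1.1.5  share.corp.example ALLOW 3400000",
    "2014-03-10 bob   10.1.1.6  share.corp.example ALLOW 2100000",
    "2014-03-10 carol 10.1.1.7  share.corp.example ALLOW 4800000",
    "2014-03-10 dave  10.1.1.8  share.corp.example ALLOW 1900000",
    "2014-03-10 erin  10.1.1.9  share.corp.example ALLOW 2600000",
    "2014-03-10 frank 10.1.1.10 ryushare.example   ALLOW 48700000000",
    "2014-03-10 alice 10.1.1.5  facebook.com BLOCK 0",
    "2014-03-10 bob   10.1.1.6  facebook.com BLOCK 0",
    "2014-03-10 bob   10.1.1.6  facebook.com BLOCK 0",
    "2014-03-10 carol 10.1.1.7  facebook.com BLOCK 0",
] + ["2014-03-10 svc 10.1.1.42 facebook.com BLOCK 0"] * 3800


def parse_line(line):
    """Split one whitespace-separated log line into a dict (assumed format)."""
    date, user, src_ip, dest, action, bytes_out = line.split()
    return {"date": date, "user": user, "src_ip": src_ip, "dest": dest,
            "action": action, "bytes_out": int(bytes_out)}


def upload_bytes_per_user(lines):
    """Total bytes each user sent on ALLOWed requests."""
    totals = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec["action"] == "ALLOW":
            totals[rec["user"]] += rec["bytes_out"]
    return dict(totals)


def blocked_attempts_per_ip(lines):
    """How many times each source IP hit a BLOCKed destination."""
    return dict(Counter(rec["src_ip"] for rec in map(parse_line, lines)
                        if rec["action"] == "BLOCK"))


def classic_zscores(values):
    """Mean/stdev z-scores, kept only to show how a lone outlier masks itself."""
    xs = list(values.values())
    mean, sd = statistics.fmean(xs), statistics.pstdev(xs)
    return {k: (v - mean) / sd if sd else 0.0 for k, v in values.items()}


def modified_zscores(values):
    """Median/MAD based z-scores (Iglewicz-Hoaglin), keyed like `values`.

    The median and MAD are not pulled toward the outlier, so one enormous
    value stands out even in a population of six. When more than half the
    values are identical the MAD is zero; fall back to the mean absolute
    deviation as the scale, and if that is zero too nothing is an outlier.
    """
    xs = list(values.values())
    med = statistics.median(xs)
    abs_dev = [abs(x - med) for x in xs]
    mad = statistics.median(abs_dev)
    if mad > 0:
        scale = 1.4826 * mad          # 1/0.6745: MAD scaled to a std-dev equivalent
    else:
        mean_ad = statistics.fmean(abs_dev)
        if mean_ad == 0:
            return {k: 0.0 for k in values}
        scale = 1.2533 * mean_ad
    return {k: (v - med) / scale for k, v in values.items()}


def outliers(values, threshold=3.5):
    """(key, score) pairs whose modified z-score exceeds the threshold, largest first."""
    z = modified_zscores(values)
    flagged = [(k, round(s, 1)) for k, s in z.items() if s > threshold]
    return sorted(flagged, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    uploads = upload_bytes_per_user(CONSTRUCTED_LOG)
    print("classic z for frank (masked):", round(classic_zscores(uploads)["frank"], 2))
    print("upload outliers:", outliers(uploads))
    print("blocked-attempt outliers:", outliers(blocked_attempts_per_ip(CONSTRUCTED_LOG)))
```

Run as a script it flags only `frank` on upload volume and only `10.1.1.42` on blocked attempts, while the classic z-score for the same 48.7 GB upload comes out at about 2.2 and would sail under a "three sigma" rule. In production the baseline would be computed per peer group and over a longer window than one day, but the shape of the check is the same.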


65 KB upload to open source code repository leading to loss of proprietary IP.

Source code in financial services is usually highly proprietary, which helps explain why in 2013 Goldman Sachs criminally charged its ex-programmer for stealing computer code.

He had sent himself 32 megabytes of code from Goldman's HFT system to a German source code repository. Debate continues over whether the programmer's intentions were malicious (probably not), but in the eyes of Goldman the practice of uploading source code was not only bad in itself; the site it was sent to, SourceForge, has terms and conditions not at all aligned with corporate policy.

SourceForge's terms and conditions state that all code submitted must be certified under an OSI-Approved License. Once uploaded, the code is open source regardless of how the employee intended to use it. "He didn't read the terms and conditions," explains Gupta. "He just wasn't aware they were so onerous."


Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...

Comments
Becca L
User Rank: Author
3/27/2014 | 9:34:09 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
I see a classic "word problem" potential here. If Sally tweets 104,000 times over 2 days, how many...

I wonder if Twitter itself is tracking these kinds of outlying behaviors, and if they have any means (or interest) in stopping it.
Greg MacSweeney
User Rank: Apprentice
3/27/2014 | 8:49:57 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
Yeh, 104,000+ tweets in 1 day. That's about 1 tweet every 1.2 seconds. Clearly something is wrong, as no human has that much to say on Twitter...LOL
andrewboon2739
User Rank: Apprentice
3/18/2014 | 11:26:31 AM
re: 7 Unusual Behaviors That Indicate Security Breaches
Interesting article!
Becca L
User Rank: Author
3/17/2014 | 9:37:06 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
Agreed. As Skyhigh suggests, companies need to first understand what constitutes normal behavior, so that when events like these happen alarms are sounded, rather than appearing as blips on a report an IT team can overlook.
Kelly22
User Rank: Author
3/17/2014 | 6:05:10 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
That one surprised me too. I feel like that amount of data going to an unknown site should have triggered some red flags.
IvySchmerken
User Rank: Author
3/14/2014 | 2:13:33 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
Another scary one is the case of the retail employee sending 4.5 GB of confidential information to Kanbox, an "unknown" file sharing service that was not blocked by the company. Wouldn't an astute IT team notice this amount of data leaving the company? Is it a sign that this retail company was asleep at the switch?
Becca L
User Rank: Author
3/13/2014 | 11:33:28 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
A secret code! Something straight out of a detective/spy novel. I agree that it wouldn't raise any eyebrows.

Besides, if nobody is following the account, who is there to raise the alarm? Compare that to your own account: if it started tweeting thousands of times per week you'd have a lot of angry (former) followers!
ANON1233964134849
User Rank: Apprentice
3/13/2014 | 11:21:20 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
"With the apparent failure of IDS, network behavioral analysis, malware detection tools and stale market leading DLP systems; organizations must adopt new technologies faster than Hackers do. GTB's advanced data protection solutions provide such powerful technologies which really do secure against unauthorized transmissions from Malware, Viruses and Frenemies" says Uzi Yair, GTB CEO. "Unlike others, our DLP system actually works and prevents breaches from occurring." from http://www.gtbtechnologies.com...
Nathan Golia
User Rank: Author
3/13/2014 | 6:00:32 PM
re: 7 Unusual Behaviors That Indicate Security Breaches
That Twitter one is pretty crazy. I wonder how sophisticated you could get and maybe develop a code that looks like normal tweets. The inanity of a random Twitter account would surely not raise any eyebrows.