
To date, security models against network incidents and threats have been based on adding successive layers of security to the infrastructure. The simile is a castle's defenses: the higher the walls, the better the relics inside are protected. Although monolithic fortifications in digital environments have been an effective form of defense against fraud and digital threats, the current environment, complex, hyperconnected and growing exponentially, makes the tasks of protection, detection and response extremely difficult: the cybersecurity expert must monitor a large number of entities, each generating large amounts of data every minute.

If we analyze the world of cyberattacks, we find professionalized organizations that are also growing exponentially. Cyberattacks are now a recurring news item around the world; according to sources at the United States intelligence center, the number of attacks during 2021 increased by up to 150% compared with the previous year, with small and medium-sized businesses being the main target of cybercriminals. Among the attacks that most affect companies and institutions are phishing, where criminal groups impersonate identities to obtain confidential information; ransomware, which encrypts data and hijacks devices in order to demand a payment; and denial of service (DoS), which exhausts a server's resources so that it can no longer offer its services.

In recent years, Artificial Intelligence (AI) has become a great ally in the fight against fraud and cyber threats in the digital world, given its capacity to optimize and automate the tasks of incident response services. Until now, AI techniques have been based on reactive threat detection: attack patterns are learned in order to detect future attacks, as in IPS systems where expert systems are trained to filter potentially dangerous traffic. Despite the effectiveness of reactive systems, they leave out the main factor in cyber threats: the human factor. Along these lines, research into user-centered techniques has gained relevance in recent years, in particular User and Entity Behavior Analytics (UEBA), where user behavior is analyzed with AI to offer both reactive and predictive capabilities against latent attacks.

These techniques study the past, present and future behavior of the interactions of users and entities in a network. They allow the normal or expected behavior of a corporation's entities to be determined, and any deviation from that behavior is analyzed with AI algorithms to search for and identify anomalous patterns or behaviors that are the result of a cyberattack. The main advantage of this type of technique over purely reactive ones is its flexibility: threat identification is agnostic, so different types of attack can be detected, including zero-days, and threats are detected early, since a change in behavior reveals the first stages of the attack vector.

In detail, UEBA techniques model user behavior along two dimensions: a historical component and a group component. In the first, AI techniques profile the user and learn the patterns that determine their behavior, using for example singular value decomposition, clustering or state-of-the-art techniques based on deep learning. The second dimension consists of systematically comparing the entities in the network with one another, which makes it possible to identify changes in behavior or anomalies. Here too there is a wide range of techniques, with clustering being the preferred one. Along these lines, the leading project in UEBA techniques, openueba, developed by i2cat, seeks to determine user behavior in order to calculate each user's exposure to specific threats, helping the analyst focus their efforts on those users whose risk patterns make them more likely to be affected by a given threat.
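The two dimensions described in the last two paragraphs can be made concrete with a small scoring routine. The following is an added example written for this page; it is not code from openueba or from i2cat, and the activity records, feature names, department labels and the 3-sigma threshold are all constructed for illustration. Each user's current day is scored against that user's own history (the historical component) and against the other users of the same department (the group component), using per-feature z-scores in place of the clustering or deep-learning models the text mentions.

```python
"""Two-dimensional UEBA scoring over constructed daily activity records.

Historical dimension: a user's current day is compared with that user's own
earlier days (per-feature z-scores against the user's baseline).
Group dimension: the same day is compared with the user's peers in the same
department, leaving the scored user out of the peer baseline.
"""
from statistics import mean, pstdev

# interactive logins, MB uploaded, distinct hosts contacted (hypothetical feature set)
FEATURES = ("logins", "mb_out", "hosts")

# Constructed sample, not real telemetry: (user, dept, day, logins, mb_out, hosts).
# Days 1-5 serve as history; day 6 is the day being scored.
RECORDS = [
    ("alice", "eng", 1, 4, 30, 5), ("alice", "eng", 2, 5, 28, 6),
    ("alice", "eng", 3, 4, 35, 5), ("alice", "eng", 4, 6, 31, 7),
    ("alice", "eng", 5, 5, 29, 6), ("alice", "eng", 6, 5, 33, 6),
    ("bob", "eng", 1, 3, 20, 4), ("bob", "eng", 2, 4, 22, 4),
    ("bob", "eng", 3, 3, 25, 5), ("bob", "eng", 4, 4, 21, 4),
    ("bob", "eng", 5, 3, 23, 5), ("bob", "eng", 6, 4, 24, 4),
    ("carol", "eng", 1, 5, 26, 6), ("carol", "eng", 2, 4, 30, 5),
    ("carol", "eng", 3, 5, 27, 6), ("carol", "eng", 4, 5, 29, 6),
    ("carol", "eng", 5, 4, 31, 5), ("carol", "eng", 6, 5, 30, 6),
    # dave's day 6 departs from both his own history and his peers
    ("dave", "eng", 1, 4, 24, 5), ("dave", "eng", 2, 4, 26, 5),
    ("dave", "eng", 3, 5, 25, 6), ("dave", "eng", 4, 4, 27, 5),
    ("dave", "eng", 5, 5, 23, 6), ("dave", "eng", 6, 19, 410, 41),
]


def feature_vector(rec):
    """The numeric features of one daily record, in FEATURES order."""
    return rec[3:6]


def zscores(vector, baseline):
    """Per-feature z-scores of `vector` against the rows in `baseline`.

    A feature whose baseline never varies gets 0 when the value matches the
    baseline exactly and a large fixed score otherwise: any change in a
    perfectly stable feature is itself worth an analyst's attention.
    """
    scores = {}
    for i, name in enumerate(FEATURES):
        column = [row[i] for row in baseline]
        mu, sigma = mean(column), pstdev(column)
        if sigma == 0:
            scores[name] = 0.0 if vector[i] == mu else 10.0
        else:
            scores[name] = (vector[i] - mu) / sigma
    return scores


def historical_scores(user, day, records):
    """Historical dimension: the user's `day` against the user's own earlier days.
    Returns None when there is no history or no record for that day."""
    own = [r for r in records if r[0] == user]
    history = [feature_vector(r) for r in own if r[2] < day]
    current = [feature_vector(r) for r in own if r[2] == day]
    if not history or not current:
        return None
    return zscores(current[0], history)


def group_scores(user, day, records):
    """Group dimension: the user's `day` against every record (up to `day`) of
    the peers in the same department. The scored user is left out so that a
    single outlier cannot pull the peer baseline toward itself and mask itself."""
    current = [r for r in records if r[0] == user and r[2] == day]
    if not current:
        return None
    dept = current[0][1]
    peers = [feature_vector(r) for r in records
             if r[1] == dept and r[0] != user and r[2] <= day]
    if not peers:
        return None
    return zscores(feature_vector(current[0]), peers)


def score_day(day, records, threshold=3.0):
    """Score every user with a record on `day` on both dimensions.

    Returns {user: {"historical": max |z|, "group": max |z|,
                    "top_feature": name, "flagged": bool}}; a user is flagged
    when either dimension exceeds `threshold` standard deviations.
    """
    report = {}
    for user in sorted({r[0] for r in records if r[2] == day}):
        hist = historical_scores(user, day, records) or {}
        grp = group_scores(user, day, records) or {}
        h_max = max((abs(v) for v in hist.values()), default=0.0)
        g_max = max((abs(v) for v in grp.values()), default=0.0)
        # the feature contributing most across both dimensions, to guide triage
        top = max(FEATURES, key=lambda f: abs(hist.get(f, 0.0)) + abs(grp.get(f, 0.0)))
        report[user] = {
            "historical": round(h_max, 2),
            "group": round(g_max, 2),
            "top_feature": top,
            "flagged": h_max >= threshold or g_max >= threshold,
        }
    return report


if __name__ == "__main__":
    for user, row in score_day(6, RECORDS).items():
        print(f"{user:6s} hist={row['historical']:7.2f} group={row['group']:7.2f} "
              f"top={row['top_feature']:6s} flagged={row['flagged']}")
```

Run as a script, the report flags only dave on day 6, with `mb_out` as the feature driving the score, and leaves the three users whose day looks like their own past and like their peers unflagged. Two design points carry over to a real deployment: the leave-one-out peer baseline prevents a single anomalous entity from widening the group's spread enough to hide inside it, and reporting both dimensions separately lets the analyst distinguish "unusual for this user" from "unusual for this role", which the text identifies as the basis for prioritizing the users most exposed to a given threat.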

The trend is for cyber threats to keep growing exponentially. We will see more attacks, more diverse ones, affecting institutions and entities that were previously unimaginable. To address this scenario, the UEBA techniques described above will become a key element of threat-agnostic prevention, helping to build cyber-secure digital environments.

Albert Calvo 
Research Engineer in Artificial Intelligence at the i2cat Foundation

CIDAI