New Cloud Provider for User

Description

Detect a user who is accessing a cloud storage provider they've never used before.


Use Case

Insider Threat, Security Monitoring

Category

Data Exfiltration, Insider Threat, Shadow IT

Security Impact

Data exfiltration techniques vary across the world, but certainly a very common approach taken in 2018 is to upload data to a non-corporate file storage solution. Tracking when new file storage solutions end up in your environment is a key capability for understanding where data flows in your organization, along with the adoption of Shadow IT.

Alert Volume

High (?)

SPL Difficulty

Medium

Journey

Stage 2

MITRE ATT&CK Tactics

Exfiltration
Command and Control

MITRE ATT&CK Techniques

Exfiltration Over Alternative Protocol
Web Service

MITRE Threat Groups

APT12
APT33
APT37
APT41
BRONZE BUTLER
Carbanak
FIN6
FIN7
FIN8
Lazarus Group
Leviathan
Magic Hound
OilRig
Patchwork
RTM
Thrip
Turla

Kill Chain Phases

Actions on Objectives

Data Sources

Web Proxy

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache dropdown below and select the sample item. A window will pop up telling you more about this feature.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

You should not review these alerts directly (except for access to extremely sensitive systems), but instead use them for context, or to aggregate risk (as mentioned under How To Respond).

How To Respond

When this search returns values, validate whether the usage of this cloud provider is permitted by your policy, and investigate to see what data is being stored there. A common permissible scenario is uploading into a Box folder provided by a vendor for secure support file upload, versus backing up data to a personal Google Drive account, which is not. Ultimately this search will generate many shades of gray, so it's prudent to understand supporting information such as the amount of data transmitted before reaching out to the employee or their manager to determine next steps.

Help

New Cloud Provider for User Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of Palo Alto Networks events. For this analysis, we are effectively grouping by username and app name after filtering for the category, which will give us a row for each username+appname combination. We check if the first time that has occurred was in the last day.

SPL for New Cloud Provider for User

Demo Data

  • First we bring in our basic demo dataset: a list of anonymized PAN logs. We use a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
  • Now we filter for just online storage behavior where at least ~1.5 MB was transmitted out (the actual recommendation is 3 MB, but the sample data is mostly low volume).
  • Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
  • Next we calculate the most recent timestamp in our demo dataset.
  • We end by checking whether the earliest time we've seen this value is within the last day before the end of our demo dataset.

Live Data

  • First we bring in our base dataset of proxy logs (several different varieties are offered for convenience; you should filter to your own index and sourcetype), where the app and bytes_out fields are defined.
  • Technically this line could be part of the prior one, but to make it easier to read, we now filter for where the category belongs to Online Storage. Included here are the category names used by PAN, Check Point, and Blue Coat.
  • Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
  • We end by checking whether the earliest time we've seen this value is within the last day.

Accelerated Data

  • tstats gives us a dense and fast query for just web sharing activities. Here we filter for file sharing behavior / cloud storage sites where more than ~3 MB was uploaded, and group by user and by the actual app.
  • Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
  • We end by checking whether the earliest time we've seen this value is within the last day.
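The three SPL variants above (Demo, Live and Accelerated) all implement the same "first time seen" logic: filter proxy events to the online storage category and an upload-size threshold, compute the earliest and latest time per user+app pair, and flag pairs whose earliest time falls within the last day. The following Python is an added example written here to make that logic concrete outside Splunk; it is not the page's SPL or Splunk Security Essentials code. The field names (_time, user, app, category, bytes_out), the category strings and the sample events are all constructed for the example, and the optional cache dict stands in for the lookup cache feature mentioned under How to Implement.

```python
"""First-time-seen detection of cloud storage providers per user.

Added example, not the Splunk Security Essentials search itself. Assumes
proxy events with fields: _time (epoch seconds), user, app, category, bytes_out.
"""
from datetime import datetime, timezone

# Category labels treated as online storage; the exact strings are an
# assumption for this example (real products use their own names).
ONLINE_STORAGE_CATEGORIES = {"online-storage-and-backup", "File Storage/Sharing", "Online Storage"}
BYTES_OUT_THRESHOLD = 3 * 1024 * 1024  # ~3 MB, the recommended upload size floor
ONE_DAY = 86400


def _ts(iso):
    """Epoch seconds from an ISO timestamp (treated as UTC) for sample data."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


# Constructed sample proxy events (not real logs).
SAMPLE_EVENTS = [
    {"_time": _ts("2018-05-01T09:00:00"), "user": "alice", "app": "box", "category": "online-storage-and-backup", "bytes_out": 5_000_000},
    {"_time": _ts("2018-05-02T10:00:00"), "user": "alice", "app": "box", "category": "online-storage-and-backup", "bytes_out": 4_000_000},
    {"_time": _ts("2018-05-10T11:00:00"), "user": "alice", "app": "google-drive", "category": "online-storage-and-backup", "bytes_out": 8_000_000},  # new provider for alice
    {"_time": _ts("2018-05-10T12:00:00"), "user": "bob", "app": "dropbox", "category": "online-storage-and-backup", "bytes_out": 100_000},  # below threshold
    {"_time": _ts("2018-05-10T12:30:00"), "user": "bob", "app": "salesforce", "category": "business", "bytes_out": 9_000_000},  # not online storage
    {"_time": _ts("2018-05-03T08:00:00"), "user": "carol", "app": "onedrive", "category": "online-storage-and-backup", "bytes_out": 3_500_000},
]


def filter_uploads(events, threshold=BYTES_OUT_THRESHOLD):
    """Keep only online-storage events with more than `threshold` bytes sent out."""
    return [e for e in events
            if e["category"] in ONLINE_STORAGE_CATEGORIES and e["bytes_out"] > threshold]


def first_last_seen(events):
    """Like `stats earliest(_time) latest(_time) by user app`: (user, app) -> (first, last)."""
    seen = {}
    for e in events:
        key = (e["user"], e["app"])
        first, last = seen.get(key, (e["_time"], e["_time"]))
        seen[key] = (min(first, e["_time"]), max(last, e["_time"]))
    return seen


def merge_with_cache(seen, cache):
    """Fold a lookup cache ((user, app) -> first seen time) into the current run,
    so a pair already known from earlier runs is not reported as new again."""
    merged = dict(seen)
    for key, cached_first in cache.items():
        first, last = merged.get(key, (cached_first, cached_first))
        merged[key] = (min(first, cached_first), last)
    return merged


def new_providers(events, now=None, cache=None, threshold=BYTES_OUT_THRESHOLD):
    """Return sorted (user, app) pairs whose first upload falls within one day of `now`.

    `now` defaults to the latest event in the dataset (the Demo Data approach);
    for live data pass the current time. `cache` is an optional lookup cache.
    """
    seen = first_last_seen(filter_uploads(events, threshold))
    if cache:
        seen = merge_with_cache(seen, cache)
    if not seen:
        return []
    if now is None:
        now = max(last for _, last in seen.values())
    return sorted(key for key, (first, _) in seen.items() if first >= now - ONE_DAY)


def build_cache(events, threshold=BYTES_OUT_THRESHOLD):
    """Persistable lookup cache: (user, app) -> earliest time seen in `events`."""
    return {key: first for key, (first, _) in first_last_seen(filter_uploads(events, threshold)).items()}


if __name__ == "__main__":
    for user, app in new_providers(SAMPLE_EVENTS):
        print(f"first use of {app} by {user}")  # prints: first use of google-drive by alice
```

With the constructed events only alice's first upload to google-drive is reported: her Box uploads were first seen nine days earlier, bob's Dropbox traffic is under the 3 MB floor, and his Salesforce upload is not in an online storage category. Seeding the cache with an earlier first-seen time for that same pair suppresses the alert, which is exactly what the lookup cache buys you when the search window is shorter than the history you want to compare against.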

Screenshot of Demo Data