Skip to content

Latest commit

 

History

History
347 lines (278 loc) · 19.6 KB

File metadata and controls

347 lines (278 loc) · 19.6 KB

User Behavior Analysis

Identity-based attacks that exploit legitimate accounts are growing in prevalence given the rise in cloud services and hybrid networks. Insider threats are a constant risk as well. As such, it is imperative to be able to analyze the behaviors of user accounts and discern malicious activity. Fortunately there are many data sources providing visibility into user activity, from identity and access management (IAM) logs, to sign-in authentication logs, to SaaS audit logs, to OS-level login events, and EDR events tied to specific accounts. LLMs can help navigate the complexity and lead to insightful user behavior inferences.

Authentication Event Analysis

Analyze user logon and identity-verification events for anomalies and excesses. The trick for defenders is discerning the malicious activity among legitimate activity. Under Zero Trust Architecture (ZTA), Identity is one of 5 pillars and organizations are encouraged to gain visibility and deploy analytics to adjudicate access to resources based on a user's identity (roles, org, etc.), devices, networks, geolocations, and requested resources (apps/workloads and data). Depending on the system logging user authentication and logon events, the availability of such contextual information will vary. LLMs can be used to provide actionable guidance when provided with effective prompts. Furthermore LLMs integrated within Identity platforms and cloud services often have advanced authentication risk analytics which are able to assist cybersecurity professionals.

You are a <network/cloud/app admin | cybersecurity forensics analyst> auditing user authentication events for compromised accounts, insider threat, and signs of malicious activity.

You are reviewing authentication events for the following systems:
[start]
<Active Directory>
<SaaS application>
<cloud directory or service>
<VPN solution>
<IAM / IDP solution>
<specific application>
<network captures or event logs with authentication protocol traffic > 
[end]

You have access to the following tools, data sources, and solutions:
[start]
<Specific SIEM with specific logs, data sources>
<cloud security service>
<EDR solution>
<IAM solution>
<network analysis tool or sensor>
...
[end]

Perform the following tasks:
1. Identify relevant user authentication events, logs, auditing, and risk detection features and capabilities available in my environment.
2. Provide step-by-step instructions for enabling user authentication event logs and features.
3. Outline a query strategy to detect risky authentication events based on anomalous properties such as <device details, network information, geolocation, requested resource/app/data, time of day, etc.>
4. Recommend thresholds that can be used to detect malicious activity such as number of failed authentications, number of unique observed user accounts, devices, locations, network addresses, user agents, etc.
5. Recommend aggreggations on a per-user basis that can be used to detect malicious activity such as number of devices, locations, user agents, etc. 

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to use the LLMs or AI integrations offered by your EDR solution, SaaS, or SIEM, if applicable, as they may be fine-tuned to help with user authentication event analysis.
  • Work iteratively with your prompts. The more specific and focused you are with the desired task, the better the inferences.

Warning: Sanitize sensitive information before including them in prompts or RAG, as there is the potential to leak confidential information found in authentication events.

Authorization Event Analysis

Once users have been authenticated, their authorizations entitle them to access certain resources. An array of application audit logs, identity and access management (IAM) logs, and privileged access management (PAM) logs provide visibility into authorization events. User management portals can also be used. The challenge for defenders and administrators is looking for deviations from normal authorization patterns. Permission-granting events are also of interest as privileges can be escalated by malicious activity. Machine learning features of SIEM platforms are able to help with establishing baselines and enabling authorization anomaly detection. LLMs can help!

You are a <domain/cloud/app admin | cybersecurity forensics analyst> auditing user authorization events for abuse of compromised accounts, insider threat, privilege escalation, and other signs of malicious activity.

You are reviewing authorization, permission-granting, and entitlements management events for the following systems:
[start]
<Active Directory>
<SaaS application>
<cloud directory or service>
<VPN solution>
<PAM solution>
<IAM / IDP solution>
<specific application>
<network captures or event logs with authentication/authorization protocol traffic > 
[end]

You have access to the following tools, data sources, and solutions:
[start]
<Specific SIEM with specific logs, data sources>
<cloud service management portal>
<EDR solution>
<PAM solution>
<IAM solution>
<network analysis tool or sensor>
...
[end]

Perform the following tasks:
1. Identify relevant user authorization events, logs, auditing, and risk detection features and capabilities available in my environment.
2. Provide step-by-step instructions for enabling user authorization event logs and features.
3. Outline a strategy to detect abnormal authorizations for users using any machine learning features available in my environment.
4. Create a query or instructions to view the resources to which an arbitrary user is entitled.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to use the LLMs or AI integrations offered by your EDR solution, SaaS, cloud service provider, or SIEM, if applicable, as they may be fine-tuned to help with assessing and managing user authorizations.
  • Work iteratively with your prompts. The more specific and focused you are with the desired task, the better the inferences.
  • Carefully review generated code and query syntax for any hallucinations or faulty assumptiosn made about data schemas

Warning: Sanitize sensitive information before including them in prompts or RAG, as there is the potential to leak confidential information found in authorization events.

Credential Scope Analysis

Modern hybrid networks rely on a myriad of different credentials for identity and access management: certificates, Kerberos, java web tokens, OAuth bearer tokens, NTLM hashes, etc. Visibility into credential use is provided in sources such as application audit logs, authentication logs, OS events, and network protocols. When accounts and credentials are compromised defenders often need to track the usage of particular credentials to ascertain the scope of compromise. LLMs can help users properly query diverse visibility sources and tools to help with this task.

You are a <domain/cloud/app admin | cybersecurity forensics analyst>.
You are investigating the use of compromised credentials across systems to understand the impact of an incident involving a compromised account, insider threat, or other malicious activity.

The following systems of interest are in your environment:
[start]
<Active Directory>
<SaaS application>
<cloud directory or service>
<VPN solution>
<PAM solution>
<IAM / IDP solution>
<specific application>
<network captures or event logs with relevant protocol traffic> 
[end]

You have access to the following tools, data sources, and solutions:
[start]
<Specific SIEM with specific logs, data sources>
<cloud service management portal>
<EDR solution>
<PAM solution>
<IAM solution>
<network analysis tool or sensor>
...
[end]

Perform the following tasks:
1. Identify relevant events, logs, auditing, and risk detection features and capabilities available in my environment that shed light on credential use.
2. Provide step-by-step instructions for enabling user credential logging and related features.
3. Create a query to retrieve credential information for an arbitrary user.
4. Create a query to retrieve events involving the use of a particular credential.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to use the LLMs or AI integrations offered by your EDR solution, SaaS, cloud service provider, or SIEM, if applicable, as they may be fine-tuned to help with credential analysis.
  • Work iteratively with your prompts. The more specific and focused you are with the desired task, the better the inferences.
  • Carefully review generated code and query syntax for any hallucinations or faulty assumptiosn made about data schemas

Warning: Sanitize sensitive information before including them in prompts or RAG, as there is the potential to leak credentials and account details.

Account Management Activity Monitoring

User account information repositories and databases are found in solutions such as Active Directory, SaaS platforms, IAM systems, PAM solutions, and cloud service portals. Endpoints also retain information on accounts, at a local level. The goal with account management activity monitoring is to detect activity such as the unauthorized creation, deletion, and modification of accounts. Manipulations such as changes to group/role memberships, authentication mechanisms, credentials, etc. can indicate malicious activity. Consider LLM prompts to help with standing threat hunting queries and manual account audits.

You are a <network/domain/cloud/app admin | cybersecurity forensics analyst>.
You are performing an audit of user accounts in your environment, looking for unauthorized account creation, deletion, and property changes. 

The following systems of interest are in your environment:
[start]
<Active Directory>
<specific endpoint devices and OS information>
<SaaS application>
<cloud directory or service>
<VPN solution>
<PAM solution>
<IAM / IDP solution>
<specific application>
<network capture or event logs with relevant protocols (e.g., LDAP, RADIUS, etc.)>
[end]

You have access to the following tools, data sources, and solutions:
[start]
<Specific SIEM with specific logs, data sources>
<cloud service management portal>
<EDR solution>
<PAM solution>
<IAM solution>
<network analysis tool or sensor>
...
[end]

Perform the following tasks:
1. Identify relevant events, logs, auditing, and risk detection features and capabilities available in my environment that shed light on account management activity.
2. Create a query to retrieve account <creation | deletion | modification> events.
3. Create a query to retrieve the properties of a given account, including <groups, roles, permissions, auth mechanisms, ...>.
4. Outline a detection strategy to flag changes to account properties.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to use the LLMs or AI integrations offered by your IAM/PAM solution, EDR, SaaS, cloud service provider, or SIEM, if applicable, as they may be fine-tuned to help with account management.
  • Work iteratively with your prompts. The more specific and focused you are with the desired task, the better the inferences.
  • Carefully review generated code and query syntax for any hallucinations or faulty assumptiosn made about data schemas

Warning: Sanitize sensitive information before including them in prompts or RAG, as there is the potential to leak confidential account details.

Access Pattern Analysis

The goal of access pattern analysis is to discern when users are performing activities that are inconsistent with their roles. If a normal business user suddenly starts behaving as an admin, with use of remote management protocols and access to administrator apps and networks, it likely signals a compromised account and privilege escalation. LLMs can help identify solutions and strategies to detect anomalous access patterns for users and systems in your environment.

You are a cybersecurity threat hunting analyst interested in detecting compromised user accounts performing activities and accessing resources inconsistent with their organizational or functional roles.

The following systems of interest are in your environment:
[start]
<Active Directory>
<specific endpoint devices and OS information>
<SaaS application>
<cloud directory or service>
<VPN solution>
<PAM solution>
<IAM / IDP solution>
<specific application>
<network capture or event logs with relevant protocols>
[end]

You have access to the following tools, data sources, and solutions:
[start]
<Specific SIEM with specific logs, data sources>
<cloud service management portal>
<EDR solution>
<PAM solution>
<IAM solution>
<network analysis tool or sensor>
...
[end]

Perform the following tasks:
1. Identify relevant events, logs, auditing, and risk detection features and capabilities available in my environment that shed light on account roles and access activity.
2. Create a query to list the user roles or groups that exist across systems within the environment 
3. Create a query to list the resources (e.g., apps, files, data storage objects, networks, servers, permissions, etc.) accessed by an arbitrary account.
4. Outline a strategy to discern the resources typically accessed by a certain role or group.
5. Outline a detection strategy to flag accounts with anomalous access patterns.

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to use the LLMs or AI integrations offered by your IAM/PAM solution, EDR, SaaS, cloud service provider, or SIEM, if applicable, as they may be fine-tuned to help with account access activity analysis.
  • Work iteratively with your prompts. The more specific and focused you are with the desired task, the better the inferences.
  • Carefully review generated code and query syntax for any hallucinations or faulty assumptiosn made about data schemas

Warning: Sanitize sensitive information before including them in prompts or RAG, as there is the potential to leak confidential account and resource details.

Temporal Activity Analysis

Insider threats or compromised accounts may perform activities at abnormal times of the day or days of the week. They may also have long-lived sessions or a high frequency of sessions. LLMs can help frame strategies and identify solutions for performing temporal analysis of account activities.

You are a cybersecurity threat hunting analyst interested in identifying accounts performing activities at abnormal times, days, frequencies, durations, and intervals.

The following users and systems of interest are in your environment:
[start]
<specific user activity or systems (e.g., SSH servers, RDP jumphosts, etc.)>
<Active Directory>
<specific endpoint devices and OS information>
<SaaS application or workload>
<cloud directory or service>
<VPN solution>
<PAM solution>
<IAM / IDP solution>
<specific application>
<network capture or event logs with relevant protocols>
[end]

You have access to the following tools, data sources, and solutions:
[start]
<Specific SIEM with specific logs, data sources>
<cloud service management portal>
<EDR solution>
<PAM solution>
<IAM solution>
<network analysis tool or sensor>
...
[end]

Perform the following tasks:
1. Identify relevant events, logs, auditing, and risk detection features and capabilities available in my environment that enable temporal analysis of account activity.
2. Create a query or provide instructions to profile and visualize the days and times an arbitrary account has been active.
3. Create a query or provide instructions to profile and visualize the average <frequency, duration> of sessions for user accounts in the environment.
4. Outline a detection strategy to flag accounts that deviate from temporal norms. 

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to use the LLMs or AI integrations offered by your SIEM, IAM/PAM solution, EDR, SaaS, or cloud service provider, if applicable, as they may be fine-tuned to help with temporal analysis.
  • Work iteratively with your prompts. The more specific and focused you are with the desired task, the better the inferences.
  • Carefully review generated code and query syntax for any hallucinations or faulty assumptiosn made about data schemas

Warning: Sanitize sensitive information before including them in prompts or RAG, as there is the potential to leak confidential account details.

User Data Transfer Analysis

Data loss prevention (DLP) and Insider threat programs are particulary focused on detecting users making unauthorized data transfers. See prompts for user access pattern analysis and network volume analysis, which can support this type of analysis when focused on specific users, devices, data objects, and transfer mechanisms.

Web Session Analysis

Insider threats and compromised accounts often seek to evade detection by using web services that are not expressly monitored. LLMs can help correlate activity across different visibility sources and apertures to link user accounts with process and network events where illicit web transactions are performed.

You are a cybersecurity threat hunting and forensics analyst interested in identifying web sessions made by a compromised account.

The following systems of interest are in your environment:
[start]
<Active Directory>
<specific endpoint devices and OS information>
<SaaS application or workloads>
<cloud directory or service>
<VPN solution>
<PAM solution>
<IAM / IDP solution>
<specific application>
[end]

You have access to the following tools, data sources, and solutions:
[start]
<Specific SIEM with specific logs, data sources>
<cloud service management portal>
<EDR solution>
<PAM solution>
<IAM solution>
<network analysis tool or sensor>
...
[end]

Perform the following tasks:
1. Identify relevant events, logs, auditing, and risk detection features and capabilities available in my environment that link user activity to web sessions.
2. Create a query or provide instructions to display device names, IP addresses, User Agents, certificates, or web-related processes used by an arbitrary user
3. Create a query or provide instructions to display IP addresses, domains, or URLs accessed by an arbitrary user
4. Create a query or provide instructions to display IP addresses, domains, or URLs accessed by an arbitrary <IP, device, certificate, User Agent, process>

Include explanation of your reasoning and provide references.

If you don't know the answer, say you don't have enough information or you need more context.

Tips

  • Be sure to use the LLMs or AI integrations offered by your SIEM, IAM/PAM solution, EDR, SaaS, or cloud service provider, if applicable, as they may be fine-tuned to help with network and user analysis.
  • Work iteratively with your prompts. The more specific and focused you are with the desired task, data sources, and tools the better the inferences.
  • Carefully review generated code and query syntax for any hallucinations or faulty assumptiosn made about data schemas

Warning: Sanitize sensitive information before including them in prompts or RAG, as there is the potential to leak confidential account details.


Back to Blue Team Tasks > Detect

Back to CyberPrompts Home