Identifying Abnormal Authentication: Associating Users with Workstations and Detecting When Users (Try to) Logon to Someone Else’s Workstation

Webinar Registration

How do you determine when a nosy or potentially malicious insider tries to logon to another user’s workstation with their own account, or to their own computer with a colleague’s password? How do you detect password sharing?

The first hurdle is knowing which account each workstation belongs to – a time consuming affair at a large organization. If you have an accurate and up-to-date asset management system that has this information -- and if you can regularly import it into your SIEM -- that’s a strong first step. But most organizations I work with really struggle on this score.

In most cases, it’s more practical to automatically associate users and computer based on logon history. But you have to take into account turnover both in users and computers. A static baseline will only produce increasing false positives until it becomes useless.

In this webinar, I will first show you how to learn which account each workstation belongs to. You have two options:

  • Kerberos events from domain controller security logs
  • Logon events from workstations

The obvious advantage with Kerberos events is that we only need to collect and analyze logs from domain controllers; instead of workstations which are exponentially higher in quantity and event volume. The only problem though is that the key Ticket Granting Ticket event we use (4768) only provides the IP address of the workstation – not its name. That’s OK if you use static IPs but workstations are usually DHCP. Theoretically, you could correlate with DHCP server logs but there are other options available which we will explore in this real training for free session.

One alternative is to look at Service Ticket events on domain controllers instead of TGT events. Kerberos logs a service ticket event for every computer a user accesses whether it’s a workstation or server. So that means we need to distinguish between those two system types.

In this webinar I’ll show you how that information is available in Active Directory or you might be able to use a simple pattern match if you consistently follow a naming convention that distinguishes servers and/or workstations.

Once you can associate each user with their workstation, detecting unauthorized usage and password sharing is only the tip of the iceberg. There’s much more you can do.

Marcos Schejtman of LogRhythm will be joining me for this real time training for free webinar. He’ll be presenting solutions to reduce the mean time to detect (MTTD) static and interactive abnormal authentications in multiples ways.

In his demo, we will see a few subsets of the UEBA capabilities of LogRhythm with two use cases.

In the first, Marco will highlight how to use a static method/approach to recognizing user activity within an organization. Following a learning period, you can begin detecting any deviation to the list, and with LogRhythm’s embedded SAO solution, analysts can update and pivot off the list, so any false positive or false negative can be avoided in the future.

In his second use case, he’ll use a trend behavioral method to recognize user login activity during a period and then compare it against the actual activity.

Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Job Title:

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.



Additional Resources