Abnormal Knowledge Bases: Using PeopleBase to Prevent User Account Compromise

While a distributed workforce has myriad benefits, the one constant with any innovation in the business world is that attackers can and will exploit it.

It’s 2023. Do you know where your users are? As it pertains to your cloud email environment, your users may just be under attack or already compromised. That new application a user installed or a new user suddenly becoming a global admin on your mail tenant may not be as innocuous as you think.

That isn’t a scare tactic so much as a point of fact. As Ed Skoudis, President of the SANS Institute, noted in a 2022 TechTarget article “[attackers] are really focused on attacking home workers because they are no longer protected in these enclaves that organizations spent the last 30 years building."

This, of course, does not mean those folks going into the office are out of the woods. In the last year, the FBI noted a 65% increase in identified exposed losses due to business email compromise (BEC), which is a category that largely encompasses email account compromise (EAC).

Considering it takes, on average, 197 days to even detect a data breach–which we will use here as a fairly synonymous stand-in for a compromised user account–what can be done to sniff out the insidious actors that may be lurking on your email platform?

To help combat account compromise, Abnormal Security uses behavioral data and dynamic user profiling through its PeopleBase Knowledge Base, alongside the Account Takeover Protection and Security Posture Management Add-Ons. While the latter two are critical pieces of the cloud email security puzzle, detecting anomalous behavioral signals and potentially risky configuration and privilege changes, for the sake of this article, we will take a closer look at PeopleBase–the hub for user activity data, and a key starting point to investigate suspicious user events.

PeopleBase builds detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when a user consistently logs in from unusual locations, uses unknown devices, suddenly gains global admin rights or adds multiple users and applications to a mail tenant (among other key behavioral categories).

Taken in a vacuum, a user logging in once from an entirely different country may raise red flags but may also be easily explained away as work travel or vacation. However, with the detection capabilities in Abnormal’s Account Takeover Protection—enhanced and correlated against the profiles built in PeopleBase—security teams can determine whether these individual events are part of a larger pattern to accurately diagnose whether a real risk is present.

Let’s take a closer look at the data housed within PeopleBase and the dynamic profiles PeopleBase builds for each user in your cloud email environment. As mentioned, PeopleBase consolidates data from a variety of sources, including Abnormal’s Inbound Email Security to detect suspicious mail activity and Account Takeover Protection to uncover anomalous activity across logins and devices.

Specifically, PeopleBase provides:

• An activity timeline including configuration changes, new applications installed, permissions granted, and more.

• The team, contact info, and manager for a given user.

• A dynamic genome comprised of a user’s typical:

  • Login locations

  • IP addresses

  • Browsers

  • Operating systems

  • Device IDs used

  • Applications used

  • Mail clients used

  • Sign-in status history

  • Geo coordinates

If an Abnormal user wants to drill down into any of the configuration changes or other activities undertaken by a given user, each item in the timeline provides links to associated applications, users, and tenants to facilitate a quick investigation.

For example, in the above screenshots, let’s say a Security administrator wanted to understand why Jonathan Green had added Josh Waters to the Azure Administrator role. While Jonathan is the Chief Financial Officer of his organization, it seems outside of his responsibilities to be determining user privileges. While all signs point to Jonathan’s account being legitimate, knowing the exact time and date this change occurred–and cross-referencing with login activity and circumstances around this time–can help Security practitioners confidently determine if this change warranted further investigation.

Beyond investigatory use cases, however, PeopleBase can be used to benchmark cloud email platform activity. Understanding how users interact at a holistic level means Security teams can be aware of what constitutes good behavior and respond immediately when conditions change.

Again, as remote work continues to proliferate and present security challenges–and even as many workers return to the office and the relative safety of being “inside the perimeter”–monitoring and understanding user behavior needs to be dynamic. Security tools need to be adaptive to user changes to help answer the questions: Do you know where your users are? Are they installing risky applications or changing security configurations? Are your users who they say they are? Abnormal Security strives to give you the answers.

Want to learn more about PeopleBase? Request a personalized demo today.