D3-ANET
Definition
Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.
How it works
Authentication event data is collected (logon information such as device id, time of day, day of week, geo-location, etc.) to create an activity baseline. Then, a threshold is determined either through a manually specified configuration, or a statistical analysis of deviations in historical data. New authentication events are evaluated to determine if a threshold is exceeded. Thresholds can be static or dynamic.
Actions
As a result of the analysis, actions taken could include:
•Raising an alert
Example data sources
•Directory server logs
•VPN Server logs
•IDAM Capability logs
•NAC logs
•Authentication client logs
•Kerberos network traffic
•LDAP network traffic
Considerations
This technique covers statistical outliers. Though depending on the complexity or dimensionality of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If the malicious activity is not statistically different from benign activity, an alert threshold will not be met.