Kibana Bug: User Risk Value Persists After Asset Unassignment

Introduction

In the realm of cybersecurity, accurately assessing user risk is paramount. Security Information and Event Management (SIEM) tools like Kibana play a vital role in this process by aggregating data and providing insights into potential threats. A crucial aspect of user risk assessment involves considering asset criticality – the importance of the assets a user has access to. However, a bug has been identified in Kibana version 9.3.0 where the user risk value doesn't reset to its original state after asset criticality is unassigned. This article delves into the specifics of this bug, its implications, and the steps to reproduce it.

Understanding the Bug: User Risk Value Not Resetting

The core of the issue lies in the User Risk calculation within Kibana's Entity Analytics feature, specifically in the Privileged User Monitoring section. When an asset criticality is assigned to a user, their risk score increases, reflecting the elevated potential impact of a compromise. However, when this asset criticality is later unassigned, the user's risk score should ideally revert to its original value. This is because the direct association with a critical asset has been removed, thus reducing the immediate risk. The bug manifests when the risk score fails to reset, potentially leading to a skewed perception of user risk and potentially misdirecting security efforts.

The implications of this bug are significant. If user risk values are not accurately reflected, security teams may prioritize individuals who no longer pose an elevated risk due to the unassignment of critical assets. This can lead to a waste of resources and may even obscure genuine threats from users who truly maintain access to sensitive systems. Therefore, understanding the nuances of this bug and how to reproduce it is crucial for both users of Kibana and the developers working to resolve the issue. This article provides a detailed walkthrough of the steps required to reproduce this behavior, ensuring that readers can verify the bug for themselves and contribute to the ongoing efforts to enhance Kibana's security capabilities.

Technical Details: Kibana/Elasticsearch Stack Version

To accurately address and resolve a bug, it's crucial to have precise information about the software environment in which it occurs. In this case, the bug concerning the user risk value not resetting after unassigning asset criticality has been identified in a specific version of the Kibana/Elasticsearch stack.

The reported version details are as follows:

• VERSION: 9.3.0
• BUILD: 93599
• COMMIT: 3d7ff39b1d00b9cc24a944c219adc6f5282c3699

This information is vital for developers and system administrators alike. Knowing the exact version, build number, and commit hash allows for precise replication of the environment where the bug occurs. This is essential for debugging and testing the fix. Developers can use this information to set up a local environment that mirrors the affected system, enabling them to step through the code and pinpoint the root cause of the issue. Similarly, system administrators can use this information to assess their own systems and determine if they are susceptible to the bug. If they are running the affected version, they can then take appropriate steps, such as applying a patch or upgrading to a fixed version, to mitigate the risk.

Pre-Conditions: Setting the Stage for Reproduction

Before diving into the steps to reproduce the bug, it's essential to establish the necessary pre-conditions. These pre-conditions ensure that the environment is properly configured to trigger the bug and that the reproduction steps are executed under the right circumstances. Failing to meet these pre-conditions may result in the bug not being reproducible, leading to confusion and wasted effort. The following pre-conditions must be met before attempting to reproduce the user risk value reset bug in Kibana:

1. Kibana v9.3.0 must be available: This is the specific version of Kibana in which the bug has been identified. Using a different version may not exhibit the same behavior.
2. Data for Risk Score and Privileged Access Anomalies must be available: The bug is related to user risk scores, which are calculated based on various factors, including privileged access anomalies. Therefore, there needs to be data present in the system that can be used to calculate these scores.
3. Hosts or Users with Risk Scores must be available: Similarly, there need to be users and/or hosts that have associated risk scores. This is necessary to observe the impact of assigning and unassigning asset criticality.
4. ML Jobs should be enabled: Machine learning jobs often play a role in identifying anomalies and calculating risk scores. Ensuring that these jobs are enabled is important for accurate risk assessment and bug reproduction.

By ensuring these pre-conditions are met, you create an environment that is conducive to reproducing the bug consistently and reliably. This is a crucial step in the bug reporting and fixing process.

Steps to Reproduce: A Detailed Walkthrough

Now that we have established the necessary context and pre-conditions, let's walk through the steps to reproduce the bug where the user risk value doesn't reset after unassigning asset criticality in Kibana 9.3.0. By following these steps carefully, you can observe the bug firsthand and contribute to the understanding and resolution of this issue.

1. Log in with the prerequisite user: Access the Kibana instance using an account that has the necessary permissions to navigate the Security and Entity Analytics features. This user should have the ability to view and modify user risk scores and asset criticality assignments.
2. Navigate to Security -> Entity Analytics -> Privileged User Monitoring: This path will lead you to the section of Kibana where user risk is assessed and monitored. The Privileged User Monitoring section focuses specifically on users with elevated privileges, making them prime candidates for risk assessment.
3. Scroll down to the Privileged users section: Within the Privileged User Monitoring page, locate the section that lists privileged users and their associated risk scores. This is where you will be able to interact with individual user profiles and observe the impact of asset criticality assignments.
4. Open the details flyout for any user having alerts: Identify a user in the list who has existing alerts and open their details flyout. This flyout will provide a comprehensive view of the user's risk profile, including their current risk score, contributing factors, and assigned asset criticality.
5. Observe that Asset Criticality is unassigned, and the User Risk summary shows a value: In the user details flyout, verify that the Asset Criticality is initially set to unassigned. Note the User Risk summary value. In the example provided, the user Geoffrey King has a risk score of 36.55.
6. Assign an Asset Criticality to the User: Assign a criticality level to the user, such as Extreme, High, or Medium. This action simulates the scenario where a user is granted access to a critical asset, thereby increasing their potential risk.
7. Observe that the Risk Score value will be increased on adding the Asset Criticality value, and alerts included will also increase: After assigning the asset criticality, you should observe an immediate increase in the user's risk score. Additionally, the number of alerts associated with the user may also increase, reflecting the heightened risk profile.
8. Now unassign the Asset Criticality Value from the User: Remove the previously assigned asset criticality from the user. This simulates the scenario where a user's access to a critical asset is revoked, and their risk should theoretically return to its original level.
9. Observe that the Asset Criticality value will be removed from Risk Contributions. However, the Risk Score will not reset to the initial value as it was before assigning Asset Criticality: This is where the bug manifests. While the Asset Criticality is correctly removed from the Risk Contributions section, the User Risk score remains elevated and does not revert to its original value (e.g., 36.55 for Geoffrey King).

By completing these steps, you should be able to consistently reproduce the bug where the user risk value fails to reset after unassigning asset criticality. This reproducible scenario is crucial for developers to diagnose and address the issue effectively.

Expected Results: What Should Happen

In a properly functioning system, the User Risk value should accurately reflect the current risk associated with a user. This means that when an Asset Criticality is unassigned, the User Risk value should revert to its original state. The rationale behind this expectation is straightforward: assigning asset criticality elevates a user's risk profile because they have access to sensitive resources. Conversely, removing asset criticality should reduce their risk profile, as their potential impact on critical assets is diminished.

To illustrate this, let's revisit the example of Geoffrey King. Initially, Geoffrey King had a User Risk value of 36.55 with Asset Criticality unassigned. When Asset Criticality was assigned (e.g., to "Extreme"), the Risk Score increased, and the included alerts increased. This reflects the heightened risk associated with Geoffrey King now having access to critical assets. However, when the Asset Criticality is unassigned, the expected result is that the User Risk value should return to its original value of 36.55. This would accurately reflect that Geoffrey King no longer has direct access to the critical assets, and the associated risk should be reduced accordingly.

The failure of the User Risk value to reset to its original value after unassigning Asset Criticality indicates a bug in the system. This discrepancy can lead to inaccurate risk assessments, potentially causing security teams to misallocate resources or overlook genuine threats. Therefore, the expected result of a User Risk value reset is crucial for maintaining the integrity and effectiveness of risk management processes.

Observation: Evidence of the Bug

The key observation that confirms the presence of this bug is the discrepancy between the removal of Asset Criticality from Risk Contributions and the persistence of the elevated Risk Score. As demonstrated in the provided image link https://github.com/user-attachments/assets/f1e2a6d8-050e-4053-aee2-95b4e1e77a90, after unassigning Asset Criticality, the system correctly removes the Asset Criticality value from the Risk Contributions. This indicates that the system recognizes the change in the user's access and its potential impact on their risk profile.

However, the crucial point of failure is that the Risk Score does not reset to its initial value. In the example of Geoffrey King, even after unassigning Asset Criticality, the Risk Score remains elevated, failing to reflect the reduced risk exposure accurately. This inconsistency is a clear indicator of a bug. The system acknowledges the change in asset assignment by removing it from Risk Contributions, yet it fails to propagate this change to the overall Risk Score calculation. This suggests that the Risk Score calculation is not fully synchronized with the Asset Criticality assignment status, leading to the observed discrepancy. This observation underscores the importance of thoroughly testing the interaction between different components of a security system to ensure accurate and consistent risk assessment.

Conclusion

In conclusion, the identified bug in Kibana 9.3.0, where the user risk value does not reset after unassigning asset criticality, poses a significant challenge to accurate risk assessment. This article has detailed the steps to reproduce the bug, highlighted the expected behavior, and presented the key observation that confirms its existence. By understanding the nuances of this bug, security professionals and developers can work together to ensure the integrity and reliability of risk management processes within Kibana. Addressing this issue will contribute to a more accurate and effective security posture for organizations relying on Kibana for their security analytics needs.

For more information about Kibana and its security features, visit the official Elastic website.