From darkreading.com, by Ericka Chickowski
Top 15 Indicators Of Compromise
Unusual account behaviors, strange network patterns, unexplained configuration changes, and odd files on systems can all point to a potential breach
In the quest to detect data breaches more quickly, indicators of compromise can act as important breadcrumbs for security pros watching their IT environments. Unusual activity on the network or odd clues on systems can frequently help organizations spot attacker activity earlier, so that they can either prevent an eventual breach from happening -- or at least stop it in its earliest stages.
According to the experts, here are some key indicators of compromise to monitor (in no particular order):
1. Unusual Outbound Network Traffic
Perhaps one of the biggest telltale signs that something is amiss is when IT spots unusual traffic patterns leaving the network.
"A common misperception is that traffic inside the network is secure," says Sam Erdheim, senior security strategist for AlgoSec. "Look for suspicious traffic leaving the network. It's not just about what comes into your network; it's about outbound traffic as well."
Given how hard it is to keep an attacker out of a network in the face of modern attacks, outbound indicators may be much easier to monitor, says Geoff Webb, director of solution strategy for NetIQ.
"So the best approach is to watch for activity within the network and to look for traffic leaving your perimeter," he says. "Compromised systems will often call home to command-and-control servers, and this traffic may be visible before any real damage is done."
2. Anomalies In Privileged User Account Activity
The name of the game for a well-orchestrated attack is for attackers to either escalate privileges of accounts they've already compromised or to use that compromise to leapfrog into other accounts with higher privileges. Keeping tabs on unusual account behavior from privileged accounts not only watches out for insider attacks, but also account takeover.
"Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network," Webb says. "Watching for changes -- such as time of activity, systems accessed, type or volume of information accessed -- will provide early indication of a breach."
3. Geographical Irregularities
Whether through a privileged account or not, geographical irregularities in log-ins and access patterns can provide good evidence that attackers are pulling strings from far away. For example, traffic to or from countries that a company doesn't do business with is reason for pause.
"Connections to countries that a company would normally not be conducting business with [indicates] sensitive data could be siphoned to another country," says Dodi Glenn, director of security content management for ThreatTrack Security.
Similarly, when one account logs in within a short period of time from different IPs around the world, that's a good indication of trouble.
"As to data-breach clues, one of the most useful bits I've found is logs showing an account logging in from multiple IPs in a short time period, particularly when paired with geolocation tagging," says Benjamin Caudill, principal consultant for Rhino Security. "More often than not, this is a symptom of an attacker using a compromised set of credentials to log into confidential systems."
4. Other Log-In Red Flags
Log-in irregularities and failures can provide excellent clues of network and system probing by attackers.
"Check for failed logins using user accounts that don't exist -- these often indicate someone is trying to guess a user's account credentials and gain authorization," says Scott Pierson, product specialist for Beachhead Solutions, explaining that unusual numbers of failed log-ins for existing accounts should also be a red flag.
Similarly, attempted and successful log-in activity after hours can provide clues that it isn't really an employee who is accessing data.
"If you see John in accounting logging onto the system after work hours and trying to access files for which he is not authorized, this bears investigation," says A.N. Ananth, CEO of EventTracker.
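As an added example (not from the article or any of the vendors quoted), the three log-in checks from items 3 and 4 run over a small constructed authentication log: an account seen in two countries within an hour, failed log-ins against accounts that do not exist, and successful log-ins after hours. The account names, IP addresses, country tags and working hours are all assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: (timestamp, account, source IP, geoIP country, result).
AUTH_LOG = [
    ("2015-07-08 09:02:11", "jdoe",   "203.0.113.7",  "US", "success"),
    ("2015-07-08 09:41:53", "jdoe",   "198.51.100.4", "RU", "success"),
    ("2015-07-08 10:05:00", "asmith", "203.0.113.9",  "US", "success"),
    ("2015-07-08 23:15:42", "asmith", "203.0.113.9",  "US", "success"),
    ("2015-07-08 02:10:03", "admin",  "192.0.2.44",   "CN", "failure"),
    ("2015-07-08 02:10:05", "root",   "192.0.2.44",   "CN", "failure"),
    ("2015-07-08 02:10:07", "test",   "192.0.2.44",   "CN", "failure"),
]
KNOWN_ACCOUNTS = {"jdoe", "asmith", "admin"}   # assumed directory contents
WORK_HOURS = range(8, 19)                        # 08:00-18:59 treated as normal


def parse(rec):
    ts, user, ip, country, result = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, country, result


def multi_country_logins(log, window=timedelta(hours=1)):
    """Item 3: one account logging in from two countries within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, _ip, country, result in map(parse, log):
        if result == "success":
            by_user[user].append((ts, country))
    hits = set()
    for user, events in by_user.items():
        events.sort()
        for i, (ts_a, c_a) in enumerate(events):
            for ts_b, c_b in events[i + 1:]:
                if ts_b - ts_a <= window and c_a != c_b:
                    hits.add(user)
    return sorted(hits)


def unknown_account_failures(log, known=KNOWN_ACCOUNTS):
    """Item 4: failed log-ins against accounts that do not exist, counted per source IP."""
    counts = defaultdict(int)
    for _ts, user, ip, _country, result in map(parse, log):
        if result == "failure" and user not in known:
            counts[ip] += 1
    return dict(counts)


def after_hours_logins(log, hours=WORK_HOURS):
    """Item 4: successful log-ins outside normal working hours."""
    return [(user, ts.strftime("%H:%M")) for ts, user, _ip, _c, result in map(parse, log)
            if result == "success" and ts.hour not in hours]
```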
5. Swells In Database Read Volume
Once an attacker has made it into the crown jewels and seeks to exfiltrate information, there will be signs that someone has been mucking about in data stores. One of them is a spike in database read volume, says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks.
"When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume, which will be way higher than you would normally see for reads on the credit card tables," he says.
6. HTML Response Sizes
Adams also says that if attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request.
"For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB," he says.
7. Large Numbers Of Requests For The Same File
It takes a lot of trial and error to compromise a site -- attackers have to keep trying different exploits to find ones that stick. And when they find signs that an exploit might be successful, they'll frequently use different permutations to launch it.
"So while the URL they are attacking will change on each request, the actual filename portion will probably stay the same," Adams says. "So you might see a single user or IP making 500 requests for 'join.php,' when normally a single IP or user would only request that page a few times max."
8. Mismatched Port-Application Traffic
Attackers often take advantage of obscure ports to get around simpler Web filtering techniques. So if an application is using an unusual port, it could be a sign of command-and-control traffic masquerading as "normal" application behavior.
"We have noticed several instances of infected hosts sending C&C communications masked as DNS requests over port 80," says Tom Gorup, SOC analyst for Rook Consulting. "At first glance, these requests may appear to be standard DNS queries; however, it is not until you actually look at those queries that you see the traffic going across a nonstandard port."
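Added example for item 8 (not from the article or Rook Consulting): a small protocol check that parses a payload as a DNS query and compares the result with the destination port, so a DNS query carried over port 80, or an HTTP request over port 53, is reported as a mismatch. The sample packets are constructed with the helper at the bottom.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_dns_query(payload):
    """Return the queried name if `payload` parses as a one-question DNS query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1 or ancount or nscount:   # QR=1 would be a response
        return None
    labels, pos = [], 12
    while pos < len(payload):                 # walk the length-prefixed QNAME labels
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    else:
        return None                           # ran off the end before the root label
    if pos + 4 > len(payload):                # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels)


def classify_flow(dst_port, payload):
    """Compare what the destination port implies with what the payload actually looks like."""
    is_http = payload.startswith(HTTP_METHODS)
    qname = looks_like_dns_query(payload)
    if dst_port == 80 and qname:
        return "mismatch: DNS query for %s carried over port 80" % qname
    if dst_port == 53 and is_http:
        return "mismatch: HTTP request carried over port 53"
    if (dst_port == 80 and is_http) or (dst_port == 53 and qname):
        return "ok"
    return "unknown"


def build_dns_query(name, txid=0x1234):
    """Constructed sample packet: a minimal standard DNS A query for `name`."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD set, QR=0
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
```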
9. Suspicious Registry Or System File Changes
One of the ways malware writers establish persistence within an infected host is through registry changes.
"Creating a baseline is the most important part when dealing with registry-based IOCs," Gorup says. "Defining what a clean registry is supposed to contain essentially creates the filter against which you will compare your hosts. Monitoring and alerting on changes that deviate outside the bounds of the clean 'template' can drastically increase security team response time."
Similarly, many attackers will leave behind signs that they've tampered with a host in system files and configurations, says Webb, who has seen organizations more quickly identify compromised systems by looking for these kinds of changes.
"What can happen is that the attacker will install packet-sniffing software to harvest credit card data as it moves around the network," he says. "The attacker targets a system that can watch the network traffic, then installs the harvesting tool. While the chances of catching the specific harvesting tool are slim -- because they will be targeted and probably not seen before -- there is a good chance to catch the changes to the system that houses the harvesting tool."
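Added example for item 9 (not from the article or the people quoted): the clean "template" approach as a baseline diff. A SHA-256 manifest of a directory tree is the template for system files, and the same diff function reports additions, removals and modifications in a registry-style key/value snapshot; the directory, file contents and autorun entries are constructed for the walk-through.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map every file under `root` (relative path) to its SHA-256; this is the clean template."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_against_baseline(baseline, current):
    """Report what deviates from the template: entries added, removed, or with changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed registry-style autorun baseline (value name -> command line); the same diff
# works on a key/value snapshot exported from a host as it does on the file manifest.
RUN_KEY_BASELINE = {"VendorAgent": r"C:\Program Files\Vendor\agent.exe"}
RUN_KEY_NOW = dict(RUN_KEY_BASELINE, Updater=r"C:\ProgramData\upd\svc.exe")


def demo():
    """Constructed walk-through: snapshot a scratch directory, tamper with it, diff the snapshots."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    baseline = build_manifest(root)
    with open(os.path.join(root, "etc", "hosts"), "a") as fh:      # tampered system file
        fh.write("198.51.100.9 updates.example.net\n")
    with open(os.path.join(root, "sniff.bin"), "wb") as fh:         # dropped unknown binary
        fh.write(b"\x00")
    return diff_against_baseline(baseline, build_manifest(root))
```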
10. DNS Request Anomalies
According to Wade Williamson, senior security analyst for Palo Alto Networks, one of the most effective red flags an organization can look for is the telltale pattern left by malicious DNS queries.
"Command-and-control traffic is often the most important traffic to an attacker because it allows them ongoing management of the attack and it needs to be secure so that security professionals can't easily take it over," he says. "The unique patterns of this traffic can be recognized and [doing so] is a very standard approach to identifying a compromise."
"Seeing a large spike in DNS requests from a specific host can serve as a good indicator of potentially suspect activity," he says. "Watching for patterns of DNS requests to external hosts, compared against geoIP and reputation data, and implementing appropriate filtering can help mitigate C&C over DNS."
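Added example for item 10 (not from the article or Palo Alto Networks): a per-host DNS query spike detector that scores the current hour against each host's own history, plus a lookup of every queried name and its parent domains against a reputation feed. The baseline counts, the current-hour log and the blocklist are constructed.

```python
import statistics
from collections import Counter, defaultdict

# Constructed baseline: each host's DNS query count for this hour on the previous seven days.
BASELINE = {
    "ws-17": [40, 52, 38, 45, 50, 47, 43],
    "ws-42": [30, 33, 29, 31, 35, 32, 30],
}
# Constructed DNS log for the current hour: (host, queried name).
CURRENT_HOUR = ([("ws-17", "www.example.com")] * 44
                + [("ws-42", "q%03d.tunnel.example.net" % i) for i in range(900)])
# Constructed reputation feed of domains associated with C&C infrastructure.
BAD_DOMAINS = {"tunnel.example.net"}


def queries_per_host(log):
    return Counter(host for host, _name in log)


def spike_hosts(baseline, current_counts, z_threshold=3.0):
    """Flag hosts whose current-hour query count sits far above their own history."""
    flagged = {}
    for host, count in current_counts.items():
        history = baseline.get(host)
        if not history or len(history) < 2:
            flagged[host] = "no baseline"          # unknown host: cannot judge, review manually
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0      # avoid division by zero on a flat history
        z = (count - mean) / sd
        if z > z_threshold:
            flagged[host] = "z=%.1f (%d queries vs mean %.0f)" % (z, count, mean)
    return flagged


def reputation_hits(log, bad=BAD_DOMAINS):
    """Match every queried name, and each of its parent domains, against the reputation feed."""
    hits = defaultdict(set)
    for host, name in log:
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in bad:
                hits[host].add(suffix)
    return {host: sorted(domains) for host, domains in hits.items()}
```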
11. Unexpected Patching Of Systems
Patching is generally a good thing, but if a system is inexplicably patched without reason, that could be the sign that an attacker is locking down a system so that other bad guys can't use it for other criminal activity.
"Most attackers are in the business of making money from your data -- they certainly don't want to share the profits with anyone else," Webb says. "It sometimes does pay to look security gift horses in the mouth."
12. Mobile Device Profile Changes
As attackers migrate to mobile platforms, enterprises should keep an eye on unusual changes to mobile users' device settings. They also should watch for replacement of normal apps with hostile ones that can carry out man-in-the-middle attacks or trick users into giving up their enterprise credentials.
"If a managed mobile device gains a new configuration profile that was not provided by the enterprise, this may indicate a compromise of the user's device and, from there, their enterprise credentials," says Dave Jevans, founder and CTO of Marble Security. "These hostile profiles can be installed on a device through a phishing or spear-phishing attack."
13. Bundles Of Data In The Wrong Places
According to EventTracker's Ananth, attackers frequently aggregate data at collection points in a system before attempting exfiltration.
"If you suddenly see large gigabytes of information and data where they should not exist, particularly compressed in archive formats your company doesn't use, this is a telltale sign of an attack," he says.
In general, files sitting around in unusual locations should be scrutinized because they can point to an impending breach, says Matthew Standart, director of threat intelligence at HBGary.
"Files in odd places, like the root folder of the recycle bin, are hard to find looking through Windows, but easy and quick to find with a properly crafted Indicator of Compromise [search]," Standart says. "Executable files in the temp folder is another one, often used during privilege escalation, which rarely has a legitimate existence outside of attacker activity."
14. Web Traffic With Unhuman Behavior
Web traffic that doesn't match up with normal human behavior shouldn't pass the sniff test, says Andrew Brandt, director of threat research for Blue Coat.
"How often do you open 20 or 30 browser windows to different sites simultaneously? Computers infected with a number of different click-fraud malware families may generate noisy volumes of Web traffic in short bursts," he says. "Or, for instance, on a corporate network with a locked-down software policy, where everyone is supposed to be using one type of browser, an analyst might see a Web session in which the user-agent string, which identifies the browser to the Web server, indicates the use of a browser that's far removed from the standard corporate image, or maybe a version that doesn't even exist."
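Added example (not from the article or any vendor quoted) covering the three Web-log indicators above, items 6, 7 and 14, over one constructed Combined Log Format access log: responses many times larger than the usual size for the same file, one IP requesting the same filename over and over while the query string changes, and sessions whose User-Agent is not the assumed corporate browser image.

```python
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - user [time] "METHOD url HTTP/x" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"')
CORPORATE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"  # assumed image


def _line(ip, url, size, ua=CORPORATE_UA):
    return '%s - - [08/Jul/2015:10:00:00 +0000] "GET %s HTTP/1.1" 200 %d "-" "%s"' % (ip, url, size, ua)

# Constructed access log: ordinary visitors plus one host behaving as items 6, 7 and 14 describe.
SAMPLE_LOG = (
    [_line("203.0.113.5", "/join.php?ref=home", 204800)] * 2
    + [_line("203.0.113.6", "/products.php?cat=%d" % i, 204800) for i in range(8)]
    + [_line("198.51.100.7", "/join.php?id=%d&try=%d" % (i, i % 7), 204800) for i in range(60)]
    + [_line("198.51.100.7", "/products.php?cat=3", 52428800)]
    + [_line("203.0.113.8", "/index.php", 204800, "Mozilla/5.0 (X11; Linux x86_64) Firefox/99.0")]
)


def parse(lines):
    """Yield (ip, filename, status, bytes, user_agent); filename is the URL path without directories or query."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ip, _method, url, status, size, ua = m.groups()
            fname = urlsplit(url).path.rsplit("/", 1)[-1]
            yield ip, fname, int(status), 0 if size == "-" else int(size), ua


def oversized_responses(lines, factor=20):
    """Item 6: responses many times larger than the typical size for the same file."""
    rows = list(parse(lines))
    sizes = defaultdict(list)
    for _ip, fname, _status, size, _ua in rows:
        sizes[fname].append(size)
    typical = {f: statistics.median(s) for f, s in sizes.items()}
    return [(ip, fname, size) for ip, fname, _s, size, _ua in rows if size > factor * typical[fname]]


def repeated_file_requests(lines, threshold=50):
    """Item 7: one IP hammering the same filename while the rest of the URL keeps changing."""
    counts = Counter((ip, fname) for ip, fname, _s, _b, _ua in parse(lines))
    return {key: n for key, n in counts.items() if n >= threshold}


def foreign_user_agents(lines, standard=CORPORATE_UA):
    """Item 14: sessions whose User-Agent is not the locked-down corporate browser."""
    return sorted({(ip, ua) for ip, _f, _s, _b, ua in parse(lines) if ua != standard})
```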
15. Signs Of DDoS Activity
Distributed denial-of-service (DDoS) attacks are frequently used as smokescreens to camouflage other, more pernicious attacks. If an organization experiences signs of DDoS, such as slow network performance, unavailability of websites, firewall failover, or back-end systems working at max capacity for unknown reasons, it shouldn't just worry about those immediate problems.
"In addition to overloading mainstream services, it is not unusual for DDoS attacks to overwhelm security reporting systems, such as IPS/IDS or SIEM solutions," says Ashley Stephenson, CEO at Corero Network Security. "This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity."