The parade of breaches, attacks and various other digital maladies hitting corporations in 2014 made it clear that default, out-of-the-box compliance and security is not enough to protect organizations. However, the nature of advanced persistent threats (APTs), and other forms of malware, makes it difficult to find an investment that can keep the next threat from growing into the next breach.
As with any security situation, shortening the time from detection to protection is key in surviving an attempted attack. By leveraging a Security Information and Event Management (SIEM) solution and looking to common Indicators of Attack (IoAs), organizations can shave minutes off their detection process and stop threats before they morph into a full-blown breach.
IoAs are exactly as they sound: common behaviors that could indicate the rumblings of an attack. The goal behind properly identifying and addressing an IoA is to prevent it from becoming an Indicator of Compromise (IoC). Once an IoA goes undetected and becomes an IoC, the business in question faces the risk of becoming an embarrassing headline.
So, how can businesses know what to look for? McAfee, part of Intel Security, has compiled a list of the eight most common IoAs and the warning signs of each to help your organization separate the signal from the noise.
With these IoAs you can figure out the who, the what, the when, the where and the how to shut any threat down before it potentially becomes an IoC and then, inevitably, a breach:
1. Internal hosts communicating with known bad destinations or to a foreign country where you do not conduct business.
Suspicious communications from internal hosts (the computers and other devices connected to your network) are a great indicator of attack. The reason: some malicious programs need to connect to their command and control servers, often located in other countries, in order to relay information and to receive orders.
2. Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches.
Events such as sending command shell (SSH) traffic rather than HTTP traffic over port 80, the default web port, can indicate an infected host trying to communicate with a command and control server, or an attacker trying to extract data.
3. Publicly accessible or demilitarized zone (DMZ) hosts communicating to internal hosts.
Communication coming from external hosts, or from your DMZ hosts, to your internal network could indicate an attack. This action could allow for leapfrogging from outside actors to your inside network and back, allowing for data exfiltration and remote access to your assets.
4. Off-hour malware detection.
Network activity during off hours may not always indicate an attack, but communications from specific devices at odd hours can be an indicator. Setting your SIEM to detect these suspicious communications could signal a compromised host.
5. Network scans by internal hosts communicating with multiple hosts in a short time frame.
Rapid-fire communications and network scans from internal hosts to other hosts could indicate an attacker attempting to move laterally within a network.
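Indicators 1, 2, 3 and 5 are all judgments about network flows: who talked to whom, on which port, with which protocol, and how many peers in how short a time. As an added example (not McAfee's code and not any particular SIEM's rule syntax), the Python routine below applies those four indicators to constructed flow records. The internal and DMZ ranges, the placeholder "known bad" address, the business-country list, the protocol-per-port table and the 20-hosts-in-60-seconds scan threshold are all assumptions chosen for the illustration; the application label and destination country on each record are assumed to be supplied by the SIEM's protocol-identification and GeoIP enrichment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed network context (not from the article): which ranges count as
# internal and DMZ, a placeholder "known bad" destination, and the countries
# the business actually operates in.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
DMZ_NETS = [ip_network("192.168.100.0/24")]
KNOWN_BAD_DESTS = {"203.0.113.9"}            # placeholder address from TEST-NET-3
BUSINESS_COUNTRIES = {"US", "DE"}
# Application protocol the SIEM should see on each well-known destination port.
EXPECTED_APP = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}
SCAN_WINDOW = timedelta(seconds=60)          # IoA 5 "short time frame" (assumed)
SCAN_THRESHOLD = 20                          # distinct destinations in that window


def in_nets(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def parse_flow(line):
    """Parse a constructed flow record: 'ts src dst dport app dst_country'.
    The app label and destination country are assumed to come from the
    SIEM's protocol identification and GeoIP enrichment."""
    ts, src, dst, dport, app, country = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "app": app, "country": country}


def flag_flows(lines):
    """Return (indicator, source, detail) tuples for IoAs 1, 2, 3 and 5."""
    alerts = []
    contacts = defaultdict(list)   # internal src -> [(ts, dst)] for scan detection
    for f in (parse_flow(l) for l in lines):
        src, dst = f["src"], f["dst"]
        src_internal = in_nets(src, INTERNAL_NETS)
        dst_internal = in_nets(dst, INTERNAL_NETS)
        if src_internal and not dst_internal:
            # IoA 1: internal host reaching a known bad destination, or a country
            # where the business has no presence.
            if dst in KNOWN_BAD_DESTS:
                alerts.append(("ioa1_known_bad_destination", src, dst))
            elif f["country"] not in BUSINESS_COUNTRIES:
                alerts.append(("ioa1_unexpected_country", src, f"{dst} ({f['country']})"))
            # IoA 2: protocol/port mismatch, e.g. SSH where HTTP belongs on port 80.
            expected = EXPECTED_APP.get(f["dport"])
            if expected and f["app"] != expected:
                alerts.append(("ioa2_protocol_port_mismatch", src,
                               f"{f['app']} on port {f['dport']} to {dst}"))
        if dst_internal and not src_internal:
            # IoA 3: a DMZ or external host initiating a connection inward.
            origin = "dmz" if in_nets(src, DMZ_NETS) else "external"
            alerts.append(("ioa3_inbound_to_internal", src, f"{origin} host -> {dst}"))
        if src_internal:
            contacts[src].append((f["ts"], dst))
    # IoA 5: an internal host touching many distinct hosts within SCAN_WINDOW.
    for src, seen in contacts.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it fits inside SCAN_WINDOW.
            while seen[end][0] - seen[start][0] > SCAN_WINDOW:
                start += 1
            distinct = {d for _, d in seen[start:end + 1]}
            if len(distinct) >= SCAN_THRESHOLD:
                alerts.append(("ioa5_internal_scan", src,
                               f"{len(distinct)} hosts in {SCAN_WINDOW.seconds}s"))
                break
    return alerts


# Constructed sample flows: one benign, one per indicator, then a 25-host sweep
# from 10.1.1.8 across 10.1.2.0/24 within 25 seconds.
SAMPLE_FLOWS = [
    "2015-02-23T09:00:00 10.1.1.5 198.51.100.20 443 tls US",
    "2015-02-23T09:00:05 10.1.1.5 203.0.113.9 443 tls US",
    "2015-02-23T09:00:10 10.1.1.7 198.51.100.30 80 ssh ZZ",
    "2015-02-23T09:00:20 192.168.100.10 10.1.1.9 445 smb US",
] + [f"2015-02-23T09:01:{i:02d} 10.1.1.8 10.1.2.{i + 1} 445 smb US" for i in range(25)]

if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS):
        print(alert)
```

The scan check keeps a sliding window per internal source rather than a simple per-hour count, because a real host may legitimately contact hundreds of peers over a day; what matters for indicator 5 is how many distinct hosts it reaches in a burst. The thresholds are tuning knobs and would be set from a baseline of your own traffic.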
6. Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period.
Multiple alarm events from a single host, or duplicate alarms from multiple hosts, in a short period could indicate an attacker attempting to compromise a network or computer.
7. A system is re-infected with malware within five minutes after being cleaned.
While infection is a clear attack, re-infection within minutes of cleaning the compromised host could indicate the presence of an APT – a far more serious issue than simple malware.
8. A user account trying to log in to multiple resources within a few minutes from or to different regions.
A user rapidly attempting to gain access to multiple resources, either from or to different regions, could indicate an active attacker trying to extract data.
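Indicators 4, 6, 7 and 8 differ from the flow-based ones: each is a time-window correlation over the SIEM's own event stream (connections, alarms, anti-malware results, logins). As an added example that is not from the article or from McAfee's product, the Python routine below runs those four indicators over a constructed batch of pipe-delimited events assumed to cover a single 24-hour period. The business hours, the list of devices expected to be quiet off-hours, the alarm thresholds and the five-minute windows for re-infection and rapid logins are illustrative assumptions; the only value taken from the text is the five-minute re-infection window.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta
from ipaddress import ip_network

# Constructed tuning values (not from the article, except the 5-minute re-infection window).
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local working hours for IoA 4
QUIET_DEVICES = {"ws-finance-01"}             # devices expected to be idle off-hours
ALARM_THRESHOLD = 5                           # IoA 6: alarms from one host in the batch
SUBNET_DUP_THRESHOLD = 3                      # IoA 6: hosts in one /24 raising the same alarm
REINFECT_WINDOW = timedelta(minutes=5)        # IoA 7: from the article
LOGIN_WINDOW = timedelta(minutes=5)           # IoA 8: "a few minutes" (assumed)
LOGIN_RESOURCE_THRESHOLD = 4                  # IoA 8: distinct resources in that window


def parse_event(line):
    """Parse a constructed pipe-delimited SIEM event: ts|kind|host|ip|user|region|detail.
    Fields that do not apply to an event kind carry '-'."""
    ts, kind, host, ip, user, region, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "host": host,
            "ip": ip, "user": user, "region": region, "detail": detail}


def correlate_events(lines):
    """Return (indicator, subject, detail) tuples for IoAs 4, 6, 7 and 8.
    The input is assumed to be one 24-hour batch, so IoA 6 counts over the whole batch."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    alarms_by_host = defaultdict(int)
    alarm_hosts_by_subnet_sig = defaultdict(set)   # (subnet, signature) -> hosts
    last_clean = {}                                # host -> time of last successful clean
    logins = defaultdict(list)                     # user -> [(ts, region, resource)]
    for e in events:
        t = e["ts"]
        if e["kind"] == "connection":
            # IoA 4: a normally quiet device communicating outside business hours.
            in_hours = BUSINESS_HOURS[0] <= t.time() < BUSINESS_HOURS[1]
            if e["host"] in QUIET_DEVICES and not in_hours:
                alerts.append(("ioa4_offhours_comms", e["host"], f"{t.time()} -> {e['detail']}"))
        elif e["kind"] == "alarm":
            alarms_by_host[e["host"]] += 1
            subnet = str(ip_network(f"{e['ip']}/24", strict=False))
            alarm_hosts_by_subnet_sig[(subnet, e["detail"])].add(e["host"])
        elif e["kind"] == "malware_cleaned":
            last_clean[e["host"]] = t
        elif e["kind"] == "malware_detected":
            # IoA 7: the same host is detected again within five minutes of a clean.
            cleaned = last_clean.get(e["host"])
            if cleaned is not None and t - cleaned <= REINFECT_WINDOW:
                alerts.append(("ioa7_reinfection", e["host"],
                               f"{e['detail']} back after {(t - cleaned).seconds}s"))
        elif e["kind"] == "login":
            logins[e["user"]].append((t, e["region"], e["detail"]))
    # IoA 6: alarm volume from a single host, and the same alarm across a subnet.
    for host, count in alarms_by_host.items():
        if count >= ALARM_THRESHOLD:
            alerts.append(("ioa6_host_alarm_burst", host, f"{count} alarms"))
    for (subnet, sig), hosts in alarm_hosts_by_subnet_sig.items():
        if len(hosts) >= SUBNET_DUP_THRESHOLD:
            alerts.append(("ioa6_subnet_duplicate_alarm", subnet, f"{sig} on {len(hosts)} hosts"))
    # IoA 8: one account reaching many resources, or several regions, within minutes.
    for user, entries in logins.items():
        for t0, _, _ in entries:
            window = [x for x in entries if t0 <= x[0] <= t0 + LOGIN_WINDOW]
            resources = {r for _, _, r in window}
            regions = {g for _, g, _ in window}
            if len(resources) >= LOGIN_RESOURCE_THRESHOLD or len(regions) > 1:
                alerts.append(("ioa8_rapid_multi_resource_login", user,
                               f"{len(resources)} resources, {len(regions)} regions"))
                break
    return alerts


# Constructed sample batch: one hit per indicator plus benign noise.
SAMPLE_EVENTS = [
    "2015-02-23T02:13:00|connection|ws-finance-01|10.1.1.5|-|US|198.51.100.20:443",  # off-hours
    "2015-02-23T10:13:00|connection|ws-finance-01|10.1.1.5|-|US|198.51.100.20:443",  # in hours
    "2015-02-23T08:00:00|malware_detected|srv-web-02|10.1.2.20|-|US|sample-trojan",
    "2015-02-23T08:02:00|malware_cleaned|srv-web-02|10.1.2.20|-|US|sample-trojan",
    "2015-02-23T08:05:00|malware_detected|srv-web-02|10.1.2.20|-|US|sample-trojan",  # 3 min later
    "2015-02-23T09:00:00|login|-|-|jdoe|US|fileshare",
    "2015-02-23T09:01:00|login|-|-|jdoe|US|crm",
    "2015-02-23T09:02:00|login|-|-|jdoe|BR|vpn",
    "2015-02-23T09:04:00|login|-|-|jdoe|BR|hr-portal",
] + [f"2015-02-23T11:{m:02d}:00|alarm|srv-db-01|10.1.4.10|-|US|auth_failure_burst" for m in range(5)] \
  + [f"2015-02-23T12:00:00|alarm|host-{i}|10.1.3.{i}|-|US|suspicious_remote_exec" for i in (11, 12, 13)]

if __name__ == "__main__":
    for alert in correlate_events(SAMPLE_EVENTS):
        print(alert)
```

The first detection on srv-web-02 does not fire indicator 7 on its own; only the detection that follows a clean inside the window does, which is the distinction the article draws between an infection and a re-infection. Likewise a single host raising one alarm in the 10.1.3.0/24 subnet is noise, but the same signature on three hosts there within the batch is the duplicate-alarm pattern of indicator 6.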
By Karl Klaessig on Feb 23, 2015