In today’s worlds, organizations are facing the threat of compromise that is ever-present, ever-changing, and ever-growing
The questions is: who and what exactly, are you fighting?
Threat actors are most commonly divided into two groups. The first group is represented by external actors (hackers, malware authors, threat organizations, etc.). They were responsible for approximately two thirds of data breaches last year. The second group is represented by internal actors. They either already have access to your valuable data, or hack internally to obtain access. This group is responsible for a little less than one-third of data breaches, leaving the remainder of compromises attributed to partners and multiple actors working together.
What are the indicators of compromise?
Whatever the threat, we can look at compromise using a set of layers of access (see diagram) within your environment. Each layer can possibly be attacked and, therefore offer us indicators of compromise.
Indicators of compromise that can be identified at this layer will require some analysis.
- Mismatched port/application traffic – communication with internal systems (which may include inbound commands and outbound exfiltration of data) often needs to take place over open ports (e.g. HTTP traffic over TCP port 80) to reach an external server.
- Increases in data reads / outbound traffic – The attack goal is to obtain as much data as possible; looking for additional reads on databases, as well as outbound traffic sizes are clear indicators something is amiss.
- Geographical irregularities – You have zero business in Ukraine. So, why is there so much traffic between that country and your organization? Abnormal communication sources are an obvious sign the connection requires your attention.
Indicators of compromise on endpoints involve some deep-dive comparison around what’s normal for both configurations and activity for a given endpoint.
- Rogue processes – Everything from malware, to hacker tools are seen as a process that hasn’t run on an endpoint before. This isn’t always easy, as some hackers live “off the land” using existing commands, DLLs, and executables, or use direct memory injection to avoid detection.
- Persistence – The presence of tasks, auto-run registry settings, browser plugins, and even tampering with service settings all demonstrate an endpoint is compromised.
Most attackers focus on leveraging accounts to either access data or to move about the organization. Logons are the necessary first step to gaining access to an endpoint with valuable data. Indicators include the following logon abnormalities:
- Endpoint Used – The CEO never logs on from a machine in Accounts Payable, right?
- When Used – A user with a 9-to-5 job function logging in on a Saturday at 3am? Yeah, that’s suspicious.
- Frequency – A user normally logs on once in the morning and logs out in the evening that suddenly is logging on and off in short bursts could indicate a problem.
- Concurrency – Most users log on to a single endpoint. Seeing a user like that suddenly logged onto multiple endpoints simultaneously is an obvious red flag.
Lateral movement is the process of jumping machines (as much as is needed) to locate and access a system with valuable data. While this may seem a bit like Logons, it’s far more an analysis of the combination of connection types (via RDP, SMB, etc.) and authentication (read: logons) than anything. Indicators include: Indicators include:
- Mismatch of users/applications – Low-level users rarely (if ever) use IT-related tools, scripting, etc. And users that never utilize an RDP session, etc. – equally sketchy.
- Abnormal network traffic – Tools like netcat can direct communications over allowed ports, and any kind of existence or excess of traffic not normally seen (e.g. SMB, RPC, RDP, etc.) – all indicate possible compromise.
Looking for the following abnormalities may indicate a compromise:
- When Accessed – Like logons, user access to data of any type is rather consistent over time. After-hours access is worthy of suspicion.
- From Where – Valuable data normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter.
- Amount of Data – Aligning with the perimeter’s need for watching to increases in data being sent out of the network, watch for any increases in data reads, exports, or copies/saves of any valuable data.
Focusing Your Effort on a common Indicator
As you can see, there is a lot to be watching for. The thing is, you can’t have eyes everywhere, so it becomes necessary to determine which of these indicators can be most easily detected, while providing the greatest indicator for compromise.
So, where should you focus your efforts?
There is one foundational truth that helps focus your efforts on where to start – an attacker needs to compromise a set of internal credentials if he wants to be able to do anything in your organization. In other words: no logon, no access. 81% of hacking-related breaches leveraged either stolen or weak passwords, making logons the one common activity across nearly all attack patterns.
Except for the perimeter attacks (where attack methods like SQL injections need no credentials to access data), every other layer mentioned in this article requires a logon at some point. Endpoints require logons for access, lateral movement of any type requires authentication to access a target endpoint, and access to data first requires an authenticated connection.
So, if you have to choose one area to put your focus on, it’s the logon.
By focusing on the logon, you can identify compromise before key actions, such as lateral movement and data access, take place. This makes logons one of the true preceding indicators, as the indicators associated with lateral movement and data access only occur once the action has already been taken. What’s more? When monitored and responded to appropriately, logons can be tied to automated responses that will take actions such as logging off users and implementing account usage restrictions, thwarting threat actors, and protecting company data.
About the Author
François Amigorena is the founder and CEO of IS Decisions, and an expert commentator on cybersecurity issues.
IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.
Its customers include the FBI, the US Air Force, the United Nations and Barclays — each of which rely on IS Decisions to prevent security breaches; ensure compliance with major regulations; such as SOX and FISMA; quickly respond to IT emergencies; and save time and money for the IT department.