1. Unusual outbound network traffic
Perhaps the biggest sign is unusual outbound network traffic. "The common misconception is that traffic inside the network is safe," says Sam Erdheim, senior security strategist at AlgoSec. "To see suspicious traffic leaving the network, we should not focus only on incoming traffic, but also pay attention to outbound traffic." "For modern attacks, it is difficult for companies to prevent attackers from entering the network, so enterprises should pay more attention to outbound traffic." "So the best way to do this is to check the activity within the network and check the traffic leaving the network," said Geoff Webb, head of solution strategy at NetIQ. "A compromised system usually calls back to its command-and-control server, and you can watch that traffic to stop the attack."
2. Anomalous privileged user account activity
In a well-planned attack, an attacker either elevates the privileges of an account they have already compromised or uses that account to move into other accounts with higher privileges. Looking for unusual behaviour from privileged accounts not only uncovers insider attacks, but also reveals accounts that have been taken over. "Changes in the behaviour of privileged users may indicate that someone else is using the account to attack your network. Companies should focus on changes in how accounts are used, such as the time of activity, the systems accessed, and the type or amount of information accessed," Webb said.
3. Geographical anomalies
Whether or not privileged accounts are involved, geographic anomalies in logins and access can also indicate that an attacker is operating from a remote location. For example, a business should investigate when it finds traffic being exchanged with countries it has no business dealings with. Dodi Glenn, security content management director at ThreatTrack Security, said that when one account logs in from many different IP addresses around the world within a short period of time, this may be a sign of attack.
4. Login anomalies and failures
Login anomalies and failures can provide good clues that attackers are probing networks and systems. Scott Pierson, product expert at Beachhead Solutions, said that multiple login failures can mark an attack, and that companies should also check for logins using non-existent user accounts, which usually indicate an attempt to guess account credentials and gain authentication. Similarly, a successful login at an unexpected time may indicate that it is not really the employee accessing the data. Companies should investigate this.
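The login checks in items 3 and 4, written out as an added example that is not part of the original article: it parses a constructed authentication log and flags one account succeeding from two countries within a short window, sources with repeated failures, attempts against accounts that do not exist in the (constructed) directory, and successful logins outside the assumed working hours. The log format, user list, window and thresholds are all assumptions made for the example.

```python
"""Added example: flagging anomalous logins from a constructed auth log.

Covers item 3 (one account from two countries in a short window) and
item 4 (repeated failures, non-existent accounts, logins at unexpected
times). Log lines, the user directory and thresholds are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<name> src=<ip> geo=<CC> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=alice src=10.0.0.5 geo=US result=ok
2024-03-04T09:05:42 user=bob src=10.0.0.9 geo=US result=ok
2024-03-04T09:06:01 user=alice src=203.0.113.7 geo=BR result=ok
2024-03-04T03:14:09 user=carol src=198.51.100.2 geo=US result=ok
2024-03-04T11:20:00 user=admin src=198.51.100.44 geo=RU result=fail
2024-03-04T11:20:02 user=root src=198.51.100.44 geo=RU result=fail
2024-03-04T11:20:03 user=bob src=198.51.100.44 geo=RU result=fail
2024-03-04T11:20:04 user=bob src=198.51.100.44 geo=RU result=fail
2024-03-04T11:20:05 user=bob src=198.51.100.44 geo=RU result=fail
2024-03-04T11:20:06 user=bob src=198.51.100.44 geo=RU result=fail
"""

KNOWN_USERS = {"alice", "bob", "carol"}    # constructed user directory
WORK_HOURS = range(7, 20)                   # 07:00-19:59 is treated as normal
TRAVEL_WINDOW = timedelta(hours=1)          # two countries inside this window is suspect
FAIL_THRESHOLD = 3                          # failures from one source before alerting


def parse_log(text):
    """Turn each log line into a dict with a datetime and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def impossible_travel(events):
    """Accounts with consecutive successes from different countries within TRAVEL_WINDOW."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "ok":
            by_user[ev["user"]].append(ev)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["geo"] != b["geo"] and b["ts"] - a["ts"] <= TRAVEL_WINDOW:
                flagged.add(user)
    return flagged


def failure_anomalies(events):
    """Sources with many failures, plus any account names not in the directory."""
    fails = Counter(ev["src"] for ev in events if ev["result"] == "fail")
    noisy_sources = {src for src, n in fails.items() if n >= FAIL_THRESHOLD}
    unknown_accounts = {ev["user"] for ev in events if ev["user"] not in KNOWN_USERS}
    return noisy_sources, unknown_accounts


def off_hours_logins(events):
    """Successful logins outside WORK_HOURS; worth confirming with the user."""
    return {ev["user"] for ev in events
            if ev["result"] == "ok" and ev["ts"].hour not in WORK_HOURS}


def analyse(text):
    """Run all three checks and return the findings by category."""
    events = parse_log(text)
    noisy, unknown = failure_anomalies(events)
    return {
        "impossible_travel": impossible_travel(events),
        "noisy_sources": noisy,
        "unknown_accounts": unknown,
        "off_hours": off_hours_logins(events),
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(f"{name}: {sorted(hits)}")
```

The geo check only compares consecutive successful logins of the same account, so a user who legitimately travels once a day will not trip it; the working-hours range and the failure threshold are the knobs a real deployment would tune from its own baseline.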
5. Surge in database read volume
When an attacker has compromised an enterprise and tries to exfiltrate information, you may see changes in the data store. One is a surge in database reads. "When an attacker tries to extract the full credit card database, he generates a huge volume of reads, far higher than what you normally see," said Kyle Adams, chief software architect at Juniper Networks.
6. HTML response size
Adams also said that if an attacker uses SQL injection to extract data from a web application, the attacker's requests typically produce larger HTML responses than normal requests. "For example, if an attacker extracts the whole credit card database, a single response to the attacker could be 20MB to 50MB, where a normal response would be 200KB," he says.
7. Large numbers of requests for the same file
Attackers need a lot of trial and error to launch an attack; they try different exploits to find a way in. When they find an exploit that may succeed, they usually launch it with different permutations. Adams said, "As a result, the URLs they attack may change on each request, but the actual filename portion may remain unchanged. You may see a single user or IP make 500 requests to 'join.php', when normally a single IP or user would request it only a few times."
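Items 6 and 7 together, as an added example that is not from the article or from Juniper: the code parses a constructed Common Log Format access log, flags responses that are many times larger than the median response for the same path (the oversized-dump sign from item 6), and counts requests per client for each file name with the query string stripped off (the repeated `join.php` sign from item 7). The log lines, the multiplier and the request threshold are assumptions for the example.

```python
"""Added example: two web-log checks over a constructed access log.

Item 6: a response far larger than the usual size for that URL path.
Item 7: one client requesting the same file name many times while the
query string keeps changing. Lines are Common Log Format, constructed
here; SIZE_FACTOR and REQUEST_THRESHOLD are assumed values.
"""
import re
from collections import Counter, defaultdict
from statistics import median
from urllib.parse import urlsplit

# Common Log Format: ip ident user [time] "method url proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

SIZE_FACTOR = 10        # response >= SIZE_FACTOR x the path's median is an outlier
REQUEST_THRESHOLD = 30  # requests for one file from one client in the log window

# Constructed sample: twenty ordinary visitors, then one client hitting
# join.php repeatedly with changing query strings and finally receiving
# a 25MB response where everyone else gets about 2KB.
NORMAL = [
    f'10.0.0.{i} - - [04/Mar/2024:10:{i:02d}:00 +0000] '
    f'"GET /join.php?id={i} HTTP/1.1" 200 {1800 + 7 * i}'
    for i in range(1, 21)
]
PROBES = [
    f'203.0.113.9 - - [04/Mar/2024:10:30:{i:02d} +0000] '
    f'"GET /join.php?id=1&try={i} HTTP/1.1" 200 1900'
    for i in range(45)
]
DUMP = [
    '203.0.113.9 - - [04/Mar/2024:10:31:00 +0000] '
    '"GET /join.php?id=1&try=45 HTTP/1.1" 200 26214400'
]
SAMPLE_LOG = "\n".join(NORMAL + PROBES + DUMP)


def parse_log(text):
    """Parse Common Log Format lines; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["size"] = 0 if row["size"] == "-" else int(row["size"])
        row["path"] = urlsplit(row["url"]).path   # file name without the query string
        rows.append(row)
    return rows


def oversized_responses(rows):
    """Requests whose response is SIZE_FACTOR x the median size for that path."""
    sizes = defaultdict(list)
    for r in rows:
        sizes[r["path"]].append(r["size"])
    baseline = {path: median(s) for path, s in sizes.items()}
    return [(r["ip"], r["path"], r["size"]) for r in rows
            if baseline[r["path"]] > 0 and r["size"] >= SIZE_FACTOR * baseline[r["path"]]]


def repeated_file_requests(rows):
    """(client, path) pairs at or above REQUEST_THRESHOLD, query string ignored."""
    counts = Counter((r["ip"], r["path"]) for r in rows)
    return {key: n for key, n in counts.items() if n >= REQUEST_THRESHOLD}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("oversized:", oversized_responses(rows))
    print("repeated:", repeated_file_requests(rows))
```

The median is taken per path rather than across the whole site so that a legitimately large download endpoint does not hide a dump from a page that normally returns a few kilobytes; for a long-running log the per-client counter should be kept per time window rather than over the whole file.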
8. Mismatched port and application traffic
Attackers often use obscure ports to get around simpler web filtering techniques. So when an application uses an unusual port, it may indicate command-and-control traffic disguised as "normal" application behaviour. "We may find an infected host sending command-and-control traffic over port 80 disguised as DNS requests. At first glance they may look like standard DNS queries," said Tom Gorup, SOC analyst at Rook Consulting. "However, if you look closely, you will find that these flows pass through non-standard ports."
9. Suspicious registry or system file changes
One of the ways malware writers maintain a long-term presence on an infected host is through registry changes. When dealing with a registry-based IOC, creating a baseline is the most important part, Gorup says: "Defining what the normal registry should contain basically creates a filter. Monitoring and alerting on deviations from the normal template will speed up the security team's response." Similarly, many attackers leave indications that they have tampered with the host's system files and configuration, and businesses can quickly discover infected systems by looking for these changes. "What could happen is that an attacker installs packet sniffer software to obtain credit card data: the attacker targets a system that can see the network traffic and then installs the tool," he said. While the chances of catching such an attack are slim (because they are very targeted and may not have been seen before), companies can discover the changes in the system.
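Gorup's point that the baseline is the filter, as an added example that is not the article's or Rook Consulting's code: a known-good snapshot of autorun registry values and system-file hashes is compared with a later snapshot, and anything added, removed or changed is reported. Both snapshots are constructed dicts here; on a real host the registry values would be read from the Run keys and the hashes computed from the files on disk. The file and value names are assumptions for the example.

```python
"""Added example: diffing a persistence baseline against a later snapshot.

Holds a baseline of autorun registry values and SHA-256 hashes of a few
system files, then reports what a later snapshot added, removed or
changed. Both snapshots are constructed; DLL_FILE and the Run values are
made-up names for the example.
"""
import hashlib

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS_FILE = r"C:\Windows\System32\drivers\etc\hosts"
DLL_FILE = r"C:\Windows\System32\example.dll"   # constructed file name


def sha256(data: bytes) -> str:
    """Hex SHA-256 of the bytes (stand-in for hashing a file on disk)."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline captured while the host was known-good
BASELINE = {
    "registry": {
        RUN_KEY + r"\SecurityAgent": r"C:\Program Files\Agent\agent.exe",
        RUN_KEY + r"\SyncClient": r"C:\Program Files\Vendor\sync.exe",
    },
    "files": {
        HOSTS_FILE: sha256(b"127.0.0.1 localhost\r\n"),
        DLL_FILE: sha256(b"constructed dll contents, version 1"),
    },
}

# Constructed later snapshot: one autorun value added, the hosts file modified
SNAPSHOT = {
    "registry": {
        RUN_KEY + r"\SecurityAgent": r"C:\Program Files\Agent\agent.exe",
        RUN_KEY + r"\SyncClient": r"C:\Program Files\Vendor\sync.exe",
        RUN_KEY + r"\Updater": r"C:\Users\Public\svc.exe",
    },
    "files": {
        HOSTS_FILE: sha256(b"127.0.0.1 localhost\r\n203.0.113.5 update.example.com\r\n"),
        DLL_FILE: sha256(b"constructed dll contents, version 1"),
    },
}


def diff_section(base, current):
    """Added, removed and changed entries between two {name: value} maps."""
    added = {k: current[k] for k in current.keys() - base.keys()}
    removed = {k: base[k] for k in base.keys() - current.keys()}
    changed = {k: (base[k], current[k])
               for k in base.keys() & current.keys() if base[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}


def compare(baseline, snapshot):
    """Diff every section in the baseline; a section missing from the snapshot counts as empty."""
    return {name: diff_section(values, snapshot.get(name, {}))
            for name, values in baseline.items()}


def has_deviations(report):
    """True if any section of the report lists anything at all."""
    return any(entries for section in report.values() for entries in section.values())


if __name__ == "__main__":
    for section, result in compare(BASELINE, SNAPSHOT).items():
        for kind, entries in result.items():
            for name in entries:
                print(f"{section}: {kind} {name}")
```

The "added" list is the one that matters most for persistence, since a new Run value is exactly how a foothold survives a reboot; the "changed" hash on the hosts file is the kind of configuration tampering the second half of the item describes. Legitimate software updates will also show up here, so the baseline has to be refreshed after approved changes or the filter stops being useful.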
10. DNS request anomalies
According to Wade Williamson, senior security analyst at Palo Alto Networks, the most effective indicator for companies to look at is the telltale pattern left by malicious DNS requests. "Command-and-control traffic is usually the most important traffic for an attacker because it lets them keep managing the attack, and they need to protect this traffic so that security professionals do not find it easily. Its unique pattern is what businesses should identify, because it can be used to detect attack activity," he said. "When DNS requests from a specific host increase significantly, this can indicate potential suspicious behaviour. Looking at the DNS request patterns of external hosts, comparing them against geographic IP and reputation data, and filtering them properly can help mitigate command and control over DNS," he said.
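The two DNS signs in item 10, as an added example that is not the article's or Palo Alto Networks' code: a constructed query log is checked for hosts whose query count jumps well above a per-host baseline, and for query names whose leftmost label is long and near-random, which is the shape DNS traffic carrying data tends to take (that second check is a generalisation of the "unique pattern" the item mentions, not something the article spells out). The spike test is deliberately generic: the same `volume_spikes` function applied to per-account row counts gives the database-read surge check from item 5. Baseline figures, log lines and thresholds are all assumptions.

```python
"""Added example: DNS request anomalies from a constructed query log.

(a) volume_spikes: a host's query count against its baseline (item 10,
    and reusable for database read counts, item 5).
(b) suspicious_names: long, high-entropy leftmost labels, the pattern
    data-carrying DNS tends to show. Baselines, log and thresholds are
    constructed for the example.
"""
import math
from collections import Counter, defaultdict

SPIKE_FACTOR = 5          # count >= SPIKE_FACTOR x baseline triggers an alert
MIN_LABEL_LEN = 30        # only labels this long get the entropy test
ENTROPY_THRESHOLD = 3.5   # bits per character; natural-language labels sit well below

# Constructed baseline: typical queries per host in one hour when things were quiet
BASELINE_PER_HOUR = {"10.0.0.5": 40, "10.0.0.9": 35, "10.0.0.12": 50}

# Constructed query log, one "<host> <qname>" per entry
SAMPLE_LOG = (
    ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com"] * 20
    + ["10.0.0.9 www.example.org"] * 30
    + [f"10.0.0.12 {label}.tunnel.example.net"
       for label in ("kq8z3v1m0pw9xr2tn7ylb6hs4jd5fc",
                     "z1x9c8v7b6n5m4a3s2d1f0g9h8j7k6l5",
                     "q0w9e8r7t6y5u4i3o2p1a0s9d8f7g6h5")] * 100
)


def shannon_entropy(s):
    """Bits per character of s; 0 for a single repeated character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(lines):
    """Split each entry into (host, query name)."""
    return [tuple(line.split(None, 1)) for line in lines if line.strip()]


def count_by_host(queries):
    """Queries per host over the whole log window."""
    return Counter(host for host, _ in queries)


def volume_spikes(counts, baseline):
    """Keys whose count is SPIKE_FACTOR x their baseline, plus keys with no baseline.

    Works for any {key: count} map: DNS queries per host here, database
    reads per account for item 5.
    """
    spikes, unknown = {}, set()
    for key, n in counts.items():
        if key not in baseline:
            unknown.add(key)
        elif n >= SPIKE_FACTOR * baseline[key]:
            spikes[key] = (n, baseline[key])
    return spikes, unknown


def suspicious_names(queries):
    """Per host, the query names whose leftmost label is long and near-random."""
    hits = defaultdict(set)
    for host, qname in queries:
        label = qname.split(".")[0]
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            hits[host].add(qname)
    return dict(hits)


if __name__ == "__main__":
    queries = parse_log(SAMPLE_LOG)
    spikes, unknown = volume_spikes(count_by_host(queries), BASELINE_PER_HOUR)
    print("spikes:", spikes, "no baseline:", sorted(unknown))
    for host, names in suspicious_names(queries).items():
        print(host, "->", len(names), "suspicious names")
```

Hosts with no baseline are reported separately rather than silently passed, because a machine that has never been seen resolving names is itself worth a look. Length and entropy together avoid flagging the long but low-entropy labels that content delivery networks and cloud services legitimately use; the geo-IP and reputation comparison the item also recommends would be a further filter applied to the names that survive these two checks.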
11. Unexplained system patching
Patching is usually a good thing, but if a system is suddenly patched without warning, it may indicate that an attacker is locking down the system so that other attackers cannot use it for their own criminal activities. "Most attackers are trying to make money from your data, and they certainly don't want to share the spoils with others," Webb said.
12. Mobile device profile changes
As attackers move to mobile platforms, businesses should watch for unusual changes in the device configuration of mobile users. They should also look at changes to normal applications, as well as programs that might carry out man-in-the-middle attacks or entice users to disclose their login credentials. "If a managed mobile device gets a new profile that was not issued by the enterprise, it may indicate that the user's device and its corporate login credentials are compromised," said Dave Jevans, founder and chief information officer at Marble Security. These profiles may be installed on the mobile device through phishing or spear-phishing attacks.
13. Data in the wrong place
According to EventTracker's Ananth, attackers usually stage data at a collection point on the system before attempting to exfiltrate it. If you suddenly see gigabytes of data in the wrong place, in a compressed format your company does not use, this indicates the presence of an attack. In general, when a file is in an unusual location, the enterprise should scrutinise it rigorously because it may indicate an impending data breach. "In strange locations, such as the root folder of the Recycle Bin, it is very difficult to find through Windows, but these can be found with carefully crafted indicators," said Matthew Standart, threat intelligence officer at HBGary.
14. Web traffic with non-human behaviour
"Web traffic that does not match normal human behaviour should not pass the sniff test," said Andrew Brandt, head of threat research at Blue Coat. "Under what circumstances would you open 20 or 30 browser windows to different sites?" A computer infected with click-fraud malware may generate a large amount of web traffic in a short time. For example, on a corporate network with a software lockdown policy where everyone can only use one browser type, an analyst may find a web session whose user-agent string shows the user on a browser type the enterprise does not allow, or even a version that does not exist.
15. Signs of DDoS activity
Distributed denial of service (DDoS) attacks are often used by attackers as a smokescreen to disguise other, more hostile attacks. If businesses find signs of DDoS, such as slow network performance, an unreachable web site, firewall failover, or a back-end system somehow running at maximum capacity, they should not worry only about these surface problems. "In addition to overloading mainstream services, DDoS attacks often 'overwhelm' security reporting systems such as IPS/IDS or SIEM solutions," said Ashley Stephenson, chief executive officer of Corero Network Security. This can allow attackers to implant malware or steal sensitive data. Therefore, any DDoS attack should be seen as a sign of related data breach activity.