Year: 2024

  • Indicators of Compromise

    Introduction

    Users, computers, and even entire networks can all be compromised. Depending on the scenario, security analysts have to look out for different types of indicators of compromise (IOC). I discuss multiple scenarios below and give examples of what to be on the lookout for. If a compromise is suspected, you should collect basic artifacts about the affected host and user. They will be needed as a starting point if a forensic investigation is undertaken.

    Basic artifacts to collect when a compromise is suspected

    • Suspected email address and the sender's domain.
    • Link or URL in an email.
    • Files received by ftp, p2p, or as email attachments.
    • IP address of host.
    • Browser history.
    • Affected user.
    • Log entries for past xx hours.
    • File name, size, and hash of new files that have suddenly appeared (for example in a temp folder).
    • Running processes.

    Examples of IOC of a User’s Account

    • Suspicious logins – Attempts by accounts that do not exist, after-hours login successes.
    • Unusual user account activity – Watch for time of day, systems accessed, and the type and volume of data accessed.
    • Geographic irregularities – Where is a user logging in from? Does a user account log in from two different countries in a short period of time?

    Example of a Server or Workstation Compromise

    • Unusual network traffic – Typically monitor outbound traffic for spikes to unknown locations.
    • Log anomalies – Were any files downloaded around the suspected start time?
    • Increase in database read volume – When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume.
    • Suspicious registry or file system changes – Need to create a baseline and define what a clean registry looks like. Use FIM to monitor for changes. Was new software installed?
    • Bundles of data in the wrong places – Do you see gigabytes of data where they should not exist, particularly in compressed archive formats? In the temp folder? Unexplained encrypted files, or random files appearing in a folder location not typically monitored by FIM, are also warning signs.

    Sample Indicators of a Network Compromise

    • Unusual DNS requests and web traffic showing non-human behavior – Is it an unknown web browser, or a curl command? Check the user-agent string, which identifies the browser. Does a user reach out to 20 different sites simultaneously?
    • Geographic irregularities – Connections to countries that the company does not do business with.
    • Mismatched Port-Application Traffic – ex. DNS request over port 80.
    • Signs of DDoS activity – Distributed denial-of-service (DDoS) attacks are frequently used as smokescreens to camouflage other, more pernicious attacks. Signs of DDoS are slow network performance, unavailability of websites, firewall failover, or back-end systems working at max capacity for unknown reasons. DDoS attacks attempt to overload mainstream services as well as security reporting systems, such as IPS/IDS or SIEM solutions. This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity.
    • Large numbers of requests for the same file – Is a single user or IP making 500 requests for ‘join.php’?
    • DNS request anomalies – A large spike in DNS requests from a specific host. Watch for patterns of DNS requests to external hosts, compare them against geolocation IP and reputation data, and implement appropriate filtering.

    Web Browser Indicators

    • HTML response sizes – If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. If the attacker extracts a full credit card database, then a single response for that attacker might be 50 MB, where a normal response is only 200 KB.
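    The user-account, network and web-browser indicators above (a login from two countries in a short window, one IP hammering the same file, a response far larger than normal) can be checked mechanically. The script below is an added example, not code from the original page or from the Dark Reading article it cites; the log lines it runs on are constructed, and the thresholds (a 4-hour travel window, 500 requests, 10× the median response size) are assumptions chosen to match the figures quoted in the text.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Common/combined web-server log format, e.g.
# 203.0.113.9 - - [12/May/2024:03:14:07 +0000] "GET /join.php HTTP/1.1" 200 1200
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_access_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def impossible_travel(auth_events, window=timedelta(hours=4)):
    """auth_events: (user, datetime, country) tuples for successful logins.
    Flags consecutive logins by one user from different countries within `window`."""
    by_user = defaultdict(list)
    for user, ts, country in auth_events:
        by_user[user].append((ts, country))
    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                findings.append((user, c1, c2, t2 - t1))
    return findings


def repeated_file_requests(records, threshold=500):
    """(ip, path) pairs requested at least `threshold` times."""
    counts = Counter((r["ip"], r["path"]) for r in records)
    return {key: n for key, n in counts.items() if n >= threshold}


def oversized_responses(records, factor=10):
    """Successful responses more than `factor` times the median response size."""
    sizes = [r["bytes"] for r in records if r["status"] == 200 and r["bytes"] > 0]
    if not sizes:
        return []
    baseline = median(sizes)
    return [(r["ip"], r["path"], r["bytes"]) for r in records if r["bytes"] > factor * baseline]


# Constructed sample data (not real logs).
SAMPLE_AUTH = [
    ("alice", datetime(2024, 5, 12, 9, 0), "US"),
    ("alice", datetime(2024, 5, 12, 10, 30), "BR"),  # 90 minutes later, different country
    ("bob", datetime(2024, 5, 12, 8, 0), "US"),
    ("bob", datetime(2024, 5, 13, 8, 0), "DE"),      # a full day apart, not flagged
]

SAMPLE_ACCESS = (
    # normal browsing: ~200 KB pages from many clients
    [f'198.51.100.{i} - - [12/May/2024:03:14:{i:02d} +0000] "GET /index.html HTTP/1.1" 200 204800'
     for i in range(20)]
    # one IP requesting the same file 500 times
    + ['203.0.113.9 - - [12/May/2024:03:15:00 +0000] "GET /join.php HTTP/1.1" 200 204800'] * 500
    # a single 50 MB response, the "full database" case from the text
    + ['203.0.113.9 - - [12/May/2024:03:16:00 +0000] "GET /report.php?id=42 HTTP/1.1" 200 52428800']
)


def run_checks(auth_events=SAMPLE_AUTH, access_lines=SAMPLE_ACCESS):
    records = [r for r in map(parse_access_line, access_lines) if r]
    return {
        "impossible_travel": impossible_travel(auth_events),
        "repeated_requests": repeated_file_requests(records),
        "oversized": oversized_responses(records),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

    In production the auth events would come from the identity provider or SIEM and the country from a GeoIP lookup; the median baseline should be computed per application rather than over the whole log so that a legitimately large download endpoint does not skew it.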

    Mobile Device Compromises

    • Mobile device profile changes – Changes to a mobile user’s device settings, replacement of user apps, or a new configuration profile that was not provided by the enterprise.

    References

    https://www.darkreading.com/cyberattacks-data-breaches/top-15-indicators-of-compromise

  • Job Duties of a Security Analyst

    Introduction

    An enterprise security operations center (SOC) analyst’s responsibilities are both wide and varied. Based on my personal experience, this is a list of duties performed in the industry. If you have limited time or resources, you should consider focusing on reviewing log events.

    Monitor Security Systems

    Security systems should be continuously monitored to look for compromised devices, prevent unauthorized access, and verify that hardware configurations and patches have been installed. Continuously ask yourself: how can I layer my defenses, am I collecting logs, and am I protecting systems and resources?

    Consider the security systems below as a minimum for monitoring.

    • Antivirus software agent on endpoints.
    • Vulnerability scanning to look for missing software patches.
    • Intrusion Detection / Prevention System to detect malicious traffic inside the network.
    • Network devices, like routers, firewalls, VPN, and Citrix, should be configured for least privilege.
    • On switches, segregate the network using VLANs for logical access controls.
    • Use a SIEM for log review and alerting.
    • Employ FIM to detect critical file changes.
    • Physical access controls. (cameras, key cards, other.)
    • Log collection servers, to meet compliance requirements and support forensic investigations.
    • Authentication servers (Active Directory). Employ logical access controls.
    • Internal firewalls to protect servers that store and process PII data (e.g. credit cards).
    • Web proxy to blacklist suspicious sites.
    • Perimeter firewall to block connections, run IDS, prevent DDoS attacks, and scan attachments.
    • Network Access Control to prevent rogue wireless devices. Also implement 802.1X.

    Review Log Events Using a SIEM

    Not all events are created equal, but some top events to look out for in a SIEM are shown here. This list was developed from hands-on experience and from researching various blogs. The items are not listed in any specific order and should all be treated equally.

    1. Monitor for policy changes.
    2. User rights assignments.
    3. Local Account authentication policy changes.
    4. Local user account changes.
    5. Sensitive Group Changes. (PIM activations. Domain Admins, SQL admins, etc.)
    6. Local group membership changes.
    7. New software downloads or installs.
    8. Failed login attempts or lockouts.
    9. Any attempt to log on as an administrator. (domain admins, after-hours, etc.)
    10. Firewall policy changes. (config changes)
    11. New devices attached.
    12. Monitor for exfiltration of data. (use SIEM, Netflow, or NIDS systems)
    13. User-to-user network traffic – Should be near zero; traffic is typically client to server.

    Reference: https://windowsultimatesecurity.com

    Perform Threat Hunting

    Operations centers spend the bulk of their time looking for potential threats that may affect systems or people. Threats are wide and varied, from an unknown person walking the hallways to an employee walking out the door with a USB drive. A variety of different tools will be used to hunt for all the different kinds of threats.

    • Run daily File Integrity Management (FIM) scan. (Changes to registry or system files)
    • Run daily malware/virus/rootkit scans on all hosts.
    • Monitor wireless networks for unauthorized connections.
    • Conduct daily external port scans to verify only authorized ports in the firewall are open.
    • Run weekly MITRE Attack/Defense testing. (Do your defenses actually work?)
    • Review Conditional Access policy changes in Azure, Intune, or Purview.
    • Investigate SIEM alerts, endpoint (HIDS) events, and internal network (NIDS) events.
    • Review DNS logs for allowed/blocked access to suspicious sites.
    • Review DNS logs to verify unauthorized sites were actually blocked.
    • Process phish tank emails. (Block users from receiving malicious emails from those senders or domains.)
    • Verify the endpoint AV agent is running & communicating.
    • Review physical cameras for unauthorized access.
    • Review external Firewall logs.

    Conduct Risk Assessments

    Risk assessments attempt to categorize all risks and help develop a prioritized improvement list. Risk can come from fines by government agencies, external attackers, internal employee threats, and other sources. Typical questions asked are: What is likely to occur? What actions can be taken to prevent it? How easily can fixes be implemented? Risk assessments are often required by insurance brokers prior to issuing a policy.

    • Run weekly vulnerability scans. (patching, obsolete software, or expired SSL certs).
    • Verify the scanner has a recently updated rule set.
    • Ensure logs are collected and stored. (90 days hot + 12 months cold)
    • Back up all logs nightly and record file hashes so unauthorized modifications can be detected.
    • Dispose of logs older than the data loss prevention or retention policy allows.
    • Conduct clean desk inspections.
    • Annually conduct a pen test against all external-facing websites.
    • Send out simulated phishing emails to all employees.
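    The three log-handling items above (retention, nightly hashing, disposal past the retention period) fit together as one small job. The script below is an added example and not the page author's own tooling; it builds a throwaway log directory with constructed contents, so it runs offline. The retention period of 365 days and the manifest location are assumptions; the point it demonstrates is that a SHA-256 manifest written at backup time lets you prove later whether a log file was altered, and that pruning is driven by the same policy value.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(log_dir, manifest_path):
    """Hash every file in log_dir and store {name: sha256} as JSON.
    Keep the manifest outside log_dir (ideally write-once/offsite) so it is not
    itself part of what an intruder can rewrite."""
    log_dir = Path(log_dir)
    manifest = {p.name: sha256_file(p) for p in sorted(log_dir.iterdir()) if p.is_file()}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(log_dir, manifest_path):
    """Compare the directory against the stored manifest.
    Returns (modified, missing, added) lists of file names."""
    log_dir = Path(log_dir)
    expected = json.loads(Path(manifest_path).read_text())
    current = {p.name: sha256_file(p) for p in log_dir.iterdir() if p.is_file()}
    modified = sorted(n for n in expected if n in current and current[n] != expected[n])
    missing = sorted(n for n in expected if n not in current)
    added = sorted(n for n in current if n not in expected)
    return modified, missing, added


def prune_expired(log_dir, retention_days, now=None):
    """Delete files whose modification time is older than the retention policy."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    deleted = []
    for p in Path(log_dir).iterdir():
        if p.is_file() and p.stat().st_mtime < cutoff:
            p.unlink()
            deleted.append(p.name)
    return sorted(deleted)


def demo():
    """Run the nightly cycle against a constructed directory; returns the three results."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp) / "logs"
        logs.mkdir()
        # constructed sample log content
        (logs / "auth.log").write_text("May 12 03:14:07 host sshd[1]: Accepted publickey for alice\n")
        (logs / "old.log").write_text("stale entries\n")
        stale = time.time() - 400 * 86400          # pretend old.log is 400 days old
        os.utime(logs / "old.log", (stale, stale))
        manifest = Path(tmp) / "manifest.json"    # stored beside, not inside, the log dir
        write_manifest(logs, manifest)
        clean = verify_manifest(logs, manifest)    # fresh backup: nothing changed
        with open(logs / "auth.log", "a") as f:    # simulate a tampered log line
            f.write("May 12 03:20:00 host sshd[1]: (line appended after backup)\n")
        tampered = verify_manifest(logs, manifest)
        pruned = prune_expired(logs, retention_days=365)
        return clean, tampered, pruned


if __name__ == "__main__":
    print(demo())
```

    Verification only proves something if the manifest cannot be rewritten by whoever altered the logs, so store it on a separate system or sign it; and run verification before pruning, since a file that has already been deleted can no longer be checked.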

    Conduct Compliance Audits

    Look for weaknesses in the policies or procedures that your IT staff use. How can you make security better?

    • Conduct SOC2 internal audits.
    • Prepare due diligence reports for outside auditors.
    • Monitor third-party vendors for data breach disclosures.
    • Run hardening scans. (Do the assets meet company policy, or the MS or CIS benchmarks?)
    • Maintain an inventory of all assets.
    • Develop company internet filtering standards for users.
    • Review network device config files for changes made without authorization.
    • Verify encryption is used for all hard drives.
    • Implement DLP Policies. (unauthorized printing of data, SSN, CC numbers, etc.).
    • Review your Microsoft Azure secure score.
    • Run PCI compliance scans against external websites.
    • Conduct tests against the firewall to verify it is blocking traffic from external countries, and against the email filters to verify they block files with specific extensions.
    • Carefully review Group Policy Objects, such as what computers can join the network, password enforcement, folder redirection (so files are not saved locally), etc.

    Verify Systems Meet Hardening Standards

    All servers and workstations need to meet minimum configuration hardening (aka compliance) standards. The CIS Benchmarks are prescriptive configuration recommendations for more than 25 vendor product families. They represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently.

    Reference: https://www.cisecurity.org/cis-benchmarks

    Collect Logs From Critical Sources

    Log collection is required by government regulations and industry standards. You will need to collect logs from a variety of critical systems. Logs typically need to be kept for 12 months. Be sure to back them up offsite for disaster recovery.

    The types of logs a SOC should collect are:

    • Application Logging
      • User account management
      • Access control events
      • Configuration changes
    • Servers & Workstation Logging
      • Operating system logs.
        • System event logs. (shut down or restart service, etc.)
        • Audit logs. (Privileged account activity, files accessed, authentication attempts, etc.)
    • Other potential logging sources
      • Network Segmentation controls (switches)
      • Remote access software (VPN) or Citrix Gateway (NetScaler)
      • Virtual Hosts Servers like VMWare (ESX)
      • SQL database access – who accessed the databases.
      • DNS Proxy Servers.
      • FTP Servers – who logged in and what files were downloaded.
      • Linux servers, auth (login attempts) & sudo elevation.
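    Of the sources listed, the Linux auth log is the one most often read by hand, and the questions the earlier SIEM list asks of it (failed logins, after-hours administrator access, elevation to root) are easy to automate. The parser below is an added example, not code from the original page; the syslog lines it reads are constructed to mimic the sshd and sudo formats found in a Debian-style /var/log/auth.log, and the business-hours window (08:00 to 18:00) and the three-failure threshold are assumptions.

```python
import re
from collections import Counter

# Syslog prefix shared by every line: "May 12 03:14:07 web1 <rest>"
PREFIX_RE = re.compile(r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$')
FAILED_RE = re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
ACCEPTED_RE = re.compile(r'sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)')
SUDO_RE = re.compile(r'sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')


def parse_auth_line(line):
    """Classify one auth.log line as 'failed', 'accepted' or 'sudo'; None for anything else."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    base = {"time": m["time"], "hour": int(m["time"][:2]), "host": m["host"]}
    rest = m["rest"]
    if (x := FAILED_RE.search(rest)):
        return {**base, "kind": "failed", "user": x["user"], "ip": x["ip"]}
    if (x := ACCEPTED_RE.search(rest)):
        return {**base, "kind": "accepted", "user": x["user"], "ip": x["ip"], "method": x["method"]}
    if (x := SUDO_RE.search(rest)):
        return {**base, "kind": "sudo", "user": x["user"], "target": x["target"], "cmd": x["cmd"]}
    return None


def failed_login_sources(records, threshold=3):
    """Source IPs with at least `threshold` failed SSH logins."""
    counts = Counter(r["ip"] for r in records if r["kind"] == "failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sudo_elevations(records):
    """Every sudo use, as (user, target account, command)."""
    return [(r["user"], r["target"], r["cmd"]) for r in records if r["kind"] == "sudo"]


def after_hours(records, start=8, end=18):
    """Events outside business hours [start, end)."""
    return [r for r in records if r["hour"] < start or r["hour"] >= end]


# Constructed sample lines (not from a real host).
SAMPLE_AUTH_LOG = """\
May 12 03:14:07 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
May 12 03:14:09 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
May 12 03:14:12 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 51240 ssh2
May 12 08:02:11 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
May 12 08:05:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 12 23:41:02 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 12 23:42:00 web1 CRON[2400]: pam_unix(cron:session): session opened for user root
"""


def review(text=SAMPLE_AUTH_LOG):
    records = [r for r in map(parse_auth_line, text.splitlines()) if r]
    return {
        "brute_force_sources": failed_login_sources(records),
        "sudo": sudo_elevations(records),
        "after_hours": [(r["time"], r["kind"], r["user"]) for r in after_hours(records)],
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(key, value)
```

    A full shell session obtained through sudo (the `/bin/bash` line) deserves more attention than a single administrative command, because the commands run inside it will not appear in the sudo log at all.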
  • Creating a Report for Senior Managers

    Introduction

    Any employee could be called upon to write a report for senior staff. Senior managers are focused on profit and want a very brief overview of the systems, people, and projects under their responsibility. I recommend the report be no more than two pages long and contain items of interest that can be shown as a percentage, or items that are actionable.

    Suggested Items to Report

    For an enterprise security report, here is a list of potential or suggested items.

    • Vulnerability data
      • Discovered vulnerabilities by scanning. (critical or exploitable).
      • Total company vulnerability risk score.
      • Company risk score trends chart.
      • Company external third-party vulnerability risk score. (BitSight or UpSight Score).
    • Threat Intelligence
      • Third-party data breach disclosures. Were any vendors that you use on a regular basis hit?
      • Emerging vulnerability threats from threat intel sources.
      • Vendor external third-party vulnerability risk score. (BitSight or UpSight Score).
    • SIEM data
      • Count of events, alerts, or incidents. List types and severity.
      • Avg time to close an event.
      • Count of total number of assets.
    • Firewall Stats
      • Count of foreign country blocks.
      • Count of weekly VPN connections (are WFH employees able to make successful connections?)
      • Count of files that were FTP’d to the company.
    • Email stats
      • Count of Inbound blocks from email filters. (block by sender, domain, body, subject, etc).
      • Count of Outbound mail flow stats, how many were sent, etc.
      • Count of phishing emails reported, and how many were blocked, allowed, spam, clean, or threat.
      • Phishing trends chart.
    • User Behavior
      • Who are the risky users (clicked on a URL link, downloaded software, etc.)
      • List any discovered passwords.
      • Vulnerable service accounts, (outdated passwords, etc).
      • PIM activations? Sensitive group changes?
    • Future Initiatives
      • Hardening initiatives
        • How many hosts have local admin rights still?
        • Workstation / server hardening scan results. Percent of assets that meet PCI, CIS, Cisco, DISA, FDCC, or HIPAA standards.
        • How many firewall rules are not being used (have a 0-hit count)?
      • BYOD devices.
        • Count of users accessing company resources using BYOD (i.e. email, teams, or SharePoint)
        • Are BYOD assets patched, and do they meet a minimum OS version?
  • Export a KeePass Master Key File

    To increase security, you can require KeePass to use both a key file and a password to open the database. This makes it, technically, two-factor authentication (2FA).

    Go to File > Change Master password. Check ‘Show expert options’.

    Enter a new master password. Check the key file box and select Create. When completed, save the key file to a secure location, such as a USB stick with drive letter G:.

    Plug in the USB stick. Launch KeePass, enter the password, and make sure the “key file/provider:” is pointed at your USB stick. The database will now open.

    Finally, be sure to back up the key file to your backup location (external hard drive, cloud, etc.). If the key file is ever lost, there is no way to open the database.

  • How to Command Respect from Others

    I saw a YouTube video on a Russian Mafia Don in which he stated how to command respect from others. You have to follow a few simple rules. I liked the advice so much that I am reproducing it here.

    Do not divide your attention; focus, and look the person in the eye.

    Make decisions and stick to them.

    Listen first, speak second.

    Speak slowly.

  • Generic Outline for Writing a Policy or Procedure

    Initial Thoughts

    Policies are global in nature. All company employees are expected to follow the guidelines. Examples of policies include the Acceptable Use Policy (AUP), Memorandum of Understanding (MOU), or Bring Your Own Device (BYOD) policy. These are often generic guidelines that all employees must adhere to. On the other hand, procedures are typically at the department or team level. They are a step-by-step guide book. Many departments will have multiple Standard Operating Procedures (SOPs) for a wide variety of topics.

    When writing either, follow a general outline. Here is some generic language to get you started.

    General Outline

    1. Purpose – Define the purpose of the policy.

    2. Requirements – Why is this required? What standards are to be followed? PCI data security standard (PCI DSS)? What other Legal or regulatory rules apply?

    3. Definitions – Define any terms or definitions used in the document.

    4. Process & Procedure – Typically a flow chart. Also, what data is to be evaluated (input) and what results are expected (output). Are any records created? Any reports generated?

    5. Role Responsibilities – Who is to do what? Who is to use this procedure?

    7. Communication, Exceptions, & Sanctions – Who is this procedure to be communicated to? All employees? Who is exempt from following the policy? Who should they contact to get an exemption? What is the penalty if it is not followed?

    8. Document Control – Who is the owner of the document? How often is it reviewed (annually?)? A revision history chart is needed.

    9. Appendix – A written copy of the PCI standards that the document references, a URL, or other notes or documents.