Users, computers, and even entire networks can be compromised. Depending on the scenario, security analysts have to look out for different types of indicators of compromise (IOCs). I discuss multiple scenarios below and give examples of what to be on the lookout for. If a compromise is suspected, you should collect basic artifacts about the affected host and user. They will be needed as a starting point if a forensic investigation is undertaken.

Basic artifacts to collect when a suspected compromise has occurred:

  • Suspected email address and domain of the sender.
  • Link or URL in an email.
  • Files received by ftp, p2p, or as email attachments.
  • IP address of host.
  • Browser history.
  • Affected user.
  • Log entries for past xx hours.
  • File name, size, and hash of new files that have suddenly appeared (for example, in a temp folder).
  • Running processes.

Examples of Indicators of a Compromise of a User’s Account:

  • Suspicious Logins – Login attempts by accounts that do not exist, after-hours login successes.
  • Unusual user account activity – Watch for time of day, systems accessed, and the type and volume of data accessed.
  • Geographic irregularities – Where is a user logging in from? Does a user account login from two different countries in a short period of time?

Examples of a Server or Workstation Compromise:

  • Unusual network traffic – Typically monitor outbound traffic for spikes to unknown locations.
  • Review for log anomalies – Were any files downloaded around the suspected start time?
  • Increase in database read volume – When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume.
  • Suspicious registry or file system changes – You need to create a baseline and define what a clean registry looks like. Use file integrity monitoring (FIM) to watch for changes. Was new software installed?
  • Bundles Of Data In The Wrong Places – Do you see gigabytes of data where they should not exist, particularly in compressed archive formats, or in the temp folder? Unexplained encrypted files, or random files appearing in a folder location not typically monitored by FIM, are also suspicious.

Sample Indicators of a Network Compromise:

  • Unusual DNS requests and web traffic showing non-human behavior – Is it an unknown web browser or a curl command? Check the user-agent string, which identifies the client. Does a user reach out to 20 different sites simultaneously?
  • Geographic irregularities – Connections to countries that the company does not do business with.
  • Mismatched Port-Application Traffic – e.g., DNS requests over port 80.
  • Signs Of DDoS Activity – Distributed denial-of-service (DDoS) attacks are frequently used as smokescreens to camouflage other, more pernicious attacks. Signs of DDoS are slow network performance, unavailability of websites, firewall failover, or back-end systems working at maximum capacity for unknown reasons. DDoS attacks attempt to overload mainstream services as well as security reporting systems, such as IPS/IDS or SIEM solutions. This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity.
  • Large Numbers Of Requests For The Same File – Is a single user or IP making 500 requests for ‘join.php’?
  • DNS Request Anomalies – A large spike in DNS requests from a specific host. In the words of the referenced article: “Watching for patterns of DNS requests to external hosts, compared against geolocation IP and reputation data, and implementing appropriate filtering.”

Web Browser Indicators:

  • HTML response sizes – If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. If the attacker extracts a full credit card database, then a single response for that attacker might be 50 MB, where a normal response is only 200 KB.
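As an added example (not from the original post or the article it references), here is a small Python sweep over web-server log lines that checks for the three web indicators discussed above: one source making hundreds of requests for the same file, responses far larger than a normal page, and clients whose user-agent is not a browser. The log lines, IP addresses and thresholds are constructed for illustration; the thresholds are tuning assumptions, not values from the post.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx): ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                      r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')

def build_sample_log():
    """Constructed sample traffic, not real data: two normal browser hits, then one
    client that pulls a 50 MB response from a ~200 KB page and hammers join.php."""
    ts, browser = "10/Mar/2024:09:01:02 +0000", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    lines = [
        f'10.0.0.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" "{browser}"',
        f'10.0.0.5 - - [{ts}] "GET /products?id=7 HTTP/1.1" 200 204800 "-" "{browser}"',
        f'203.0.113.9 - - [{ts}] "GET /products?id=7 HTTP/1.1" 200 52428800 "-" "curl/8.4.0"',
    ]
    return lines + [f'203.0.113.9 - - [{ts}] "GET /join.php HTTP/1.1" 200 512 "-" "curl/8.4.0"'] * 500

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped instead of aborting the sweep."""
    records = []
    for m in filter(None, map(LOG_LINE.match, lines)):
        rec = m.groupdict()
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return records

def find_indicators(lines, repeat_threshold=100, size_threshold=10 * 1024 * 1024):
    """Return (ip, indicator, detail) tuples. Both thresholds are tuning assumptions,
    picked so that the post's own figures (500 requests, 50 MB vs 200 KB) trip them."""
    recs, findings = parse(lines), []
    # 1. One source requesting the same file over and over (query string ignored)
    hits = Counter((r["ip"], r["path"].split("?")[0]) for r in recs)
    for (ip, path), n in hits.items():
        if n >= repeat_threshold:
            findings.append((ip, "repeated_requests", f"{n} requests for {path}"))
    # 2. Successful responses far larger than any normal page on this site
    for r in recs:
        if r["status"] == "200" and r["size"] >= size_threshold:
            findings.append((r["ip"], "oversized_response", f"{r['size']} bytes for {r['path']}"))
    # 3. Clients whose User-Agent is not a browser: browsers send a Mozilla/ prefix, curl does not
    for ua, ip in sorted({(r["ua"], r["ip"]) for r in recs}):
        if not ua.startswith("Mozilla/"):
            findings.append((ip, "non_browser_ua", ua))
    return findings

if __name__ == "__main__":
    for ip, kind, detail in find_indicators(build_sample_log()):
        print(f"{ip:15} {kind:20} {detail}")
```

On real traffic, tune the thresholds against a baseline of normal response sizes and request rates for each site before acting on the findings.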

Mobile Device Compromises:

  • Mobile Device Profile Changes – Changes to a mobile user’s device settings, replacement of user apps, or a new configuration profile that was not provided by the enterprise.

References: https://www.darkreading.com/cyberattacks-data-breaches/top-15-indicators-of-compromise
