* Look for a device using multiple accounts and credentials to access network resources.
Attackers rely on valid credentials because they make movement easier and keep their activity looking legitimate. They steal or create accounts and use them to explore the environment and gain access, and this is true of external and internal attackers alike. Analyze credential usage to spot the outliers that such activity produces.
- Data Source: Network traffic monitoring and the logs from your authentication and authorization infrastructure are your best sources for credential abuse. Extract the data and analyze it to establish how many systems each user normally interacts with, and how many accounts each device normally presents. Then monitor for deviations from that baseline.
- Challenges: There is a lot of variability between users, so a single “average” user is a rough baseline at best; per-user or per-role baselines catch more. Even just listing your high-volume users gives decent visibility: if a new name appears on the list, check it out.
* Look for an attacker trying to find valuable data on file servers. One step an attacker will typically take is to work out which Windows file shares are broadly accessible, either to hunt for important data, such as intellectual property or credit card numbers, or to encrypt data remotely for ransom. Spotting anomalies in file share access can be a valuable signal, and may also alert you to an employee who is considering insider theft.
- Data Source: Logs from your file servers are the best bet if you do this yourself. It takes some analysis to turn per-event records into a view from each user's perspective, which is what makes user-access anomalies visible.
- Challenges: Some file shares are genuinely accessed by everyone, and a spike as a user visits one for the first time may be a false positive, so exclude such common shares from the anomaly logic. In addition, file access data is messy and hard to analyze. SMB activity can be observed with network tools as well, but extracting the information that matters is a lot of work.
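The two hunts above share one mechanism: count the distinct resources each principal touches per day, baseline it, and flag principals whose fan-out jumps or who have no history at all. The following is an added example, not code from the original article, that applies that mechanism to constructed logon records (accounts per source device) and constructed share-access records (shares per user). The record layouts, the seven-day baseline and the thresholds are assumptions made for the illustration; the exclusion of shares that many users already visit implements the false-positive caveat from the Challenges note.

```python
"""Fan-out baselines from authentication and file-share logs (added example).

Two views built with the same routine:
  * credential abuse: distinct accounts used from each source device
  * file-share hunting: distinct shares touched by each user
Log records, field layout and thresholds are assumptions; real logs need a
parsing step that yields the same (day, key, value, ...) tuples.
"""
from collections import defaultdict

BASELINE_DAYS = range(1, 8)   # days 1-7 establish "normal"
OBSERVE_DAY = 8               # the day we hunt in

# Constructed logon records: (day, source_host, account, target_host).
AUTH_LOG = [
    *[(d, "ws-alice", "alice", h) for d in BASELINE_DAYS for h in ("fs01", "mail")],
    *[(d, "ws-bob", "bob", h) for d in BASELINE_DAYS for h in ("fs01", "mail")],
    *[(d, "ws-bob", "svc-backup", "fs01") for d in BASELINE_DAYS],
    (8, "ws-alice", "alice", "fs01"),
    (8, "ws-bob", "bob", "fs01"), (8, "ws-bob", "svc-backup", "fs01"),
    # ws-bob suddenly presents four accounts it never used before
    (8, "ws-bob", "carol", "fs02"), (8, "ws-bob", "dave", "sql01"),
    (8, "ws-bob", "administrator", "dc01"), (8, "ws-bob", "svc-sql", "sql01"),
    (8, "ws-new", "eve", "fs01"),          # a device with no history at all
]

# Constructed share-access records: (day, account, share). Names shortened;
# real logs carry full UNC paths.
SHARE_LOG = [
    *[(d, u, "public") for d in BASELINE_DAYS for u in ("alice", "bob", "carol")],
    *[(d, "alice", "finance") for d in BASELINE_DAYS],
    *[(d, "bob", "eng") for d in BASELINE_DAYS],
    *[(d, "carol", "hr") for d in BASELINE_DAYS],
    *[(d, "dave", "eng") for d in BASELINE_DAYS],
    (8, "alice", "public"), (8, "alice", "finance"), (8, "alice", "eng"),
    (8, "carol", "public"), (8, "carol", "hr"),
    (8, "dave", "eng"), (8, "dave", "public"),   # first visit to a share everyone uses
    *[(8, "bob", s) for s in ("public", "eng", "finance", "hr", "legal", "backups")],
]


def daily_distinct(events, key_idx, value_idx):
    """{key: {day: set(values)}} from tuples whose first field is the day."""
    out = defaultdict(lambda: defaultdict(set))
    for ev in events:
        out[ev[key_idx]][ev[0]].add(ev[value_idx])
    return out


def common_values(events, key_idx, value_idx, baseline_days, min_keys=3):
    """Values (e.g. shares) used by at least `min_keys` distinct keys during the
    baseline. A first visit to one of these is routine, not an anomaly."""
    keys_per_value = defaultdict(set)
    for ev in events:
        if ev[0] in baseline_days:
            keys_per_value[ev[value_idx]].add(ev[key_idx])
    return {v for v, ks in keys_per_value.items() if len(ks) >= min_keys}


def fanout_outliers(events, key_idx, value_idx, baseline_days, observe_day,
                    ratio=2.0, min_new=2, ignore=None):
    """Flag keys whose distinct-value fan-out on observe_day is at least `ratio`
    times their own baseline maximum AND includes `min_new` values never seen in
    the baseline (ignoring `ignore`); keys with no baseline at all are flagged
    too. Returns {key: (baseline_max, observed_count, new_values)}."""
    ignore = ignore or set()
    flagged = {}
    for key, by_day in daily_distinct(events, key_idx, value_idx).items():
        observed = by_day.get(observe_day, set())
        if not observed:
            continue
        baseline_sets = [by_day[d] for d in baseline_days if d in by_day]
        if not baseline_sets:                      # "a new name pops onto the list"
            flagged[key] = (0, len(observed), sorted(observed - ignore))
            continue
        baseline_max = max(len(s) for s in baseline_sets)
        seen_before = set().union(*baseline_sets)
        new_values = sorted(observed - seen_before - ignore)
        if len(observed) >= ratio * baseline_max and len(new_values) >= min_new:
            flagged[key] = (baseline_max, len(observed), new_values)
    return flagged


def credential_outliers():
    """Source devices presenting an abnormal number of accounts."""
    return fanout_outliers(AUTH_LOG, 1, 2, BASELINE_DAYS, OBSERVE_DAY)


def share_outliers():
    """Users touching an abnormal number of shares, ignoring shares everyone uses."""
    routine = common_values(SHARE_LOG, 1, 2, BASELINE_DAYS)
    return fanout_outliers(SHARE_LOG, 1, 2, BASELINE_DAYS, OBSERVE_DAY, ignore=routine)


if __name__ == "__main__":
    print("credential outliers:", credential_outliers())
    print("file-share outliers:", share_outliers())
```

Run stand-alone, the script flags ws-bob (six accounts against a baseline of two) and the history-less ws-new in the credential view, and only bob in the share view: alice's single first-time visit to `eng` and dave's first visit to the widely used `public` share do not clear the thresholds, which is the behaviour the Challenges note asks for.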
* Look for command and control activity or persistent access mechanisms. Attackers need a way to communicate between the Internet and the endpoint(s) they control in your environment. Less malware is used over the course of an attack than there used to be, but malware and Remote Access Trojans (RATs) are still common. Keep an eye on outbound communications for indications of malicious software phoning home.
- Data Source: Many perimeter security tools already look for command and control activity. Targeted malware, however, may contact freshly provisioned infrastructure, including AWS or Azure resources or other new servers, that traditional threat intelligence feeds will not yet recognize.
You can augment your existing security by looking at DNS logs for patterns of look-ups that indicate malware trying to find its command and control servers. A high rate of failed (NXDOMAIN) lookups, or requests for domains that look machine-generated (the output of a domain generation algorithm), are signs of malware designed to evade reputation-based blocking.
- Challenges: Attackers have many ways to conceal command and control traffic, so it is good to keep an eye out, but do not depend on this type of detection alone to discover malware. You can never tell what combination of normal Internet sites, including Twitter, Craigslist, Gmail and many more, malware might use for command and control communications. It is worth spending some effort to track this activity, but it is less important than tracking lateral movement or excessive credential use, which are much harder for an attacker to conceal.
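As an added example (not code from the original article), the following applies the DNS heuristic described above to a few constructed resolver log lines: per client it counts NXDOMAIN responses and labels that look machine-generated (long, high-entropy, with digits or long consonant runs), and flags a client only when both signals are present, since typos produce NXDOMAINs and CDN hostnames look random on their own. The log format, the single-label public-suffix assumption and every threshold are assumptions for the illustration.

```python
"""DNS log heuristics for command-and-control discovery (added example).

Per client: NXDOMAIN ratio plus count of domain labels that look machine-
generated. Flag only when both are high. Log format, public-suffix handling
and thresholds are assumptions for this illustration.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (not real traffic): client qname qtype rcode
DNS_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com A NOERROR
10.0.0.5 cdn.example.net A NOERROR
10.0.0.5 docs.example.org A NOERROR
10.0.0.5 intranet.corp.local A NOERROR
10.0.0.9 www.example.com A NOERROR
10.0.0.9 qzxkv7rplwm.com A NXDOMAIN
10.0.0.9 tbfhx2kdqwz.net A NXDOMAIN
10.0.0.9 pjrvm9xqltk.info A NXDOMAIN
10.0.0.9 hkwzr4ndfvq.com A NXDOMAIN
10.0.0.9 mxtpq8lvbkj.org A NXDOMAIN
10.0.0.9 cwndf6zrkxp.com A NOERROR
10.0.0.12 intranet.corp.local A NOERROR
10.0.0.12 fs01.corp.local A NOERROR
10.0.0.12 exmaple.com A NXDOMAIN
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$")


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def registrable_label(qname):
    """Second-level label ('qzxkv7rplwm' from 'qzxkv7rplwm.com'). Assumes a
    one-label public suffix; a real tool would consult the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label, min_len=10, min_entropy=3.2, max_consonant_run=4):
    """Heuristic for DGA-style labels: long, high-entropy, with a digit or a
    long consonant run. Short or pronounceable labels are not flagged."""
    if len(label) < min_len:
        return False
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", label)
    longest_run = max((len(r) for r in runs), default=0)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= min_entropy and (longest_run > max_consonant_run or has_digit)


def score_clients(log_text, min_queries=5, nx_ratio=0.5, min_generated=3):
    """Return {client: {"nxdomain_ratio": r, "generated": [labels]}} for clients
    whose NXDOMAIN ratio and generated-looking label count both cross thresholds."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "generated": set()})
    for rec in parse(log_text):
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        label = registrable_label(rec["qname"])
        if looks_generated(label):
            s["generated"].add(label)
    flagged = {}
    for client, s in stats.items():
        ratio = s["nxdomain"] / s["total"]
        if s["total"] >= min_queries and ratio >= nx_ratio and len(s["generated"]) >= min_generated:
            flagged[client] = {"nxdomain_ratio": round(ratio, 2), "generated": sorted(s["generated"])}
    return flagged


if __name__ == "__main__":
    for client, info in score_clients(DNS_LOG).items():
        print(client, info)
```

On the sample data only 10.0.0.9 is flagged (five of seven lookups failed, six generated-looking labels); 10.0.0.12's single typo NXDOMAIN and 10.0.0.5's ordinary browsing are left alone. In production the same aggregation would run over a window of hours, and the flagged client's successful lookups (here `cwndf6zrkxp.com`) are the first names to pivot on.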