Traditional cybersecurity protection, like anti-virus tools, perimeter defences or firewalls, are virtually powerless to defend against today’s tech-savvy cybercriminals, who now use legitimate compromised credentials of an employee within an organisation to gain access to sensitive data.
Such is the popularity of using compromised credentials that 81% of data breaches now involve them, according to Verizon’s Data Breach Investigations Report (DBIR) 2017. The sheer volume of attacks of this nature is worrying to organisations, whose security setup is unlikely to flag any malicious behaviour because access has come from a legitimate login.
Organisations have no choice therefore but to do more to find out exactly who is on the network at any given time, and what they’re doing. But monitoring networks, access and file activity manually is not a practical task for any IT team — no matter how many people you’ve got at your disposal.
Which is why organisations should do more to look out for “key indicators of compromise”. When cybercriminals are on your network, stealing your data, they leave behind clues to their existence — much in the same way a burglar in your home will leave behind clues as to how they got in and which rooms they’ve been in. But unlike common burglars, cybercriminals will do their best to cover up their tracks. However, there are a few things that they can’t cover up, which will indicate to you that you’ve got an intruder on your hands.
1. Odd endpoint activity
The first thing includes strange activity on employee endpoints, like smartphones, tablets and laptops. Because of their mobile nature, these are constantly accessible outside the perimeter — and are targets for attack. They reach beyond the network to surf the web, as well as act as receptacles for inbound email (both giving malware and ransomware from phishing a means of entry).
Indicators of compromise on endpoints involve a deep dive comparison around what’s normal for both configurations and activity for a given endpoint. One such indicator is rouge processes. Everything from malware to hacker tools can be seen as a ‘process’ that hasn’t run on an endpoint before. However, this isn’t always easy, as some hackers live ‘off the land’ using existing commands, DLLs, and executables, or use direct memory injection to avoid detection.
Another such indicator is persistence — the presence of tasks, auto-run registry settings, browser plugins, and even tampering with service settings all demonstrate an endpoint is compromised.
2. Strange contextual information around logins
More indicators of compromise can be found by analysing the contextual information around login attempts. Logons often are the first step to gaining access to an endpoint with valuable data on it. Indicators of a breach include a login on an endpoint that isn’t usually used by the person who owns those login credentials, for example a CEO logging on from a machine in the accounts department. Another indicator might be a logon at a strange time of day, for example a user with a 9–5 job function logging in on a Saturday at 3:00am. Abnormal login frequencies are another red flag, especially for those that login once at the beginning of the day and log out at the end of the day. Anything more than two logins from that kind of person should be enough to alert you to a breach. Finally, login concurrency is a huge indicator of a breach. Most users log on to a single endpoint, so seeing a user like that suddenly logged onto multiple endpoints simultaneously is sign of something bad.
3. Lateral movement
Lateral movement is the process of jumping machines in an attempt to locate and access a system with valuable data — something that’s necessary for most attacks because a hacker’s initial foothold is often a low-level workstation with no access rights to anything of significant value. The analysis of the combination of connection types (via RDP, SMB, etc.) and authentication (read: logons) can point to indicators of a breach. For example, low-level users rarely use IT-related tools, scripting or RDP sessions, so if you find someone using those, you may have had a breach. Abnormal network traffic is yet another indicator of compromise — tools like Netcat can direct communications over allowed ports, and any kind of existence or excess of traffic not normally seen (for example SMB, RPC, RDP, etc.).
4. Suspicious data access
Even access to data is relatively predictable over time, which means that any access at a strange time of day or after hours can indicate a compromise. Location is also an important factor — valuable data normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter. The last indicator of compromise is access to an abnormal amount of data. Sudden increases in data being sent out of the network or increases in data reads, exports, copies or saves of valuable data is a clear sign that something malicious is going on.
One of the challenges to all the indicators of compromise above is that they require significant analysis of data that’s not readily accessible at your fingertips. And quite often, you’re going to need to cross reference multiple sources of information to gain any kind of insight.
So the best place to focus your efforts is the logons. It’s difficult for an attacker to cause damage to your organisation unless they are able to compromise a set of employee credentials. By monitoring logon activity more closely, you can identify compromises before key actions, such as lateral movement and data access, take place. That makes monitoring logons a pre-indicator to indicators of compromise. It’s a bit like getting an alert to a burglar trying to enter your house via your front door using your key — you’ll know before they’ve had a chance to set foot on your front doormat so you can do something about it quickly.
It’s all about getting the information you need, when you need it, without needing to ask for it.
François Amigorena, CEO, IS Decisions
Image Credit: Ai825 / Shututerstock