
Key indicators of compromise to prevent a breach


What are the threats?

There are two distinct groups of threat actors:

  • External actors: hackers, malware authors, criminal organizations and the like. They account for approximately two thirds of data breaches.
  • Internal actors: they usually already have access to your network, or they attack from the inside to obtain it. They account for a little less than one third of data breaches, which leaves the remainder to partners and to multiple actors working together.


Key indicators of compromise

Compromise indicators don’t always show up in the same way. Let’s look at compromise using a set of layers of access within your environment – each one susceptible to attack and, therefore, compromise – and see what indicators lie at each.

Perimeter

The perimeter used to be your firewall. Nowadays, organizations usually have applications exposed for external use, utilize private and/or public cloud infrastructure (which extends the perimeter), and allow different kinds of remote access to internal resources. Because part of that network is exposed, it is an obvious attack vector and an obvious place to look for compromise.

Indicators of compromise at this point in your environment will require some analysis. They include:

  • Mismatched port/application traffic – an attacker’s communication with internal systems (inbound commands and outbound exfiltration of data) often has to travel over ports that are already open (e.g. tunnelled over TCP port 80, the HTTP port) to reach an external server, so traffic whose protocol does not match the port it uses is a sign.
  • Increases in data reads / outbound traffic – the attacker’s goal is to obtain as much data as possible; additional reads on databases, as well as larger outbound transfers, are clear indicators that something is amiss.
  • Geographical irregularities – You have zero business in Russia, so why is there so much traffic between that country and your organization? Abnormal communication sources are a definite sign that the connection requires your attention.

Endpoint

Today’s endpoints are constantly accessible outside the perimeter – they reach beyond the network to surf the web, and act as receptacles for inbound email (both giving malware a means of entry).

Indicators of compromise on endpoints involve some deep comparison around what’s normal for both configurations and activity for a given endpoint. Indicators include:

  • Rogue processes – Everything from malware to hacker tools shows up as a process that has not run on an endpoint before. Spotting them is not always easy, as some attackers live “off the land” using existing commands, DLLs and executables, or use direct memory injection to avoid detection.
  • Persistence – The presence of tasks, auto-run registry settings, browser plugins, and even tampering with service settings all show that an endpoint might be compromised.
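As an added illustration of the two endpoint indicators above (this is example code written for this page, not a tool from the article or from IS Decisions), the script below diffs a current endpoint snapshot against a known-good baseline. Both snapshots are constructed sample data with abbreviated registry paths; the process inventory is compared as (name, parent) pairs so that a legitimate binary started by an unusual parent, the living-off-the-land case, is flagged alongside binaries never seen on the host.

```python
"""Added example, not from the article: diff an endpoint's current process
list and persistence locations against a known-good baseline. All inventory
data below is constructed sample data; the registry paths are abbreviated."""
from typing import Dict, List, Set, Tuple

Proc = Tuple[str, str]  # (process image name, parent image name)

# Constructed baseline recorded while the endpoint was known-good.
BASELINE = {
    "processes": {
        ("explorer.exe", "userinit.exe"),
        ("outlook.exe", "explorer.exe"),
        ("chrome.exe", "explorer.exe"),
        ("powershell.exe", "explorer.exe"),  # admins do use it interactively
        ("svchost.exe", "services.exe"),
    },
    # registry autorun value -> command (abbreviated constructed paths)
    "autoruns": {r"HKCU\...\Run\OneDrive": r"C:\Users\alice\...\OneDrive.exe"},
    "tasks": {r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    "services": {"WinDefend": "auto", "Dnscache": "auto"},  # name -> start type
}

# Constructed snapshot of the same endpoint taken later.
CURRENT = {
    "processes": {
        ("explorer.exe", "userinit.exe"),
        ("outlook.exe", "explorer.exe"),
        ("chrome.exe", "explorer.exe"),
        ("svchost.exe", "services.exe"),
        ("powershell.exe", "outlook.exe"),   # known binary, unusual parent
        ("svc_update.exe", "explorer.exe"),  # never seen on this host
    },
    "autoruns": {
        r"HKCU\...\Run\OneDrive": r"C:\Users\alice\...\OneDrive.exe",
        r"HKCU\...\Run\Updater": r"C:\Users\alice\AppData\Roaming\svc_update.exe",
    },
    "tasks": {r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"\Updater"},
    "services": {"WinDefend": "disabled", "Dnscache": "auto"},
}


def diff_snapshot(baseline: dict, current: dict) -> List[Tuple[str, str]]:
    """Return (category, description) findings for everything that changed."""
    findings = []
    known_names: Set[str] = {name for name, _ in baseline["processes"]}
    # Comparing (name, parent) pairs rather than names alone catches the
    # living-off-the-land case: a legitimate binary started by an odd parent.
    for name, parent in sorted(current["processes"] - baseline["processes"]):
        kind = ("known binary, unusual parent" if name in known_names
                else "binary never seen on this endpoint")
        findings.append(("process", f"{name} (parent {parent}): {kind}"))
    base_auto: Dict[str, str] = baseline["autoruns"]
    for key, cmd in sorted(current["autoruns"].items()):
        if key not in base_auto:
            findings.append(("persistence", f"new autorun {key} -> {cmd}"))
        elif base_auto[key] != cmd:
            findings.append(("persistence", f"autorun {key} now runs {cmd}"))
    for task in sorted(current["tasks"] - baseline["tasks"]):
        findings.append(("persistence", f"new scheduled task {task}"))
    for svc, start in sorted(current["services"].items()):
        before = baseline["services"].get(svc)
        if before != start:
            findings.append(("tampering", f"service {svc} start type {before} -> {start}"))
    return findings


if __name__ == "__main__":
    for category, text in diff_snapshot(BASELINE, CURRENT):
        print(f"[{category}] {text}")
```

In practice the baseline would come from an inventory agent or a golden image, and the snapshot from the same agent on a schedule; the point of the diff is that the rare new entry in a short list of changes is far easier to review than the full process or autorun list.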

Logons

Most hackers focus on leveraging user accounts to either access data or move about the organization. Logons are the required first step to gaining access to an endpoint with valuable data. Key indicators include the following logon abnormalities:

  • Endpoint Used – The CEO never logs on from a machine in Accounts Payable, right?
  • Time – A user with a 9-to-5 job function logging in on a Sunday at 5am? Yeah, that’s suspect.
  • Frequency – A user normally logs on once in the morning and logs off in the evening; if they suddenly start logging on and off in short bursts, it could indicate that something is wrong.

Lateral movement

Most hackers need this step, as their initial foothold is a low-level workstation with no rights to access anything of value. Lateral movement is the process of jumping from machine to machine (as many times as needed) to find and access a system with precious data. While this is similar to Logons, it is more an analysis of the combination of connection types (via RDP, SMB, etc.) and authentication (logons) than anything else. Indicators include:

  • Mismatch of users/applications – Low-level users rarely (if ever) use IT-related tools, scripting, etc., and a user who has never opened an RDP session suddenly doing so is equally sketchy.
  • Abnormal network traffic – Tools like netcat can direct communications over allowed ports, and the presence or excess of traffic not normally seen between hosts (e.g. SMB, RPC, RDP) indicates possible compromise.
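The perimeter indicators (mismatched port/application traffic, increases in outbound traffic, geographical irregularities) and the lateral-movement indicator of abnormal admin-protocol traffic between internal hosts can all be run over the same flow records. The script below is an added example written for this page, not code from the article or from IS Decisions. The address range, country list, per-host baselines and the flow records are constructed; the "app" field stands for whatever protocol label your flow sensor assigns.

```python
"""Added example, not from the article: run the perimeter and lateral-movement
indicators over a day of flow records. The records, baselines, address ranges
and country list are all constructed for the example; the "app" field stands
for whatever protocol label your sensor assigns to a flow."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # constructed
EXPECTED_COUNTRIES = {"US", "DE"}                             # where we do business
EXPECTED_APP = {80: "http", 443: "tls", 53: "dns", 445: "smb", 3389: "rdp", 135: "rpc"}
ADMIN_PROTOCOLS = {"smb", "rdp", "rpc"}
# Constructed baselines: usual outbound bytes per day per host, and the hosts
# that normally open admin protocols to other internal hosts (the jump host).
BASELINE_BYTES_OUT = {"10.0.1.20": 50_000_000, "10.0.1.21": 40_000_000, "10.0.2.5": 200_000_000}
BASELINE_ADMIN_SOURCES = {"10.0.2.5"}

FLOWS = [  # constructed flow records for one day
    {"src": "10.0.1.20", "dst": "93.184.216.34", "dport": 443, "app": "tls", "bytes": 30_000_000, "country": "US"},
    {"src": "10.0.1.20", "dst": "198.51.100.7", "dport": 80, "app": "ssh", "bytes": 900_000_000, "country": "RU"},
    {"src": "10.0.1.21", "dst": "10.0.1.20", "dport": 445, "app": "smb", "bytes": 5_000_000, "country": None},
    {"src": "10.0.2.5", "dst": "10.0.1.20", "dport": 3389, "app": "rdp", "bytes": 2_000_000, "country": None},
    {"src": "10.0.1.21", "dst": "203.0.113.9", "dport": 443, "app": "tls", "bytes": 10_000_000, "country": "DE"},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse_flows(flows: List[Dict], ratio: float = 3.0) -> List[Tuple[str, str]]:
    """Return (layer, description) findings; layer is 'perimeter' or 'lateral'."""
    findings = []
    out_bytes: Dict[str, int] = defaultdict(int)
    for f in flows:
        internal_dst = is_internal(f["dst"])
        layer = "lateral" if internal_dst else "perimeter"
        # Mismatched port/application traffic: a protocol riding on a port
        # that is open for something else.
        expected = EXPECTED_APP.get(f["dport"])
        if expected and f["app"] != expected:
            findings.append((layer, f"{f['src']}->{f['dst']}:{f['dport']} carries {f['app']}, expected {expected}"))
        if internal_dst:
            # Lateral movement: admin protocol from a host that never uses it.
            if f["app"] in ADMIN_PROTOCOLS and f["src"] not in BASELINE_ADMIN_SOURCES:
                findings.append((layer, f"{f['src']} opened {f['app']} to {f['dst']}; not a usual admin source"))
        else:
            out_bytes[f["src"]] += f["bytes"]
            # Geographical irregularity: peer in a country we have no business in.
            if f["country"] not in EXPECTED_COUNTRIES:
                findings.append((layer, f"{f['src']} talks to {f['dst']} in {f['country']}"))
    # Increase in outbound traffic relative to each host's own baseline.
    for src, total in sorted(out_bytes.items()):
        base = BASELINE_BYTES_OUT.get(src)
        if base and total > ratio * base:
            findings.append(("perimeter", f"{src} sent {total:,} bytes out, {total / base:.1f}x its baseline"))
    return findings


if __name__ == "__main__":
    for layer, text in analyse_flows(FLOWS):
        print(f"[{layer}] {text}")
```

On the constructed day the second flow trips two perimeter checks at once (SSH on the HTTP port, to a peer in a country with no business relationship) and pushes its source host far past its outbound baseline, while the SMB connection from a workstation that never acts as an admin source is reported as lateral movement. The volume threshold is a per-host multiple rather than a fixed byte count, because the jump host legitimately moves far more data than a clerk's PC.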

Data access

Like every part of the environment we previously covered, even access to your data is quite predictable over time. This is why looking for the following abnormalities may indicate a compromise:

  • Time – Like logons, user access to data of any type is consistent over time. After-hours access might be suspicious.
  • Endpoint Used – Important data that is normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter.
  • Amount of Data – Just as the perimeter needs watching for increases in data leaving the network, watch for any increase in reads, exports, or copies/saves of important data.
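The Logons indicators (endpoint used, time, frequency) and the Data access indicators (time, endpoint used, amount of data) are the same kind of check: compare each event with a per-user profile of what is normal. The script below is an added example written for this page, not code from the article or from IS Decisions; the user profiles, logon events and file-server read events are constructed sample data, and the working-hours window and burst threshold are assumptions you would tune to your own environment.

```python
"""Added example, not from the article: profile-based checks for the logon
and data-access indicators (endpoint used, time, frequency, amount of data).
Profiles, logon events and read events are all constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed per-user baselines: usual endpoints, working hours (24h, Mon-Fri)
# and typical bytes read from the file server per day.
PROFILES: Dict[str, dict] = {
    "ceo":   {"hosts": {"CEO-LAPTOP"}, "hours": (8, 19), "bytes_per_day": 50_000_000},
    "clerk": {"hosts": {"AP-PC01", "AP-PC02"}, "hours": (9, 17), "bytes_per_day": 20_000_000},
}

LOGONS = [  # constructed (user, endpoint, timestamp); 2024-03-04 is a Monday
    ("ceo", "CEO-LAPTOP", datetime(2024, 3, 4, 8, 55)),
    ("ceo", "AP-PC02", datetime(2024, 3, 4, 13, 10)),    # CEO on an Accounts Payable PC
    ("clerk", "AP-PC01", datetime(2024, 3, 3, 5, 2)),    # Sunday, 05:02
    ("clerk", "AP-PC01", datetime(2024, 3, 4, 9, 1)),
    ("clerk", "AP-PC01", datetime(2024, 3, 4, 9, 3)),
    ("clerk", "AP-PC01", datetime(2024, 3, 4, 9, 4)),
    ("clerk", "AP-PC01", datetime(2024, 3, 4, 9, 6)),    # four logons in five minutes
]

READS = [  # constructed (user, endpoint, timestamp, bytes read)
    ("clerk", "AP-PC01", datetime(2024, 3, 4, 10, 0), 15_000_000),
    ("clerk", "VPN-GW", datetime(2024, 3, 4, 22, 30), 400_000_000),  # after hours, via the perimeter
]


def off_hours(profile: dict, ts: datetime) -> bool:
    """True on weekends or outside the user's normal working hours."""
    start, end = profile["hours"]
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def check_logons(logons, burst_count: int = 4,
                 burst_window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    findings = []
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for user, host, ts in logons:
        p = PROFILES[user]
        if host not in p["hosts"]:
            findings.append(("endpoint", f"{user} logged on from {host}, not one of their usual endpoints"))
        if off_hours(p, ts):
            findings.append(("time", f"{user} logged on {ts:%a %H:%M}, outside working hours"))
        per_user[user].append(ts)
    # Frequency: burst_count logons inside burst_window for one user.
    for user, stamps in per_user.items():
        stamps.sort()
        for i in range(len(stamps) - burst_count + 1):
            if stamps[i + burst_count - 1] - stamps[i] <= burst_window:
                findings.append(("frequency", f"{user}: {burst_count} logons within {burst_window} from {stamps[i]:%H:%M}"))
                break
    return findings


def check_reads(reads, ratio: float = 3.0) -> List[Tuple[str, str]]:
    findings = []
    daily: Dict[Tuple[str, object], int] = defaultdict(int)
    for user, host, ts, nbytes in reads:
        p = PROFILES[user]
        if off_hours(p, ts):
            findings.append(("time", f"{user} read data {ts:%a %H:%M}, outside working hours"))
        if host not in p["hosts"]:
            findings.append(("endpoint", f"{user} read data via {host}, not one of their usual endpoints"))
        daily[(user, ts.date())] += nbytes
    # Amount: daily read volume against the user's own baseline.
    for (user, day), total in daily.items():
        base = PROFILES[user]["bytes_per_day"]
        if total > ratio * base:
            findings.append(("amount", f"{user} read {total:,} bytes on {day}, {total / base:.1f}x baseline"))
    return findings


if __name__ == "__main__":
    for category, text in check_logons(LOGONS) + check_reads(READS):
        print(f"[{category}] {text}")
```

Run as-is, the CEO's logon on an Accounts Payable machine, the clerk's Sunday 05:02 logon and the clerk's burst of four logons in five minutes are reported from the logon events, and the clerk's late-evening read through the VPN gateway is reported three times over: off hours, unusual endpoint, and a day's volume far above the user's baseline. The profiles here are hand-written; in production they would be learned from a few weeks of history and refreshed as roles change.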

Easiest indicator of compromise

Most of these indicators require deep analysis, which makes monitoring all of them prohibitive from a time (and even cost) standpoint. You often have to cross-reference different sources of information to gain any insight.

The best approach is to determine which indicator can be detected most easily while giving the strongest indication of compromise.

To narrow it down, there is one truth that helps: a hacker can’t do anything in your organization unless they can compromise a set of corporate credentials.

Except for perimeter attacks (attack methods like SQL injections need no credentials to access data), every other layer mentioned in this article requires a logon at some point. Endpoints require logons for access, lateral movement requires authentication to access a target endpoint, and data access first requires an authenticated connection.

Simply put: no logon, no access!

In fact, 81 percent of data breaches leveraged either stolen or weak passwords, making logons the one activity common to nearly all attack patterns. So, if you have to choose one area to focus on, it’s the logon.

Stop compromise with logon security

You always have to assume that attackers will still get past even the best layered defense. It then becomes necessary for the IT team to look for indicators of compromise as early on in an attack as possible.

Some indicators are more difficult to monitor than others, but logons remain one of the easiest to observe. By identifying compromise before key actions take place, logon monitoring can be combined with automated responses to not only detect but prevent network breaches.

François Amigorena, founder and CEO, IS Decisions