[BreachExchange] Tips for unmasking network attackers

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 8 14:18:52 EDT 2016


http://www.itworldcanada.com/blog/unmasking-network-attackers/384674

No one wants to join the growing list of companies that have announced
they’ve been hacked and suffered a data breach. As CIO, you have confidence
in your IS staff but you’re still wondering if an undetected attack has
already occurred.

Attacks begin with a tiny, difficult-to-detect event such as a single
infection or the take-over of a single computer. The good news is that, as
attackers invariably increase their activity on your network, you can stop
them if you know how to unmask them. Here are five strategies to identify
attackers and stop them.

Look for telltale signs of a breach

Repeated port scans and an excessive number of failed log-ins indicate
reconnaissance as attackers map out your network. These telltale events
occur because attackers need to understand the topology of the network they
have infiltrated as a prelude to creating havoc. First attackers will look
for additional vulnerable workstations and poorly configured servers. Then
they will zero in on administrative accounts and valuable datastores.

Identifying the follow-on from the initial breach will require persistence
because there are a lot of chatty workstations and applications on your
network. It will take a while to filter out your legitimate traffic from
the attacker-initiated traffic.

Look for a normal end-user performing administrative tasks

Increasingly, attackers use your network and data management tools, rather
than known attack tools and malware, to avoid detection by your
signature-based anti-virus and anti-malware software.

This tool usage by attackers is an anomaly that you can detect. You know
who your authorized admin accounts are. You know what tools your
administrators use and what applications and file servers they typically
manage, such as an ERP database, a document management application or an
Intranet website. With that knowledge, you can spot when attackers take
over a non-admin workstation and start performing unexpected administrative
tasks, often at an unusual time of day.

Unfortunately, performing this analysis isn’t as easy as it sounds because
legitimate administrative activity is so sporadic. Monitoring Secure Shell
(SSH) and Remote Procedure Call (RPC) usage provides a good starting point.
Using your list of approved administrative workstations as a baseline, you
can detect the administrative activity initiated by attackers.

Look for workstations using multiple accounts

Attackers love using valid credentials to advance their nefarious activity
and remain undetected. First they hijack existing accounts. Then they
generate new accounts. Attackers use both to explore and to gain more
privileged access. Analyze account usage to spot excessive usage that is
indicative of such attack activity.

Network traffic logs from your authentication and authorization
infrastructure are your best resources for account abuse indications.
Scanning for anomalies, starting with your high volume end-users, should
help you spot attacker-commandeered workstations and accounts.
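The two signals above (an excessive number of failed log-ins from the "telltale signs" section, and one workstation authenticating as many different accounts) can both be pulled from the same authentication log. The script below is an added example, not code from the article or from Risk Based Security; it parses a constructed, hypothetical syslog-style auth log and flags source hosts that exceed placeholder thresholds, which you would set from the baseline of your own workstations.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (hypothetical syslog-style format,
# not taken from the article): timestamp, source host, account, outcome.
SAMPLE_AUTH_LOG = """\
2016-07-08T09:01:10 auth src=10.0.1.21 user=alice result=OK
2016-07-08T09:02:14 auth src=10.0.1.21 user=alice result=OK
2016-07-08T09:03:00 auth src=10.0.1.44 user=bob result=OK
2016-07-08T22:15:01 auth src=10.0.1.77 user=bob result=FAIL
2016-07-08T22:15:03 auth src=10.0.1.77 user=carol result=FAIL
2016-07-08T22:15:05 auth src=10.0.1.77 user=dave result=FAIL
2016-07-08T22:15:07 auth src=10.0.1.77 user=erin result=FAIL
2016-07-08T22:15:11 auth src=10.0.1.77 user=svc_backup result=OK
2016-07-08T22:16:30 auth src=10.0.1.77 user=administrator result=OK
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_auth_log(text):
    """Yield (timestamp, source, user, success) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["user"], m["result"] == "OK"

def find_suspicious_sources(text, max_failures=3, max_accounts=2):
    """Flag source hosts with too many failed log-ins or too many distinct
    accounts. Thresholds are placeholders; set them from your own baseline."""
    failures = defaultdict(int)   # failed log-ins per source host
    accounts = defaultdict(set)   # distinct accounts seen per source host
    for _ts, src, user, ok in parse_auth_log(text):
        accounts[src].add(user)
        if not ok:
            failures[src] += 1
    findings = {}
    for src, users in accounts.items():
        reasons = []
        if failures[src] > max_failures:
            reasons.append("excessive failed log-ins")
        if len(users) > max_accounts:
            reasons.append("multiple accounts from one workstation")
        if reasons:
            findings[src] = {"failures": failures[src],
                             "accounts": sorted(users), "reasons": reasons}
    return findings
```

In the sample, only 10.0.1.77 is flagged: four failures in quick succession followed by successful log-ins as a service account and an administrator, which is the hijack-then-escalate pattern the section describes.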

Look for attackers searching for valuable data

Attackers almost always look for file shares and database access
credentials that are broadly accessible to hunt for important data, such as
intellectual property or credit card numbers. Important data can then be
copied or remotely encrypted for ransom. Spotting anomalies in file and
database access can be a valuable signal of attackers at work.

The data about your file share and database accesses can be messy and
difficult to gather and analyze but will reveal attackers.

Look for command and control activity

Attackers need a way to communicate between the workstations they control
in your network and the Internet. Attackers use Remote Access Trojans
(RATs) for this communication.

Keep an eye on strange, outbound communications for indications of
malicious software phoning home. Attackers may attempt to contact Amazon
Web Services (AWS), Microsoft Azure resources or invalid servers that
aren’t part of your network. Large numbers of Domain Name System (DNS)
look-ups indicate malware trying to find command and control servers.
Attackers can mask their outbound communication by using Twitter,
Craigslist, Gmail, and many more websites.

Once you unmask an intrusion, there is often sufficient time to root out
attackers and malware before a serious data breach inflicts damage.

What is your experience with unmasking network attackers? Share your
thoughts below!