These 5 key indicators of compromise can prevent a breach
Logons are the one common activity across nearly all attack patterns. They also are the clearest indicators of a compromise. Here’s what to look for to prevent a breach.
A common activity across nearly all attack patterns, logons are one of the clearest indicators of compromise. Watching your Windows domain logons can help protect company data and thwart attacks.
In this white paper, you’ll find:
Who and what exactly, are the common threats.
Detailed descriptions of potential indicators of compromise.
Why Windows logons are the easiest indication of compromise.
How UserLock can leverage this indicator to not just detect, but prevent a breach.
Who and what, exactly, are the threats?
The most common threat actors boil down into two groups. The first are external actors (hackers, malware authors, threat organizations, etc.), responsible for over 80% of data breaches.
The second are internal actors. They either already have access to your valuable data, or hack internally to obtain access. Although responsible for a smaller percentage of all breaches, insiders cause 20x as much damage as external actors.
Of course, you can also see compromises linked to partners and multiple actors working together.
Adding more complexity, there are also plenty of ways to infiltrate a network. Hacking, social engineering, and malware all top the list as attack vectors in data breaches, which only makes it more difficult to protect and detect against compromise.
There are obvious protection and prevention steps you should take, such as patching, the use of antimalware/anti-phishing software, application whitelisting, and more. But, as mentioned before, even in organizations with the strongest of security stances, successful attacks still occur.
For the remainder of this paper, we’re going to make the assumption that, despite IT’s best intentions and efforts to properly secure the environment, compromise will continue to exist. So, it then becomes critical to be able to identify indicators of compromise. These are outliers from normal activity, network traffic, access, etc., and IT needs to investigate and/or respond to them. You never know when one will be a legitimate compromise event.
So, what are the indicators of compromise?
How to identify key indicators of compromise
Any effective attack will include stealth or obfuscation to some degree, so compromise indicators don’t always show up in the same way.
So, let’s look at compromise using a set of layers of access (see diagram) within your environment — each one susceptible to attack and, therefore, compromise — and see what indicators lie at each.
Perimeter security
It used to be that the perimeter was your firewall. But we know that organizations like yours today regularly have applications exposed for external use, utilize private and public cloud infrastructures (which logically extends the perimeter), and allow various kinds of remote access to internal resources. And, because there is a portion of that network that is exposed, it’s an obvious attack vector and point to identify compromise.
Indicators of compromise at this point in your environment will require some analysis. They include:
Mismatched port/application traffic: Communication with internal systems (which may include inbound commands and outbound exfiltration of data) often needs to take place over open ports (e.g. HTTP traffic over TCP port 80) to reach an external server.
Increases in data reads / outbound traffic: The goal is to obtain as much data as possible; looking for additional reads on databases, as well as outbound traffic sizes are clear indicators something is amiss.
Geographical irregularities: You have zero business in Ukraine. So, why is there so much traffic between that country and your organization? Abnormal communication sources are an obvious sign the connection requires your attention.
Endpoint security
Interestingly enough, today’s endpoints are the one part of a network that are constantly accessible outside the perimeter — they reach beyond the network to surf the web, as well as act as receptacles for inbound email (both giving malware a means of entry and a chance to embed itself).
Indicators of compromise on endpoints involve some deep-dive comparison around what’s normal for both configurations and activity for a given endpoint. Indicators include:
Rogue processes: Everything from malware, to hacker tools are seen as a process that hasn’t run on an endpoint before. This isn’t always easy, as some hackers live “off the land” using existing commands, DLLs, and executables, or use direct memory injection to avoid detection.
Persistence: The presence of tasks, auto-run registry settings, browser plugins, and even tampering with service settings all demonstrate an endpoint is compromised.
Logon security
Most attackers focus on leveraging accounts to either access data or to move about the organization. Logons are the necessary first step to gaining access to an endpoint with valuable data. Indicators include the following logon abnormalities:
Endpoint used: The CEO never logs on from a machine in Accounts Payable, right?
When used: A user with a 9-to-5 job function logging in on a Saturday at 3 a.m.? Yeah, that’s suspicious.
Frequency: A user who normally logs on once in the morning and logs out in the evening suddenly logs on and off in short bursts, and could indicate a problem.
Concurrency: Most users log on to a single endpoint. Seeing a user like that suddenly logs onto multiple endpoints simultaneously is an obvious red flag.
Lateral movement security
This is a necessary step for most attacks, as their initial foothold is a low-level workstation with no rights to access anything of value. Lateral movement is the process of jumping machines (as much as is needed) to locate and access a system with valuable data.
While this may seem a bit like Logons, it’s far more an analysis of the combination of connection types (via RDP, SMB, etc.) and authentication (read: logons) than anything. Indicators include:
Mismatch of users/applications: Low-level users rarely (if ever) use IT-related tools, scripting, etc. And users that never utilize an RDP session, etc. — are equally sketchy.
Abnormal network traffic: Tools like Netcat can direct communications over allowed ports, and any kind of existence or excess of traffic not normally seen (e.g., SMB, RPC, RDP, etc.) — all indicate possible compromise.
Data access security
Like every part of the environment previously covered, even access to your data — whether file-based, in a database, or on an enterprise content management solution — is relatively predictable over time. So looking for the following abnormalities may indicate a compromise:
When accessed: Like logons, user access to data of any type is rather consistent over time. After-hours access is worthy of suspicion.
From where: Valuable data normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter.
Amount of data: Aligning with the perimeter’s need for watching to increases in data being sent out of the network, watch for any increases in data reads, exports, or copies/saves of any valuable data.
Finding the easiest indication of compromise
Since most indicators require deep analysis it is prohibitive from a time (and even cost) standpoint to begin monitoring for most of these indicators. You’re often going to need to cross-reference multiple sources of information to gain any kind of insight.
We must determine which of these indicators can be most easily detected while providing the greatest indicator for compromise.
In the end, one foundational truth helps to narrow your focus of where to start — an attacker is powerless to do anything in your organization unless they can compromise a set of internal credentials.
Except for perimeter attacks (where attack methods like SQL injections need no credentials to access data), every other layer mentioned in this paper requires a logon at some point. Endpoints require logons for access, lateral movement of any type requires authentication to access a target endpoint, and access to data first requires an authenticated connection.
Simply put: no logon, no access!
Over 80% of hacking-related breaches leveraged either stolen or weak passwords, making logons the one common activity across nearly all attack patterns. So, if you must choose one area to put your focus on, it’s the logon.
Don't just detect breaches, prevent them
By assuming the logon to be a key indicator, you can also identify compromise before key actions take place. This makes logons one of the true preceding indicators. For example the indicators associated with lateral movement and data access only occur after the action has already been taken.
What’s more, when logons are monitored appropriately, they can be tied to automated responses using third-party solutions. For example UserLock will take action such as logging off users and implementing account usage restrictions to thwart threat actors, and protect company data. In short, should something fall outside a set of established restrictions, UserLock automatically takes action before the damage is done — not only when IT intervenes.
Deter and stop compromise with UserLock's logon security
As part of a mature security strategy, the assumption that some attacks will still get past even the best layered defense is both necessary and responsible. Under that premise, it becomes necessary for IT to look for indicators of compromise as early on in an attack as is possible.
While some indicators are more difficult to monitor than other, logons remain one of the easiest to observe. And by identifying compromise before key actions take place, logons can be tied to automated responses with UserLock, to not only detect but prevent network breaches.