K

Whitepaper

Key Indicators of Compromise

Organizations today live in a world where the threat of compromise is ever-present, ever-changing, and ever-growing. Never before in the history of IT has there been so much focus on the need for security – so much so, that it’s become an integral criteria when vetting, discussing, or choosing new solutions, platforms, and applications.

Threat actors are no longer individuals, but are thriving businesses seeking to grow their revenue each year by improving their fiendish “products” and “services”. In many ways, because we’re no longer fighting an opportunistic thrill-seeker, but a collective group of individuals intent on breaking in and stealing anything valuable on your network, IT needs to focus as much effort on detection of compromise as it does protection against it.

But, who and what, exactly, are you up against?

The most common threat actors boil down into two groups. The first are external actors (hackers, malware authors, threat organizations, etc.) that make up approximately twothirds of data breaches last year1. The second are internal actors that either already have access to your valuable data, or hack internally to obtain access. This group makes up a little less than one-third of data breaches1, leaving the remainder of compromises attributed to partners and multiple actors working together1.

To make matters more complicated, there are also plenty of ways to infiltrate a network. Hacking, social engineering, and malware all top the list as attack vectors in data breaches, which only makes it more difficult to protect and detect against compromise.

There are obvious protection and prevention steps you should take, such as patching, the use of antimalware/anti-phishing software, application whitelisting, and more. But, as mentioned before, even in organizations with the strongest of security stances, successful attacks still occur.

For the remainder of this paper, we’re going to make the assumption that, despite IT’s best intention of properly securing the environment, compromise will continue to exist. So, it then becomes critical to be able to identify indicators of compromise – outliers from normal activity, network traffic, access, etc. – that should be investigated and/or responded to in the interest of each being a legitimate compromise event.

So, what are the indicators of compromise?

Identifying Indicators

Key indicators of compromise Any effective attack will include stealth or obfuscation to some degree, so compromise indicators don’t always show up in the same way.

So, let’s look at compromise using a set of layers of access (shown below) within your environment – each one susceptible to attack and, therefore, compromise – and see what indicators lie at each.

The Perimeter

It used to be that the perimeter was your firewall. But we know that organizations like yours today regularly have applications exposed for external use, utilize private and public cloud infrastructures (which logically extends the perimeter), and allow various kinds of remote access to internal resources. And, because there is a portion of that network that is exposed, it’s an obvious attack vector and point to identify compromise.

Indicators of compromise at this point in your environment will require some analysis.
They include:

  • Mismatched port/application traffic – communication with internal systems (which may include inbound commands and outbound exfiltration of data) often needs to take place over open ports (e.g. HTTP traffic over TCP port 80) to reach an external server.
  • Increases in data reads / outbound traffic – The goal is to obtain as much data as possible; looking for additional reads on databases, as well as outbound traffic sizes are clear indicators something is amiss.
  • Geographical irregularities – You have zero business in Ukraine. So, why is there so much traffic between that country and your organization? Abnormal communication sources are an obvious sign the connection requires your attention.

The Endpoint

Interestingly enough, today’s endpoints are the one part of a network that are constantly accessible outside the perimeter – they reach beyond the network to surf the web, as well as act as receptacles for inbound email (both giving malware a means of entry and a chance to embed itself).

Indicators of compromise on endpoints involve some deep-dive comparison around what’s normal for both configurations and activity for a given endpoint. Indicators include:

  • Rouge processes – Everything from malware, to hacker tools are seen as a process that hasn’t run on an endpoint before. This isn’t always easy, as some hackers live “off the land” using existing commands, DLLs, and executables, or use direct memory injection to avoid detection.
  • Persistence – The presence of tasks, auto-run registry settings, browser plugins, and even tampering with service settings all demonstrate an endpoint is compromised.

Logons

Most attackers focus on leveraging accounts to either access data or to move about the organization. Logons are the necessary first step to gaining access to an endpoint with valuable data. Indicators include the following logon abnormalities:

  • Endpoint Used – The CEO never logs on from a machine in Accounts Payable, right?
  • When Used – A user with a 9-to-5 job function logging in on a Saturday at 3am? Yeah, that’s suspicious.
  • Frequency – A user normally logs on once in the morning and logs out in the evening that suddenly is logging on and off in short bursts could indicate a problem.
  • Concurrency - Most users log on to a single endpoint. Seeing a user like that suddenly logged onto multiple endpoints simultaneously is an obvious red flag.

Lateral Movement

This is a needed step by most attacks, as their initial foothold is a low-level workstation with no rights to access anything of value. Lateral movement is the process of jumping machines (as much as is needed) to locate and access a system with valuable data. While this may seem a bit like Logons, it’s far more an analysis of the combination of connection types (via RDP, SMB, etc.) and authentication (read: logons) than anything. Indicators include:

  • Mismatch of users/applications – Low-level users rarely (if ever) use IT-related tools, scripting, etc. And users that never utilize an RDP session, etc. – equally sketchy.
  • Abnormal network traffic – Tools like netcat can direct communications over allowed ports, and any kind of existence or excess of traffic not normally seen (e.g. SMB, RPC, RDP, etc.) – all indicate possible compromise.

Data Access

Like every part of the environment previously covered, even access to your data – whether file-based, in a database, or on an enterprise content management solution – is relatively predictable over time. So looking for the following abnormalities may indicate a compromise:

  • When Accessed – Like logons, user access to data of any type is rather consistent over time. After-hours access is worthy of suspicion.
  • From Where – Valuable data normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter.
  • Amount of Data – Aligning with the perimeter’s need for watching to increases in data being sent out of the network, watch for any increases in data reads, exports, or copies/saves of any valuable data.

Finding the Easiest Indication of Compromise

These five layers of access provide a lot of food for thought, as there’s a lot to be watching for. You initially can’t have eyes everywhere, so it becomes necessary to determine which of these indicators can be most easily detected, while providing the greatest indicator for compromise.

One of the challenges to nearly all the indicators of compromise covered in this paper is that they require significant analysis of data that’s not readily accessible at your fingertips. Often cases, you’re going to need to cross-reference multiple sources of information to gain any kind of insight.

So, where should you place your efforts?

Logons: The Common Indicator (The Tie that Binds)

In the end, one foundational truth helps to narrow your focus of where to start - an attacker is powerless to do anything in your organization unless they are able to compromise a set of internal credentials. Simply put: no logon, no access. 81% of hacking-related breaches leveraged either stolen or weak passwords1, making logons the one common activity across nearly all attack patterns.

With the exception of perimeter attacks (where attack methods like SQL injections need no credentials to access data), every other layer mentioned in this paper requires a logon at some point. Endpoints require logons for access, lateral movement of any type requires authentication to access a target endpoint, and access to data first requires an authenticated connection.

So, if you must choose one area to put your focus on, it’s the logon.

By assuming the logon to be a key indicator, you can identify compromise before key actions, such as lateral movement and data access, take place. This makes logons one of the true preceding indicators, as the indicators associated with lateral movement and data access only occur once the action has already been taken. But logons, when monitored and responded to appropriately, can be tied to automated responses using third-party solutions, that will take actions such as logging off users and implementing account usage restrictions, thwarting threat actors, and protecting company data.

Impeding Compromise with Indicators

As part of a mature security strategy, the assumption that some attacks will still get past even the best layered defense is both necessary and responsible. Under that premise, it becomes necessary for IT to look for indicators of compromise as early on in an attack as is possible.

Logon denied

With most indicators requiring deep analysis and corroboration with multiple data sources, it may be prohibitive from a time (and even cost) standpoint to begin monitoring for most indicators.

But logons are both a powerful indicator of a potential compromise, as well as putting IT squarely into a proactive – rather than reactive – stance in its compromise monitoring.

While some compromise indicators are more difficult to monitor than other, logons remain one of the easiest to observe, and provide one of the clearest leading indications of compromise. By putting monitoring of logons in place, IT quickly and easily adds another layer to its security strategy – detection – and continues to reduce the risk and potential impact of attack-based compromises.

1 Verizon, Data Breach Investigations Report (2017)

About UserLock

Over 3,000 customers around the world rely on UserLock to help prevent security breaches. Working alongside Active Directory to extend, not replace its security, UserLock offers powerful protection for all Windows Active Directory domain logins, even when credentials are compromised.

  • Using the contextual information around a user’s logon, UserLock can apply further restrictions on what users can do once authenticated
  • UserLock offers real-time visibility, risk detection tools and centralized auditing to help detect and respond to suspicious activity quickly.

Discover and try UserLock

Dashboard UserLock