Organizations today live in a world where the threat of compromise is ever-present, ever-changing, and ever-growing. Never before in the history of IT has there been so much focus on the need for security – so much so that it has become an integral criterion when vetting, discussing, or choosing new solutions, platforms, and applications.
Threat actors are no longer lone individuals but thriving businesses, seeking to grow their revenue each year by improving their fiendish “products” and “services”. Because you are no longer fighting an opportunistic thrill-seeker, but an organized group intent on breaking in and stealing anything of value on your network, IT needs to put as much effort into detecting compromise as it does into protecting against it.
But, who and what, exactly, are you up against?
The most common threat actors boil down to two groups. The first is external actors (hackers, malware authors, threat organizations, etc.), who accounted for approximately two-thirds of data breaches last year [1]. The second is internal actors, who either already have access to your valuable data or hack internally to obtain it; this group accounted for a little less than one-third of data breaches [1], with the remainder attributed to partners and to multiple actors working together [1].
To make matters more complicated, there are also plenty of ways to infiltrate a network. Hacking, social engineering, and malware all top the list of attack vectors in data breaches, which only makes it harder both to protect against compromise and to detect it.
There are obvious protection and prevention steps you should take, such as patching, anti-malware and anti-phishing software, application whitelisting, and more. But, as mentioned above, successful attacks still occur even in organizations with the strongest security posture.
For the remainder of this paper, we are going to assume that, despite IT’s best efforts to secure the environment properly, compromises will continue to happen. It then becomes critical to be able to identify indicators of compromise – outliers from normal activity, network traffic, access patterns, and so on – and to investigate and respond to each of them as a potential compromise until it is shown to be benign.
So, what are the indicators of compromise?
Any effective attack involves some degree of stealth or obfuscation, so indicators of compromise do not always show up in the same way or in the same place.
So let’s look at compromise through a set of layers of access within your environment (see diagram) – each one susceptible to attack and therefore to compromise – and see which indicators appear at each layer.
It used to be that the perimeter was your firewall. But organizations like yours today regularly expose applications for external use, run on private and public cloud infrastructure (which logically extends the perimeter), and allow various kinds of remote access to internal resources. Because a portion of that network is reachable from outside, it is an obvious attack vector, and therefore an obvious place to look for signs of compromise.
Indicators of compromise at this layer require some analysis of the traffic crossing it.
- Mismatched port/application traffic – an attacker’s communication with compromised internal systems (inbound commands and outbound exfiltration of data) usually has to travel over ports the firewall already allows, e.g. TCP port 80, which is meant for HTTP, in order to reach an external server. The payload carried on such a port is therefore often not the protocol the port is intended for, and spotting that requires inspecting the application protocol actually in use, not just the port number.
- Increases in data reads / outbound traffic – the attacker’s goal is to obtain as much data as possible, so a rise in read volume on databases, or in the amount of outbound traffic from a host, relative to that system’s normal baseline is a clear indicator that something is amiss. This only works if you have a baseline of normal volumes to compare against.
- Geographical irregularities – you have zero business in Ukraine, so why is there so much traffic between that country and your organization? Communication with an abnormal source or destination is an obvious sign that the connection requires your attention. Bear in mind that IP geolocation reflects where an address is registered, and that attackers routinely relay through systems in countries you do trust, so a clean geography is not proof of a clean connection.
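The three perimeter indicators above can each be turned into a simple check over connection-summary logs. The following is an added example, not code from the original paper: it runs all three checks over a handful of constructed flow records. The record layout (modelled loosely on a Zeek conn.log summary, where `service` is the protocol identified on the wire), the expected-service table, the country allow-list, the IP-to-country map standing in for a GeoIP lookup, and the thresholds are all assumptions chosen for illustration.

```python
"""Perimeter-layer IoC checks over constructed flow records (added example).

Assumptions (not from the paper): records are (day, src_ip, dst_ip, dst_port,
service, orig_bytes); GEO stands in for a GeoIP database; the allow-list and
the 5x volume threshold are illustrative starting points, not recommendations.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flows from two internal hosts over four days.
FLOWS = [
    ("d1", "10.0.0.5", "203.0.113.10", 443, "ssl", 1_000_000),
    ("d2", "10.0.0.5", "203.0.113.10", 443, "ssl", 1_100_000),
    ("d3", "10.0.0.5", "203.0.113.10", 443, "ssl", 900_000),
    ("d4", "10.0.0.5", "198.51.100.7", 443, "ssl", 12_000_000),
    ("d4", "10.0.0.5", "198.51.100.7", 80, "ssh", 8_000_000),   # SSH tunnelled over port 80
    ("d1", "10.0.0.7", "203.0.113.10", 80, "http", 50_000),
    ("d2", "10.0.0.7", "192.0.2.44", 53, "dns", 40_000),
    ("d2", "10.0.0.7", "192.0.2.44", 443, "-", 20_000),          # no protocol identified on 443
    ("d3", "10.0.0.7", "192.0.2.99", 443, "ssl", 30_000),
]

# Which application protocols are legitimately expected on a given port (assumption).
EXPECTED_SERVICE = {80: {"http"}, 443: {"ssl", "tls"}, 53: {"dns"}, 22: {"ssh"}}
# Countries the (hypothetical) organisation does business in.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
# Hypothetical GeoIP stand-in; "UA" mirrors the paper's own example country.
GEO = {"203.0.113.10": "US", "198.51.100.7": "UA", "192.0.2.44": "US"}


def port_service_mismatches(flows):
    """Indicator 1: traffic on an allowed port that is not that port's protocol."""
    hits = []
    for _day, src, dst, port, service, _nbytes in flows:
        expected = EXPECTED_SERVICE.get(port)
        if expected is not None and service not in expected:
            hits.append((src, dst, port, service))
    return hits


def outbound_volume_spikes(flows, factor=5.0, min_days=3):
    """Indicator 2: a host's daily outbound bytes far above its own baseline.

    The baseline for a day is the median of that host's other days, so a single
    huge day cannot hide itself by inflating its own baseline. Hosts with less
    than min_days of history are skipped rather than judged on no evidence.
    """
    per_host_day = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _port, _svc, nbytes in flows:
        per_host_day[src][day] += nbytes
    spikes = []
    for src, days in per_host_day.items():
        if len(days) < min_days:
            continue
        for day, total in sorted(days.items()):
            baseline = median(v for d, v in days.items() if d != day)
            if baseline > 0 and total >= factor * baseline:
                spikes.append((src, day, total, baseline))
    return spikes


def geo_irregularities(flows, allowed=ALLOWED_COUNTRIES, geo=GEO):
    """Indicator 3: bytes sent to countries outside the allow-list.

    Destinations the GeoIP stand-in cannot resolve are returned separately so
    they are triaged rather than silently treated as clean.
    """
    suspicious, unknown = defaultdict(int), set()
    for _day, _src, dst, _port, _svc, nbytes in flows:
        country = geo.get(dst)
        if country is None:
            unknown.add(dst)
        elif country not in allowed:
            suspicious[country] += nbytes
    return dict(suspicious), unknown


def run_all(flows=FLOWS):
    """Run every check and return the findings keyed by indicator."""
    suspicious, unknown = geo_irregularities(flows)
    return {
        "port_mismatch": port_service_mismatches(flows),
        "volume_spike": outbound_volume_spikes(flows),
        "geo_suspicious": suspicious,
        "geo_unknown": sorted(unknown),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings}")
```

In production the `service` column has to come from protocol inspection (a NIDS or an application-aware firewall), since a port number alone proves nothing; the baseline should cover far more than a few days and be kept per host; and the geography check is only as good as the GeoIP data and the allow-list behind it.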