As a common activity across nearly all attack patterns, logons provide one of the clearest indicators of compromise to help protect company data and thwart attacks.
In this white paper, you’ll find:
- Who and what exactly, are the common threats
- Detailed descriptions of potential indicators of compromise
- Why logons are the easiest indication of compromise
- How UserLock can leverage this indicator to not just detect, but prevent a breach
Who and what, exactly, are the threats?
The most common threat actors boil down into two groups. The first are external actors (hackers, malware authors, threat organizations, etc.) that make up approximately twothirds of data breaches last year1.
The second are internal actors that either already have access to your valuable data, or hack internally to obtain access. This group makes up a little less than one-third of data breaches1, leaving the remainder of compromises attributed to partners and multiple actors working together1.
To make matters more complicated, there are also plenty of ways to infiltrate a network. Hacking, social engineering, and malware all top the list as attack vectors in data breaches, which only makes it more difficult to protect and detect against compromise.
There are obvious protection and prevention steps you should take, such as patching, the use of antimalware/anti-phishing software, application whitelisting, and more. But, as mentioned before, even in organizations with the strongest of security stances, successful attacks still occur.
For the remainder of this paper, we’re going to make the assumption that, despite IT’s best intention of properly securing the environment, compromise will continue to exist. So, it then becomes critical to be able to identify indicators of compromise – outliers from normal activity, network traffic, access, etc. – that should be investigated and/or responded to in the interest of each being a legitimate compromise event.
So, what are the indicators of compromise?
Identifying Key Indicators of Compromise
Any effective attack will include stealth or obfuscation to some degree, so compromise indicators don’t always show up in the same way.
So, let’s look at compromise using a set of layers of access (see diagram) within your environment – each one susceptible to attack and, therefore, compromise – and see what indicators lie at each.
It used to be that the perimeter was your firewall. But we know that organizations like yours today regularly have applications exposed for external use, utilize private and public cloud infrastructures (which logically extends the perimeter), and allow various kinds of remote access to internal resources. And, because there is a portion of that network that is exposed, it’s an obvious attack vector and point to identify compromise.
Indicators of compromise at this point in your environment will require some analysis. They include:
- Mismatched port/application traffic – communication with internal systems (which may include inbound commands and outbound exfiltration of data) often needs to take place over open ports (e.g. HTTP traffic over TCP port 80) to reach an external server.
- Increases in data reads / outbound traffic – The goal is to obtain as much data as possible; looking for additional reads on databases, as well as outbound traffic sizes are clear indicators something is amiss.
- Geographical irregularities – You have zero business in Ukraine. So, why is there so much traffic between that country and your organization? Abnormal communication sources are an obvious sign the connection requires your attention.
Interestingly enough, today’s endpoints are the one part of a network that are constantly accessible outside the perimeter – they reach beyond the network to surf the web, as well as act as receptacles for inbound email (both giving malware a means of entry and a chance to embed itself).
Indicators of compromise on endpoints involve some deep-dive comparison around what’s normal for both configurations and activity for a given endpoint. Indicators include:
- Rogue processes – Everything from malware, to hacker tools are seen as a process that hasn’t run on an endpoint before. This isn’t always easy, as some hackers live “off the land” using existing commands, DLLs, and executables, or use direct memory injection to avoid detection.
- Persistence – The presence of tasks, auto-run registry settings, browser plugins, and even tampering with service settings all demonstrate an endpoint is compromised.
Most attackers focus on leveraging accounts to either access data or to move about the organization. Logons are the necessary first step to gaining access to an endpoint with valuable data. Indicators include the following logon abnormalities:
- Endpoint Used – The CEO never logs on from a machine in Accounts Payable, right?
- When Used – A user with a 9-to-5 job function logging in on a Saturday at 3am? Yeah, that’s suspicious.
- Frequency – A user normally logs on once in the morning and logs out in the evening that suddenly is logging on and off in short bursts could indicate a problem.
- Concurrency - Most users log on to a single endpoint. Seeing a user like that suddenly logged onto multiple endpoints simultaneously is an obvious red flag.
This is a needed step by most attacks, as their initial foothold is a low-level workstation with no rights to access anything of value. Lateral movement is the process of jumping machines (as much as is needed) to locate and access a system with valuable data. While this may seem a bit like Logons, it’s far more an analysis of the combination of connection types (via RDP, SMB, etc.) and authentication (read: logons) than anything. Indicators include:
- Mismatch of users/applications – Low-level users rarely (if ever) use IT-related tools, scripting, etc. And users that never utilize an RDP session, etc. – equally sketchy.
- Abnormal network traffic – Tools like netcat can direct communications over allowed ports, and any kind of existence or excess of traffic not normally seen (e.g. SMB, RPC, RDP, etc.) – all indicate possible compromise.
Like every part of the environment previously covered, even access to your data – whether file-based, in a database, or on an enterprise content management solution – is relatively predictable over time. So looking for the following abnormalities may indicate a compromise:
- When Accessed – Like logons, user access to data of any type is rather consistent over time. After-hours access is worthy of suspicion.
- From Where – Valuable data normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter.
- Amount of Data – Aligning with the perimeter’s need for watching to increases in data being sent out of the network, watch for any increases in data reads, exports, or copies/saves of any valuable data.
Finding the Easiest Indication of Compromise
With most indicators requiring deep analysis it is prohibitive from a time (and even cost) standpoint to begin monitoring for most of these indicators. You’re often going to need to cross reference multiple sources of information to gain any kind of insight.
We must determine which of these indicators can be most easily detected while providing the greatest indicator for compromise.
In the end, one foundational truth helps to narrow your focus of where to start - an attacker is powerless to do anything in your organization unless they are able to compromise a set of internal credentials.
With the exception of perimeter attacks (where attack methods like SQL injections need no credentials to access data), every other layer mentioned in this paper requires a logon at some point. Endpoints require logons for access, lateral movement of any type requires authentication to access a target endpoint, and access to data first requires an authenticated connection.
Simply put: no logon, no access!
In fact, 81% of hacking-related breaches leveraged either stolen or weak passwords1, making logons the one common activity across nearly all attack patterns. So, if you must choose one area to put your focus on, it’s the logon.
Preventing, not just Detecting Breaches
By assuming the logon to be a key indicator, you can also identify compromise before key actions take place. This makes logons one of the true preceding indicators. For example the indicators associated with lateral movement and data access only occur after the action has already been taken.
What’s more, when logons are monitored appropriately, they can be tied to automated responses using third-party solutions. For example UserLock will take action such as logging off users and implementing account usage restrictions to thwart threat actors, and protect company data. In short, should something fall outside a set of established restrictions, UserLock automatically takes action before the damage is done – not only when IT intervenes.
Watch how UserLock can restrict user account usage.
Authorized Department / IP Address
UserLock reduces the network attack surface to protect against unwanted access from either compromised credentials or suspicious user behavior. Outside of the restricted area, access is automatically denied.
UserLock limits access to specific timeframes or a maximum session length. Outside of these hours or when time is up, users are disconnected (force logoff) with prior warning.
Secure Wireless & Remote User Access
UserLock takes into consideration access from all session types and devices. It permits an organization to better control and restrict access to their wireless networks and user connections from outside the domain.
Deny Simultaneous Connections
from a Single Identity
UserLock can limit the number of unique entry points and concurrent sessions to prevent simultaneous logins from a single identity. Stop careless behavior, password sharing and ensure accountability for all network actions.
Deter and Stop Compromise with Logon Security
As part of a mature security strategy, the assumption that some attacks will still get past even the best layered defense is both necessary and responsible. Under that premise, it becomes necessary for IT to look for indicators of compromise as early on in an attack as is possible.
While some indicators are more difficult to monitor than other, logons remain one of the easiest to observe. And by identifying compromise before key actions take place, logons can be tied to automated responses with UserLock, to not only detect but prevent network breaches.
1 Verizon, Data Breach Investigations Report (2017)