The average number of days between a network intrusion and its detection by the victim is around 200 days, which is at least 199 days too long. Sooner or later your company will suffer a network intrusion, computer incident, or data breach, in spite of your best efforts to prevent it. The goal is to shorten the time between intrusion and detection.
A recent article on Tech Republic discusses the sort of detective work that a network admin or cybersecurity analyst needs to undertake to make quicker detection happen. A good place to start is your event logs. What sorts of indicators should you be looking for?
- Failed logon attempts – Event IDs 4625, 529-539.
- Explicit credentials – Event ID 4648 and/or 552
- Privilege changes – Event ID 4728, 4732, 4756.
- Suspicious sites – Look for DNS records about connections to sites. If an unusual site or address appears repeatedly, it could indicate C2 (command and control) connections.
- Slow connections – if your Internet connection is unusually slow, it could indicate data exfiltration activities.
- Activity on port 22 – Hey, this should already be blocked at your firewall, but outbound traffic using File Transfer Protocol could also show that data is leaving the building.
- Password dumping programs – Check your AV logs for evidence of these programs
- Droppers – If your endpoint AV or other security systems detects one of these, it means someone is trying to install malware on your system.
- Backdoors – programs such as Pirpi, Derusbi, Winnti, Nettraveler, PlugX, and 9002 RAT create a return point for the attacker. Look for these in your AV logs too.
- Log clearing – Event IDs 104 and 1102
- EMET crash logs
- Applications that crash or hang.
- Windows Defender errors – Windows Events 1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008
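As an added illustration (not code from the Tech Republic article or this post), here is a small triage script that runs the event-ID indicators from the list above over a batch of Windows event records. The records, the `EventID`/`Computer` field names, and the five-failure alert threshold are constructed assumptions for the example; in a real deployment the event's log channel should be checked too, since IDs such as 104 and 1102 live in different logs.

```python
"""Flag the indicator event IDs from the list above in a batch of Windows event records."""
from collections import Counter, defaultdict

# Event IDs grouped by the indicator category they signal (taken from the list above).
INDICATORS = {
    "failed_logon": {4625, *range(529, 540)},
    "explicit_credentials": {4648, 552},
    "privilege_change": {4728, 4732, 4756},
    "log_cleared": {104, 1102},
    "defender_error": {1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008},
}
FAILED_LOGON_THRESHOLD = 5  # assumed: alert on a host once this many failures are seen


def classify(event_id):
    """Return the indicator category for an event ID, or None if it is not one we watch."""
    for name, ids in INDICATORS.items():
        if event_id in ids:
            return name
    return None


def triage(events):
    """Return (per-category counts, list of alert strings) for a list of event dicts."""
    counts = Counter()
    failures_per_host = defaultdict(int)
    alerts = []
    for ev in events:
        cat = classify(ev["EventID"])
        if cat is None:
            continue  # not an indicator we track; skip it
        counts[cat] += 1
        host = ev["Computer"]
        if cat == "failed_logon":
            failures_per_host[host] += 1
            if failures_per_host[host] == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{host}: {FAILED_LOGON_THRESHOLD} failed logons")
        elif cat == "log_cleared":
            alerts.append(f"{host}: event log cleared (ID {ev['EventID']})")
        elif cat == "privilege_change":
            alerts.append(f"{host}: privileged group change (ID {ev['EventID']})")
    return counts, alerts


# Constructed sample records for the demo, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01"},  # successful logon, not an indicator
    *[{"EventID": 4625, "Computer": "WS01"} for _ in range(5)],
    {"EventID": 4648, "Computer": "WS01"},
    {"EventID": 4732, "Computer": "DC01"},
    {"EventID": 1102, "Computer": "DC01"},
    {"EventID": 1006, "Computer": "WS02"},
]

if __name__ == "__main__":
    summary, found = triage(SAMPLE_EVENTS)
    print(dict(summary))
    for line in found:
        print("ALERT:", line)
```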
Of course this process works best when automated, so finding the right tool and budgeting for it is going to be critical to early detection and remediation of a network intrusion. Good luck and good hunting!