The average number of days between a network intrusion and it’s detection by the victim is around 200 days, which is at least 199 days too long. Sooner or later your company will suffer an network intrusion, computer incident, or data breach, in spite of your best efforts to prevent it. The goal is to shorten the time between intrusion and detection.
A recently article on Tech Republic discusses the sort of detective work that a network admin or cybersecurity analyst needs to undertake to make quicker detection happen. A good place to start is in your event logs. What sorts of indicators should you be looking for?
- Failed logon attempts – Event IDs 4625, 529-539.
- Explicit credentials – Event ID 4648 and/or 552
- Privilege changes – Event ID 4728, 4732, 4756.
- Suspicious sites – Look for DNS records about connections to sites. If an unusual site or address appears repeatedly, it could indication C2 (command and control) connections.
- Slow connections – if your Internet connection is unusually slow, it could indicate data exfiltration activities.
- Activity on port 22 – Hey, this should already be blocked at your firewall, but outbound traffic on using File Transfer Protocol could also show that data is leaving the building.
- Password dumping programs – Check your AV logs for evidence of these programs
- Droppers – If your endpoint AV or other security systems detects one of these, it means someone is trying to install malware on your system.
- Backdoors – programs such as Pirpi, Derusbi, Winnti, Nettraveler, PlugX, and 9002 RAT create an return point for the attacker. Look for these in your AV logs too.
- Log clearing events 104 and 1102
- EMET crash logs
- Applications that crash or hang.
- Windows Defender errors – Windows Events 1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008
Of course this process works best when automated, so finding the right tool and budgeting for it is going to be critical to early detection and remediation of a network intrusion. Good luck and good hunting!
More information:
Share
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com