6/11/2015
04:35 PM
Ryan Vela

Breach Defense Playbook: Hunting For Breach Indicators

Do you proactively hunt for malware on your network, or do you wait for your tools to tell you?

Every organization should perform a breach indicator assessment on a regular basis to identify potential indicators of compromise (IOCs). Without knowing whether you have IOCs, you can’t mitigate and remediate potential unwanted software on your network. Additionally, identifying IOCs on your network exposes security, configuration, and design gaps, which in turn drives network security enhancements and further people, process, and tool improvements.

The scope of your breach indicator assessment (BIA) should include both network communication and endpoint systems. The network communication BIA should include real-time collection and analysis of network traffic with the sole purpose of identifying anomalies. The endpoint system BIA should look for anomalous processes, files, and behaviors resident on internal workstations, servers, and mobile devices. In the end, you should have a point-in-time report listing the number of IOCs identified, their potential impact on the organization, and recommended remediation activities.

The BIA can be thought of as a “hunt and expose” analytical search for IOCs in real time and may include static forensic analysis if a system is found to be associated with suspicious activity.

Network Breach Indicator Assessment

The network BIA should include monitoring network traffic and exposing IOCs in real time. While you may already have firewalls, proxies, and advanced threat detection appliances on your network, you should also use a tool different from what you already have so you can compare its results with what your SOC, MSSP, or SIEM sees. In other words, while your day-to-day security operations continue, you should use a network BIA to validate the accuracy of the data your teams analyze and the precision of the tools and processes with which that data is adjudicated.

You should deploy sensors as close to choke points as possible to capture the largest volume of data flowing into and out of your networks. You should also consider deploying sensors at jump points between network segments to evaluate internal-to-internal traffic. All of the sensors should match traffic against IOCs from available threat intelligence databases that draw on both open and closed sources. So as not to impact operations, it is common to deploy these BIA sensors off a mirror or SPAN port in promiscuous or “listen-only” mode.

Your edge-deployed sensors should pay attention to unusual amounts of data transmitted from a specific source or to a specific destination. The sensors should focus on misuse of standard ports and protocols; use of non-standard ports and protocols; and malformed packet transmission. The sensors should alert on communications originating from the internal network destined for systems with known connections to “botnets” or other malicious Internet-based networks. Lastly, the sensors should alert on attacks on third parties originating from your internal network address space. These types of attacks may be indications of botnet activity.
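The edge-sensor checks listed above, worked through as an added example (not code from the article or from any vendor's sensor): it runs the checks over constructed flow summaries and assumes 10.0.0.0/8 is the internal address space, RFC 5737 documentation addresses stand in for external hosts, and the threat-intel entry is a placeholder.

```python
from collections import defaultdict

# Constructed threat-intel entry (RFC 5737 documentation address, not a real indicator).
KNOWN_BAD = {"203.0.113.77"}

# The port each protocol normally uses; the inverse map gives the protocol a port should carry.
STANDARD_PORT = {"ssh": 22, "dns": 53, "http": 80, "tls": 443, "smtp": 25}
PORT_PROTO = {port: proto for proto, port in STANDARD_PORT.items()}

# Constructed flow summaries (src, dst, dst_port, proto, bytes_out) as a SPAN-port sensor
# might report them; 10.0.0.0/8 is the assumed internal address space.
FLOWS = [
    ("10.1.2.10", "198.51.100.20", 443, "tls", 5_000),
    ("10.1.2.10", "198.51.100.20", 443, "tls", 7_000),
    ("10.1.2.77", "198.51.100.9", 443, "ssh", 900),           # misuse of a standard port
    ("10.1.2.55", "203.0.113.5", 8443, "tls", 250_000_000),   # non-standard port, large egress
    ("10.1.2.90", "203.0.113.77", 6667, "irc", 2_000),        # threat-intel destination
] + [("10.1.2.90", f"192.0.2.{i}", 445, "smb", 120) for i in range(1, 61)]  # sweep of a third party


def is_internal(ip):
    # Assumption for this example: the whole 10.0.0.0/8 range is internal.
    return ip.startswith("10.")


def hunt(flows, volume_threshold=100_000_000, fanout_threshold=50):
    """Return (category, src, detail) findings for the edge-sensor IOC classes in the article."""
    findings = []
    egress = defaultdict(int)   # bytes sent per (src, dst) pair
    fanout = defaultdict(set)   # distinct external destinations per (src, port)
    for src, dst, port, proto, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue            # an edge sensor only judges internal-to-external traffic here
        egress[(src, dst)] += nbytes
        fanout[(src, port)].add(dst)
        if dst in KNOWN_BAD:
            findings.append(("threat_intel_match", src, dst))
        if port in PORT_PROTO and proto != PORT_PROTO[port]:
            findings.append(("standard_port_misuse", src, f"{proto} on port {port}"))
        elif proto in STANDARD_PORT and port != STANDARD_PORT[proto]:
            findings.append(("non_standard_port", src, f"{proto} on port {port}"))
    for (src, dst), total in egress.items():
        if total >= volume_threshold:
            findings.append(("unusual_egress_volume", src, f"{total} bytes to {dst}"))
    for (src, port), dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            findings.append(("outbound_sweep", src, f"{len(dsts)} hosts on port {port}"))
    return findings


if __name__ == "__main__":
    for finding in hunt(FLOWS):
        print(*finding)
```

The thresholds are starting points; as the article says, the technology owners are the ones who can tell you whether a 250 MB transfer to one host is a backup job or an exfiltration.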

When looking at internal-to-internal communication, your internal sensors should look for the activity patterns attackers use when targeting internal systems and segments for lateral movement. Specific misuse of system administrator programs and credential-gathering tools is a good indication of lateral movement. Attackers commonly target less secure networks and systems as their initial entry point and then work their way laterally to escalate their access privileges so they can reach more secure targets containing sensitive data.

Your sensor tools should give you full network visibility of both encrypted and non-encrypted channels and remain protocol and port agnostic. The sensors should be able to function at line-speed in real time and detect advanced threats, infiltration, and data leakage.

When performing your network BIA, you will want to obtain data over at least one week, including a weekend. Weekend traffic is often different from business-hours traffic. Of course, the more data you obtain, the more comprehensive your analysis will be, but this must be balanced against the resources available to complete the assessment. In other words, the more data you obtain, the more time your team will need to analyze the output.

During your assessment, engage with technology owners and stakeholders within your organization so that they can help you understand whether certain network communication is normal or suspicious. Don’t work in a vacuum. If you find a critical IOC that points to a potential intrusion, immediately escalate the finding to the appropriate security operations personnel for response.

System Breach Indicator Assessment

When hunting and exposing IOCs on endpoint systems, you should use an automated scanning tool to look at system registries, file date-time stamps, file metadata, processes running in memory, and other system artifacts. Your scope should include servers, workstations, and mobile devices regardless of operating system.

This collection of data can then be analyzed and adjudicated for any IOCs present. Scanning should be performed on systems while they are running and processing data. You must ensure that the tool you use for scanning is appropriately tested for your environment and minimizes any impact on the operation and performance of your systems.

You should analyze the memory of systems to look for IOCs among running processes, handles, files, keywords, network communications, privileged user account misuse, and other items. You should analyze file systems by looking at programs that are set to run automatically, along with Prefetch entries, registry hives, the master file table, installed services, file date-time stamps, and other artifacts.
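A triage pass over the file-system artifacts just listed, as an added example (not code from the article or from any scanning product): it takes constructed autorun records as an endpoint scanner might export them and flags entries whose hash is not in a known-good baseline, unsigned binaries launched from user-writable paths, and a master-file-table timestamp anomaly ($STANDARD_INFORMATION created time earlier than $FILE_NAME created time). The hashes, paths and timestamps are placeholders, and each flag is an indicator for an analyst to adjudicate, not proof of compromise.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed known-good hash set; the strings are placeholder labels, not real digests.
BASELINE = {"hash:svchost-build-1", "hash:backupagent-2.4"}
# Path fragments that an ordinary user can write to; autoruns launched from here deserve a look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass
class Autorun:
    source: str            # registry Run key, installed service, scheduled task, ...
    path: str
    sha256: str            # placeholder label in this example
    signed: bool           # Authenticode signature present and valid
    si_created: datetime   # $STANDARD_INFORMATION created time (easily altered by tools)
    fn_created: datetime   # $FILE_NAME created time (set by the kernel, rarely forged)


# Constructed records: two legitimate entries and one that should be escalated.
ENTRIES = [
    Autorun("Service", r"C:\Windows\System32\svchost.exe", "hash:svchost-build-1", True,
            datetime(2014, 3, 1, 9, 0), datetime(2014, 3, 1, 9, 0)),
    Autorun("Run key", r"C:\Program Files\Backup\agent.exe", "hash:backupagent-2.4", True,
            datetime(2015, 1, 12, 14, 5), datetime(2015, 1, 12, 14, 5)),
    Autorun("Run key", r"C:\Users\jdoe\AppData\Roaming\update.exe", "hash:unknown-9f", False,
            datetime(2013, 8, 22, 12, 0), datetime(2015, 6, 2, 23, 41)),
]


def triage(entries):
    """Return (indicator, path) pairs for autorun entries that warrant forensic follow-up."""
    findings = []
    for e in entries:
        if e.sha256 not in BASELINE:
            findings.append(("not_in_baseline", e.path))
        if not e.signed and any(tok in e.path.lower() for tok in USER_WRITABLE):
            findings.append(("unsigned_in_user_writable_path", e.path))
        if e.si_created < e.fn_created:
            # A file cannot have been created before its own MFT name record: timestomp indicator.
            findings.append(("timestamp_anomaly", e.path))
    return findings


if __name__ == "__main__":
    for indicator, path in triage(ENTRIES):
        print(f"{indicator}: {path}")
```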

If you do find suspicious IOCs, then you can escalate the system BIA for that specific system with forensic tools to further adjudicate the alert. This may include taking an image of the hard drive, capturing memory, isolating the system from the network, or taking the system offline completely.

In the end, you should produce a report that includes the scope of activities you performed, your approach to the assessment, a timeline of your activities, and the results of the BIA. You should follow your results and observations with a concrete set of tactical recommendations that can enhance network communication and system security. As always, it is recommended that you maintain a graded chart so that, as you perform additional assessments in the future, you can evaluate your organization’s improvement.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...