Tim Bandos, director of cybersecurity, Digital Guardian, shares common indicators that say a threat is underway.
Threat actors do everything in their power to blend in and attempt to become a ghost in your network, so it is the job of the security professional to be the ‘ghostbuster.’ Here are 10 things threat hunters watch for:
Low and slow connections
Proxy logs are a great place to start the hunt, and there are a number of telltale signs to look out for that can clue you in that something is amiss. It’s good practice to source restrict this clear-text protocol, but if it’s not locked down, look for any exfiltration patterns in the data.
Same number of bytes in and out
Do any network connections exhibit the same pattern of bytes in and bytes out each day? Monitor for the same amount of bytes up and bytes down on a frequent basis, as this could be a sign of suspicious activity.
Identify a listing of all dynamic DNS sites that are visited by endpoints and look specifically at the outliers across your organisation. If only three machines out of 20,000 visit one specific site, command and control infrastructure may be at fault.
Failed logon attempts
It might sound obvious, but looking for successive failed access attempts using multiple accounts could indicate a brute force. Focusing on one failed attempt per account may signify a threat actor trying to log in with passwords they’ve previously dumped from the environment in the hope that one may still work.
Profile your “A logon was attempted using explicit credentials” event logs and whitelist out normal activity. This log kicks off when a user connects to a system or runs a program locally using alternate creds.
Escalation of privileges will often occur once a foothold has been achieved within an environment. It’s good to profile your IT administrator’s legitimate activities as well since they’ll more often than not cause a bit of noise themselves.
Signs of password dumping programmes
Research what your antivirus provider flags as a password dumping program and go searching. For example, one of McAfee’s password dumping detection tools is called HTool-GSECDump.
Know your adversary so that you can begin to profile their tactics, techniques, and procedures. Some common advanced threat backdoors include PlugX, 9002 RAT, Nettraveler, Derusbi, Winnti and Pirpi. If you come across names like these within your antivirus logs, you’ll know something untoward is taking place.
Identify any detections with the name ‘dropper’ in it. A dropper programme is intended to download/install a backdoor or virus, only initiating the download when the ‘coast is clear’. If a dropper has been detected, it’s possible there is still something lurking in the depths of the OS it was detected on.
Some anti-virus solutions have the ability to create custom detections for ultra-effective threat hunting. Creating an alert to log executions of binaries from a user’s APPDATA directory, for example, will generate a log and send it to your console any time a program launches from that directory.