Advanced Persistent Threats (APTs) rely on our inability to detect, alert on and respond to any indicators that may suggest that our system has been compromised. Such indicators include unusual account activity, unusual traffic patterns, registry changes, and anomalous file and folder activity. Below are the top 10 ways to tell whether your system has been compromised.
1. Suspicious Privileged Account Activity
Should an attacker gain access to a user account on your network, they will often seek to elevate the account’s privileges, or use it to gain access to a different account with higher privileges. We need to watch out for things like out-of-hours account usage and the volume of data accessed, and be able to determine whether the account activity is out of character for that particular user.
2. Suspicious Outbound Traffic
We tend to focus a lot on the traffic that enters our network, and not so much on the traffic that goes out. Yet hackers often make use of command-and-control servers to maintain persistence. This type of network activity is generally easier to spot than most incoming attacks, precisely because it is persistent. We need to be able to spot any unusual patterns of outbound network traffic.
3. Anomalous logon failure
Should a user repeatedly fail to log in to an account, or attempt to log in to an account that no longer exists, this is a clear sign that someone, or something, is up to no good. These log-in failures will be recorded in the server logs. However, we don’t want to wait until the hackers have successfully forced their way into the network. Instead, we need to automate a response based on a threshold condition. For example, if X failed log-in attempts are recorded within Y time, we execute a custom script which can shut down the server, change the firewall settings, disable a user account or stop a specific process.
4. Geographical Irregularities
According to a report published by F-Secure, the majority of cyber attacks originate from “Russia, the Netherlands, the United States, China, and Germany”. Of course, cyber-attacks can in theory originate from anywhere, but it can be useful to bear this information in mind and keep an eye on which countries our incoming network traffic is coming from, and where our outbound network traffic is going. Additionally, should a user log in from an IP address in one country, and then log in from an IP address in a different country within a relatively short period of time, this may indicate that a cyber-attack has taken place or is taking place.
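The impossible-travel check described above, as an added Python example that is not part of the original article. It assumes each login has already been geolocated to a country and approximate coordinates (the events below are constructed, with rounded city coordinates), and it treats 1000 km/h as an assumed ceiling for plausible travel; the final threshold is a tuning choice.

```python
import math
from datetime import datetime

# Constructed login events (hypothetical data; coordinates are rounded city
# centroids): (user, iso-timestamp, country, latitude, longitude)
LOGINS = [
    ("jsmith", "2024-03-01T08:00:00", "GB", 51.51, -0.13),    # London
    ("jsmith", "2024-03-01T08:45:00", "SG", 1.35, 103.82),    # Singapore
    ("jsmith", "2024-03-01T22:00:00", "GB", 51.51, -0.13),    # London again
    ("ajones", "2024-03-01T09:00:00", "US", 40.71, -74.01),   # New York
    ("ajones", "2024-03-01T17:30:00", "US", 34.05, -118.24),  # Los Angeles
]
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: airliner speed plus some slack

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, using a mean Earth radius of 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each login with the same user's previous one. When the countries
    differ and the implied travel speed exceeds max_kmh, record
    (user, previous_ts, current_ts, distance_km, speed_kmh)."""
    last = {}      # user -> (datetime, country, lat, lon) of the previous login
    alerts = []
    for user, ts, country, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        now = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_country, plat, plon = last[user]
            if prev_country != country:   # the article's rule: a different country
                km = haversine_km(plat, plon, lat, lon)
                hours = (now - prev_t).total_seconds() / 3600
                kmh = km / hours if hours > 0 else math.inf   # same-second logins
                if kmh > max_kmh:
                    alerts.append((user, prev_t.isoformat(), ts, round(km), kmh))
        last[user] = (now, country, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print("impossible travel:", alert)
```

The London-to-Singapore pair is flagged (roughly 10,850 km in 45 minutes), while the return trip over 13 hours and the same-country New York-to-Los Angeles pair are not.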
5. HTML Response Sizes & Spikes in Database Activity
Should an attacker attempt to perform an SQL injection attack, where malicious code is injected into a web form in order to gain access to the underlying database, the HTML response will likely be larger than a normal HTML response. For example, the attacker may try to download a database containing credit card details, which could be tens of gigabytes in size. Anything of this size would be considered very unusual for a standard web form response. SQL injection is just one of the many ways hackers can gain access to your database.
They can also scan for missing SQL Server patches, configuration weaknesses, hidden database instances, or SQL Servers that are not protected by a firewall. Alternatively, they may just try to crack the System Administrator (SA) password (assuming one has been set). Should, for whatever reason, an attacker gain access to your database, they will likely attempt to download large amounts of sensitive data in a short period of time. So in addition to monitoring HTML response sizes, we should also closely monitor any spikes in database activity, as that could be a clear indicator that your database has been compromised.
6. Signs of a distributed denial-of-service attack (DDoS)
DDoS attacks are often used as a smokescreen to enable hackers to initiate other, more sophisticated forms of attack. DDoS attacks are easy to spot as they usually result in poor system performance, such as a slow network, unavailable websites, and other systems running at maximum capacity.
7. Anomalous registry changes
One of the ways APTs are able to establish persistence and remain covert is by making changes to the system registry. We must therefore ensure that we know what the registry is supposed to look like, and should the registry deviate from its typical state, we should be informed in real time in order to minimize the potential damage caused by the attack.
8. Unusual port usage
Hackers will often use obscure port numbers in order to circumvent firewalls and other web filtering techniques. We must keep a record of which ports are being used, and for what purpose. Should a port be used that is not on our whitelist, we must be informed immediately and be able to automate a response accordingly.
9. Suspicious DNS Requests
As mentioned, hackers often make use of command-and-control servers to establish a communication channel between the compromised system and their own server. There are, however, other suspicious DNS requests that we can look out for. For example, some strains of click-fraud malware open up a large number of browser windows at the same time. It is clearly unnatural for a user to open so many browser windows in one session, and doing so will create a short burst of web traffic. Keeping track of any suspicious DNS activity, such as a spike in DNS requests, will help us to identify potentially malicious activity.
10. Suspicious File and Folder Activity
Such activity may include suspicious file or folder creation, modification or deletion. It can include excessive requests for a single file. Hackers will often try a number of different exploits before they can successfully gain access to the system, and this is usually quite easy for us to observe, assuming we know where to look. For example, should you see that login.php has been accessed a thousand times by a single IP address, there’s a pretty good chance that you’re under attack.
We may notice large amounts of data in the wrong place, or files being encrypted in bulk. There are many different ways for us to tell whether our system has been, or is being, compromised, but unless we are able to detect, alert on, and respond to these indicators in real time, our ability to stop a cyber-attack in its tracks will be very limited. It is imperative that we take advantage of the latest file auditing solutions to ensure that we know exactly who has access to what data, where our data resides, and when the data is being accessed.
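The threshold rule from section 3 (X failed log-ins within Y time) and the per-IP request count from section 10 (one address fetching login.php over and over) are the same sliding-window check. The following is an added Python example, not code from the article: it runs that check over a constructed log in a hypothetical "<timestamp> <event> src=<ip>" format, and leaves the response action (firewall change, account disable) to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format (not from any real product):
# "<iso-timestamp> <event> src=<ip>", where event is AUTHFAIL or "GET <path>".
SAMPLE_LOG = """\
2024-03-01T02:00:01 AUTHFAIL src=203.0.113.7
2024-03-01T02:00:03 AUTHFAIL src=203.0.113.7
2024-03-01T02:00:05 AUTHFAIL src=203.0.113.7
2024-03-01T02:00:08 AUTHFAIL src=203.0.113.7
2024-03-01T02:00:10 AUTHFAIL src=203.0.113.7
2024-03-01T09:15:00 AUTHFAIL src=198.51.100.4
2024-03-01T11:00:00 GET /login.php src=192.0.2.9
2024-03-01T11:00:01 GET /login.php src=192.0.2.9
2024-03-01T11:00:02 GET /login.php src=192.0.2.9
2024-03-01T11:20:00 GET /login.php src=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) (AUTHFAIL|GET \S+) src=(\S+)$")

def burst_alerts(log_text, event, threshold, window_seconds):
    """Sliding-window count of `event` per source IP. Returns (timestamp, src)
    pairs at which a source reaches `threshold` events within `window_seconds`;
    the window is cleared after each alert so one burst fires exactly once."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)        # src -> timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != event:
            continue                   # unparseable line, or a different event
        ts, src = datetime.fromisoformat(m.group(1)), m.group(3)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # evict entries older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src))
            q.clear()
    return alerts

if __name__ == "__main__":
    # Section 3: X=5 failed log-ins within Y=60 seconds from one source address.
    print(burst_alerts(SAMPLE_LOG, "AUTHFAIL", 5, 60))
    # Section 10: the same counter applied to requests for a single file.
    print(burst_alerts(SAMPLE_LOG, "GET /login.php", 3, 60))
```

Note that the lone failure from 198.51.100.4 and the isolated login.php request at 11:20 fall outside any window and never fire, which is the point of the threshold: one alert per burst, not per line.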