Hunting cyber threats may not be as complex as you might first think. Access to proxy logs and antivirus logs is all you need for a basic hunt. Don’t be put off if you have a lot of events to go through (billions, even); these seven checks will help you quickly discard the unimportant events and leave you with the threats that could actually harm your business:
Cyber threats: what to look out for:
- Low and slow connections through proxy servers: Sift through any events pointing to traffic sent out over port 22, traffic passing through your firewalls, or any exfiltration patterns in the data.
- Patterns of bytes: Look out for network connections that show the same pattern of bytes in and bytes out each day. Malware still uses this technique (even though it is 5+ years old) to let its master know the malware has been installed successfully.
- Suspicious sites: Identify the DNS names visited by endpoints and look specifically at the outliers across your organisation, which could point to command-and-control infrastructure.
- Failed logon attempts: Look out for failed access attempts across single or multiple accounts.
- Explicit credentials: Find event logs that note “A logon was attempted using explicit credentials” – this happens when a user connects to a system or runs a program locally using alternate credentials.
- Privilege changes: Look out for escalation of privileges.
- Dropper programs: Identify any detections with the name ‘dropper’ in them. A dropper program is intended to download or install a backdoor or virus, only initiating the download when the ‘coast is clear’.
Source: Infosecurity Magazine
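The seven checks above can be expressed as a handful of small queries over the logs you already hold. The script below is an added example, not code from the article or from Infosecurity Magazine: it runs six of the checks over a constructed, simplified proxy log (date, source IP, destination, port, bytes out, bytes in), a constructed list of Windows security events, and a constructed list of antivirus detection names. The Windows event IDs are the real ones (4625 is “An account failed to log on”, 4648 is “A logon was attempted using explicit credentials”); the thresholds (three days for a beacon, five failed logons, a single endpoint for a rare destination) are assumptions chosen for this sample and should be tuned to your own baseline.

```python
"""Threat-hunting triage over proxy logs, Windows security events and AV names.

Added example, not the article's own code. Log formats and thresholds are
constructed assumptions; the Windows event IDs 4625 and 4648 are real.
"""
from collections import defaultdict

# Constructed proxy log: day, source IP, destination, port, bytes out, bytes in.
PROXY_LOG = """\
2024-03-01 10.0.0.5 updates.example.com 443 512 20480
2024-03-01 10.0.0.5 cdn.example.net 443 1200 90000
2024-03-01 10.0.0.7 updates.example.com 443 600 20480
2024-03-01 10.0.0.9 odd-host.example.org 443 128 64
2024-03-02 10.0.0.9 odd-host.example.org 443 128 64
2024-03-02 10.0.0.7 cdn.example.net 443 1400 91000
2024-03-03 10.0.0.9 odd-host.example.org 443 128 64
2024-03-03 10.0.0.12 203.0.113.44 22 900000 2048
2024-03-04 10.0.0.9 odd-host.example.org 443 128 64
"""

# Constructed Windows security events: (event_id, account, host).
WIN_EVENTS = [
    (4625, "jsmith", "WS01"), (4625, "jsmith", "WS01"), (4625, "jsmith", "WS01"),
    (4625, "jsmith", "WS01"), (4625, "jsmith", "WS01"),
    (4625, "mlee", "WS02"), (4624, "mlee", "WS02"),
    (4648, "svc-backup", "WS02"),
]

# Constructed antivirus detections: (host, detection name).
AV_DETECTIONS = [("WS01", "Trojan.GenericKD"), ("WS03", "Dropper.Agent.xyz"),
                 ("WS04", "PUA.Toolbar")]


def parse_proxy(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, port, out_b, in_b = line.split()
        records.append({"day": day, "src": src, "dst": dst, "port": int(port),
                        "bytes_out": int(out_b), "bytes_in": int(in_b)})
    return records


def hunt_port22(records):
    """Check 1: connections leaving over port 22, with the volume sent out."""
    return [(r["src"], r["dst"], r["bytes_out"]) for r in records if r["port"] == 22]


def hunt_beacons(records, min_days=3):
    """Check 2: the same (src, dst, bytes out, bytes in) on min_days distinct days."""
    days = defaultdict(set)
    for r in records:
        days[(r["src"], r["dst"], r["bytes_out"], r["bytes_in"])].add(r["day"])
    return sorted(key for key, seen in days.items() if len(seen) >= min_days)


def hunt_rare_domains(records, max_hosts=1):
    """Check 3: destinations contacted by at most max_hosts distinct endpoints."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["dst"]].add(r["src"])
    return sorted(dst for dst, srcs in hosts.items() if len(srcs) <= max_hosts)


def hunt_failed_logons(events, threshold=5):
    """Check 4: accounts with at least `threshold` failed logons (event 4625)."""
    counts = defaultdict(int)
    for event_id, account, _host in events:
        if event_id == 4625:
            counts[account] += 1
    return {account: n for account, n in counts.items() if n >= threshold}


def hunt_explicit_credentials(events):
    """Check 5: logons made with explicit (alternate) credentials (event 4648)."""
    return [(account, host) for event_id, account, host in events if event_id == 4648]


def hunt_droppers(detections):
    """Check 7: AV detections whose name contains 'dropper' (case-insensitive)."""
    return [(host, name) for host, name in detections if "dropper" in name.lower()]


def run_all():
    """Run every check over the constructed samples and return the findings."""
    records = parse_proxy(PROXY_LOG)
    return {
        "port22": hunt_port22(records),
        "beacons": hunt_beacons(records),
        "rare_domains": hunt_rare_domains(records),
        "failed_logons": hunt_failed_logons(WIN_EVENTS),
        "explicit_credentials": hunt_explicit_credentials(WIN_EVENTS),
        "droppers": hunt_droppers(AV_DETECTIONS),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(f"{check}: {findings}")
```

Each function returns the hosts or accounts worth a second look rather than a verdict; on real data the beacon check is the one most worth extending (tolerate small byte-count jitter, compare against a per-destination baseline) because a static byte pattern is the easiest of the seven signals for an attacker to vary. Privilege changes (check 6) are left out only because the sample carries no group-membership events.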
While you can hunt for cyber threats manually, this method leaves a wide margin for error. With so much data to sift through, you can easily miss something obvious, which is why many organisations commission penetration testing to test their systems properly.
Regularly testing your systems is a requirement of the PCI DSS, an essential component of ISO 27001, and is generally considered good cybersecurity practice for ensuring safe and secure systems.
- Infrastructure (Network) Penetration Test
- PCI Compliance Penetration Testing
- Web Application Penetration Test
- Wireless Network Penetration Test