IT security managers and IT teams can install the latest antivirus software and firewall appliances to protect their computers and networks. However, there are other warning signs to look out for which software and hardware products are not always able to recognise on their own. Human beings, on the other hand, are naturally gifted at spotting strange behaviour: when patterns change or get disrupted, we notice. Here is a checklist of ‘indicators of compromise’ to look out for, where a change in normal behaviour might indicate an IT security attack in progress.
Possible attack starting:
- Log-in anomalies. Large numbers of attempts to log in on the same user ID, attempts to log into non-existent user IDs or out of hours log-in activities.
- Multiple requests for the same file. Whether or not the requests succeed, they may indicate systematic or brute force attempts to break into a system.
- DDoS attacks. The distributed denial of service attack may be obvious. What may be less obvious is that it is a smokescreen to hide other penetration attempts at the same time.
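The two log-based indicators above (log-in anomalies and repeated requests for the same file) can be checked with very little code. The following is an added example, not code from the original article: it runs three log-in checks (too many failures on one user ID, attempts against user IDs that do not exist, and successful log-ins outside business hours) and one repeated-request check over constructed sample log lines in a made-up format. The log formats, the known-user list, the business-hours window and the thresholds are all assumptions to be replaced with your own.

```python
"""Added example: log-in anomaly and repeated-file-request checks over
constructed log lines. Not code from the original article."""
from collections import Counter
from datetime import datetime

# Constructed authentication events: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
AUTH_LOG = """\
2024-05-01T09:12:03Z FAIL user=jsmith src=10.0.0.7
2024-05-01T09:12:05Z FAIL user=jsmith src=10.0.0.7
2024-05-01T09:12:06Z FAIL user=jsmith src=10.0.0.7
2024-05-01T09:12:08Z FAIL user=jsmith src=10.0.0.7
2024-05-01T09:12:09Z FAIL user=jsmith src=10.0.0.7
2024-05-01T09:12:11Z OK   user=jsmith src=10.0.0.7
2024-05-01T09:40:00Z FAIL user=administrator src=198.51.100.9
2024-05-01T09:40:02Z FAIL user=oracle src=198.51.100.9
2024-05-01T10:05:44Z OK   user=akumar src=10.0.0.21
2024-05-01T02:47:13Z OK   user=backup-svc src=10.0.0.30
"""

# Constructed web access log: "<ip> <method> <path> <status>"
ACCESS_LOG = """\
203.0.113.5 GET /admin/config.php 404
203.0.113.5 GET /admin/config.php 404
203.0.113.5 GET /admin/config.php 403
203.0.113.5 GET /admin/config.php 404
10.0.0.21 GET /index.html 200
10.0.0.21 GET /index.html 200
"""

# Assumptions: the directory of real accounts and the normal working day (UTC).
KNOWN_USERS = {"jsmith", "akumar", "backup-svc"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59


def parse_auth(line):
    """Split one constructed auth line into a dict of typed fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def login_anomalies(log_text, known_users=KNOWN_USERS, fail_threshold=5):
    """Return users with a failure burst, unknown user IDs, and out-of-hours log-ins."""
    events = [parse_auth(l) for l in log_text.splitlines() if l.strip()]
    fails = Counter(e["user"] for e in events if not e["ok"])
    return {
        "bursts": sorted(u for u, n in fails.items() if n >= fail_threshold),
        "unknown_users": sorted({e["user"] for e in events if e["user"] not in known_users}),
        "out_of_hours": sorted({e["user"] for e in events
                                if e["ok"] and e["ts"].hour not in BUSINESS_HOURS}),
    }


def repeated_file_requests(log_text, threshold=3):
    """Return (ip, path, count) for any client hammering one path, success or not."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, _status = line.split()
        counts[(ip, path)] += 1
    return [(ip, path, n) for (ip, path), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    print(login_anomalies(AUTH_LOG))
    print(repeated_file_requests(ACCESS_LOG))
```

Note that the burst check counts failures regardless of whether a later attempt succeeded: five failures followed by an OK is exactly the pattern of a guessed password and is the case worth looking at first.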
Possible attack in progress:
- Strange system file/registry changes or patching. New software installed by attackers often needs registry changes to work. Similarly, unexpected patching is a strong indicator.
- Abnormal outbound traffic. Compromised servers often connect to an attacker’s remote command and control server – perhaps in a country with which you never normally do business. Unexpected DNS requests should trigger an alarm for the same reason.
- Bizarre super-user activity. The accounts with the most power are the ones attackers ultimately want to control. If a privileged user account behaves strangely, investigate immediately.
Possible attack completion:
- Increases in database transmission volume. Once they get into a system, attackers may start to steal data. Unusually large database reads, and unusually large HTML responses from a web application (the result of SQL injection attacks over the web), are tell-tale signs.
- Stockpiles of data in strange places. To get ready for exfiltration, attackers may move or copy data to other compromised servers with better networking connectivity.
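The ‘attack in progress’ and ‘attack completion’ indicators above (outbound connections to countries you never deal with, unexpected DNS requests, and jumps in outbound or database read volume) all come down to comparing today’s activity with a baseline of what is normal. The following is an added example, not code from the original article, showing that comparison over constructed records: a set of countries and domains seen during a normal period, a few days of per-host outbound byte counts, and a few hours of database row counts. The record formats, the baseline figures, the placeholder country code ‘XX’ and the three-standard-deviation threshold are assumptions; the same `volume_spike` check applies equally to the size of web responses mentioned under the SQL injection point.

```python
"""Added example: baseline comparison for outbound traffic, DNS and database
read volume, over constructed records. Not code from the original article."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline learned from a normal month of traffic.
BASELINE_COUNTRIES = {"GB", "DE", "US"}
BASELINE_DOMAINS = {"updates.example.com", "mail.example.com", "cdn.example.net"}
# Constructed baseline: daily outbound bytes per host over five normal days.
BASELINE_OUT_BYTES = {
    "web01": [2.1e9, 2.4e9, 1.9e9, 2.2e9, 2.3e9],
    "db01": [1.0e8, 1.2e8, 0.9e8, 1.1e8, 1.0e8],
}
# Constructed baseline: rows returned by the customer database per hour.
BASELINE_DB_ROWS = [1200, 1350, 1100, 1280, 1190, 1300]

# Constructed records for today: flows are (host, dst_ip, dst_country, bytes).
TODAY_FLOWS = [
    ("web01", "93.184.216.34", "US", 2.0e9),
    ("db01", "203.0.113.77", "XX", 9.5e9),  # "XX" is a placeholder country code
    ("db01", "198.51.100.12", "DE", 0.5e8),
]
# Constructed DNS queries for today: (host, queried name).
TODAY_DNS = [
    ("web01", "updates.example.com"),
    ("db01", "a1b2c3.example-evil.invalid"),
]
TODAY_DB_ROWS = 48000  # rows returned in the last hour


def new_destinations(flows, known_countries=BASELINE_COUNTRIES):
    """Flows to a country never seen in the baseline."""
    return sorted({(h, ip, c) for h, ip, c, _ in flows if c not in known_countries})


def new_dns_domains(queries, known_domains=BASELINE_DOMAINS):
    """DNS lookups for names never seen in the baseline."""
    return sorted({(h, q) for h, q in queries if q not in known_domains})


def volume_spike(baseline_samples, current, sigma=3.0):
    """True when `current` sits more than `sigma` standard deviations above the baseline mean."""
    mu = mean(baseline_samples)
    # Assumption: if the baseline never varied, treat 10% of the mean as its spread.
    sd = pstdev(baseline_samples) or mu * 0.1
    return (current - mu) / sd > sigma


def outbound_volume_alerts(flows, baseline=BASELINE_OUT_BYTES, sigma=3.0):
    """Hosts whose outbound bytes today far exceed their own baseline."""
    per_host = defaultdict(float)
    for host, _ip, _country, nbytes in flows:
        per_host[host] += nbytes
    return sorted(h for h, total in per_host.items()
                  if h in baseline and volume_spike(baseline[h], total, sigma))


if __name__ == "__main__":
    print("new destinations:", new_destinations(TODAY_FLOWS))
    print("new DNS names:", new_dns_domains(TODAY_DNS))
    print("outbound spikes:", outbound_volume_alerts(TODAY_FLOWS))
    print("db read spike:", volume_spike(BASELINE_DB_ROWS, TODAY_DB_ROWS))
```

In the constructed data the database server is the one that should never be talking to the outside world at volume, so the three signals line up on the same host: a new country, a new domain, and outbound bytes roughly a hundred times its baseline. That correlation, rather than any single threshold, is what makes the alert worth acting on.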
Indicators of compromise don’t stop here. However, this initial list can get you into the good habit of continually monitoring your IT systems for strange behaviour, and then taking appropriate action.