Question



Case Project 13-2. Detecting Hackers in the Alexander Rocco Network

You receive a frantic call from the system administrator of the Alexander Rocco network, JW Tabacchi. He tells you he has identified several intrusion attempts from sources over the Internet. You’re not sure if the hackers have gained access to the internal network. First, based on the tools described in this chapter and some of the techniques you’ve learned in this book, write a TWO PAGE report about the things you might look for to identify an attacker or a compromised host on your network. Second, make some recommendations on how you might instrument the network with network protection systems to better detect and prevent compromises in the future.

NOTE: I WANT TWO PAGE REPORT

Solutions

Expert Solution

Indicators of Compromise (IOCs)

1. Unusual Outbound Network Traffic

Traffic inside the network, though often overlooked, can be the biggest indicator letting IT professionals know something isn’t quite right. If the outbound traffic increases heavily or simply isn’t typical, you could have a problem. Luckily, traffic inside your network is the easiest to monitor, and compromised systems will often have visible traffic before any real damage is done to the network.

2. Anomalies in Privileged User Account Activity

Account takeovers and insider attacks can both be discovered by keeping an eye out for weird activity in privileged accounts. Any odd behavior in an account should be flagged and followed up on. Key indicators could be escalation in the privileges of an account or an account being used to leapfrog into other accounts with higher privileges.

3. Geographic Irregularities

Irregularities in log-ins and access from an unusual geographic location on any account are good evidence that attackers are infiltrating the network from far away. If there is traffic with countries you don’t do business with, that is a huge red flag and should be followed up on immediately. Luckily, this is one of the easier indicators to pinpoint and take care of. An IT professional might see many IPs logging into an account in a short amount of time with a geographic tag that just doesn’t add up.

4. Log-In Anomalies

Login irregularities and failures are both great clues that your network and systems are being probed by attackers. A large number of failed logins on an existing account and failed logins with user accounts that don’t exist are two IOCs that it isn’t an employee or approved user trying to access your data.

5. Increased Volume in Database Reads

An increase in the volume of database reads could indicate that an attacker is in. They’ve found a way to infiltrate your network, and now they are gathering up your data to exfiltrate it. A full credit card database, for instance, would be a large request with a ton of read volume, and that swell in volume would be an IOC of funny business.

6. HTML Response Size

An abnormally large HTML response size can mean that a large piece of data was exfiltrated. For the same credit card database we used as an example in the previous IOC, the HTML response would be about 20 – 50 MB which is much larger than the average 200 KB response one should expect for any typical request.

7. Large Number of Requests for the Same File

Hackers and attackers have to use a lot of trial and error to get what they want from your system. These trials and errors are IOCs, as hackers try to see what kind of exploitation will stick. If one file, maybe that same credit card file, has been requested many times from different permutations, you could be under attack. Seeing 500 IPs request a file when typically there would be 1, is an IOC that needs to be checked on.

8. Mismatched Port-Application Traffic

If you have an obscure port, attackers could try to take advantage of that. Oftentimes, if an application is using an unusual port, it’s an IOC of command-and-control traffic acting as normal application behavior. Because this traffic can be masked differently, it can be harder to flag.

9. Suspicious Registry

Malware writers establish themselves within an infected host through registry changes. This can include packet-sniffing software that deploys harvesting tools on your network. To recognize these types of IOCs, it’s important to have that baseline “normal” established, which includes a clear registry. Through this process, you’ll have filters to compare hosts against and in turn decrease response time to this kind of attack.

10. DNS Request Anomalies

Command-and-control traffic patterns are oftentimes left by malware and cyber attackers. The command-and-control traffic allows for ongoing management of the attack. It must be secure so that security professionals can’t easily take it over, but that makes it stick out like a sore thumb. A large spike in DNS requests from a specific host is a good IOC. External hosts, geoIP, and reputation data all come together to alert an IT professional that something isn’t quite right.

Indicators of Compromise Detection and Response

These are just a handful of the ways suspicious activity can show up on a network. Luckily, IT professionals and managed security service providers look for these, and other IOCs to decrease response time to potential threats. Through dynamic malware analysis, these professionals are able to understand the violation of security and treat it immediately.

Monitoring for IOCs enables your organization to control the damage that could be done by a hacker or malware. A compromise assessment of your systems helps your team become as ready as possible for the type of cybersecurity threat your company may come up against. With actionable indicators of compromise, the response is reactive versus proactive, but early detection can mean the difference between a full-blown ransomware attack, leaving your business crippled, and a few missing files.

IOC security requires tools to provide the necessary monitoring and forensic analysis of incidents via malware forensics. IOCs are reactive in nature, but they’re still an important piece of the cyber security puzzle, ensuring an attack isn’t going on long before it is shut down.

Another important part of the puzzle is your data backup, just in case the worst does happen. You won’t be left without your data and without any way to avoid the ransom hackers might impose on you.

Know Network Defenses

Using the proper devices and solutions can help you defend your network. Here are the most common ones you should know about:

  • Firewall — One of the first lines of defense in a network, a firewall isolates one network from another. Firewalls either can be standalone systems or included in other devices, such as routers or servers. You can find both hardware and software firewall solutions; some firewalls are available as appliances that serve as the primary device separating two networks.
  • Intrusion detection system (IDS) — An IDS enhances cybersecurity by spotting a hacker or malicious software on a network so you can remove it promptly to prevent a breach or other problems, and use the data logged about the event to better defend against similar intrusion incidents in the future. Investing in an IDS that enables you to respond to attacks quickly can be far less costly than rectifying the damage from an attack and dealing with the subsequent legal issues.
  • Intrusion prevention system (IPS) — An IPS is a network security solution that can not only detect intruders, but also prevent them from successfully launching any known attack. Intrusion prevention systems combine the abilities of firewalls and intrusion detection systems. However, implementing an IPS on an effective scale can be costly, so businesses should carefully assess their IT risks before making the investment. Moreover, some intrusion prevention systems are not as fast and robust as some firewalls and intrusion detection systems, so it might not be an appropriate solution when speed is an absolute requirement.
  • Network access control (NAC) involves restricting the availability of network resources to endpoint devices that comply with your security policy. Some NAC solutions can automatically fix non-compliant nodes to ensure they are secure before access is allowed. NAC is most useful when the user environment is fairly static and can be rigidly controlled, such as enterprises and government agencies. It can be less practical in settings with a diverse set of users and devices that are frequently changing, which are common in the education and healthcare sectors.
  • Web filters are solutions that prevent users’ browsers from loading certain pages from particular websites. There are different web filters designed for individual, family, institutional and enterprise use.
  • Proxy servers act as negotiators for requests from client software seeking resources from other servers. A client connects to the proxy server, requesting some service (for example, a website); the proxy server evaluates the request and then allows or denies it. In organizations, proxy servers are usually used for traffic filtering and performance improvement.
  • Anti-DDoS devices detect distributed denial of service (DDoS) attacks in their early stages, absorb the volume of traffic and identify the source of the attack.
  • Load balancers are physical units that direct computers to individual servers in a network based on factors such as server processor utilization, number of connections to a server or overall server performance. Organizations use load balancers to minimize the chance that any particular server will be overwhelmed and to optimize the bandwidth available to each computer in the network.
  • Spam filters detect unwanted email and prevent it from getting to a user's mailbox. Spam filters judge emails based on policies or patterns designed by an organization or vendor. More sophisticated filters use a heuristic approach that attempts to identify spam through suspicious word patterns or word frequency.

Segregate Your Network

Types of Network Segments

Network segments can be classified into the following categories:

  • Public networks allow accessibility to everyone. The internet is a perfect example of a public network. There is a huge amount of trivial and unsecured data on public networks. Security controls on these networks are weak.
  • Semi-private networks sit between public networks and private networks. From a security standpoint, a semi-private network may carry confidential information but under some regulations.
  • Private networks are organizational networks that handle confidential and proprietary data. Each organization can own one or more private networks. If the organization is spread over vast geographical distances, the private networks at each location may be interconnected through the internet or other public networks.
  • Demilitarized zone (DMZ) is a noncritical yet secure region at the periphery of a private network, separated from the public network by a firewall; it might also be separated from the private network by a second firewall. Organizations often use a DMZ as an area where they can place a public server for access by people they might not trust. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still access the server using your network, but others aren’t able to access further network resources.
  • Software-defined networking (SDN) is a relatively recent trend that can be useful both in placing security devices and in segmenting the network. Essentially, in an SDN, the entire network is virtualized, which enables relatively easy segmentation of the network. It also allows administrators to place virtualized security devices wherever they want.

Use Network Address Translation

  • Network address translation (NAT) enables organizations to compensate for the address deficiency of IPv4 networking. NAT translates private addresses (internal to a particular organization) into routable addresses on public networks such as the internet. In particular, NAT is a method of connecting multiple computers to the internet (or any other IP network) using one IP address.

  • Don’t Disable Personal Firewalls

  • Use Centralized Logging and Immediate Log Analysis

  • Use Web Domain Whitelisting for All Domains

  • Route Direct Internet Access from Workstations through a Proxy Server

  • Monitor and Baseline Network Protocols

  • Use Multiple Vendors

  • Use Your Intrusion Detection System Properly

    An IDS can be an important and valuable part of your network security strategy. To get the most value from your IDS, take advantage of both ways it can detect potentially malicious activities:

  • Automate Response to Attacks when Appropriate

    Many network devices and software solutions can be configured to automatically take action when an alarm is triggered, which dramatically reduces response time. Here are the actions you can often configure:

    • Block IP address — The IDS or firewall can block the IP address from which the attack originated. This option is very effective against spam and denial-of-service attacks. However, some attackers spoof the source IP address during attacks, so the wrong address will be blocked.
    • Terminate connections — Routers and firewalls can be configured to disrupt the connections that an intruder maintains with the compromised system by targeting RESET TCP packets at the attacker.
    • Acquire additional information — Another option is to collect information on intruders by observing them over a period of time. By analyzing the information you gather, you can find patterns and make your defense against the attack more robust. In particular, you can:
      • Look for the point of initial access, how the intruders spread and what data was compromised. Reverse-engineer every piece of malicious software you find and learn how it works. Then clean up the affected systems and close the vulnerability that allowed initial access.
      • Determine how malicious software was deployed. Were administrative accounts used? Were they used after hours or in another anomalous manner? Then determine what awareness systems you could put in place to detect similar incidents in the future.
  • Physically Secure Your Network Equipment

    Physical controls should be established and security personnel should ensure that equipment and data do not leave the building. Moreover, direct access to network equipment should be prohibited for unauthorized personnel.
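The log-in anomaly (IOC 4) and DNS request spike (IOC 10) indicators from the solution above, turned into a small detection routine run over constructed sample log lines. This is an added example, not part of the original answer; the log formats, the thresholds and the host and user names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not from the original page): SSH auth-log lines in
# the usual syslog shape, and per-host DNS query records as "<client> <name>".
AUTH_LOG = """\
Jan 10 03:01:12 host1 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
Jan 10 03:01:15 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51024 ssh2
Jan 10 03:01:16 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Jan 10 03:01:17 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Jan 10 03:01:18 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51027 ssh2
Jan 10 03:01:19 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51028 ssh2
Jan 10 03:01:20 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51029 ssh2
Jan 10 08:15:02 host1 sshd[1330]: Failed password for bob from 10.0.0.15 port 40010 ssh2
"""

# Constructed DNS log: one quiet host, and one host asking for 300 unique names.
DNS_LOG = "\n".join(
    ["10.0.0.15 intranet.example.internal"] * 12
    + [f"10.0.0.23 {i:04x}.c2.example-bad.test" for i in range(300)]
    + ["10.0.0.23 www.example.com"]
)

FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def login_anomalies(log: str, max_failures: int = 5) -> dict:
    """Return sources that tried accounts that do not exist, and (source, user)
    pairs whose failure count on a real account exceeds max_failures."""
    invalid_user_sources = set()
    failures = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        if m.group("invalid"):
            invalid_user_sources.add(m.group("src"))
        else:
            failures[(m.group("src"), m.group("user"))] += 1
    brute_force = {k: n for k, n in failures.items() if n > max_failures}
    return {"invalid_user_sources": invalid_user_sources, "brute_force": brute_force}

def dns_spikes(log: str, baseline_per_host: int = 20, factor: int = 5) -> dict:
    """Flag hosts whose query count exceeds factor x the assumed per-host baseline
    and report how many distinct names they asked for (many unique names under
    one parent domain is the classic shape of tunnelling or beaconing)."""
    per_host = Counter()
    names = defaultdict(set)
    for line in log.splitlines():
        client, name = line.split()
        per_host[client] += 1
        names[client].add(name)
    return {
        host: {"queries": n, "unique_names": len(names[host])}
        for host, n in per_host.items()
        if n > baseline_per_host * factor
    }
```

The baseline value is the piece the solution calls "normal"; in practice it comes from the monitored network's own history, not a constant.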
