Five signs an attacker is already in your network
- 17 June, 2016 07:15
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
According to some estimates, attackers have infiltrated 96% of all networks, so you need to detect and stop them before they have time to escalate privileges, find valuable assets and steal data.
The good news is an attack doesn’t end with an infection or a take-over of an endpoint; that is where it begins. From there an attack is highly active, and the attacker can be identified and stopped if you know how to find them. These five strategies will help.
* Search for the telltale signs of a breach. Look for port scans, excessive failed log-ins and other types of reconnaissance as an attacker tries to map out your network.
An attacker will initially need to understand the topology of the network they have infiltrated. They will look for vulnerable end points and servers, and zero in on administrative users and valuable data stores.
Most intrusion detection tools can detect known port scanners. However, distinguishing between covert reconnaissance and legitimate scanning used in network broadcasts is more difficult. Let’s face it; most computers and applications are chatty. However, you can find the anomalies indicative of an attack if you’ve established how many ports and destinations the various devices on your network would usually access.
- Data Source: network monitoring or management tools, NetFlow aggregation
- Challenges: Attackers can go “low and slow” though, so you may need to do some time based analysis. Also, there can be a lot of chatty tools and protocols, so it takes a while to filter out the noise.
* Look for a “normal” user performing administrative tasks. Increasingly, attackers are using native tools on computers and servers, rather than known attack tools and malware, to avoid detection by anti-virus and EDR software. But, this is itself an anomaly that you can detect. Try to determine who your admins are. Directory services such as Active Directory can help you establish user roles and privileges within your organization. Then ascertain what tools your administrators use and what applications or devices they typically manage, such as an ERP database or an Intranet website. With that knowledge, you can spot when an attacker takes over a machine and starts performing administrative tasks in an unexpected manner.
- Data Source: A combination of network information (network packets or NetFlow data) and directory services information gives are the best way to identify administrative behavior.
- Challenge: Unfortunately, there isn’t a single source of information that will tell you exactly who your administrators are and what they assets they manage. However, just monitoring SSH and RPC usage from a course perspective can give you a good starting point. You’ll probably end up with a lot of false positives, but over time you can winnow down the list of approved admins, and from that have a baseline you can detect against.
* Look for a device using multiple accounts and credentials to access network resources.
Attackers love credentials to ease their process and stay undetected. They steal or generate accounts and use those to explore and gain access. This is a mark of both external and internal attackers. Analyze credential usage to spot outliers that are indicative of such attack activity.
- Data Source: Monitoring network traffic or analyzing logs from your authentication and authorization infrastructure are your best resources for credential abuse. Extract the data and analyze it to get a sense for how many systems each user generally interacts with. Then monitor for anomalies.
- Challenges: There is a lot of variability between users, but you can try to baseline the “average” user. Even just listing out your high volume users should give decent visibility - if you see a new name pop onto the list you can check it out.
* Look for an attacker trying to find valuable data in file servers. One step an attacker will typically take is to figure out what Windows files shares are broadly accessible in order to either hunt for important data—such as intellectual property or credit card numbers—or to remotely encrypt data for ransom. Spotting anomalies in file share access can be a valuable signal, and may also alert you to an employee who is considering insider theft.
- Data Source: logs from your file servers are the best bet to do this yourself. But it will take some analysis to turn this into a view from the users’ perspective, and thus grant the ability to see user-access anomalies.
- Challenges: Some file shares are truly commonly accessed, and a large spike as a user goes there for the first time might generate a false positive. In addition, the data on access is pretty messy and hard to analyze. This can be seen with network tools as well, but it is a lot of work to extract the information that matters.
* Look for the command and control activity or persistent access mechanisms. Attackers need a way to communicate between the Internet and endpoint(s) they control in your environment. While there is less malware in use throughout the attack than there used to be, there can still be malware and Remote Access Trojans (RATs) in place. Keep an eye on outbound communications for indications of malicious software phoning home.
- Data Source: Many perimeter security tools already seek out command and control activity. Targeted malware may attempt to contact AWS or Azure resources or new servers that won’t be recognized by traditional threat intelligence services.
You can augment your existing security by looking at DNS logs for patterns of DNS look-ups that indicate malware trying to find command and control servers. Lots of failed DNS requests or requests that look like machine-generated domain names are a sign of malware programmed to avoid reputation-based blocking.
- Challenges: Attackers have a lot of ways to conceal command and control traffic, so it is good to keep an eye out, but don’t depend on this type of detection alone to discover malware. You can never tell what combination of normal Internet sites, including Twitter, Craigslist, Gmail, and many more, that malware might exploit for command and control communications. So, it is worth spending some effort to track this activity, but isn’t as important as tracking lateral movement or excessive credential use, which are much more difficult for an attacker to conceal.
As you can see, there are a lot of tools and procedures at your disposal to help spot attackers. There are many activities that attackers must engage in to learn and expand in an environment. Getting in, for them, is just the first step. At a minimum, a bot needs to connect back and monetize the intrusion through bitcoin mining, click fraud, spam, or other nefarious means. In the more serious cases, the initial intrusion is just the beachhead the attacker uses to then learn and expand on your network in the pursuit of your data. In either case, all is not lost upon intrusion - there is still plenty of time to find and root out attackers and malware before serious damage is done.
Further, it is actually possible to spot all these activities, and more, directly from the network - if you are able to extract the right metadata from the packet flows. This is harder to do manually, but is a great option for an automated tool. By analyzing network traffic with Deep Packet Inspection, an automated security solution can identify the anomalies indicative of a live attack.
If you are interested in automating these detection steps and more, find a solution that uses machine learning to automate the baselining process on your network so you can quickly find and stop attackers who have circumvented traditional security controls.