[SIEM] Threat Hunting with Indicators of Attack (IoAs)

Sittikorn S.
5 min read · Jan 2, 2021

I read about Indicators of Attack (IoAs) in the McAfee Labs Threat Report 2014, then I applied this concept with SIEM for threat hunting.

(This article was moved from my LinkedIn to my Medium.)

What is an Indicator of Attack (IoA)?

IoAs are events that can reveal an active attack before indicators of compromise become visible. Put another way, an IoA is a construction of otherwise unknown attributes and contextual information (including organizational intelligence and risk) into a dynamic, situational picture that guides response.

Using IoAs provides a way to shift from reactive cleanup/recovery to a proactive mode, where attackers are disrupted and blocked before they achieve their goal, such as data theft, ransomware deployment or exploitation.

IoAs focus on detecting the intent behind what an attacker is trying to compromise on your system.

Top 10 Indicators of Attack (IoAs)

The following are the most common attack activities that can be used, individually or in combination, to diagnose an active attack:

1) Internal hosts with bad destinations

Internal hosts communicating with known bad destinations, or with a foreign country where you don’t conduct business.

Example of an HP ArcSight dashboard that shows client hosts communicating with feed entries (IP, domain, URL) from the “ransomwaretracker.abuse.ch” website (OSINT).

[Ransomware Hunter is available as a free package from TDM SOC Prime]

Example of Global Threat Intelligence from McAfee ESM

2) Internal hosts with non-standard ports

Internal hosts communicating with external hosts over non-standard ports, or with protocol/port mismatches, such as sending command shells (SSH) over ports 80 and 443, the default web ports, rather than HTTP/HTTPS traffic.

Example of internal hosts using 21 (FTP), 445 (SMB), 137 (NetBIOS-NS) and 135 (RPC) to the Internet, on RSA Security Analytics

3) Public servers/DMZ to internal hosts

Internet-facing servers or demilitarized zone (DMZ) hosts communicating with internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets over RDP (Remote Desktop Protocol), Radmin or SSH.

Example of a report that monitors the top 10 traffic flows from the “DMZ” zone to the “Internal/Client” zone.

From this report, a security analyst should investigate the highlighted servers that communicate with internal hosts via RDP (TCP/3389) and SSH (TCP/22).

4) Off-hours malware detection

Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.

Example of IPS alerts during non-working time (a holiday) on RSA Security Analytics

5) Network scans by internal hosts

Network scans by internal hosts communicating with multiple hosts in a short time frame can reveal an attacker moving laterally within the network. These incidents are detected by perimeter network defenses such as firewalls and IPS. You must select the zone/interface filter from “Internal” to “Internal” only; in the future, you should also focus on “Internal” to “DMZ”. The source may be an insider threat or a compromised host that needs more information about your network (reconnaissance).

Example of a network scan report filtered from the “Internal” zone to the “Internal” zone on McAfee ESM
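As an added example (not code from the original article or any of the SIEM products it names), the scan rule above can be expressed as a count of distinct destinations per source host within each one-minute bucket, restricted by zone. The zone address ranges, the sample firewall events and the threshold of 5 targets are assumptions for the example; the `dst_zone` parameter lets the same rule hunt “Internal” to “DMZ” as the text suggests.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of firewall connection events (not real data):
# (timestamp, source IP, destination IP, destination port)
EVENTS = [
    ("2021-01-02 09:00:01", "10.1.1.25", "10.1.2.10", 445),
    ("2021-01-02 09:00:02", "10.1.1.25", "10.1.2.11", 445),
    ("2021-01-02 09:00:02", "10.1.1.25", "10.1.2.12", 445),
    ("2021-01-02 09:00:03", "10.1.1.25", "10.1.2.13", 445),
    ("2021-01-02 09:00:04", "10.1.1.25", "10.1.2.14", 445),
    ("2021-01-02 09:00:05", "10.1.1.25", "10.1.2.15", 445),
    ("2021-01-02 09:05:00", "10.1.1.30", "10.1.2.10", 443),
    ("2021-01-02 09:05:10", "10.1.1.30", "10.1.2.11", 443),
    ("2021-01-02 09:05:20", "10.1.1.30", "93.184.216.34", 443),  # Internet: not counted
]

# Assumed zone definitions for the example; adapt them to your own address plan.
ZONES = {
    "Internal": [ip_network("10.1.0.0/16"), ip_network("192.168.0.0/16")],
    "DMZ": [ip_network("10.200.0.0/24")],
}

def zone_of(ip):
    """Map an address to a named zone; anything unmatched is treated as External."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "External"

def detect_scans(events, src_zone="Internal", dst_zone="Internal", min_targets=5):
    """Count distinct destinations per source in each one-minute bucket and return
    {source: most distinct targets seen in a minute} for sources at/above min_targets."""
    targets = defaultdict(set)   # (source, minute bucket) -> distinct destinations
    for ts, src, dst, _port in events:
        if zone_of(src) == src_zone and zone_of(dst) == dst_zone:
            minute = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(second=0)
            targets[(src, minute)].add(dst)
    hits = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_targets:
            hits[src] = max(len(dsts), hits.get(src, 0))
    return hits
```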

6) Multiple alarm events from a single host

Multiple alarm events from a single host, or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. This is a common use case.

Example of a dashboard that monitors “User Login Failures” from single hosts on RSA Security Analytics

Note: some failed-login events from e-mail applications on mobile phones can generate more than 500 events/minute. I found this case when a user account’s password had expired but the user had not changed it on their devices.

7) Hosts reinfected with malware

After an infected host is cleaned, the system is reinfected with malware within 5–10 minutes; repeated reinfections signal the presence of a rootkit or a persistent compromise. This incident can be detected from endpoint security protection or antivirus events.

Example of Malware Dashboard on McAfee ESM

Detection: you must create at least 3 rules on the SIEM, as follows:

  1. The rule alerts when it finds an infected host, then adds it to the Current Infected Hosts list and the Historical Infected Hosts list (stored for at least 1 week).
  2. The rule alerts when malware is cleaned from an infected host, then removes it from the Current Infected Hosts list.
  3. The rule alerts when it finds an infected host that is already on the Historical Infected Hosts list within a specific time range. Those systems should be scanned/investigated for malware again!
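The three rules above, as an added example in plain Python rather than any vendor’s correlation-rule syntax (this is not code from the original article or from McAfee ESM). The endpoint-protection events, the host names, the 10-minute reinfection window and the 7-day retention are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of endpoint-protection events (not real data):
# (timestamp, host, action) where action is "detected" or "cleaned"
AV_EVENTS = [
    ("2021-01-02 10:00:00", "PC-0123", "detected"),
    ("2021-01-02 10:01:00", "PC-0123", "cleaned"),
    ("2021-01-02 10:07:00", "PC-0123", "detected"),  # back 7 min after the first detection
    ("2021-01-02 10:08:00", "PC-0123", "cleaned"),
    ("2021-01-02 11:00:00", "PC-0456", "detected"),
    ("2021-01-02 11:30:00", "PC-0456", "cleaned"),
    ("2021-01-03 12:00:00", "PC-0456", "detected"),  # a day later: outside the window
]

class ReinfectionTracker:
    """Mirrors the three SIEM rules: rule 1 adds a detected host to the current and
    historical lists, rule 2 removes a cleaned host from the current list, rule 3
    alerts when a host that was cleaned shows up again inside the time window."""

    def __init__(self, window=timedelta(minutes=10), retention=timedelta(days=7)):
        self.window, self.retention = window, retention
        self.current = set()      # Current Infected Hosts List
        self.historical = {}      # Historical Infected Hosts List: host -> last detection
        self.alerts = []          # (host, timestamp) pairs raised by rule 3

    def process(self, ts, host, action):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # keep the historical list to the retention period (at least one week)
        self.historical = {h: t for h, t in self.historical.items()
                           if now - t <= self.retention}
        if action == "detected":
            prev = self.historical.get(host)
            # rule 3: previously detected and cleaned, and seen again within the window
            if prev is not None and host not in self.current and now - prev <= self.window:
                self.alerts.append((host, ts))
            self.current.add(host)           # rule 1
            self.historical[host] = now
        elif action == "cleaned":
            self.current.discard(host)       # rule 2

def run(events):
    """Feed events in order and return the tracker with its lists and alerts."""
    tracker = ReinfectionTracker()
    for ts, host, action in events:
        tracker.process(ts, host, action)
    return tracker
```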

8) Multiple logins from different regions

A user account trying to log in to multiple resources within a few minutes from different regions. This is a sign that the user’s credentials have been stolen or that the user is up to mischief.

Example of a correlation rule on McAfee ESM; the ideal solution may vary based on your network conditions and security policy

This rule detects events in the “Login” normalization category with an Event Outcome equal to “Success” and multiple Source Geo-locations within a specified time range, with events grouped by Source User.
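The same correlation logic as an added, vendor-neutral example (not the article’s or McAfee ESM’s own rule): successful logins are grouped by source user and an alert is raised when one sliding time window contains successes from two or more geo-locations. The normalized login events, the user names and the 10-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized "Login" events (not real data):
# (timestamp, source user, event outcome, source geo-location)
LOGIN_EVENTS = [
    ("2021-01-02 08:00:00", "alice", "Success", "TH"),
    ("2021-01-02 08:03:00", "alice", "Success", "TH"),
    ("2021-01-02 08:06:00", "alice", "Success", "RU"),  # second country within 10 min
    ("2021-01-02 08:00:00", "bob",   "Failure", "US"),  # failures are not correlated
    ("2021-01-02 08:01:00", "bob",   "Success", "TH"),
    ("2021-01-02 12:00:00", "bob",   "Success", "US"),  # 4 h later: outside the window
]

def multi_geo_logins(events, window=timedelta(minutes=10), min_geos=2):
    """Group successful logins by source user and return {user: sorted geo-locations}
    for users whose successes came from at least min_geos locations in one window."""
    by_user = defaultdict(list)
    for ts, user, outcome, geo in events:
        if outcome == "Success":
            by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), geo))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        # slide the window start over each login and collect the locations inside it
        for i, (start, _) in enumerate(logins):
            geos = {g for t, g in logins[i:] if t - start <= window}
            if len(geos) >= min_geos:
                alerts[user] = sorted(geos)
                break
    return alerts
```

Tuning the window and the geo granularity (country vs. city) is where most of the false positives from VPNs and mobile carriers are handled.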

9) Internal hosts using SMTP heavily

E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4 should be monitored. Some malware uses these ports to send information to a suspicious or attacker-controlled server.

Example of an infected client using SMTP (TCP/25) on RSA Security Analytics

10) Internal hosts making many queries to external/internal DNS

Many organizations have internal DNS servers that cache records and serve DNS to internal hosts, and the DHCP configuration defines the internal DNS server as the primary DNS server. If you find that some internal hosts query external DNS such as 8.8.8.8 or 8.8.4.4 (Google DNS), you should scan those clients for malware.

In some incidents, an internal host was found making many requests to the internal DNS server (> 1,000 events/hour) on RSA Security Analytics.
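Both DNS checks from this section as one added example (not code from the original article or from RSA Security Analytics): clients that bypass the DHCP-assigned internal resolvers, and clients whose hourly query volume to an internal resolver exceeds the 1,000 events/hour mark. The resolver addresses, the client addresses and the query log are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

INTERNAL_DNS = {"10.1.0.53", "10.1.0.54"}   # assumed resolvers handed out by DHCP

# Constructed sample of DNS query logs (not real data):
# (timestamp, client IP, resolver IP, query name); 8.8.8.8/8.8.4.4 are Google DNS
DNS_LOG = [
    ("2021-01-02 13:00:05", "10.1.1.40", "10.1.0.53", "mail.example.com"),
    ("2021-01-02 13:00:09", "10.1.1.41", "8.8.8.8", "update.example.net"),
    ("2021-01-02 13:10:00", "10.1.1.41", "8.8.4.4", "cdn.example.net"),
] + [  # 1,200 queries from one client to the internal resolver inside a single hour
    ("2021-01-02 13:%02d:%02d" % (m, s), "10.1.1.42", "10.1.0.53", "h%d.example.org" % (m * 60 + s))
    for m in range(20) for s in range(60)
]

def hunt_dns(log, internal_resolvers=INTERNAL_DNS, per_hour_threshold=1000):
    """Return (bypass, noisy): bypass maps clients to the non-internal resolvers they
    used; noisy maps clients to the largest hourly query count to an internal resolver
    that exceeded per_hour_threshold."""
    bypass = defaultdict(set)   # client -> external resolvers queried
    volume = Counter()          # (client, hour bucket) -> queries to internal DNS
    for ts, client, resolver, _name in log:
        if resolver in internal_resolvers:
            hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(minute=0, second=0)
            volume[(client, hour)] += 1
        else:
            bypass[client].add(resolver)
    noisy = {}
    for (client, _), n in volume.items():
        if n > per_hour_threshold:
            noisy[client] = max(n, noisy.get(client, 0))
    return {c: sorted(r) for c, r in bypass.items()}, noisy
```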

Remark: I apologize if this article contains any mistakes. Please send me your recommendations.
