What is an indicator of attack (IoA)?
Indicators of attack are events that can reveal an active attack before signs of compromise become visible.
Using IoAs lets you move from a reactive clean-up/recovery mode to a proactive mode in which intruders are stopped before they reach their goal, such as data theft, ransom or exploitation.
An IoA focuses on uncovering the attacker's intent, regardless of the malware or exploit used in the attack. Like antivirus signatures, IoC-based detection cannot keep up with the growing threat of zero-day intrusions and malware-free exploits. As a result, next-generation security solutions are evolving toward an IoA-based approach.
10 indicators of attack (IoA)
To diagnose an active attack, look for the following common activities, individually or in combination:
1) Internal hosts communicating with known-bad destinations
Internal hosts communicating with known-bad destinations, or with a foreign country where you do not do business.
Example of an HP ArcSight dashboard showing client hosts that communicate with the ransomwaretracker.abuse.ch feeds (IP, domain, URL).
Ransomware Hunter is available as a free package in SOC Prime's HPE Protect724.
Example from McAfee Global Threat Intelligence
2) Internal hosts using non-standard ports
Internal hosts communicating with external hosts over non-standard ports, or with a protocol/port mismatch, for example sending command shell (SSH) traffic instead of HTTP/HTTPS traffic over port 80 or 443, the default web ports.
Example of an internal host using 21 (FTP), 445 (SMB), 137 (NETBIOS-NS) and 135 (RPC) to access the Internet.
3) Public/DMZ servers to internal hosts
Servers or hosts published in the DMZ that communicate with internal hosts. This enables remote access into the internal network and data exfiltration, using tools such as RDP (Remote Desktop Protocol), Radmin or SSH.
Example of a report showing the top 10 traffic flows from the DMZ to the internal/client zone.
In this report, a security analyst should examine DMZ servers that communicate with internal hosts via RDP (TCP/3389).
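As an added example (not from the original article), the following script applies indicators 2 and 3 to flow records: an internal host reaching the Internet on anything other than the web ports, and a DMZ host reaching back into the LAN over a remote-access port. The zone addressing, the port sets and the sample flows are assumptions made for this example.

```python
# Added example (not from the original article): a flow-log check for
# indicators 2 and 3. Zones, port lists and the sample flows are assumed.
import ipaddress
from typing import Dict, List

# Hypothetical addressing for this example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.168.100.0/24")

# Ports an internal client is normally expected to use toward the Internet.
ALLOWED_EGRESS_PORTS = {80, 443}
# Remote-access ports named in the article (SSH, RDP); Radmin could be added the same way.
REMOTE_ACCESS_PORTS = {22, 3389}
SERVICE_NAMES = {21: "FTP", 22: "SSH", 80: "HTTP", 135: "RPC", 137: "NETBIOS-NS",
                 443: "HTTPS", 445: "SMB", 3389: "RDP"}


def zone(ip: str) -> str:
    """Classify an address as dmz, internal or external."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "external"


def check_flow(flow: Dict) -> List[str]:
    """Return the indicator(s) a single flow record triggers, if any."""
    findings = []
    src_zone, dst_zone, dport = zone(flow["src"]), zone(flow["dst"]), flow["dport"]
    name = SERVICE_NAMES.get(dport, "port %d" % dport)
    # Indicator 2: internal host to the Internet on something other than the web ports.
    if src_zone == "internal" and dst_zone == "external" and dport not in ALLOWED_EGRESS_PORTS:
        findings.append(f"IOA-2 {flow['src']} -> {flow['dst']}:{dport} ({name}) non-standard egress port")
    # Indicator 3: a DMZ host reaching back into the LAN over a remote-access port.
    if src_zone == "dmz" and dst_zone == "internal" and dport in REMOTE_ACCESS_PORTS:
        findings.append(f"IOA-3 {flow['src']} -> {flow['dst']}:{dport} ({name}) remote access from DMZ into LAN")
    return findings


def scan_flows(flows: List[Dict]) -> List[str]:
    return [f for flow in flows for f in check_flow(flow)]


# Constructed sample flows (TEST-NET addresses stand in for the Internet).
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443},      # normal web traffic
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 445},      # SMB to the Internet
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 22},       # SSH to the Internet
    {"src": "10.1.2.3", "dst": "192.168.100.5", "dport": 3389},    # LAN admin into DMZ: not flagged
    {"src": "192.168.100.5", "dst": "10.1.2.3", "dport": 3389},    # DMZ host RDP into the LAN
    {"src": "203.0.113.10", "dst": "192.168.100.5", "dport": 443}, # inbound to a DMZ web server
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
```

The same check runs unchanged over firewall or NetFlow exports once each record is reduced to source, destination and destination port; an allow-list of known egress services (proxies, update servers) would be the first tuning step to cut noise.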
4) Malware detection outside office hours
Alerts occurring outside normal working hours (at night or at weekends) can indicate a compromised host.
Example of IPS alerts outside working hours (public holidays)
5) Network scans by internal hosts
Network scans by internal hosts that interact with many hosts in a short period of time, which can reveal an attacker moving laterally inside the network.
These incidents are detected with perimeter network security tools such as firewalls and IPS. You need to filter on the zone/interface pair Internal to Internal; next, also focus on Internal to DMZ. This can be an insider threat or a compromised host gathering more information (reconnaissance) about your network.
Example of a network scan alert, filtered from the internal zone to the internal zone
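As an added example (not from the original article), here is the scan indicator expressed as a sliding-window count of distinct destinations per source, restricted to the Internal-to-Internal and Internal-to-DMZ traffic the text says to filter on. The zones, the 60-second window, the threshold of 20 distinct targets and the sample traffic are all assumptions.

```python
# Added example (not from the original article): count distinct destinations
# per source in a sliding time window over flow records. Zones, the window,
# the threshold and the sample traffic are all assumed.
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.168.100.0/24")
WINDOW = timedelta(seconds=60)   # assumed meaning of "short period of time"
THRESHOLD = 20                   # assumed: distinct targets that count as a scan


def is_monitored(src: str, dst: str) -> bool:
    """Internal -> Internal and Internal -> DMZ, the filter the article suggests."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in INTERNAL and (d in INTERNAL or d in DMZ)


def detect_scanners(flows):
    """flows: iterable of (timestamp, src_ip, dst_ip).
    Returns {src: (time of first alert, distinct targets at that moment)}."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside WINDOW
    alerts = {}
    for ts, src, dst in sorted(flows):
        if not is_monitored(src, dst):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > WINDOW:   # drop records that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= THRESHOLD and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


# Constructed sample: one host sweeps 10.1.3.0/24 at night, one host does
# normal work, and one Internet address is outside the filter and ignored.
T0 = datetime(2024, 1, 1, 2, 0, 0)
SAMPLE_FLOWS = (
    [(T0 + timedelta(seconds=2 * i), "10.1.2.3", f"10.1.3.{i + 1}") for i in range(25)]
    + [(T0 + timedelta(seconds=5 * i), "10.1.2.4", f"10.1.3.{i + 1}") for i in range(3)]
    + [(T0 + timedelta(seconds=i), "203.0.113.10", f"10.1.3.{i + 1}") for i in range(30)]
)

if __name__ == "__main__":
    for host, (ts, n) in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{ts:%H:%M:%S} {host} contacted {n} distinct internal hosts within {WINDOW.seconds}s")
```

Counting distinct destinations rather than raw packets keeps a single busy file server from tripping the rule; vulnerability scanners and monitoring hosts that legitimately sweep the network belong on an exclusion list.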
6) Multiple alarm events from the same host
Multiple alarm events from a single host, or duplicate events on multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. This can also be normal use (see the hint below).
Example of a dashboard tracking login failures per host.
Hint: Some unsuccessful login events from email applications on mobile phones can generate more than 500 events per minute. I found this case when the account password had expired, but they hadn't changed to the new password on their devices.
7) The system is re-infected with malware
After an infected host has been cleaned, it is re-infected with malware within 5-10 minutes. Repeated infections indicate the presence of a rootkit or a persistent compromise. This incident can be detected through endpoint security protection or antivirus events.
Here is an example of a malware dashboard.
Detection: you need to create at least 3 SIEM rules, as follows:
- Rule 1 fires when an infected host is detected and adds it to the current list of infected hosts and to the historical list of infected hosts (keep at least 1 week).
- Rule 2 fires when malware is removed from an infected host and removes it from the current list of infected hosts.
- Rule 3 fires when a host is detected as infected and is already on the historical list of infected hosts within a certain time interval. That system must be scanned/investigated for rootkits and malware!
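As an added example (not from the original article), the three rules above can be modelled as one small stateful tracker that consumes antivirus "detected" and "removed" events. The one-week retention follows the text; the one-hour re-infection window, the host names and the event stream are assumptions for this example.

```python
# Added example (not from the original article): the three SIEM rules from
# indicator 7 as a small stateful tracker. Retention follows the article;
# the re-infection window and the event stream are constructed.
from datetime import datetime, timedelta

HISTORY_RETENTION = timedelta(days=7)     # article: keep history at least 1 week
REINFECTION_WINDOW = timedelta(hours=1)   # assumed; the article describes re-infection within 5-10 minutes


class ReinfectionTracker:
    def __init__(self):
        self.current = {}      # host -> timestamp of the latest detection not yet cleaned
        self.history = {}      # host -> timestamps of detections inside the retention period
        self.escalations = []  # (ts, host, reason) produced by rule 3

    def _expire(self, now):
        """Age the historical list so it only covers the retention period."""
        for host in list(self.history):
            kept = [t for t in self.history[host] if now - t <= HISTORY_RETENTION]
            if kept:
                self.history[host] = kept
            else:
                del self.history[host]

    def on_event(self, ts, host, action):
        self._expire(ts)
        if action == "detected":
            prior = self.history.get(host, [])
            # Rule 3: the host is already on the historical list within the interval.
            if prior and ts - prior[-1] <= REINFECTION_WINDOW:
                minutes = int((ts - prior[-1]).total_seconds() // 60)
                self.escalations.append(
                    (ts, host, f"re-infected {minutes} min after previous detection; scan for rootkit"))
            # Rule 1: add to the current and historical lists.
            self.current[host] = ts
            self.history.setdefault(host, []).append(ts)
        elif action == "removed":
            # Rule 2: cleaned, so drop it from the current list (history is kept).
            self.current.pop(host, None)


def run_events(events):
    tracker = ReinfectionTracker()
    for ts, host, action in sorted(events):
        tracker.on_event(ts, host, action)
    return tracker


# Constructed antivirus event stream.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "pc-a", "detected"),
    (T0 + timedelta(minutes=5), "pc-a", "removed"),
    (T0 + timedelta(minutes=12), "pc-a", "detected"),   # back within 12 min: rule 3 fires
    (T0, "pc-b", "detected"),
    (T0 + timedelta(minutes=3), "pc-b", "removed"),
    (T0 + timedelta(days=3), "pc-b", "detected"),       # outside the window: no escalation
    (T0, "pc-c", "detected"),
    (T0 + timedelta(minutes=2), "pc-c", "removed"),
    (T0 + timedelta(days=10), "pc-c", "detected"),      # earlier history already aged out
]

if __name__ == "__main__":
    for ts, host, reason in run_events(SAMPLE_EVENTS).escalations:
        print(f"{ts:%Y-%m-%d %H:%M} {host}: {reason}")
```

In a SIEM the two lists are active lists or lookup tables; the important design point is that rule 2 removes a host only from the current list, because rule 3 needs the historical entry to recognise the repeat.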
8) Multiple logins from different regions
A user account that logs in from multiple sources in different regions within minutes. This indicates that the user's credentials have been stolen or that the user is doing something improper.
An example of a correlation rule; the ideal solution may vary depending on network conditions and security policies.
This is an event-driven rule in the login category: the event outcome equals success, with multiple source geolocations within a given time interval, and events are grouped by source user.
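As an added example (not from the original article), the correlation rule just described can be written as a per-user sliding window over successful logins. The ten-minute interval, the tiny geolocation table (a stand-in for a real GeoIP database) and the login events are assumptions for this example.

```python
# Added example (not from the original article): the correlation rule from
# indicator 8. The geolocation table, window and login events are constructed;
# a real deployment would use a GeoIP database instead of the dict.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed "given time interval"

# Constructed stand-in for a GeoIP lookup (documentation addresses only).
GEO = {"198.51.100.7": "US", "192.0.2.44": "US", "203.0.113.9": "DE", "203.0.113.50": "JP"}


def geolocate(ip: str) -> str:
    return GEO.get(ip, "unknown")


def detect_multi_region_logins(events):
    """events: (ts, user, src_ip, outcome). Only successful logins are correlated,
    grouped by user; an alert lists the distinct countries seen inside WINDOW."""
    recent = defaultdict(deque)   # user -> (ts, ip, country) records within WINDOW
    alerts = []
    for ts, user, ip, outcome in sorted(events):
        if outcome != "success":
            continue
        country = geolocate(ip)
        if country == "unknown":   # cannot place it, so it does not count toward the rule
            continue
        q = recent[user]
        q.append((ts, ip, country))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        countries = {c for _, _, c in q}
        if len(countries) > 1:
            alerts.append((ts, user, sorted(countries)))
    return alerts


# Constructed login events.
T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = [
    (T0, "alice", "198.51.100.7", "success"),
    (T0 + timedelta(minutes=4), "alice", "203.0.113.9", "success"),    # US then DE in 4 minutes
    (T0, "bob", "198.51.100.7", "success"),
    (T0 + timedelta(minutes=2), "bob", "192.0.2.44", "success"),       # two IPs, same country
    (T0 + timedelta(minutes=3), "bob", "203.0.113.50", "failure"),     # failed login: ignored
    (T0, "carol", "198.51.100.7", "success"),
    (T0 + timedelta(hours=3), "carol", "203.0.113.50", "success"),     # too far apart
]

if __name__ == "__main__":
    for ts, user, countries in detect_multi_region_logins(SAMPLE_EVENTS):
        print(f"{ts:%H:%M} {user} logged in from {', '.join(countries)} within {WINDOW.seconds // 60} min")
```

VPN concentrators and cloud egress ranges are the usual false-positive sources for this rule; mapping those addresses to a fixed "corporate" location before correlation keeps the alert meaningful.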
9) Internal hosts sending a lot of SMTP
Monitoring should cover e-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4. Some malware uses these ports to send information to a suspicious or attacker-controlled server.
Example of an infected client using the SMTP protocol (TCP/25)
10) Internal hosts making many external/internal DNS queries
Many organizations run internal DNS servers to cache records and provide DNS service to internal hosts, and the DHCP configuration points clients at the internal DNS server as their primary resolver. If you notice that some internal hosts query external DNS servers, such as 8.8.8.8 or 8.8.4.4 (Google DNS), you should scan those clients for malware.
Some incidents have shown an internal host sending a very large number of queries to the internal DNS server (> 1000 events/hour).
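As an added example (not from the original article), the following pass over DNS query records covers both halves of indicator 10: internal clients that bypass the internal resolver, and clients that exceed the article's 1000 queries per hour against it. The internal resolver address, the record format and the sample queries are assumptions.

```python
# Added example (not from the original article): a pass over DNS query records
# for indicator 10. The internal resolver address, the log format and the sample
# queries are assumed; the 1000 queries/hour figure is the article's.
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVERS = {"10.0.0.53"}   # assumed: the resolver handed out by DHCP
QUERY_RATE_LIMIT = 1000              # queries per client per hour (from the article)


def analyze_dns(records):
    """records: (ts, client_ip, server_ip, qname).
    Returns (clients using external resolvers, clients exceeding the hourly rate)."""
    external = defaultdict(set)   # client -> external resolvers it queried
    per_hour = Counter()          # (client, hour bucket) -> queries to the internal resolver
    for ts, client, server, _qname in records:
        if ipaddress.ip_address(client) not in INTERNAL:
            continue   # only internal clients are of interest here
        if server in INTERNAL_RESOLVERS:
            per_hour[(client, ts.replace(minute=0, second=0, microsecond=0))] += 1
        else:
            external[client].add(server)
    noisy = {client for (client, _hour), n in per_hour.items() if n > QUERY_RATE_LIMIT}
    return dict(external), noisy


# Constructed DNS query records.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_RECORDS = (
    # a normal client: a handful of lookups through the internal resolver
    [(T0 + timedelta(minutes=i), "10.1.2.3", "10.0.0.53", "intranet.example") for i in range(10)]
    # the same client also talking straight to Google DNS
    + [(T0, "10.1.2.3", "8.8.8.8", "example.net"), (T0, "10.1.2.3", "8.8.4.4", "example.net")]
    # a chatty client: 1200 lookups of changing names within 40 minutes
    + [(T0 + timedelta(seconds=2 * i), "10.1.2.9", "10.0.0.53", f"h{i}.example.org") for i in range(1200)]
    # an Internet address querying 8.8.8.8: not an internal client, ignored
    + [(T0, "203.0.113.10", "8.8.8.8", "example.com")]
)

if __name__ == "__main__":
    ext, noisy = analyze_dns(SAMPLE_RECORDS)
    for client, servers in ext.items():
        print(f"{client} queried external resolvers {sorted(servers)}: scan for malware")
    for client in sorted(noisy):
        print(f"{client} sent more than {QUERY_RATE_LIMIT} queries/hour to the internal resolver")
```

The external-resolver check is cheapest to run at the perimeter firewall (UDP/TCP 53 from the client subnets to anything but the internal resolvers), while the rate check needs the resolver's own query log; the hour-bucket counter above is the shape that check takes.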
Original source and reference: Sitticorn Sangrateapitak, CISSP