
    Indicator of Attack (IoA) and Activities


    What is an Indicator of Attack (IoA)?

    An IoA is an event, or series of events, that can reveal an active attack before any indicator of compromise is visible.

    Using IoAs lets you switch from a reactive clean-up/recovery mode to a proactive mode in which intruders are detected and stopped before they reach their objective, such as data theft, ransom, exploitation, etc.

    The IoA focuses on uncovering the intent of the attacker, regardless of the malware or exploit used in the attack. Like antivirus signatures, the IoC-based detection approach cannot detect the growing threat of zero-day intrusions and malware-free attacks. As a result, next-generation security solutions are moving towards an IoA-based approach.

    10 Indicators of Attack (IoA)

    To detect an active attack, watch for the following common activities, individually or in combination:

    1) Internal hosts communicating with bad-reputation destinations

    Internal hosts communicating with known-bad destinations or with a foreign country where you do not do business.


    Example of an HP ArcSight dashboard showing client hosts that communicate with destinations listed in the ransomwaretracker.abuse.ch feeds (IP, domain, URL).

    Ransomware Hunter is available as a free package included in SOC Prime’s HPE Protect724.


    Example of McAfee Global Threat Intelligence

    2) Internal hosts with non-standard ports

    Internal hosts communicating with external hosts over non-standard ports, or with a protocol/port mismatch: for example, shell traffic (SSH) instead of HTTP over port 80, or HTTPS traffic on a port other than 80/443, the default web ports.


    Example of an internal host using ports 21 (FTP), 445 (SMB), 137 (NETBIOS-NS) and 135 (RPC) to reach the Internet.

    3) Public/DMZ servers to internal hosts

    Public-facing servers or hosts in the DMZ that communicate with internal hosts. This can indicate pivoting, data exfiltration, or remote access to internal resources through services such as RDP (Remote Desktop Protocol), Radmin or SSH.


    Example of a report showing the top 10 traffic flows from the DMZ to the internal/client zone.

    In this report, a security analyst should investigate DMZ servers that communicate with internal hosts via RDP (TCP/3389) or SSH (TCP/22).

    4) Malware detection outside office hours

    Alerts occurring outside normal working hours (at night or on weekends) may indicate that a host has been compromised.


    Example of IPS alerts outside working hours (public holiday)

    5) Network scans by internal hosts

    Network scans by internal hosts that contact many other hosts in a short period of time can reveal an attacker moving laterally inside the network.

    These incidents are detected with perimeter network security tools such as firewalls and IPS. Select the Internal-to-Internal zone; later, also focus on Internal-to-DMZ traffic. This can be an insider threat or a compromised host gathering more information (reconnaissance) about your network.


    Example of a port scan alert, filtered to traffic from the internal zone to the internal zone

    6) Multiple alarm events from the same host

    Multiple alarm events from a single host, or duplicate events across multiple machines on the same subnet within a 24-hour period, such as repeated authentication failures. THIS IS NORMAL USE.


    Example of a dashboard that tracks connection errors for each host.

    Hint: Some failed login events from e-mail applications on mobile phones can generate more than 500 events per minute. I found this case when the account password had expired but the users hadn’t updated the password on their devices.

    7) The system is re-infected with malware

    After an infected host is cleaned, it is re-infected with malware within 5-10 minutes; repeated infections indicate the presence of a rootkit or a persistent compromise. This incident can be detected through endpoint protection or anti-virus events.


    Here is an example of the malware dashboard.

    Detection: you must create at least 3 rules in the SIEM, as follows:

    1. A rule that fires when an infected host is detected and adds it to the current list of infected hosts and to the historical list of infected hosts (retain the history for at least 1 week).
    2. A rule that fires when malware is removed from an infected host and then removes the host from the current list of infected hosts.
    3. A rule that fires when a newly detected infected host is already on the historical list of infected hosts within a certain time interval. THOSE SYSTEMS MUST BE SCANNED/INVESTIGATED FOR MALWARE!
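    The three-rule re-infection logic above, written out as an added example (not from the original article or any SIEM product): it replays a constructed stream of anti-virus events, keeps the current and historical infected-host lists, and flags a host whose previous detection falls inside the re-infection window. The 10-minute window and 7-day history retention are assumptions taken from the text.

```python
from datetime import datetime, timedelta

# Constructed sample of anti-virus events: (timestamp, host, action).
# "detected" = malware found on the host, "cleaned" = malware removed.
SAMPLE_EVENTS = [
    ("2020-05-13 09:00:00", "pc-017", "detected"),
    ("2020-05-13 09:02:00", "pc-017", "cleaned"),
    ("2020-05-13 09:09:00", "pc-017", "detected"),  # re-infected 7 minutes later
    ("2020-05-13 09:10:00", "pc-042", "detected"),
    ("2020-05-13 09:15:00", "pc-042", "cleaned"),
    ("2020-05-14 11:00:00", "pc-042", "detected"),  # detected again, but a day later
]


def detect_reinfections(events, window=timedelta(minutes=10),
                        history_ttl=timedelta(days=7)):
    """Apply the three SIEM rules from the text to an event stream.

    Rule 1: on detection, add the host to the current and historical lists.
    Rule 2: on clean-up, remove the host from the current list only.
    Rule 3: on detection, if the host is already in the history and its last
            detection is within `window`, flag it as a re-infection.
    Returns the list of (timestamp, host) pairs flagged by rule 3.
    """
    current = set()   # hosts infected right now
    history = {}      # host -> time of last detection (kept for history_ttl)
    flagged = []
    for ts, host, action in sorted(events):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Expire history entries older than the retention period.
        for stale in [h for h, seen in history.items() if now - seen > history_ttl]:
            del history[stale]
        if action == "detected":
            if host in history and now - history[host] <= window:
                flagged.append((ts, host))          # rule 3
            current.add(host)                       # rule 1
            history[host] = now
        elif action == "cleaned":
            current.discard(host)                   # rule 2
    return flagged


if __name__ == "__main__":
    for ts, host in detect_reinfections(SAMPLE_EVENTS):
        print(f"{ts} re-infection on {host}: scan/investigate for rootkit")
```

    Widening `window` to cover the second pc-042 detection shows how the interval chosen for rule 3 decides which repeats are treated as persistence.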

    8) Multiple logins from different regions

    A user account that logs in from multiple sources in different regions within minutes. This indicates that the user’s credentials have been stolen or that the user is engaged in improper activity.


    An example of a correlation rule; the ideal solution may vary depending on network conditions and security policies.

    This is an event-driven rule in the Login Normalization category: the event outcome equals success, the source geolocation covers multiple regions within a given time interval, and events are grouped by source user.
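    The correlation rule just described, as an added example that is not part of the original article: successful logins are grouped by user, and a sliding window counts the distinct countries seen for that user. The 10-minute window, the country codes and the sample logins are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized successful-login events:
# (timestamp, user, source IP, country resolved by the SIEM's geolocation).
SAMPLE_LOGINS = [
    ("2020-05-13 08:00:00", "alice", "203.0.113.10", "TH"),
    ("2020-05-13 08:07:00", "alice", "198.51.100.5", "DE"),
    ("2020-05-13 08:09:00", "alice", "192.0.2.77",   "US"),
    ("2020-05-13 08:30:00", "bob",   "203.0.113.11", "TH"),
    ("2020-05-13 09:40:00", "bob",   "198.51.100.9", "DE"),  # 70 min later
]


def multi_region_logins(events, window=timedelta(minutes=10), min_regions=2):
    """Flag users with successful logins from >= min_regions distinct
    countries inside any sliding window of length `window`.

    Returns {user: sorted list of countries involved} for each user
    that trips the rule; users who never trip it are absent.
    """
    by_user = defaultdict(list)
    for ts, user, ip, country in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_user[user].append((when, ip, country))

    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until logins[start..end] fit.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            regions = {country for _, _, country in logins[start:end + 1]}
            if len(regions) >= min_regions:
                alerts[user] = sorted(regions | set(alerts.get(user, [])))
    return alerts


if __name__ == "__main__":
    for user, regions in multi_region_logins(SAMPLE_LOGINS).items():
        print(f"{user}: successful logins from {', '.join(regions)} within 10 minutes")
```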

    9) Internal hosts using a lot of SMTP

    E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4 should be monitored. Some malware uses these ports to send information to a suspicious server or to the attacker’s server.


    Example of an infected client sending traffic over the SMTP protocol (TCP/25)

    10) Internal hosts making many external/internal DNS queries

    Many organizations run internal DNS servers to cache records and provide DNS service to internal hosts, and the DHCP configuration sets the internal DNS server as the primary DNS server. If you notice that some internal hosts query external DNS servers such as 8.8.8.8 or 8.8.4.4 (Google DNS), you should scan those clients for malware.


    Some incidents have shown an internal host sending a very large number of queries to the internal DNS server (> 1000 events/hour).

    Original source and reference: Sitticorn Sangrate apitak, CISSP

    Read also:

    1. Intrusion prevention system (IPS) and its detailed function – SOC/SIEM
    2. Intrusion Detection System (IDS) and its detailed function – SOC/SIEM
