Enterprise security: the protective power of patterns

OK, so with all that in mind, what are the most important indicators of compromise?

Quite possibly the most obvious, for most security operators at least, are going to be the simplest: discrete, explicit pieces of information such as IP addresses and domains.

"These are easy to gather and understand for those who aren't necessarily dedicated intrusion analysts or investigators," explains Nick Mazitelli, Senior Consultant at Context Information Security. He goes on: "The event flow from them should be fairly straightforward to process." No pun intended, but context is everything, and there is a risk of false positives, along with the bane of 'incident fatigue', that such alerts can cause.

"These simple and discrete indicators probably have the shortest useful life due to the ease with which an attacker can churn them, so the intelligence front is likely to move much more quickly," Mazitelli points out.

But IPs and domains are just the tip of the iceberg, with heaps of other indicators hidden below the waterline. So where should you start in really getting to grips with the serious patterns of prediction?

Jonathan Martin, Director of Enterprise Security Products (EMEA) with HP, thinks there are really three key things that all CISOs/CIOs should be on the lookout for. "Unusual network traffic is usually a sign that something is awry," Martin says.

The adversary will not only attempt to penetrate the infrastructure but, once inside, will try to extract valuable data that can be monetised. That is why unorthodox outbound traffic tends to be easier to identify and analyse than incoming traffic, and there are a number of tools and solutions that can do this and help isolate the breach. Then there are the "anomalies with privileged user behaviour", whereby a common route to valuable data is for the adversary "to mimic, or to attempt to compromise privileged user accounts by using phishing techniques," Martin continues. With the right degree of research, it is fairly easy to take over a privileged account and gain access to the system.

"Time of activity, systems accessed, type or volume of information accessed, all will provide early indication of a breach," according to Martin. Geographical irregularities in log-ins and access patterns, as well as multiple logins from different IP addresses, can provide good evidence that an adversary is at work.
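To make Martin's privileged-account indicators concrete, here is an added example (not from the article or from any vendor quoted in it) that runs three simple rules over a handful of constructed authentication events: activity outside business hours, more than one source IP for the same privileged account within an hour, and a change of login country within an hour. The log format, the `admin.` prefix used to recognise privileged accounts, and the 08:00 to 18:59 UTC business window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events for this example. The line format
# ("timestamp user source_ip country result") is hypothetical, chosen for
# readability rather than taken from any real product's log schema.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z admin.jsmith 203.0.113.10 GB SUCCESS
2024-03-04T09:15:42Z admin.jsmith 203.0.113.10 GB SUCCESS
2024-03-04T09:20:05Z admin.jsmith 198.51.100.77 BR SUCCESS
2024-03-04T03:12:30Z admin.jsmith 192.0.2.200 GB SUCCESS
2024-03-04T10:00:00Z alice 203.0.113.55 GB SUCCESS
2024-03-04T10:05:00Z alice 203.0.113.55 GB SUCCESS
2024-03-04T11:00:00Z admin.jsmith 203.0.113.10 GB FAILURE
"""

# Assumed policy: accounts with this prefix are privileged, and their
# interactive logins are expected between 08:00 and 18:59 UTC.
PRIVILEGED_PREFIX = "admin."
BUSINESS_HOURS = range(8, 19)
WINDOW = timedelta(hours=1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<country>[A-Z]{2})\s+(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts. Malformed lines are skipped rather than
    crashing the detector, because a real feed always contains a few."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect_anomalies(events):
    """Apply three privileged-account indicators: out-of-hours activity,
    multiple source IPs within WINDOW, and a change of login country within
    WINDOW. Only successful logins are considered here; failures belong to a
    separate brute-force rule. Returns sorted (user, rule, detail) tuples."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["user"].startswith(PRIVILEGED_PREFIX) and ev["result"] == "SUCCESS":
            by_user[ev["user"]].append(ev)

    findings = set()  # a set, because the same pair is reached from several windows
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            if a["ts"].hour not in BUSINESS_HOURS:
                findings.add((user, "out_of_hours", a["ts"].isoformat()))
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > WINDOW:
                    break  # events are sorted, so nothing later is inside the window
                if a["ip"] != b["ip"]:
                    findings.add((user, "multi_ip", f"{a['ip']} -> {b['ip']}"))
                if a["country"] != b["country"]:
                    findings.add((user, "geo_change", f"{a['country']} -> {b['country']}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, rule, detail in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{user:14} {rule:13} {detail}")
```

On the constructed input the detector raises three findings, all against `admin.jsmith`: a 03:12 UTC login, two source IPs eighteen minutes apart, and a GB-to-BR country change in the same window. The ordinary user `alice` and the failed login produce nothing, which is the point of scoping the rules to privileged accounts first: it keeps the alert volume, and the incident fatigue mentioned earlier, manageable.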

Then, finally, in this group of key indicators we have those incidents where attackers have attempted to make registry changes so as to establish backdoor access.

"Monitoring system files and configurations along with registry changes are a good way to identify possible incidents," Martin concludes.
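The file and configuration monitoring Martin describes comes down to keeping a known-good baseline and diffing against it. The following is an added example, not the article's or HP's code: it snapshots a small constructed configuration tree with SHA-256 hashes, simulates one setting being flipped and one unexpected startup entry appearing, and reports what changed. The directory layout and file contents are constructed for the example; on Windows the same comparison would be run over exported registry keys rather than files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baselines(before, after):
    """Classify differences between two snapshots. A modified configuration
    file or a new file in a monitored location is the indicator worth alerting on."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo():
    """Constructed scenario: snapshot a tiny config tree, change one setting
    and add one unexpected startup entry, then diff the two snapshots."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = build_baseline(root)

        # Simulated unauthorised changes (constructed for the example).
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "rc.local.d").mkdir()
        (root / "etc" / "rc.local.d" / "new-service").write_text("# unexpected startup entry\n")
        after = build_baseline(root)

        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The baseline itself must be stored somewhere the monitored host cannot rewrite (a central server or a signed file), otherwise an intruder who changes a configuration can simply re-baseline it; that storage decision matters more than the hashing code.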

Geoff Webb, Director of Solution Strategy at SIEM specialist NetIQ, throws in a fourth indicator: unexpected patching of systems. "While this might seem like a good thing," he explains, "this can indicate that an attacker has established a footing within your network and is busy closing vulnerabilities to keep out the competition."

Identifying risk through the security noise

The sad reality of the world we live in is that, for the most part at least, the bad guys have a pretty decent head start and are not backwards in exploiting whatever opportunities arise as a result. The role of enterprise security teams therefore has to be that of minimising the window of opportunity.

"Where smoke signals form, dump water by the gallon before the smoke turns into a full blown fire," says Meint Dijkstra, director of technical services at COMPUTERLINKS. In other words, to understand the risks to the organisation, visibility of how an attack is actually unfolding is key to tackling it effectively and in a timely fashion.

Let's face it, most enterprises these days have data logs containing all the evidence needed for an expert eye to prove the how, when, what and where of any attack. "The problem most organisations have," suggests Paul Pratley, Investigations Manager for the Verizon RISK Team (EMEA), "is identifying what indicators matter to them and represent organisational risk out of all the security noise."

There is a real need to carry out threat modelling and to adapt the deployment of security solutions to the places that really matter. "Ask these important questions," Pratley concludes. "What are my organisation's highest-risk assets, and how am I going to know when those assets are being targeted? What will that attack look like?"

Finding the right answers will lead you to a place of understanding where patterns, prediction and protection merge...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.