Indicators of Compromise

The Indicators of Compromise policy requires investigators to diligently gather computer-based IOCs whenever they detect suspicious incidents or activity during regular scans. Following this policy enhances our capability to promptly identify and respond to security breaches, ultimately improving the overall security stance of our organization. [FII-SCF-026-THR-02]

LIST OF Indicators of Compromise

• Unusual outbound network traffic: - investigate patterns of unusual traffic leaving your network perimeter. Modern attack methods make it difficult to keep attackers out of a network, but outbound patterns are much more easily detectable. Victims may be able to see visible command and control (C&C) traffic from compromised servers, enabling them to respond before losing data or experiencing damage.
• Anomalies in privileged user account activity: - Attackers often attempt to escalate privileges of a user account they have hacked. Monitoring privileged accounts for unusual activity not only provides insights into possible insider attacks but also helps identify accounts that have been compromised by unauthorized sources. Vigilantly observing the systems accessed, types and volumes of data accessed, and the timing of activities can provide early warning signs of a potential breach.
• Geographical irregularities: - Login pattern irregularities can provide reasonable evidence of compromise. Connections to locations where your organization does not typically conduct business may indicate the theft of sensitive data. If accounts are observed logging in from multiple IPs within a short timeframe, along with location tagging, there may be enough evidence to warrant a deeper investigation into that activity.
• Other login red flags: - Excessive failed logins or attempts on non-existent accounts indicate that an attacker is attempting to guess credentials. Pay specific attention to login attempts with usernames of employees who would not typically be working after hours. This could indicate the presence of a perpetrator rather than the actual employee, serving as a red flag for investigation.
• Surges in database read volume: - If an attacker successfully breaches your database storage, they will generate a significantly higher read volume for those tables, particularly the credit card tables, when exfiltrating the data.
• Large HTML response sizes: - When an attacker employs a SQL injection attack against your database, they will generate a larger than normal volume of HTML responses. For instance, if a query typically results in a response of around 200 KB but the attacker triggers a 20 MB response, it indicates a successful execution of a SQL injection attack, potentially resulting in the dumping of the entire credit card or user account table.
• Large numbers of requests for the same file: - When an attacker identifies a valuable target on your network, such as a vulnerable PHP-based web application, they will attempt multiple attack strings targeting a specific file. If you notice a single source generating a high volume of requests to a particular file like “anyfilename.php,” you should be immediately suspicious.
• Mismatched port-application traffic: - Communications on non-standard ports may indicate foul play, such as command and control traffic disguising itself as “normal” application behavior.
• Suspicious registry changes: - Malware frequently maintains persistence across system reboots by modifying the registry to initiate a startup process or store operational data. It is important to always create a clean baseline registry snapshot and actively monitor for any changes to this “template” that could potentially indicate a registry-based Indicator of Compromise (IOC).
• DNS request anomalies: - A significant increase in DNS (Domain Name Service) requests from a particular host can suggest potential malicious activity. Monitor patterns of DNS requests to external hosts and compare them with geographic region and host reputation data. Utilizing filtering solutions integrated with threat intelligence tools can aid in the detection and mitigation of malware by identifying its communication with command and control (C&C) infrastructure.
• Unexpected patching of systems: - Patching systems is a common occurrence on a network, but patching critical systems outside of the regular cycle may indicate malicious activity. When attackers compromise a system, they aim to prevent access by other groups, so they patch and fortify it to impede other attackers’ entry.
• Bundles of data in the wrong places: - In many cases, attackers store significant amounts of compromised data before exfiltrating it. They attempt to conceal it in unconventional locations, such as the root directory of the recycle bin on a Windows-based server or directories on Linux machines containing temporary files or cached data.
• Web traffic with superhuman behavior: - Infected machines compromised by click-fraud campaigns can generate significantly higher volumes of web traffic at a much faster rate than users browsing the web manually. In corporate networks where users are mandated to use a specific browser, monitoring user agent strings that do not align with the internal mandate can aid in identifying malicious web traffic.

Searching for Indicators of Compromise

Step 1: Document attack tools and methods

• Profile your network traffic patterns to gain an understanding of what is considered normal. Focus on main protocols, particularly those commonly used by attackers, such as DNS and HTTPs.
• Collect and analyze log file entries. Utilize tools like log management and Security Information Event Management (SIEM) systems to automate this process and visualize data patterns, facilitating the detection of suspicious activity.
• Utilize metadata to hunt for Indicators of Compromise (IOCs).
• Subscribe to IOC data feeds from organizations that analyze malicious tools to maintain an up-to-date repository.

Step 2: Utilize harvested intelligence to search for attacker activity

• Configure your security defense tools to identify attacker activity using the data gathered in step 1, including IOCs and deviations from normal behavior. These configurations may involve blocking or alerting on:
• Activity originating from suspect IP address ranges or regions known for hosting attacks (IP reputation).
• Attempts to exploit vulnerabilities, with intrusion prevention systems (IPS) and endpoint security systems issuing alerts on patterns indicating exploit activity, including specific vulnerabilities and known exploits.
• Hashes of known tools in the attacker’s arsenal, as attackers commonly upload their toolkit once they have established a foothold in the victim’s environment.
• Newly created local usernames.
• Usernames that have been probed on other systems.

Step 3: Investigate security incidents and assess the extent of compromise

• Begin with obvious information: system IP, DNS, user, timestamp. Determine the number of affected systems or applications, the number of access attempts, and the level of penetration achieved by the attacker.
• Establish a timeline to identify any additional events. Analyze files with timestamps (logs, files, registry), examine email communications and messages, review system logon and logoff events, investigate access to specific Internet documents or sites, and analyze communication with known individuals in chat rooms or other collaborative tools.
• Look for evidence of document destruction.
• Search for incident-specific IOCs, such as patterns within working directories or the use of specific hosts and accounts.

Step 4: Remediate

• Identify:
  • Compromised hosts and user accounts.
  • Active (beaconing) and passive (listening) exfiltration points.
  • Other access points, including web servers, virtual private networks (VPNs), and terminal services.
• Take the following actions:
  • Reset passwords.
  • Remove exfiltration points.
  • Patch vulnerable systems exploited for access.
  • Activate the incident response team.
  • Continuously search for IOCs to ensure successful remediation.
  • Set trigger points to raise an alarm if the attacker returns