1) Unusual Network Traffic:
As part of regular monitoring and vigilance, look out for
a) Unexpected outbound connections (IP address and port) from internal systems. This can be a primary indication of C2 (command-and-control) traffic, a RAT, or remote control by malicious actors.
b) Unexplained traffic spikes or bandwidth consumption, which could be early indicators of DDoS or cryptojacking attacks.
c) Unfamiliar IP addresses or domains in network logs. These are often part of reconnaissance. Keep a close watch on the activity.
2) Anomalous System Behavior:
Key indicators to look out for
a) Performance degradation, system crashes, or frequent errors. These are usually reported by end users or application system owners; do not ignore such reports.
b) Unauthorized changes to configurations or files. Unless a robust change management and configuration management process is in place, this is difficult to detect.
c) Unusual processes or services running on systems. A strong indication of unauthorized malicious access to the system.
3) Abnormal activities in the logs
Most organizations do not make significant efforts to enable critical logging and conduct timely review/analysis for potential breaches.
a) Increased failed login attempts, especially on critical systems, may indicate unauthorized access attempts.
b) Unusual logins from unfamiliar locations or outside normal business hours. Check for these activities in your logs or in alerts from UBA (user behaviour analytics) tools.
c) Log entries indicating privilege escalation or unauthorized access attempts. Monitoring the usage of privileged IDs (PIDs) is a critical task, and every use of these privileged accounts must be reviewed.
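As an added illustration of indicators a) and b) above (example code written for this post, not from any product or vendor), the script below scans constructed sshd-style auth log lines and flags three things: a burst of failed logins from one source, successful logins outside business hours, and the highest-priority case, a successful login from a source that had just been failing repeatedly. The threshold of 5 failures and the 08:00-17:59 business-hours window are assumptions; tune them to your environment.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sshd-style auth log lines (sample data, not from a real system).
SAMPLE_LOG = """\
Mar 14 02:11:05 db01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:07 db01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:09 db01 sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 14 02:11:12 db01 sshd[2235]: Failed password for root from 203.0.113.7 port 51034 ssh2
Mar 14 02:11:15 db01 sshd[2237]: Failed password for root from 203.0.113.7 port 51040 ssh2
Mar 14 02:12:40 db01 sshd[2240]: Accepted password for root from 203.0.113.7 port 51050 ssh2
Mar 14 09:30:02 app02 sshd[7711]: Accepted publickey for deploy from 10.0.0.15 port 40100 ssh2
Mar 14 14:05:44 app02 sshd[7720]: Failed password for deploy from 10.0.0.22 port 40211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

FAILED_THRESHOLD = 5           # assumed: failures from one source before we alert
BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 local time

def analyse(log_text, year=2024):
    """Return (brute_force, off_hours, success_after_failures) findings."""
    failures = Counter()              # (host, source IP) -> failed attempts
    off_hours, success_after_failures = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not an auth line this parser understands
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["src"])
        if m["result"] == "Failed":
            failures[key] += 1
            continue
        # Accepted login: check it against the two indicators from the section above.
        event = (m["host"], m["user"], m["src"], ts.isoformat())
        if ts.hour not in BUSINESS_HOURS:
            off_hours.append(event)
        if failures[key] >= FAILED_THRESHOLD:
            success_after_failures.append(event)   # highest-priority finding
    brute_force = {k: n for k, n in failures.items() if n >= FAILED_THRESHOLD}
    return brute_force, off_hours, success_after_failures

if __name__ == "__main__":
    names = ("brute force", "off-hours login", "success after failures")
    for name, finding in zip(names, analyse(SAMPLE_LOG)):
        print(name, finding)
```

On the sample data the root login at 02:12 from 203.0.113.7 is reported under all three findings, while the daytime deploy login is not flagged at all.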
4) Unexpected Data transfers
Data exfiltration attempts must be monitored in real time.
a) Unexplained large data transfers - check the source and destination and identify whether it is a legitimate activity.
b) Unusual file modifications or deletions are again a sign of malicious activity. File integrity controls help track such changes.
5) Alerts from SOC / monitoring tools
What to look for?
a) Don't ignore notifications from IDS/IPS systems, as they can detect fraudulent activity early.
b) Anti-malware / EDR detecting suspicious or malicious files. This could be a sign of a malware attack.
c) Firewall / VPN notifications indicating unauthorized access attempts.
6) Social engineering
Don't ignore social engineering incident reports. They might turn out to be false alerts, but early detection can save you from a major data breach.
a) Increased reports of phishing emails, social engineering attempts such as fake LinkedIn requests.
b) Employees falling victim to social engineering attacks.
c) Incidents such as data leakage resulting from unauthorized access to printouts or poor data disposal hygiene.
7) Open vulnerabilities in applications & infrastructure
Systems that aren't patched or have reached end of life are prime targets for criminals.
a) Unpatched or outdated software with known vulnerabilities. Check whether known vulnerabilities such as Log4j are remediated.
b) Exploited vulnerabilities from penetration test reports, if not remediated, could lead to data breaches.
8) External Threat intelligence & staff incident reports
Don't ignore incidents reported by external partners or your staff.
a) Notifications from third-party security vendors or threat intelligence feeds.
b) Reports from employees, customers, or partners regarding suspicious activities. Some of these may be false alerts, but they could be an indicator of a data breach.
9) Web 3.0 / Blockchain-based systems
Web3 / blockchain-based systems have unique characteristics, so watch for
a) Unauthorized Transactions and smart contract behaviour:
- Sudden or unexpected movement of funds or assets within the blockchain network.
- Unexpected changes to the code or logic of smart contracts without proper notification or approval.
b) Smart contract functions executing differently than expected or producing unexpected results.
c) Multiple failed login attempts or unauthorized access attempts to wallets.
d) Evidence of attempted or successful attacks targeting the blockchain or Web3 system, such as DDoS attacks, 51% attacks, or known vulnerabilities being exploited.