To limit damage from cyber security attacks we must quickly detect them.
In practice, three key indicators suggest an attack in progress: Bad login attempts, bad domains, and bad actor activity.
Bad Login Attempts
Many attacks begin with credential stuffing or similar attacks against Remote Desktop Protocol (RDP), Virtual Private Network (VPN), and other resources exposed to the internet.
Once a machine has been compromised, those credentials are tested against other resources within the network. To catch these types of attacks, you’ll need to constantly monitor your log files for failed login attempts.
Because these attacks rely on guessing at volume, a typical attack produces many log entries, and those entries also capture the usernames tried, the source IP addresses, and the times of the attempts.
Another type of bad login uses the correct credentials, but at the wrong time or from the wrong computer. If the VP of finance is using the VPN at 3 a.m., that should set off red flags.
VPN logs, RDP logs, and network activity logs should be reviewed for unusual times of access or unusual user logins. Equivalent logs must also be reviewed for all valued resources, such as Active Directory, Linux servers, Kubernetes instances, or cloud resources.
Attackers have learned to vary the number of attempts and the IP addresses used to avoid automated responses, such as blocked IP addresses. However, if you take the time to look, you’ll still see the evidence of the attacks and can take defensive action.
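The two bad-login patterns described above (failure bursts from rotating source addresses, and valid logins at odd hours) can be pulled out of authentication logs with a few lines of Python. This is an added example, not code from the original article or from Ideal Integrations; the log format, the sample lines and the business-hours window are constructed assumptions, and parse_line() is the part you would adapt to your VPN, RDP or AD log format.

```python
"""Failed-login bursts and off-hours logins in authentication logs (added example).

The log format below is constructed and simplified; real VPN/RDP/AD logs differ.
The detection idea is what matters: group failures by account, not by source IP,
so that rotating IP addresses does not hide the attack.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): timestamp, service, result, user, source IP.
SAMPLE_LOG = """\
2024-03-04T02:51:10 vpn FAIL user=jsmith src=203.0.113.10
2024-03-04T02:51:12 vpn FAIL user=jsmith src=203.0.113.11
2024-03-04T02:51:15 vpn FAIL user=jsmith src=203.0.113.12
2024-03-04T02:51:19 vpn FAIL user=jsmith src=198.51.100.7
2024-03-04T02:51:22 vpn FAIL user=jsmith src=198.51.100.8
2024-03-04T02:51:40 vpn FAIL user=jsmith src=192.0.2.33
2024-03-04T02:52:01 vpn OK   user=jsmith src=192.0.2.33
2024-03-04T03:02:00 vpn OK   user=afinance src=192.0.2.51
2024-03-04T09:15:00 vpn OK   user=afinance src=192.0.2.50
2024-03-04T10:00:00 rdp FAIL user=bob src=192.0.2.60
2024-03-04T10:00:05 rdp OK   user=bob src=192.0.2.60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<service>\S+)\s+(?P<result>FAIL|OK)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one line into a dict; return None for lines in an unknown format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failed_login_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Accounts with >= threshold failures inside any sliding time window.

    Keyed by account rather than source IP: an attacker who spreads attempts
    across many addresses stays under per-IP block limits but still piles
    failures onto the same username.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append(e)
    findings = {}
    for user, fails in by_user.items():
        fails.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[user] = {
                "max_failures_in_window": best,
                "distinct_sources": sorted({e["src"] for e in fails}),
                "last_failure": fails[-1]["ts"],
            }
    return findings


def successes_after_burst(events, bursts, lookahead=timedelta(minutes=30)):
    """A successful login shortly after a burst for the same account is the
    highest-priority signal: the guessed credential probably worked."""
    hits = []
    for e in events:
        burst = bursts.get(e["user"])
        if e["result"] != "OK" or burst is None:
            continue
        delta = e["ts"] - burst["last_failure"]
        if timedelta(0) <= delta <= lookahead:
            hits.append((e["user"], e["src"], e["ts"].isoformat()))
    return hits


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside a business-hours window.

    Assumption: one fixed window for everyone. In practice learn a per-account
    baseline from history, so a 3 a.m. VPN session stands out against that
    person's own normal pattern.
    """
    return [
        (e["user"], e["src"], e["ts"].isoformat())
        for e in events
        if e["result"] == "OK" and not (start_hour <= e["ts"].hour < end_hour)
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    bursts = failed_login_bursts(events)
    for user, info in bursts.items():
        print(f"burst: {user}: {info['max_failures_in_window']} failures "
              f"from {len(info['distinct_sources'])} source addresses")
    print("success after burst:", successes_after_burst(events, bursts))
    print("off-hours logins:", off_hours_logins(events))
```

Run it as-is to see the sample findings: jsmith is flagged for six failures from six different source addresses in under a minute, followed by a success from the last of them, and both jsmith and afinance are flagged for logins at 3 a.m. A per-IP threshold would have missed the burst entirely, which is exactly the evasion the text describes.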
Bad Domains
When users click on phishing emails, or attackers attempt to send data to malicious domains, they use Domain Name System (DNS) requests.
In order to capture these attempts, you’ll need to monitor your DNS server logs and firewalls. Requests for domains hosted in unusual foreign locations (Iran, Russia, etc.) can be quickly noted and blocked.
Unfortunately, local domains aren’t always safe, either. Most sophisticated hackers know to route their attacks through local access points.
To combat this, you can check for newly requested domains and the activity associated with those domains for the day, week, or month, depending upon how often the logs are reviewed. There are also DNS threat intelligence services from vendors such as DomainTools or Infoblox that can provide advance warning of potential malware domains.
However, with a distributed workforce and browsers that ship their own encrypted DNS resolution (DNS over HTTPS), you lose visibility into users’ web activity. Some attackers have even taken advantage of HTTPS to deliver malware through Google DNS; this fully encrypted delivery of malware cannot be detected by most firewalls.
To maintain visibility, your organization can implement cloud-based DNS servers, and disable browser DNS services. If remote users and cloud resources all redirect DNS queries through a single DNS source, the logs will be available for review.
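Once all DNS queries flow through one logged resolver, the "newly requested domains" review above becomes a small script: keep the set of domains already reviewed as a baseline, surface anything outside it with who asked and how often, and flag clients that look up a public DNS-over-HTTPS resolver (a sign they are about to bypass your logging). This is an added example, not code from the original article or from any of the vendors it names; the log format, baseline, client addresses and domain names are constructed, and the two-label domain collapsing is a deliberate simplification.

```python
"""Newly seen domains and resolver-bypass lookups in DNS query logs (added example).

The log format, baseline set and all names below are constructed. Adapt
parse_line() to your resolver's query-log format (BIND, Windows DNS, a cloud
resolver); the review logic stays the same.
"""
import re

# Registered domains already reviewed in an earlier period (constructed).
BASELINE = {"example.com", "example.net", "example.org"}

# Hostnames of public DNS-over-HTTPS resolvers. A client resolving one of these
# is about to send its DNS traffic somewhere you do not log.
DOH_RESOLVER_HOSTS = {"dns.google", "cloudflare-dns.com"}

# Constructed sample query log (not real data).
SAMPLE_DNS_LOG = """\
2024-03-04T08:00:01 client=10.1.1.20 query=www.example.com type=A
2024-03-04T08:00:05 client=10.1.1.20 query=update.example.net type=A
2024-03-04T08:03:10 client=10.1.1.44 query=cdn7.static-update.invalid type=A
2024-03-04T08:03:11 client=10.1.1.44 query=cdn7.static-update.invalid type=A
2024-03-04T08:03:12 client=10.1.1.44 query=cdn7.static-update.invalid type=A
2024-03-04T08:10:00 client=10.1.1.20 query=mail.example.org type=MX
2024-03-04T08:12:30 client=10.1.1.44 query=xk3p9q.randomhost.invalid type=TXT
2024-03-04T08:15:00 client=10.1.1.77 query=dns.google type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+type=(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one query-log line; None for lines in an unknown format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def registered_domain(name):
    """Collapse a hostname to its last two labels.

    Simplification: a real implementation uses the Public Suffix List so that
    names under suffixes such as co.uk collapse correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def new_domains(events, baseline=BASELINE):
    """Registered domains absent from the baseline, with first-seen time,
    query count and the clients that asked, in order of first appearance."""
    seen = {}
    for e in events:
        dom = registered_domain(e["query"])
        if dom in baseline:
            continue
        entry = seen.setdefault(dom, {"first_seen": e["ts"], "count": 0, "clients": set()})
        entry["count"] += 1
        entry["clients"].add(e["client"])
    return {d: {**v, "clients": sorted(v["clients"])} for d, v in seen.items()}


def doh_bypass_lookups(events):
    """Clients that resolved a public DoH resolver's hostname."""
    return [(e["client"], e["query"]) for e in events
            if e["query"].lower() in DOH_RESOLVER_HOSTS]


def promote_to_baseline(baseline, reviewed_domains):
    """After a reviewer clears a domain it joins the baseline, so the next
    daily/weekly/monthly run only surfaces what is genuinely new."""
    return baseline | set(reviewed_domains)


if __name__ == "__main__":
    events = parse_log(SAMPLE_DNS_LOG)
    for dom, info in new_domains(events).items():
        print(f"new: {dom} first={info['first_seen']} n={info['count']} clients={info['clients']}")
    print("DoH resolver lookups:", doh_bypass_lookups(events))
```

On the sample, three domains surface as new: one queried three times in two seconds by a single client, one odd-looking TXT lookup from the same client, and the DoH resolver hostname itself from a third client. Geolocation of the resolved addresses (the "unusual foreign locations" check) needs a GeoIP database and is left out here; the review loop of promoting cleared domains into the baseline is what keeps the daily list short.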
Bad Actor Activity
Once inside your systems, attackers leave a trace of their activities through their exploration, their tools, and/or file activities. Once again, system logs provide the early warning.
As these bad actors explore, they first probe compromised computers. Normal users won’t log into their own computers to query domain information or check admin rights for their own credentials.
More sophisticated attackers use tools such as network scanners (Angry IP, Advanced Port Scanner, etc.), security disabling software (Process Hacker, GMER, etc.), and credential stealing software (Mimikatz, etc.). While there are legitimate uses for this software, your security team should be able to spot unauthorized use in the network and local machine log files – but only if they’re looking.
The actors also know that they leave traces in the logs, and they factor that into their attack methods. Thus, you must examine log files for signs of suppression or deletion.
Even if you don’t catch signs of the attacks early, you still have a chance to detect the use of tools for backup deletion (e.g., wbadmin.exe on Windows), unusual patterns of file copying and deleting, and the use of anonymizing software, such as TOR, that may be exfiltrating your data.
Again, logs are key.
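The post-compromise traces listed in this section (account and domain reconnaissance from a user workstation, scanner and credential-theft tool executions, backup deletion, cleared audit logs, anonymizers, and hosts that suddenly go quiet) can be checked with a first-pass set of rules over process-creation and audit logs. This is an added example, not code from the original article; the log format and every sample line are constructed, the tool image names are assumptions (a starting list, matched on file name only, so a renamed binary evades them), and the `log_cleared` event stands in for whatever your platform emits when an audit log is cleared (on Windows, Security event ID 1102).

```python
"""Post-compromise indicators in endpoint process and audit logs (added example).

All log lines are constructed. Tool names are assumed file names for the tools
the article lists and are matched on image name only; back them with hash- and
behaviour-based rules in an EDR, since attackers rename binaries.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. event=process is a process-creation record; event=log_cleared
# stands in for an audit-log-cleared record (Windows Security event ID 1102).
SAMPLE_LOG = r"""
2024-03-04T08:30:00 host=WS-042 user=jdoe event=process image=C:\Windows\System32\notepad.exe cmd=notepad.exe
2024-03-04T11:02:10 host=WS-042 user=jdoe event=process image=C:\Windows\System32\whoami.exe cmd=whoami /groups
2024-03-04T11:02:20 host=WS-042 user=jdoe event=process image=C:\Windows\System32\net.exe cmd=net group "Domain Admins" /domain
2024-03-04T11:30:00 host=WS-042 user=jdoe event=process image=C:\Users\jdoe\Downloads\ipscan.exe cmd=ipscan.exe
2024-03-04T12:05:00 host=SRV-DB1 user=svc_backup event=process image=C:\Windows\System32\wbadmin.exe cmd=wbadmin delete catalog
2024-03-04T12:06:00 host=SRV-DB1 user=svc_backup event=log_cleared image=- cmd=-
2024-03-04T18:40:00 host=WS-042 user=jdoe event=process image=C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe cmd=mimikatz.exe
2024-03-04T18:41:00 host=WS-042 user=jdoe event=process image=C:\Users\jdoe\Desktop\tor.exe cmd=tor.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Image-name fragments per rule: assumed names for Angry IP Scanner / Advanced
# Port Scanner, Process Hacker / GMER, and Mimikatz. Extend for your environment.
TOOL_NAME_RULES = {
    "network_scanner": ("ipscan", "advanced_port_scanner"),
    "security_tool_tampering": ("processhacker", "gmer"),
    "credential_theft_tool": ("mimikatz",),
}


def parse_line(line):
    """Parse one line; None for unknown formats. Adds a lower-cased image file name."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["image_name"] = re.split(r"[\\/]", e["image"])[-1].lower()
    e["cmd"] = e["cmd"].lower()
    return e


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def classify(e):
    """Names of the rules that fire for one event (several may apply)."""
    if e["event"] == "log_cleared":
        return ["log_cleared"]
    if e["event"] != "process":
        return []
    name, cmd = e["image_name"], e["cmd"]
    hits = []
    # Normal users do not enumerate their own group membership or domain
    # groups from a command line on their own workstation.
    if name == "whoami.exe" or (name == "net.exe" and "/domain" in cmd):
        hits.append("account_recon")
    for rule, fragments in TOOL_NAME_RULES.items():
        if any(f in name for f in fragments):
            hits.append(rule)
    if name == "wbadmin.exe" and "delete" in cmd:
        hits.append("backup_deletion")
    if name in ("tor.exe", "tor-browser.exe"):
        hits.append("anonymizer")
    return hits


def detect(events):
    """One finding per (event, rule) pair, in log order."""
    return [{"ts": e["ts"].isoformat(), "host": e["host"], "user": e["user"], "rule": rule}
            for e in events for rule in classify(e)]


def silence_gaps(events, max_gap=timedelta(hours=4)):
    """Hosts that stop logging for longer than max_gap. A silent host is off,
    disconnected, or having its logging suppressed; compare the gap against
    that host's own history before treating it as suppression."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    gaps = []
    for host, times in sorted(by_host.items()):
        times.sort()
        for a, b in zip(times, times[1:]):
            if b - a > max_gap:
                gaps.append((host, a.isoformat(), b.isoformat()))
    return gaps


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in detect(events):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['rule']}")
    print("silence gaps:", silence_gaps(events))
```

On the sample, the workstation shows the sequence the text describes: account reconnaissance, a scanner run, a seven-hour silence, then a credential-theft tool and an anonymizer, while the database server shows a backup-catalog deletion immediately followed by a cleared audit log. The gap rule is the weakest of the set on its own (users go home), which is why the article's point about comparing against normal activity matters: alert on the combination, not on any single line.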
Bringing It All Together
Effective and efficient review of log files takes experience and expertise.
The majority of log events simply reflect normal user activity, and can tempt busy IT teams into skipping log reviews to catch up on other tasks – especially when there are so many logs.
That is why we are here.
Our specialist security investigators at Ideal Integrations & Blue Bastion understand the critical role logs play in forensic research and ongoing detection of bad actors.
We can set up robust log reporting and review alerts quickly. We also have the tools to make the process efficient and effective.
Ready to get started? Complete the form below, and we’ll help your organization stay on top of your logs! Or, you can call us at 412-349-6680.
No matter where you are in your security monitoring, we’re here to help you advance it further!