How do I detect compromise?
Cyber attacks are increasingly pervasive among small and medium-sized organizations. How does a person recognize they have become a victim? A vital part of this intelligence lies in understanding the signs of a compromise – indicators that a company may have fallen prey to cyber criminals. In this article, we will explore the fundamentals of such signals within cyber threat intelligence, focusing primarily on detection from outside an organization’s network using threat feeds.
Threat feeds are dynamic repositories which grow and change as new threats arise. They are useful for distributing information pertaining to the networks exhibiting indicators of compromise. These feeds can be collaborative and promote collective defense against cyber threats, in which participating organizations contribute to the shared pool of intelligence and benefit from its depth. Threat feeds can include lists of known malicious IP addresses associated with cyber threats. Threat feed monitoring is a method for organizations to determine if a cyber attack has hit them.
Understanding Signs of Compromise
Signs of compromise indicate when protective measures may have failed, and an intruder has gained access to systems, networks or confidential data. These signs may appear in various ways, such as atypical network behavior, break-in attempts, and the discovery of harmful software (malware). Compromise indicators such as these can be detected from outside an organization’s network, which will be explained in more depth below. Irrespective of the behavior or method of discovery, organizations must swiftly recognize and interpret compromise signs to effectively identify and neutralize potential threats. The following examples illustrate activities that may be detected as a sign of compromise.
- Port & Vulnerability Scanning – Bad actors may leverage an organization’s network to scan other networks for accessible ports and services as a means to find possible weak points. In the same context as port scanning, a malicious outsider may run automated scans to detect vulnerabilities on other networks in order to plan an attack.
- Malicious File Hosting – A platform may be serving harmful malware or unauthorized files. This can include websites that attempt to install malware without visitor knowledge.
- Command & Control (C2) Communication – One or more servers may act as a command and control center, facilitating interaction between malicious software and its operators.
- Hosting Phishing Content – Scam websites may be hosted by a server to deceive users and trick them into revealing sensitive information. Websites that participate in redirects to malicious domains may also be included. A website owner may not realize that either of these malicious actions is taking place on their application or server.
- Brute Force Attacks – Devices may generate repeated attempts to gain access into systems or services using techniques such as brute force and credential stuffing.
- Involvement in Botnets – Hosts may become infected as a member of a botnet, which is a network of compromised devices all under remote control by a malicious actor for nefarious intentions. In some instances, third parties can pay for the use of an existing botnet to carry out nefarious activities such as those listed above.
It’s crucial to acknowledge that these are only a few examples of the types of behaviors that could land an IP address on a threat feed. The actual method of external detection of these behaviors varies, and can involve a combination of automation, human analysis, and collaboration between various entities. Below are some examples of the methods involved in detection.
- Sinkholes and Honeypots – Cybersecurity experts and institutions may utilize internet-based traps like honeypots and sinkholes. Honeypots act as decoy systems intended to lure attackers, whereas sinkholes function to redirect harmful online traffic away from its original destination. These tools enable researchers to study and comprehend the strategies, methods, and protocols employed by attackers in great detail.
- Comprehensive Online Surveillance – Security firms and researchers execute expansive, automated surveys of IP address ranges. This process may incorporate tools or initiatives that actively investigate IP addresses for open ports, vulnerabilities, or indications of malicious activities.
- Monitoring the Dark Web – Cybersecurity specialists and threat intelligence experts survey underground online forums, marketplaces, as well as other sectors of the dark web to amass data on rising threats, cyber intrusion techniques, and breached systems. This acquired information may encompass directories of infiltrated IP addresses.
- Collaboration & Knowledge Exchange – Data related to malicious IP addresses is commonly exchanged between entities specializing in cybersecurity, groups focusing on threat intelligence, and regulatory authorities. This process of information exchange aids in establishing a unified safeguard against digital threats.
- Observing Botnet Operations – Botnet activities may be monitored and examined by researchers. The moment a botnet is detected or disassembled, data regarding its structure, such as IP addresses, may be shared with the cybersecurity community.
- Traffic Irregularity – Large corporations and internet service providers (ISPs) with extensive network infrastructures deploy systems for identifying irregularities in web traffic. Unforeseen surges, characteristics suggestive of Distributed Denial of Service (DDoS) attacks, or other atypical activities could facilitate the recognition of harmful IP addresses.
- Automated Threat Detection – Purpose-built systems continuously collect and consolidate data from multiple sources. These systems utilize established rules, machine learning models, and heuristics to pinpoint compromised IP addresses.
Leveraging Threat Feeds
Although integrating threat feeds is key to robust cybersecurity, businesses may need help with how best to employ them. One common problem is the sheer volume of data generated by threat feeds. Another obstacle is that there are so many different sources of threat intelligence. Threat feeds are represented in different formats and structures. The integration and normalization of this disparate data necessitates using appropriate methods to achieve a unified, standardized approach.
Online intelligence services such as ThreatHarvest enable organizations to continuously monitor these feeds to check if any of their organization’s IP addresses appear on these lists. If the IP address of an organization is mentioned in a threat feed, then it has likely been targeted or compromised. Such understanding allows organizations to move quickly with countermeasures once they learn of a potential compromise.
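The normalization and self-monitoring described above, as an added example that is not code from the article or from ThreatHarvest: three constructed feed shapes (plain list, CSV, JSON) are parsed into a single map of IP networks, and an organization's own addresses and ranges are checked against it. All feed contents, column names and asset addresses are constructed from documentation ranges.

```python
import csv, io, ipaddress, json

# Constructed sample feeds (documentation ranges, not real indicators), one per common shape.
FEED_PLAIN = "# one IP or CIDR per line\n203.0.113.7\n198.51.100.0/24\nnot-an-ip\n"
FEED_CSV = "ip,category,last_seen\n203.0.113.7,c2,2024-01-02\n192.0.2.99,brute_force,2024-01-03\n"
FEED_JSON = json.dumps({"indicators": [
    {"indicator": "192.0.2.99", "tags": ["scanner"]},
    {"indicator": "2001:db8::1", "tags": ["phishing"]}]})

def parse_plain(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            yield line, "unknown"

def parse_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["ip"], row.get("category") or "unknown"

def parse_json(text):
    for item in json.loads(text)["indicators"]:
        yield item["indicator"], ",".join(item.get("tags", [])) or "unknown"

def normalize(entries, source, into):
    """Add (raw, category) pairs to into[ip_network] = {(source, category)}, skipping junk."""
    for raw, cat in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)  # a bare IP becomes a /32 or /128
        except ValueError:
            continue  # malformed feed line: skip it rather than abort the whole run
        into.setdefault(net, set()).add((source, cat))
    return into

def check_assets(assets, merged):
    """Return asset -> {(source, category)} for every feed entry overlapping that asset."""
    hits = {}
    for asset in assets:
        anet = ipaddress.ip_network(asset, strict=False)
        for net, meta in merged.items():
            # compare only within one IP version; overlap in either direction is a hit
            if net.version == anet.version and (net.subnet_of(anet) or anet.subnet_of(net)):
                hits.setdefault(asset, set()).update(meta)
    return hits

def run_demo(assets=("203.0.113.0/24", "192.0.2.99", "10.0.0.1")):
    merged = {}
    normalize(parse_plain(FEED_PLAIN), "plain", merged)
    normalize(parse_csv(FEED_CSV), "csv", merged)
    normalize(parse_json(FEED_JSON), "json", merged)
    return check_assets(assets, merged)
```

Each hit carries which feed and category flagged the address, which is what an analyst needs to decide whether a listing reflects a genuine compromise or a shared, stale or misattributed indicator.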