15 Indicators of Compromise on your network.
Most people don’t like compromise, and they like it even less when it jeopardizes their network. Below we highlight the ways you can see a compromise coming and perhaps even stop it before it becomes an incident.
- Unusual Outbound Network Traffic
You may not be able to keep people out of your network, but you can stop them from taking valuable data when they leave if you monitor your outbound traffic.
- Privileged User Account Anomalies
Are you alerted when a user does something they don’t normally do? It may not be against the rules, but if it’s out of the ordinary, it is worth investigating.
- Geographic Irregularities
Is there traffic coming from areas where you don’t do business? Is there a spike in traffic or use from a specific geography that cannot be explained?
- Log-In Red Flags
Has there been a spike in log-in failures? Are you seeing more successful log-ins than normal? This could be an indicator of network compromise.
- Swells in Database Read Volume
Data extraction produces large amounts of database read volume, which makes read volume a key indicator. For example, when an attacker attempts to extract a full credit card database, the queries will generate an enormous amount of read traffic, far higher than you would normally expect.
- HTML Response Sizes
If you are seeing larger than normal HTML response sizes, this may be a sign of an extraction already in progress.
- Large number of Requests for the Same File
If you’re receiving this type of request, it could signal trial-and-error attempts to reach valuable data.
- Mismatched Port/Application Traffic
Traffic whose protocol does not match the port it uses is suspicious: masked DNS requests, for example, could use either well-known or obscure ports in an attempt to get around web-filtering techniques.
- Suspicious Registry or System File Changes
If you have a baseline, you will be alerted to any deviations or changes. It is good practice to define a clean template of your systems and create alerts on deviations or changes from that baseline.
- DNS Request Anomalies
Where are the queries going and where are they being made from? What patterns are emerging and do they make sense in the context of your business?
- Unexpected Patching of Systems
Patches should not happen on their own. If the IT admin is not pushing it, who is?
- Mobile Device Profile Change
These changes and adjustments could signal the creation of backdoors that weaken security. Poisoning of mobile configuration can lead to data and credentials being routed through fake applications. It is important to monitor and correlate MDM logs in order to spot unusual mobile traffic patterns.
- Bundles of Data in the Wrong Places
Is sensitive data suddenly sitting in a public space on your network? If so, something has gone wrong and needs to be investigated.
- Web Traffic with Un-Human Behavior
Are things happening that humans would not initiate? Are you suddenly seeing 20 browser windows opened to different sites on a single machine? Why and how would someone do that quickly?
- Signs of DDoS Activity
While you are surely monitoring for DDoS, those attacks may not be the real problem: DDoS attacks are frequently used as a smokescreen for other attacks.
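Two of the indicators above, log-in failure spikes and repeated requests for the same file, can be checked with a few lines of log analysis. The script below is an added example, not part of the original article or any E-SPIN product; the log lines, the sshd-style message format and the thresholds are constructed for illustration and would need to be adapted to your own log formats.

```python
import re
from collections import Counter

# Constructed sample logs (not from a real system); one event per line.
AUTH_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:02 sshd: Failed password for alice from 203.0.113.5
2024-05-01T10:00:03 sshd: Failed password for bob from 203.0.113.5
2024-05-01T10:00:04 sshd: Failed password for carol from 203.0.113.5
2024-05-01T10:00:05 sshd: Accepted password for alice from 198.51.100.7
2024-05-01T10:30:00 sshd: Failed password for dave from 192.0.2.9
"""
WEB_LOG = """\
198.51.100.7 GET /index.html 200
203.0.113.5 GET /backup/customers.csv 403
203.0.113.5 GET /backup/customers.csv 403
203.0.113.5 GET /backup/customers.csv 403
203.0.113.5 GET /backup/customers.csv 403
198.51.100.7 GET /about.html 200
"""

# Group 1 is the timestamp truncated to the minute, group 2 the source address.
AUTH_RE = re.compile(r"^(\S+T\d\d:\d\d):\d\d sshd: Failed password for \S+ from (\S+)$")
# Group 1 is the client address, group 2 the requested path (status code ignored).
WEB_RE = re.compile(r"^(\S+) \S+ (\S+) \d{3}$")


def flagged(log, pattern, threshold):
    """Count matching events per (group1, group2) key; keep keys at or above threshold."""
    counts = Counter(m.groups() for m in map(pattern.match, log.splitlines()) if m)
    return {key: n for key, n in counts.items() if n >= threshold}


def failed_login_spikes(log, threshold=3):
    """{(minute, source_ip): failures} where one source failed `threshold`+ times in a minute."""
    return flagged(log, AUTH_RE, threshold)


def repeated_file_requests(log, threshold=3):
    """{(client_ip, path): hits} where one client requested the same path `threshold`+ times."""
    return flagged(log, WEB_RE, threshold)


if __name__ == "__main__":
    print("login spikes:", failed_login_spikes(AUTH_LOG))
    print("repeated requests:", repeated_file_requests(WEB_LOG))
```

Both checks flag the same constructed source, which is the kind of correlation worth acting on: a burst of failed logins followed by repeated attempts to fetch one sensitive file.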
Feel free to contact E-SPIN for solutions for your systems and operations that reduce risk to your business and organization. We can secure and protect your business with our various software security technologies, including indicators-of-compromise technologies and solutions.