7 Places to Check for Signs of a Targeted Attack in Your Network
Targeted attacks are designed to circumvent existing policies and solutions within the target network, thus making their detection a big challenge. As we’ve stressed in our previous entry about common misconceptions about targeted attacks, there is no one-size-fits-all solution against it; enterprises need to arm themselves with protection that can provide sensors where needed, as well as IT personnel equipped enough to recognize anomalies within the network and to act accordingly.
In order to detect anomalies, however, IT administrators will need to know first what to look out for. Since attacks are commonly designed to leave little to no tracks at all, it is important to know where possible indicators of a compromise can be found. In this post, we will list what parts of the network IT administrators need to closely monitor for any signs of a breach.
Check for Injected DNS Records
Attackers often tamper with DNS records in order to make sure that connections to their C&Cs are not blocked. IT admins can check for the following signs for records that might have been injected by attackers:
- Unknown domains “parked” into IPs like 127.0.0.1, 127.0.0.2, 255.255.255.254, 255.255.255.255, 0.0.0.0, and 18.104.22.168. These IPs are typically used by attackers as placeholders for C&Cs that are not yet being used
- Unknown domains that were registered very recently, say 3 days ago (can be determined by using whois)
- Domains that appear to consist of random characters (examples: aeeqvsfmtstjztqwlrqknoffmozu.com, or zxcmpfwqwgqnbldzhdqsrqt.com)
- Domains that appear to imitate known entities (examples: microsoft-dot .com or goooogle.com)
Audit Accounts for Failed/Irregular Logins
Once an attacker is able to establish its presence in a network and its communication with the C&C, the next step is often to move laterally within the network. . Attackers can seek out the Active Directory, mail or file server and access them via an exploit using a server vulnerability. However, since admins will have patched and secured important servers against vulnerabilities, attackers can try to brute force administrator accounts. For IT admins, the login record is the best reference for any attempts to do this. Checking for failed login attempts, as well as successful ones made at irregular time periods can reveal attackers’ attempts to move within the network.
Study Warnings from Security Solutions
Sometimes, security solutions will flag seemingly non-malicious tools as suspect and users will ignore the warnings since the file may either be familiar to the user or not harmful. However, time and again, we encounter situations where the warning meant that there is an attacker in the network. Attackers may either be using ill-designed hacker tools or sometimes legitimate administrative tools like PsExec or others from the Sysinternals Suite to perform diagnostics on the system or network. Some security solutions will flag these non-malicious tools if these are not preinstalled in the user computer. The IT admin must ask why the user is using this tool and if there is no good reason, the IT admin may have stumbled upon the attacker’s lateral movement.
Check for Strange Large Files
Unknown large files found in a system need to be checked as it may contain data stolen from within the network. Attackers often store these files in their targets’ systems prior to exfiltration, often hiding them through “normal-looking” file names and file types. IT administrators may be able to check for these through file management software.
Audit Network Log for Abnormal Connections
Consistently auditing the network monitoring logs is critical as it can help identify anomalies in the connections within the network. For this, it would require the IT administrators to be fully knowledgeable of the network and the activities that happen within it at any given time. It is only through having awareness of the network’s “normal” can possible anomalies be identified. For example, network activity found happening within what should be idle hours can be a sign of an attack.
In relation to abnormal connections, IT administrators also need to check for the protocols used in these connections, especially for those coming from inside the network. Attackers often choose the protocol they use based on what is allowed in the network, so it is important to inspect the connections even when they are using normal protocols.
For instance, we have seen attackers use https (port 443) protocol to connect to the outside, but when we inspected the content, it only contains http data. IT admins will not bother to inspect https connections because they always assume they are encrypted.
Increased Email Activity
IT administrators can check the mail logs to see if there are strange spikes for individual users. Abnormal peaks in email activity should be investigated as that user might be in the midst of a targeted spear-phishing attack. Sometimes, if the attacker does research, the attacker may know that an employee will be going to an important meeting and will send spear phishing emails as early as 3 months before the meeting. This is another clue.
Reading through this list now, I am pretty sure IT administrators are thinking that they have a tough job ahead of them. I won’t disagree; guarding a network against targeted attacks is a tall order. In the past we talked about ways how organizations can ensure that their IT personnel are empowered enough to do this, and I fully recommend the said steps. The cost of preparing for an attack can easily be overshadowed by the cost of mitigating one, so it is critical that IT administrators — the company’s first line of defense — are fully-equipped.