When it comes to Incident Response, the two biggest questions are:
- If someone was in your network, would you know?
- If someone was sending your data out the back door of your network, could you tell?
To answer these questions, you must first understand your networking environment, and what “normal” on that environment looks like given a typical second/minute/hour/day/week/month. How do you start to figure out what “normal” looks like on your network? Here’s a start.
Key Risk Indicators
Before we get into Indicators of Compromise (IoCs), it’s important to understand, monitor, and receive alerts for Key Risk Indicators (KRIs). A Key Risk Indicator is a logging metric used to establish the upper and lower bounds of “normal” on our network or client-server infrastructure. To measure a Key Risk Indicator, we must first know what ”normal” looks like in our environments before we can understand “abnormal.” You can do this by studying your network environment in the following places, so you can develop baselines. The following chart is not an exhaustive list of Key Risk Indicators on which to alert, but rather the minimum of what we would recommend while developing KRI baselines.
- Total Network Logs per Second
- Patch Management % / Known Vulnerabilities
- Denied FTP Requests
- Denied Telnet Requests
- Failed Remote Logins
- VPN Connections / Failed VPN Connections
- Blacklisted IP Blocked
- Branch Connectivity Lost
- New Admin Credentials created
- Threshold for successive account lockouts
- VLAN ACL violations
- Changes to Group Policy
- Increase in network bandwidth
- Increase in outbound email traffic
- DNS Request anomalies
When any of these metrics stray from what you have determined to be ‘normal’, you have something that may be indicative of a compromise and thus a potential Indicator of Compromise (IoC). The following is a malware IoC example:
Malware Key Risk Indication of Compromise
Key terms and Meanings:
- Steady Elevated: this measure is above normal and keeps increasing in a mostly linear progression
- Intermittent Elevated: this measure is above normal and occasionally rises and falls
- Sharp Sporadic Increase: this measure is above normal and sporadically rises and falls in sharp linear progressions
- Log Generating Systems: any system on the network that is creating a logging event. Examples: firewall, router, switch, Active Directory, VPN, file servers, email systems, etc…
A "Blue Team" Kill Chain of How To Fight Malware IoCs
A kill chain is an old military term that describes from beginning to end how you achieve a “kill,” or to get out in front of an attack and cut it off before it escalates further. In this case, you are “killing” the attackers’ capability on your network and data devices. A blue team is the security and network/server technicians employed to protect your network.
Learn more about the cyber kill chain with our blog How the Cyber Kill Chain Can Help You Protect Against Attacks.
Incident Response Preparedness
As part of incident response preparedness, your ability to set good Key Risk Indicators in your environment is in direct correlation with your ability to detect intrusion and compromise. Without measuring something, we cannot truly manage it. Creating these metrics as part of being ready for an incident is paramount to being successful at incident response. Check out our 50+ Incident Response Preparedness Checklist Items download for more ideas.
Written by: Buzz Hillestad
SVP Information Security Consultant, DFIR Lead, and CBFI Instructor - SBS CyberSecurity, LLC
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.