How Do I Discover a Possibly Larger Attack in Progress?

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Most day-to-day security monitoring work involves detecting where security controls have failed and a system has become compromised by malware or exploits. However, situations will always exist that require more investigation, with reason to believe that one compromised host may have been used to compromise others, or a more complex sequence of specific events can be used to carry out an attack or exploit, commonly referred to as an attack vector.

Indicators of Compromise (IoCs)

Indicators of compromise, or IoCs, represent pieces of information about an attack vector. An IoC can be used to observe a relationship to other attacks. In fact, if you see an IoC responsible for multiple malware infections that all take instructions from the same remote host on the internet, you should track it. This allows you to disable many infections at the same time by blocking that server

For related information about IoCs comprising Open Threat Exchange®(OTX) pulses, see Open Threat Exchange® and USM Appliance.

Common Attack Vectors and Strategies to Combat Them

The best way to determine the appropriate incident response in any given situation is to understand what types of attacks your organization may most logically face.

The National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) publishes the following list of common attack vectors:

  • External/Removable Media

    An attack executed from removable media (for example, flash drive, CD) or a peripheral device.

  • Attrition

    An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.

  • Web

    An attack executed from a website or a web-based application (for example, drive-by download).

  • Email

    An attack executed via an email message or attachment (for example, malware infection).

  • Improper Usage

    Any incident resulting from violation by an authorized user of the acceptable usage policies established by an organization, excluding the above categories.

  • Loss or Theft of Equipment

    The loss or theft of a computing device or media used by the organization, such as a laptop or smart phone. Identify which pieces of equipment would cause the greatest risk to the company in the event of loss or theft. In most companies, the laptop belonging to the CFO would be included along with any server hard drive containing IP or other sensitive data.

  • Other

    An attack that does not fit into any of the other categories.

Review the foregoing list to make sure that you have security policies and controls in place to mitigate the majority of risks from these attack vectors. Also, use this list to guide your team in determining how to classify the various types of security incidents.

Alert Taxonomy

An alert taxonomy can help you to order related alerts into a picture of a larger attack in progress, as the attacker does the following:

  • Performs reconnaissance.
  • Delivers the attack to many systems.
  • Successfully exploits some of them.
  • Uses the compromised system as a base from which to attack others.

Get Inside the Mind of the Attacker Through Security Event Categorization

Traditional information security falsely assumes that you know which path an attacker will take through your network. For example, attackers rarely come through your front door, or in this context, your gateway firewall. On the other hand, each attack does generally follow a certain pattern, or what Lockheed Martin calls the Cyber Kill Chain®.

The Cyber Kill Chain is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing your monitoring and response plan around the cyber kill chain model is an effective method, because it focuses on how actual attacks happen.

Cyber Kill Chain model
Intent Attacker Goal
Reconnaissance & Probing
  • Find target.
  • Develop plan of attack based on opportunities for exploitation.
Delivery & Attack
  • Place delivery mechanism on line.
  • Use social engineering to get target to access malware or other exploit.
Exploitation & Installation
  • Exploit vulnerabilities on target systems to acquire access.
  • Elevate user privileges and install persistence payload.
System Compromise
  • Exfiltrate high-value data as quietly and quickly as possible.
  • Use compromised system to gain additional access, "steal" computing resources, and/or use in an attack against someone else.

When devising an incident response plan, you may find it helpful to prioritize security events or alarms.

Sample incident response spreadsheet
Incident Type Kill Chain Stage Priority Level Recommended Action
Port scanning Reconnaissance & probing Low

You can ignore these unless LevelBlue OTX IP Reputation gives the IP responsible a bad score.

OTX IP Reputation stores reports on any suspicious IP activity, which may or may not be malicious. See Open Threat Exchange® and USM Appliance.

Malware infection Delivery & attack Low-Medium Remediate malware infections as quickly as possible before they progress. Scan the rest of your system for related IoCs, for example, MD5 hashes. See Open Threat Exchange® and USM Appliance.
Distributed denial of service Exploitation & Installation High Configure web servers to protect against HTTP and SYN flood requests. Coordinate with your Internet service provider (ISP) during an attack to block the responsible IPs.

Unauthorized access

Exploitation & Installation Medium Detect, monitor, and investigate unauthorized access attempts—with priority on those that are mission-critical and/or contain sensitive data.
Insider breach System compromise High

Identify the privileged user accounts for all domains, servers, applications, and critical devices.

Make sure that you enabled monitoring for all systems, and for all system events.

Verify that your USM Appliance raw log infrastructure is actively recording all events.

Unauthorized privilege escalation Exploitation & installation High

Through its built-in correlation directives, USM Appliance automatically records all privileged escalation events, and sends alarms for unauthorized attempts.

Depending on requirements, you may also enhance your USM Appliance environment by adding custom correlation directives.

Destructive attack on systems, data. System compromise High

Back up all critical data and systems; test, document, and update system recovery procedures.

During a system compromise, capture evidence carefully. Document all recovery steps and all evidential data.

Advanced persistent threat (APT) or multistage attack Represents all stages from reconnaissance through system compromise High

Any of the individual events illustrated could represent part of an APT, the most formidable type of security threat. For that reason, view each event as part of a larger context, incorporating the latest threat intelligence.

USM Appliance correlation directives often look at how many events of a specific nature occurred before generating an alarm, thereby increasing its reliability. OTX pulses, on the other hand, require only one event to do so.

False alarms Represents all stages. Low

Much of the job of an incident responder consists of eliminating irrelevant information and removing false positives. This process is continuous. For more information, see Establishing Baseline Network Behavior and also Policy Management.

Other All stages High Incident response never stops and provides a source for continuous improvement. Over time, as you see events turn into alarms, you gather knowledge that helps you discover new ways to categorize events and to prevent them from becoming alarms in the first place.

About Port Scanning Alarms

You may feel certain that attackers are getting no useful information from their scanning. However, if their scans of your external systems appear to be detailed and comprehensive, you can reasonably assume that they have the intent to follow up the reconnaissance with attack attempts later on.

If the scanning originates from a legitimate organization’s networks, your best approach is to contact their security team, if they have one, or network management personnel.

If no contact details are apparent, look for details about the domain in WHOIS, a link to which is available at the bottom of the USM Appliance Security Events list and also from the applicable OTX web pages for such IoCs.

Note: Blocking the source address may be counter productive, and merely cause the attacker to use a different source address.