Indicators of Malicious Activity
Importance of analyzing indicators of malicious activity.
By classifying various types of malware and identifying signs of infection, security teams can better prepare to remediate compromised systems or prevent malware execution.
Understanding how physical, network, wireless, and credential-based attacks are perpetrated is crucial for diagnosing indicators from the appropriate data sources.
TTPs and IoCs
Antivirus (A-V) scanners operate based on known malware code recognition.
Malware code is stored as a signature in the antivirus database, which must be continually updated.
When a file is accessed, the antivirus intercepts the file call, scans it, and if it matches a signature, it blocks access and alerts the user, logging the event.
Signature-based detection is important for detecting commodity malware attacks but is no longer wholly effective.
Malicious activity may require monitoring a wider range of indicators formed by studying threat actor behaviors.
Tactics, Techniques, and Procedures (TTP):
Tactic: High-level description of threat behavior (e.g., reconnaissance, persistence, privilege escalation).
Technique: Intermediate-level description of how a tactic progresses (e.g., reconnaissance achieved through active network scanning, vulnerability scanning, email harvesting).
Procedure: Detailed description of a technique implementation (e.g., a specific tool used to perform vulnerability scanning).
Example scenario of TTP analysis: Criminal gang blackmailing companies by using ransomware.
Goal: Infect hosts with ransomware.
Campaign comprised of tactics such as reconnaissance, resource development, initial access, and execution.
Initial access tactic might exploit vulnerabilities in network monitoring software commonly used by companies.
Procedures describe how the malware was delivered: the exploited software was installed from an infected repository, and the installation led to malware execution.
Indicators of Compromise (IoCs)
An Indicator of Compromise (IoC) is a sign an asset or network has been successfully attacked or is under attack.
IoCs serve as evidence of a TTP.
Example IoCs from the ransomware scenario:
Presence of specific compromised versions of the network monitoring software.
Connections to Command and Control (C&C) networks.
Disabled system recovery/backup features.
Registry entries and script remnants for executing ransomware.
Encrypted files with different extensions and blackmail demand notices.
There are many targets and attack vectors leading to potentially thousands of IoCs.
Many well-documented TTPs and IoCs exist, notably in the MITRE ATT&CK knowledge base.
Modern scanning tools integrate threat feeds of published TTPs and indicators.
This allows automated scanning of malicious behaviors beyond signature-based detection.
IoCs can be definite (like a malware signature) or inferred by correlating multiple data points.
Inferred IoCs are challenging to interpret, as they often arise from patterns of anomalous activity rather than single events.
AI systems are employed in threat intelligence platforms for automated analysis and detection.
Strictly, IoCs are signs of successful attacks; the term indicator of attack (IoA) is used for ongoing intrusion attempts.
Malicious Activity Indicators
The variety of malware types leads to numerous potential indicators of malicious activity.
Some malware changes manifest visibly, like modifying browser settings or displaying ransom notices.
Covert malware requires detailed examinations of process, file system, and network behaviors for indicators.
Sandbox Execution
If malicious activity goes undetected by endpoint protection, analyze suspect code or hosts in a sandboxed environment.
A sandbox is isolated from the production network, preventing malware from escaping.
It records file system, registry changes, and network activities.
A sheep dip is an isolated host for testing new software and removable media for malware indicators before allowing them on the production network.
Resource Consumption
Abnormal resource consumption can indicate malware presence, detected through performance monitors.
Indicators include excessive CPU usage, memory leaks, abnormal disk activity, increased disk space usage, and high network bandwidth consumption.
Continuous high resource utilization may not confirm malicious activity but suggests investigation is warranted.
Poorly designed malware, or malware performing intensive operations (e.g., DDoS, cryptojacking), typically shows these symptoms.
Example: A graph showing CPU utilization rarely dropping below 50% could indicate cryptojacking malware.
File System Analysis
Malicious code may not execute from a process image stored on the local disk, but it still interacts with the file system and registry.
File system metadata provides insights into file creation, modification, and access times, aiding in incident timeline establishment.
Indicators from content-blocking controls reveal attempts to access valuable data.
Audit logs can also capture access denied messages when user accounts attempt unauthorized modifications.
Resource Inaccessibility
Resource inaccessibility indicates a network, host, file, or database is unavailable.
This is a typical sign of a Denial of Service (DoS) attack.
A DoS attack can make a gateway unavailable by consuming excessive resources, or it can open so many connections that services are disrupted.
Critical data resources might be subjected to ransomware attacks, or malware may disable monitoring utilities to avoid detection.
Account Compromise Indicators
Threat actors often exploit existing accounts to fulfill their objectives.
Suspicious account behavior indicators include:
Account lockout: A result of too many failed authentication attempts, or of an intruder changing the password.
Concurrent session usage: Indicates credentials have been compromised and are being used on another workstation or via a remote access connection.
Impossible travel: Access from a geographic location that could not have been reached in the time elapsed since the last login.
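As an added example (not part of the original notes), the following Python script checks a constructed set of successful logins for the two correlated indicators above: impossible travel and concurrent session usage. It assumes the source IP of each login has already been resolved to coordinates, and the speed and session-window thresholds are assumptions to tune per environment.

```python
import math
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample of successful logins: (time, user, source host, lat, lon).
# Geo-resolution of the source address to coordinates is assumed to happen upstream.
LOGINS = [
    ("2024-05-01T09:00:00", "alice", "WS-101", 51.50, -0.12),   # London
    ("2024-05-01T09:45:00", "alice", "VPN-GW", 40.71, -74.01),  # New York, 45 min later
    ("2024-05-01T09:50:00", "bob",   "WS-203", 48.86, 2.35),    # Paris
    ("2024-05-01T09:55:00", "bob",   "WS-311", 48.86, 2.35),    # second host, same city
    ("2024-05-01T13:00:00", "carol", "WS-150", 51.50, -0.12),   # London
    ("2024-05-01T16:30:00", "carol", "WS-150", 48.86, 2.35),    # Paris 3.5 h later: plausible
]

MAX_SPEED_KMH = 900.0                   # assumed ceiling for plausible travel speed
SESSION_WINDOW = timedelta(minutes=15)  # assumed interval treated as one active session

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def find_indicators(logins):
    """Return (user, indicator, detail) tuples for impossible travel and concurrent use."""
    by_user = defaultdict(list)
    for ts, user, host, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), host, lat, lon))
    findings = []
    for user, events in by_user.items():
        events.sort()  # compare each login with the previous one for the same user
        for (t1, h1, la1, lo1), (t2, h2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                findings.append((user, "impossible_travel",
                                 f"{dist:.0f} km in {hours:.2f} h ({h1} -> {h2})"))
            if h1 != h2 and t2 - t1 <= SESSION_WINDOW:
                findings.append((user, "concurrent_session", f"{h1} and {h2}"))
    return findings

if __name__ == "__main__":
    for user, kind, detail in find_indicators(LOGINS):
        print(f"{user}: {kind}: {detail}")
```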
Logging Indicators
Threat actors erase or manipulate log entries to cover their tracks, which can be observed through:
Missing logs: Possibly due to file deletion or manipulation by a sophisticated actor.
Out-of-cycle logging: Entries whose timestamps fall outside the expected sequence, indicating manipulation of timestamps or entries to hide activity.
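As an added example (not part of the original notes), this Python function audits a constructed log for the two indicators above: gaps in the sequential record id (records removed), unexpectedly long silences from a source with a known cadence (entries deleted), and timestamps that run backwards (backdated entries). The "rec=" record number and the five-minute heartbeat cadence are assumptions about the sample source.

```python
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> rec=<sequential record id> <message>".
# The record id is assumed to be assigned sequentially by the logging service,
# in the same way the Windows event log assigns EventRecordID.
SAMPLE_LOG = """\
2024-05-01T10:00:00 rec=1001 heartbeat
2024-05-01T10:05:00 rec=1002 heartbeat
2024-05-01T10:10:00 rec=1003 user login bob
2024-05-01T10:15:00 rec=1004 heartbeat
2024-05-01T10:35:00 rec=1009 heartbeat
2024-05-01T10:40:00 rec=1010 heartbeat
2024-05-01T09:58:00 rec=1011 service stopped
2024-05-01T10:45:00 rec=1012 heartbeat
"""

EXPECTED_PERIOD = timedelta(minutes=5)  # assumed cadence of the heartbeat source

def parse(text):
    """Parse each line into (timestamp, record id, message)."""
    entries = []
    for line in text.splitlines():
        ts, rec, msg = line.split(" ", 2)
        entries.append((datetime.fromisoformat(ts), int(rec[len("rec="):]), msg))
    return entries

def audit_log(text, period=EXPECTED_PERIOD):
    """Return (record id, indicator, detail) tuples for missing and out-of-cycle entries."""
    entries = parse(text)
    findings = []
    prev_rec, high_water = entries[0][1], entries[0][0]
    for t, rec, msg in entries[1:]:
        if rec != prev_rec + 1:  # records were removed between prev_rec and rec
            findings.append((rec, "missing_records",
                             f"{rec - prev_rec - 1} record(s) absent after rec={prev_rec}"))
        if t < high_water:       # timestamp earlier than the latest seen: backdated entry
            findings.append((rec, "out_of_cycle",
                             f"{t.isoformat()} precedes rec={prev_rec}: {msg}"))
        else:
            if t - high_water > 2 * period:  # silence far longer than the cadence
                findings.append((rec, "time_gap", f"{t - high_water} without entries"))
            high_water = t       # only in-order entries advance the clock
        prev_rec = rec
    return findings
```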
Physical Attacks
Definition of a physical attack: An attack targeting cabling infrastructure, hardware devices, or environmental systems.
Various Forms of Brute Force Physical Attacks
Physical denial of service (DoS) can manifest as:
Smashing hardware devices.
Breaking into facilities using forced entry methods, often indicating theft or tampering.
Such attacks are detectable through tamper-evident systems, which show clear signs of forced entry.
Environmental Attacks
Environmental attacks are typically a form of attempted denial of service.
Threat actors may destroy power lines, sever network cables, or disrupt cooling systems.
Environmental maintenance systems can serve as pathways for network compromise.
Monitoring for physical damage or rogue devices is essential due to risks from these attacks.
RFID Cloning
RFID Technology: Encodes information into passive tags, utilized for contactless access control.
RFID Cloning and Skimming:
Card cloning: Duplicating a lost or stolen card that has no cryptographic protections; immediate reporting and revocation of the card is critical.
Skimming: Using a counterfeit reader to extract card details for duplication; typically targets simple access cards without advanced security.
Potential indicators include impossible travel and concurrent-use access patterns.
NFC technology: Derived from RFID, allows two-way communication at close range.
Network Attacks
Network attack: A general category of methods for disrupting or gaining access via networks.
Network attack stages often align with the cyberattack lifecycle:
Reconnaissance: Scanning tools for host discovery (IP addresses), service discovery (open TCP/UDP ports), fingerprinting (application versions and OS identification).
Rapid scanning generates detectable traffic, but scanning is challenging to differentiate from benign activity.
Credential Harvesting: Attempting to learn user passwords for authenticated access.
Denial of Service (DoS): Causes server/service unavailability, detectable through monitoring tools for non-responsive hosts or abnormal request volumes.
Weaponization, Delivery, Breach: Techniques allowing unauthorized access through malicious code targeting vulnerable applications or users.
Command and Control (C2): Techniques for remote operation and access persistence, disguised as normal network traffic.
Detection relies on identifying anomalous connection endpoints and compromised host indications.
Lateral Movement/Pivoting: Techniques allowing movement between hosts or network segments, requiring detection of anomalous logins and privilege use.
Data Exfiltration: Covertly obtaining data and transferring it to the attacker's machine, often in small transfers that are hard to trace.
Wireless Attacks
Wireless networks pose specific security challenges and are frequent attack vectors.
Rogue Access Points
Rogue access point: Installed without authorization, can be intentional or accidental.
An unauthorized access point creates a backdoor into the network.
An evil twin masquerades as a legitimate access point by imitating its network name (SSID).
Detecting rogue access points may require physical inspections or wireless intrusion detection systems.
Wireless Denial of Service Attacks
Wireless DoS: Prevents clients from accessing legitimate access points through intentional jamming.
Vulnerabilities in management frames allow disassociation attacks that force clients off the network using spoofed frames.
Wireless Replay and Key Recovery Attacks
Wireless authentication can be targeted by replay attacks that capture the hashes exchanged when a client associates with an access point.
KRACK Attack: A specific replay mechanism targeting WPA/WPA2 handshakes; both clients and access points should be patched against such attacks.
Credential Replay Attacks
Threat actors often first compromise a single workstation to launch subsequent attacks across a network.
The objective is lateral movement and privilege escalation by exploiting secrets stored in memory.
Credential replay works primarily against Windows Active Directory networks and targets credentials cached in the LSASS process.
Conclusion of Credential Management Security
Ensure protection against credential replay attacks by patching hosts and using secure configurations; avoid legacy NTLM unless essential.
Employ detection systems that correlate security log events for proactive threat monitoring.
Malicious Code Indicators
Many network attacks are launched by compromised hosts running various types of malicious code. Indicators of malicious code execution are either caught by endpoint protection software or discovered after the fact in logs of how the malware interacted with the network, file system, and registry.
Main types of malicious activity:
Shellcode: A minimal program designed to exploit a vulnerability in the OS or in a legitimate app to gain privileges, or to drop a backdoor on the host if run as a Trojan. Having gained a foothold, this type of attack will be followed by some type of network connection to download additional tools.
Credential dumping: The malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process. Additionally, a DCSync attack attempts to trick a domain controller into replicating its user list, along with their credentials, to a rogue host.
Pivoting/lateral movement/insider attack: The general procedure is to use the foothold to execute a process remotely, using a tool such as PsExec or PowerShell. The attacker might be seeking data assets or may try to widen access by changing the system security configuration, such as opening a firewall port or creating an account. If the attacker has compromised an account, these commands can blend in with ordinary network operations, though they could be anomalous behavior for that account.
Persistence: This is a mechanism that allows the threat actor's backdoor to restart if the host reboots or the user logs off. Typical methods include:
Use of AutoRun keys in the registry.
Adding a scheduled task.
Using Windows Management Instrumentation (WMI) event subscriptions.
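As an added example (not part of the original notes), this Python script triages the first persistence method above, AutoRun keys, by parsing a constructed export of the per-user Run key in the text format that `reg export` produces and flagging values that match simple suspicion heuristics. The heuristics (launch from a user-writable directory, a script host or other living-off-the-land launcher, hidden or encoded command flags) and the sample entries are assumptions for illustration.

```python
import re

# Constructed sample in the text format produced by `reg export` of the
# per-user Run key; backslashes and quotes are escaped as in real .reg files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\bob\\AppData\\Roaming\\svc\\update.exe"
"Helper"="powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"
'''

# Assumed heuristics, to be tuned per environment.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
HIDDEN_FLAGS = re.compile(r"-(enc|encodedcommand|w\s+hidden|nop)\b", re.I)

def parse_run_values(reg_text):
    """Yield (key path, value name, command line) from .reg text, undoing its escapes."""
    key = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section
        elif line.startswith('"') and key:
            name, _, raw = line.partition("=")    # value names never contain '='
            cmd = raw.strip('"').replace('\\"', '"').replace("\\\\", "\\")
            yield key, name.strip('"'), cmd

def triage_autoruns(reg_text):
    """Return [(value name, [reasons])] for Run entries matching a heuristic."""
    findings = []
    for _key, name, cmd in parse_run_values(reg_text):
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("launches from user-writable path")
        if SCRIPT_HOSTS.search(cmd):
            reasons.append("script host / LOLBin launcher")
        if HIDDEN_FLAGS.search(cmd):
            reasons.append("hidden or encoded command flags")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage_autoruns(SAMPLE_REG):
        print(f"{name}: {'; '.join(reasons)}")
```

On a live Windows host the same triage applies to the output of `reg export` for the HKLM and HKCU Run and RunOnce keys; entries that do not match any heuristic still deserve a look if the binary is unsigned or recently created.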