Have I been hacked? The indicators that suggest you have

John Kuhn, Senior Threat Researcher, IBM X-Force

Security professionals are constantly on the hunt for potential vulnerabilities and looking for ways to defend their networks. The term “indicator of compromise” (IOC) – first coined by governments and defense contractors trying to identify advanced persistent threats (APTs) – is something that all information security experts are familiar with.

Traditionally, investigators gather IOC data after they’ve been informed of a potential breach or discover a suspicious incident during a routine, scheduled scan. A recent IBM X-Force report looked at the top indicators of compromise so you can spot them before a hacker is able to do serious damage.

Let’s take a look at some of the top IOCs that signal your network has been breached by an attacker and how you can leverage them to detect irregularities in your system.

Unusual outbound network traffic: While it’s tough to keep hackers out of networks, outbound patterns are easily detectable and can be a sign of malicious activity. With visibility into this traffic, you can respond quickly before data is lost or major damage is caused.

Anomalies in privileged user account activity: Attackers often try to escalate privileges of a user account they’ve hacked. Monitoring privileged accounts for unusual activity not only opens a window on possible insider attacks, but can also reveal accounts that have been taken over by unauthorized sources. Keeping an eye on the systems accessed, the type and volume of data accessed, and the time of the activity can give early warning of a possible breach.

Large numbers of requests for the same file: When a hacker finds a file they want – customer or employee information, credit card details, etc. – they will try to create multiple attacks focused on obtaining it. Monitor for an amplified number of requests for a specific file.

Geographical irregularities: It may seem obvious, but it’s important to track the geographic location of where employees are logging in from. If you detect logins from locations where your organization does not have a presence, it’s worth investigating as it could mean you’ve been compromised.

Database extractions: Closely monitor and audit your databases to know where sensitive data resides, and to detect suspicious activity, unauthorized usage and unusual account activity. Watch closely for large amounts of data being extracted from databases; this can be a clear indicator that someone is attempting to obtain sensitive information.

Unexpected patching of systems: If one of your critical systems was patched without your initiation, it may be a sign of a compromise. While it seems strange that a hacker would repair a vulnerability, it’s all about the value of the data to them, and keeping other interested criminals away from it. Once they get inside, they often try to add a patch to the vulnerability they used to gain access to the system so that other hackers cannot get in through the same vulnerability. If an unplanned patch appears, it’s worth investigating for a potential attack.
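As an illustration of the "large numbers of requests for the same file" indicator above, this added example (not taken from the article or the X-Force report) counts requests per client and file inside a sliding time window. The log lines, addresses, file path and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:02:14:01 +0000] "GET /exports/customers.csv HTTP/1.1" 403 512
198.51.100.7 - - [12/Mar/2024:02:14:09 +0000] "GET /exports/customers.csv?v=2 HTTP/1.1" 403 512
203.0.113.20 - - [12/Mar/2024:02:14:11 +0000] "GET /index.html HTTP/1.1" 200 4096
198.51.100.7 - - [12/Mar/2024:02:14:17 +0000] "GET /exports/customers.csv HTTP/1.1" 403 512
198.51.100.7 - - [12/Mar/2024:02:14:25 +0000] "GET /exports/customers.csv?dl=1 HTTP/1.1" 200 88211
garbled line without the expected fields
198.51.100.7 - - [12/Mar/2024:02:14:33 +0000] "GET /exports/customers.csv HTTP/1.1" 200 88211
198.51.100.7 - - [12/Mar/2024:02:14:41 +0000] "GET /exports/customers.csv HTTP/1.1" 200 88211
203.0.113.20 - - [12/Mar/2024:02:15:40 +0000] "GET /exports/customers.csv HTTP/1.1" 200 88211
"""

LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def repeated_file_requests(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {(client, path): peak_count} for every client/file pair whose
    request count inside any sliding window reached the threshold."""
    recent = defaultdict(deque)   # (client, path) -> timestamps still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of aborting
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Ignore the query string so variations of one file count together.
        key = (m["client"], m["path"].split("?", 1)[0])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":
    for (client, path), count in repeated_file_requests(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {client} requested {path} {count} times within one minute")
```

The threshold and window should come from the baseline of normal traffic for the file in question rather than from fixed defaults.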

Searching for indicators of compromise

These are just a handful of the different indicators of compromise that you should be on the lookout for. But what are the steps for actually searching for them? A good rule of thumb is to implement a defense-in-depth lifecycle – Document, Search, Investigate, Remediate, Repeat.

Document attack tools & methods: Profile your network traffic patterns to understand what’s normal. Focus your attention on main protocols, especially the ones used by attackers such as DNS and HTTPS. Collect and examine log file entries and leverage tools like log management and SIEM systems that can help automate and visualize these data patterns to detect suspicious activity. Subscribe to IOC data feeds, like IBM’s X-Force Exchange, that share reported IOCs to help investigate potential incidents and speed time to action.

Use intelligence to search for malicious activity: By leveraging the data that you documented in step 1, you can configure your security systems to monitor and search for malicious activity. Your defenses can be configured to block activities or trigger alerts if activity is identified from a suspicious IP address or geographical location, or if an attacker tries to use a known toolkit or tries to exploit a known vulnerability. You should also look out for new user names being created locally.

Investigate security incidents & assess compromise levels: If a security incident occurs, the next logical step is to investigate and assess the number of systems or applications that are affected. Start with system IP, DNS, user, and timestamps to first understand the scope of the breach and the degree of penetration the attacker may have gained in the system. Next, create a timeline to determine if any other events occurred. Examine all files with time stamps (logs, files, registry), the content of email communications and messages, information about system logon and logoff events, indications of access to specific Internet documents or sites, and the contents of communication with known individuals in chat rooms or other collaborative tools. Check for evidence of document destruction and search for incident-specific IOCs, including patterns exhibited within working directories or the use of particular hosts and accounts.

Identify, remediate & repeat: Identify all compromised hosts, user accounts, points of exfiltration, and other access points. Next, move to reset passwords, remove points of exfiltration, patch vulnerable systems being exploited for access, activate your incident response team, and set trigger points to alarm if the attacker returns. After this is complete, it’s important to continue searching for IOCs to ensure remediation tactics are successful and then to repeat the process, if necessary.
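The Search and Investigate steps can be sketched as follows; this is an added example, not code from the article or from IBM. Starting from one indicator IP address, it expands the scope to the accounts seen with it, to accounts those accounts created, and to the hosts they touched, then builds the timeline. The event records, field names, host names and addresses are all constructed.

```python
from datetime import datetime

# Constructed events, as if normalised from auth, proxy and database audit logs.
EVENTS = [
    {"ts": "2024-03-12T02:31:44", "host": "db01", "user": "helpdesk2",
     "ip": "10.0.4.15", "action": "db_export"},
    {"ts": "2024-03-12T02:05:10", "host": "web01", "user": "svc_backup",
     "ip": "198.51.100.7", "action": "logon"},
    {"ts": "2024-03-12T02:09:02", "host": "db01", "user": "svc_backup",
     "ip": "10.0.4.15", "action": "account_created", "target": "helpdesk2"},
    {"ts": "2024-03-12T02:12:30", "host": "web01", "user": "alice",
     "ip": "10.0.2.8", "action": "logon"},
    {"ts": "2024-03-12T02:20:00", "host": "db01", "user": "helpdesk2",
     "ip": "10.0.4.15", "action": "logon"},
    {"ts": "2024-03-12T03:02:19", "host": "web01", "user": "svc_backup",
     "ip": "198.51.100.7", "action": "logoff"},
]

def scope_incident(events, indicator_ips):
    """Expand from indicator IPs to accounts and hosts until nothing new
    appears, then return (users, hosts, time-ordered timeline)."""
    users, hosts = set(), set()
    changed = True
    while changed:                      # repeat until a pass adds nothing
        changed = False
        for e in events:
            if e["ip"] not in indicator_ips and e["user"] not in users:
                continue
            found = {e["user"]}
            if e["action"] == "account_created":
                found.add(e["target"])  # account made by an in-scope account
            if not found <= users or e["host"] not in hosts:
                users |= found
                hosts.add(e["host"])
                changed = True
    # Internal source addresses are deliberately not pivoted on: shared
    # jump hosts would pull unrelated users into scope.
    timeline = sorted(
        (e for e in events if e["user"] in users or e["ip"] in indicator_ips),
        key=lambda e: datetime.fromisoformat(e["ts"]),
    )
    return users, hosts, timeline

if __name__ == "__main__":
    users, hosts, timeline = scope_incident(EVENTS, {"198.51.100.7"})
    print("accounts:", sorted(users), "hosts:", sorted(hosts))
    for e in timeline:
        print(e["ts"], e["host"], e["user"], e["action"])
```

The resulting account and host sets are the list to work through in the remediation step: the accounts to reset and the systems to examine and patch.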

With this model in place, you can identify the breadcrumbs that attackers leave behind when they compromise security defenses, enabling you to react quickly and efficiently to security incidents.