• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2019
  • April
  • 30
  • SOC/SIEM – Indicator of Attacks Explained

SOC/SIEM – Indicator of Attacks Explained

April 30, 2019July 7, 2019 Comments Off on SOC/SIEM – Indicator of Attacks Explained
siem explained siem indicator of attacks soc explained soc indicator of attacks

IoAs is some events that could reveal an active attack before indicators of compromise become visible. Use of IoAs provides a way to shift from reactive cleanup/recovery to a proactive mode, where attackers are disrupted and blocked before they achieve their goal such as data thief, ransomware, exploit, etc.

IOAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-generation security solutions are moving to an IOA-based approach

10 Indicators of attack (IoAs)

The following most common attack activities could have been used, individually or in combination, to diagnose an active attacks:

1) Internal hosts with bad destinations

Internal hosts communicating with known bad destinations or to a foreign country where you don’t conduct business.

Example of HP ArcSight Dashboard that show client’s hosts communicating with Feeds(IP, Domain, Url) from “ransomwaretracker.abuse.ch” website.

[Ransomware Hunter is available as free a free package included at HPE Protect724 from SOC Prime]

Example of Global Threat Intelligence from McAfee

2) Internal hosts with non-standard ports

Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP, HTTPS traffic over port 80,443, the default web port.

Example of Internal Host using 21(FTP), 445(SMB), 137(NETBIOS-NS), 135(RPC) to Internet

3) Public Servers/DMZ to Internal hosts

Publically servers or demilitarized zone (DMZ) hosts communicating to internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets such as RDP(Remote Desktop Protocol), Radmin, SSH.

Example of a Report that monitor Top 10 Traffic from “DMZ” zone to “Internal/Client” Zone.

From this report, Security Analyst should investigate to Highlighted Servers that communicating to Internal hosts via RDP(TCP/3389), SSH(TCP/22)

4) Off-hour Malware Detection

Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.

Example of IPS alerts on non-working time (Holiday)

5) Network scans by internal hosts

Network scans by internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network. This incidents detect from Perimeter network defenses such as firewall and IPS. You must choose Zone/Interface from “Internal” to “Internal” only. For Future, you should focus form “Internal” to “DMZ” too. It may be “Insider Threat” or “Compromise hosts” that they need more information from your networks (Reconnaissance)

Example of Network Scans Report that filters from “Internal” to “Internal” zone

6) Multiple alarm events from a single host

Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. THIS IS COMMON USE CASE.

Example Dashboard that monitoring “User Login Failures” from Single Hosts

Note: some login failed events form e-mail applications on mobile phones can generate events more 500 events/minute. I found this case when password of user account is expired but they have not change new password on their devices.

7) System is reinfected with malware

After Infected host is cleaned, a system is reinfected with malware within 5-10 minutes, repeated reinfections signal the presence of a rootkit or persistent compromise. This incident may detect from Endpoint Security Protection or Anti Virus events.

This is Example Maleware Dashboard.

Detection: You must create at least 3 rules on SIEM follow as

  1. The rule alert when it found infected host then “Add To” Current Infected Hosts List and Historical Infected Hosts List (Store at least 1 week)
  2. The rule alert when malware is cleaned from infected Host then “Remove To” Current Infected Hosts List
  3. The rule alert when it found infected host that is “Historical Infected Hosts List” with in specific time range. THAT SYSTEMs SHOULD SCAN/INVESTIGATE MALWARE AGAIN!!!

8. Multiple Login from different regions

A user account trying to login to multiple resources within a few minutes from/to different region. This is a sign that user’s credentials have been stolen or that a user is up to mischief.

Example of Correlated rule that Ideal solutions may vary based on your network conditions and security policy.

This rule detect from an event in the “Login” normalization category, with an Event Outcome equal “Success” with multiple Source Geo-locations, within a specified Time Range and Events are grouped by Source User.

9. Internal hosts use much SMTP

E-Mail Protocol such as SMTP (Simple Mail Transfer Protocol), POP3 or IMAP4 should be monitoring. Some malware will use these port for send information to Suspicious or Hacker’s server.

Example of Infected client that use SMTP(TCP/25)

10. Internal hosts many query to External/Internal DNS

Many organization have Internal DNS servers for caching records and serve DNS service to internal hosts. DHCP configuration is define Primary DNS Server to Internal DNS server. If you found that some internal hosts query to External DNS such as 8.8.8.8, 8.8.4.4 (Google DNS), you should try scan malware on that clients.

Some Incidents found that the internal host query many requests to the internal DNS server (> 1,000 events/hour)

Reference: http://www.mcafee.com/cf/resources/reports/rp-when-minutes-count.pdf

Original Source & Credit:  Sittikorn Sangrattanapitak, CISSP

Also read

Security Information and Event Management (SIEM)- Explained

Better Visibility for an Analyst to Handle an Incident

How to Respond to Cyber Attacks

Post navigation

Top 10 Hacker Forums on Darknet and Clearnet
Intrusion Prevention Systems(IPS) and Its Detailed Function

Related Articles

A Guide to Crypto Self-Custody

A Guide to Crypto Self-Custody

- Dark Web News
February 1, 2023
Austrian Resold Drugs Purchased on The Dark Web

Austrian Resold Drugs Purchased on The Dark Web

- Dark Web News
January 29, 2023
Former Doctor Imprisoned for Attempting to Hire Hitmen

Former Doctor Imprisoned for Attempting to Hire Hitmen

- Dark Web News
January 26, 2023
hacker gadgets
hacker phone covers

Recent Posts

Suborner - The Invisible Account Forger

Suborner – The Invisible Account Forger

February 2, 2023
DefaScan: Defacement Scan and Alert

DefaScan: Defacement Scan and Alert

February 2, 2023
curio: finds risks and vulnerabilities in your code

curio: finds risks and vulnerabilities in your code

February 1, 2023
Monomorph - MD5-Monomorphic Shellcode Packer - All Payloads Have The Same MD5 Hash

Monomorph – MD5-Monomorphic Shellcode Packer – All Payloads Have The Same MD5 Hash

February 1, 2023
A Guide to Crypto Self-Custody

A Guide to Crypto Self-Custody

February 1, 2023
CVE-2023-23924: Critical-Severity RCE Flaw Found in Popular Dompdf Library

CVE-2023-23924: Critical-Severity RCE Flaw Found in Popular Dompdf Library

February 1, 2023

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Join Our Community!

Please wait...
Get the latest News and Hacking Tools delivered to your inbox.
Don't Worry ! You will not be spammed

Active Members

Submit a Tool

Hackers Handbook 2018


Grab your copy here

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW