NetworkTigers on security alert services.
Security alerts help organizations detect advanced cyberattacks. Most of the time, your organization's IT team is bombarded with security alerts from the many IT devices in use, yet most of these alerts turn out to be false positives. The most challenging task for your IT team is to distinguish normal behavior and false positives from the actual threats.
Your security team should focus on the right security alerts. Below are some must-have security alerts to subscribe to so you can begin sifting out the false alerts.
1. Privileged User and Account Monitoring
One of the biggest security weaknesses in an organization is its privileged user accounts. End users whose endpoints run with root or administrator privileges open the door to malware infiltration, which can in turn lead to changes to network or system settings, or even to bad actors gaining access to sensitive data.
Dashboards should be created to monitor privileged user activity. Since privileged accounts are entry points to other systems and applications in your network, hackers always attempt to obtain access to them and escalate privileges. With access to these accounts, they can potentially work around firewalls and Intrusion Detection Systems (IDS).
2. Abnormal Outbound Activity
Security teams always monitor inbound traffic, but is abnormal outbound activity monitored just as closely? External network communication can occur over an unusual port or protocol, and a firewall that only filters traffic may not catch everything. These external communications may deliver malware, carry on command-and-control activity, or conduct swarm and hive bot activity.
Your security team should deploy mechanisms to filter, monitor, and block external communication. Outbound communication to public resources is normal; communication that is not directed at a public resource may indicate an unauthorized connection. Any suspicious activity should be checked against your security policy and known malicious patterns. Security alerts can be generated from your firewalls, IDS/IPS, and switches to monitor this outbound activity. The best tried-and-tested way to monitor it is with a Security Information and Event Management (SIEM) system.
3. Acceptable Use Policy Violations
As part of the onboarding process, every employee should undergo a security briefing, an annual review, and a sign-off. Your employees usually sign acceptable use policies (AUPs) when they join, but their importance may be forgotten without the briefing and frequent check-ins. These policies are the security rules employees need to follow when using organizational technology. AUPs protect the company's network and resources from bad actors but are often not monitored as intended.
Security teams need to set up dashboards to review these security alerts. Downloading torrent content, browsing inappropriate content, or falling for phishing scams are just a few instances where your company's network becomes vulnerable to malicious activity. Frequent check-ins and alerts help find malware-infected endpoints quickly and thus mitigate the risk.
4. Data Exfiltration
One of the main purposes behind advanced persistent threats (APTs) is data exfiltration, which often shows up as unusual port activity. Ports that are used frequently can be used to get past firewalls and IDS, leading to the theft of company information. Phishing scams and social media can also be used to infiltrate your company's network. Commonly abused ports include TCP 80 (HTTP), TCP 443 (HTTPS), and TCP/UDP 53 (DNS).
Techniques used by hackers to conduct such an attack are as follows:
- Web applications: Threat actors can use these ports to access your data directly.
- Backdoors: These can be used to collect files and to hide traffic on common ports.
- File Transfer Protocol: Hackers may use FTP or FTPS to transfer files, or may use a cloud provider.
- Windows Management Instrumentation: This can be used to access files and mail accounts in Microsoft Outlook.
Security alerts can be set up from network intrusion detection and prevention system logs to identify any of the malicious activity mentioned above. Alerts may be configured to let your security team know when data is being shared externally beyond recommended limits. SIEM configurations that establish what normal traffic looks like and send alerts when traffic exceeds this baseline will also be helpful.
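Both the abnormal-outbound-port check from section 2 and the baseline-deviation alert described here can be prototyped on flow or firewall export records. The following Python is an added example, not NetworkTigers' code or any SIEM's rule syntax; the flow tuples, the five-day history, the 10.0.0.0/8 internal range, and the allowed-port set are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real traffic: (src_host, dst_ip, proto, dst_port, bytes_out); 10.x is internal.
FLOWS = [
    ("10.0.0.5", "93.184.216.34", "tcp", 443, 120_000),
    ("10.0.0.5", "8.8.8.8", "udp", 53, 2_000),
    ("10.0.0.7", "93.184.216.34", "tcp", 443, 80_000),
    ("10.0.0.7", "203.0.113.9", "tcp", 2222, 5_000),          # port outside policy
    ("10.0.0.9", "198.51.100.20", "tcp", 443, 900_000_000),   # far above this host's norm
    ("10.0.0.9", "198.51.100.20", "tcp", 443, 400_000_000),
]
# Constructed per-host outbound byte totals from the previous five days, used as the baseline.
HISTORY = {
    "10.0.0.5": [100_000, 130_000, 110_000, 125_000, 115_000],
    "10.0.0.7": [70_000, 90_000, 85_000, 60_000, 95_000],
    "10.0.0.9": [200_000, 250_000, 220_000, 210_000, 240_000],
}
# Outbound (proto, port) pairs the policy permits; anything else to an external host is alerted.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}

def is_external(ip):
    return not ip.startswith("10.")

def outbound_totals(flows):
    """Bytes sent by each internal host to external destinations."""
    totals = defaultdict(int)
    for src, dst, _proto, _port, nbytes in flows:
        if is_external(dst):
            totals[src] += nbytes
    return dict(totals)

def abnormal_port_alerts(flows, allowed=ALLOWED_OUTBOUND):
    """External connections on a protocol/port the policy does not allow."""
    return sorted({(src, dst, proto, port) for src, dst, proto, port, _ in flows
                   if is_external(dst) and (proto, port) not in allowed})

def baseline_alerts(flows, history, z=3.0, min_sigma=1.0):
    """Hosts whose outbound volume exceeds mean + z * stdev of their own history."""
    alerts = []
    for host, today in outbound_totals(flows).items():
        past = history.get(host)
        if not past:                       # unknown host: nothing to compare against
            alerts.append((host, today, "no baseline"))
            continue
        score = (today - mean(past)) / max(pstdev(past), min_sigma)  # min_sigma avoids /0
        if score > z:
            alerts.append((host, today, f"z={score:.1f}"))
    return alerts
```

A host with no history is reported separately rather than silently passed, since a brand-new internal address sending data out is itself worth a look.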
5. File Integrity Monitoring
File Integrity Monitoring (FIM) is a tool that deserves a close look. Alerts and dashboards that show file status when unexpected changes are made need to be set up. File access auditing lets your team know whether any files were created or deleted, which programs were used to execute a file, and which files were viewed. Any unusual file must be run through an anti-virus tool to identify malware.