What To Look For In Logs: Hackers Being Successful

Today there was an interesting VISA BlackPOS informational webinar.

What I got out of it was some additional information on items to keep in mind when looking for Indicators of Compromise (IOC).

VISA¹ has a great program to help small businesses protect themselves against cyber attacks.

[Slide: BlackPOS Prevention and Detection]

There were a lot of good cybersecurity tidbits, and I want to focus on logging and indicators of compromise (IOC).

[Slide: BlackPOS Attack Characteristics]

The attack characteristics are similar to those of other malware, such as CryptoWall.

The initial attack vectors need to be reviewed so we know where to check our logs for IOCs:

  1. Remote access scenarios
  2. Internet-facing systems with weak authentication
  3. Botnet infection
  4. Exfiltration over ports/services commonly associated with data transfers:
    1. ICMP, TLS/HTTPS, NetBIOS, SSH, FTP/SFTP

We have to create a baseline and then check traffic against it.

One more slide was most interesting:

[Slide: BlackPOS Warning Signs]

During the verbal Q&A one item kept coming up: outgoing FTP traffic is the channel most used by malware to send stolen information to its control servers (also called command and control).

So we need to review and check outgoing FTP traffic.

How many times are you really going to upload files over FTP for your job, across all positions?

If the answer is in the single digits, then it is easy to set up a log analysis point for it.

We must have new methods of finding the IOCs.

Of course the initial method of compromise is also important.

[Slide: Remote Access Suggestions by VISA]

VISA finds that many of its merchants that get compromised have the following problems:

  1. Remote access applications use single-factor authentication
  2. Passwords are left at default settings or are easily guessed
  3. Access is not restricted from known attacker sources in Eastern Europe or elsewhere
  4. Security controls or encryption are not used

Yesterday's blog post discussed log analysis review and scripting.

[Image: cybersecurity log analysis]

So the first thing we need to do is create a baseline of outgoing FTP, then turn all outgoing FTP into alerts, and review the outgoing FTP alerts weekly against that baseline.
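As an added example (not from the webinar or from VISA's materials), here is a small Python script that does what this post describes: build a baseline of outbound transfers from a known-good window of firewall logs, then alert on every outbound flow over the exfiltration channels from the attack-characteristics slide (FTP, SSH/SFTP, NetBIOS, ICMP) that is not in the baseline, plus a volume alert when one host makes more outbound FTP connections than the single-digit count discussed above. The log format, the internal network ranges, the IP addresses and the port-to-channel mapping are all assumptions constructed for this example; TLS/HTTPS is deliberately left out of the watched ports because alerting on every outbound 443 connection would bury the FTP signal.

```python
import ipaddress
import re
from collections import Counter

# Exfiltration channels named on the attack-characteristics slide, keyed by
# the standard destination port. The port mapping is an assumption of this
# example; HTTPS (443) is intentionally not watched because it is too noisy.
WATCHED_PORTS = {21: "FTP", 22: "SSH/SFTP", 139: "NetBIOS", 445: "NetBIOS/SMB"}

# The merchant's internal ranges (assumed: the RFC 1918 blocks). Anything
# from an internal source to a non-internal destination counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical firewall log format, constructed for this example:
#   <timestamp> src=<ip> dst=<ip> proto=<tcp|udp|icmp> [dport=<port>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))?"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(rec):
    return is_internal(rec["src"]) and not is_internal(rec["dst"])


def channel(rec):
    """Name of the watched exfiltration channel this flow uses, or None."""
    if rec["proto"] == "icmp":
        return "ICMP"
    return WATCHED_PORTS.get(rec["dport"])


def build_baseline(lines):
    """Outbound (src, dst, channel) triples seen during a known-good window."""
    baseline = set()
    for line in lines:
        rec = parse_line(line)
        if rec and is_outbound(rec):
            ch = channel(rec)
            if ch:
                baseline.add((rec["src"], rec["dst"], ch))
    return baseline


def find_alerts(lines, baseline, max_ftp_per_host=9):
    """Alert on every outbound watched-channel flow not in the baseline, and
    on any internal host whose outbound FTP count exceeds max_ftp_per_host
    (the 'single digits' rule of thumb from the post)."""
    alerts = []
    ftp_counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_outbound(rec):
            continue
        ch = channel(rec)
        if not ch:
            continue
        if ch == "FTP":
            ftp_counts[rec["src"]] += 1
        if (rec["src"], rec["dst"], ch) not in baseline:
            alerts.append(f"{rec['ts']} NEW {ch} {rec['src']} -> {rec['dst']}")
    for host, n in ftp_counts.items():
        if n > max_ftp_per_host:
            alerts.append(f"VOLUME FTP {host} made {n} outbound connections")
    return alerts


# Constructed sample data: one known vendor FTP upload during the baseline
# week, then a new FTP destination plus ICMP from a different host this week.
BASELINE_WEEK = [
    "2015-06-01T09:00:01 src=10.0.1.5 dst=198.51.100.20 proto=tcp dport=21",
    "2015-06-02T09:00:01 src=10.0.1.5 dst=198.51.100.20 proto=tcp dport=21",
    "2015-06-03T14:12:09 src=10.0.1.7 dst=203.0.113.80 proto=tcp dport=443",
]
THIS_WEEK = [
    "2015-06-08T09:00:01 src=10.0.1.5 dst=198.51.100.20 proto=tcp dport=21",
    "2015-06-08T02:13:44 src=10.0.1.9 dst=203.0.113.77 proto=tcp dport=21",
    "2015-06-08T02:14:01 src=10.0.1.9 dst=203.0.113.77 proto=icmp",
    "2015-06-08T10:00:00 src=10.0.1.9 dst=10.0.2.4 proto=tcp dport=21",
    "2015-06-08T10:00:00 src=10.0.1.7 dst=203.0.113.80 proto=tcp dport=443",
]


def demo():
    return find_alerts(THIS_WEEK, build_baseline(BASELINE_WEEK))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running it prints the two flows worth a look: the 2 a.m. FTP session from 10.0.1.9 to a destination never seen before, and the ICMP to the same address. The known vendor upload from 10.0.1.5 is in the baseline and stays quiet, the internal-to-internal FTP is ignored, and the HTTPS flow is not a watched channel. The weekly review is then the alert list, not the raw log.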

Contact US Tony Zafiropoulos 314-504-3974

  1. https://usa.visa.com/support/small-business/security-compliance.html
