The comprehensive list of IR sources and alerts (work in progress)

December 8, 2015 in Compromise Detection, Incident Response

Having security controls in place is a win only if we can leverage these controls to deliver alerts to us. Once delivered we can classify them as noise, events, near-misses and incidents, and … take it from there.

In today’s post I am making an attempt to create a comprehensive list of alerts that one can retrieve from the various security controls.

This is work in progress. If you find something stupid or missing please send comments via email/twitter and I will amend the list. Thanks.

Note: these are potential sources of alerts; classification, prioritization, severity, etc. is not the scope of this list although I add a lot of examples/hints (all these that are specifically named).

This is because:

  • you need to know which controls are available first
  • then you need to look at the raw data they collect i.e. take a snapshot and analyze it
  • and only then use logic applicable to your organization to determine how to work this huge amount of data

I also do not mention how these alerts need to be set up – whether it is via SIEM, Splunk, manual analysis – it doesn’t matter. Treat is more as a bunch of ideas to cherry-pick from than an ultimate guideline how to secure your org. It’s your job after all 🙂

Here it goes…

  • Antivirus software
    • this is IMHO still one of the most important security controls to look at
    • if you don’t handle these as a minimum, you are doing it wrong
    • what helps is analysis of all threats ever detected by creating a matrix representing threat taxonomy and then defining priorities f.ex.
      • alerts from C-level, Senior Management, sysadmins, CERT group, internal pentesting team, and other privileged groups
      • rootkits, known infostealers, hacking tools, etc.,
      • plus alerts from drive C: (indicating infection)
        – all of these are top priority
      • PUA/PUP/adware, stuff on removable devices go at the end, but should not be discarded
      • you can create exclusions/filters for eicar, etc.
    • doing analysis of historical data of AV alerts is very useful; you can immediately spot heavy offenders and try to work with their managers to change the employees’ habits, or business process (f.ex. someone bringing CD/USB from the vendor and sticking it into a production box w/o checking for malware)
    • get to know the AV names that your AV vendor uses for threats of primary interest (even though these will often be very inconsistent)
    • recurring infections on the same system
    • same infections on various systems (potential worm, spam campaign/carpet bombing, outbreak of any sort)
    • prioritize systems where malware was detected, but not removed, especially on C: drive
    • do not forget that detected and removed malware is not equal eradication; imagine a dropper that drops 2 files – one detected and removed by AV, one unknown piece and happily running on the system
  • EDR software
    • this is emerging class of alerts, this pretty much tells you sth is wrong immediately
  • Other HIPS software
  • Whitelisting software
  • Data loss prevention software
  • DNS requests
    • log all of these and keep the history
  • Honeypots
  • FIM (File Integrity Monitors) – tools that ensure no unauthorized file is created or executed on the system (f.ex. Bit9, Solidcore)
  • Network Intrusion Detection systems
    • ‘First Time Seen’ logic bubbles uncommon events up (any signature seen in the previous day but not seen for the n days prior)
  • Firewall logs
  • DHCP logs
  • Unix logs
    • syslog
    • auth
  • Proxy logs
    • since this is a huge amount of data, review categorization used by vendors; look at all malicious, suspicious traffic
    • do not forget questionable traffic f.ex. porn, warez sites, access to public proxies that may indicate the user wants to bypass controls, etc.
    • also include access to web sites that provide code snippets and programming modules; this is a tough one, especially in a development environment and with ‘stack overflow’ effect where people download and execute quite blindly lots of snippets of code
    • traffic related to IMs; many ppl install unapproved IM clients
    • Tor traffic
    • pay special attention to (often abused) dynamic dns domains (find or build a list; it will never be complete, but it will be worthwhile)
    • pay special attention to “uncategorized” sites if your vendor offers categorization
    • proxy-bypass traffic f.ex. glype
  • Web Application Firewall (WAF) logs
  • Content Filtering software
  • Server logs
    • From various servers
      • IIS
      • Apache
      • Nginx
    • Server Web Requests
      • can prioritize file uploads, keywords detected in queries, unusual IPs
      • can whitelist internal pentesting teams boxes, known external vulnerability scanners [external vendors running scans on your systems]
  • Client Web Requests [mainly browser requests, but can be also self-updates, etc.]
    • GET on .exe files (it may sound overwhelming at first, but worth at least analysing it)
    • GET on all archive file types (f.ex. zip, rar, 7z, tar.gz, bzip2, etc.)
    • GET on .pdf files
    • GET on .swf files
    • GET on .jar files
    • GET on .class files
    • Large POST requests (suggesting uploads/exfiltration)
    • Long duration POST requests
    • Large number of requests to the same address
    • Frequent POST requests (f.ex. 1/hour) to the same address
    • Requests that end up with HTTP errors (these may help to find new drive-by patterns, phishing campaigns)
    • Unusual User Agents
    • Access to file hosting portals
      • Dropbox
      • Box
      • Google Drive
      • OneDrive
      • Internal / External solutions for sharing data with customers/internally
    • Access to sensitive systems
      • HR
      • Payroll
      • Databases
      • Backups
  • Business-specific systems
    • Ticketing systems
    • Systems within the scope of PCI DSS
    • Systems processing regular data dump exchanges (f.ex. between client and vendor, conversion of data between two different database systems, etc.)
  • Logs from Custom applications
    • May require enabling of logging/debug logs
  • Successful and unsuccessful logon attempts from any system offering logs really
    • SSH
    • VPN
    • (S)FTP
    • Remote access tools
      • RDP
      • pcAnywhere
      • LogMeIn
      • gotomypc
      • TeamViewer
      • vnc (including various clones)
    • Databases
      • MSSQL
      • Oracle
      • etc.
    • Outlook Web Access
    • Employee Support Pages
  • Email server
    • Emails with subjects including commonly used social engineering keywords
      • dhl
      • fedex
      • paypal
    • All URLs extracted from emails
    • Potentially other metadata
  • Domain Controllers/Windows Event Logs
    • AppLocker logs (in a comment I received the adviser suggested that it is even better malware detector than AV – provided it is configured properly)
    • Creation of user accounts
    • Adding systems to the domain
    • Creation of services associated with remote execution
      • psexec (psexesvc.exe)
    • Creation of all services (analysis may help to whitelist most)
    • Execution of programs (requires sysmon installed)
    • Successful and Unsuccessful Logons
  • Physical controls
    • any access controls (proximity cards, etc.)
  • Systems used for issuing security tokens
  • Local wi-fi access points
  • Mobile phones
  • Other security controls and asset inventory tools
    • SCCM
      • Regular ‘sweeps’ for presence of
        • single-character and two-character executable file names (p.exe, cc.exe, etc.)
        • executable files including keywords:
          • crack
          • warez
          • keygen
          • hack
          • porn
        • Tor
          • tor.exe
          • vidalia.exe
        • Portable applications
          • typically used to bypass/hide installation
        • Commonly used command line versions of archivers
          • rar.exe
          • 7z.exe
          • pkzip.exe
          • winrar.exe
        • Commonly used tools for hacking
          • nmap.exe
          • psexec.exe
          • mimikatz.exe
          • pwdump.exe
        • P2P applications
          • utorrent.exe
    • LanDesk instances

Thank you to everyone who helped to expand this list. Much appreciated!!!

Share this 🙂

Comments are closed.