Page 77 - Cyber Warnings August 2017
this isn’t always easy, as some hackers live ‘off the land’ using existing commands, DLLs, and
executables, or use direct memory injection to avoid detection.
Another such indicator is persistence — the presence of scheduled tasks, auto-run registry settings, browser
plugins, and even tampering with service settings all demonstrate that an endpoint is compromised.
2. Strange contextual information around logins
More indicators of compromise can be found by analysing the contextual information around login
attempts. Logons are often the first step to gaining access to an endpoint with valuable data on it.
Indicators of a breach include a login on an endpoint that isn’t usually used by the person who owns
those login credentials, like the CEO logging on from a machine in the accounts department. Another
indicator might be a logon at a strange time of day, for example a user with a 9–5 job function logging in
on a Saturday at 3:00am. Abnormal login frequencies are another red flag, especially for those who log in
once at the beginning of the day and log out at the end of it. Anything more than two logins from
that kind of person should be enough to alert you to a breach. Finally, login concurrency is a huge
indicator of a breach. Most users log on to a single endpoint, so seeing such a user suddenly logged
onto multiple endpoints simultaneously is a sign of something bad.
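The four login indicators above (unusual endpoint, odd hour, excess logon count, concurrent sessions) are simple enough to express as rules over a logon/logoff stream. The following is an added example, not code from the article; the users, hosts, timestamps and the per-user baseline of usual hosts and working hours are all constructed for illustration, where a real deployment would learn the baseline from weeks of history.

```python
"""Login-context rules over constructed logon/logoff events (added example).

Constructed data: users, hosts and timestamps are invented. The baseline of
usual hosts and working hours would normally be learned from real history.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: hosts each user normally logs on to, and working hours
# (24h clock, weekdays only).
BASELINE = {
    "ceo":       {"hosts": {"EXEC-LT01"},                       "hours": (8, 18)},
    "accounts1": {"hosts": {"ACC-WS01", "ACC-WS02"},            "hours": (9, 17)},
    "itadmin":   {"hosts": {"IT-WS01", "SRV-DC01", "SRV-FS01"}, "hours": (7, 20)},
}

# Constructed events: (timestamp, user, host, action). 2017-08-19 is a Saturday.
EVENTS = [
    ("2017-08-14 09:02:11", "accounts1", "ACC-WS01",  "logon"),
    ("2017-08-14 10:15:00", "ceo",       "EXEC-LT01", "logon"),
    ("2017-08-14 11:40:23", "ceo",       "ACC-WS02",  "logon"),   # CEO on an accounts machine while still on EXEC-LT01
    ("2017-08-14 12:00:00", "ceo",       "EXEC-LT01", "logoff"),
    ("2017-08-14 12:30:00", "ceo",       "ACC-WS02",  "logoff"),
    ("2017-08-14 17:05:40", "accounts1", "ACC-WS01",  "logoff"),
    ("2017-08-15 09:00:00", "accounts1", "ACC-WS02",  "logon"),
    ("2017-08-15 09:10:00", "accounts1", "ACC-WS02",  "logoff"),
    ("2017-08-15 09:20:00", "accounts1", "ACC-WS02",  "logon"),
    ("2017-08-15 09:30:00", "accounts1", "ACC-WS02",  "logoff"),
    ("2017-08-15 09:40:00", "accounts1", "ACC-WS02",  "logon"),   # third logon that day
    ("2017-08-15 17:00:00", "accounts1", "ACC-WS02",  "logoff"),
    ("2017-08-19 03:00:12", "accounts1", "ACC-WS01",  "logon"),   # Saturday, 3am
    ("2017-08-19 03:30:00", "accounts1", "ACC-WS01",  "logoff"),
]


def parse_events(events):
    """Parse timestamps and order the stream chronologically."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, h, a) for ts, u, h, a in events]
    return sorted(parsed, key=lambda e: e[0])


def detect_login_anomalies(events, baseline=BASELINE, max_daily_logons=2):
    """Return (rule, user, host, timestamp) tuples for the four login indicators."""
    alerts = []
    active = defaultdict(set)   # user -> hosts with an open (not yet logged-off) session
    daily = defaultdict(int)    # (user, date) -> number of logons that day
    for ts, user, host, action in parse_events(events):
        if action == "logoff":
            active[user].discard(host)
            continue
        profile = baseline.get(user)
        if profile is None:
            alerts.append(("unknown_user", user, host, ts))
            continue
        # 1. Endpoint the credential owner does not normally use.
        if host not in profile["hosts"]:
            alerts.append(("unusual_host", user, host, ts))
        # 2. Weekend, or outside the user's working hours.
        start, end = profile["hours"]
        if ts.weekday() >= 5 or not (start <= ts.hour < end):
            alerts.append(("off_hours", user, host, ts))
        # 3. More logons in one day than a once-a-day user should produce.
        daily[(user, ts.date())] += 1
        if daily[(user, ts.date())] > max_daily_logons:
            alerts.append(("excess_logons", user, host, ts))
        # 4. A new session opened while another is still active on a different host.
        if active[user] and host not in active[user]:
            alerts.append(("concurrent_sessions", user, host, ts))
        active[user].add(host)
    return alerts


if __name__ == "__main__":
    for rule, user, host, ts in detect_login_anomalies(EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:<20} {user:<10} {host}")
```

Against the constructed events the CEO's logon to the accounts workstation fires both the unusual-host and the concurrency rule, the third logon on 15 August fires the frequency rule, and the Saturday 3am logon fires the off-hours rule. Logoffs are tracked so that a user who moves between two machines sequentially is not mistaken for one logged on to both at once.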
3. Lateral movement
Lateral movement is the process of jumping between machines in an attempt to locate and access a system with
valuable data — something that’s necessary for most attacks because a hacker’s initial foothold is often a
low-level workstation with no access rights to anything of value. Analysing the combination of
connection types (RDP, SMB, etc.) and authentication events (read: logons) can point to indicators of a
breach. For example, low-level users rarely use IT-related tools, scripting or RDP sessions, so if you find
someone using those, you’ve possibly had a breach. Abnormal network traffic is yet another indicator of
compromise — tools like Netcat can direct communications over allowed ports, and any presence or excess
of traffic not normally seen (for example SMB, RPC, RDP, etc.) should be treated as suspicious.
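The section above recommends combining connection types with logon data. The added example below (not the article's code) does exactly that: it merges a logon stream and a network-connection stream in time order, attributes each connection to the user logged on at the source host, flags protocols that the user's role is not expected to use (such as RDP from a standard user's workstation), and flags a burst of SMB connections to many distinct hosts in a short window as "traffic not normally seen". The hosts, users, role table, port map and thresholds are all constructed assumptions.

```python
"""Lateral-movement indicators from constructed logon and connection records (added example).

Constructed data: hosts, users, roles and timestamps are invented. ROLE_OF
stands in for an identity inventory; PORT_TO_PROTO is deliberately partial.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ROLE_OF = {"accounts1": "standard", "hr2": "standard", "itadmin": "it"}
# Protocols each role is expected to originate from its workstation (constructed policy).
EXPECTED_PROTOCOLS = {
    "standard": {"HTTPS", "SMB"},
    "it":       {"HTTPS", "SMB", "RDP", "WINRM", "RPC"},
}
PORT_TO_PROTO = {443: "HTTPS", 445: "SMB", 3389: "RDP", 5985: "WINRM", 135: "RPC"}

# Interactive logons: (timestamp, user, host)
LOGONS = [
    ("2017-08-14 09:00:00", "accounts1", "ACC-WS01"),
    ("2017-08-14 09:05:00", "itadmin",   "IT-WS01"),
]
# Connections seen on the network: (timestamp, src_host, dst_host, dst_port)
CONNECTIONS = [
    ("2017-08-14 09:30:00", "ACC-WS01", "SRV-FS01", 445),   # normal file-share use
    ("2017-08-14 09:31:00", "IT-WS01",  "SRV-DC01", 3389),  # admin RDP, expected for IT
    ("2017-08-14 10:02:00", "ACC-WS01", "SRV-DC01", 3389),  # RDP from a standard user's workstation
    ("2017-08-14 10:10:00", "ACC-WS01", "HR-WS03",  445),
    ("2017-08-14 10:10:05", "ACC-WS01", "HR-WS04",  445),
    ("2017-08-14 10:10:09", "ACC-WS01", "HR-WS05",  445),
    ("2017-08-14 10:10:14", "ACC-WS01", "SRV-FS02", 445),   # SMB to many hosts within seconds
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_lateral_movement(logons, connections, fanout_threshold=3, window=timedelta(minutes=10)):
    """Return (rule, user, src_host, detail, timestamp) tuples."""
    # Merge both streams so the 'who is logged on where' view is correct at each connection.
    stream = [(_ts(t), "logon", u, h, None) for t, u, h in logons]
    stream += [(_ts(t), "conn", s, d, p) for t, s, d, p in connections]
    stream.sort(key=lambda e: e[0])

    user_on = {}                      # host -> user currently logged on
    smb_recent = defaultdict(deque)   # src host -> recent (timestamp, dst) SMB connections
    alerts = []
    for ts, kind, a, b, port in stream:
        if kind == "logon":
            user_on[b] = a
            continue
        src, dst = a, b
        user = user_on.get(src, "<unknown>")
        role = ROLE_OF.get(user, "standard")        # unknown users get the least privilege
        proto = PORT_TO_PROTO.get(port, f"TCP/{port}")
        # Rule 1: connection type this user's role does not normally produce.
        if proto not in EXPECTED_PROTOCOLS[role]:
            alerts.append(("unexpected_protocol", user, src, f"{proto} to {dst}", ts))
        # Rule 2: one source reaching many distinct hosts over SMB inside the window.
        if proto == "SMB":
            recent = smb_recent[src]
            recent.append((ts, dst))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = {d for _, d in recent}
            if len(distinct) == fanout_threshold + 1:   # alert once, when the threshold is first crossed
                alerts.append(("smb_fanout", user, src, f"{len(distinct)} hosts within {window}", ts))
    return alerts


if __name__ == "__main__":
    for rule, user, src, detail, ts in detect_lateral_movement(LOGONS, CONNECTIONS):
        print(f"{ts:%H:%M:%S}  {rule:<20} {user:<10} {src:<9} {detail}")
```

Two alerts result: the RDP session from ACC-WS01 is attributed to `accounts1`, whose role is not expected to use RDP, and the four SMB destinations reached within fourteen seconds cross the fan-out threshold. The earlier file-share connection falls outside the ten-minute window and is not counted, which is the point of bounding the window rather than counting over a whole day.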
4. Suspicious data access
Even access to data is relatively predictable over time, which means that any access at a strange time of
day or after hours can indicate a compromise. Location is also an important factor — valuable data
normally accessed by endpoints within the network should be monitored for access by endpoints that are
either external to the network or on the perimeter. The last indicator of compromise is access to an
abnormal amount of data. Sudden increases in data being sent out of the network, or increases in
reads, exports, copies or saves of valuable data, are a clear sign that something malicious is going on.
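The three data-access indicators in this section (time of day, source location, volume) can be checked from a file-access audit trail. The added example below is not the article's code; it classifies the source address of each access to a valuable share as internal, perimeter or external using the standard library's `ipaddress` module, flags after-hours access, and compares each user's daily bytes read against a per-user baseline using a mean-plus-three-standard-deviations threshold. The address ranges, share path, users, byte counts and baseline history are all constructed.

```python
"""Data-access indicators over constructed file-access records (added example).

Constructed data: users, addresses, paths and byte counts are invented. The
per-user history of daily bytes read stands in for weeks of real telemetry.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PERIMETER_NETS = [ipaddress.ip_network("10.250.0.0/16")]   # constructed DMZ / VPN range, a subnet of 10/8
SENSITIVE_PREFIX = "\\\\SRV-FS01\\finance\\"             # UNC prefix of the valuable share

# Constructed history: total bytes read per user over five normal working days.
BASELINE_DAILY_BYTES = {
    "accounts1": [120_000_000, 135_000_000, 110_000_000, 140_000_000, 125_000_000],
    "ceo":       [30_000_000, 25_000_000, 40_000_000, 35_000_000, 20_000_000],
}

# Constructed access records: (timestamp, user, source_ip, path, operation, bytes)
ACCESS_LOG = [
    ("2017-08-15 10:12:00", "accounts1", "10.1.20.15",  "\\\\SRV-FS01\\finance\\ledger-2017.xlsx", "read",   8_000_000),
    ("2017-08-15 22:47:00", "accounts1", "10.1.20.15",  "\\\\SRV-FS01\\finance\\payroll.xlsx",     "read",   4_000_000),      # after hours
    ("2017-08-16 09:05:00", "accounts1", "10.250.3.7",  "\\\\SRV-FS01\\finance\\ledger-2017.xlsx", "read",   5_000_000),      # perimeter host
    ("2017-08-16 09:06:00", "accounts1", "10.1.20.15",  "\\\\SRV-FS01\\finance\\",                 "export", 2_400_000_000),  # bulk export
    ("2017-08-16 11:00:00", "ceo",       "203.0.113.8", "\\\\SRV-FS01\\finance\\board-pack.pdf",   "read",   3_000_000),      # external address
]


def classify_source(ip_text):
    """Perimeter is checked first because the constructed DMZ range sits inside the internal range."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in PERIMETER_NETS):
        return "perimeter"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def volume_threshold(history):
    """Daily-bytes threshold: mean plus three sample standard deviations of the history."""
    return statistics.mean(history) + 3 * statistics.stdev(history)


def detect_data_access_anomalies(access_log, baseline=BASELINE_DAILY_BYTES, hours=(8, 18)):
    """Return alert tuples; the first field names the indicator that fired."""
    alerts = []
    daily = defaultdict(int)   # (user, date) -> bytes read/exported/copied/saved
    for ts_text, user, src_ip, path, op, nbytes in access_log:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if not path.startswith(SENSITIVE_PREFIX):
            continue                                   # only the valuable share is baselined here
        # Indicator 1: weekend or after-hours access.
        if ts.weekday() >= 5 or not (hours[0] <= ts.hour < hours[1]):
            alerts.append(("off_hours", user, ts, path))
        # Indicator 2: access from outside the internal network or from the perimeter.
        where = classify_source(src_ip)
        if where != "internal":
            alerts.append((f"{where}_source", user, ts, src_ip))
        # Accumulate volume for indicator 3.
        if op in ("read", "export", "copy", "save"):
            daily[(user, ts.date())] += nbytes
    # Indicator 3: a day's total far above the user's own history.
    for (user, day), total in sorted(daily.items()):
        history = baseline.get(user)
        if history and total > volume_threshold(history):
            alerts.append(("volume_anomaly", user, day, total))
    return alerts


if __name__ == "__main__":
    for alert in detect_data_access_anomalies(ACCESS_LOG):
        print(alert)
```

For `accounts1` the threshold works out to roughly 162 MB, so the 2.4 GB export on 16 August is flagged while the ordinary reads on 15 August are not; the 22:47 read, the read from the 10.250/16 perimeter range and the CEO's read from a non-internal address each fire their own indicator. Because the volume rule is per user, a heavy but normal consumer of data is not penalised for someone else's quiet baseline.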
Copyright © Cyber Defense Magazine, All rights reserved worldwide.