I think we as security professionals need to stop focusing on who or what
will attack us and start acting as if we’re already owned. If we started
thinking in terms of “I’m already compromised,” the security and
monitoring of our networks and systems would improve drastically. The
traditional fear has been of getting hacked or compromised at some point
in the future, but in reality it is happening every day while you’re on
the clock. If you’ve ever had malware infect a workstation, you’ve been
breached. That is a small example, but it’s true. There are two types of
security professionals:
- Those that know they’ve been breached.
- Those who’ve been breached, but don’t know it.
Log for Certain Alerts
There are certain events on your domain or network that you know right off the bat are bad news. These should trigger a notification immediately, not sit in a log waiting for someone to read it. Many tools will do this for you, such as a SIEM, but you still need to know what you’re looking for. If you don’t currently have a SIEM, you can set up similar alerts with scheduled tasks or scripts against the Security event log to warn you of malicious behavior. Here are some examples:
- Set up an alert every time the membership of the “Domain Admins” group changes. On a domain controller this shows up in the Security log as event 4728 (member added to a security-enabled global group) or 4729 (member removed). If you’re a smaller company, there should be a darn good reason this group just changed. One of the things an attacker wants is complete control, and if he’s already gotten this far it may be too late, but the alert might give you the time you need to shut things down and keep your data from leaving.
- Set up decoy accounts that you think attackers will try to access. An example is an account named “administrator” in Active Directory; I’m assuming and hoping that you’ve already renamed the real one. Keep in mind that renaming doesn’t change the built-in account’s SID (its RID is always 500), so an attacker who enumerates accounts by SID can still find the real one; the decoy catches the ones who go by name. On the decoy you can set the lockout threshold very low and alert on every failed logon to it (event 4625 on the machine that handled the attempt, event 4740 when the account locks out). Nobody has a legitimate reason to log into this account, so an attacker looking for low-hanging fruit will tip you off right away.
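Here is what both alerts look like as detection rules. This is an added example, not code from the original post; it assumes the Security events have already been pulled out of the event log (for instance with Get-WinEvent or a log forwarder) into Python dicts keyed by the EventData field names of the real events (TargetUserName, MemberName, SubjectUserName, IpAddress and so on). The SAMPLE_EVENTS batch, including the user names, addresses and timestamps, is constructed for illustration and is not real log data.

```python
"""Detection rules for Domain Admins membership changes and for logon
attempts against a decoy account, run over a constructed batch of
Windows Security events (added example; sample data is made up)."""
from collections import defaultdict

# Groups whose membership should essentially never change without a ticket.
WATCHED_GROUPS = {"domain admins", "enterprise admins"}

# Decoy accounts that nobody has a legitimate reason to log into.
# "administrator" assumes the real built-in account has been renamed.
DECOY_ACCOUNTS = {"administrator"}

# Failed attempts from one source before a burst alert is raised (assumed value).
BURST_THRESHOLD = 3

# Membership changes to security-enabled global groups (4728/4729, e.g. Domain
# Admins) and universal groups (4756/4757, e.g. Enterprise Admins).
GROUP_CHANGE_IDS = {4728: "added to", 4729: "removed from",
                    4756: "added to", 4757: "removed from"}
FAILED_LOGON = 4625  # An account failed to log on
LOCKOUT = 4740       # A user account was locked out


def detect_group_changes(events):
    """Alert on every membership change to a watched group."""
    alerts = []
    for e in events:
        action = GROUP_CHANGE_IDS.get(e.get("EventID"))
        if action is None:
            continue
        # In these events TargetUserName is the group, MemberName the member's DN.
        if e.get("TargetUserName", "").lower() in WATCHED_GROUPS:
            alerts.append({"rule": "privileged-group-change",
                           "time": e.get("TimeCreated"),
                           "group": e["TargetUserName"], "action": action,
                           "member": e.get("MemberName"),
                           "changed_by": e.get("SubjectUserName")})
    return alerts


def detect_decoy_logons(events):
    """Alert on each failed logon to a decoy, escalate when one source keeps
    trying, and alert when the decoy locks out."""
    alerts = []
    failures = defaultdict(int)  # (account, source) -> failed attempts seen
    for e in events:
        eid = e.get("EventID")
        account = e.get("TargetUserName", "").lower()
        if account not in DECOY_ACCOUNTS:
            continue
        if eid == FAILED_LOGON:
            source = e.get("IpAddress") or e.get("WorkstationName") or "-"
            failures[(account, source)] += 1
            alerts.append({"rule": "decoy-logon-failure",
                           "time": e.get("TimeCreated"), "account": account,
                           "source": source, "logon_type": e.get("LogonType")})
            if failures[(account, source)] == BURST_THRESHOLD:
                alerts.append({"rule": "decoy-logon-burst",
                               "time": e.get("TimeCreated"), "account": account,
                               "source": source, "attempts": BURST_THRESHOLD})
        elif eid == LOCKOUT:
            # For 4740 the Subject is the computer that reported the lockout.
            alerts.append({"rule": "decoy-lockout",
                           "time": e.get("TimeCreated"), "account": account,
                           "reported_by": e.get("SubjectUserName")})
    return alerts


def run_rules(events):
    """Run every rule over one batch of events and return all alerts."""
    return detect_group_changes(events) + detect_decoy_logons(events)


# Constructed sample batch: names, addresses and times are made up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2013-05-06T08:01:10", "TargetUserName": "jdoe", "IpAddress": "10.0.0.15", "LogonType": 3},
    {"EventID": 4728, "TimeCreated": "2013-05-06T08:02:41", "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "SubjectUserName": "svc_helpdesk"},
    {"EventID": 4729, "TimeCreated": "2013-05-06T08:03:05", "TargetUserName": "Sales", "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example", "SubjectUserName": "hr_admin"},
    {"EventID": 4625, "TimeCreated": "2013-05-06T08:10:01", "TargetUserName": "Administrator", "IpAddress": "10.0.0.23", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2013-05-06T08:10:02", "TargetUserName": "Administrator", "IpAddress": "10.0.0.23", "LogonType": 3},
    {"EventID": 4625, "TimeCreated": "2013-05-06T08:10:03", "TargetUserName": "Administrator", "IpAddress": "10.0.0.23", "LogonType": 3},
    {"EventID": 4740, "TimeCreated": "2013-05-06T08:10:04", "TargetUserName": "Administrator", "SubjectUserName": "DC01$"},
    {"EventID": 4625, "TimeCreated": "2013-05-06T08:15:30", "TargetUserName": "jsmith", "IpAddress": "10.0.0.40", "LogonType": 2},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the sample batch the first rule fires once (jdoe added to Domain Admins by svc_helpdesk) and the second fires five times (three failures, one burst, one lockout); the ordinary 4624 and the failed logon for jsmith produce nothing. One collection detail matters for the decoy rule: 4625 is written by the machine that handled the logon attempt, which is not necessarily a domain controller, so forward the Security log from member servers and workstations as well; the domain controller’s side of the same attempt appears as 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation) rather than 4625.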