The world of cybersecurity is constantly changing, with attackers and defenders each pulling in their own direction. One of the tactics defenders use to strengthen their security is IoC (Indicators of Compromise) blacklists, which are essential in protecting digital assets against intruders. These lists are created through the collaboration of cyber communities, industries, cybersecurity specialists, and users, forming trustworthy threat intel repositories to consult when suspicious behavior is on the rise.
However, hackers are not just going to sit there and take it. They are always looking for ways to be as anonymous and stealthy as possible. One of the easiest ways to achieve this is by using the Tor network or proxies spread across the world. This allows them to change IP addresses several times when jumping around from host to host inside the Tor network, making it difficult to trace the source of the attack.
With no interest in getting caught and ending up on an IoC blacklist, they tend to use volatile cloud-based proxies, since these are easy to set up, cheap, powerful, and easy to remove once the attack has been executed. Using Tor is somewhat riskier for them, since Tor middle and exit nodes are currently being registered on such lists at a high rate.
Hackers always try to stay a step ahead and they subscribe to known IoC lists too. This gives them insight into what IP addresses and domains are block-listed, and they will avoid using those as their origins. They also go through overviews of blacklisted filenames and use them to craft payloads that do not contain the listed names and extensions.
If any of your devices communicates with a blacklisted source or receives a blacklisted file, your network is probably under attack. Therefore, it is crucial to be alerted immediately when such an incident occurs.
IT teams are always on the lookout for potential security breaches, and one key indicator they rely on is outbound network traffic. When traffic patterns appear suspicious or out of the ordinary, IT teams know to take a closer look. After all, this traffic originates from within the network, making it easier to monitor and identify anomalies that could be indicative of an attack.
By keeping a watchful eye on outbound traffic, IT teams can prevent a range of cyber threats from infiltrating the network. But it's crucial that action is taken swiftly to stop an attack in its tracks and minimize potential damage.
Privileged user accounts are the crown jewels of any network. These accounts possess access to the most sensitive areas of the network or applications, making them a prime target for cybercriminals. Spotting anomalies in the activity of these accounts can help IT teams detect potential attacks early in the process, before any significant damage is done. Anomalies could manifest in various ways, such as a user attempting to escalate privileges of a particular account or using the account to gain access to others with more privileges.
Unusual login attempts from countries that are not typically associated with an organization's business can be a red flag for IT security teams. Such attempts may indicate that hackers from other countries are trying to gain unauthorized access to the system. The location of these login attempts can provide valuable information for IT teams, as they can use it to narrow down potential sources of the threat and take necessary actions to protect the system.
Typically, a legitimate user can log in within a few tries, but if someone attempts to log in excessively, it could signify an attempted breach by a malicious actor. Even more concerning is when there are failed login attempts with nonexistent user accounts, as this is a clear sign that someone is testing for vulnerabilities in the system.
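The three login signals above (unexpected source countries, excessive failed attempts, and failures against accounts that do not exist) can be checked with a few counters over the authentication log. The following is an added example, not code from the post or from Muninn; the log format, the user directory, the IP-to-country table standing in for a GeoIP lookup, and the threshold of five failures are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log lines (not taken from the post or any real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 login user=alice src=10.0.0.5 result=FAIL
2024-03-01T08:00:03 login user=alice src=10.0.0.5 result=OK
2024-03-01T08:01:10 login user=admin src=203.0.113.9 result=FAIL
2024-03-01T08:01:11 login user=admin src=203.0.113.9 result=FAIL
2024-03-01T08:01:12 login user=root src=203.0.113.9 result=FAIL
2024-03-01T08:01:13 login user=backup src=203.0.113.9 result=FAIL
2024-03-01T08:01:14 login user=test src=203.0.113.9 result=FAIL
2024-03-01T08:01:15 login user=guest src=203.0.113.9 result=FAIL
2024-03-01T08:05:00 login user=bob src=198.51.100.7 result=OK
"""

# Accounts that actually exist in the directory (constructed).
KNOWN_USERS = {"alice", "bob", "admin"}
# Hypothetical IP-to-country table standing in for a real GeoIP lookup (constructed).
GEO = {"10.0.0.5": "DK", "203.0.113.9": "XX", "198.51.100.7": "DK"}
# Countries the organisation normally does business from (constructed).
EXPECTED_COUNTRIES = {"DK"}
# Failed attempts per source IP above which we alert (assumed threshold).
FAIL_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyse(events, known_users=KNOWN_USERS, geo=GEO,
            expected=EXPECTED_COUNTRIES, fail_threshold=FAIL_THRESHOLD):
    """Return a sorted list of (alert_type, source_ip, detail) tuples."""
    fails = Counter()                 # failed attempts per source IP
    unknown_users = defaultdict(set)  # nonexistent accounts tried per source IP
    foreign = set()                   # sources outside the expected countries (or unmapped)
    for ev in events:
        src = ev["src"]
        if geo.get(src, "unknown") not in expected:
            foreign.add(src)
        if ev["result"] == "FAIL":
            fails[src] += 1
            if ev["user"] not in known_users:
                unknown_users[src].add(ev["user"])

    alerts = []
    for src, n in fails.items():
        if n >= fail_threshold:
            alerts.append(("excessive_failures", src, n))
    for src, users in unknown_users.items():
        alerts.append(("nonexistent_user", src, sorted(users)))
    for src in foreign:
        alerts.append(("unexpected_country", src, geo.get(src, "unknown")))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for alert in analyse(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, the single failure from alice stays below the threshold, while 203.0.113.9 trips all three alerts: six failures, four nonexistent accounts, and a country outside the expected set. Sources with no GeoIP entry are deliberately treated as unexpected rather than silently trusted.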
Swells in Database Read Volume
One sign of data exfiltration is a surge in read volume, which can indicate that an attacker is actively collecting data and preparing to extract it.
The size of a Hypertext Markup Language (HTML) response can provide a valuable clue for detecting data exfiltration. Normally, the response size is relatively small, but if it suddenly spikes, it may be a red flag that a hacker is stealing data. They may use this technique to smuggle sensitive information out of your network undetected, and the larger response size is a telltale sign that they are in the process of transmitting data to an external destination.
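A surge in database read volume and a spike in HTML response size are the same detection problem: a per-host volume metric that suddenly leaves its normal range. The following added example (not code from the post or from Muninn) builds a mean/standard-deviation baseline from a window of past measurements and flags later observations that are both statistically far from it and a large multiple of it; the hourly byte totals are constructed values, and the z-score and ratio thresholds are assumptions to tune per environment.

```python
import statistics

# Constructed hourly totals of HTML response bytes for one host over the last eight hours
# (the baseline window). Not real measurements.
BASELINE_WINDOW = [52_000, 48_500, 51_200, 49_800, 50_300, 47_900, 53_100, 50_600]
# Constructed observations for the next four hours; the third is an exfiltration-sized spike.
NEW_OBSERVATIONS = [51_000, 49_400, 912_000, 50_200]


def build_baseline(samples):
    """Return (mean, sample standard deviation) of a baseline window of at least two samples."""
    if len(samples) < 2:
        raise ValueError("a baseline needs at least two samples")
    return statistics.mean(samples), statistics.stdev(samples)


def zscore(value, mean, stdev):
    """How many standard deviations a value sits above or below the baseline mean."""
    if stdev == 0:
        # A perfectly flat baseline: any deviation at all is infinitely unusual.
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def detect_spikes(observations, baseline, z_threshold=3.0, ratio_threshold=2.0):
    """Flag observations that are both statistically unusual and a multiple of normal volume.

    Requiring both conditions keeps a very tight baseline from alerting on small wobbles.
    Returns (index, value, z, ratio) tuples for each flagged observation.
    """
    mean, stdev = baseline
    hits = []
    for i, v in enumerate(observations):
        z = zscore(v, mean, stdev)
        ratio = v / mean if mean else float("inf")
        if z > z_threshold and ratio > ratio_threshold:
            hits.append((i, v, round(z, 1), round(ratio, 1)))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    print("baseline mean=%.0f stdev=%.0f" % baseline)
    for hit in detect_spikes(NEW_OBSERVATIONS, baseline):
        print("spike:", hit)
```

The same functions apply unchanged to a series of rows-read-per-hour from the database audit log; only the input changes. In practice the baseline should be keyed per host (or per account) and rebuilt on a sliding window, so that normal growth does not become a permanent alert.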
Another telltale sign of an attack is when the same file is repeatedly requested by an unauthorized user. Hackers will try a multitude of methods to gain access to the file, and the frequent requests are a clear indication that they are trying to find the one that will work.
Attackers may attempt to exploit obscure ports to infiltrate the network. Ports are the gateways through which applications exchange data with a network. If an unusual port is being used, it could be a red flag for your IT team as it may indicate an attempt by the attacker to penetrate the network through the application or to manipulate the application itself.
Malware is designed to cause damage to your network system by altering important registry and system files. When attackers embed such malicious code, it can trigger suspicious changes that could be an IoC. Establishing a solid baseline is crucial to detect any subsequent changes made by the attackers.
In their quest to unleash malware on a network, hackers frequently use command-and-control (C&C) servers. These servers are used to issue commands to the malware to steal sensitive data, disrupt web services, or infect the system. One way to identify a potential security breach is by monitoring Domain Name System (DNS) requests, especially those originating from a particular host. If such requests appear unusual or out of the norm, it could indicate an IoC.
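Per-host DNS monitoring usually comes down to three questions: how often does this host get NXDOMAIN back, how random-looking are the names it asks for, and how many distinct names is it generating under one registered domain? The following is an added example, not code from the post or from Muninn; the query log format and lines are constructed, and the thresholds (NXDOMAIN ratio, label entropy, unique subdomains) are assumptions a team would calibrate against its own traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: client IP, queried name, response code. Not real traffic.
DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.7 a9f3k2lq8x.badzone.test NXDOMAIN
10.0.0.7 zq81mm0pv2.badzone.test NXDOMAIN
10.0.0.7 r7x1c0ppq9.badzone.test NXDOMAIN
10.0.0.7 t2w9ll7q0a.badzone.test NOERROR
10.0.0.7 b8n4j6x1zr.badzone.test NXDOMAIN
10.0.0.7 kk2p0ww9z3.badzone.test NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registered domain (no public-suffix list)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def parse_dns(text):
    """Parse 'client qname rcode' lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            rows.append(tuple(fields))
    return rows


def profile_hosts(rows):
    """Accumulate per-client counters needed for the three checks."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "entropy_sum": 0.0, "per_domain": defaultdict(set)})
    for client, qname, rcode in rows:
        st = stats[client]
        st["queries"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        st["entropy_sum"] += shannon_entropy(qname.split(".")[0])
        st["per_domain"][registered_domain(qname)].add(qname)
    return stats


def find_suspicious_hosts(stats, nx_ratio=0.5, min_queries=5,
                          entropy_floor=3.0, max_unique_per_domain=5):
    """Return {client: [reasons]} for clients whose DNS behaviour crosses a threshold."""
    flagged = {}
    for client, st in stats.items():
        reasons = []
        if st["queries"] >= min_queries:  # avoid judging a host on a handful of queries
            if st["nxdomain"] / st["queries"] >= nx_ratio:
                reasons.append("high_nxdomain_ratio")
            if st["entropy_sum"] / st["queries"] >= entropy_floor:
                reasons.append("high_label_entropy")
        for domain, names in st["per_domain"].items():
            if len(names) >= max_unique_per_domain:
                reasons.append("many_unique_subdomains:" + domain)
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in find_suspicious_hosts(profile_hosts(parse_dns(DNS_LOG))).items():
        print(client, reasons)
```

On the sample, 10.0.0.5 looks like an ordinary workstation and is not flagged, while 10.0.0.7 trips all three checks. The registered-domain helper deliberately ignores public suffixes such as co.uk; a production version would use a public-suffix list, and the NXDOMAIN check should exclude resolvers and known search-suffix noise before alerting.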
To address the limitations of IoC blacklisting, organizations can implement several countermeasures to improve their security posture. One countermeasure is to complement IoC blacklisting with other security measures, such as behavior-based analysis and threat intelligence. Behavior-based analysis looks for anomalies in network traffic and user behavior, which can detect new and unknown threats that may not be captured by IoC blacklisting.
Muninn can help detect and analyze your network's traffic patterns to identify any malicious activities. Our system uses Alienvault as the professional intel resource and several different underground lists. It compares hashes such as MD5, SHA1, and SHA256 with the IoC lists to match suspicious patterns detected in the network traffic. For example, we have detected a transfer of a blacklisted file between two internal devices via SMB. In this case the SHA1 hash value ‘33738cf695a6ac03675fe925d62ecb529ac73d03’ pointed to the blacklisted file AnyDesk.exe. Using Alienvault to verify and subsequently VirusTotal and other underground lists to provide more details, our system was able to provide a solid indication of the malicious activity.
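Both the baseline for registry and system files described earlier and the hash comparison against IoC lists described here rest on the same primitive: hash the file, then look the digest up. The following added example (not Muninn's code, and not the post's) computes MD5, SHA1 and SHA256 in one pass, checks the digests against an IoC table, and diffs a directory tree against a stored SHA256 baseline to surface modified, added and removed files. The only real value in it is the SHA1 the post quotes for AnyDesk.exe; the sample files, the tampering and the extra IoC entry are constructed so the demo runs offline.

```python
import hashlib
import os
import tempfile

# IoC table keyed by lowercase hex digest. The SHA1 entry is the value the post quotes for the
# blacklisted AnyDesk.exe transfer; everything else in this example is constructed.
IOC_HASHES = {
    "33738cf695a6ac03675fe925d62ecb529ac73d03": "AnyDesk.exe (SHA1 quoted in the post)",
}


def hash_file(path, chunk_size=65536):
    """Compute MD5, SHA1 and SHA256 of a file in a single streaming pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def ioc_matches(digests, ioc=IOC_HASHES):
    """Return (algorithm, digest, description) for every digest present in the IoC table."""
    return [(alg, d, ioc[d]) for alg, d in digests.items() if d in ioc]


def build_baseline(root):
    """Map each file under root (as a relative path) to its SHA256: the known-good state."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)["sha256"]
    return baseline


def diff_baseline(root, baseline):
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Baseline a tiny constructed tree, tamper with it, then report changes and IoC hits."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(sysdir, "config.ini"), "w") as f:
            f.write("[core]\nsafe=1\n")
        baseline = build_baseline(root)

        # Simulated tampering: one system file edited, one new file dropped.
        with open(os.path.join(sysdir, "hosts"), "a") as f:
            f.write("198.51.100.7 update.example\n")
        dropped = os.path.join(root, "dropped.bin")
        with open(dropped, "wb") as f:
            f.write(b"MZ\x90\x00 constructed sample, not a real executable")

        changes = diff_baseline(root, baseline)
        digests = hash_file(dropped)
        # Register the dropped file's own SHA256 in a local copy of the table so the
        # match path is exercised; a real deployment would load the table from its feeds.
        local_ioc = dict(IOC_HASHES)
        local_ioc[digests["sha256"]] = "constructed test entry"
        return changes, ioc_matches(digests, local_ioc)


if __name__ == "__main__":
    changes, matches = demo()
    print("changes:", changes)
    print("ioc matches:", matches)
```

Computing all three digests in one read matters because feeds disagree on which algorithm they publish; a file seen over SMB can then be checked against every list without re-reading it. The baseline dictionary should be stored outside the monitored host, or an attacker who alters system files can simply alter the baseline too.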
A rule of thumb: when relying on public information, it is always a good strategy to use several independent intel repositories. Thus, using official and underground IoC sources may be of great value when taking reliability and speed into account.
Another countermeasure is to implement whitelisting, which allows only approved traffic or applications to run on the network. This can be done by creating a whitelist of approved IP addresses, domain names, and applications that are allowed to access the network. Whitelisting can be an effective way to prevent unknown threats from entering the network, as it blocks everything that is not explicitly allowed.
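An allowlist is only as good as its matching logic: a naive suffix check lets "notexample.com" pass as "example.com", and a missing default-deny lets anything unparseable through. The following added example (not code from the post or from Muninn) implements a default-deny egress check with CIDR-based IP matching and whole-label domain matching; the networks, domains and destinations are all constructed.

```python
import ipaddress

# Constructed allowlist policy (not the post's, not a real organisation's).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
ALLOWED_DOMAINS = {"example.com", "updates.example.net"}


def ip_allowed(text):
    """True if text is an IP literal inside an allowlisted network; False for anything else."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def domain_allowed(host):
    """True for an allowlisted domain or any subdomain of one, matching on whole labels."""
    labels = host.lower().rstrip(".").split(".")
    # Compare label-wise suffixes so "notexample.com" does not match "example.com".
    return any(".".join(labels[i:]) in ALLOWED_DOMAINS for i in range(len(labels)))


def decide(destination):
    """Default deny: only explicit allowlist hits are permitted."""
    if ip_allowed(destination) or domain_allowed(destination):
        return "allow"
    return "deny"


def filter_connections(destinations):
    """Split a batch of outbound destinations into allowed and blocked lists."""
    allowed, blocked = [], []
    for d in destinations:
        (allowed if decide(d) == "allow" else blocked).append(d)
    return allowed, blocked


# Constructed sample of outbound destinations seen at the egress point.
SAMPLE_DESTINATIONS = [
    "10.1.2.3", "cdn.example.com", "192.0.2.77", "203.0.113.9",
    "notexample.com", "updates.example.net.evil.test", "2001:db8::1",
]

if __name__ == "__main__":
    allowed, blocked = filter_connections(SAMPLE_DESTINATIONS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

Note that "updates.example.net.evil.test" is blocked even though it contains an allowlisted name, because matching runs on label suffixes, not substrings. Pair a list like this with the blocklist checks: the allowlist decides what may talk out at all, and the IoC match tells you when something that was allowed has nevertheless gone bad.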