Disappearing files, phantom administrators, suspect logs. Unless you’re the suspicious type, you might have written these off as non-critical issues without any nefarious source. But what if there’s a maliciousness behind this madness? What if there are ghosts in your business machines?

For almost every hack, there are warning signs. Sometimes small and unnoticed, but they are still there, haunting your infrastructure. Most don’t notice them till it’s too late, and even more don’t notice them at all, only to be caught by surprise when their sensitive data is “possessed” during a breach.

How do you detect and excise these unwanted guests before any damage is done? Well, the simple answer is “in-depth network monitoring.” But do you know what you’re looking for?

So, in the spirit of Halloween – and cyber security best practices – we’re clearing out the cobwebs and helping you probe deeper into your network to see what’s lurking between your cyber defenses. Actively looking for network security threats is the most reliable way to reduce the risk of a breach and drive down your dwell time – a key metric for measuring the time between detection and remediation.

Be warned, though, while it’s likely that these “spooks” are just in your imagination – you never know what you might find when you draw back the curtain and perform networking monitoring.

Looking for Network Security Threats

Compromises, both successful and unsuccessful, will commonly leave traces of evidence on the targeted endpoints. Additionally, your network monitoring by means of activity and logs can uncover all sorts of “treats.”

Regardless of where you decide to look, here are some of the common indications that the spooky behavior you’re noticing might be more than a harmless “trick” and actually a network security threat.

Things to observe on the endpoint:

1. Unexpected system outages – This happens when an exploit or malicious code crashes a system or process causing it to hang or reboot unexpectedly.

2. System monitoring files/logs wiped – This happens when an attacker or malware uses a heavy hand to cover their tracks.

3. Unexpected system configuration changes – If antivirus is disabled when it shouldn’t be, new software is installed that wasn’t previously there, or some other unexpected changes to the system have been applied, it should raise some red flags.

4. Other weird things… – Humans make mistakes and code isn’t always perfect. These can lead to situations where files are accidentally changed, a user is suddenly disconnected from their system for no real reason, new files suddenly appear, access times on files don’t match up with user activity, antivirus alerts on files or activity get triggered, etc. While these don’t guarantee that something malicious is afoot, they can be the initial breadcrumb that highlights a bigger problem.

Things to observe on the network:

1. External network traffic patterns change from the norm – users signing in outside business hours or from new locations, a surge in outbound web traffic during odd hours, protocol use changes (spike in DNS traffic could indicate exfil via DNS, etc.).

2. Internal network traffic patterns change from the norm – users accessing boxes (or attempting to) that they don’t normally, two systems that normally don’t communicate begin communicating, logs from a system suddenly stop showing up in the centralized logging solution.

3. NIDS alerts – NIDS alerts appear or change, indicating that one system might be seeing or generating known malicious traffic.

4. Network/archived log contents differ from live system contents – probably won’t be noticed until after something else tips you off but can provide insight.
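The network-side indicators above all reduce to the same question: does this window of activity look like the baseline? The script below is an added example (not code from the original post) that runs that comparison over a few constructed records: sign-ins checked for off-hours times, new source countries and user-to-host pairs never seen before; per-host DNS query volume checked for a spike that would fit exfiltration over DNS; and a log-forwarding heartbeat checked for hosts whose logs have stopped arriving at the collector. Every user, host, country, count and the business-hours window is an assumption made for the example.

```python
"""Baseline-versus-window anomaly checks over constructed log records.

Added example (not code from the original post). Every user, host, country
and count below is constructed; BUSINESS_HOURS is an assumed policy.
"""
import statistics
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59 local time, assumed policy


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sign-in events: (timestamp, user, source country, target host).
# BASELINE covers a quiet month; WINDOW is the hour being reviewed.
BASELINE_AUTH = [
    ("2023-10-02T09:12:00", "alice", "US", "fileserver"),
    ("2023-10-02T10:40:00", "bob", "US", "crm"),
    ("2023-10-03T14:05:00", "alice", "US", "fileserver"),
    ("2023-10-03T16:30:00", "bob", "DE", "crm"),
]
WINDOW_AUTH = [
    ("2023-10-30T09:30:00", "alice", "US", "fileserver"),
    ("2023-10-30T03:15:00", "alice", "RO", "fileserver"),  # off-hours, new country
    ("2023-10-30T11:00:00", "bob", "DE", "dc01"),          # host bob never used before
]

# Constructed per-host DNS query counts: six baseline hours vs. the review hour.
BASELINE_DNS_PER_HOUR = {
    "wks-17": [40, 55, 48, 61, 50, 45],
    "web01": [120, 110, 130, 125, 118, 122],
}
WINDOW_DNS_PER_HOUR = {"wks-17": 2400, "web01": 127}

# Constructed log-forwarding heartbeat: last time each host's logs reached the collector.
LAST_LOG_SEEN = {
    "web01": "2023-10-30T11:58:00",
    "db01": "2023-10-30T11:59:00",
    "wks-17": "2023-10-30T06:10:00",  # went quiet hours ago
}


def off_hours_logins(events):
    """Sign-ins whose hour falls outside BUSINESS_HOURS."""
    return [e for e in events if parse_ts(e[0]).hour not in BUSINESS_HOURS]


def new_login_locations(baseline, window):
    """(user, country) pairs present in the window but never seen in the baseline."""
    seen = {(u, c) for _, u, c, _ in baseline}
    return sorted({(u, c) for _, u, c, _ in window if (u, c) not in seen})


def new_user_host_pairs(baseline, window):
    """(user, host) pairs present in the window but never seen in the baseline."""
    seen = {(u, h) for _, u, _, h in baseline}
    return sorted({(u, h) for _, u, _, h in window if (u, h) not in seen})


def dns_spikes(baseline, window, factor=3.0):
    """Hosts whose DNS query count exceeds factor x their baseline hourly mean.

    A host with no baseline at all is flagged on any activity, because a
    brand-new source of lookups deserves a look too.
    """
    flagged = []
    for host, count in window.items():
        mean = statistics.mean(baseline.get(host, [0]))
        if count > factor * mean:
            flagged.append(host)
    return sorted(flagged)


def silent_log_sources(last_seen, now, max_gap=timedelta(minutes=30)):
    """Hosts whose last forwarded log entry is older than max_gap."""
    now_dt = parse_ts(now)
    return sorted(h for h, ts in last_seen.items() if now_dt - parse_ts(ts) > max_gap)


def find_anomalies(now="2023-10-30T12:00:00"):
    """Run every check and return the findings keyed by indicator."""
    return {
        "off_hours_logins": off_hours_logins(WINDOW_AUTH),
        "new_login_locations": new_login_locations(BASELINE_AUTH, WINDOW_AUTH),
        "new_user_host_pairs": new_user_host_pairs(BASELINE_AUTH, WINDOW_AUTH),
        "dns_spikes": dns_spikes(BASELINE_DNS_PER_HOUR, WINDOW_DNS_PER_HOUR),
        "silent_log_sources": silent_log_sources(LAST_LOG_SEEN, now),
    }


if __name__ == "__main__":
    for name, hits in find_anomalies().items():
        print(f"{name}: {hits}")
```

The thresholds (business hours, a 3x DNS multiplier, a 30-minute heartbeat gap) are deliberately simple; in practice each would be tuned per host role, and a single hit is a breadcrumb to investigate rather than a verdict.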

Guarding Against Cyber Ghouls

In order to identify and even see these “ghosts” (early indicators), networks need to be configured to provide insight/analytics on a variety of sources, while positively impacting your dwell time.

  • Centralized logging needs to be configured so that endpoint actions can be observed from a centralized point.
    - Logging needs to be robust enough to catch all sorts of different actions (e.g. failed logins to a system are important to see, but so are the antivirus logs that might be generated).
    - Logging also needs to be monitored/analyzed; just setting it up is useless unless it provides some insight and is referenced.
  • Netflow and traffic analysis can allow you to see anomalies and potential network security threats.
    - How can you know if your web server suddenly starts scanning your domain controller if you’re not instrumented to see the traffic?
  • Network segmentation can prevent a lot of lateral movement and funnel attacker actions towards more controlled and instrumented choke points.
  • Use of honey-traps (systems with no legitimate use other than to be a target) can allow for an attacker to be identified while they are exploring your environment.
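Netflow, segmentation and honey-traps reinforce each other: the segmentation policy says which zones may talk, the flow records show what actually talked, and a honeypot turns any contact at all into a finding. The script below is an added example (not code from the original post) that triages one interval of constructed flow records against an assumed zone map: it lists source/destination pairs the policy does not allow, counts distinct destination ports per pair to catch the web-server-scanning-the-domain-controller case the list above mentions, and reports any source that touched the honeypot. Host names, zones, the allowed zone pairs and the honeypot name are all assumptions made for the example.

```python
"""Flow-record triage against a segmentation policy and honey-trap list.

Added example (not code from the original post). The flows, host names,
zone map, allowed zone pairs and honeypot name are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Assumed network zones and the zone-to-zone reachability the segmentation
# policy intends. Anything not listed is a choke point the firewall should
# block, so a successful flow across it is itself a finding.
ZONE_OF = {
    "web01": "dmz",
    "db01": "app",
    "fileserver": "app",
    "dc01": "core",
    "wks-17": "user",
    "hp-fs": "honeypot",  # a honey-trap with no legitimate users
}
ALLOWED_ZONE_PAIRS = {("dmz", "app"), ("user", "app"), ("user", "core"), ("app", "core")}
HONEYPOTS = {"hp-fs"}

# Constructed flow records for one collection interval.
FLOWS = (
    [Flow("web01", "db01", 3306, "tcp", 900)] * 3
    + [Flow("web01", "dc01", p, "tcp", 60)
       for p in (22, 88, 135, 139, 389, 445, 464, 636, 3389, 5985, 5986)]
    + [Flow("wks-17", "fileserver", 445, "tcp", 20000),
       Flow("wks-17", "hp-fs", 445, "tcp", 300)]
)


def policy_violations(flows):
    """Distinct (src, dst) pairs whose zones the segmentation policy does not allow."""
    bad = set()
    for f in flows:
        pair = (ZONE_OF.get(f.src, "unknown"), ZONE_OF.get(f.dst, "unknown"))
        if pair not in ALLOWED_ZONE_PAIRS:
            bad.add((f.src, f.dst))
    return sorted(bad)


def port_fanout(flows, threshold=10):
    """(src, dst) pairs that touched at least `threshold` distinct destination ports.

    One host walking many ports on another is the shape of a scan; a web
    server doing it to a domain controller is the case the post describes.
    """
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def honeypot_contacts(flows):
    """Sources that talked to a honey-trap at all; any contact is a finding."""
    return sorted({f.src for f in flows if f.dst in HONEYPOTS})


def triage(flows=FLOWS):
    """Run all three checks over one interval of flow records."""
    return {
        "policy_violations": policy_violations(flows),
        "port_fanout": port_fanout(flows),
        "honeypot_contacts": honeypot_contacts(flows),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

Note that the honeypot check needs no baseline and no threshold, which is exactly why honey-traps are cheap detections: the only tuning is making sure nothing legitimate ever has a reason to reach them.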

This list is by no means exhaustive; there’s always more to say and more to do. Of course, nothing is 100%, and while a careful attacker can mitigate/act to not trip most of these defensive measures, bugs still happen and people make mistakes. These bugs and mistakes allow a vigilant defender to identify and react to network security threats, which leads to shorter dwell times and a security outlook that won’t keep you up at night.