(10) Indicators Of Compromise Definitions_Concepts Flashcards
In terms of Indicators of Compromise (IoCs), why can unusual network traffic be difficult to identify?
Attackers can hide malicious network behavior by wrapping it in TLS, so inspecting payloads alone will not reveal it. Traffic metadata (destinations, volumes, timing, and the DNS lookups that precede connections) remains visible and is where most network IoCs come from.
What are common outbound traffic Indicators of Compromise (IoC)?
Traffic to unexpected locations
Unusual volumes of outbound traffic
DNS queries for unexpected domains or domains flagged as malicious in reputation tools
Outbound traffic at unusual times (for example, outside business hours for that host or user)
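The four outbound indicators above, as an added example that is not part of the original flashcards: a small detector run over constructed flow and DNS records. The expected-country allowlist, the flagged-domain set, the business-hours range, the per-host daily byte baselines and the 5x volume multiplier are all assumptions made for this example; in practice they come from your own baselines and a reputation feed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed allowlists and baselines for this example (assumptions, not
# values from the original flashcards).
EXPECTED_COUNTRIES = {"US", "DE"}          # where this org's traffic normally goes
FLAGGED_DOMAINS = {"evil-cdn.example", "update-check.invalid"}  # from a reputation feed
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local time
VOLUME_MULTIPLIER = 5.0                    # flag a host at 5x its daily baseline
DAILY_BASELINE_BYTES = {"10.0.0.5": 50_000_000, "10.0.0.9": 20_000_000}

# Constructed sample records: one day of flow and DNS logs for two hosts.
EVENTS = [
    {"ts": "2024-03-04T10:15:00", "type": "flow", "src": "10.0.0.5",
     "dst": "93.184.216.34", "country": "US", "bytes": 120_000},
    {"ts": "2024-03-04T02:40:00", "type": "flow", "src": "10.0.0.9",
     "dst": "203.0.113.77", "country": "RU", "bytes": 150_000_000},
    {"ts": "2024-03-04T11:00:00", "type": "dns", "src": "10.0.0.5",
     "qname": "cdn.evil-cdn.example"},
    {"ts": "2024-03-04T11:05:00", "type": "dns", "src": "10.0.0.5",
     "qname": "www.example.com"},
    {"ts": "2024-03-04T13:00:00", "type": "flow", "src": "10.0.0.5",
     "dst": "198.51.100.10", "country": "DE", "bytes": 80_000},
]


def is_flagged_domain(qname: str) -> bool:
    """True if qname is a flagged domain or a subdomain of one."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in FLAGGED_DOMAINS)


def analyze(events):
    """Apply the four outbound-traffic IoC rules and return a list of findings."""
    findings = []
    bytes_per_host = defaultdict(int)

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]

        if ev["type"] == "flow":
            bytes_per_host[src] += ev["bytes"]
            if ev["country"] not in EXPECTED_COUNTRIES:
                findings.append({"rule": "unexpected_destination", "src": src,
                                 "detail": f"{ev['dst']} ({ev['country']})"})
            if ts.hour not in BUSINESS_HOURS:
                findings.append({"rule": "off_hours", "src": src,
                                 "detail": f"{ev['bytes']} bytes at {ev['ts']}"})

        elif ev["type"] == "dns" and is_flagged_domain(ev["qname"]):
            findings.append({"rule": "flagged_dns", "src": src,
                             "detail": ev["qname"]})

    # Volume is judged per host against its own baseline, not a global threshold,
    # so a normally quiet host sending a moderate amount still stands out.
    for src, total in bytes_per_host.items():
        baseline = DAILY_BASELINE_BYTES.get(src)
        if baseline and total > VOLUME_MULTIPLIER * baseline:
            findings.append({"rule": "volume", "src": src,
                             "detail": f"{total} bytes vs baseline {baseline}"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:23} {f['src']:10} {f['detail']}")
```

On this constructed input the 02:40 transfer from 10.0.0.9 trips three rules at once (unexpected country, off hours, 7.5x its baseline), which is the pattern to look for: a single rule firing is a lead, several firing on the same host in the same window is an incident. The DNS rule matches subdomains of a flagged domain, not just exact names, because malware rarely queries the bare registered domain.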
How can resource utilization be an Indicator of Compromise (IoC)?
Attacker tooling consumes CPU and memory, and data staged for exfiltration consumes disk space, so an unexplained rise in CPU, memory, or disk usage on a system can indicate compromise.
How can Unusual Account Behavior be an Indicator of Compromise (IoC)?
Unusual account behavior can indicate that an adversary has taken over a user account (for example, by cracking or stealing its credentials). Profiling each account and establishing a baseline of its normal behavior makes deviations much easier to spot.
What specific user account behaviors need to be monitored?
Privileged account behavior, specifically when those accounts do things they do not normally do.
Escalation of privileges. Any new privilege being granted to an account should be flagged for monitoring.
Bot-like behavior. If many commands are being run on a system at a faster rate than a human could type them, that should be flagged as an issue.
When it comes to user and account behaviors, how can we avoid false positives?
We avoid false positives by knowing as much as possible about what behavior to expect from the user in the situation at hand. A deviation may be a user doing something new or a legitimate one-off (an approved change, a new project), so investigate before treating it as a compromise.
What do we need to remember about login and rights usage anomalies?
They can be tricky to judge because VPNs and proxies routinely make a user's logins appear to come from somewhere other than where the user is. Even so, a user logging in from several distant geographic locations within a very short time is a real indicator and should be investigated. Knowing what to expect from each user, and knowing the locations of your VPN and proxy egress points, helps reduce false positives.
What do we need to be aware of when trying to identify an Indicator of Compromise (IoC)?
An IoC can look like one specific thing, such as a DoS attack, when it is actually the side effect of an exploit or other non-DoS activity (for example, a service crashing or a host saturating its link while an attacker works on it).
What is a DNS amplification attack?
DNS amplification is where an attacker uses open DNS resolvers to multiply attack volume: they send many small queries that elicit much larger responses, with the source address spoofed to the victim's, so the resolvers deliver the large responses to the victim.
How have amplification attacks historically been deployed?
Amplification attacks have historically abused services whose normal protocol behavior (a small request producing a large response) ramps up traffic volume, without the abused service or the system hosting it ever being compromised.