Threat, Vulnerabilities and Mitigations: Indicators of Malware Attacks Flashcards

1
Q

What are malware attacks?

A

There are many types of malware:

Ransomware

Worm

Trojan

Spyware

Bloatware

Virus

Keylogger

Logic bomb

Rootkit

2
Q

What signs do you need to look out for malware attacks?

A

Poor performance
High resource utilization
Random system crashes
Unusual network activities
Malicious software binaries
Disabled security controls
Malicious user accounts
Missing or modified files

3
Q

What are some indicators of poor performance?

A

Slow mouse and/or keyboard response

Slow network response

Slow file Read/Write

4
Q

What are some indicators of high resource utilization?

A

CPU

Memory

Disk

Network

5
Q

What are some indicators of Random system crashes and restarts?

A

Logic Bombs

6
Q

What are some indicators of Malicious software binaries?

A

Keyloggers

Bloatware

Spyware

Remote access Trojan (RAT)

Webshells

7
Q

What are some indicators of unusual network activities?

A

Check all network connections using tools such as:

netstat

Wireshark

tcpdump

8
Q

What are the indicators of Disabled security controls?

A

Antivirus, endpoint detection and response (EDR), and extended detection and response (XDR)

Firewalls: Have they been disabled?

9
Q

What are the indicators of malicious user accounts?

A

Identifying malicious user accounts in cybersecurity involves looking for various indicators that suggest suspicious or harmful behavior. Here are some common indicators:

  1. Unusual Login Patterns:
    • Logins from multiple geographic locations in a short time span.
    • Access attempts outside normal business hours.
    • Use of anonymizing proxies or VPNs to hide the source of logins.
  2. Failed Login Attempts:
    • High number of failed login attempts, indicating potential brute force attacks.
    • Repeated use of incorrect or old passwords.
  3. Account Activity:
    • Sudden changes in the frequency or type of activity on an account.
    • Access to resources or data that the user typically doesn’t interact with.
    • Large volumes of data being downloaded or uploaded.
  4. Behavioral Anomalies:
    • Actions that deviate significantly from the user’s normal behavior patterns.
    • Attempting to access restricted areas or data.
  5. Security Alerts:
    • Triggers from security systems like IDS/IPS indicating suspicious activity.
    • Antivirus or anti-malware software detecting threats.
  6. Email and Communication Patterns:
    • Sending phishing emails or large volumes of unsolicited emails.
    • Use of command and control servers for communication.
  7. Privileged Account Abuse:
    • Unauthorized elevation of privileges.
    • Access to admin-level functions or tools without a legitimate reason.
  8. IP Address Anomalies:
    • Logins from IP addresses associated with known malicious activity.
    • Rapid switching of IP addresses during a session.
  9. Device Anomalies:
    • Access from unknown or unauthorized devices.
    • Changes in the device used for access, such as new browsers or operating systems.
  10. Data Exfiltration:
    • Unusual data transfers, especially to external destinations.
    • Use of non-standard ports or protocols for data transfer.
  11. Account Creation Patterns:
    • Creation of multiple accounts in a short period.
    • Use of similar or random-looking usernames and email addresses.
  12. Audit and Log Analysis:
    • Discrepancies or gaps in logs that might indicate tampering.
    • Correlation of logs across systems revealing suspicious patterns.

Using a combination of these indicators, cybersecurity teams can better detect and respond to malicious activities, helping to protect systems and data from compromise.

10
Q

What are indicators of missing or modified files?

A

Encrypted?

Ransomware?

Large files missing, tampered with, or changed
