Threat Hunting for Anomalies in Privileged Account Activity
Introduction
A tell-tale sign that your network has been breached is a compromised privileged account, such as a system administrator account. Attacks of this kind can come from anyone, whether a malicious insider or an external attacker. This article examines threat hunting for anomalies in privileged account activity, including what to look for when determining whether such threats have affected your information security environment.
How Do Anomalies in Privileged Account Activity Fit into The Big Picture?
Anomalies in privileged account activity are considered an Indicator of Compromise (IoC). Indicators of Compromise are artifacts observed on an operating system or a network that indicate a possible breach or intrusion. In other words, IoCs act as intrusion breadcrumbs that Information Security professionals can follow to track down threats. The idea is that by following IoCs, threats can be detected and stopped in their earliest stages, preventing or mitigating the impending attack.
Information Security professionals often use IoCs to better analyze a malware's behavior, patterns, and techniques. IoCs also provide actionable threat intelligence that can be shared within the greater Information Security community to improve incident response and remediation strategies for a particular piece of malware. This educates the Information Security community as a whole and frustrates the cybercriminals carrying out these network attacks.
Anomalies in Privileged Account Activity as an Indicator of Compromise
According to Geoff Webb, director of solution strategy for NetIQ, “Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network. Watching for changes — such as time of activity, systems accessed, type or volume of information accessed — will provide early indication of a breach.”
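The three signals Webb names (time of activity, systems accessed, volume of information accessed) can be turned into a baseline-and-deviation hunt over privileged account activity logs. The following is an added example, not code from the original article: the comma-separated record format, the svc_admin account and the host names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline records (not real logs): "timestamp,user,host,bytes_read"
# showing a privileged service account's normal daytime pattern on two systems.
BASELINE_LOG = """\
2024-03-04T09:12:00,svc_admin,fileserver01,120000
2024-03-04T10:45:00,svc_admin,fileserver01,95000
2024-03-05T09:30:00,svc_admin,db01,150000
2024-03-05T14:10:00,svc_admin,fileserver01,110000
"""

# Constructed activity to hunt through: one normal daytime event, then an
# off-hours session touching an unfamiliar share with a large read volume.
NEW_LOG = """\
2024-03-07T10:02:00,svc_admin,fileserver01,105000
2024-03-08T02:47:00,svc_admin,hr-share,4200000
2024-03-08T03:15:00,svc_admin,db01,140000
"""

def parse(log):
    """Parse 'timestamp,user,host,bytes_read' records into dicts."""
    rows = (line.split(",") for line in log.strip().splitlines())
    return [{"ts": datetime.fromisoformat(t), "user": u, "host": h, "bytes": int(n)}
            for t, u, h, n in rows]

def build_baseline(events):
    """Per user: hours of day seen, systems accessed, and read volumes observed."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "bytes": []})
    for e in events:
        base[e["user"]]["hours"].add(e["ts"].hour)
        base[e["user"]]["hosts"].add(e["host"])
        base[e["user"]]["bytes"].append(e["bytes"])
    return base

def hunt(baseline, events, hour_tolerance=1, volume_factor=3):
    """Flag events that deviate from the user's baseline on time, system or volume."""
    findings = []
    for e in events:
        b, hour, reasons = baseline.get(e["user"]), e["ts"].hour, []
        if b is None:
            reasons.append("no baseline for this user")
        else:
            if all(abs(hour - h) > hour_tolerance for h in b["hours"]):
                reasons.append(f"activity at {hour:02d}:00, outside baseline hours")
            if e["host"] not in b["hosts"]:
                reasons.append(f"access to system not seen in baseline: {e['host']}")
            if e["bytes"] > volume_factor * max(b["bytes"]):
                reasons.append(f"volume {e['bytes']} exceeds {volume_factor}x baseline max")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], reasons))
    return findings
```

Running `hunt(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))` flags the 02:47 session on all three signals and the 03:15 session on time of activity alone, while the daytime event passes.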
When attackers leave a (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/jPMnmRd81fs/