Threat Hunting for Unusual Logon Activity

What is one of the first things that comes to mind when you think of potential threat activity on your network? Most would probably say unusual logon activity, whether on endpoint computers or on systems holding more sensitive data (domain controllers, database servers and so forth). This article examines threat hunting for unusual logon activity and details what you should be looking for in your investigation.

Indicators of Compromise

When threat hunting, information security professionals focus their search on what are called Indicators of Compromise, or IoCs. IoCs are forensic artifacts found in system files and log entries that identify potentially malicious network or system activity. IoCs help information security professionals detect data breaches, malware infections and other threat activity on their systems and networks.

Using IoCs as the basis for threat hunting allows organizations to detect attacks and act quickly to prevent breaches from occurring or mitigate damages from an ongoing attack.

Unusual Login Activity as an Indicator of Compromise

Unusual or failed logons can provide excellent clues that attackers are probing a network or system. According to Scott Pierson, product specialist for Beachhead Solutions: “If you see John in accounting logging into the system after work hours and trying to access files for which he is not authorized, this bears investigation.” Such activity gives a threat hunter reason to suspect that this is not actually John, but rather an attacker authenticating with John’s credentials.

Likewise, checking for failed logons against nonexistent user accounts is sound threat-hunting practice. “Check for failed logins using accounts that don’t exist – these often indicate that someone is trying to guess a user’s account credentials to gain authorization,” says Pierson. An unusually large number of such failed logons is another “must look for.”
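The three hunts described above (after-hours logons, failed logons against accounts that do not exist, and bursts of failed logons from one source) can be run over Windows Security events with a few lines of code. The following is an added example, not code from the original article or from Beachhead Solutions. The sample records are constructed and shaped like the fields of Event ID 4624 (successful logon) and 4625 (failed logon); the SubStatus values 0xC0000064 (user name does not exist) and 0xC000006A (bad password) are the documented Windows codes, while the business-hours window, the burst threshold and the five-minute window are assumptions chosen for the example. It goes slightly beyond the text by also treating weekend logons as after-hours.

```python
"""Hunt for unusual logon activity in Windows Security events.

Added example, not from the original article. Input records are
constructed and mimic the fields of Event ID 4624 (successful logon)
and 4625 (failed logon). The SubStatus codes are the documented Windows
values; the hours, days and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 19)        # assumed 08:00-18:59 local time
BUSINESS_DAYS = range(0, 5)          # assumed Monday(0) to Friday(4)
FAIL_BURST_THRESHOLD = 5             # assumed: >= 5 failures from one source
BURST_WINDOW = timedelta(minutes=5)  # assumed: ... within any 5-minute window
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625
SUBSTATUS_NO_SUCH_USER = "0xC0000064"   # documented: user name does not exist
SUBSTATUS_BAD_PASSWORD = "0xC000006A"   # documented: bad password

# Constructed sample events (not real logs). 2023-04-03 is a Monday.
SAMPLE_EVENTS = [
    {"time": "2023-04-03T09:12:00", "id": 4624, "user": "jdoe", "src": "10.0.0.21", "substatus": None},
    {"time": "2023-04-03T10:05:30", "id": 4625, "user": "jdoe", "src": "10.0.0.21", "substatus": SUBSTATUS_BAD_PASSWORD},
    {"time": "2023-04-03T23:41:10", "id": 4624, "user": "jdoe", "src": "10.0.0.99", "substatus": None},
    {"time": "2023-04-03T23:42:00", "id": 4625, "user": "backup", "src": "10.0.0.99", "substatus": SUBSTATUS_NO_SUCH_USER},
    {"time": "2023-04-03T23:42:05", "id": 4625, "user": "administrator", "src": "10.0.0.99", "substatus": SUBSTATUS_BAD_PASSWORD},
    {"time": "2023-04-03T23:42:09", "id": 4625, "user": "svc_sql", "src": "10.0.0.99", "substatus": SUBSTATUS_NO_SUCH_USER},
    {"time": "2023-04-03T23:42:14", "id": 4625, "user": "administrator", "src": "10.0.0.99", "substatus": SUBSTATUS_BAD_PASSWORD},
    {"time": "2023-04-03T23:42:20", "id": 4625, "user": "admin", "src": "10.0.0.99", "substatus": SUBSTATUS_NO_SUCH_USER},
    {"time": "2023-04-03T23:42:31", "id": 4625, "user": "administrator", "src": "10.0.0.99", "substatus": SUBSTATUS_BAD_PASSWORD},
]


def event_time(event):
    """Parse the ISO-8601 timestamp of one event record."""
    return datetime.fromisoformat(event["time"])


def is_after_hours(ts):
    """True outside the assumed business days/hours (weekends count as after-hours)."""
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS


def after_hours_logons(events):
    """Successful logons (4624) that happened outside business hours."""
    return [(e["user"], e["src"], e["time"]) for e in events
            if e["id"] == EVENT_LOGON_SUCCESS and is_after_hours(event_time(e))]


def nonexistent_account_failures(events):
    """Failed logons (4625) whose SubStatus says the account does not exist."""
    return [(e["user"], e["src"]) for e in events
            if e["id"] == EVENT_LOGON_FAILURE and e["substatus"] == SUBSTATUS_NO_SUCH_USER]


def failure_bursts(events, threshold=FAIL_BURST_THRESHOLD, window=BURST_WINDOW):
    """Sources that produced >= threshold failed logons inside any sliding window.

    Returns {source_ip: peak_count} for sources that crossed the threshold.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == EVENT_LOGON_FAILURE:
            by_src[e["src"]].append(event_time(e))
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts


def hunt(events):
    """Run all three hunts and return the findings keyed by hunt name."""
    return {
        "after_hours_logons": after_hours_logons(events),
        "nonexistent_accounts": nonexistent_account_failures(events),
        "failure_bursts": failure_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the sample data the three hunts converge on one source, 10.0.0.99: it guessed three account names that do not exist, hammered the administrator account, and then produced a successful logon as jdoe late in the evening. Each finding on its own is a lead; together they are the picture Pierson describes, and the host at 10.0.0.99 is where the investigation should start. In production the event records would come from the Security log (for example via `wevtutil` or a SIEM export) rather than from an inline list.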

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/9LP0VsOWCdE/