With the proliferation of Advanced Persistent Threats (APTs), it is paramount for those charged with defending the systems and networks of likely targets to know that these attackers often rely on legitimate, widely used tools whose presence is harder to spot in a forensic investigation. FTP clients, data compression tools, file manipulation utilities, tools for creating scheduled tasks, password recovery applications and user account cloning tools are all software that can be legally bought from the companies that make them, and they are routinely used to make users' lives and work easier.
Trend Micro threat researcher Roland Dela Paz has offered a few tips on what security administrators should be looking out for.
He says that most of the tools mentioned above are either command-line tools or can be run both from the command line and through a GUI, so suspicious instances of a command shell process (a shell whose parent is not an interactive session, for instance) are one way to spot their use, and process-listing utilities make that task easier.
Periodically checking which tools are installed on the systems you are responsible for, and looking for unusual file names and bogus file extensions (a file whose content does not match what its extension claims), is another simple way of spotting things that have no business being there.
"It may be tedious, yes, but being vigilant about files present in your system could spell the difference between mitigating an APT compromise and mass pilfering of your organization's classified documents," Dela Paz points out.
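The file check described above can be scripted. The following is an added example, not code from Trend Micro or from Dela Paz: it reads the first bytes of every file under a directory, compares the real content type (PE executable, ZIP, RAR, 7z) with the extension the name claims, and also flags double extensions such as `invoice.pdf.exe` and names padded with odd characters. The sample tree it scans is constructed inline (only file headers, no real malware); the extension lists are assumptions and should be tuned to the environment.

```python
import os
import tempfile

# Real magic bytes for formats that dual-use tooling and its output are
# often smuggled in under a harmless-looking name.
SIGNATURES = [
    (b"MZ", "pe"),                   # Windows executable / DLL
    (b"PK\x03\x04", "zip"),          # ZIP (also .docx, .jar, ...)
    (b"Rar!\x1a\x07", "rar"),        # RAR archive (v4 and v5 share this prefix)
    (b"7z\xbc\xaf\x27\x1c", "7z"),   # 7-Zip archive
]

# Extensions under which each detected content type is legitimate (assumed lists).
EXPECTED_EXT = {
    "pe": {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".apk"},
    "rar": {".rar"},
    "7z": {".7z"},
}


def identify(path):
    """Return the content type of a file from its magic bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def check_file(path):
    """Return the reasons a file looks suspicious (an empty list means nothing found)."""
    reasons = []
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    kind = identify(path)
    # Bogus extension: the bytes say 'executable' or 'archive', the name says otherwise.
    if kind and ext not in EXPECTED_EXT[kind]:
        reasons.append(f"content is {kind} but extension is {ext or '(none)'}")
    # Double extension such as invoice.pdf.exe: a document name in front of an executable.
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext and ext in EXPECTED_EXT["pe"]:
        reasons.append(f"double extension {inner_ext}{ext}")
    # Padding spaces or control characters in a name are a classic disguise.
    if name != name.strip() or any(ord(c) < 32 for c in name):
        reasons.append("odd characters in file name")
    return reasons


def scan_directory(root):
    """Walk root and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            reasons = check_file(path)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def make_sample_tree(root):
    """Write constructed sample files (headers only, not real malware) into root."""
    samples = {
        "notes.txt": b"meeting notes\n",                    # plain text, honest name
        "backup.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 24,   # archive with honest name
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,          # PE header behind an image name
        "update.dat": b"Rar!\x1a\x07\x00" + b"\x00" * 24,   # archive behind a .dat name
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,    # double extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return sorted(samples)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {'; '.join(reasons)}")
```

Run against a real directory by calling `scan_directory` on it; the `backup.rar` and `notes.txt` samples show that honest archives and text files are left alone, while the same RAR bytes under `update.dat` are flagged.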
Don't forget to review scheduled jobs periodically, as they are a common persistence (auto-start) mechanism for both APTs and ordinary malware infections. Doing so can reveal both that an attack is under way and, from the task's command line, how it is meant to unfold.
Finally, keeping an eye on FTP connections in the network logs is a simple way to spot the data-theft stage of an APT attack.
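The scheduled-task review and the command-shell check from the tips above, as one added example (not Trend Micro's or Dela Paz's code). It assumes Windows and parses rows in the shape of `schtasks /query /fo CSV /v` output, flagging tasks whose command runs from a user-writable location or invokes a dual-use tool; the same path check is then applied to a process list, where a `cmd.exe` whose parent is not an interactive session is flagged. Both inputs are constructed inline and abbreviated (only a few of the real `schtasks` columns are kept); the tool list, path list and parent list are assumptions.

```python
import csv
import io
import re

# Constructed, abbreviated rows in the shape of `schtasks /query /fo CSV /v` output
# (only a few of the real columns are kept; not captured from a real host).
SAMPLE_TASKS = r'''"HostName","TaskName","Status","Author","Task To Run","Start In"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","N/A"
"WS01","\SysUpdate","Ready","WS01\jsmith","cmd.exe /c C:\Users\jsmith\AppData\Local\Temp\up.bat","N/A"
"WS01","\AdobeFlashUpdate","Ready","WS01\jsmith","C:\ProgramData\rar.exe a -hp C:\ProgramData\out.rar C:\Users\jsmith\Documents","C:\ProgramData"
"WS01","\Backup\NightlyCopy","Ready","CORP\backupsvc","C:\Program Files\BackupTool\bt.exe /nightly","C:\Program Files\BackupTool"
'''

# Locations a scheduled task has no business launching from (writable by a normal user).
USER_WRITABLE = re.compile(
    r"(\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|%TEMP%|%APPDATA%|\$Recycle\.Bin)", re.I)

# Legitimate tools that APT operators routinely abuse (assumed list; extend to taste).
DUAL_USE = re.compile(
    r"\b(cmd|rar|winrar|7z|ftp|pscp|wscript|cscript|rundll32)\.exe\b", re.I)

# Parents from which an interactive command shell is expected; a shell under
# anything else (an Office app, a service host, a web server) deserves a look.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe"}


def suspicious_command(cmd):
    """Reasons a task command line looks suspicious, based on its path and tool."""
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("runs from a user-writable location")
    m = DUAL_USE.search(cmd)
    if m:
        reasons.append(f"uses dual-use tool {m.group(0).lower()}")
    return reasons


def review_tasks(csv_text):
    """Return (task name, command, reasons) for every scheduled task worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = suspicious_command(row["Task To Run"])
        if reasons:
            findings.append((row["TaskName"], row["Task To Run"], reasons))
    return findings


# Constructed process list as (image name, parent image name, command line).
SAMPLE_PROCESSES = [
    ("cmd.exe", "explorer.exe", "cmd.exe"),
    ("cmd.exe", "WINWORD.EXE", r"cmd.exe /c C:\Users\jsmith\AppData\Local\Temp\a.bat"),
    ("cmd.exe", "svchost.exe",
     r"cmd.exe /c schtasks /create /tn SysUpdate /tr C:\ProgramData\up.bat /sc minute /mo 30"),
    ("bt.exe", "services.exe", r"C:\Program Files\BackupTool\bt.exe /nightly"),
]


def review_processes(procs):
    """Flag command shells with unexpected parents and anything run from user-writable paths."""
    findings = []
    for name, parent, cmd in procs:
        reasons = []
        if name.lower() == "cmd.exe" and parent.lower() not in INTERACTIVE_PARENTS:
            reasons.append(f"command shell spawned by {parent}")
        if USER_WRITABLE.search(cmd):
            reasons.append("runs something from a user-writable location")
        if reasons:
            findings.append((name, parent, reasons))
    return findings


if __name__ == "__main__":
    for task, cmd, reasons in review_tasks(SAMPLE_TASKS):
        print(f"task {task}: {cmd}\n    {'; '.join(reasons)}")
    for name, parent, reasons in review_processes(SAMPLE_PROCESSES):
        print(f"process {name} (parent {parent}): {'; '.join(reasons)}")
```

On a live host, feed `review_tasks` the output of `schtasks /query /fo CSV /v` and build the process tuples from a process-listing tool that reports parent process IDs; the defrag task and the user's own console under `explorer.exe` show the baseline that should stay quiet.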
"In a corporate setting, FTP sites are usually Intranet sites. Thus, it is easier to sort out legitimate FTPs from malicious ones," explains Dela Paz. "FTP transactions are significantly smaller than other types of communication in the network, which may allow you to identify a breach faster. Furthermore, checking for archive files or files with odd file names being uploaded to a remote site may also suggest compromise."
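The FTP log review Dela Paz describes, as an added example (not Trend Micro's or Dela Paz's code). It assumes the intranet is the RFC 1918 ranges and that FTP transfers have been logged in a simple constructed format (timestamp, source, destination, port, FTP command, file name, bytes; not a real product's format). Each transfer is flagged when the destination lies outside the intranet, when an archive is uploaded, or when the uploaded name is just a counter or a hex blob rather than a word, and the alerts are then rolled up per source and destination so a burst of small uploads stands out.

```python
import ipaddress
import os
import re
from collections import defaultdict

# The organisation's intranet ranges (assumed: RFC 1918; adjust to your own).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ARCHIVE_EXT = {".rar", ".zip", ".7z", ".cab", ".gz", ".tgz", ".tar", ".bz2"}
# Names that are just a counter or a hex blob (1.rar, 2.rar, a9f3c0e1b2.7z) rather than words.
ODD_NAME = re.compile(r"^(\d+|[0-9a-f]{8,})\.[a-z0-9]+$", re.I)

# Constructed sample lines (not from a real product) in a simple whitespace format:
#   timestamp  src_ip  dst_ip  dst_port  ftp_command  file_name  bytes
# 203.0.113.0/24 is a documentation range standing in for an external host.
SAMPLE_LOG = """\
2013-05-20T02:14:07 10.1.4.22 10.1.0.5 21 RETR build-1204.iso 734003200
2013-05-20T02:31:55 10.1.4.22 10.1.0.5 21 STOR report-q1.docx 48211
2013-05-20T03:02:11 10.1.7.103 203.0.113.44 21 STOR 1.rar 5242880
2013-05-20T03:02:19 10.1.7.103 203.0.113.44 21 STOR 2.rar 5242880
2013-05-20T03:02:28 10.1.7.103 203.0.113.44 21 STOR a9f3c0e1b2.7z 3145728
2013-05-20T09:15:40 10.1.2.9 10.1.0.5 21 RETR handbook.pdf 2201100
"""


def is_internal(ip):
    """True when the address falls inside one of the configured intranet ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, port, cmd, name, size = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "cmd": cmd, "name": name, "bytes": int(size)}


def review_ftp_log(text):
    """Return one (src, dst, name, bytes, reasons) tuple per suspicious transfer."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        reasons = []
        if not is_internal(e["dst"]):
            reasons.append("FTP to a host outside the intranet")
        if e["cmd"] == "STOR":  # an upload: the direction data theft takes
            if os.path.splitext(e["name"])[1].lower() in ARCHIVE_EXT:
                reasons.append("archive uploaded")
            if ODD_NAME.match(e["name"]):
                reasons.append("odd file name")
        if reasons:
            alerts.append((e["src"], e["dst"], e["name"], e["bytes"], reasons))
    return alerts


def summarize(alerts):
    """Roll alerts up per (src, dst) into (transfer count, total bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, _name, size, _reasons in alerts:
        totals[(src, dst)][0] += 1
        totals[(src, dst)][1] += size
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    alerts = review_ftp_log(SAMPLE_LOG)
    for src, dst, name, size, reasons in alerts:
        print(f"{src} -> {dst} {name} ({size} bytes): {', '.join(reasons)}")
    for (src, dst), (count, total) in summarize(alerts).items():
        print(f"{src} -> {dst}: {count} suspicious uploads, {total} bytes")
```

The two internal transfers of a normally named ISO and DOCX stay quiet; the three numbered archives pushed to the external host trip all three checks and roll up into a single source-to-destination summary, which is the view worth reading first.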