12 Steps to Finding Malicious Activity Within Your Infrastructure


By Kashif Iqbal

One of the biggest challenges a security analyst faces is identifying and detecting potential malicious activities. I remember that when I started detecting potential malicious behaviour within my organization roughly seven years ago, I found little information on the best way to sift and sort all those event logs without buying expensive solutions.

So I picked a SIEM solution and began importing every possible log I could think of, ranging from firewall and domain controllers to proxy, AV and Exchange services. Once I had all the data, the real hunt began to find the needle in the haystack.

I attended several security conferences and asked a lot of people: “How do you detect abnormalities in your logs?” I always received a huge variety of answers, from very expensive products to ingenious ways of using a SIEM solution. I started recording every method I came across in a diary, and a couple of months ago, I decided I should share my findings with my security members.

The key points below really helped me gain visibility into the network and detect anomalous behaviours. Is the list comprehensive? Hardly. But this is definitely a good place to start to flag suspicious activity that sets off an incident response.

  1. Monitor entry points into the network. Since we all love to work from home these days, one of the key entry points into the network in every organization has become a remote access VPN. Monitor:
    • Passed and failed VPN accounts and map them against geographical locations.
    • Any geographical location change for a successful user’s login (i.e., a user login from the USA at 8:00 in the morning and again from Russia at 8:30 a.m. the same day).
    • How many users are logging on to VPN and how long they remain connected.
  2. Look for mismatched ports and protocols. For instance, identify any non-SSH application using port 22, or any non-RDP application using port 3389.
  3. Consider how many successful and unsuccessful Active Directory logins are happening in working and non-working hours. And, are there any unsuccessful login attempts for an unknown username or a username that doesn’t exist? When we put this dashboard up initially, it assisted our help desk a lot.
  4. Examine what types of file extensions are traversing your network, such as PDF, ZIP, RAR and many more. You can also correlate the file type with the file size.
  5. See if you can pick out any suspicious file names, such as g.exe, m.bat, and p.js, where there is no legitimate use for these types of files.
  6. Keep an eye on your Windows registry and on manual registry key creation.
  7. Baseline your DNS requests, and keep an eye on too many DNS requests from any specific IP address or machine. You can also look for DNS requests that host machines are making at regular intervals, which might indicate beaconing from the host.
  8. Look in the Web Proxy to monitor parked domains and unknown categories of URLs. Also, look for any machine trying to access those domain names.
  9. Scrutinize RDP sessions made outside of office hours. If you spot an RDP session on Sunday at 5:00 in the morning, it may signal malicious activity, since all the tech guys presumably are sleeping in after a fun and exhausting Saturday night.
  10. Monitor for abnormal amounts of traffic to malicious domains. You can import feeds and use lookups or watch lists for this.
  11. Identify uncommon ports opened on your systems, which may indicate a new application or potentially a zero-day attack.
  12. Look beyond the baseline event logs of the last couple of days to see if there is any pattern in events. Be sure to compare your daily firewall logs and alerts against that baseline.
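As an added example (not from the author's article), here is a small Python detector for the first step above: it parses VPN authentication events, counts passed and failed logins per country, and flags a user whose successful logins come from two different countries within a short window. The log format, the one-hour window and the sample lines are assumptions; the country field is assumed to have been added by a GeoIP lookup at ingestion time.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (assumed format):
# <ISO-8601 UTC timestamp> <user> <SUCCESS|FAILED> <source country from GeoIP>
SAMPLE_VPN_LOG = """\
2024-03-04T08:00:12Z alice SUCCESS US
2024-03-04T08:05:40Z bob FAILED DE
2024-03-04T08:30:05Z alice SUCCESS RU
2024-03-04T09:10:00Z bob SUCCESS DE
2024-03-05T07:55:00Z bob SUCCESS FR
"""

@dataclass(frozen=True)
class VpnEvent:
    ts: datetime
    user: str
    result: str
    country: str

def parse_vpn_log(text: str) -> list[VpnEvent]:
    """Parse the assumed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country = line.split()
        events.append(VpnEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, country))
    return sorted(events, key=lambda e: e.ts)

def summarize_by_country(events: list[VpnEvent]) -> dict[tuple[str, str], int]:
    """Count passed and failed logins per (result, country), for the geo dashboard."""
    counts: dict[tuple[str, str], int] = {}
    for ev in events:
        counts[(ev.result, ev.country)] = counts.get((ev.result, ev.country), 0) + 1
    return counts

def find_location_changes(events: list[VpnEvent], window: timedelta = timedelta(hours=1)):
    """Flag a user whose consecutive successful logins come from different
    countries within `window`. Returns (user, earlier_event, later_event) tuples."""
    last_success: dict[str, VpnEvent] = {}
    hits = []
    for ev in events:
        if ev.result != "SUCCESS":
            continue
        prev = last_success.get(ev.user)
        if prev is not None and prev.country != ev.country and ev.ts - prev.ts <= window:
            hits.append((ev.user, prev, ev))
        last_success[ev.user] = ev
    return hits
```

On the sample, alice is flagged (USA, then Russia 30 minutes later) while bob is not, because his German and French logins are a day apart.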

As I already mentioned, this is not an exhaustive list, but it does cover the basics. I am still learning new ways to identify abnormalities in today’s continuously evolving landscape. Just keep asking yourself, “Do I have this level of visibility in my infrastructure to correlate with the intrusion kill chain?” If not, it’s time to get started.

— Kashif Iqbal, CISSP, is Head of Corporate IT & Cyber Security at SEGA Europe in the United Kingdom and also a founding member of URDU IT Academy.