Incident Response Process - Signs Of Compromise

Here are some indicators which will help you detect a compromise :

  • Identification of same email from public domain to significant number of users or C-level employees or high value targets; encrypted attachments, password protected and zipped and protected to escape email malware filter; (put user in the reference list)
  • End point alert / HIPS / Host based malware alerts for local script execution for the same user, raise incident
  • Identify usual traffic volumes to multiple ports or IP addresses or excessive packet loss (connection over 4 hours to external IP )
  • Examine abnormal services on known ports and abnormal ports for well-known services, verify reputation scores of IP (SSH to port 80)
  • EDR and WAF alerts for scripts, hash mismatch
  • Botnet filter alerts for traffic to blacklisted domains
  • Email / SPAM filter misbehavior / maintainance activity followed by suspicious activity on the network specially related to unknown / suspicious remote destinations
  • Monitor packet flow inside and outside from the network for likely patterns of Command and Control (C + C) traffic, outbound custom encrypted communications, covert communication channels with external entities etc.
  • Threat intelligence alerts for connections / data sent to suspicious destination outside organization specially belonging to less reputed geographic location and at odd hours
  • Examine if any data breach has occurred like large HTML packet
  • Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic

This was presented at SACON - The Security Architecture Conference - largest security architecture conference in the region. You can find the full presentation here. SACON International 2017 will be hosting a Cyber Security Workshop by Dr. Phil Polstra (Author Of 'Linux Forensic').


Dr. Phil Polstra (Author of 'Linux Forensic' & many more books) will be conducting Linux and Windows Forensic Workshop at SACON 2017. Check workshop agenda here

E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)