Here are some indicators which will help you detect a compromise:
- Identification of the same email sent from a public domain to a significant number of users, C-level employees or other high-value targets; attachments that are encrypted, password-protected and zipped to escape the email malware filter (put the user in the reference list)
- Endpoint alert / HIPS / host-based malware alerts for local script execution by the same user: raise an incident
- Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection to an external IP lasting over 4 hours)
- Examine abnormal services on known ports and abnormal ports for well-known services, and verify reputation scores of the IP (e.g. SSH on port 80)
- EDR and WAF alerts for scripts, hash mismatch
- Botnet filter alerts for traffic to blacklisted domains
- Email / SPAM filter misbehavior or maintenance activity followed by suspicious activity on the network, especially related to unknown / suspicious remote destinations
- Monitor packet flow into and out of the network for likely patterns of Command and Control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
- Threat intelligence alerts for connections / data sent to suspicious destinations outside the organization, especially those belonging to low-reputation geographic locations and at odd hours
- Examine whether any data breach has occurred, e.g. a large HTML packet
- Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic
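Three of the indicators above (a public-domain sender fanning out to many recipients with password-protected archives, connections to external IPs lasting more than 4 hours, and a well-known service such as SSH turning up on an unexpected port) are easy to turn into simple detection logic over existing flow and mail logs. The script below is an added example, not part of the original presentation; the flow records, mail events, the `PUBLIC_MAIL_DOMAINS` and `SERVICE_PORTS` tables and the 4-hour / 3-recipient thresholds are all constructed or assumed for illustration, and the external IPs use documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (hypothetical, for illustration only):
# (src_ip, dst_ip, dst_port, detected_protocol, duration_seconds)
FLOWS = [
    ("10.0.0.12", "10.0.0.5", 445, "smb", 120),
    ("10.0.0.12", "203.0.113.7", 80, "ssh", 16200),   # SSH on the HTTP port, ~4.5 h
    ("10.0.0.20", "198.51.100.9", 443, "tls", 300),
    ("10.0.0.31", "192.0.2.44", 8443, "tls", 15000),   # > 4 h to an external IP
    ("10.0.0.31", "192.0.2.44", 22, "ssh", 60),
]

# Constructed sample mail events (hypothetical):
# (sender, recipient, attachment_name, attachment_password_protected)
MAIL = [
    ("invoices@gmail.com", "cfo@corp.example", "invoice.zip", True),
    ("invoices@gmail.com", "ceo@corp.example", "invoice.zip", True),
    ("invoices@gmail.com", "it-admin@corp.example", "invoice.zip", True),
    ("hr@corp.example", "staff@corp.example", "policy.pdf", False),
    ("news@gmail.com", "alice@corp.example", None, False),
]

# Assumed tables: public webmail domains and the ports each service normally uses.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SERVICE_PORTS = {"ssh": {22}, "smb": {445}, "http": {80, 8080},
                 "tls": {443, 8443}, "smtp": {25, 587}}
PORT_SERVICE = {p: s for s, ports in SERVICE_PORTS.items() for p in ports}

# RFC 1918 ranges treated as internal; anything else is "external" here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def long_external_connections(flows, threshold_hours=4.0):
    """Flows to external IPs that stayed open longer than the threshold."""
    limit = threshold_hours * 3600
    return [f for f in flows if is_external(f[1]) and f[4] > limit]


def service_port_mismatches(flows):
    """Well-known service on an unusual port, or a well-known port carrying
    a different protocol than expected (e.g. SSH on port 80)."""
    hits = []
    for src, dst, port, proto, _duration in flows:
        usual_ports = SERVICE_PORTS.get(proto)
        expected_proto = PORT_SERVICE.get(port)
        if (usual_ports and port not in usual_ports) or \
           (expected_proto and expected_proto != proto):
            hits.append((src, dst, port, proto))
    return hits


def public_sender_fanout(mail, min_recipients=3):
    """Senders on public webmail domains reaching at least min_recipients
    distinct internal recipients; counts password-protected attachments too."""
    by_sender = defaultdict(lambda: {"recipients": set(), "protected_attachments": 0})
    for sender, recipient, attachment, protected in mail:
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain not in PUBLIC_MAIL_DOMAINS:
            continue
        entry = by_sender[sender]
        entry["recipients"].add(recipient)
        if attachment and protected:
            entry["protected_attachments"] += 1
    return {s: e for s, e in by_sender.items()
            if len(e["recipients"]) >= min_recipients}


if __name__ == "__main__":
    for f in long_external_connections(FLOWS):
        print("long external connection:", f)
    for h in service_port_mismatches(FLOWS):
        print("service/port mismatch:", h)
    for sender, info in public_sender_fanout(MAIL).items():
        print("public-domain fan-out:", sender, sorted(info["recipients"]),
              "password-protected attachments:", info["protected_attachments"])
```

Each function returns the matching records rather than printing them, so the same checks can feed a SIEM correlation rule or an incident ticket; the thresholds are deliberately parameters, since the 4-hour and 3-recipient values are starting points to tune against your own baseline.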
This was presented at SACON, The Security Architecture Conference, the largest security architecture conference in the region. You can find the full presentation here. SACON International 2017 will be hosting a Cyber Security Workshop by Dr. Phil Polstra (author of 'Linux Forensic').
Dr. Phil Polstra (author of 'Linux Forensic' and many more books) will be conducting a Linux and Windows Forensic Workshop at SACON 2017. Check the workshop agenda here.