5 Everyday Activities That Could Mask Malicious Behavior

Thanksgiving is now in our rearview mirror and the excitement of the winter holidays is upon us. As we approach the end of the year, it’s fun to look back at all the things we accomplished – and perhaps finish some of those things we put off until we had more time. One of the most important things we all-too-often set aside is implementing appropriate logging and monitoring practices. There’s no better time to go back and fix auditing for all systems, including those rolled out in 2018.  Below are five commonplace tasks security professionals should monitor for suspicious or malicious activity.

1. User Account Management

Creating, managing and terminating user accounts is a basic function that all organizations manage. The task of creating users usually falls to the same person or team. If anyone other than those individuals creates an account, it should raise a red flag. Furthermore, security should monitor and review user activity like password resets, account disabling/enabling, lockouts, and new group membership or revocation regularly (probably weekly). Pay close attention to anything related to remote access, too. The bad guys want easy ways to access the network and creating a user with remote access can provide a persistent gateway if nobody’s watching the gate.

2. Software Installation and Removal

There’s software that’s authorized to run and software that isn’t. At the server level, this should be pretty easy to monitor if you have a SIEM. Any time new software is installed on a server, the security team should know. At the desktop layer, this is a little bit more difficult. The best way to monitor is with an endpoint management solution that runs an agent on all machines and oversees software management. Either way, unauthorized software installs should be monitored for unapproved software and acted on immediately. This technique also provides an avenue for controlling the installation of licensed software that may carry additional cost for each system it’s installed on.

3. Network Connections

This starts internally on the network. For example, if a guest plugs their computer into an open network jack, the security team should know. The connection of wireless access points or home-use switches/routers (typically by well-meaning employees just looking to connect multiple devices) should be identified and remediated immediately. I also like to look at new site-to-site VPN connections or additions to the WAN. All of this can be easily customized within a SIEM that is gathering logs from network devices. I like to take this a step further by monitoring endpoints for removable media like USB drives or smartphone connections (usually by users charging their phone). While not necessarily connecting to a network jack, they are still a new device on the network that can create havoc.

4. Changes to Auditing/Logging

This one’s pretty simple. Bad guys want to hide their tracks. They do that by turning off logging so you can’t see what they did. If someone turns logging off or clears logs, it should trigger an immediate response. It’s also a great way for disgruntled administrators to hide what they’re doing.

5. Privileged and Service Accounts

We all trust our administrators, but they can do the most harm, so we have to watch them closely. When they create, change, or delete privileged accounts, an alert should immediately sound.  Review of privileged account activity on a weekly basis will identify trends or unusual behavior. Failed login attempts and lockouts for these accounts are critical. If you’re allowing shared privileged accounts, monitoring becomes more important. You need to be able to quickly track down who used an account if necessary.

Like privileged accounts, service accounts usually have administrator level access. If these accounts are being used correctly, that’s fine. I like to look for interactive logins for service accounts. That’s usually a sign of a compromised (or improperly used) account. Service accounts are meant to be used by systems, so only systems should be using them. It’s easy to lose track of these too, so detecting creation and baseline the activity is critical.

Create a (Healthy) Culture of Paranoia

Security teams should be transparent in what they’re doing. None of this should be secret, and everyone should know they’re being watched all the time. Users that know security is watching tend to behave a little better (hopefully). I highly recommend SIEM technology that’s scalable, easy to use, and can seamlessly connect with different technologies. Then, take the time to set the logging correctly on devices and create alerts for suspicious activity. Follow all this up with weekly meetings to review activity for anomalies. Once these processes are up and running, the effort becomes minimal to maintain them.