
4.4 Detecting Attacks on Devices

Detecting attacks against individual devices, or endpoints, is crucial for identifying and responding to security incidents. This process relies on analyzing various forms of data generated by the device to find indicators of compromise (IoCs), which are the digital breadcrumbs that an adversary leaves behind.

Computing systems generate extensive log files that record a wide range of activities, including system processes, user actions, login attempts, and file modifications. These logs are a primary source of evidence for security analysts. Authentication logs, for example, record every successful and failed login attempt on a system and are invaluable for detecting password attacks. Because an adversary who gains administrative access can clear or edit the local copy, logs should be forwarded to a separate collector as they are written, so that the evidence survives even if the device itself is compromised.

IoCs on a device can be categorized in several ways:

  • Host-based IoCs: These are discovered by analyzing a device's logs and configuration settings. Indicators include the creation of unusual files, the presence of unexpected running processes or services, unauthorized changes to system configurations, or the installation of unapproved software.
  • File-based IoCs: These relate to malicious files themselves. An indicator could be a file whose hash matches that of known malware, or the presence of files with names or located in file paths that are associated with specific malware campaigns.
  • Behavior-based IoCs: These are found by analyzing logs for anomalous user or system behavior. Examples include multiple failed login attempts from a single IP address, logins at unusual times or from unexpected locations, unauthorized attempts to access sensitive files, or attempts by a user to elevate their privileges to gain administrative control over a system. Any one of these can have a benign explanation, so behavior-based indicators are strongest when several occur together or when they correlate with a host-based or file-based indicator.

When selecting controls for detecting attacks on devices, several factors must be considered. The performance impact of the detection tool is a key criterion. Anomaly-based detection tools, which must build and continuously compare against a baseline of normal behavior, are resource-intensive and may not be suitable for older devices or embedded systems with limited processing power. Cost is another factor, as organizations must budget for software licenses or third-party Endpoint Detection and Response (EDR) services. The sensitivity of the device and the data it holds also plays a role; a server storing critical data warrants more robust and potentially more expensive detection methods than a kiosk or a workstation with no sensitive data.

Analyzing authentication logs is a primary technique for detecting password attacks. An online guessing attack against one account shows up as a large number of failed login attempts for that single account, typically in a short window and often from one source address. Password spraying inverts the pattern: many different accounts each record a single failed attempt (or very few) in the same window, usually from one IP address, because the adversary tries one common password against every account to stay below lockout thresholds. Note that authentication logs record the account and the outcome, not the password that was tried, so the shared password is inferred from the pattern rather than observed. Credential stuffing, where the adversary replays username-password pairs taken from other breaches or from vendor defaults, looks similar in the logs (one attempt per account across many accounts) but often includes attempts against usernames that do not exist on this system and, because the pairs are real credentials the victim has reused, a success on the first attempt with no preceding failures. Offline password attacks, where an adversary has already stolen the password hash file, cannot be detected by watching login failures, because the cracking happens on the adversary's own computer. What may be logged is the theft itself (a read of the password database or a credential dump from memory) and, afterwards, a valid login from a new location or at an odd time, which may indicate that the cracked password is now in use.
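As an added example that is not part of the original page, the following Python script applies the patterns above to a handful of constructed sshd-style log lines (invented data, not a real capture). It separates a guessing run against one account, a spray across many accounts from one source, a stuffing-like run that hits usernames unknown to the host, and a success that immediately follows failures from the same source. The thresholds, the log format, and the heuristic that credential stuffing produces "invalid user" entries (because pairs leaked from another site often name accounts that do not exist locally) are assumptions for illustration, not values or rules taken from the page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the style of Linux sshd entries (invented data).
# Planted patterns: a guessing run against "alice" that finally succeeds,
# a spray across five accounts from 198.51.100.9, and a stuffing-like run
# from 192.0.2.33 that mostly targets usernames that do not exist here.
SAMPLE_LOG = """\
Mar 10 02:14:01 host1 sshd[4021]: Failed password for alice from 203.0.113.7 port 50211 ssh2
Mar 10 02:14:03 host1 sshd[4022]: Failed password for alice from 203.0.113.7 port 50212 ssh2
Mar 10 02:14:05 host1 sshd[4023]: Failed password for alice from 203.0.113.7 port 50213 ssh2
Mar 10 02:14:07 host1 sshd[4024]: Failed password for alice from 203.0.113.7 port 50214 ssh2
Mar 10 02:14:09 host1 sshd[4025]: Failed password for alice from 203.0.113.7 port 50215 ssh2
Mar 10 02:14:11 host1 sshd[4026]: Accepted password for alice from 203.0.113.7 port 50216 ssh2
Mar 10 03:00:01 host1 sshd[4100]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 10 03:00:02 host1 sshd[4101]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Mar 10 03:00:03 host1 sshd[4102]: Failed password for dave from 198.51.100.9 port 40003 ssh2
Mar 10 03:00:04 host1 sshd[4103]: Failed password for erin from 198.51.100.9 port 40004 ssh2
Mar 10 03:00:05 host1 sshd[4104]: Failed password for frank from 198.51.100.9 port 40005 ssh2
Mar 10 04:10:00 host1 sshd[4200]: Failed password for invalid user jsmith from 192.0.2.33 port 31001 ssh2
Mar 10 04:10:01 host1 sshd[4201]: Failed password for invalid user mjones from 192.0.2.33 port 31002 ssh2
Mar 10 04:10:02 host1 sshd[4202]: Failed password for invalid user kwong from 192.0.2.33 port 31003 ssh2
Mar 10 04:10:03 host1 sshd[4203]: Failed password for bob from 192.0.2.33 port 31004 ssh2
Mar 10 09:30:00 host1 sshd[4300]: Accepted publickey for bob from 10.0.0.5 port 22222 ssh2
Mar 10 09:31:00 host1 sshd[4301]: Failed password for bob from 10.0.0.5 port 22223 ssh2
"""

# Matches the outcome, the account, and the source address of each sshd
# authentication event. Note that the tried password is never in the log.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(log_text):
    """Turn raw log lines into a list of authentication events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ok": m.group("result") == "Accepted",
                "user": m.group("user"),
                "ip": m.group("ip"),
                "invalid_user": m.group("invalid") is not None,
            })
    return events


def detect_password_attacks(events, brute_threshold=5, spray_min_accounts=5,
                            spray_max_per_account=2, stuffing_min_invalid=3):
    """Classify the log into the attack patterns described in the text.

    Thresholds are illustrative assumptions; tune them to the environment.
    """
    fails_by_user = Counter()                 # guessing: many failures, one account
    fails_by_ip_user = defaultdict(Counter)   # spraying: one source, many accounts
    invalid_by_ip = Counter()                 # stuffing heuristic: unknown usernames
    failed_ips_for_user = defaultdict(set)    # sources that failed against each account
    findings = {"brute_force": [], "spraying": [], "stuffing": [],
                "success_after_failures": []}

    for e in events:
        if e["ok"]:
            # A success from a source that was just failing against the same
            # account is how a guessing attack that worked appears in the log.
            if e["ip"] in failed_ips_for_user[e["user"]]:
                findings["success_after_failures"].append((e["user"], e["ip"]))
            continue
        fails_by_user[e["user"]] += 1
        fails_by_ip_user[e["ip"]][e["user"]] += 1
        failed_ips_for_user[e["user"]].add(e["ip"])
        if e["invalid_user"]:
            invalid_by_ip[e["ip"]] += 1

    for user, n in fails_by_user.items():
        if n >= brute_threshold:
            findings["brute_force"].append((user, n))

    for ip, per_user in fails_by_ip_user.items():
        # Spray: many distinct accounts, each tried only once or twice.
        if (len(per_user) >= spray_min_accounts
                and max(per_user.values()) <= spray_max_per_account):
            findings["spraying"].append((ip, len(per_user)))
        # Stuffing heuristic (assumption): a source that keeps trying
        # usernames this host does not have is replaying a foreign list.
        if invalid_by_ip[ip] >= stuffing_min_invalid:
            findings["stuffing"].append((ip, invalid_by_ip[ip]))
    return findings


if __name__ == "__main__":
    for kind, hits in detect_password_attacks(parse_events(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

Run as a script it prints one line per finding type. In practice the same logic runs in a SIEM or log pipeline over a sliding time window rather than a whole file, and the "success after failures" rule is the one worth alerting on immediately, since it marks a guess that worked rather than an attempt in progress.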