Monday, July 31, 2017

Needles In A Stack of Needles

When I was an IT Manager and had to deliver daily, weekly and monthly reports that "showed" how secure the business was, I used different products that would just pump out a lot of noise. None of them would explain what to filter for and why. So here are a few metrics to filter for and measure over time to spot a compromised workstation:

1. Your firewall monitors connections from your internal servers to external hosts (the Internet). Its log records should give you the following:

  • packet time
  • packet interval
  • packet size
  • number of packets

Track these to establish a baseline for your network, then use a tool like Splunk to filter for any activity over your thresholds. The indicator here is a workstation sending a sustained stream of large packets out of your network: unless the behavior can be explained, that is a potential breach.

2. LDAP Query Traffic

Active Directory is an easily exploitable source of information about your network. It's designed to be helpful, and as such it can be used by bad actors to gather information, so too many queries to AD can be an indicator of compromise that you want to look out for. These queries show up in your DC's event logs, which lets you capture them and filter for any workstation making too many of them. You're looking for a spike that stands out from the norm. Use LDAP traffic from your endpoints as a metric to map possibly compromised workstations.
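As an added example (not the post's own code), here is a small Python script that applies both metrics above to constructed sample logs: it builds the per-workstation packet time, interval, size and count summary from firewall records and flags sustained large egress, and it counts LDAP queries per client from DC records and flags clients that spike well above the median. The log line formats, the threshold values and the IP addresses are all assumptions; real firewall and DC logs need their own parsing.

```python
import statistics
from collections import defaultdict

# Constructed sample data, not real logs. Firewall: "src dst epoch bytes", one
# outbound packet per line. DC log: "epoch client", one LDAP query per line.
FIREWALL_LOG = """\
10.0.0.5 203.0.113.9 1501459200 1420
10.0.0.5 203.0.113.9 1501459260 1380
10.0.0.7 203.0.113.20 1501459200 64000
10.0.0.7 203.0.113.20 1501459201 64000
10.0.0.7 203.0.113.20 1501459202 64000
10.0.0.7 203.0.113.20 1501459203 64000
10.0.0.9 198.51.100.4 1501459300 900
"""
LDAP_LOG = "\n".join(["1501459200 10.0.0.5"] * 4 + ["1501459210 10.0.0.9"] * 5
                     + ["1501459220 10.0.0.7"] * 60 + ["1501459230 10.0.0.11"] * 3)

def outbound_metrics(log_text):
    """Per source host: packet count, total bytes, mean size, mean interval."""
    packets = defaultdict(list)
    for line in log_text.splitlines():
        src, _dst, ts, size = line.split()
        packets[src].append((int(ts), int(size)))
    metrics = {}
    for src, pk in packets.items():
        times, sizes = zip(*sorted(pk))
        gaps = [b - a for a, b in zip(times, times[1:])]
        metrics[src] = {"packets": len(pk), "bytes": sum(sizes),
                        "mean_size": statistics.mean(sizes),
                        "mean_interval": statistics.mean(gaps) if gaps else None}
    return metrics

def flag_sustained_egress(metrics, min_packets=4, min_size=32000, max_gap=5):
    """Hosts sending many large packets at a steady, short interval.
    Thresholds are assumed; tune them against your own baseline."""
    return sorted(h for h, m in metrics.items()
                  if m["packets"] >= min_packets and m["mean_size"] >= min_size
                  and m["mean_interval"] is not None and m["mean_interval"] <= max_gap)

def ldap_query_counts(log_text):
    """LDAP queries per client workstation as recorded on the DC."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        counts[line.split()[1]] += 1
    return dict(counts)

def flag_ldap_spikes(counts, factor=3.0):
    """Clients whose query count is more than `factor` times the median client."""
    median = statistics.median(counts.values())
    return sorted(c for c, n in counts.items() if n > factor * median)
```

On the sample data both checks single out 10.0.0.7, which is the point: a host that trips more than one of these metrics at once is where to start looking.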

If you want to look more into this, visit Paul's Security Weekly on Audioboom.