Sage Advice - Cybersecurity Blog

Cyber Threat Hunting and Indicators of a Cyber Attack

As the number of successful cyber-attacks continues to soar, it's time to take a proactive stance toward detecting them. You can't simply sit back and wait for an automated alert to tell you you've been breached. You need to actively seek out potentially malicious behavior on your network, hunting down indicators of attack so that you can detect and contain an incident as quickly as possible.

Before you get started with cyber threat hunting, it's important to understand the environment you'll be hunting in. Create a baseline of your network traffic. Document what is authorized and expected. This helps you zero in on the anomalies that require further investigation.

As a threat hunter, you also have to know where to search for the indicators that an attack is in progress. Let's take a look at a few of the places where you should be looking, and what you are hunting for.

Firewall Logs

Firewalls are a mandatory security control because they regulate the flow of traffic between your network and the outside world. If your firewall isn't properly configured, your network could be completely exposed to the Internet, with the potential for compromise within minutes, if not seconds. You should analyze your firewall logs to ensure the firewall is denying unauthorized inbound traffic.

But you should also look at what’s been allowed. Unexpected traffic to a dubious URL could signal communication with a command and control (C&C) server. A high number of file transfers, even if it’s expected traffic, can be a warning of malware or of a user violating company policy.
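The three checks described above (is unauthorized inbound traffic actually denied, which allowed outbound flows fall outside the expected baseline, and which hosts are moving an unusual number of files) can be scripted against a firewall export. The following is an added example, not code from the original post; the key=value line format, the internal address ranges, the expected egress ports and the list of published services are all assumptions, and the log lines are constructed with documentation address ranges.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample export in a hypothetical key=value format (not a real vendor
# format); addresses come from documentation/private ranges and the events are invented.
SAMPLE_FW_LOG = """\
2024-01-15T08:01:02 action=allow src=10.0.5.21 dst=142.250.72.14 dport=443 proto=tcp bytes=5120
2024-01-15T08:01:05 action=deny src=203.0.113.77 dst=10.0.5.21 dport=3389 proto=tcp bytes=0
2024-01-15T08:02:10 action=allow src=10.0.5.40 dst=198.51.100.9 dport=4444 proto=tcp bytes=820
2024-01-15T08:02:11 action=allow src=10.0.5.40 dst=198.51.100.9 dport=4444 proto=tcp bytes=790
2024-01-15T08:03:00 action=allow src=10.0.5.40 dst=10.0.9.2 dport=21 proto=tcp bytes=2000000
2024-01-15T08:03:20 action=allow src=10.0.5.40 dst=10.0.9.2 dport=21 proto=tcp bytes=1800000
2024-01-15T08:03:40 action=allow src=10.0.5.40 dst=10.0.9.2 dport=21 proto=tcp bytes=2200000
2024-01-15T08:04:00 action=allow src=10.0.5.40 dst=10.0.9.2 dport=21 proto=tcp bytes=1900000
2024-01-15T08:05:00 action=allow src=203.0.113.5 dst=10.0.5.80 dport=443 proto=tcp bytes=3000
2024-01-15T08:05:30 action=allow src=203.0.113.5 dst=10.0.5.80 dport=22 proto=tcp bytes=400
2024-01-15T08:06:00 action=allow src=10.0.5.21 dst=192.0.2.53 dport=53 proto=udp bytes=120
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)"
)

INTERNAL_NETS = [ip_network("10.0.0.0/8")]    # assumed internal address range
EXPECTED_EGRESS_PORTS = {53, 80, 443}         # assumed baseline of normal outbound traffic
PUBLISHED_SERVICES = {("10.0.5.80", 443)}     # assumed: only the web server is exposed
FILE_TRANSFER_PORTS = {21, 22, 445}           # FTP, SFTP/SCP, SMB


def parse_fw_log(text):
    """Parse the key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def unexpected_egress(events):
    """Allowed internal->external flows on ports outside the expected baseline,
    counted per (src, dst, dport) so repeated beacon-like connections stand out."""
    hits = Counter()
    for ev in events:
        if (ev["action"] == "allow" and is_internal(ev["src"])
                and not is_internal(ev["dst"])
                and ev["dport"] not in EXPECTED_EGRESS_PORTS):
            hits[(ev["src"], ev["dst"], ev["dport"])] += 1
    return hits


def unauthorized_inbound(events):
    """Allowed external->internal flows that are not a published service: evidence
    that the firewall is not denying what it should."""
    return [(ev["src"], ev["dst"], ev["dport"]) for ev in events
            if ev["action"] == "allow" and not is_internal(ev["src"])
            and is_internal(ev["dst"])
            and (ev["dst"], ev["dport"]) not in PUBLISHED_SERVICES]


def heavy_file_transfer_sources(events, threshold=3):
    """Sources with more than `threshold` allowed file-transfer connections; even
    expected traffic deserves a look when the volume is unusual."""
    counts = Counter(ev["src"] for ev in events
                     if ev["action"] == "allow" and ev["dport"] in FILE_TRANSFER_PORTS)
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    evs = parse_fw_log(SAMPLE_FW_LOG)
    print("unexpected egress:", dict(unexpected_egress(evs)))
    print("unauthorized inbound:", unauthorized_inbound(evs))
    print("heavy file transfers:", heavy_file_transfer_sources(evs))
```

On the constructed sample, the two allowed connections from 10.0.5.40 to an external host on port 4444 are the flows worth chasing first, the allowed inbound SSH to the web server is a configuration error to fix, and the burst of FTP sessions is a policy question for the owner of 10.0.5.40.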

Not sure if your firewall is properly configured? We can help!

Network Authentication Server Logs

Authentication server logs document account activity. You should review administrative and user activity for anything out of the ordinary including:

  • Account lockouts / invalid account logons;
  • Invalid passwords / password changes;
  • User management changes including new accounts / changed accounts;
  • Computer management events including when audit logs are cleared or computer account names are changed;
  • Group management events such as the addition of users to high security groups;
  • Server reboots; and
  • Attempted user activity during restricted logon times.

Once an attacker gets into your network, their goal is to find your assets. To do this they move laterally to other systems and look for opportunities to collect additional credentials, escalate privileges, or simply use the privileges they have already compromised to gain access. Analysis of your network authentication logs allows you to detect this lateral movement.
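The review items in the list above map onto a handful of standard Windows Security event IDs (4625 failed logon, 4740 lockout, 4720 account created, 4728 member added to a security-enabled global group, 1102 audit log cleared, 4624 successful logon), and the lateral-movement pattern shows up as one account producing network logons on many hosts in a short time. The script below is an added example, not code from the original post; the CSV column layout is a simplified, assumed extract rather than a real export format, the accounts and hosts are invented, and the restricted-hours window of 22:00 to 06:00 is an assumed policy.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified extract of Windows Security event fields (not a real export
# format). The event IDs are the standard Windows ones; accounts and hosts are invented.
SAMPLE_AUTH_EVENTS = """\
time,event_id,account,host,logon_type,detail
2024-01-15T08:00:01,4625,jsmith,WS-17,2,bad password
2024-01-15T08:00:05,4625,jsmith,WS-17,2,bad password
2024-01-15T08:00:09,4625,jsmith,WS-17,2,bad password
2024-01-15T08:00:14,4625,jsmith,WS-17,2,bad password
2024-01-15T08:00:20,4625,jsmith,WS-17,2,bad password
2024-01-15T08:00:27,4625,jsmith,WS-17,2,bad password
2024-01-15T08:00:40,4740,jsmith,DC-01,,account locked out
2024-01-15T08:05:00,4624,svc_backup,WS-17,3,network logon
2024-01-15T08:06:00,4624,svc_backup,FS-01,3,network logon
2024-01-15T08:07:00,4624,svc_backup,DC-01,3,network logon
2024-01-15T08:08:00,4624,svc_backup,SQL-02,3,network logon
2024-01-15T08:09:00,4728,svc_backup,DC-01,,member added to Domain Admins
2024-01-15T08:10:00,1102,svc_backup,DC-01,,audit log cleared
2024-01-15T08:11:00,4720,svc_backup,DC-01,,user account created: helpdesk2
2024-01-15T23:30:00,4624,jsmith,WS-17,2,interactive logon
"""

# Standard Windows Security event IDs for the user/computer/group management items
# listed above; each one is worth a look on its own.
HIGH_INTEREST = {
    4740: "account lockout",
    4720: "user account created",
    4728: "member added to security-enabled global group",
    1102: "audit log cleared",
}


def parse_auth_events(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failed logons (4625) inside one `window`."""
    times = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            times[ev["account"]].append(ev["time"])
    bursts = {}
    for account, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):  # sliding window over sorted times
            if ts[i + threshold - 1] - ts[i] <= window:
                bursts[account] = len(ts)
                break
    return bursts


def lateral_movement_candidates(events, min_hosts=3):
    """Accounts whose network logons (4624, logon type 3) reach `min_hosts` or more
    distinct hosts: the fan-out pattern of an account moving laterally."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == "3":
            hosts[ev["account"]].add(ev["host"])
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


def high_interest_events(events):
    """Every management event from HIGH_INTEREST, in log order."""
    return [(ev["event_id"], HIGH_INTEREST[ev["event_id"]], ev["account"], ev["detail"])
            for ev in events if ev["event_id"] in HIGH_INTEREST]


def restricted_hours_logons(events, start_hour=22, end_hour=6):
    """Successful logons during hours the (assumed) policy restricts."""
    return [(ev["account"], ev["host"], ev["time"].isoformat()) for ev in events
            if ev["event_id"] == 4624
            and (ev["time"].hour >= start_hour or ev["time"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_AUTH_EVENTS)
    print("failed logon bursts:", failed_logon_bursts(evs))
    print("lateral movement:", lateral_movement_candidates(evs))
    print("management events:", high_interest_events(evs))
    print("restricted hours:", restricted_hours_logons(evs))
```

Read together, the sample tells a story a single alert would not: a password-guessing burst against one user, then a service account fanning out across four hosts, adding itself to a privileged group, clearing the audit log and creating a new account. The value of hunting is in correlating these across the timeline rather than triaging each event alone.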

Web Server Logs

Web server logs are another rich source of data to identify and thwart malicious activity. Here are a few examples of what to look for:

  • Look for entries that result in errors: users requesting pages that don’t exist (404 Not Found) or users trying to access directories or files for which they don’t have authorization (403 Forbidden).
  • Monitor 500 Internal Server Errors and 501 Header Value errors; both can indicate malicious activity as well as bad HTML code or malfunctioning applications.
  • Check the logs for null referrers to identify hackers who are scanning the website with automated tools that don’t follow proper protocols.
  • Monitor any access to pages that are used to update website content to ensure that only authorized users are attempting to get at this data.

Indicators of attack include:

  • Traffic to IIS servers that attempts to access database information via SQL injection.
  • Attempts to access folders on the server that aren’t linked from the HTML of the site’s pages.
  • Attempts to execute operating system commands.
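The web-log checks above (error bursts per client, null referrers, access to content-editing pages, and request strings that look like SQL injection or operating system command attempts) can be run over Apache "combined" format access logs. This is an added example, not code from the original post: the log lines are constructed with documentation addresses, the /cms/admin/ path and the "editor" account are assumed, and the two detection regexes are deliberately small defensive signatures, not a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" format lines (invented hosts, addresses and paths).
SAMPLE_WEB_LOG = r"""203.0.113.9 - - [15/Jan/2024:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2024:08:00:02 +0000] "GET /about.html HTTP/1.1" 200 3100 "https://www.example.com/index.html" "Mozilla/5.0"
198.51.100.23 - - [15/Jan/2024:08:01:00 +0000] "GET /backup/ HTTP/1.1" 403 220 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2024:08:01:01 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2024:08:01:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2024:08:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2024:08:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2024:08:02:00 +0000] "GET /products.asp?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 890 "-" "python-requests/2.31"
198.51.100.23 - - [15/Jan/2024:08:02:05 +0000] "GET /cgi-bin/status?host=x%3Bcat%20/etc/passwd HTTP/1.1" 404 210 "-" "python-requests/2.31"
10.0.5.12 - editor [15/Jan/2024:09:00:00 +0000] "POST /cms/admin/edit.php HTTP/1.1" 200 1200 "https://www.example.com/cms/admin/" "Mozilla/5.0"
198.51.100.23 - - [15/Jan/2024:09:00:10 +0000] "POST /cms/admin/edit.php HTTP/1.1" 403 220 "-" "python-requests/2.31"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

ERROR_STATUSES = {403, 404, 500, 501}
ADMIN_PREFIX = "/cms/admin/"        # assumed content-management path
AUTHORIZED_EDITORS = {"editor"}     # assumed set of users allowed to edit content

# Small defensive signatures for the two indicators named above: a quoted
# tautology / UNION SELECT in a parameter, and a shell separator followed by a command.
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+(?:all\s+)?select", re.I)
OSCMD_RE = re.compile(r"[;|`]\s*(?:cat|ls|dir|whoami|id|cmd|powershell|sh|bash)\b", re.I)


def parse_combined(text):
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = unquote(e["path"])   # decode %xx so the signatures see the real string
            out.append(e)
    return out


def error_counts_by_ip(entries):
    """How many 403/404/500/501 responses each client caused."""
    return Counter(e["ip"] for e in entries if e["status"] in ERROR_STATUSES)


def null_referrer_counts(entries):
    """Requests with no Referer per client; a long run from one address with an
    automation user-agent is the scanner pattern described above."""
    return Counter(e["ip"] for e in entries if e["referer"] == "-")


def admin_path_violations(entries):
    """Hits on the content-editing area that are not from an authorized editor."""
    return [(e["ip"], e["user"], e["status"]) for e in entries
            if e["path"].startswith(ADMIN_PREFIX) and e["user"] not in AUTHORIZED_EDITORS]


def injection_indicators(entries):
    """Requests whose decoded path matches the SQL or OS-command signatures."""
    hits = []
    for e in entries:
        if SQLI_RE.search(e["path"]):
            hits.append((e["ip"], "sql_injection", e["path"]))
        elif OSCMD_RE.search(e["path"]):
            hits.append((e["ip"], "os_command", e["path"]))
    return hits


if __name__ == "__main__":
    es = parse_combined(SAMPLE_WEB_LOG)
    print("errors per client:", dict(error_counts_by_ip(es)))
    print("null referrers per client:", dict(null_referrer_counts(es)))
    print("admin path violations:", admin_path_violations(es))
    print("injection indicators:", injection_indicators(es))
```

Decoding the path before matching matters: the sample's suspicious requests arrive percent-encoded, and a signature applied to the raw line would miss them. Note also that the SQL injection attempt in the sample produced a 500, which is why the 500s deserve the attention the list above gives them.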

Endpoint Activity

Most cyber-attacks start at an endpoint – many breaches are the result of a phishing attack – so analyzing endpoint data enables fast incident detection.

To be successful, all malware must persist. Hackers need their malware to survive a reboot, so they can stay in the system undetected as long as possible and maximize their reward, whether it’s personal information, credit card numbers, or company secrets. Investigating suspicious persistence mechanisms is an effective threat hunting technique.

There are many different ways malware can persist on a Windows device. The most common are:

  • Scheduling tasks,
  • Installing as a service, and
  • Using the run key.

But there are more than 50 different places that malware can hide, including:

  • Logon (Startup Menu, Microsoft Active Setup),
  • Explorer (Context Menu Handlers, Drag/Drop Handlers),
  • Internet Explorer (Browser Helpers, Extensions),
  • Drivers, Codecs, Boot Execute, Image Hijacks, AppInit DLLs, WinLogon, WinSock Providers, Print Monitors, LSA Providers, Network Providers, Sidebar Gadgets, and more!

Using threat hunting techniques, analysts can find and analyze all unique or suspicious persistence mechanisms on a device. Then, using context and the latest threat intelligence, they can determine whether an attack was successfully deployed.
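The "unique or suspicious" filter above is easiest to apply the same way the network baseline earlier in the post is: compare a host's autostart inventory (Run keys, scheduled tasks, services) against a baseline from a known-clean build, then score whatever is new. The script below is an added example, not code from the original post or from any tool it names; the CSV layout is a simplified, assumed inventory format (similar in spirit to an Autoruns export but not its real schema), the baseline set and the signer strings are constructed, and the path and binary-name heuristics are the author's assumptions about what merits a second look.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed inventory of autostart entries (hypothetical CSV layout; entries invented).
SAMPLE_AUTORUNS = r"""location,entry,image_path,signer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe,Microsoft Windows
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Program Files\Microsoft OneDrive\OneDrive.exe,Microsoft Corporation
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\jsmith\AppData\Roaming\svchost.exe,(Not verified)
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,C:\Windows\System32\defrag.exe,Microsoft Windows
Task Scheduler,\SysUpdate,C:\Windows\System32\wscript.exe //e:jscript C:\Users\Public\update.js,(Not verified)
Services,Spooler,C:\Windows\System32\spoolsv.exe,Microsoft Windows
Services,WinHelper,C:\ProgramData\wh\winhelper.exe,(Not verified)
"""

# Assumed baseline captured from a known-clean build of the same image: (location, entry).
BASELINE = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive"),
    ("Task Scheduler", r"\Microsoft\Windows\Defrag\ScheduledDefrag"),
    ("Services", "Spooler"),
}

# Heuristics (assumptions, not a complete list): locations a standard user can write to,
# script/proxy-execution hosts, and system binary names that belong in System32.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Temp\\|\\ProgramData\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_autoruns(text):
    return list(csv.DictReader(io.StringIO(text)))


def executable_of(image_path):
    """First token of the command line, as a lower-case file name."""
    return PureWindowsPath(image_path.split(" ")[0]).name.lower()


def suspicious_reasons(entry):
    """Why this entry deserves analyst time; an empty list means nothing stood out."""
    reasons = []
    image = entry["image_path"]
    exe = executable_of(image)
    if entry["signer"] == "(Not verified)":
        reasons.append("unsigned")
    if USER_WRITABLE_RE.search(image):
        reasons.append("user-writable path")
    if exe in SCRIPT_HOSTS:
        reasons.append("script host / LOLBin")
    if exe in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM32):
        reasons.append("system binary name outside System32")
    return reasons


def triage(entries, baseline=BASELINE):
    """Entries absent from the baseline, each mapped to the reasons it stands out."""
    return {e["entry"]: suspicious_reasons(e) for e in entries
            if (e["location"], e["entry"]) not in baseline}


if __name__ == "__main__":
    for name, reasons in triage(parse_autoruns(SAMPLE_AUTORUNS)).items():
        print(f"{name}: {', '.join(reasons) or 'new, no other findings'}")
```

The baseline does most of the work: the three entries it does not know about are exactly the ones the heuristics then explain (an unsigned binary named like a system process living in a user profile, a scheduled task that runs a script from a public folder through wscript, and an unsigned service under ProgramData). In practice the remaining step is the one the paragraph above describes: pull the binaries, check hashes and signers against threat intelligence, and decide whether the persistence was ever successfully used.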

This is not an exhaustive list of what you need to look at as a threat hunter. As threat hunter David Bianco stated in DarkReading, “A savvy hunter understands that the attackers can accomplish their goals in many ways and examines the data from several viewpoints to compensate. Hunting consists of spending a lot of time searching for something that is elusive by nature. To locate entrenched threats, your hunt needs to be dynamic and adaptable.”

Learn more about cyber threat hunting in our Guide to Cyber Threat Hunting.


Are you struggling with the day-to-day demands of threat hunting due to gaps in technology, manpower, or expertise? If so, nDiscovery Managed Threat Detection is a great fit for you. We combine human expertise with the latest threat intelligence and advanced data analytics to quickly and accurately detect threats across your entire environment, including Windows endpoints. When nDiscovery confirms an incident, you are notified in minutes with exact details of what happened, which files are affected, and what you should do about it.
