Network Defense – Think of Network Intruders Like Tourists Giving Themselves Away

Author: Jennifer Walker

Created: Thursday, August 24, 2023 - 18:08

Categories: Cybersecurity, Security Preparedness

This recent post by Brian Krebs is an interesting read for everyone, but security analysts, sysadmins, and other network defenders in particular should find its perspective worth their attention. The article suggests that a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly arrived cybercriminals behaving like network tourists. Doing so can mean the difference between catching a compromise in week one (before the attackers dig in) and learning about the attack on CNN.

Some food for thought posed in the post:

  • Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor’
  • This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time
  • There are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage)

For more considerations and which alerts to configure for detecting unwanted network tourists, visit KrebsOnSecurity.
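
As an added illustration (not code from the Krebs post or from WaterISAC), the sketch below alerts when one account and source address runs several distinct orientation commands from the list above within a short window on a network device. The log line format, the sample records, the five-minute window and the threshold of three are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Orientation commands quoted in the post, lower-cased for matching.
RECON = ("show config", "show interface", "show route",
         "show arp table", "show cdp neighbor")
# Constructed log format (an assumption, not any vendor's): time, device, user, src, cmd.
LINE = re.compile(r"^(\S+) device=(\S+) user=(\S+) src=(\S+) cmd=(.+)$")

SAMPLE_LOG = """\
2023-08-24T09:00:00 device=rtr1 user=netops src=10.0.1.10 cmd=show interface
2023-08-24T09:40:00 device=rtr1 user=netops src=10.0.1.10 cmd=show route
2023-08-24T13:02:10 device=sw3 user=svc_backup src=10.0.5.23 cmd=show config
2023-08-24T13:02:25 device=sw3 user=svc_backup src=10.0.5.23 cmd=show interface
2023-08-24T13:02:41 device=sw3 user=svc_backup src=10.0.5.23 cmd=show arp table
2023-08-24T13:03:05 device=sw3 user=svc_backup src=10.0.5.23 cmd=show CDP neighbor
not a command record
"""

def recon_match(cmd):
    """Return the orientation command that cmd starts with, or None."""
    c = " ".join(cmd.lower().split())
    return next((r for r in RECON if c.startswith(r)), None)

def find_tourists(log_text, window=timedelta(minutes=5), threshold=3):
    """Alert when one (user, src) runs >= threshold distinct recon commands within window."""
    recent = defaultdict(deque)   # (user, src) -> deque of (time, recon command)
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        hit = recon_match(m.group(5)) if m else None
        if hit is None:
            continue              # malformed line or not an orientation command
        ts, device, user, src, _ = m.groups()
        when = datetime.fromisoformat(ts)
        q = recent[(user, src)]
        q.append((when, hit))
        while q and when - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        distinct = sorted({c for _, c in q})
        if len(distinct) >= threshold:
            alerts.append({"user": user, "src": src, "device": device,
                           "time": when, "commands": distinct})
            q.clear()             # one alert per burst
    return alerts

if __name__ == "__main__":
    print(find_tourists(SAMPLE_LOG))
```

The two `netops` commands, 40 minutes apart, stay below the threshold, while the `svc_backup` burst raises a single alert.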
