The security alerts you’re missing…


What you don’t watch for could be exactly what attackers exploit.

Ethical Threat Insight: Security Alerts No One Sets Up (But Should)

Most orgs watch for malware, phishing, account compromise and a whole host of other attacks.

But so often I see what I would consider low-hanging-fruit detections missed by security teams.

Here are a few high-value alerts not enough orgs have implemented:

  • Active Directory enumeration - especially when privileged (tier 0) resources are touched, like Domain Admins. Looking at the volume of LDAP traffic from a single host can also be a great indicator of recon activity. By the way, according to a recent CrowdStrike report, 50% of the TTPs they see are recon activities.
  • Adding users to local admins on workstations - this one should be obvious, but in reality, I’ve almost never seen orgs alerting on this. The telemetry is there in your EDR waiting for you to use it.
  • Lateral movement with RDP, PSRemoting, SMB - if you’ve done the work to understand your environment, then writing rules to detect when Suzie is attempting to RDP to a domain controller should be easy. But most don’t do the upfront work to get to this point.
  • Hosts without EDR installed - I suspect this should be fairly easy for most orgs. If there are hosts in your network that you control and that support EDR, and it isn’t installed, you should know immediately.

Here are a few other ideas for alerts that not enough folks have turned on:

  • Service Account Logins (outside expected systems/times)
  • New Domain Admins being added
  • Disabling Security Tools (AV, EDR, logging)
  • Mass File Access (precursor to data theft or ransomware)
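To make the two lists above concrete, here is an added example (my own illustration, not code from Spencer Alessi or from any product) that runs a handful of the alerts as plain rules over a constructed batch of Windows Security log records: LDAP query volume per host plus any query naming a tier-0 group, a 4732 add to the local Administrators group, a 4728/4756 add to Domain Admins, an RDP logon (4624, LogonType 10) to a domain controller by anyone not on an admin allow-list, and a service account logging on from the wrong host or outside its expected hours. The event IDs are the real Windows ones; the host names, account names, thresholds and the event dicts themselves are hypothetical. Note that per-host LDAP query telemetry is not in the default Security log; in practice it comes from your EDR or network sensor, or from NTDS diagnostic logging on the DCs (event 1644). The "hosts without EDR" check is an inventory reconciliation rather than a log rule, so it is left out here.

```python
"""Toy detection rules run over constructed Windows Security log records.

Added example, not Spencer Alessi's code. Host names, account names and
thresholds are hypothetical; the event IDs are the real Windows ones:
4732 member added to a local group, 4728/4756 member added to a global/
universal group, 4624 logon (LogonType 10 = RDP / RemoteInteractive).
"""
from collections import Counter
from datetime import datetime

# Environment knowledge the rules depend on (hypothetical values).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins"}
LDAP_QUERY_THRESHOLD = 500            # queries from one host within the sample window
ALLOWED_DC_RDP_USERS = {"adm_spencer"}
SERVICE_ACCOUNTS = {                  # account -> (allowed hosts, allowed hours inclusive)
    "svc_backup": ({"BACKUP01"}, (1, 5)),
}

# Constructed sample telemetry (not captured from a real network).
SAMPLE_EVENTS = [
    # LDAP query telemetry, one record per query: a noisy recon host, a tier-0 lookup, normal traffic
    *[{"type": "ldap", "src": "WS042", "filter": "(objectClass=user)", "ts": "2024-05-01T10:00:00"}] * 600,
    {"type": "ldap", "src": "WS007", "filter": "(&(objectClass=group)(cn=Domain Admins))", "ts": "2024-05-01T10:05:00"},
    {"type": "ldap", "src": "WS008", "filter": "(sAMAccountName=jdoe)", "ts": "2024-05-01T10:06:00"},
    # 4732: account added to the local Administrators group on a workstation
    {"type": "win", "event_id": 4732, "host": "WS042", "group": "Administrators", "member": "CORP\\suzie", "ts": "2024-05-01T10:10:00"},
    # 4728: account added to Domain Admins
    {"type": "win", "event_id": 4728, "host": "DC01", "group": "Domain Admins", "member": "CORP\\suzie", "ts": "2024-05-01T10:11:00"},
    # 4624 LogonType 10: RDP sessions on a domain controller
    {"type": "win", "event_id": 4624, "host": "DC01", "logon_type": 10, "account": "suzie", "ts": "2024-05-01T10:12:00"},
    {"type": "win", "event_id": 4624, "host": "DC01", "logon_type": 10, "account": "adm_spencer", "ts": "2024-05-01T10:13:00"},
    # Service account logons: one inside its expected host/window, one outside both
    {"type": "win", "event_id": 4624, "host": "BACKUP01", "logon_type": 3, "account": "svc_backup", "ts": "2024-05-01T02:00:00"},
    {"type": "win", "event_id": 4624, "host": "WS042", "logon_type": 2, "account": "svc_backup", "ts": "2024-05-01T14:30:00"},
]


def ldap_recon(events):
    """Alert on query volume per source host and on any query that names a tier-0 group."""
    alerts = []
    per_host = Counter(e["src"] for e in events if e["type"] == "ldap")
    alerts += [f"LDAP_VOLUME {h} {n} queries" for h, n in per_host.items() if n >= LDAP_QUERY_THRESHOLD]
    for e in events:
        if e["type"] == "ldap" and any(g.lower() in e["filter"].lower() for g in TIER0_GROUPS):
            alerts.append(f"TIER0_ENUM {e['src']} {e['filter']}")
    return alerts


def local_admin_added(events):
    """4732 into the local Administrators group; fires on every host, workstations included."""
    return [f"LOCAL_ADMIN_ADD {e['host']} {e['member']}" for e in events
            if e["type"] == "win" and e["event_id"] == 4732 and e["group"] == "Administrators"]


def domain_admin_added(events):
    """4728/4756 where the target group is tier 0."""
    return [f"TIER0_GROUP_ADD {e['group']} {e['member']}" for e in events
            if e["type"] == "win" and e["event_id"] in (4728, 4756) and e["group"] in TIER0_GROUPS]


def rdp_to_dc(events):
    """RDP logon to a DC by anyone not on the allow-list of admin accounts."""
    return [f"RDP_TO_DC {e['account']} -> {e['host']}" for e in events
            if e["type"] == "win" and e["event_id"] == 4624 and e.get("logon_type") == 10
            and e["host"] in DOMAIN_CONTROLLERS and e["account"] not in ALLOWED_DC_RDP_USERS]


def service_account_anomaly(events):
    """Service account logon from an unexpected host or outside its expected hours."""
    alerts = []
    for e in events:
        if e["type"] != "win" or e["event_id"] != 4624 or e["account"] not in SERVICE_ACCOUNTS:
            continue
        hosts, (start, end) = SERVICE_ACCOUNTS[e["account"]]
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["host"] not in hosts or not start <= hour <= end:
            alerts.append(f"SVC_ACCT_ANOMALY {e['account']} on {e['host']} at {e['ts']}")
    return alerts


RULES = (ldap_recon, local_admin_added, domain_admin_added, rdp_to_dc, service_account_anomaly)


def run_rules(events):
    """Run every rule and return the combined alert list."""
    return [alert for rule in RULES for alert in rule(events)]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the sample batch this fires six alerts (the noisy WS042 host, the WS007 Domain Admins lookup, the local admin add, the Domain Admins add, Suzie's RDP to DC01, and svc_backup logging on to a workstation at 14:30) and stays quiet on the jdoe lookup, the allow-listed admin's RDP session and the backup account's normal 02:00 logon. The point is less the code than the shape of it: every rule except the LDAP volume count is a trivial filter, and what makes them useful is the environment knowledge baked into the constants at the top, which is exactly the upfront work most teams skip.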

Too many organizations rely too much on out of the box configurations of their security tools.

It’s especially evident with EDR.

There are few tools that are truly set-it-and-forget-it.

If you don’t create any custom alerts and you don’t review your existing alerts for effectiveness and completeness, you’re leaving room for attackers.

And by the way, one of the best things you can do from a security monitoring perspective is to set up deception assets.

Whether you’re trying to better detect enumeration/recon, lateral movement, privilege escalation or even credential access…

Deception can be used very effectively for all those use cases.

If you want to see how deception can be used at various stages of an attack, watch the recording of my deception webinar.

P.S. It’s helpful to think of attackers like raccoons…they’ll usually jiggle the handle before they try breaking the window. The trick is to have the alert go off when the handle moves. 🦝🔔

All the best
Spencer Alessi

"Spirit of a hacker heart of a defender"