I am going direct to the point and make it short.
Some ideas on what to monitor
- Active directory object creation
- User creation, and change
- Group creation and change
- PC account creation and change
If you have not added, created, changed accounts chances are someone did it. If it was not created by IT, changes are, it was an attacker. If you are monitoring closely your AD, then you have a good chance of catching it before the accounts can be used to do any real damage.
- Data deletion and data growth
I think this one is pretty obvious, if a large chunk of data has just vanished, something is seriously wrong, right? If I see a volume let's say which had 1TB and all of a sudden, it gone down to 500GB, I would jump on it right away and start asking questions to all users, have you deleted this data, if no one raises their hand up, something somewhere needs to be investigated. There is a good chance you've been attacked. So monitor data deletion.
- Monitor Interface Band Width
- Monitor email Queue
The same principal applies. Knowing how many emails, hourly, daily, weekly and monthly will help you in the fight. Know what is normal condition for your system.
- Monitor web server hits
- Monitor user creation, deletion and modification for Linux servers
- Monitor file changes, especially config files servers and devices
- Scan and monitor for new hosts and devices
If you see a host you don't know or recognize, investigate it. Check its MAC address, its IP address, check who has such device. Never leave an unknown device without tracking it down!
- Monitor your Internet access
- Monitor Successful and unsuccessful login attempts
It is important to have a monitoring in place, but it is also very important to watch closely this system. And follow up in any alerts generated by the systems.
These are just some of the things you can monitor to help you in the fight against attackers, there are many more and it is one of your tasks to study your system really well and analyse the entry points, and put monitoring in place.
Hope this is useful to you and if you have some other ideas, please share with us and we would very much appreciate it.
Renato
No comments:
Post a Comment