Intrusion Attempts

Brute Force

Events with this classification type identify a system that was likely performing excessive access attempts, also known as brute-forcing, against a system or service. This usually means that the system repeatedly tries to access a resource and repeatedly fails.

This is commonly caused by tools that try a large number of possibilities to gain unauthorized access. These tools typically work through lists of well-known user names, passwords and variations thereof, or a custom list built from information specific to the target. Human, configuration or software error, without malice or gross neglect, is also possible: for example, a misconfigured service that keeps trying to access a resource it is not authorized for.

The system identified by source was likely performing excessive access attempts. While it is possible that a user performed them by hand, such activity is a strong indicator of malicious intent. The system should be regarded as compromised until further investigation has proven otherwise.

Recommendations:

  • Please handle the incident according to your policies and guidelines.
  • Change the access credentials of potentially affected users.
  • Scan the system for malicious software.
  • Check the logs for suspicious activity.
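
As an added example (not part of the original page), the following Python script shows what "check the logs for suspicious activity" looks like in practice for brute-force attempts: it runs a sliding-window failed-login detector over a few constructed sshd-style log lines. Two windows are used because a single short window misses low-and-slow guessing, and a successful login from a source that has already tripped a threshold is reported separately, since that is the case in which the account's credentials must be treated as compromised. The log lines, the addresses, the window sizes and thresholds, and the assumed year are all illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines (made up for this example; RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:03 host sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:04 host sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:05 host sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:06 host sshd[1201]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar 10 02:14:07 host sshd[1201]: Accepted password for admin from 203.0.113.7 port 51028 ssh2
Mar 10 02:20:00 host sshd[1300]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 10 02:20:30 host sshd[1300]: Accepted password for alice from 198.51.100.5 port 40002 ssh2
Mar 10 02:21:00 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 03:00:00 host sshd[1400]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar 10 03:10:00 host sshd[1400]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar 10 03:20:00 host sshd[1400]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar 10 03:30:00 host sshd[1400]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar 10 03:40:00 host sshd[1400]: Failed password for bob from 192.0.2.9 port 33005 ssh2
Mar 10 03:50:00 host sshd[1400]: Failed password for bob from 192.0.2.9 port 33006 ssh2
"""

# Detection policies: (name, trailing window in seconds, failures needed to alert).
# Two windows because one short window misses low-and-slow guessing; the values
# are illustrative assumptions to be tuned per environment.
POLICIES = (("fast", 60, 5), ("slow", 3600, 6))

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, source) for an sshd password-auth line, else None.
    Syslog lines carry no year, so one is assumed here (a real parser would take it
    from the file or its rotation date)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(lines, policies=POLICIES):
    """Sliding-window brute-force detection over chronologically ordered log lines.

    Returns {source: finding}; a finding lists the policies tripped, the number of
    failures, the user names tried, and any accounts that logged in successfully
    after the source had already tripped a threshold."""
    max_window = max(window for _, window, _ in policies)
    fails = defaultdict(deque)      # source -> timestamps of recent failures
    failures = defaultdict(int)     # source -> total failures seen
    users_tried = defaultdict(set)  # source -> user names attempted
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            failures[src] += 1
            users_tried[src].add(user)
            q = fails[src]
            q.append(ts)
            # Drop timestamps older than the longest window so state stays bounded.
            while (ts - q[0]).total_seconds() > max_window:
                q.popleft()
            for name, window, threshold in policies:
                recent = sum(1 for t in q if (ts - t).total_seconds() <= window)
                if recent >= threshold:
                    f = findings.setdefault(src, {"policies": set(), "success_after": set()})
                    f["policies"].add(name)
        elif src in findings:
            # A successful login from a source that already tripped a threshold: the
            # guessing probably worked, so the account must be treated as compromised.
            findings[src]["success_after"].add(user)
    for src, f in findings.items():
        f["failures"] = failures[src]
        f["users_tried"] = set(users_tried[src])
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG.splitlines()).items():
        status = "credentials likely compromised" if f["success_after"] else "brute-force attempt"
        print(f"{src}: {status}; policies={sorted(f['policies'])} "
              f"failures={f['failures']} users={sorted(f['users_tried'])} "
              f"logged_in={sorted(f['success_after'])}")
```

On the constructed input, 203.0.113.7 trips both windows and then logs in as admin, 192.0.2.9 is only visible to the one-hour window, and alice's single typo followed by a successful login produces no finding at all. In a real deployment the same logic would additionally be checked against an allowlist of expected sources (vulnerability scanners, monitoring probes) to keep the false-positive rate down.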

Exploit

Events with this classification type identify a system that was likely targeted by an exploit. An exploit takes advantage of a bug or vulnerability to cause unintended behavior. Such an event can, for example, be triggered by sending the exploit data to the system or service directly, or when the vulnerable system or application connects to a service that responds with the exploit data (a client-side attack).

Exploits are commonly used to gain unauthorized access or to change the configuration of the system or service. They may also be used to install malicious software on the device.

The system identified by source was most likely compromised through an exploit. It is unlikely that the user did this intentionally. The system should be regarded as compromised until further investigation has proven otherwise.

Recommendations:

  • Change the access credentials of potentially affected users.
  • Scan the system for malicious software, preferably offline from a bootable CD or USB medium, so that malware running on the system cannot hide from the scanner.
  • Check the logs for unusual behavior.
  • Update the software running on the system.
  • Check every service running on the system for known vulnerabilities, and apply the corresponding patches and/or configuration changes.

IDS Alert

Events with this classification type identify a system that triggered an alert on an Intrusion Detection System (IDS). Depending on its type, an IDS inspects network traffic (network-based IDS) or system activity (host-based IDS) for malicious activity. IDS systems are commonly used to monitor enterprise infrastructure.

Creating good IDS detection patterns is difficult, and a pattern that works well for one organization might not work at all for another. IDS systems therefore have a reputation for generating many false positives.

Nonetheless, such detections are an indicator that the monitored system is probably being attacked. Attackers often route their activity through systems they have previously compromised with malicious software, so that any alert that is triggered points at the compromised system rather than at them, reducing the risk that they are caught.

The system identified by source triggered an Intrusion Detection System alert and therefore most likely performed or executed malicious activity. The system should be regarded as likely compromised until further investigation has proven otherwise.

Recommendations:

  • Change the access credentials of potentially affected users.
  • Scan the system for malicious software. Offline scan from CD or USB if possible.
  • Check the logs for unusual behavior.
  • Update the software running on the system.