The Sony breach has become a drama in mainstream media with policy questions rising all the way to the White House.
For the rest of us, it seems prudent to dust off the playbook for handling destructive malware. US-CERT tips can be found here.
Tips on access control and monitoring seem to align with recent topics in our PI Square.
Security monitoring ideas include Harvesting PI Logs for Real Time Forensics.
I wonder if we can put PI to work to monitor the first 6 indicators suggested by US-CERT?
Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
- Failed logon attempts,
- File share access, and
- Interactive logons via a remote session.
Review network flow data for signs of anomalous activity.
- Connections utilizing ports which do not correlate to the standard communication flow associated with an application,
- Activity correlating to port scanning or enumeration, and
- Repeated connections utilizing ports which can be utilized for command and control purposes.
Hey, maybe using the ping interface or sending the firewall log to a UFL interface isn't so crazy!
Welcome to PI Square – let the fun begin! (Consuming Windows Firewall logs)
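As an added example (not code from the post, from US-CERT, or from OSIsoft), here is a small Python triage script that runs the three network-flow indicators from the list above over Windows Firewall log lines in the pfirewall.log layout, the same kind of file the post suggests feeding to a UFL interface. Everything in it is constructed or assumed: the sample log lines and addresses are made up, `EXPECTED_PORTS` assumes the monitored host is a PI Data Archive (TCP 5450) that also serves file shares (TCP 445), and `C2_WATCH_PORTS` is a placeholder watchlist, not an authoritative one.

```python
"""Constructed example: triage Windows Firewall (pfirewall.log) lines for the
US-CERT network-flow indicators: connections on ports outside what a host
normally serves, port-scan-like fan-out from one source, and repeated
connections to ports that are commonly used for command and control."""
from collections import Counter, defaultdict

FIELDS_PREFIX = "#Fields: "

# Constructed sample in the W3C-style layout Windows Firewall writes to
# pfirewall.log. Hosts, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-12-20 10:15:01 ALLOW TCP 10.0.0.5 10.0.0.20 50321 5450 0 - 0 0 0 - - - RECEIVE
2014-12-20 10:15:02 ALLOW TCP 10.0.0.5 10.0.0.20 50322 445 0 - 0 0 0 - - - RECEIVE
2014-12-20 10:15:03 ALLOW TCP 10.0.0.9 10.0.0.20 50400 3389 0 - 0 0 0 - - - RECEIVE
2014-12-20 10:15:10 DROP TCP 10.0.0.77 10.0.0.20 41000 21 52 S 1 0 8192 - - - RECEIVE
2014-12-20 10:15:10 DROP TCP 10.0.0.77 10.0.0.20 41001 22 52 S 1 0 8192 - - - RECEIVE
2014-12-20 10:15:10 DROP TCP 10.0.0.77 10.0.0.20 41002 23 52 S 1 0 8192 - - - RECEIVE
2014-12-20 10:15:11 DROP TCP 10.0.0.77 10.0.0.20 41003 25 52 S 1 0 8192 - - - RECEIVE
2014-12-20 10:15:11 DROP TCP 10.0.0.77 10.0.0.20 41004 80 52 S 1 0 8192 - - - RECEIVE
2014-12-20 10:15:11 DROP TCP 10.0.0.77 10.0.0.20 41005 135 52 S 1 0 8192 - - - RECEIVE
2014-12-20 10:20:00 ALLOW TCP 10.0.0.20 203.0.113.10 49152 6667 0 - 0 0 0 - - - SEND
2014-12-20 10:25:00 ALLOW TCP 10.0.0.20 203.0.113.10 49153 6667 0 - 0 0 0 - - - SEND
2014-12-20 10:30:00 ALLOW TCP 10.0.0.20 203.0.113.10 49154 6667 0 - 0 0 0 - - - SEND
"""

# Assumption: 10.0.0.20 is a PI Data Archive (TCP 5450) that also serves SMB
# shares (TCP 445); anything else accepted inbound is worth a look.
EXPECTED_PORTS = {"10.0.0.20": {445, 5450}}
# Assumption: placeholder watchlist of ports often seen for command and control.
C2_WATCH_PORTS = {4444, 6667}


def parse_firewall_log(text):
    """Parse pfirewall.log text into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(FIELDS_PREFIX):
            fields = line[len(FIELDS_PREFIX):].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, #Time Format)
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a malformed line rather than stop the collector
        records.append(dict(zip(fields, parts)))
    return records


def unexpected_ports(records, expected):
    """Inbound ALLOWed connections to a dst-port outside the host's expected set."""
    hits = []
    for r in records:
        if r["action"] != "ALLOW" or r["path"] != "RECEIVE":
            continue
        allowed = expected.get(r["dst-ip"])
        if allowed is not None and int(r["dst-port"]) not in allowed:
            hits.append((r["src-ip"], r["dst-ip"], int(r["dst-port"])))
    return hits


def port_scan_sources(records, min_distinct_ports=5):
    """(src, dst) pairs where one source touched many distinct ports on one host."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src-ip"], r["dst-ip"])].add(int(r["dst-port"]))
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_distinct_ports)


def repeated_c2_connections(records, watch_ports, min_count=3):
    """(src, dst, port) tuples on the watchlist seen at least min_count times."""
    counts = Counter()
    for r in records:
        port = int(r["dst-port"])
        if port in watch_ports:
            counts[(r["src-ip"], r["dst-ip"], port)] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


def triage(text):
    """Run all three indicator checks over one log file's text."""
    records = parse_firewall_log(text)
    return {
        "unexpected_ports": unexpected_ports(records, EXPECTED_PORTS),
        "port_scans": port_scan_sources(records),
        "repeated_c2": repeated_c2_connections(records, C2_WATCH_PORTS),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The parser keys each record by the names in the `#Fields:` header rather than by column position, so it keeps working if a future log format adds columns; the same field list is what a UFL configuration would have to map if the log were loaded into PI. The thresholds (five distinct ports, three repeats) are starting points to tune per site, not fixed rules.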