All traffic in and out of your environment MUST be monitored for unknown traffic and reviewed by skilled staff, and, if required, incident response initiated. In the following image (clickable for a large view) you can see that there are attacks from Indonesia using the Apache Struts exploit. I can note here that the server being attacked is a Hikvision security DVR. This server is targeted based on preliminary reconnaissance (high port) and sometimes by a random attack hoping for the best (port 80), on the grounds that it is seen as a DVR and there are admin elevation attacks for a number of these devices.
The lesson that I want a person to take away here is to ask whether you have a continuous view of all the ‘weird’ traffic in and out of your network. The following checklist would be helpful to pick some low-hanging fruit.
I would also point out that the first step in your IT risk management landscape is the asset management process. If you do not know what you have, you have no control over the actual risks present in your environment. Assets include hardware, software, data flows, data, users (internal and external), device configurations and many more.
- Do you monitor all traffic in and out of your network?
- Do you review the data using a review methodology (policies, standards, procedures and guidelines)?
- Are the staff reviewing the data skilled according to the requirements?
- In case of an incident, what is your incident response plan?
- Is the data trustworthy enough to be selected as evidence in case of an investigation?
- Do you test your team by injecting some alerts at random times? (example: http://testmyids.com should trigger an event)
- What reports are available, and how are they presented as part of your management pack?
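As an added example (not from the original post), here is a small Python review script over constructed flow-log lines that applies the first two checklist items against an asset inventory: it flags flows to hosts not in the inventory, unexpected ports on known assets (such as a high port on a DVR that should only serve its web UI), sources outside the networks allowed to reach an asset, and sources touching several distinct ports, which is what the preliminary reconnaissance described above looks like in a log. All hosts, addresses, roles and the log format are constructed for the example.

```python
import ipaddress

# Constructed asset inventory (hypothetical values): the "know what you have" step.
# Each asset lists the ports it is expected to serve and the networks allowed to reach it.
INVENTORY = {
    "10.0.0.5": {"role": "Hikvision DVR", "ports": {80},
                 "allowed_from": [ipaddress.ip_network("10.0.0.0/8")]},
    "10.0.0.20": {"role": "web server", "ports": {80, 443},
                  "allowed_from": [ipaddress.ip_network("0.0.0.0/0")]},
}

# Constructed flow-log lines (key=value per field); public IPs use documentation ranges.
SAMPLE_LOG = [
    "ts=2019-05-03T10:00:01Z src=10.0.1.7 dst=10.0.0.5 dport=80 proto=tcp",       # internal admin use
    "ts=2019-05-03T10:00:02Z src=203.0.113.9 dst=10.0.0.5 dport=80 proto=tcp",    # external hit on DVR web UI
    "ts=2019-05-03T10:00:03Z src=203.0.113.9 dst=10.0.0.5 dport=8000 proto=tcp",  # high port on DVR
    "ts=2019-05-03T10:00:04Z src=203.0.113.9 dst=10.0.0.5 dport=554 proto=tcp",   # another port on DVR
    "ts=2019-05-03T10:00:05Z src=198.51.100.4 dst=10.0.0.20 dport=443 proto=tcp", # normal web traffic
    "ts=2019-05-03T10:00:06Z src=198.51.100.4 dst=10.0.0.99 dport=22 proto=tcp",  # host not in inventory
]

def parse_flow(line):
    """Parse one 'key=value' flow line into a dict with typed src/dst/dport."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": fields["ts"], "src": ipaddress.ip_address(fields["src"]),
            "dst": str(ipaddress.ip_address(fields["dst"])), "dport": int(fields["dport"])}

def review_flow(flow):
    """Return the reason a flow deserves review, or None if it matches the inventory."""
    asset = INVENTORY.get(flow["dst"])
    if asset is None:
        return "unknown asset"
    if flow["dport"] not in asset["ports"]:
        return f"unexpected port {flow['dport']} on {asset['role']}"
    if not any(flow["src"] in net for net in asset["allowed_from"]):
        return f"disallowed source for {asset['role']}"
    return None

def review(lines, scan_threshold=3):
    """Review log lines: returns (alerts, sources touching >= scan_threshold distinct targets)."""
    alerts, targets_by_src = [], {}
    for line in lines:
        flow = parse_flow(line)
        targets_by_src.setdefault(flow["src"], set()).add((flow["dst"], flow["dport"]))
        reason = review_flow(flow)
        if reason:
            alerts.append((flow["ts"], str(flow["src"]), flow["dst"], flow["dport"], reason))
    scanners = sorted(str(s) for s, t in targets_by_src.items() if len(t) >= scan_threshold)
    return alerts, scanners

if __name__ == "__main__":
    found, probing = review(SAMPLE_LOG)
    for alert in found:
        print("ALERT", *alert)
    print("sources probing multiple ports:", probing)
```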
One recommendation I can give you is NOT to have a knee-jerk reaction and spend money without a proper PoC (Proof-of-Concept) as well as solution evaluations. If you are suspicious of your environment, there are many open-source tools as well as inherent ones (you already own them as part of your hardware, OS or other operating systems).