Cross Organisation Attacks

Description
Cross-organisation attacks are launched when an attacker who already has a foothold in one member firm seeks to move laterally across the shared network and gain persistent access in other firms. This involves reconnaissance to identify weak points that can be exploited either to disrupt vital systems or to steal vital data.

Kill Chain Stage
7
Threat type to monitor
■    An attacker has successfully broken into one member firm and is attempting lateral movement to other member firms
Monitoring setup
■    Active Directory

■    DHCP

■    DNS

■    Firewall

■    VPN Concentrator

Events Indicators
■    Failed account logins for the same account observed across member firms

■    Suspicious outbound firewall connections to a single destination from all member firms

■    Sudden increases in cross-member firewall traffic

■    Sudden loss of the same services or resources across member firms

Rules
■    Detect a high volume of inter-firm firewall traffic across member firms

■    Detect a high number of connections toward the same suspicious domains from different member firms

■    Detect multiple failed logins for the same user name observed across member firms

■    Detect outbound connections to known command and control centres
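As an added example (not part of the original wiki page), the rules above that look for the same user name failing logins in several member firms, or several member firms connecting to the same suspicious destination, can both be implemented as one cross-firm correlation over a shared event feed. The event tuple format, the firm names and the addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical shared log collector:
# (timestamp, member_firm, event_type, subject). The subject is a user name
# for "auth_fail" events and a destination host for "fw_outbound" events.
# Addresses are RFC 5737 documentation ranges, not real indicators.
EVENTS = [
    ("2024-03-01T10:00:05", "firmA", "auth_fail", "j.smith"),
    ("2024-03-01T10:01:10", "firmB", "auth_fail", "j.smith"),
    ("2024-03-01T10:02:30", "firmC", "auth_fail", "j.smith"),
    ("2024-03-01T10:03:00", "firmA", "auth_fail", "admin"),
    ("2024-03-01T10:05:00", "firmA", "fw_outbound", "203.0.113.7"),
    ("2024-03-01T10:06:00", "firmB", "fw_outbound", "203.0.113.7"),
    ("2024-03-01T10:07:00", "firmD", "fw_outbound", "203.0.113.7"),
    ("2024-03-01T10:08:00", "firmB", "fw_outbound", "198.51.100.9"),
    ("2024-03-01T14:00:00", "firmE", "auth_fail", "admin"),  # outside window
]


def correlate(events, event_type, min_firms=3, window=timedelta(minutes=15)):
    """Return {subject: [firms]} for subjects seen in event_type across at
    least min_firms distinct member firms inside a sliding time window."""
    by_subject = defaultdict(list)
    for ts, firm, etype, subject in events:
        if etype == event_type:
            by_subject[subject].append((datetime.fromisoformat(ts), firm))
    alerts = {}
    for subject, hits in by_subject.items():
        hits.sort()  # chronological order so each hit can open a window
        for i, (start, _) in enumerate(hits):
            firms = {f for t, f in hits[i:] if t - start <= window}
            if len(firms) >= min_firms:
                alerts[subject] = sorted(firms)
                break
    return alerts


def cross_firm_failed_logins(events):
    # Rule: multiple failed logins for the same user name across member firms.
    return correlate(events, "auth_fail")


def cross_firm_common_destination(events):
    # Rule: many member firms connecting to the same suspicious destination.
    return correlate(events, "fw_outbound")
```

Single-firm noise such as the "admin" failures and the lone 198.51.100.9 connection stays below the cross-firm threshold and raises no alert.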
