Cross Organisation Attacks

Description
Cross organisation attacks occur when an attacker who has compromised one member firm seeks to move laterally into the networks of other member firms and gain persistent access there. This involves reconnaissance to identify weak points that can be exploited either to disrupt vital systems or to steal sensitive data.
Kill Chain Stage
Threat type to monitor
■    An attacker has successfully broken into one member firm and is attempting lateral movement into other member firms
Monitoring setup
■    Active Directory

■    DHCP

■    DNS

■    Firewall

■    VPN Concentrator

Event Indicators
■    Failed account logins observed across member firms

■    Suspicious outbound firewall connections to a single destination from all member firms

■    Sudden increase in cross-member firewall traffic

■    Sudden loss of the same services or resources across member firms

■    Detection of a high volume of inter-firewall traffic between member firms

■    High number of connections to the same suspicious domains from different member firms

■    Multiple failed logins for the same user name observed across member firms

■    Outbound connections to known command-and-control (C2) servers
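The indicators above share one detection pattern: an event key (a user name, a destination address, a domain) seen from several member firms within a short window. As an added example, not part of the original wiki page, the following Python correlates two of them over constructed sample logs: failed logins for the same user name, and outbound connections to a single destination from different member firms. The firm names, user names, addresses and record layouts are assumptions made up for illustration; the only real identifier used is Windows Security event ID 4625 (failed logon). The helper is general, so the same code serves the "same suspicious domains from different member firms" indicator by keying on the queried domain instead.

```python
"""Cross-firm correlation of two event indicators listed above.

Added example; not part of the original wiki page. Record layouts, firm names,
user names and IP addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Active Directory records: (timestamp, member firm, event ID, user name).
# 4625 = failed logon, 4624 = successful logon.
AUTH_EVENTS = [
    ("2024-03-01T09:00:05", "firm-a", "4625", "j.smith"),
    ("2024-03-01T09:00:09", "firm-b", "4625", "j.smith"),
    ("2024-03-01T09:00:14", "firm-c", "4625", "j.smith"),
    ("2024-03-01T09:01:00", "firm-a", "4625", "helpdesk"),
    ("2024-03-01T09:02:00", "firm-a", "4625", "helpdesk"),   # same user, same firm: local noise
    ("2024-03-01T09:03:00", "firm-b", "4624", "m.jones"),    # success: ignored
]

# Constructed sample perimeter firewall records: (timestamp, member firm, src, dst, dst port).
FW_EVENTS = [
    ("2024-03-01T09:10:00", "firm-a", "10.1.1.20", "203.0.113.77", 443),
    ("2024-03-01T09:10:30", "firm-b", "10.2.1.40", "203.0.113.77", 443),
    ("2024-03-01T09:11:00", "firm-c", "10.3.1.10", "203.0.113.77", 443),
    ("2024-03-01T09:12:00", "firm-a", "10.1.1.21", "198.51.100.9", 443),
    ("2024-03-01T10:30:00", "firm-b", "10.2.1.41", "198.51.100.9", 443),  # too far apart
]


def correlate_across_firms(events, window, min_firms):
    """Generic cross-firm correlation.

    events: iterable of (datetime, firm, key).
    Returns {key: sorted firms} for every key that was observed from at least
    min_firms distinct member firms inside some interval of length `window`.
    A sliding window per key keeps the check linear in the number of events.
    """
    by_key = defaultdict(list)
    for ts, firm, key in events:
        by_key[key].append((ts, firm))

    hits = defaultdict(set)
    for key, recs in by_key.items():
        recs.sort()                       # oldest first
        in_window = defaultdict(int)      # firm -> events currently inside the window
        left = 0
        for ts, firm in recs:
            in_window[firm] += 1
            # Drop events older than `window` relative to the newest one.
            while ts - recs[left][0] > window:
                old_firm = recs[left][1]
                in_window[old_firm] -= 1
                if in_window[old_firm] == 0:
                    del in_window[old_firm]
                left += 1
            if len(in_window) >= min_firms:
                hits[key].update(in_window)
    return {key: sorted(firms) for key, firms in hits.items()}


def failed_logins_same_user(auth_events, window=timedelta(minutes=15), min_firms=2):
    """Indicator: multiple failed logins for the same user name across member firms."""
    failures = [
        (datetime.fromisoformat(ts), firm, user)
        for ts, firm, event_id, user in auth_events
        if event_id == "4625"
    ]
    return correlate_across_firms(failures, window, min_firms)


def shared_outbound_destination(fw_events, window=timedelta(minutes=15), min_firms=2):
    """Indicator: outbound connections to one destination from several member firms."""
    conns = [
        (datetime.fromisoformat(ts), firm, f"{dst}:{port}")
        for ts, firm, _src, dst, port in fw_events
    ]
    return correlate_across_firms(conns, window, min_firms)


if __name__ == "__main__":
    for name, result in (("same user, several firms", failed_logins_same_user(AUTH_EVENTS)),
                         ("shared destination", shared_outbound_destination(FW_EVENTS))):
        print(name)
        for key, firms in result.items():
            print(f"  {key}: {', '.join(firms)}")
```

On the sample data only `j.smith` and `203.0.113.77:443` are flagged: the repeated `helpdesk` failures stay within one firm, and the two connections to `198.51.100.9` are more than fifteen minutes apart. The window and the minimum firm count are the two knobs to tune against each member's normal cross-firm traffic before alerting on them.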