Park in a well-lit area and check your car before getting in it!

It may only seem like advice a mother tells her child when they first start driving. But she does have a good point – checking for tampering and dangers gives us visibility and allows us to keep ourselves safe from threats.

The concept can very easily be extended to Information Security. How? By giving yourself visibility and not leaving yourself in the dark. Sometimes you need to look a little deeper before making assumptions about threats.

This all sounds good, but how do we put this into play without creating an unmanageable stream of data? Let’s start out with one basic tool that is often overlooked: Integrity Monitoring.

Most of the time when organizations deploy Integrity Monitoring they do it to meet a compliance requirement. Compliance frameworks write these requirements because monitoring key parts of your system can point to potential security concerns. So now not only has your mother been giving you security advice, but so has your compliance officer. The issue is that we could monitor everything and try to look at every change. That, however, gets us back to the unmanageable stream of data that tends to get overlooked and not reviewed.

There are many sources that you can read that point out the advantages of monitoring key system locations:

These two resources point to key items to monitor in a system.  There are many more out there that a simple Google search will reveal.

Here are 5 points that are a good starting point for monitoring, each with a brief explanation:

  1. Files being dropped onto a system that could be remote tools or have other malicious intent. Most often these are dropped in locations where they can easily be overlooked or disguised, such as the Recycle Bin.
  2. Installation of new software.
  3. A new process or service set to start on reboot. This could indicate an attacker trying to establish persistence on a system.
  4. New registry values. These could point to malicious software.
  5. System files being modified – attackers will often try to inject into existing system files to disguise their software.

Trend Micro’s Deep Security has the capability to monitor the integrity of key locations on your system. Below are outlines of some of our base rule sets that tie back to these 5 points.

By using some very basic Integrity Monitoring Rules you can easily identify some of these noted concern areas.

1005041 – Malware – Suspicious Microsoft Windows Files Detected

1005042 – Malware – Suspicious Microsoft Windows Registry Entries Detected

TMTR-0022: Suspicious Files Detected In Recycle Bin

TMTR-0002: Suspicious Files Detected In Operating System Directories

1002776 – Microsoft Windows – Startup Programs Modified

This rule alerts when there is any change in the file attributes of user Startup programs located under the Profiles directories. The rule also monitors directory permissions of Startup programs found under the Profiles directory and modifications to the registry entries created by the Startup programs and Winlogon.

The rule provides configuration options to select the file attributes to monitor and to enter files to exclude from monitoring under %ProfilesDir%\username\Start Menu\Programs\Startup.

1002778 – Microsoft Windows – System .dll or .exe files modified

This rule alerts when there is a change in the file attributes Created, LastModified, Permissions, Owner, Group, Size and Contents of .dll or .exe files under the %WINDIR%\system32 path. The rule also provides a configuration option to exclude files from monitoring and to select the file attributes to monitor.
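To make the attribute-based approach of these rules concrete, here is an added example (not Deep Security code, and not from the original post) that baselines the same attribute set for .dll/.exe files under a directory, honours an ignore list, and reports which attributes changed on a re-scan. The scratch directory, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Attribute set mirrored from the rule description above.
MONITORED_ATTRS = ("created", "last_modified", "permissions", "owner", "size", "contents")


def snapshot(root, suffixes=(".dll", ".exe"), ignore=()):
    """Monitored attributes of each .dll/.exe under root; `ignore` = root-relative names to skip."""
    baseline = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or path.suffix.lower() not in suffixes or rel in ignore:
            continue
        st = path.stat()
        baseline[rel] = {
            "created": st.st_ctime,  # creation time on Windows, inode-change time on POSIX
            "last_modified": st.st_mtime,
            "permissions": stat.filemode(st.st_mode),
            "owner": st.st_uid,
            "size": st.st_size,
            "contents": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return baseline


def compare(old, new, attrs=MONITORED_ATTRS):
    """One event per file: 'added', 'removed', or 'modified:<attributes that differ>'."""
    events = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events[rel] = "added"
        elif rel not in new:
            events[rel] = "removed"
        else:
            changed = [a for a in attrs if old[rel][a] != new[rel][a]]
            if changed:
                events[rel] = "modified:" + ",".join(changed)
    return events


def demo():
    """Constructed scenario: baseline a scratch directory, then tamper with it."""
    root = Path(tempfile.mkdtemp())
    (root / "a.exe").write_bytes(b"original binary")
    (root / "b.dll").write_bytes(b"library")
    (root / "readme.txt").write_bytes(b"not monitored: wrong suffix")
    baseline = snapshot(root)
    (root / "a.exe").write_bytes(b"patched binary with extra bytes")  # size + contents change
    (root / "b.dll").unlink()                                          # removed
    (root / "c.exe").write_bytes(b"dropped file")                      # added
    return compare(baseline, snapshot(root))
```

Running `demo()` yields one event per touched file; a real deployment would persist the baseline and only re-scan the specific paths the rules name.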

1006799 – TMTR-0014: Suspicious Service Detected

Microsoft Windows – ‘Hosts’ file modified

This rule alerts when there is any change in the file attributes of the Windows ‘Hosts’ file found under the %WINDIR%\system32\drivers\etc (e.g., C:\WINDOWS\system32\drivers\etc) directory.

TMTR-0016: Suspicious Running Processes Detected

By implementing the simple rules above you will be able to gain insight into possible security concerns that could easily be overlooked. So listen to your mother and park in a well-lit area. Here is more detailed information for each of the rules listed.

1005041 – Malware – Suspicious Microsoft Windows Files Detected

[Screenshot: rule details for 1005041]

1005042 – Malware – Suspicious Microsoft Windows Registry Entries Detected

[Screenshot: rule details for 1005042]

1002776 – Microsoft Windows – Startup Programs Modified

[Screenshots: rule details for 1002776]

Written by Cloud Security Expert Tony Allgrati