Manually searching for IOCs to find APTs

Let's go hunting. Grab your pitchforks!! Okay, okay, your mouse and keyboard will do. Here are some ideas to help get you started identifying indicators of compromise (IOCs) and Advanced Persistent Threats (APTs). Even if you think you have tools to identify this, I would still run through this occasionally to ensure everything's working. Also, when you are looking, look over numerous time periods like 24h, 7 days and 30 days.

Proxy Logs

  • Traffic to .cn domains
  • Traffic to .ru domains
  • Traffic to .su domains - after all, the USSR was dissolved in 1991
  • Identify your top source traffic
  • Identify your top destination hits - you'll need to apply a lot of filters to get accurate data
  • Dynamic DNS - e.g. * (only one provider though)
  • HTTP POST traffic to pastebin

Firewall Logs - look for both allows and denies

  • Traffic to Chinese IP address space
  • Traffic to Russian IP address space
  • Traffic from your firewall addresses - is it being used as a pivot point?
  • Identify your top talkers
  • Tor traffic - look for traffic to TCP port 9001

DNS Logs

  • Top Sources
  • Top Destination addresses
  • Dynamic DNS domains
  • If you are logging it - top domain requests that don't get resolved
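As an added example (not from the original post), here is a small Python pass that runs the checks from the three sections above over a few constructed proxy, firewall and DNS records: suspect TLDs, POSTs to pastebin, connections to TCP port 9001 in both allows and denies, top talkers, and unresolved DNS names per source. The three log formats are assumed, simplified ones; swap the parsing for your own proxy, firewall and resolver formats.

```python
from collections import Counter
SUSPECT_TLDS = {"cn", "ru", "su"}   # the TLDs the post calls out
TOR_ORPORT = "9001"                 # default Tor ORPort named in the post
# Constructed sample records (not from the original post): proxy, firewall, DNS.
PROXY = """10.0.0.5 GET http://update.example.com/ 200
10.0.0.7 GET http://mirror.example.cn/pkg 200
10.0.0.9 POST https://pastebin.com/api/api_post.php 200
10.0.0.7 GET http://news.example.su/ 200""".splitlines()
FIREWALL = """ALLOW TCP 10.0.0.7 203.0.113.10:443
DENY TCP 10.0.0.9 198.51.100.20:9001
ALLOW TCP 10.0.0.7 203.0.113.11:9001
ALLOW TCP 10.0.0.5 203.0.113.12:80""".splitlines()
DNS = """10.0.0.7 dyn-host.example.net NOERROR
10.0.0.9 a1b2c3.example.ru NXDOMAIN
10.0.0.9 d4e5f6.example.ru NXDOMAIN
10.0.0.5 www.example.com NOERROR""".splitlines()

def tld(hostname):
    return hostname.rsplit(".", 1)[-1].lower()

def hunt_proxy(lines):
    # Flag suspect TLDs and HTTP POSTs to pastebin; also return top source IPs.
    flags, sources = [], Counter()
    for line in lines:
        src, method, url, _status = line.split()
        host = url.split("://", 1)[-1].split("/", 1)[0]
        sources[src] += 1
        if tld(host) in SUSPECT_TLDS:
            flags.append(("tld", src, host))
        if method == "POST" and host.endswith("pastebin.com"):
            flags.append(("pastebin-post", src, host))
    return flags, sources.most_common(3)

def hunt_firewall(lines):
    # Flag connections to TCP/9001 whether allowed or denied; count top talkers.
    flags, talkers = [], Counter()
    for line in lines:
        action, proto, src, dst = line.split()
        talkers[src] += 1
        if proto == "TCP" and dst.endswith(":" + TOR_ORPORT):
            flags.append(("tor-port", action, src, dst))
    return flags, talkers.most_common(3)

def hunt_dns(lines):
    # Count unresolved names per source and flag suspect TLDs in queries.
    flags, nxdomain = [], Counter()
    for line in lines:
        src, name, rcode = line.split()
        nxdomain[src] += rcode == "NXDOMAIN"
        if tld(name) in SUSPECT_TLDS:
            flags.append(("tld", src, name))
    return flags, nxdomain.most_common(3)
```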