Indicators of Attack - 2.4

Events that, when observed, point with reasonable confidence to an attack that has occurred or is in progress. Most of them also have benign explanations, so they are normally correlated with other telemetry before an alert is raised rather than treated as proof on their own.

  • Account Lockout
    • An account is locked after the configured number of failed sign-ins. One lockout is usually a forgotten password; many lockouts across different accounts in a short window point to brute-force or password-spraying attempts, and a lockout on an account whose owner is not working at the time is worth investigating on its own.
  • Concurrent Session Usage
    • Concurrent session usage is multiple active sessions under the same user account at the same time, typically from different devices, IP addresses or locations. Some users legitimately keep concurrent sessions (e.g., a phone and a laptop), so the signal is sessions from unexpected devices or locations, which can mean the credentials have been shared or stolen.
    • This differs from impossible travel in that concurrent sessions need not involve any geographic distance at all: two simultaneous sessions from the same city still count. The focus is on simultaneous use of one identity rather than on travel time.
  • Blocked Content
    • Blocked content refers to the events a security control (web filter, email gateway, DLP, firewall, EDR) generates when it stops a user or process from reaching or sending something. A single block is routine; a burst of blocks, repeated attempts by one host to reach a known-malicious domain, or blocked outbound transfers of sensitive files indicate an attack that was attempted and at least partly stopped, and the same host may have succeeded through a path that was not filtered. Blocks that legitimate users did not expect, or filtering rules nobody admits to creating, are a separate indicator: an attacker with administrative access may have changed the control's policy.
  • Impossible Travel
    • Physical travel, not directory traversal
    • Impossible travel refers to sign-ins or access for one account from geographically distant locations within a timeframe that rules out actually travelling between them, e.g., London at 09:00 and New York at 09:40. It is a strong indicator of compromised credentials. Check the geolocation before alerting: VPN exit nodes, cloud proxies and mobile-carrier NAT routinely place a user far from where they really are.
  • Resource Consumption
    • Unexpected CPU, memory, disk or bandwidth use on a host, e.g., cryptomining, a server being used to scan or attack other systems, or large outbound transfers that suggest exfiltration.
  • Resource Inaccessibility
    • Services or data that suddenly cannot be reached: files encrypted by ransomware, a service taken down by denial of service, or a security tool that an attacker has disabled.
  • Out-of-Cycle (Irregular) Logging
    • Log entries at times when nothing should be happening, e.g., a scheduled job that normally runs at 02:00 appearing at 14:00, or administrative activity during a quiet period. Log volume far above or below the usual baseline belongs here too.
  • Published/Documented (Exposure of Sensitive Data)
    • The organisation's data appearing where it should not: posted on a leak or paste site, offered for sale, or referenced in a public writeup. This is often the first sign of a breach that internal monitoring missed.
  • Missing Log Files
    • Logs that have been deleted, truncated or cleared, or gaps in a log stream that is normally continuous. Attackers clear logs to hide their tracks, so a missing file or an unexplained gap is itself an indicator, and the log-clearing action should be recorded on a system the attacker cannot reach.
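The impossible-travel and concurrent-session checks above, run over a handful of constructed sign-in events, as an added example that is not part of the original notes. The event data, the 900 km/h speed threshold and the 8-hour session lifetime are assumptions chosen for illustration; a real deployment would take the coordinates from a geo-IP lookup of the source address.

```python
import math
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): user, UTC timestamp,
# source IP and the (lat, lon) a geo-IP lookup would return for that IP.
EVENTS = [
    ("alice", "2024-03-01T09:00:00", "203.0.113.10", (51.5074, -0.1278)),    # London
    ("alice", "2024-03-01T09:40:00", "198.51.100.7", (40.7128, -74.0060)),   # New York
    ("bob",   "2024-03-01T10:00:00", "192.0.2.5",    (48.8566, 2.3522)),     # Paris
    ("bob",   "2024-03-01T18:30:00", "192.0.2.77",   (52.5200, 13.4050)),    # Berlin
    ("carol", "2024-03-01T11:00:00", "192.0.2.9",    (37.7749, -122.4194)),  # San Francisco
    ("carol", "2024-03-01T11:05:00", "192.0.2.9",    (37.7749, -122.4194)),  # same device again
]

# Assumed thresholds: nothing in the notes fixes these numbers.
MAX_SPEED_KMH = 900.0             # faster than this between two sign-ins is "impossible"
SESSION_TTL = timedelta(hours=8)  # how long a session is assumed to stay active
EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def sessions_by_user(events):
    """Group events per user and sort each user's events by time."""
    grouped = {}
    for user, ts, ip, loc in events:
        grouped.setdefault(user, []).append((datetime.fromisoformat(ts), ip, loc))
    for evs in grouped.values():
        evs.sort(key=lambda e: e[0])
    return grouped


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins whose implied ground speed exceeds the threshold."""
    alerts = []
    for user, evs in sessions_by_user(events).items():
        for (t1, ip1, l1), (t2, ip2, l2) in zip(evs, evs[1:]):
            dist_km = haversine_km(l1, l2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours == 0:
                # Same instant from two places is still impossible; avoid dividing by zero.
                speed = math.inf if dist_km > 0 else 0.0
            else:
                speed = dist_km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": ip1, "to": ip2,
                               "km": round(dist_km), "kmh": round(speed)})
    return alerts


def concurrent_sessions(events, ttl=SESSION_TTL):
    """Flag a user whose session from one IP is still live when a session from another IP starts."""
    alerts = []
    for user, evs in sessions_by_user(events).items():
        for i, (t1, ip1, _) in enumerate(evs):
            for t2, ip2, _ in evs[i + 1:]:
                if t2 >= t1 + ttl:
                    break                  # sorted by time, so later sessions cannot overlap either
                if ip2 != ip1:             # same IP is treated as the same device, not a finding
                    alerts.append({"user": user, "first": ip1, "second": ip2})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print("impossible travel:", a)
    for a in concurrent_sessions(EVENTS):
        print("concurrent sessions:", a)
```

Alice trips both rules: London to New York is about 5,570 km and 40 minutes implies roughly 8,350 km/h, and her second session starts while the first is still within its lifetime. Bob's Paris-to-Berlin hop is only about 100 km/h and his second session begins after the first has expired, so neither rule fires. Carol's two sign-ins from the same IP are treated as one device and produce nothing, which is the kind of benign concurrency the note above warns about.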
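A second added example, not from the original notes, covering the out-of-cycle logging and missing-log indicators: it scans constructed syslog-style lines for a heartbeat stream that went silent (a gap that usually means logging stopped or was cleared) and for scheduled jobs logging outside their allowed window. The line format, the five-minute heartbeat, the job schedule and the host name are assumptions; lines are assumed to be in time order as the logger wrote them.

```python
from datetime import datetime, time, timedelta

# Constructed syslog-style sample lines (not from any real system), one event per line:
# "<ISO timestamp> <host> <program>: <message>". Each host is assumed to emit a
# "heartbeat" line every five minutes; the 02:10 to 02:55 silence is the planted gap.
LOG_LINES = """\
2024-03-01T01:55:00 web01 heartbeat: ok
2024-03-01T02:00:00 web01 heartbeat: ok
2024-03-01T02:00:05 web01 backup: start
2024-03-01T02:05:00 web01 heartbeat: ok
2024-03-01T02:10:00 web01 heartbeat: ok
2024-03-01T02:31:00 web01 backup: finish
2024-03-01T02:47:00 web01 dbexport: start
2024-03-01T02:55:00 web01 heartbeat: ok
2024-03-01T03:00:00 web01 heartbeat: ok
2024-03-01T03:05:00 web01 heartbeat: ok""".splitlines()

# Assumed schedule: the only time-of-day window in which each job should log anything.
SCHEDULE = {
    "backup":   (time(2, 0), time(3, 0)),
    "dbexport": (time(4, 0), time(5, 0)),
}
HEARTBEAT_INTERVAL = timedelta(minutes=5)
GAP_FACTOR = 2   # silence longer than 2x the interval is reported as a gap


def parse_line(line):
    """Split one log line into (timestamp, host, program, message)."""
    ts, host, rest = line.split(" ", 2)
    program, message = rest.split(": ", 1)
    return datetime.fromisoformat(ts), host, program, message


def heartbeat_gaps(lines, interval=HEARTBEAT_INTERVAL, factor=GAP_FACTOR):
    """Report stretches where a host's heartbeat stream went silent for too long."""
    last_seen = {}
    gaps = []
    for ts, host, program, _ in map(parse_line, lines):
        if program != "heartbeat":
            continue
        if host in last_seen and ts - last_seen[host] > interval * factor:
            silence = ts - last_seen[host]
            gaps.append({"host": host, "from": last_seen[host].isoformat(),
                         "to": ts.isoformat(), "minutes": int(silence.total_seconds() // 60)})
        last_seen[host] = ts
    return gaps


def in_window(t, start, end):
    """True if time-of-day t lies in [start, end]; a window may wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def out_of_cycle(lines, schedule=SCHEDULE):
    """Return events from scheduled jobs that were logged outside their window."""
    findings = []
    for ts, host, program, message in map(parse_line, lines):
        if program in schedule and not in_window(ts.time(), *schedule[program]):
            findings.append({"time": ts.isoformat(), "host": host,
                             "program": program, "message": message})
    return findings


if __name__ == "__main__":
    for g in heartbeat_gaps(LOG_LINES):
        print("heartbeat gap:", g)
    for f in out_of_cycle(LOG_LINES):
        print("out-of-cycle event:", f)
```

The gap detector only sees a silence once the next heartbeat arrives, so in production the last heartbeat per host must also be compared against the current time: a stream that stops and never resumes (the file was deleted, or the forwarder was killed) otherwise produces no finding at all. The dbexport line at 02:47 is reported because its window is 04:00 to 05:00; the backup lines fall inside their window and are ignored.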