Channel: Questions in topic: "splunk-enterprise"

How can I search for attacks on network devices inside my perimeter?

I like to use US-CERT notifications to query my SIEM in case I can find data on known malware. However, now we are close to indexing our IT security data and I plan to use Enterprise Security for monitoring. Does anyone have suggestions how to look for cyber-attacks on my network devices other than traditional network perimeter defenses? I am referring to routers and Cisco ASA devices (recent guidance from US-CERT said bad actors are now compromising Cisco ASA devices using APT techniques). How would I go about selecting the correct sourcetype and creating an accurate search looking for a compromise? Would I try to search on certain ports and AV logs looking for malware? An example of malicious malware is SYNful Knock, because it silently changes a router's operating system image, thus allowing attackers to gain a foothold on my network. Other attacks against network infrastructure devices have also been reported, including more complicated malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. Sorry for the lengthy question and I appreciate any advice or insight you have.
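As an added illustration of one check the question is reaching for (not part of the original post or of any answer to it): SYNful Knock replaces the router's IOS image, so a high-signal detection is to compare each device's reported boot image and hash against a baseline recorded at provisioning time. The event layout, host names, image file names and hashes below are all constructed and assume a collector that runs `verify /md5` on each router and forwards the result as a key=value event; in Splunk the same comparison would be a lookup against the baseline.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample events in an assumed "key=value" layout, as a collector
# script running "verify /md5" on each router might forward them to Splunk.
# None of these hosts, image names or hashes are real.
SAMPLE_EVENTS = """\
2016-09-01T02:00:01Z host=edge-rtr-01 image=flash:c2900-universalk9-mz.SPA.154-3.M3.bin md5=00112233445566778899aabbccddeeff
2016-09-01T02:00:05Z host=edge-rtr-02 image=flash:c2900-universalk9-mz.SPA.154-3.M3.bin md5=ffeeddccbbaa99887766554433221100
2016-09-01T02:00:09Z host=edge-rtr-03 image=flash:c2900-universalk9-mz.SPA.154-3.M3.bin md5=00112233445566778899aabbccddeeff
2016-09-01T02:00:12Z host=edge-rtr-04 image=flash:c2900-universalk9-mz.bin md5=00112233445566778899aabbccddeeff
garbage line that should be ignored
"""

# Known-good baseline (constructed): image file and MD5 recorded per device
# when it was provisioned. edge-rtr-03 was never enrolled.
BASELINE: Dict[str, Dict[str, str]] = {
    "edge-rtr-01": {"image": "flash:c2900-universalk9-mz.SPA.154-3.M3.bin",
                    "md5": "00112233445566778899aabbccddeeff"},
    "edge-rtr-02": {"image": "flash:c2900-universalk9-mz.SPA.154-3.M3.bin",
                    "md5": "00112233445566778899aabbccddeeff"},
    "edge-rtr-04": {"image": "flash:c2900-universalk9-mz.SPA.154-3.M3.bin",
                    "md5": "00112233445566778899aabbccddeeff"},
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) md5=(?P<md5>[0-9a-f]{32})$"
)

class Finding(NamedTuple):
    host: str
    reason: str  # hash_mismatch | image_renamed | unknown_device

def find_image_drift(events: str, baseline: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one finding per event whose boot image deviates from the baseline."""
    findings: List[Finding] = []
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed lines are dropped rather than silently trusted
        host, image, md5 = m["host"], m["image"], m["md5"]
        good = baseline.get(host)
        if good is None:
            findings.append(Finding(host, "unknown_device"))   # no baseline to trust
        elif md5 != good["md5"]:
            findings.append(Finding(host, "hash_mismatch"))    # image content changed
        elif image != good["image"]:
            findings.append(Finding(host, "image_renamed"))    # same bytes, new file name
    return findings

if __name__ == "__main__":
    for f in find_image_drift(SAMPLE_EVENTS, BASELINE):
        print(f"{f.host}: {f.reason}")
```

A device that legitimately received a new image will also trip `hash_mismatch`, so the baseline has to be updated as part of the change process or the alert becomes noise.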
