In addition, he adds, brute-force password activity can be detected by scrutinizing server logs for any server that is integrated into the organization's IdAM (identity and access management) infrastructure (e.g. Microsoft Active Directory) or by observing network behavior across a number of different protocols (e.g. SMB, Kerberos, RDP, VNC, SSH, HTTP, HTTPS).
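As an added illustration of the log-based detection described above (this is example code, not anything from the article or from Tavakoli), the following Python script parses a handful of constructed syslog-style authentication lines, counts failed logons per source address within a sliding time window, and raises an alert once a source crosses a threshold. It also records whether a successful logon from that same source follows the burst, which is the case an analyst would want to triage first. The log format, addresses, window and threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (hosts, users and addresses are made up).
SAMPLE_LOG = """\
2024-03-01T09:00:01 srv1 sshd[101]: Failed password for admin from 10.0.0.5 port 5000
2024-03-01T09:00:03 srv1 sshd[102]: Failed password for root from 10.0.0.5 port 5001
2024-03-01T09:00:05 srv1 sshd[103]: Failed password for alice from 10.0.0.5 port 5002
2024-03-01T09:00:07 srv1 sshd[104]: Failed password for bob from 10.0.0.5 port 5003
2024-03-01T09:00:09 srv1 sshd[105]: Failed password for admin from 10.0.0.5 port 5004
2024-03-01T09:00:11 srv1 sshd[106]: Failed password for root from 10.0.0.5 port 5005
2024-03-01T09:00:15 srv1 sshd[107]: Accepted password for alice from 10.0.0.5 port 5006
2024-03-01T09:00:20 srv1 sshd[108]: Failed password for alice from 10.0.0.9 port 6000
2024-03-01T09:05:00 srv1 sshd[109]: Failed password for alice from 10.0.0.9 port 6001
2024-03-01T09:06:00 srv1 cron[7]: session opened for user root
"""

# Assumed line layout: "<iso-timestamp> <host> <proc>: <Failed|Accepted> password for <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines that are not logon events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, window=timedelta(seconds=60), threshold=5):
    """Alert on sources with >= threshold failed logons inside a sliding window.

    Returns {src: {"at", "failures", "users", "followed_by_success"}} keyed by the
    source address, recorded at the moment the threshold was first crossed.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for failures in window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted":
            # A success after a burst of failures is the highest-priority case.
            if ev["src"] in alerts:
                alerts[ev["src"]]["followed_by_success"] = True
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {
                "at": ev["ts"],
                "failures": len(q),
                "users": sorted({u for _, u in q}),  # several users => spray-like pattern
                "followed_by_success": False,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The same counting logic applies to Windows logon-failure events or to authentication flows observed on the wire; only `parse_line` changes.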
Finally, exfiltration can be exceedingly difficult to detect on a smaller scale, but it's best to have a strategy for detecting large-scale exfiltrations.
"Look for patterns of behavior where a host on your network acquires large amounts of data from internal servers and subsequently sends a significant amount of data to an external system," Tavakoli said.
"Also, look for significant outbound flows of data from hosts on unusual channels (e.g. 10Gb outbound via FTP). The higher the volume of data acquired and sent, the greater the business risk and priority for investigation. This type of alert should be of the highest priority since it represents the last step of the attack chain and your last chance to prevent or mitigate data loss."
Doing more with less
Given that most organizations have a good deal of security infrastructure already in place, plenty can be done to better tune their devices and filter out the noise. Again, the key is to identify the most critical assets, and what it would take to attack them.
"For example, if your crown jewel is your Oracle database, you should have a well-established baseline for which hosts connect to it, the queries they perform on a regular basis and the amount of data transacted as a result of those queries," Tavakoli explained.
"A baseline provides an immediate intuitive reaction of whether a report showing 100,000 hosts connecting to the Oracle database performing 5 million queries in one day is normal or anomalous. You may be able to use products and technology you have (e.g., NetFlow analyzers), or you may need to evaluate new technology to accomplish this."
A good starting point is to practice good security hygiene by following the Critical Security Controls for Effective Cyber Defense, published by the Council on Cyber Security. The controls themselves can help protect against a number of common attacks, and improve the amount of actionable signals generated by the monitoring systems.
"For example, you can identify the exfiltration behavior of hosts, which represent a key part of your attack surface, by baselining the amount of data they send to the outside and setting a trigger to alert when that baseline is exceeded by a significant amount," Tavakoli said.
To put that in perspective, if a host that normally sends 20 MB of data on average is observed sending 2 GB in one day, this should raise alerts for possible exfiltration.
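The following Python script is an added example (not code from the article or from Tavakoli) that puts the baseline-and-trigger approach from the last two paragraphs, and the acquire-then-send pattern Tavakoli describes earlier, into working detection logic over constructed per-day flow summaries of the kind a NetFlow analyzer would export. It builds a per-host outbound baseline from a few quiet days, then flags a host on the day under review when its outbound volume exceeds that baseline by a large ratio, when a host with no baseline sends a large absolute amount, or when a host both pulls a large volume from internal systems and sends a large volume out. The internal address range, the thresholds and all traffic figures are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Assumption: the organisation's internal address space is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed per-day flow summaries: (day, src, dst, bytes sent from src to dst).
FLOWS = [
    # Quiet days: 10.0.1.20 sends roughly 20 MB/day to an external system.
    ("2024-03-01", "10.0.1.20", "203.0.113.10", 20_000_000),
    ("2024-03-02", "10.0.1.20", "203.0.113.10", 21_000_000),
    ("2024-03-03", "10.0.1.20", "203.0.113.10", 19_000_000),
    # Day under review: it pulls 2.5 GB from an internal file server and sends 2 GB out.
    ("2024-03-04", "10.0.5.5", "10.0.1.20", 2_500_000_000),
    ("2024-03-04", "10.0.1.20", "198.51.100.7", 2_000_000_000),
    # A host whose outbound volume stays close to its baseline.
    ("2024-03-01", "10.0.1.30", "203.0.113.10", 50_000_000),
    ("2024-03-02", "10.0.1.30", "203.0.113.10", 52_000_000),
    ("2024-03-03", "10.0.1.30", "203.0.113.10", 48_000_000),
    ("2024-03-04", "10.0.1.30", "203.0.113.10", 55_000_000),
    ("2024-03-04", "10.0.5.5", "10.0.1.30", 100_000_000),
    # A host seen for the first time on the review day, sending little.
    ("2024-03-04", "10.0.1.40", "203.0.113.10", 5_000_000),
]


def aggregate(flows):
    """Per (day, host): bytes sent to external systems, and bytes received from internal systems."""
    sent_out = defaultdict(int)
    pulled = defaultdict(int)
    for day, src, dst, nbytes in flows:
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int and not dst_int:
            sent_out[(day, src)] += nbytes
        if src_int and dst_int:
            pulled[(day, dst)] += nbytes
    return sent_out, pulled


def build_baseline(sent_out, baseline_days):
    """Mean daily outbound bytes per host over the baseline days."""
    per_host = defaultdict(list)
    for (day, host), nbytes in sent_out.items():
        if day in baseline_days:
            per_host[host].append(nbytes)
    return {host: mean(values) for host, values in per_host.items()}


def detect_exfiltration(flows, review_day, baseline_days, ratio_threshold=10.0,
                        absolute_threshold=1_000_000_000, pull_threshold=1_000_000_000):
    """Return alerts for review_day, highest outbound volume first."""
    sent_out, pulled = aggregate(flows)
    baseline = build_baseline(sent_out, set(baseline_days))
    alerts = []
    for (day, host), sent in sent_out.items():
        if day != review_day:
            continue
        base = baseline.get(host)
        ratio = sent / base if base else None
        acquired = pulled.get((day, host), 0)
        reasons = []
        if ratio is not None and ratio >= ratio_threshold:
            reasons.append("baseline_exceeded")
        if ratio is None and sent >= absolute_threshold:
            reasons.append("no_baseline_large_send")
        # Daily summaries do not preserve ordering, so this pairs the two volumes
        # within the day rather than proving the pull happened before the send.
        if acquired >= pull_threshold and sent >= absolute_threshold:
            reasons.append("acquire_and_send")
        if reasons:
            alerts.append({"host": host, "day": day, "sent": sent, "acquired": acquired,
                           "baseline": base, "ratio": ratio, "reasons": reasons})
    # Larger volumes carry more business risk, so they are investigated first.
    alerts.sort(key=lambda a: a["sent"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(FLOWS, "2024-03-04", ["2024-03-01", "2024-03-02", "2024-03-03"]):
        print(a)
```

A mean over a few days is deliberately simple; with more history, a per-weekday median or a standard-deviation band gives fewer false positives on hosts with bursty but legitimate traffic such as backup servers.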