Most ThreatSTOP customers log into the portal once a day to see what has happened on their network in the past 24 hours. Even if you can’t log in, you have a summary automatically emailed to you once a day. However, most customers do log in because they realize it’s especially important to remediate infected machines in a timely manner.
A lot of the time, however, it can be hard to see the really bad stuff in the top-level dashboard summaries. You have to drill down into the data to find out if there’s anything seriously bad, or whether it’s just relatively innocuous phishing links. This is because, at the top level, it’s impossible to break out the call-homes to botnet C2s from the phishing links, the sleazy adware, and so on.
Once a week you do get a clearer view, and the best day to check is Monday. Monday's report shows what your network was doing over the weekend, when there was no one in the office.
Unless you have employees working off hours, there should be little or no network traffic on Sundays. Any outbound connections that do take place on a Sunday are therefore immediately suspicious: there is no legitimate reason for anything to be active then.
Moreover, because there is so much less activity on a Sunday, it is normally easier to go through the related logs of IPAM and similar systems to track down exactly which devices these suspicious connections came from. (Those logs may also reveal what else the devices were doing that was not necessarily captured in the logs uploaded to ThreatSTOP.)
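A small triage script for the weekend review described above, added here as an illustration rather than a ThreatSTOP tool. It assumes a constructed, space-separated log format (timestamp, source host, blocked destination, threat category), a Monday to Friday 9 AM to 5 PM working week, and a simple severity ranking that puts C2 call-homes ahead of adware and phishing so the worst hosts surface first.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real ThreatSTOP output): ts host destination category.
# Fri 2024-03-08, Sat 03-09, Sun 03-10, Mon 03-11; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-08T14:02:11 ws-0412 203.0.113.10 phishing
2024-03-09T03:15:40 ws-0412 198.51.100.7 botnet-c2
2024-03-10T02:41:09 ws-0077 198.51.100.7 botnet-c2
2024-03-10T11:20:33 ws-0077 192.0.2.55 adware
2024-03-11T09:05:00 ws-0199 203.0.113.10 phishing
"""

BUSINESS_DAYS = {0, 1, 2, 3, 4}          # Monday..Friday (assumed working week)
BUSINESS_HOURS = (time(9, 0), time(17, 0))
SEVERITY = {"botnet-c2": 3, "adware": 2, "phishing": 1}  # assumed ranking


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, cat = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "cat": cat})
    return events


def is_off_hours(ts):
    """True on weekends or outside business hours on a weekday."""
    if ts.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def weekend_triage(events):
    """Group off-hours hits by source host, worst category and most hits first.

    Off-hours outbound connections to blocked destinations are the ones the
    Monday report should start with; hosts with C2 traffic come before hosts
    that only touched phishing or adware destinations.
    """
    flagged = defaultdict(list)
    for e in events:
        if is_off_hours(e["ts"]):
            flagged[e["src"]].append(e)
    ranked = sorted(flagged.items(),
                    key=lambda kv: (max(SEVERITY.get(e["cat"], 0) for e in kv[1]),
                                    len(kv[1])), reverse=True)
    return dict(ranked)
```

Each flagged host is a candidate for IPAM lookup and remediation before the working week starts.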
Monday’s report has another perk if you are an organization that might be attacked by a nation-state actor. Nation-state actors differ from criminal ones in that their attacks are typically performed by salaried employees working 9 AM – 5 PM, Monday to Friday.
I recall a Juniper security presentation some years back where they showed attack volumes by hour/day, and the higher-volume hours/days correlated closely with Chinese office hours. (This included drops in attacks over holidays such as Chinese New Year.) Similarly, countries in the Islamic world usually work Sunday to Thursday (not Monday to Friday), which means that they too will be attacking during the Western world’s day of rest.
With all this information combined, Monday’s report is likely to be the one time of the week when you can clearly see previously compromised devices inside your network, and it lets you prepare for additional activity during the rest of the week.
If you’re a ThreatSTOP customer, consider logging in next Monday to see what happened on your network over the weekend. If you aren’t, you can set up a free, 14-day trial and take a look into what happened on your network next Monday.
To learn more about ThreatSTOP and how to get started with a free trial, check us out below.