Detecting Attacks on Devices
| English | Chinese | Pinyin |
|---|---|---|
| indicator of compromise | 入侵指标 | rù qīn zhǐ biāo |
| password spraying | 密码喷洒 | mì mǎ pēn sǎ |
| credential stuffing | 撞库 | zhuàng kù |
| endpoint detection and response | 端点检测与响应 | duān diǎn jiǎn cè yǔ xiǎng yìng |
Indicators of compromise
- Logs reveal an indicator of compromise (IoC) 入侵指标 — evidence an adversary got in.
- Host-based IoCs: unexpected processes or changed settings.
- File-based IoCs: a file whose hash matches known malware.
Reading auth logs
- Many wrong passwords for one user = a guessing attack.
- Many users failing from one IP = password spraying 密码喷洒.
- A burst of default credentials = credential stuffing 撞库.
Read the log: which password attack?
One user + many wrong passwords = guessing; many users + one IP = spraying; default credentials = stuffing.
Evidence in a log that an adversary has compromised a device is an...
An IoC is an indicator of compromise.
Many different users failing to log in from ONE IP address suggests...
One IP, many users = password spraying.
A powerful third-party device-detection service is called ____ (endpoint detection and response).
EDR is powerful but expensive.
Which are kinds of indicators of compromise? (Choose all)
There is no weather-based IoC.
Choosing detection
- Signature-based is lighter — better for weak devices.
- An endpoint detection and response (EDR) 端点检测与响应 service is powerful but costly.
- Some attacks cannot be detected on the device at all.
Offline password attacks cannot be detected. The adversary already stole the hash database and is cracking it on their own computer, far from your logs. This is a favourite exam "gotcha" — the only defense is strong, salted hashing.
Offline password attacks generally cannot be detected on your systems.
The cracking happens on the adversary's own machine.
An auth log shows 50 failed logins for user admin in 30 seconds, all from one IP. That pattern — one account, many wrong passwords, fast — is the signature of an online password-guessing attack that can be blocked with a lockout policy.
Device attacks leave an IoC in logs (host-based, file-based, behaviour-based). Auth logs distinguish guessing (one user), spraying (many users, one IP), and stuffing (default credentials). Pick detection by device power (EDR is powerful but costly). Offline attacks cannot be detected.