Every time you log into your laptop, download a file, or install an app, your device quietly writes it down. Those records, called logs, are like a security camera for your computer. When something goes wrong, like a hacker sneaking in or malware getting installed, those logs are often the first place defenders look to figure out what happened. This topic is all about reading the clues your device leaves behind and spotting attacks before they cause real damage.
How to Detect Attacks Against Devices
Computers log a ton of stuff automatically: system processes, configuration changes, login attempts, file downloads, and user actions. If something sketchy happens, security analysts can pull these logs to reconstruct what went down before, during, and after an incident. Think of it like reviewing the security footage after a break-in.
When analysts find evidence that an attacker actually got in, that evidence is called an indicator of compromise (IoC). An IoC is basically proof that a device or network has been hit. IoCs come in three main flavors, and you need to know all of them.

Host-Based IoCs
Host-based IoCs are clues you find by analyzing logs and configuration settings on the device itself. You're looking at authentication logs, user activity logs, and system config files for signs like:
- Unusual files being created or modified (a random .exe showing up in a system folder)
- Unexpected processes or services running in the background
- Unauthorized changes to system configuration settings (like firewall rules being turned off)
- Unauthorized software installation or updates
If your computer suddenly has a new "service" running that you've never heard of, that's a host-based IoC worth investigating.
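The usual way to surface host-based IoCs is to compare the device's current state against a baseline captured when the host was known to be clean. The following Python is an added example, not code from the original page; the baseline, the current snapshot, the service name `svchost_helper`, and the configuration keys are all constructed sample data.

```python
# Added example: diffing a host's current state against a known-good baseline
# to surface the four kinds of host-based IoC described above.
# All snapshot contents below are constructed sample data, not real host output.
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    services: set             # names of running services
    config: dict              # configuration setting -> value
    system_files: set         # files present in a protected system directory
    installed_software: set   # installed packages / applications


# Baseline captured from a known-clean state (constructed).
BASELINE = HostSnapshot(
    services={"sshd", "cron", "rsyslog"},
    config={"firewall.enabled": True, "ssh.password_auth": False},
    system_files={"/usr/bin/ls", "/usr/bin/ps"},
    installed_software={"openssh", "vim"},
)

# Snapshot taken later on the same host (constructed: one new service,
# the firewall switched off, a new executable in a system directory,
# and a package nobody authorized).
CURRENT = HostSnapshot(
    services={"sshd", "cron", "rsyslog", "svchost_helper"},
    config={"firewall.enabled": False, "ssh.password_auth": False},
    system_files={"/usr/bin/ls", "/usr/bin/ps", "/usr/bin/update.exe"},
    installed_software={"openssh", "vim", "remote-admin-tool"},
)


def find_host_iocs(baseline: HostSnapshot, current: HostSnapshot) -> list:
    """Return (ioc_type, detail) tuples for every deviation from the baseline."""
    findings = []
    # Unexpected processes or services running in the background
    for svc in sorted(current.services - baseline.services):
        findings.append(("unexpected_service", svc))
    # Unauthorized changes to system configuration settings
    for key, value in sorted(current.config.items()):
        if key in baseline.config and baseline.config[key] != value:
            findings.append(("config_changed", f"{key}: {baseline.config[key]} -> {value}"))
    # Unusual files created in a system folder
    for path in sorted(current.system_files - baseline.system_files):
        findings.append(("new_system_file", path))
    # Unauthorized software installation
    for pkg in sorted(current.installed_software - baseline.installed_software):
        findings.append(("unauthorized_software", pkg))
    return findings


if __name__ == "__main__":
    for ioc_type, detail in find_host_iocs(BASELINE, CURRENT):
        print(f"{ioc_type:22} {detail}")
```

The baseline only has value if it was captured before any compromise and stored somewhere the host itself cannot modify; an attacker who can rewrite the baseline can hide every one of these findings.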
File-Based IoCs
File-based IoCs show up when you analyze files on a device, usually executable files. These include:
- Files whose hash matches known malware (a hash is a unique fingerprint of a file, so if a file on your system has the same hash as a known virus, that's a problem)
- File names known to be created by specific malware (like a file called cryptolocker.exe)
- File paths associated with malicious activity (malware often hides in weird locations like C:\Users\Public\AppData\Temp\)
Antivirus software relies heavily on file-based IoCs because they're concrete and easy to match against a database.
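The three file-based IoC types above (hash, file name, file path) can each be checked mechanically. The following Python is an added example, not code from the original page or any antivirus product; the "known malware" bytes, the blocklisted hash derived from them, the name list, and the path prefix are constructed for the demonstration (a real blocklist comes from a threat-intelligence feed or vendor database). It also shows the caveat from the tradeoff discussion later on the page: change a single byte and the hash no longer matches, while the name and path checks still fire.

```python
# Added example: matching a file against hash, file-name and file-path IoCs.
# Everything in the blocklists below is constructed sample data.
import hashlib

# Constructed "known malware" content so the example runs offline.
SAMPLE_MALWARE_BYTES = b"MZ\x90\x00 constructed malware sample, not real code"

# Hash blocklist: in practice this comes from threat-intel feeds, not from the sample itself.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_MALWARE_BYTES).hexdigest()}

# File names associated with specific malware (constructed list using the page's example).
KNOWN_BAD_NAMES = {"cryptolocker.exe"}

# Locations where executables rarely belong (constructed, using the page's example path).
SUSPICIOUS_PATH_PREFIXES = ("C:\\Users\\Public\\AppData\\Temp\\",)


def sha256_of(data: bytes) -> str:
    """Fingerprint of the file contents; any change to the bytes changes this."""
    return hashlib.sha256(data).hexdigest()


def check_file(path: str, content: bytes) -> list:
    """Return the IoC types that match this file; an empty list means no match."""
    hits = []
    if sha256_of(content) in KNOWN_BAD_HASHES:
        hits.append("hash_match")
    # Normalise separators so the same logic works for Windows and POSIX paths.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in KNOWN_BAD_NAMES:
        hits.append("name_match")
    if any(path.lower().startswith(p.lower()) for p in SUSPICIOUS_PATH_PREFIXES):
        hits.append("suspicious_path")
    return hits


def scan(files: dict) -> dict:
    """files maps path -> bytes; returns only the paths with at least one IoC hit."""
    results = {}
    for path, content in files.items():
        hits = check_file(path, content)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    # Constructed sample file set: one clean system binary, one planted sample,
    # and a copy of the sample with one byte appended (hash evasion).
    sample_files = {
        "C:\\Windows\\System32\\svchost.exe": b"legitimate binary contents",
        "C:\\Users\\Public\\AppData\\Temp\\cryptolocker.exe": SAMPLE_MALWARE_BYTES,
        "C:\\Temp\\x.exe": SAMPLE_MALWARE_BYTES + b"\x00",
    }
    for path, hits in scan(sample_files).items():
        print(path, hits)
```

The third sample file is the point of the exercise: a one-byte change defeats the hash check entirely, which is why file-based IoCs are paired with name, path, and behavioral indicators rather than used alone.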
Behavior-Based IoCs
Behavior-based IoCs come from analyzing patterns in logs, especially authentication and access logs. Instead of looking for a specific file, you're looking for behavior that doesn't make sense:
- Multiple failed login attempts in a short window
- Unusual login times or locations (your account logs in at 3 AM from another country)
- Unauthorized attempts to access sensitive data
- Attempts to elevate user privileges (a regular user suddenly trying to gain admin access)
Authentication logs (often called auth logs) record every attempted login on a system, successful or not. They're gold for catching behavior-based IoCs because most attacks start with someone trying to get in.
Choosing Controls for Detecting Attacks
Not every detection method works for every device. When picking what to use, organizations weigh three main criteria.
Performance
Detection tools eat up memory and processing power. Anomaly-based detection (which watches for unusual behavior) uses way more system resources than signature-based detection (which matches activity against a database of known threats).
For devices with limited resources, like older laptops or IoT gadgets, signature-based detection is the smarter pick because it's lighter. In fact, many embedded devices (think smart thermostats or industrial sensors) don't have enough horsepower to run any detection tools on the device itself.
Cost
Detection software isn't free. If a company has 10,000 devices, they need 10,000 licenses, and that adds up fast. Some organizations outsource this entirely by buying an endpoint detection and response (EDR) service from a third-party vendor. EDR is pricey, but it gives a unified, organization-wide view of threats. It usually comes with a centralized dashboard where security teams can monitor alerts from every device in one place.
Sensitivity or Criticality of the Device
A laptop that holds patient medical records or controls a power grid is way more attractive to attackers than a random kiosk computer. Devices that store sensitive data or run critical services should get a hybrid-detection model when possible, meaning both signature-based and anomaly-based detection working together for maximum coverage.
Evaluating the Impact of a Detection Method
Once you've picked a method, you need to think about how it actually affects the device and the bigger security picture.
Speed and Performance
Signature-based detection is generally faster than anomaly-based detection because it's just matching patterns against a known list. Anomaly-based tools have to learn what "normal" looks like and constantly compare, which takes more CPU and memory.
On devices that already lack processing power, running a heavy anomaly-based tool can seriously slow things down. Nobody wants their work laptop frozen because the antivirus is scanning every keystroke.
Phase of the Attack
Before an attacker can do anything on a device, they have to get past physical security, network defenses, and other layers. If detection at the device level catches them at this final stage, you can stop them from actually stealing data or breaking critical services. Device-level detection is kind of the last line of defense, so it matters a lot.
False Positives vs. Ease of Bypassing
Most device-level detection is signature-based, which has a low rate of false positives (it doesn't cry wolf often). The tradeoff? Signature-based detection is easier to bypass. If an attacker tweaks their malware just slightly, the hash changes and the signature no longer matches. Anomaly-based detection is harder to dodge but throws more false alarms.
This tradeoff is the core tension in detection: accuracy vs. resilience.
Detecting Password Attacks in Log Files
Authentication logs are where password attacks reveal themselves. Different attacks leave different fingerprints, so being able to read auth logs is a key skill.
Online Password Attacks
An online password attack is when the attacker tries passwords directly against a live login system. These show up in auth logs as repeated failed login attempts. If one user account has 50 failed login attempts in two minutes, that's a huge red flag.
Here's a simplified auth log example showing an online attack:
```text
2024-03-15 14:22:01 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:03 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:05 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:07 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:09 FAIL user=jsmith ip=203.0.113.45
```
One user, one IP, tons of failures, all within seconds. Classic online attack.
Also: if a user:password hash database ever gets stolen, every password in it should be treated as compromised. All users need to reset their passwords immediately, because attackers can crack those hashes offline at their own pace.
Compromised Account Indicators
If a legitimate user suddenly logs in from a strange location, a new IP address, or at an unusual time (like a 9-to-5 employee logging in at 3 AM from a different country), their password may already be compromised. The login itself succeeds, but the context is suspicious.
Password Spraying
Password spraying is when an attacker tries one common password (like Password123) against many different usernames. This avoids triggering account lockouts because each individual account only sees one or two failed attempts.
In the logs, password spraying looks like many different users failing to log in within seconds of each other, often from the same IP or a few unusual IPs:
```text
2024-03-15 09:00:01 FAIL user=alice ip=198.51.100.7
2024-03-15 09:00:02 FAIL user=bob ip=198.51.100.7
2024-03-15 09:00:03 FAIL user=carlos ip=198.51.100.7
2024-03-15 09:00:04 FAIL user=diana ip=198.51.100.7
2024-03-15 09:00:05 FAIL user=ethan ip=198.51.100.7
```
Different users, same IP, all failing back to back. That pattern is the giveaway.
Credential Stuffing
Credential stuffing is similar but uses default or leaked username/password combos. Attackers grab a list of leaked credentials from a previous data breach and try them on a new system, betting that people reuse passwords. The indicator is a rapid series of default or known user:password combinations being attempted on a device, usually from the same IP.
The difference from password spraying: spraying uses one password against many users, while stuffing uses known pairs (often defaults like admin:admin or leaked combos) against a system.
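The three log patterns described in this section (one account hammered from one IP, many accounts failing from one IP, and a login that succeeds in a suspicious context) can be picked out of the page's simplified auth-log format with a few lines of code. The following Python is an added example, not code from the original page. It assumes an `OK` result keyword for successful logins (the page only shows `FAIL`), and the sample log, thresholds, and two-minute window are constructed for the demonstration. Credential stuffing is not flagged separately: this log format does not record the password tried, so in practice it shows up as the same burst patterns, often against default account names.

```python
# Added example: detecting online password attacks, password spraying and a
# suspicious successful login in the page's auth-log format.
# The log below is constructed sample data in that format; the OK lines are an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-15 09:00:01 FAIL user=alice ip=198.51.100.7
2024-03-15 09:00:02 FAIL user=bob ip=198.51.100.7
2024-03-15 09:00:03 FAIL user=carlos ip=198.51.100.7
2024-03-15 09:00:04 FAIL user=diana ip=198.51.100.7
2024-03-15 09:00:05 FAIL user=ethan ip=198.51.100.7
2024-03-15 14:22:01 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:03 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:05 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:07 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:09 FAIL user=jsmith ip=203.0.113.45
2024-03-15 14:22:11 OK user=jsmith ip=203.0.113.45
2024-03-15 15:00:00 OK user=alice ip=192.0.2.10
"""

# Constructed tuning values; real deployments set these per environment.
WINDOW = timedelta(minutes=2)
BRUTE_FORCE_THRESHOLD = 5   # failures against one account from one IP inside WINDOW
SPRAY_THRESHOLD = 5         # distinct accounts failing from one IP inside WINDOW


def parse(log_text: str) -> list:
    """Turn '<date> <time> <RESULT> user=<u> ip=<ip>' lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, result, user_kv, ip_kv = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "ip": ip_kv.split("=", 1)[1],
        })
    return events


def burst(timestamps: list, n: int, window: timedelta) -> bool:
    """True if any n of the timestamps fall inside one window."""
    ts = sorted(timestamps)
    return any(ts[i + n - 1] - ts[i] <= window for i in range(len(ts) - n + 1))


def detect(events: list) -> list:
    """Return alert tuples for the patterns described in the text."""
    alerts = []
    fails_by_user_ip = defaultdict(list)   # (user, ip) -> [ts, ...]
    fails_by_ip = defaultdict(list)        # ip -> [(ts, user), ...]
    for e in events:
        if not e["ok"]:
            fails_by_user_ip[(e["user"], e["ip"])].append(e["ts"])
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))

    # Online password attack: one user, one IP, many failures within seconds.
    for (user, ip), ts in fails_by_user_ip.items():
        if burst(ts, BRUTE_FORCE_THRESHOLD, WINDOW):
            alerts.append(("online_password_attack", user, ip))

    # Password spraying: many different users failing from one IP back to back.
    for ip, items in fails_by_ip.items():
        items.sort()
        for start, _ in items:
            users = {u for t, u in items if start <= t <= start + WINDOW}
            if len(users) >= SPRAY_THRESHOLD:
                alerts.append(("password_spraying", ip, len(users)))
                break

    # Compromised-account indicator: the login succeeds, but only right after
    # a burst of failures from the same IP, so the context is suspicious.
    for e in events:
        if e["ok"]:
            recent = [t for t in fails_by_user_ip.get((e["user"], e["ip"]), [])
                      if e["ts"] - WINDOW <= t < e["ts"]]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("success_after_failures", e["user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Note what the `alice` success from `192.0.2.10` does not trigger: there are no failures for that user/IP pair, so this logic stays quiet even though the IP is new. Catching that case needs a history of where each user normally logs in from, which is exactly the "unusual login times or locations" indicator the page lists under behavior-based IoCs.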
Offline Password Attacks Can't Be Detected
Here's the catch: offline password attacks are invisible to your logs. In an offline attack, the adversary already has a stolen hash database and is cracking passwords on their own computer, completely off your system. Your auth logs won't show anything because no login attempts are happening on your server. The only defense is preventing the hash database from being stolen in the first place, and forcing password resets if it ever is.
That's why protecting password databases and using strong hashing matters so much. Once a hash file walks out the door, the attack moves to a place where you can't see it.
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

| Term | Definition |
|---|---|
anomaly-based detection | A detection technique that identifies potential threats by analyzing deviations from normal network behavior patterns. |
authentication logs | Records of login attempts and authentication events that can be analyzed to detect suspicious activity or unauthorized access attempts. |
behavior-based IoCs | Indicators of compromise discovered by analyzing logs, including multiple failed login attempts, unusual login times or locations, unauthorized access attempts, or privilege escalation attempts. |
cost | A criterion for determining detection methods, including the expense of purchasing software licenses and detection services for multiple devices. |
credential stuffing | An attack where default or previously compromised user:password combinations are attempted in rapid succession on a device, typically from the same IP address. |
cyber incident | A security event involving unauthorized access or attack on a computing system or network. |
detection method | A technique or tool used to identify and alert to potential security attacks or threats on a device. |
detective security controls | Security measures designed to identify and detect attacks or unauthorized activities after they occur. |
deterrent security controls | Security measures designed to discourage or prevent adversaries from attempting attacks. |
device performance | The speed and efficiency with which a device operates, which can be degraded by resource-intensive security tools. |
embedded devices | Specialized computing devices with limited system resources that may lack sufficient processing power to run detection tools. |
endpoint detection and response (EDR) | A third-party service that provides centralized, unified threat detection and monitoring across an organization's devices with a centralized alert platform. |
false positives | Instances where a detection method incorrectly identifies legitimate activity or files as malicious threats. |
file-based IoCs | Indicators of compromise discovered by analyzing files on a device, including files with hashes matching known malware, suspicious file names, or file paths associated with malicious activity. |
host-based IoCs | Indicators of compromise discovered by analyzing logs and configuration settings, such as unusual files, unexpected processes, unauthorized system changes, or unauthorized software installations. |
hybrid-detection model | A detection approach that combines multiple detection methods to provide maximum protection for devices storing sensitive information or providing critical services. |
indicator of compromise (IoC) | Evidence that an adversary has compromised a device or network. |
IP address | A unique numerical identifier assigned to a device on a network, used to track the source of login attempts and network activity. |
network-layer protective controls | Security measures that protect against unauthorized access and attacks transmitted through network connections. |
offline password attacks | Password attacks that occur on an attacker's own computer using stolen password hashes, making them undetectable through log file analysis. |
password attack | Adversarial techniques used to compromise user passwords and gain unauthorized access to accounts or systems. |
password spraying | An attack where many users are targeted with common passwords from one or a few IP addresses, often to avoid detection by spreading attempts across multiple accounts. |
performance | A criterion for selecting detection controls, considering how detection tools impact a device's system memory and processing power. |
phase of the attack | The stage of an attack sequence, such as initial access, lateral movement, or data exfiltration, at which detection and prevention can occur. |
physical-layer protective controls | Security measures that protect against physical access to devices and infrastructure. |
sensitivity or criticality of the device | A criterion for selecting detection methods based on whether a device stores sensitive information or provides critical services that make it a likely target for adversaries. |
signature-based detection | A detection technique that identifies known malware and attacks by matching network traffic against predefined patterns or digital signatures. |
system configuration settings | Parameters and options that control how a computing system operates, which are logged and can reveal unauthorized changes. |
system processes | Programs and operations running on a computing system that are logged and can be analyzed to detect attacks. |
user:password hash database | A database containing encrypted representations of user passwords that, if compromised, requires all users to reset their passwords. |