Unauthorized Access Investigation
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Module: Network Troubleshooting
Section: Security Troubleshooting
Lesson: Unauthorized Access Investigation
Introduction: The Reality of Network Intrusions
In the modern digital landscape, the perimeter of a network is no longer a static wall. With the rise of remote work, cloud infrastructure, and interconnected Internet of Things (IoT) devices, the traditional concept of a "secure internal network" has largely vanished. Unauthorized access investigation is the systematic process of identifying, analyzing, and containing instances where an entity—whether a malicious actor, a disgruntled insider, or a misconfigured automated script—has gained access to network resources without authorization.
Why does this matter? For a network administrator or security engineer, unauthorized access is not just a technical glitch; it is a fundamental failure of the security posture. When an unauthorized party enters your network, they can exfiltrate sensitive data, install persistent backdoors, deploy ransomware, or use your infrastructure to attack others. Investigating these events is the difference between a minor security incident and a catastrophic data breach. This lesson provides the framework for identifying how attackers get in, what they do while they are there, and how you can stop them.
Part 1: Establishing the Baseline of Normalcy
Before you can identify an intruder, you must understand what "normal" looks like. If you do not have a baseline for your network traffic, user behavior, and system performance, every anomaly will look like a potential attack, leading to "alert fatigue." Effective investigation starts with observation.
Components of Network Baseline
To build a baseline, you should collect data from several layers of the network stack:
- Traffic Patterns: What are the typical bandwidth usage levels during business hours? Which internal servers communicate with each other most frequently?
- Authentication Logs: At what times do users typically log in? From which geographic locations or IP ranges do they connect?
- Process Activity: What services are expected to run on your core servers? Are there unusual background processes that suddenly spike in CPU usage?
- External Connections: Which external domains or IP addresses does your network regularly communicate with?
Callout: The Concept of "Known Good" In security, we often talk about "Zero Trust," but we also rely heavily on "Known Good." A baseline is essentially a map of your "Known Good" state. When you see a connection to a foreign IP address that has never appeared in your logs, you are not looking at a security risk yet; you are looking at an anomaly. Investigation is the process of determining if that anomaly is a new business requirement or an indicator of compromise.
Part 2: The Anatomy of an Unauthorized Access Incident
Unauthorized access typically follows a predictable lifecycle, often described by the Cyber Kill Chain or the MITRE ATT&CK framework. Understanding these stages is critical for investigation, as it helps you determine which phase the attacker is currently in.
The Stages of Intrusion
- Reconnaissance: The attacker scans your network for open ports, vulnerable services, or misconfigured web interfaces.
- Initial Access: This is the point of entry. It often occurs through phishing, exploiting an unpatched vulnerability (like a remote code execution bug), or using stolen credentials.
- Persistence: Once inside, the attacker installs a mechanism to ensure they can get back in even if the initial entry point is closed (e.g., a scheduled task or a new user account).
- Lateral Movement: The attacker moves from the initial compromised system to more sensitive areas of the network, such as database servers or domain controllers.
- Exfiltration/Impact: The final stage where data is stolen, or systems are encrypted for ransom.
Part 3: Investigating Authentication Anomalies
The most common method of unauthorized access is credential theft. If an attacker has valid credentials, they do not need to "break" the network; they simply walk through the front door.
Step-by-Step: Investigating Suspicious Logins
When you receive an alert about a suspicious login, follow this systematic approach:
- Verify the Source IP: Check the IP against known threat intelligence feeds. Is it a VPN exit node or a data center IP address? If an employee typically logs in from a residential ISP in Chicago, but suddenly logs in from a data center in a foreign country, this is a red flag.
- Analyze Time-of-Day: Does the login occur at 3:00 AM local time for the user? While remote work makes this less definitive, it should still be correlated with other activities.
- Check User Agent Strings: If a user usually logs in via a web browser on Windows, but the suspicious login shows a Python-requests library or an outdated version of an obscure browser, investigate further.
- Correlate with File Access: Did the user account immediately access a massive number of files upon logging in? This is a classic sign of a script-based data scrape.
Code Example: Log Analysis with Python
You can use Python to parse authentication logs to find anomalies. The following snippet demonstrates how to identify logins from unusual IP addresses:
import pandas as pd
# Load log data (Assuming a CSV with 'user', 'ip', 'timestamp')
logs = pd.read_csv('auth_logs.csv')
# Define a list of authorized IP ranges or known employee locations
authorized_ips = ['192.168.1.0/24', '10.0.0.0/8']
# Function to check if an IP is in the authorized range
def is_unauthorized(ip):
# In a real scenario, use the ipaddress module to check subnets
# This is a simplified placeholder for the logic
return ip not in authorized_ips
# Filter logs for suspicious activity
suspicious_activity = logs[logs['ip'].apply(is_unauthorized)]
print("Suspicious Logins Detected:")
print(suspicious_activity)
Note: Always ensure that your log files are stored in a centralized, read-only location (like a SIEM). If an attacker gains administrative access, the first thing they will do is delete the local logs to cover their tracks.
Part 4: Investigating Lateral Movement
Once an attacker has compromised a single machine, they will attempt to move laterally. This is often done using legitimate administrative tools, a technique known as "Living off the Land" (LotL).
Common Lateral Movement Techniques
- SMB/RPC Exploitation: Moving from one Windows machine to another using administrative shares.
- Remote Desktop Protocol (RDP): Using RDP to jump between systems.
- PowerShell Remoting: Executing scripts remotely on other machines within the network.
- SSH Tunneling: Creating an encrypted tunnel to bypass firewalls.
How to Detect Lateral Movement
To spot this, you need to monitor "East-West" traffic—traffic that stays inside your network rather than going out to the internet. Look for:
- Unusual Administrative Logins: A workstation connecting to another workstation via RDP. This should almost never happen in a standard environment.
- Service Installation: Look for new services being created on servers. Use
Get-Serviceor similar commands to audit your environment regularly. - Port Scanning from Internal IPs: If one of your internal machines starts scanning the rest of the network, it is almost certainly compromised.
Part 5: Practical Tools for Investigation
To conduct a thorough investigation, you need the right toolset. Do not rely on a single source of truth.
Essential Investigation Toolkit
| Tool Category | Examples | Use Case |
|---|---|---|
| SIEM | Splunk, ELK Stack, Graylog | Centralizing logs and correlating events. |
| Network Analyzers | Wireshark, tcpdump | Deep packet inspection of suspicious traffic. |
| Endpoint Detection | OSQuery, Sysmon | Auditing process creation and file changes. |
| Threat Intel | VirusTotal, AbuseIPDB | Checking if an IP or hash is known to be malicious. |
Tip: When using Wireshark to investigate a potential breach, filter by the suspicious IP address immediately. Use the filter
ip.addr == [SUSPICIOUS_IP]to isolate traffic and look for unusual protocols like DNS tunneling or non-standard ports being used for command-and-control communication.
Part 6: Best Practices for Security Response
Investigating unauthorized access is high-pressure work. Having a plan in place prevents panic and reduces the chance of making mistakes that could destroy evidence.
1. Document Everything
From the moment you suspect an intrusion, start a log. Record the time you noticed the issue, the steps you took to investigate, and the findings. This is vital for post-incident reporting and potentially for legal or insurance purposes.
2. Isolate, Don't Delete
When you find a compromised machine, the urge is often to wipe it and reinstall the OS. Do not do this immediately. If you wipe the machine, you lose the volatile memory (RAM) and the disk evidence that could tell you how the attacker got in. Isolate the machine from the network (physically or via VLAN) instead.
3. Change Credentials System-Wide
If you suspect a user account has been compromised, reset the password immediately. Furthermore, if you believe the attacker has moved laterally, you must rotate the credentials for all service accounts and local administrator accounts across the network.
4. Search for Persistence
Attackers rarely leave a door open for only a few hours. They will add backdoors. Check for:
- Scheduled Tasks: Look for tasks that run unknown scripts.
- Registry Keys: On Windows, check
RunandRunOncekeys for malicious entries. - New User Accounts: Check the local and domain user lists for accounts you do not recognize.
Part 7: Common Pitfalls to Avoid
Even experienced administrators fall into common traps when investigating security incidents. Avoiding these will save you time and prevent secondary issues.
Pitfall 1: Ignoring DNS Traffic
Many attackers use DNS to "beacon" back to their command-and-control servers. Because DNS is required for the internet to function, it is often left unmonitored. If you see high volumes of DNS queries to a single external domain or queries for strange, long, encoded subdomains, this is a major warning sign.
Pitfall 2: Over-Reliance on Automated Tools
Automated security tools are excellent at catching known threats, but they often miss sophisticated, manual intrusions. Always perform manual verification. If your tool says an alert is "Low Severity," but your gut says something is wrong, investigate the raw logs yourself.
Pitfall 3: Not Checking the "Easy" Entry Points
Often, we look for complex exploits while ignoring simple misconfigurations. Check for:
- Default passwords on network appliances.
- Open management interfaces (like IPMI or iDRAC) exposed to the internet.
- Exposed cloud storage buckets (e.g., S3 buckets without proper permissions).
Callout: The "Human Element" in Investigation A common mistake is assuming that all unauthorized access is a technical attack. Often, it is a social engineering play. If you find a compromised account, call the user. Ask them if they recently received a strange email or if they clicked on a link. The context provided by the human user can be more valuable than any log file in your SIEM.
Part 8: Step-by-Step Investigation Workflow
When the alarm goes off, follow this structured workflow to maintain order and focus.
Phase 1: Triage (Minutes 0-30)
- Confirm the alert is not a false positive.
- Identify the affected systems and user accounts.
- Isolate the affected systems from the network to prevent further spread.
Phase 2: Scoping (Hours 1-4)
- Determine the extent of the damage. Which systems did the attacker touch?
- Check authentication logs for any other unusual logins at the same time.
- Review network traffic logs for connections to known malicious domains.
Phase 3: Containment (Hours 4-8)
- Disable the compromised accounts.
- Block the malicious IP addresses at the firewall.
- Close any open ports that were used for the initial entry.
Phase 4: Eradication and Recovery (Days 1-3)
- Remove the persistence mechanisms (tasks, backdoors, etc.).
- Restore systems from known-good backups.
- Patch the vulnerabilities that allowed the initial access.
Part 9: Advanced Concepts: Memory Analysis
When you have a truly sophisticated attacker, they may operate entirely in memory (fileless malware). In this scenario, disk forensics will show you nothing. You must perform memory analysis.
Using Volatility for Memory Analysis
Volatility is the industry-standard framework for analyzing memory dumps. If you suspect a machine is compromised by fileless malware, you can capture the RAM and run it through Volatility.
- Capture RAM: Use a tool like
DumpItorMagnet RAM Captureto save the memory to a file. - Analyze Processes: Use
volatility -f mem.raw --profile=Win10x64_XXXX pslistto see a list of running processes. - Find Injected Code: Use
malfindto search for memory segments that have execute permissions but are not backed by a file on disk—a classic sign of code injection.
This is an advanced technique, but it is necessary for detecting modern, persistent threats that avoid writing files to the disk.
Part 10: Best Practices and Industry Standards
To maintain a professional security posture, align your operations with recognized frameworks.
- NIST Cybersecurity Framework (CSF): Use this to structure your incident response process. The framework provides a common language for identifying, protecting, detecting, responding, and recovering.
- Principle of Least Privilege (PoLP): This is your best defense against lateral movement. If a user account only has access to what it absolutely needs, an attacker who compromises that account is severely limited in what they can do.
- Logging Policy: Ensure you are logging enough data to be useful. If your logs only show "User Logged In," you have no context. Ensure you are logging successful and failed logins, process creation, network connections, and file access.
Comparison: Proactive vs. Reactive Security
| Feature | Proactive Security | Reactive Security |
|---|---|---|
| Focus | Prevention and hardening | Detection and mitigation |
| Timing | Before the incident | After the incident |
| Goal | Reduce attack surface | Minimize damage/downtime |
| Methodology | Hardening, patching, training | Forensics, log analysis, containment |
Part 11: Summary and Key Takeaways
Unauthorized access investigation is a core skill for any IT professional. It requires a blend of technical knowledge, analytical thinking, and the ability to remain calm under pressure. By focusing on baselining, monitoring, and structured investigation, you can significantly reduce the risk and impact of security incidents.
Key Takeaways for Your Security Toolkit:
- Baseline is Everything: You cannot identify an anomaly if you do not know what normal looks like. Spend time documenting your network's standard traffic and user behavior.
- Don't Rush to Wipe: When you find a compromised system, your first priority should be isolation, not deletion. Preserving volatile memory is essential for understanding how the attacker got in.
- Lateral Movement is the Real Danger: An attacker's goal is rarely the first machine they hit. They want to move to your most sensitive data. Monitor your internal East-West traffic to stop them in their tracks.
- Use the Right Tools: A SIEM is helpful, but it is not a magic bullet. Learn to use Wireshark, command-line auditing tools, and memory analysis frameworks to get the full picture.
- Think Like an Attacker: Look for the "easy" holes—default passwords, open management ports, and unpatched web interfaces. These are the most common entry points for unauthorized access.
- Persistence is Key: Always look for backdoors, scheduled tasks, and new user accounts after a compromise. Attackers want to stay in your network for as long as possible.
- Document Your Work: Every investigation should be a learning experience. Keep a detailed log of your findings to improve your defenses and satisfy compliance requirements.
By following these principles, you move from being a reactive administrator to a proactive defender of your network. Security is not a product you buy; it is a process you maintain. Stay vigilant, keep your systems updated, and never stop learning about the evolving tactics used by those who seek unauthorized access.
Frequently Asked Questions (FAQ)
Q: How do I know if an alert is a false positive? A: A false positive often occurs when an administrative action mimics malicious behavior. For example, a system administrator running a network scan will trigger the same alerts as an attacker. Always check the identity behind the action. If it is a known admin account and a scheduled maintenance window, it is likely a false positive.
Q: What is the most important thing to do if I find an attacker in my network? A: Do not panic. If you start making random changes, you might tip off the attacker, causing them to move to a different part of the network or trigger a destructive payload (like ransomware). Isolate the affected system, then gather information before taking further action.
Q: Should I block all traffic from foreign countries? A: While geoblocking can reduce the noise in your logs, it is not a complete security solution. Attackers use VPNs and compromised servers within your own country to bypass these filters. Use it as a layer of defense, but do not rely on it as your primary security control.
Q: How often should I review my logs? A: Ideally, you should have a SIEM that alerts you in real-time. If you do not have a SIEM, you should perform a manual review of critical logs (authentication, firewall, and process creation) at least weekly.
Q: What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)? A: An IDS monitors traffic and sends an alert when it detects something suspicious. An IPS sits in-line with the traffic and can automatically block or drop the connection when it detects a threat. Both are useful, but an IPS provides a more immediate, automated response.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons