[BreachExchange] How Can You Tell If Your Enterprise Has Been Hacked?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Apr 24 18:43:21 EDT 2018
https://solutionsreview.com/security-information-event-
management/how-can-you-tell-if-your-enterprise-has-been-hacked/
In cybersecurity, half of the struggle is simply preventing a data breach
or cyber attack on your enterprise. The other half is dealing with a hacker
once they have infiltrated your enterprise’s network, as is sadly bound to
happen one day. This can and often does involve closing the security hole
that let the hacker in, removing their malicious presence from your
servers, evaluating the damage, and alerting those affected by the breach.
A less-discussed but invaluable part of dealing with an infiltration is
detecting that there even is a threat on your network in the first place.
Modern malware is designed to evade notice, hiding its presence in remote
places or using other functions as camouflage. Not every hacker is “kind”
enough to put up a notice as seen in a ransomware attack. A SIEM or
security analytics solution can help you in detecting a threat via data
aggregation, data correlation, and threat analysis. But if your legacy
solution isn’t up to the task, and your team is handling threat analysis
manually, how can you tell if your enterprise has been hacked? What
activity is sufficiently suspicious?
Here are some key indicators to look for to tell if your enterprise has
been hacked?
Watch for Spearphishing Campaigns
Spearphishing is perhaps one of the most persistent and successful
infiltration tactics hackers have at their disposal. After all, humans are
hardwired to respect authority. If a message from the CEO—in their typical
style and at a reasonable hour—asks for their payment information, most
employees would hand it over without a thought. And that’s where hackers
can get you.
Your IT security teams should be on the lookout for emails coming from
outside the network and dressed up to look like internal emails, and to
block those emails’ sources if possible. Your employees should also be
trained to confirm emails that ask for vital payment or credentials
information before handing over the data. If your enterprise seems to be
receiving more spearphishing emails than usual, you may want to look at
your network to see if anyone unwanted presences have been conducting
espionage on you.
Be on the Lookout for Suspicious User Activity
One way to tell if your enterprise has been hacked is to observe the
behavior of your users. Users typically follow patterns in their behavior,
including what they access, when they access them, and what they may
request permission to access in the course of their day-to-day jobs. This
applies both to the average user and the privileged account user.
Unusual user activities, including off-hours privileged logins, multiple
failed login attempts, and odd permissions requests, raises serious red
flags about the security of your users’ credentials. Also, keep an eye out
if your employees changed their credentials recently for no clear reason: a
hacker may have stolen their credentials and changed them to lock them out
of the system.
Additionally, you should keep an eye out for suspicious new accounts and
disable them if you can’t confirm their legitimacy. You can use the audit
logs to find out a timeline for the hack on your enterprise, which can help
detect the security hole.
Unusual Network Activity is the Clearest Sign of a Hack
In order to tell if your enterprise has been hacked, SIEM and security
analytics solutions collect the disparate information from across the
network. No hacker is an H.G. Wells character—that is to say, completely
invisible. If you are manually evaluating network activity for signs of an
attack, here are some signs that someone unwelcome is on your servers:
Sudden spikes in outbound traffic
Unusual files appearing on your network
Unauthorized downloads or software installations
Misaligned system log information, especially for off-hours activity
Internet searches are redirected
Frequent DOS attacks (these can be smokescreens for other data breaches)
Flickering webcam lights on employee’s endpoints (this might be a hacker
keeping a literal eye on your enterprise)
Rogue applications creating open ports into your network
Preventative measures can include the tight regulation of downloads (watch
for rogue programs bundled with freeware), careful monitoring of
applications, and caution concerning email attachments. But as we’ve noted
before, prevention can only protect you so far.
Above All, Respond Immediately To The Out-Of-Place
Financial information going to unexpected places? Mysterious orders
stemming from your network? Unusual connections to your enterprise
network? Employee applications or endpoints crashing at random times?
Yes, there can be perfectly mundane explanations to all of these suspicious
activities. But assuming benevolence on your enterprise’s IT environment is
absolutely the wrong course of action, regardless of your enterprise’s
sign. The overriding principle of how to tell if your enterprise has been
hacked is this: if something looks wrong, take the time to investigate it
to the best of your abilities.
This will be a hassle without a SIEM or security analytics solution (and it
may be good time to look into that). The time and effort can be a serious
drain on your time and resources. Yet the alternative is unacceptable. You
need to do whatever is necessary to keep your data and employees safe from
digital threats.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180424/70bdc8ba/attachment.html>
More information about the BreachExchange
mailing list