Signs you have been hacked
If you still believe that your enterprise is safe from cyber threats and that your data is secure, you might be in for a rude shock.
2016 was the year of the “mega breach”.
Globally, there was a dramatic increase in the number of records that were compromised, climbing 566% from 2015. Spam was up 400% in 2016 with 44% of spam containing malicious attachments. Out of these malicious attachments, 85% contained malicious ransomware.
According to the IBM 2017 X-Force Index, the average client organization experienced 54 million security events. So unless your company has the ability to read through trillions of data points and make sense of that information, you could have already encountered cyberattacks without even knowing.
Another report by IBM Security – The Shifting Panorama of Global Financial Cybercrime – indicates that organized cybercrime groups are increasingly looking to Asia, with Dridex and TrickBot being the two most prominent threats perpetrated by cyber gangs. Singapore is particularly at risk of Trojan attacks, acting as a sort of gateway for malware families targeting Indonesia, Malaysia and India.
It goes without saying that security professionals are constantly on the hunt for potential vulnerabilities and looking for ways to defend their networks. The term “indicator of compromise” (IOC) – first coined by governments and defense contractors trying to identify advanced persistent threats (APTs) – is something that all information security experts are familiar with.
A recent IBM X-Force report looked at the top 10 indicators of compromise so you can spot them before a hacker is able to do serious damage.
1. Unusual outbound network traffic: While it is tough to keep hackers out of networks, outbound patterns are easily detectable and can be a sign of malicious activity. With visibility into this traffic, you can respond quickly before data is lost or major damage is caused.
2. Anomalies in privileged user account activity: Attackers often try to escalate the privileges of a user account they have hacked. Monitoring privileged accounts for unusual activity not only opens a window on possible insider attacks, but can also reveal accounts that have been taken over by unauthorized sources. Keeping an eye on the systems accessed, the type and volume of data accessed, and the time of the activity can give early warning of a possible breach.
3. Large numbers of requests for the same file: When a hacker finds a file they want – customer or employee information, credit card details, etc. – they will try multiple attacks to obtain it. Monitor for an amplified number of requests for a specific file.
4. Geographical irregularities: It may seem obvious, but it is important to track the geographic location of where employees are logging in from. If you detect logins from locations where your organization does not have a presence, it is worth investigating as it could mean you have been compromised.
5. Database extractions: Closely monitor and audit your databases to know where sensitive data resides, and to detect suspicious activity, unauthorized usage and unusual account activity. Watch closely for large amounts of data being extracted from databases. This can be a clear indicator that someone is attempting to obtain sensitive information.
6. Unexpected patching of systems: If one of your critical systems was patched without your initiation, it may be a sign of a compromise. While it seems strange that a hacker would repair a vulnerability, it is all about the value of the data to them, and keeping other interested criminals away from it. Once they get inside, they often try to add a patch to the vulnerability they used to gain access to the system so that other hackers cannot get in through the same vulnerability. If an unplanned patch appears, it is worth investigating for a potential attack.
7. Document attack tools & methods: Profile your network traffic patterns to understand what is normal. Focus your attention on the main protocols, especially the ones used by attackers such as DNS and HTTPS. Collect and examine log file entries and leverage tools like log management and SIEM systems that can help automate and visualize these data patterns to detect suspicious activity. Subscribe to IOC data feeds, like IBM’s X-Force Exchange, that share reported IOCs to help investigate potential incidents and speed time to action.
8. Use intelligence to search for malicious activity: By leveraging the data that you documented in step 1, you can configure your security systems to monitor and search for malicious activity. Your defenses can be configured to block activities or trigger alerts if activity is identified from a suspicious IP address or geographical location, or if an attacker tries to use a known toolkit or exploit a known vulnerability. You should also look out for new user names being created locally.
9. Investigate security incidents & assess compromise levels: If a security incident occurs, the next logical step is to investigate and assess the number of systems or applications that are affected. Start with system IP, DNS, user, and timestamps to first understand the scope of the breach and the degree of penetration the attacker may have gained in the system.
Next, create a timeline to determine if any other events occurred. Examine all files with time stamps (logs, files and registry), the content of email communications and messages, information about system logon and logoff events, indications of access to specific Internet documents or sites, and the contents of communication with known individuals in chat rooms or other collaborative tools. Check for evidence of document destruction and search for incident-specific IOCs, including patterns exhibited within working directories or the use of particular hosts and accounts.
10. Identify, remediate & repeat: Identify all compromised hosts, user accounts, points of exfiltration, and other access points. Next, move to reset passwords, remove points of exfiltration, patch vulnerable systems being exploited for access, activate your incident response team, and set trigger points to alarm if the attacker returns. After this is complete, it is important to continue searching for IOCs to ensure remediation tactics are successful and then to repeat the process, if necessary.
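As an added example (not from the article or the IBM report), the following Python script turns three of the indicators above – geographic irregularities, repeated requests for one file and unusual outbound volume – into simple threshold checks over constructed log records. The country allow-list, the thresholds and the events are assumptions chosen for illustration.

```python
"""Added example (not from the article): three of the indicators above
as threshold checks over constructed log records. The records, the
country allow-list and the thresholds are assumptions."""
from collections import Counter, defaultdict

# Constructed sample events: (event_type, user, country, target, bytes)
EVENTS = [
    ("login", "alice", "SG", "-", 0),
    ("login", "bob", "MY", "-", 0),
    ("login", "alice", "RU", "-", 0),  # org has no presence in RU
    ("file", "bob", "SG", "/hr/payroll.xlsx", 0),
    ("file", "bob", "SG", "/hr/payroll.xlsx", 0),
    ("file", "bob", "SG", "/hr/payroll.xlsx", 0),
    ("file", "bob", "SG", "/hr/payroll.xlsx", 0),
    ("file", "carol", "SG", "/docs/handbook.pdf", 0),
    ("outbound", "bob", "SG", "203.0.113.7", 900_000_000),  # TEST-NET dst
    ("outbound", "alice", "SG", "198.51.100.9", 5_000_000),
]

ALLOWED_COUNTRIES = {"SG", "MY", "ID", "IN"}  # assumed office footprint
FILE_REQUEST_LIMIT = 3                        # per user, per file
OUTBOUND_BYTES_LIMIT = 500_000_000            # per user, per window


def geographic_irregularities(events, allowed=ALLOWED_COUNTRIES):
    """Indicator 4: logins from countries where the org has no presence."""
    return sorted({(u, c) for t, u, c, _, _ in events
                   if t == "login" and c not in allowed})


def repeated_file_requests(events, limit=FILE_REQUEST_LIMIT):
    """Indicator 3: the same (user, file) requested more than `limit` times."""
    counts = Counter((u, f) for t, u, _, f, _ in events if t == "file")
    return {k: n for k, n in counts.items() if n > limit}


def unusual_outbound(events, limit=OUTBOUND_BYTES_LIMIT):
    """Indicator 1: per-user outbound byte totals above the baseline limit."""
    totals = defaultdict(int)
    for t, u, _, _, b in events:
        if t == "outbound":
            totals[u] += b
    return {u: b for u, b in totals.items() if b > limit}


if __name__ == "__main__":
    for fn in (geographic_irregularities, repeated_file_requests, unusual_outbound):
        print(fn.__name__, fn(EVENTS))
```

In practice the thresholds would be derived from the baseline profiled in step 7 rather than fixed constants, and the events would come from your SIEM or log management system.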
With this model in place, you can identify the breadcrumbs that attackers leave behind when they compromise security defenses, enabling you to react quickly and efficiently to security incidents.