No one wants to join the growing list of companies that have announced they’ve been hacked and suffered a data breach. As CIO, you have confidence in your IS staff but you’re still wondering if an undetected attack has already occurred.
Attacks begin with a tiny, difficult-to-detect event such as a single infection or the take-over of a single computer. The good news is that, as attackers invariably increase their activity on your network, you can stop them if you know how to unmask them. Here are five strategies to identify attackers and stop them.
Look for telltale signs of a breach
Repeated port scans and an excessive number of failed log-ins indicate reconnaissance as attackers map out your network. These telltale events occur because attackers need to understand the topology of the network they have infiltrated as a prelude to creating havoc. First, attackers look for additional vulnerable workstations and poorly configured servers. Then they zero in on administrative accounts and valuable datastores.
Identifying the follow-on from the initial breach will require persistence because there are a lot of chatty workstations and applications on your network. It will take a while to filter out your legitimate traffic from the attacker-initiated traffic.
Look for a normal end-user performing administrative tasks
Increasingly, attackers use your network and data management tools, rather than known attack tools and malware, to avoid detection by your signature-based anti-virus and anti-malware software.
This tool usage by attackers is an anomaly that you can detect. You know who your authorized admin accounts are. You know what tools your administrators use and what applications and file servers they typically manage, such as an ERP database, a document management application or an Intranet website. With that knowledge, you can spot when attackers take over a non-admin workstation and start performing unexpected administrative tasks, often at an unusual time of day.
Unfortunately, performing this analysis isn’t as easy as it sounds because legitimate administrative activity is so sporadic. Monitoring Secure Shell (SSH) and Remote Procedure Call (RPC) usage provides a good starting point. Using your list of approved administrative workstations as a baseline, you can detect the administrative activity initiated by attackers.
Look for workstations using multiple accounts
Attackers love using valid credentials to advance their nefarious activity and remain undetected. First they hijack existing accounts. Then they generate new accounts. Attackers use both to explore and to gain more privileged access. Analyze account usage to spot excessive usage that is indicative of such attack activity.
Network traffic logs from your authentication and authorization infrastructure are your best resources for indications of account abuse. Scanning for anomalies, starting with your high-volume end-users, should help you spot attacker-commandeered workstations and accounts.
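The two checks above (administrative activity from a workstation outside your approved baseline, and a single workstation authenticating as many different accounts) can both be run over the same authentication log. The script below is an added example, not code from the original article; the log lines, host names, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from any real system). One successful
# authentication per line: timestamp, source workstation, account, service.
SAMPLE_LOG = """\
2024-03-04T09:02:11 WS-101 alice smb
2024-03-04T09:05:40 WS-101 alice smb
2024-03-04T09:07:02 ADM-01 admin-bob ssh
2024-03-04T09:08:13 WS-217 carol smb
2024-03-04T23:41:55 WS-217 svc-backup ssh
2024-03-04T23:42:30 WS-217 admin-bob rpc
2024-03-04T23:43:02 WS-217 dave smb
2024-03-04T23:44:19 WS-217 erin smb
"""

# Assumed baseline (hypothetical values): workstations approved for admin
# work, the known admin accounts, and the services admins normally use.
APPROVED_ADMIN_HOSTS = {"ADM-01"}
ADMIN_ACCOUNTS = {"admin-bob", "svc-backup"}
ADMIN_SERVICES = {"ssh", "rpc"}
MAX_ACCOUNTS_PER_HOST = 2  # more distinct accounts than this is suspicious

def parse_events(text):
    """Turn the log text into (timestamp, host, account, service) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip blank or malformed lines
            events.append(tuple(parts))
    return events

def find_unapproved_admin_activity(events):
    """Hosts outside the baseline that used an admin account or SSH/RPC."""
    return sorted({host for _, host, acct, svc in events
                   if (acct in ADMIN_ACCOUNTS or svc in ADMIN_SERVICES)
                   and host not in APPROVED_ADMIN_HOSTS})

def find_multi_account_hosts(events, limit=MAX_ACCOUNTS_PER_HOST):
    """Hosts that authenticated as more than `limit` distinct accounts."""
    accounts = defaultdict(set)
    for _, host, acct, _ in events:
        accounts[host].add(acct)
    return {host: sorted(a) for host, a in accounts.items() if len(a) > limit}

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("admin activity off-baseline:", find_unapproved_admin_activity(ev))
    print("multi-account hosts:", find_multi_account_hosts(ev))
```

In the sample data only WS-217 trips both checks: it performs SSH and RPC sessions as admin accounts late at night despite not being an approved admin workstation, and it authenticates as five different accounts in a few minutes.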
Look for attackers searching for valuable data
Attackers almost always look for file shares and database access credentials that are broadly accessible to hunt for important data, such as intellectual property or credit card numbers. Important data can then be copied or remotely encrypted for ransom. Spotting anomalies in file and database access can be a valuable signal of attackers at work.
The data about your file share and database accesses can be messy and difficult to gather and analyze but will reveal attackers.
Look for command and control activity
Attackers need a way to communicate between the workstations they control in your network and the Internet. Attackers use Remote Access Trojans (RATs) for this communication.
Keep an eye on strange outbound communications for indications of malicious software phoning home. Attackers may attempt to contact Amazon Web Services (AWS), Microsoft Azure resources or unknown servers that aren’t part of your network. Large numbers of Domain Name System (DNS) lookups indicate malware trying to find command and control servers. Attackers can mask their outbound communication by using Twitter, Craigslist, Gmail, and many more websites.
Once you unmask an intrusion, there is often sufficient time to root out attackers and malware before a serious data breach inflicts damage.
What is your experience with unmasking network attackers? Share your thoughts below!