Signs you have been hacked
By: Gene Ng, IBM ASEAN Security Lead
If you still believe that your enterprise is safe
from cyber threats and that your data is secure, you might be in for a rude
shock.
2016 was the year of
the “mega breach”.
Globally, there was a dramatic
increase in the number of records that were compromised, climbing 566% from
2015. Spam was up 400% in 2016 with 44% of spam containing malicious
attachments. Out of these malicious attachments, 85% contained malicious
ransomware.
According to the IBM 2017 X-Force Index, the
average client organization experienced 54 million security events. So unless
your company has the ability to read through trillions of data points and make
sense of that information, you could have already encountered cyberattacks
without even knowing.
Another
report by IBM Security – The
Shifting Panorama of Global Financial Cybercrime – indicates
that organized cybercrime
groups are increasingly looking to Asia with Dridex and TrickBot being the two
most prominent threats perpetrated by cyber gangs. Singapore is particularly
at risk of Trojan attacks, acting as a sort of gateway for malware families
targeting Indonesia, Malaysia and India.
It goes without saying that security professionals are constantly on the
hunt for potential vulnerabilities and looking for ways to defend their
networks. The term “indicator of compromise” (IOC) – first coined by
governments and defense contractors trying to identify advanced persistent
threats (APTs) – is something that all information security experts are
familiar with.
A recent IBM X-Force report looked at the top 6 indicators of compromise
so you can spot them before a hacker is able to do serious damage.
1. Unusual outbound network traffic: While it is tough to keep
hackers out of networks, outbound patterns are easily detectable and can be a
sign of malicious activity. With visibility into this traffic, you can respond
quickly before data is lost or major damage is caused.
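Detecting "unusual" outbound traffic only works against a baseline of what each host normally sends. The following added example (not code from the article or from IBM) flags hosts whose daily outbound byte count departs sharply from their own recent history, using a median/MAD score so that one noisy day in the history does not hide a real spike. The hosts, byte counts and the 3.5 threshold are constructed; the same per-host baselining applies equally to per-protocol profiles such as the DNS and HTTPS volumes the article later recommends tracking.

```python
"""Flag hosts whose outbound byte volume departs from their own baseline.

Added example, not from the original article. It assumes flow records have
already been summarised to per-host, per-day outbound byte totals; the sample
data below is constructed.
"""
from statistics import median

# Constructed: outbound bytes per day for two internal hosts over the last week.
BASELINE_DAYS = {
    "10.0.1.15": [120e6, 98e6, 131e6, 110e6, 125e6, 101e6, 117e6],
    "10.0.1.22": [40e6, 37e6, 45e6, 39e6, 42e6, 41e6, 38e6],
}
# Constructed: today's totals; 10.0.1.22 suddenly pushes ~2 GB out.
TODAY = {"10.0.1.15": 128e6, "10.0.1.22": 2.1e9}


def robust_zscore(value, history):
    """Median/MAD based z-score: resistant to a single past outlier."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad   # 0.6745 rescales MAD to a sigma


def flag_outbound_anomalies(today, baseline, threshold=3.5):
    """Return {host: zscore} for hosts whose outbound volume is anomalously high."""
    alerts = {}
    for host, value in today.items():
        history = baseline.get(host)
        if not history:
            continue   # no baseline yet, so nothing to compare against
        z = robust_zscore(value, history)
        if z > threshold:
            alerts[host] = round(z, 1)
    return alerts


if __name__ == "__main__":
    for host, z in flag_outbound_anomalies(TODAY, BASELINE_DAYS).items():
        print(f"ALERT {host}: outbound volume {z} robust sigmas above baseline")
```

A host with no history is skipped rather than scored, which is deliberate: new hosts need a few days of observation before their traffic can be called abnormal, and a naive comparison against a fleet-wide average produces mostly false alarms.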
2. Anomalies in privileged user account
activity: Attackers
often try to escalate privileges of a user account they have hacked. Monitoring
privileged accounts for unusual activity not only opens a window on possible
insider attacks, but can also reveal accounts that have been taken over by
unauthorized sources. Keeping an eye on the systems accessed, the type and volume
of data accessed, and the time of the activity can give early warning of a
possible breach.
3. Large numbers of requests for the
same file: When
a hacker finds a file they want – customer or employee information, credit card
details, etc. – they will try to create multiple attacks to obtain it. Monitor
for an amplified number of requests for a specific file.
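Counting requests for one file is a sliding-window problem: the interesting signal is many requests for the same path from one client in a short span, not the total over a day. This added example (not from the article) parses web-server access lines in the combined log format and reports any client that asks for the same path five or more times within a minute. The log lines, the threshold and the window are constructed.

```python
"""Detect a burst of requests for one file in constructed web-server log lines.

Added example, not part of the original article. Assumes Apache/Nginx
combined log format; the log lines and the threshold below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering an export file, plus normal traffic.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2017:02:14:01 +0800] "GET /exports/customers.csv HTTP/1.1" 403 512
203.0.113.9 - - [10/Mar/2017:02:14:03 +0800] "GET /exports/customers.csv HTTP/1.1" 403 512
198.51.100.4 - - [10/Mar/2017:02:14:05 +0800] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [10/Mar/2017:02:14:07 +0800] "GET /exports/customers.csv HTTP/1.1" 403 512
203.0.113.9 - - [10/Mar/2017:02:14:09 +0800] "GET /exports/customers.csv HTTP/1.1" 401 512
203.0.113.9 - - [10/Mar/2017:02:14:12 +0800] "GET /exports/customers.csv HTTP/1.1" 200 9182344
198.51.100.4 - - [10/Mar/2017:02:20:00 +0800] "GET /exports/customers.csv HTTP/1.1" 200 9182344
"""


def parse_log(text):
    """Yield (timestamp, client ip, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["path"], int(m["status"])


def find_request_bursts(text, threshold=5, window=timedelta(minutes=1)):
    """Return [(ip, path, count)] for clients requesting the same path
    `threshold` or more times within `window`. Failed requests count too:
    repeated 401/403 responses for one file are part of the pattern."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    alerts = {}
    for ts, ip, path, _status in parse_log(text):
        key = (ip, path)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return [(ip, path, n) for (ip, path), n in alerts.items()]


if __name__ == "__main__":
    for ip, path, n in find_request_bursts(SAMPLE_LOG):
        print(f"ALERT {ip} requested {path} {n} times within one minute")
```

In the sample the run of 403/401 responses followed by a 200 with a large body is the shape worth escalating: the attacker kept retrying until a request went through and the file was served.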
4. Geographical irregularities: It may seem obvious, but it is
important to track the geographic location of where employees are logging in
from. If you detect logins from locations where your organization does not have
a presence, it is worth investigating as it could mean you have been
compromised.
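Two checks cover most geographical irregularities: a login from a country where the organisation has no presence, and two logins by the same user that are too far apart to have been made by one person in the elapsed time. The added example below (not from the article) runs both over a constructed login set; it goes slightly beyond the paragraph by adding the impossible-travel test, which catches account takeover even from a country that is on the allowed list. The office-country set, the 900 km/h speed ceiling and the GeoIP coordinates are assumptions.

```python
"""Flag logins from countries where the organisation has no presence, and
pairs of logins by one user that imply an impossible travel speed.

Added example, not from the original article. Assumes a GeoIP lookup has
already attached country and lat/lon to each login; all events are constructed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

OFFICE_COUNTRIES = {"SG", "MY", "ID", "IN"}   # assumption: where the org operates
MAX_SPEED_KMH = 900.0                         # faster than any airline flight

# Constructed login events: (user, timestamp UTC, country, lat, lon)
LOGINS = [
    ("alice", "2017-03-10T01:00:00", "SG", 1.35, 103.82),
    ("alice", "2017-03-10T02:30:00", "MY", 3.14, 101.69),    # KL: plausible hop
    ("bob",   "2017-03-10T01:05:00", "SG", 1.35, 103.82),
    ("bob",   "2017-03-10T01:20:00", "RU", 55.75, 37.62),    # Moscow 15 min later
    ("carol", "2017-03-10T03:00:00", "BR", -23.55, -46.63),  # no office in Brazil
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def geo_irregularities(logins, allowed=OFFICE_COUNTRIES, max_kmh=MAX_SPEED_KMH):
    """Return a list of (user, reason) findings, in user/time order."""
    findings = []
    last_seen = {}   # user -> (timestamp, lat, lon) of the previous login
    for user, ts, country, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if country not in allowed:
            findings.append((user, f"login from {country}, no organisational presence"))
        if user in last_seen:
            prev_when, plat, plon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > max_kmh:
                findings.append((user, f"impossible travel: {dist:.0f} km in {hours:.2f} h"))
        last_seen[user] = (when, lat, lon)
    return findings


if __name__ == "__main__":
    for user, reason in geo_irregularities(LOGINS):
        print(f"ALERT {user}: {reason}")
```

Corporate VPN exits and cloud proxies will legitimately make one user appear in two places, so feed those egress ranges in as known locations before relying on the travel check.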
5. Database extractions: Closely monitor and audit your
databases to know where sensitive data resides, and to detect suspicious
activity, unauthorized usage and unusual account activity. Watch closely for
large amounts of data being extracted from databases. This can be a clear
indicator that someone is attempting to obtain sensitive information.
6. Unexpected patching of systems: If one of your critical
systems was patched without your initiation, it may be a sign of a compromise.
While it seems strange that a hacker would repair a vulnerability, it is all
about the value of the data to them, and keeping other interested criminals
away from it. Once they get inside, they often try to add a patch to the
vulnerability they used to gain access to the system so that other hackers
cannot get in through the same vulnerability. If an unplanned patch appears, it
is worth investigating for a potential attack.
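An unplanned patch is only recognisable if you can reconcile what a host reports as upgraded against what change management approved. This added example (not from the article or IBM) reads dpkg-style upgrade records and reports every upgrade that falls outside an approved change window for that package. The log lines, package versions and the ticket table are constructed.

```python
"""Reconcile package upgrades seen on a host against approved change records,
flagging upgrades nobody scheduled.

Added example, not from the original article. The log lines mimic dpkg.log
("<date> <time> upgrade <pkg>:<arch> <old> <new>") and, together with the
change-ticket table and version strings, are constructed.
"""
from datetime import datetime

UPGRADE_LOG = """\
2017-03-08 09:02:11 upgrade libssl:amd64 1.0-1 1.0-2
2017-03-08 09:02:14 upgrade openssl:amd64 1.0-1 1.0-2
2017-03-10 03:41:58 upgrade samba:amd64 4.3-1 4.3-2
"""

# Constructed change-management records: (ticket, package, window start, window end)
APPROVED_CHANGES = [
    ("CHG-1042", "libssl",  "2017-03-08 08:00", "2017-03-08 10:00"),
    ("CHG-1042", "openssl", "2017-03-08 08:00", "2017-03-08 10:00"),
]


def parse_upgrades(text):
    """Yield (timestamp, package, old_version, new_version) for upgrade lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[2] == "upgrade":
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            pkg = parts[3].split(":", 1)[0]   # strip the ":amd64" architecture suffix
            yield ts, pkg, parts[4], parts[5]


def unexpected_patches(log_text, approved):
    """Return upgrades with no approved change window covering them."""
    fmt = "%Y-%m-%d %H:%M"
    windows = [(pkg, datetime.strptime(start, fmt), datetime.strptime(end, fmt), ticket)
               for ticket, pkg, start, end in approved]
    findings = []
    for ts, pkg, old, new in parse_upgrades(log_text):
        covered = any(p == pkg and s <= ts <= e for p, s, e, _ in windows)
        if not covered:
            findings.append({"package": pkg, "at": ts.isoformat(sep=" "),
                             "from": old, "to": new})
    return findings


if __name__ == "__main__":
    for f in unexpected_patches(UPGRADE_LOG, APPROVED_CHANGES):
        print(f"ALERT {f['package']} upgraded {f['from']} -> {f['to']} at {f['at']} "
              "with no approved change")
```

Hosts running automatic updates need their maintenance schedule represented as a standing approved window, otherwise every routine update shows up as a finding and the genuinely unexpected one is lost in the noise. A 3 a.m. upgrade of a single network-facing service, as in the sample, is exactly the kind of record this check is meant to surface.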
Here
are three proactive measures you can take to protect your business:
1. Document attack tools & methods: Profile
your network traffic patterns to understand what is normal. Focus your
attention on main protocols, especially the ones used by attackers such as DNS
and HTTPS. Collect and examine log file entries and leverage tools like log
management and SIEM systems that can help automate and visualize these data
patterns to detect suspicious activity. Subscribe to IOC data feeds, like IBM’s
X-Force Exchange, that share reported IOCs to help investigate potential
incidents and speed time to action.
2. Use intelligence to search for malicious activity: By leveraging the data that
you documented in step 1, you can configure your security systems to monitor
and search for malicious activity. Your defenses can be configured to block activities
or trigger alerts if activity is identified from a suspicious IP address or
geographical location, or if an attacker tries to use a known toolkit or to
exploit a known vulnerability. You should also look out for new user names
being created locally.
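Two of the rules this step describes are simple enough to show end to end: matching outbound connections against an IOC address feed, and spotting new local accounts in the authentication log. The added example below (not from the article; nothing here is X-Force Exchange code) implements both over constructed data. The feed entries use documentation address ranges, the connection lines follow a generic firewall key=value layout, and the `useradd` line has the shape Linux writes to auth.log; all of it is constructed.

```python
"""Two detection rules driven by documented intelligence: matches against an
IOC address feed, and creation of new local user accounts.

Added example, not from the original article. The IOC feed entries, the
firewall connection lines and the auth.log lines are all constructed (the
"new user:" line follows the shape useradd emits on Linux).
"""
import ipaddress
import re

# Constructed IOC feed: address blocks reported as hostile (documentation ranges).
IOC_FEED = ["203.0.113.0/24", "198.51.100.77"]

CONN_LINES = [
    "2017-03-10 02:10:44 src=10.0.1.22 dst=192.0.2.10 proto=tcp dport=443",
    "2017-03-10 02:11:02 src=10.0.1.22 dst=203.0.113.200 proto=tcp dport=443",
    "2017-03-10 02:11:09 src=10.0.1.15 dst=198.51.100.77 proto=udp dport=53",
]
AUTH_LINES = [
    "Mar 10 02:12:31 web01 sshd[2231]: Accepted publickey for deploy from 10.0.1.5 port 50122 ssh2",
    "Mar 10 02:13:05 web01 useradd[2290]: new user: name=svc_backup, UID=1004, GID=1004, "
    "home=/home/svc_backup, shell=/bin/bash",
]

CONN_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")
NEW_USER_RE = re.compile(r"(?P<host>\S+) useradd\[\d+\]: new user: name=(?P<name>[^,]+)")


def build_ioc_networks(feed):
    """Parse feed entries once; bare addresses become /32 networks."""
    return [ipaddress.ip_network(entry, strict=False) for entry in feed]


def match_ioc_connections(lines, networks):
    """Return (src, dst) pairs whose destination falls in a reported IOC range."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in networks):
            hits.append((m["src"], m["dst"]))
    return hits


def new_local_users(lines):
    """Return (host, username) for every local account creation in auth logs."""
    return [(m["host"], m["name"]) for m in map(NEW_USER_RE.search, lines) if m]


if __name__ == "__main__":
    nets = build_ioc_networks(IOC_FEED)
    for src, dst in match_ioc_connections(CONN_LINES, nets):
        print(f"ALERT {src} connected to reported IOC address {dst}")
    for host, name in new_local_users(AUTH_LINES):
        print(f"REVIEW new local account '{name}' created on {host}")
```

The account rule is intentionally a review queue rather than a hard alert: service accounts are created legitimately all the time, so the useful comparison is against the provisioning system, and a local account that has no corresponding request is the one to escalate.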
3. Investigate security incidents & assess compromise levels: If a security incident occurs,
the next logical step is to investigate and assess the number of systems or
applications that are affected. Start with system IP, DNS, user, and timestamps
to first understand the scope of the breach and the degree of penetration the
attacker may have gained in the system.
Next, create a timeline to determine
if any other events occurred. Examine all files with time stamps (logs, files and
registry), the content of email communications and messages, information about
system logon and logoff events, indications of access to specific Internet
documents or sites, and the contents of communication with known individuals in
chat rooms or other collaborative tools. Check for evidence of document
destruction and search for incident-specific IOCs, such as patterns exhibited
within working directories or the use of particular hosts and accounts.
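The timeline step is mostly a normalisation problem: every source keeps its own timestamp format and time zone, and nothing lines up until they are all converted to UTC and sorted together. This added example (not from the article) builds such a unified timeline from several constructed sources and then pivots around a seed event, in this case a large database query, to show what the same user and host did in the surrounding half hour. The sources, events, offsets and the assumed syslog year are all constructed.

```python
"""Build a unified timeline from several log sources (each with its own
timestamp format and zone), then pivot around a seed indicator.

Added example, not from the original article. The events and their formats
are constructed; real sources need their own parsers, which this block
replaces with pre-split tuples.
"""
from datetime import datetime, timedelta, timezone

# Constructed records: (source, raw timestamp, strptime format, tz offset hours, host, user, detail)
RAW_EVENTS = [
    ("vpn",   "10/Mar/2017:01:20:00", "%d/%b/%Y:%H:%M:%S",  8, "vpn-gw", "bob",   "VPN login from 203.0.113.9"),
    ("auth",  "Mar 10 01:26:44",      "%b %d %H:%M:%S",     8, "db01",   "bob",   "sudo su -"),
    ("db",    "2017-03-09T17:31:02Z", "%Y-%m-%dT%H:%M:%SZ", 0, "db01",   "bob",   "SELECT * FROM customers (1,203,441 rows)"),
    ("proxy", "2017-03-10 01:35:10",  "%Y-%m-%d %H:%M:%S",  8, "db01",   "bob",   "HTTPS PUT 410 MB to 203.0.113.77"),
    ("auth",  "Mar 10 09:00:02",      "%b %d %H:%M:%S",     8, "web01",  "alice", "ssh login"),
]
SYSLOG_YEAR = 2017   # syslog-style timestamps carry no year; assumed for the sample


def normalise(raw):
    """Parse one raw record to (utc datetime, source, host, user, detail)."""
    source, ts, fmt, offset_h, host, user, detail = raw
    when = datetime.strptime(ts, fmt)
    if "%Y" not in fmt:
        when = when.replace(year=SYSLOG_YEAR)
    # Attach the source's zone, then convert everything to UTC so it sorts correctly.
    when = when.replace(tzinfo=timezone(timedelta(hours=offset_h))).astimezone(timezone.utc)
    return when, source, host, user, detail


def build_timeline(raw_events):
    """All sources merged and ordered by UTC time."""
    return sorted(normalise(r) for r in raw_events)


def pivot(timeline, seed_detail, before=timedelta(minutes=30), after=timedelta(minutes=30),
          host=None, user=None):
    """Events within [seed-before, seed+after], optionally narrowed to host/user.
    The seed is the first event whose detail contains `seed_detail`."""
    seed = next(e for e in timeline if seed_detail in e[4])
    lo, hi = seed[0] - before, seed[0] + after
    return [e for e in timeline if lo <= e[0] <= hi
            and (host is None or e[2] == host)
            and (user is None or e[3] == user)]


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for when, source, host, user, detail in pivot(tl, "SELECT", user="bob"):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {source:5}  {host:7}  {user:6}  {detail}")
```

Read in order, the pivot shows the sequence the article calls the degree of penetration: a VPN login from an external address, privilege escalation on the database host, a full-table read, and a large upload to an outside address, all within fifteen minutes. Each of those hosts and addresses then becomes an input to the identify-and-remediate step.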
4. Identify, remediate & repeat: Identify
all compromised hosts, user accounts, points of exfiltration, and other access
points. Next, move to reset passwords, remove points of exfiltration, patch
vulnerable systems being exploited for access, activate your incident response
team, and set trigger points to alarm if the attacker returns. After this is
complete, it is important to continue searching for IOCs to ensure remediation
tactics are successful and then to repeat the process, if necessary.
With this model
in place, you can identify the breadcrumbs that attackers leave behind when
they compromise security defenses, enabling you to react quickly and
efficiently to security incidents.