
Signs of a network breach

By Staff Writer, ITWeb
Johannesburg, 04 Nov 2013

It is generally understood that most, if not all, companies will suffer a breach at some point, even if they are not aware it has happened.

In addition, recent research shows that the average advanced persistent threat (APT) will remain undetected on a company's network for hundreds of days before it is discovered.

Jayson O'Reilly, director of sales and innovation at DRS, says there are several indicators of a breach that companies should keep an eye out for.

"One of the most obvious signs of a breach is anomalous traffic leaving your network. Many businesses erroneously believe that all traffic within the network is secure, when this is not the case. Look at both in- and outbound traffic for any anomalies, particularly any calls to command and control (C&C) servers, which is a sure sign that something is amiss. This is a good way of stopping an attack before any serious data exfiltration has occurred, or any real damage done."

Businesses should also look out for unusual domain name system (DNS) queries. O'Reilly adds that C&C traffic lets cyber criminals manage the breach, and this traffic has distinctive patterns. Companies noticing these patterns have something to worry about, as do those that notice huge spikes in DNS requests from a single host.

Irregularities in location should also be investigated, adds O'Reilly. He cites an example of traffic between countries in which the company does not conduct any business, as it could be a sign that sensitive data is being sent to attackers in another country. "Likewise, should one account have two logins from locations thousands of miles away from each other, within a short space of time, this should trigger an alarm."
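The "two logins from locations thousands of miles apart within a short space of time" check above is often called impossible-travel detection. The following is an added example, not code from the article or from DRS: it takes a constructed list of login events with coordinates, sorts them per account, and flags any consecutive pair whose implied travel speed exceeds a plausible ceiling. The 900 km/h ceiling, the coordinates and the account names are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling: faster than a commercial flight means the same person
# cannot plausibly have produced both logins.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    source_ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert dict per consecutive login pair (same account) whose
    implied speed exceeds max_speed_kmh. Alerts are ordered by time."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l.when):
        by_user.setdefault(login.user, []).append(login)

    alerts = []
    for user, events in by_user.items():
        for first, second in zip(events, events[1:]):
            distance = haversine_km(first.lat, first.lon, second.lat, second.lon)
            hours = (second.when - first.when).total_seconds() / 3600.0
            if hours == 0:
                # Same timestamp: any real distance is impossible; no distance is fine.
                speed = float("inf") if distance > 1.0 else 0.0
            else:
                speed = distance / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": first.source_ip,
                    "to": second.source_ip,
                    "distance_km": round(distance, 1),
                    "speed_kmh": round(speed, 1),
                    "minutes_apart": round(hours * 60, 1),
                })
    return sorted(alerts, key=lambda a: a["minutes_apart"])


# Constructed sample events (not real logs): alice logs in from Johannesburg
# and, 45 minutes later, from London; bob travels Johannesburg -> Cape Town
# over four hours, which is ordinary.
SAMPLE_LOGINS = [
    Login("alice", datetime(2013, 11, 4, 9, 0), -26.20, 28.04, "196.0.2.10"),
    Login("alice", datetime(2013, 11, 4, 9, 45), 51.50, -0.12, "203.0.113.7"),
    Login("bob", datetime(2013, 11, 4, 8, 0), -26.20, 28.04, "196.0.2.11"),
    Login("bob", datetime(2013, 11, 4, 12, 0), -33.92, 18.42, "196.0.2.55"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

The speed-based rule is deliberately simple; in practice the geolocation of the source IP is approximate, so VPN egress points and mobile carriers produce false positives that should be whitelisted per organisation rather than by lowering the ceiling.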

He says multiple requests for the same data should also raise a red flag. APTs are complex, difficult to execute and use multiple attack vectors, adds O'Reilly. They also need to try many different exploits to achieve their malicious ends. "Once they think they are on to something, they will use slightly different arrangements of the exploit to launch it."

He says IT should be able to see if a single IP or one user is making hundreds of identical requests, when the normal number would be in single figures only.
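Both the "huge spikes in DNS requests from a single host" indicator and the "hundreds of the same requests from one IP or user" indicator reduce to the same detection: count events per source inside a sliding time window and alert when the count is far above normal. The following is an added example, not code from the article or from DRS: it parses two constructed log formats (a DNS query log keyed by client, and a web access log keyed by client plus request) with one shared sliding-window counter. The log line formats, thresholds and addresses are assumptions made for the illustration; the "single figures" threshold of 9 follows the article's description of normal volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_dns_line(line):
    """Constructed format: '<iso-timestamp> <client-ip> <queried-name>'."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def parse_http_line(line):
    """Constructed format: '<iso-timestamp> <client-ip> "<METHOD> <path>"'."""
    ts, client, request = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, request.strip('"')


def sliding_window_peaks(events, window, threshold):
    """events: iterable of (timestamp, key). For each key, track how many
    events fall inside any window of the given length and return the keys
    whose peak count exceeds threshold, mapped to that peak."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, key in sorted(events, key=lambda e: e[0]):
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {key: count for key, count in peak.items() if count > threshold}


def dns_query_spikes(lines, window_seconds=60, threshold=30):
    """Hosts issuing more than `threshold` DNS queries in any `window_seconds`."""
    events = ((ts, client) for ts, client, _qname in map(parse_dns_line, lines))
    return sliding_window_peaks(events, timedelta(seconds=window_seconds), threshold)


def repeated_requests(lines, window_seconds=300, threshold=9):
    """(client, request) pairs repeated more than `threshold` times in a window;
    the article puts the normal count in single figures, hence 9."""
    events = ((ts, (client, req)) for ts, client, req in map(parse_http_line, lines))
    return sliding_window_peaks(events, timedelta(seconds=window_seconds), threshold)


# Constructed sample logs (not real traffic). Host 10.0.0.9 fires 40 queries
# for distinct names in 40 seconds; the other hosts behave normally.
DNS_LINES = (
    [f"2013-11-04T09:00:{i:02d} 10.0.0.9 {i}.updates.example.test" for i in range(40)]
    + ["2013-11-04T09:00:05 10.0.0.5 www.example.test"]
    + [f"2013-11-04T09:01:{i:02d} 10.0.0.6 mail.example.test" for i in range(5)]
)

_start = datetime(2013, 11, 4, 9, 0, 0)
HTTP_LINES = (
    [f'{(_start + timedelta(seconds=4 * i)).isoformat()} 198.51.100.7 "GET /api/export?id=42"'
     for i in range(25)]
    + [f'{(_start + timedelta(minutes=i)).isoformat()} 10.0.0.5 "GET /api/export?id=42"'
       for i in range(3)]
    + [f'{(_start + timedelta(minutes=1)).isoformat()} 10.0.0.5 "GET /index.html"']
)

if __name__ == "__main__":
    print("DNS spikes:", dns_query_spikes(DNS_LINES))
    print("Repeated requests:", repeated_requests(HTTP_LINES))
```

The same counter is reused for both indicators because the only thing that changes is the key: the client for DNS volume, and the client-plus-request pair for repeated identical requests. Fixed thresholds are a starting point; a baseline per host or per role (the median query count of its peers, for instance) gives fewer false positives on servers that legitimately resolve many names.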

O'Reilly also advises companies to be on the lookout for large volumes of data in the wrong places. "Cyber criminals often collect data at certain points in the system, before attempting to exfiltrate the information. Clusters of information in places where they shouldn't be could be a sign that you have been breached. Take a close look at any files found in places they shouldn't be."

Lastly, he says organisations should keep an eye out for any signs that a distributed denial of service (DDoS) attack has taken place or is taking place, as these attacks are often used as a smokescreen to hide a more serious attack. Signs of a DDoS attack include a sluggish network and the sudden unavailability of the Web site. He says these attacks don't focus on the mainstream systems only, and can also try to overwhelm security information and event management (SIEM) systems or intrusion prevention systems.

"Scrutinise apparent DDoS attacks for any related breach activity," he concludes.
