A popular maxim today is that there are only two kinds of companies – those who have been breached, and those who have been breached but don’t know about it. Given that recent research has revealed that the average advanced persistent threat lurks on a business network for hundreds of days before it is discovered, how do businesses tell that their network has been compromised?
Jayson O’Reilly, director: Sales & Innovation at DRS, says there are several things an organisation can look for.
“One of the most obvious signs of a breach is anomalous traffic leaving your network. Many businesses erroneously believe that all traffic within the network is secure, when this is not the case. Look at both in and outbound traffic for any anomalies, particularly any calls to command and control (C&C) servers, which is a sure sign that something is amiss. This is a good way of stopping an attack before any serious data exfiltration has occurred, or any real damage done.”
Hand in hand with this, says O’Reilly, are unusual DNS queries. C&C traffic lets attackers manage the breach, and this traffic has distinctive patterns. These patterns are a reliable sign that all is not well on the network.
“In addition, a sudden and massive spike in DNS requests from a single host should also be viewed with suspicion.”
Something else for admins to look out for, says O’Reilly, is irregularities in location. Should they notice traffic to or from countries in which their organisation doesn’t conduct any business, they should take a closer look.
“This could mean that sensitive data is being sent to attackers in another country. Likewise, should one account have two logins from locations thousands of miles away from each other, within a short space of time, this should trigger an alarm.”
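As an added illustration (not from the article or DRS), the following Python check implements the “two logins from locations thousands of miles apart within a short time” indicator: for each account it orders the logins by time, computes the great-circle distance between consecutive logins, and flags any pair whose implied travel speed is implausible. The log records, coordinates and the 900 km/h threshold are constructed assumptions for the example.

```python
import math
from datetime import datetime

# Constructed sample authentication log: (account, ISO timestamp, city, lat, lon).
# All events and coordinates are made up for this example.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T08:00:00", "Johannesburg", -26.2041, 28.0473),
    ("alice", "2024-03-01T08:45:00", "London", 51.5074, -0.1278),
    ("bob",   "2024-03-01T09:00:00", "Cape Town", -33.9249, 18.4241),
    ("bob",   "2024-03-01T12:30:00", "Johannesburg", -26.2041, 28.0473),
]

# Assumed threshold: anything faster than an airliner is not plausible travel.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, from_city, to_city, implied_kmh) for each pair of
    consecutive logins on one account whose implied speed exceeds max_kmh."""
    by_account = {}
    for acct, ts, city, lat, lon in logins:
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for acct, events in by_account.items():
        events.sort()  # chronological order per account
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours == 0:
                # Simultaneous logins from two different places are also impossible.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append((acct, c1, c2, round(speed, 1)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("ALERT impossible travel:", alert)
```

On the sample data only alice is flagged: Johannesburg to London in 45 minutes, while bob’s Cape Town to Johannesburg trip over three and a half hours is within the threshold.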
O’Reilly also advises being on the lookout for multiple requests for the same data.
“APTs are complex, and far from easy to execute. They use multiple attack vectors, and have to try many different exploits to achieve their malicious ends. Once they think they are on to something, they will use slightly different arrangements of the exploit to launch it. Admins should be able to pick up if a single IP, or one user is making hundreds of the same requests, as the usual number would be in the single figures.”
Another sign, he says, is large volumes of information in the wrong places.
“Cybercriminals often collect data at certain points in the system, before attempting to exfiltrate the information. Clusters of information in places where they shouldn’t be could be a sign that you have been breached. Take a close look at any files found in places they shouldn’t be.”
Finally, he says businesses should watch for any indications of DDoS attacks, as these types of attacks are often used to obfuscate more dangerous attacks.
“A sluggish network is often a sign, as is the sudden unavailability of the Web site. DDoS attacks don’t just focus on the mainstream systems, but can try to overload SIEM systems, or intrusion prevention systems. Scrutinise apparent DDoS attacks for any related breach activity.”