Cybercriminals are more skilled than ever and are constantly searching for ways to get into organizations’ networks and systems. This is why organizations must do more to know who is on their network and what they are doing there. Monitoring network users manually is not an easy task, however, so organizations need to look out for the crucial indicators of compromise.
When hackers have been on your network, they leave behind clues, in the same way burglars leave behind clues at a crime scene. Unlike a common burglar, however, hackers try to cover their tracks by destroying any evidence of their entry. Despite these efforts, there are certain signs that simply cannot be covered up.
In a Simplilearn webinar, Dr. James Stanger, Senior Director of Products at CompTIA, discussed the practical steps to follow when you’re hunting down cyber threats to safeguard the IT network and systems.
You can watch the webinar below, or keep reading to learn more. The article below describes what hackers are after, how they work, the signs to look for, and the best practices that help you safeguard against cyber attacks.
What Are Hackers After?
Usually, hackers seek any information that has value, such as confidential data and customer personally identifiable information (PII). They steal this information to make money from it in a variety of ways, such as:
- Sell it on the dark web.
- Commit ad fraud.
- Send out spam.
- Rent out hijacked infrastructure to criminals.
They can also make money by manipulating your organization’s account information to either wreak havoc or demand a ransom to get your company’s systems back in place.
The Hacker Lifecycle
Hackers are both skillful and determined. A recent Nuix Black Report surveyed 70 of the world's best professional hackers and found that 88 percent of hackers can get through cybersecurity defenses in 12 hours or less. Then it only takes an additional 12 hours for 81 percent of hackers to find and take valuable data.
You need to know how hackers operate so that you can quickly detect if there is an attack on your system. The earlier you know of an attack, the easier it is to minimize the damage.
The cycle starts when hackers assess your resources and determine if it is worth hacking your system or not. Next, they make their move and exploit a vulnerability by infiltrating your network, executing code or installing malware. Finally, they attack to get what they’re after.
Indications That Your System Has Been Hacked
You can learn to spot suspicious activity. Below are ways to identify signs that your system has been compromised:
1. Lateral Movement
Lateral movement involves moving from one machine to another in order to find and access a system containing valuable data. This matters to hackers because their initial foothold is usually a low-privilege workstation with little or no access to valuable data.
2. Strange Login Attempts
Logins are the first step to gaining access to an endpoint with valuable data. A login on an endpoint that the owner of the credentials does not normally use is an indicator of compromise. For example, if the CEO appears to log in from a computer in the finance department, or someone logs in at an unusual time of day or night, it may indicate a breach.
Hackers need working credentials to log in before they can move through your network, so monitoring logins is very important.
3. Questionable Data Access
Data access on your network follows predictable patterns over time, so you will notice any strange access at an odd time of day. You can also track the amount of data accessed within a given period: if it is more than normal, it may indicate a compromise. Likewise, a sudden increase in outgoing data is an indication of compromise.
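The login and data-access checks above, as an added example that is not part of the webinar or article: a per-user baseline is built from a known-clean period, and each new session is flagged if the host, the hour of day, or the outbound volume falls outside that baseline. All events, host names and the 3x egress threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sessions: (timestamp, user, host, bytes_out).
# BASELINE is a known-clean period; CANDIDATES are the sessions being hunted through.
BASELINE = [
    ("2024-03-04 08:55:00", "ceo", "EXEC-LT-01", 120_000),
    ("2024-03-04 17:10:00", "ceo", "EXEC-LT-01", 90_000),
    ("2024-03-05 09:02:00", "ceo", "EXEC-LT-01", 150_000),
    ("2024-03-04 08:30:00", "jsmith", "FIN-WS-07", 40_000),
    ("2024-03-04 13:45:00", "jsmith", "FIN-WS-07", 55_000),
    ("2024-03-05 08:41:00", "jsmith", "FIN-WS-08", 60_000),
]
CANDIDATES = [
    ("2024-03-06 09:05:00", "ceo", "EXEC-LT-01", 110_000),     # normal session
    ("2024-03-06 02:17:00", "ceo", "FIN-WS-07", 95_000),       # finance host, 2 a.m.
    ("2024-03-06 13:20:00", "jsmith", "FIN-WS-07", 2_400_000), # outbound spike
    ("2024-03-06 10:00:00", "newhire", "HR-WS-02", 30_000),    # user never seen before
]
EGRESS_FACTOR = 3  # assumed threshold: more than 3x the user's largest baseline session

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour

def build_profile(events):
    """Per-user baseline: hosts used, hours of day seen, outbound bytes per session."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": [], "bytes": []})
    for ts, user, host, bytes_out in events:
        p = profile[user]
        p["hosts"].add(host)
        p["hours"].append(_hour(ts))
        p["bytes"].append(bytes_out)
    return profile

def hunt(profile, events):
    """Return (event, reasons) for each candidate that deviates from its user's baseline."""
    findings = []
    for event in events:
        ts, user, host, bytes_out = event
        reasons = []
        if user not in profile:
            reasons.append("no baseline for user")
        else:
            p = profile[user]
            if host not in p["hosts"]:
                reasons.append(f"unfamiliar host {host}")
            if not (min(p["hours"]) <= _hour(ts) <= max(p["hours"])):
                reasons.append(f"unusual hour {_hour(ts):02d}:00")
            if bytes_out > EGRESS_FACTOR * max(p["bytes"]):
                reasons.append(f"egress {bytes_out} > {EGRESS_FACTOR}x baseline max")
        if reasons:
            findings.append((event, reasons))
    return findings
```

Running `hunt(build_profile(BASELINE), CANDIDATES)` returns three findings: the CEO session is flagged for both host and hour, the jsmith session only for egress, and the unknown user for having no baseline.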
4. Strange Endpoint Activity
If any of your employees notice strange activity on their smartphones, tablets or laptops, such as a rogue process, unexpected persistence tasks, changed auto-run registry settings, or altered browser settings, it may be an indication of a breach.
Your First Steps to Cyber Security
Now that you know what you’re looking for, your next step is to map essential security controls to the most important aspects of your business. In mapping out controls for your business, you have to identify your company’s problems and then apply the controls correctly. You can use different cyber-security frameworks, such as NIST from the United States, COSO, or the worldwide ISO standards. You have to customize these frameworks to your company because each company is different.
Mapping your controls means taking tools such as firewalls, intrusion detection systems, or security information and event management (SIEM) software and applying them to your essential resources. Your essential resources might be a SharePoint server, a WordPress server, an e-commerce database, or something else.
As a cyber security professional, you assume you’ve already been hacked. You have to maintain situational awareness of your environment and start testing what works and what does not. Put threat intelligence into practice by actively searching the systems on your network.
Next, you apply the controls. The following steps will help you to map essential security controls to the most important aspects of your business.
1. Engage in Behavioral Analytics
In most cyber attacks, the end users are the main targets. Employ user behavior analytics to identify where most of those attacks are coming from, then educate those users and change processes to lower the risk. You can also review the logs or reports of a tool such as a SIEM, Bro (now Zeek) or Syslog to see who is logging on and who is not, and which accounts are being used.
2. Use Informed Hunches
Pay attention to your hunches to detect attacks.
3. Engage in Intelligence Analytics
Read the news and industry reports to find out what attackers are doing against the particular versions of the systems your company runs. Know the kinds of attacks that are happening, so you can watch for them.
4. Know What the Adversary Is Doing
Find out if somebody is scanning your systems (reconnaissance). Is there an initial compromise? Are people moving from one system to the next and taking over systems? Are they stealing information (data egress)?
5. Network Behavior Analytics
Network behavior analytics will show you traffic anomalies as well as user behaviors. You will know how specific users are working and you can model them accordingly.
6. Build a Baseline
This is where you take an inventory of the systems and devices on your network and create a baseline so you know what is normal. Do a software inventory as well. Apply secure configurations to hardware and mobile devices, notebooks, workstations, servers, and IoT devices. Carry out continuous vulnerability assessment and remediation. Control the use of administrative privileges and cut down on “too much information.”
7. Evaluate Outliers
Outliers are threats to a network. They represent unusual data or traffic that can be evaluated and analyzed for a likely cause or source. Find out whether your outliers are important, or something you can ignore.
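Baseline and outlier triage, as an added example that is not from the webinar or article: each host’s inventoried software, listening ports and local administrators form the baseline, anything observed beyond it is an outlier, and outliers an analyst has already reviewed are suppressed so only the unexplained ones remain, ranked by severity. Host names, values and severity levels are constructed assumptions.

```python
# Constructed baseline: per host, what was recorded when the host was judged "normal".
BASELINE = {
    "FIN-WS-07": {"software": {"office", "browser", "erp-client"}, "ports": {3389},
                  "admins": {"Administrator", "it-svc"}},
    "WEB-01":    {"software": {"nginx", "wordpress"}, "ports": {22, 443},
                  "admins": {"root"}},
}
# Constructed current observations from the same sensors.
CURRENT = {
    "FIN-WS-07": {"software": {"office", "browser", "erp-client", "gamelauncher"},
                  "ports": {3389, 8443}, "admins": {"Administrator", "it-svc", "jsmith"}},
    "WEB-01":    {"software": {"nginx", "wordpress"}, "ports": {22, 443},
                  "admins": {"root"}},
    "UNKNOWN-9A": {"software": set(), "ports": {445}, "admins": set()},  # never inventoried
}
# Outliers already investigated and judged ignorable: (host, field, value).
ACCEPTED = {("FIN-WS-07", "software", "gamelauncher")}

SEVERITY = {"admins": "high", "ports": "medium", "software": "low"}  # assumed ranking
ORDER = {"high": 0, "medium": 1, "low": 2}

def drift(baseline, current, accepted=frozenset()):
    """Return (host, field, value, severity) for every unexplained deviation from baseline.

    New local admins rank highest, new listening ports next, new software lowest;
    a host with no baseline at all is high, a baselined host that went silent is medium.
    """
    findings = []
    for host, state in current.items():
        if host not in baseline:
            findings.append((host, "host", "not in inventory", "high"))
            continue
        for field, expected in baseline[host].items():
            for value in sorted(state[field] - expected, key=str):
                if (host, field, value) not in accepted:
                    findings.append((host, field, value, SEVERITY[field]))
    for host in baseline.keys() - current.keys():
        findings.append((host, "host", "missing from current scan", "medium"))
    return sorted(findings, key=lambda f: ORDER[f[3]])

if __name__ == "__main__":
    for host, field, value, severity in drift(BASELINE, CURRENT, ACCEPTED):
        print(f"[{severity:6}] {host}: {field} -> {value}")
```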
8. Engage in Endpoint Monitoring
Endpoints are the weak points of the network, sitting beyond the protective layers of internal security. When end users connect to unsecured WiFi networks, browse dangerous websites, open spam emails, or click suspicious links, a compromised endpoint can end up with unfettered access to your organization’s network. Hackers will exploit these points if you don’t monitor them, so you have to engage in endpoint monitoring: use the endpoint as a sensor, collect information from it, and compare normal and abnormal behavior.
9. Killer Apps
The following apps and tools can help you in your cyber security role:
- Excel spreadsheets help to create tables for analysis and reporting.
- VirusTotal helps you to analyze suspicious files and URLs to search for malware such as viruses, worms, and Trojans.
- Sqrrl Data is a company that helps organizations to target, hunt for, and stop advanced threats.
- Endgame helps to stop advanced attacks before damage and loss take place.
- Ntop helps to detect and fight ransomware.
- Infocyte helps to detect breaches and limit risk.
- Splunk helps to search and analyze data.
Best Practice for Cyber Security Professionals? Get Trained
Cyber attacks are an ongoing battle. Defend your business from one, and you’ll only have another headed your way soon. You have to be prepared to limit potential hacks, and the best way to be prepared is to stay on top of best practices through IT security training. Simplilearn’s CompTIA Security+ certification course can teach you in-depth IT security skills so that you’re able to perform threat analysis effectively and know how to respond with appropriate mitigation techniques.