Five signs an attacker is already in your network
According to some estimates, attackers have infiltrated 96% of all networks, so you need to detect and stop them before they have time to escalate privileges, find valuable assets and steal data.
The good news is an attack doesn’t end with an infection or a take-over of an endpoint; that is where it begins. From there an attack is highly active, and the attacker can be identified and stopped if you know how to find them. These five strategies will help.
* Search for the telltale signs of a breach. Look for port scans, excessive failed log-ins and other types of reconnaissance as an attacker tries to map out your network.
An attacker will initially need to understand the topology of the network they have infiltrated. They will look for vulnerable end points and servers, and zero in on administrative users and valuable data stores.
Most intrusion detection tools can detect known port scanners. However, distinguishing between covert reconnaissance and legitimate scanning used in network broadcasts is more difficult. Let’s face it; most computers and applications are chatty. However, you can find the anomalies indicative of an attack if you’ve established how many ports and destinations the various devices on your network would usually access.
* Look for a “normal” user performing administrative tasks. Increasingly, attackers are using native tools on computers and servers, rather than known attack tools and malware, to avoid detection by anti-virus and EDR software. But, this is itself an anomaly that you can detect. Try to determine who your admins are. Directory services such as Active Directory can help you establish user roles and privileges within your organization. Then ascertain what tools your administrators use and what applications or devices they typically manage, such as an ERP database or an Intranet website. With that knowledge, you can spot when an attacker takes over a machine and starts performing administrative tasks in an unexpected manner.
* Look for a device using multiple accounts and credentials to access network resources.
Attackers love credentials to ease their process and stay undetected. They steal or generate accounts and use those to explore and gain access. This is a mark of both external and internal attackers. Analyze credential usage to spot outliers that are indicative of such attack activity.
* Look for an attacker trying to find valuable data in file servers. One step an attacker will typically take is to figure out what Windows files shares are broadly accessible in order to either hunt for important data—such as intellectual property or credit card numbers—or to remotely encrypt data for ransom. Spotting anomalies in file share access can be a valuable signal, and may also alert you to an employee who is considering insider theft.
* Look for the command and control activity or persistent access mechanisms. Attackers need a way to communicate between the Internet and endpoint(s) they control in your environment. While there is less malware in use throughout the attack than there used to be, there can still be malware and Remote Access Trojans (RATs) in place. Keep an eye on outbound communications for indications of malicious software phoning home.
You can augment your existing security by looking at DNS logs for patterns of DNS look-ups that indicate malware trying to find command and control servers. Lots of failed DNS requests or requests that look like machine-generated domain names are a sign of malware programmed to avoid reputation-based blocking.
As you can see, there are a lot of tools and procedures at your disposal to help spot attackers. There are many activities that attackers must engage in to learn and expand in an environment. Getting in, for them, is just the first step. At a minimum, a bot needs to connect back and monetize the intrusion through bitcoin mining, click fraud, spam, or other nefarious means. In the more serious cases, the initial intrusion is just the beachhead the attacker uses to then learn and expand on your network in the pursuit of your data. In either case, all is not lost upon intrusion - there is still plenty of time to find and root out attackers and malware before serious damage is done.
Further, it is actually possible to spot all these activities, and more, directly from the network - if you are able to extract the right metadata from the packet flows. This is harder to do manually, but is a great option for an automated tool. By analyzing network traffic with Deep Packet Inspection, an automated security solution can identify the anomalies indicative of a live attack.
If you are interested in automating these detection steps and more, find a solution that uses machine learning to automate the baselining process on your network so you can quickly find and stop attackers who have circumvented traditional security controls.