Intrusion detection systems and firewalls that detect and prevent network compromise are critical elements in any secure network environment. But, let’s get real: Many people lack working backups and decent password controls, let alone dedicated defensive gear.
Most small to medium enterprise organisations have limited investment in security. They also lack the capacity to maintain security systems: Intrusion detection signatures and firewall rules need regular updates; log files need analysis; and policies need updating.
So, are you compromised and how would you know?
When I have responded to cyber attacks, frequently it's the client and their staff who have noticed “something odd going on”. Maybe they’ve noticed their Internet traffic increasing, a computer running slower than normal, or the light on a specific port of their Internet router flashing like crazy.
There are two types of companies: those that have been hacked, and those who don't know they have been hacked.
It’s quite a testament to everyday users just how much they notice changes in their computer’s behaviour. Unfortunately it often takes too long to join the dots, by which time the damage is done.
Things behaving badly
Let’s take a brief look at some ‘everyday’ indicators of compromise. I’m not talking about formal malware signatures or technical descriptions of file system detritus. More generally, we’ll look at the anomalous behaviour of computers and networks under a few common attacks.
· General malicious software
General malware infections can exhibit a range of behaviours. They can be a prelude to installation of ransomware, credential stealers, back-doors, bot-net clients and much more.
Most malicious software arrives in an email as an attachment, or infects devices through a compromised website.
Email attachments from malware often have interesting subject lines. They are crafted to appeal to a wide audience and may even seem relevant to your business. E.g. “Hi, here’s the resume we discussed” or “Invoice for work”.
If you open an attachment accidentally, you’ll notice pretty quickly that the content is nonsense, it’s not relevant to you, the application crashes straight away, or nothing seems to happen.
If you’re running up-to-date systems, network malware installers from compromised sites may cause a pop-up security warning that users might accidentally approve.
Digital muggings from ransomware are pretty noisy. Once you’re infected, your files are scrambled and you are presented with a ransom message.
Because file encryption can be a slow process, there’s a small window of time between infection and complete encryption where you may notice your computer running slowly.
Current ransomware strains usually scan external hard disks and network shares. This means network and hard disk lights will be thrashing even when you’re doing nothing at all.
· Botnet clients
Botnet software (clients) can infect a range of computers and devices. These clients help spammers and hackers by recruiting your equipment to do their bidding.
Botnets use your computer and network connection to participate in further attacks, spam email or malware distribution, or network scanning. These attacks are usually very active on the network; they’ll hammer your link and chew through your data cap, or result in additional Internet charges.
· Automated and scripted attacks
Hackers use scripted attacks for reconnaissance, and to get their foot in the door. They use automated attacks to cast a wide net and find vulnerable servers or software.
Because hacking scripts work by trial-and-error, they’ll test your system to see if it’s vulnerable to hundreds of exploits. An up-to-date system will be safe from most and will simply block the attempt, or create an error message. Often these errors will be visible in server logs.
If a scripted attack succeeds in identifying vulnerabilities, your attack might turn from automated to directed. Instead of dealing with a random script flailing about, you’ll have a hacker directing their efforts at your network.
· Directed attacks
Directed attack behaviours vary greatly as they’re being staffed by hackers instead of automatic scripts. They’re less noisy than malware and scripted attacks because the hackers can be more judicious in how they attack your network.
A hacker moving through your network will still leave a trail of evidence. Their initial goal will be to establish a presence in your network. To do this they’ll often modify configurations, install software, download malware, and create or modify user and system accounts.
You might notice new software installed on your computer. I’ve seen common desktop sharing tools, remote presentation and meeting software installed on compromised PCs. On windows you can check for ‘recently added’ programs, and on Mac you can check the ‘System Report’ for software applications and installations.
If you’re familiar with task-manager on Windows or Activity Monitor on your Mac, you might see unexpected processes. A Google search of the process name can help identify real tasks from malicious ones.
Because these types of attackers are seeking to maintain access, they may install hard to detect root-kits and backdoors. But, more often they’ll use less sophisticated ways of maintaining access such as adding new users, and modifying router and firewall rules.
· Online, webmail and the cloud
Breaches of online systems and cloud services will leave different footprints depending on the service.
Many online services have the ability to check your login history, reviewing these could provide evidence of online breaches - hackers will leave evidence of strange connection times and weird IP addresses.Read more: Chatbots: Opportunity and threat
Web based email clients may also indicate the presence of a compromise through other activities like sent or deleted email messages, as well as emails marked as read unexpectedly.
All common security incidents leave a trail of evidence. By being familiar with your device configuration, active users, and Internet data usage you’ll be better placed to use your dual-shoulder-mounted anomaly detectors.
Be aware of the threats and how to recognise some when something’s not right. If something seems out of place, it might be an indication of compromise and warrant further investigation.
[Takes steps to improve your security: Quick and dirty guide to security policy creation]
If you’ve been breached, you need to move quickly and decisively. You can significantly minimise damage if you disconnect suspected equipment, shut down networks, change passwords and freeze bank accounts.
In an ideal world secure operating systems, applications and networks will stop you from being compromised in the first place. But seeing as that’s fantasyland, you’ll just have to keep your wits about you.
Nikolai Hampton holds a Master's Degree in Cyber Security and is a director of Impression Research. He consults on matters of privacy, security, digital forensics, and incident response. His focus is on the correct application of cryptography. He is passionate about educating business on complex security issues. Follow Nikolai on Twitter: @NikolaiHampton