Precursor warnings can only go so far when it comes to prevention of possible forthcoming attacks. While staying up to date on vendor advisories, intelligence sources, and security blogs are certainly important, it comes as too little too late for some victims. According to FireEye’s “M-Trends 2018” report, the global median dwell time between infiltration and discovery was 101 days in 2017, ranging from 75.5 days in the Americas to a whopping 498 days in Asia-Pacific. Do you know how to detect a breach on your network?
Here are three typical event indicators that may signal your system is compromised.
- Unusual Activity. Unusually high system or network activity, abnormal login times, abnormal login locations, unexpected user lockouts and unusual network ports activity can all be signs someone is working within your system.
- Software Issues. Every system has glitches, but repeated application crashes can signal something deeper. Configuration changes that can’t be traced back to approval, firewall changes, the presence of unexpected software or system processes, installation of startup programs, even repeated pop-ups on the web browser are all signs you need to look into a possible breach.
- Alerts. Notifications from your malware protection solutions as well as disabled solutions are obvious signs of an issue. So is a ransomware message from an attacker. Internal reports can be very valuable sources, as often employees are the ones reporting issues. More subtle alerts, such as reports from outside contacts that they received unusual messages from your email or social media accounts should also raise suspicion of attack.
If you experience any of the indicators above do NOT alter anything on the suspected systems. Contact your IT expert immediately. If you are the IT guru, collect as much evidence of the breach as possible: log files, disk information, malware samples. Make a list of active users and network connections. Obviously, if the breach involves leaking personal information or intellectual property, it is better to stop the leak before gathering all the evidence. Also, check with your peers for potential containment solutions. This allows you to learn what others have already done to contain the incident and recover from it.
If you need help contact us HERE