<img src="https://ws.zoominfo.com/pixel/0nVRFDqEc4KEsx6wmKaS" width="1" height="1" style="display: none;">

Indicators of Compromise: How to Tell If You’ve Been Breached

Indicators of Compromise (IoC)

According to the Ponemon Institute’s most recent Cost of a Data Breach Report, it takes U.S.-based companies an average of 245 days to discover and contain a breach—longer than a baseball season, a school year, or the time needed for an apple tree to bud, flower, and bear fruit. Firms that are able to identify breaches quickly see far lower costs and less damage—including loss of business and customer trust—than those that take longer. Leaders therefor find it critical to ensure that their organization can detect cybercriminal activities taking place in its IT environment as rapidly as possible.

But this is no easy task. “Today’s bad actors tend to prioritize stealth over target acquisition,” says Matthew Barnett, Managing Consultant at BTB Security. “That means that it’s more profitable for them to stay hidden for as long as possible than it is to exfiltrate as much data as possible, as fast as possible.”

Let’s take stolen credit card information as an example. If a cybercriminal is able to exfiltrate the entire contents of a large database of customer payment details, but this activity is detected, the credit card issuer will be notified and the affected accounts locked, rendering the information worthless. If, in contrast, the cybercriminal can withdraw the data slowly, little by little, while retaining access to the network for an extended period of time, its contents will be worth much more. Threat actors thus are strongly motivated to conceal all evidence of their actions for as long as they can.

Given that cybercriminals will draw upon all their expertise and sophistication when it comes to hiding their presence in your network, is it possible that your business’s IT systems have already been compromised and you just don’t know it yet? Are there signs to look out for? And what protections should you put in place?

We recommend exercising care and vigilance, and following industry best practices, which include maintaining logs, auditing them regularly, and implementing ongoing security monitoring. A majority of breaches begin with the compromise of an individual user account through a phishing attack or socially engineered scam, so anything you can do to safeguard your employees will protect the organization as a whole. With that in mind, we offer the following tips:

Tip #1: Keep an eye on your email inbox.

Because phishing and other email-based attacks are so common, your email servers—and your employees’ mailboxes—are likely to serve as a point of entry for attackers.

Email management applications allow users to set rules that determine how the contents of the inbox will be treated or can set them automatically on your behalf. This enables the program to automatically mark messages as “spam” and delete them. But it’s also possible to configure these rules in more complex and nefarious ways. A hacker could, for instance, set a rule that automatically opens a command prompt, establishes a connection to a remote server, and then deletes the message containing these instructions—giving them access to your network whenever they want it.

Ever notice email messages that behave oddly, arriving only to delete themselves a few seconds later? This is a warning sign, says Barnett. “People tend to write these things off as tech glitches, instead of paying attention to small indicators like disappearing email messages or system slowdowns. And the hackers take advantage of this tendency.”

Tip #2: Beware of employees “working” at odd hours.

Today’s cybercriminals are highly skilled professionals, often working in office settings or under the auspices of government-sponsored espionage programs. They try to time their activities so as to give them the greatest chances of success.

“People tend to imagine that a hacker is a teenage kid in a hoodie, drinking Mountain Dew and playing video games on a second monitor late into the night,” says Barnett. “That stereotype is no longer true.” Typically, attackers make the initial attempt to gain access during working hours, since that’s when an employee is most likely to click on a phishing email or follow a malicious link. Once it’s time to exploit that access, though, they’ll switch to the middle of the night. That’s when they’re better able to explore the environment furtively. They’ll always look for ways to do so without creating an audit trail.

Tip #3: It’s not only accounts with administrative privileges that carry risk.

In many organizations, accounts with elevated privileges are subject to additional monitoring or more frequent auditing. “An attacker who truly prioritizes stealth will avoid using privileged accounts,” says Barnett. “Instead, they’ll choose the least privileged user to target—because this is often the easiest way in. Then they can sit back and watch the organization to figure out their next steps.”

Whether they work in sales, marketing, or other non-technical roles, it’s often the employees who think of themselves as “small fish” that pose the greatest risk. At the same time, members of the IT team have a great deal of power within the organization’s IT environment, including the ability to erase logs, reset passwords, disable monitoring, or change configuration settings. It makes sense to look out for credentialed workers who feel overworked, underpaid, or simply disgruntled.

Safeguards and best practices

In reality, it’ll never be possible to stop every attack. That’s why a “Defense in Depth” strategy, one involving multiple layers of protection and control across the entire organization, is key. You need to establish enough individual defenses that malicious activities will be detected even if one safeguard fails. This is the rationale behind supplementing a firewall with antivirus software and an endpoint monitoring solution to protect end user devices. “The idea is that if you set up enough tripwires, your odds of catching an attacker greatly increases,” says Barnett.

Every organization should consider putting ongoing security monitoring in place as well. If the company is large enough to have a security department, this can be performed in-house. If not, the job can be outsourced to a Managed Detection and Response (MDR) provider whose services can improve your visibility and speed detection and response times cost effectively.

Want to explore how MDR services can give your organization an edge in the war against cybercrime? Contact us to learn more about our Rapid Advanced Detection and Response (RADAR) modular platform and services today.

 

 

Related Posts