Traditional security controls such as anti-virus tools, perimeter defences and firewalls offer little protection against today's attackers, who increasingly log in with the legitimate, compromised credentials of an employee and use that access to reach sensitive data.
Compromised credentials are now so common that, according to Verizon's 2017 Data Breach Investigations Report (DBIR), 81% of hacking-related breaches involved stolen or weak passwords. The volume of attacks of this kind worries organisations because their security tooling is unlikely to flag the activity: the access comes through a valid login and looks like ordinary use.
Organisations therefore have no choice but to find out who is on the network at any given time and what they are doing. But monitoring network, access and file activity by hand is not practical for any IT team, however many people it has.
This is why organisations should look for key indicators of compromise. When criminals are on your network stealing data they leave clues to their presence, much as a burglar leaves clues to how they got in and which rooms they visited. Unlike most burglars, network intruders will do their best to cover their tracks, but a few things cannot be hidden, and those are what tell you that you have an intruder on your hands.
1. Odd endpoint activity
The first is unusual activity on employee endpoints: smartphones, tablets and laptops. Being mobile, these devices spend much of their time outside the perimeter and are natural targets. They reach beyond the network to browse the web and they receive inbound email, which gives phishing-delivered malware and ransomware a way in.
Endpoint indicators of compromise come from comparing a device's current configuration and activity with what is normal for that device. One such indicator is rogue processes: malware and hacker tools alike show up as a process that has never run on the endpoint before. Spotting this is not always easy, because some attackers "live off the land", using commands, DLLs and executables already present on the system, or inject code directly into memory so that no new executable ever appears on disk.
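As an added illustration (not code from the original article or from any vendor it describes), the script below does the baseline comparison the paragraph describes and then adds the second check it implies is needed: a process that passes the baseline because it is a well-known Windows binary can still be flagged by how it is used. The baseline, the snapshot, the hashes and the heuristic rules are all constructed for the example; a real deployment would take the baseline from a clean inventory period and the snapshot from an EDR agent or a `tasklist`/`ps` scrape.

```python
"""Baseline-vs-snapshot process comparison with a living-off-the-land heuristic.

Constructed example data: every path, hash and command line here is made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One running process as an endpoint agent would report it."""
    name: str      # image name
    path: str      # full path of the executable
    sha256: str    # hash of the image on disk
    parent: str    # image name of the parent process
    cmdline: str   # command line as observed


# Constructed baseline: (lower-cased path, hash) pairs seen on this laptop
# during a known-clean period. Fake hashes, repeated hex pairs for readability.
BASELINE = frozenset({
    ("c:\\windows\\explorer.exe", "a1" * 32),
    ("c:\\windows\\system32\\svchost.exe", "b2" * 32),
    ("c:\\program files\\microsoft office\\winword.exe", "c3" * 32),
    ("c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", "d4" * 32),
    ("c:\\windows\\system32\\rundll32.exe", "e5" * 32),
})

# Constructed snapshot taken later the same day.
SNAPSHOT = [
    Proc("explorer.exe", "C:\\Windows\\explorer.exe", "a1" * 32,
         "userinit.exe", "explorer.exe"),
    Proc("winword.exe", "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "c3" * 32,
         "explorer.exe", "winword.exe invoice.docm"),
    # A binary that has never run here before: the classic rogue process.
    Proc("upd.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "ff" * 32,
         "winword.exe", "upd.exe /silent"),
    # Same hash as the baseline copy, so it passes the baseline check, but Word
    # launching PowerShell with an encoded command is living off the land.
    Proc("powershell.exe",
         "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "d4" * 32,
         "winword.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    # rundll32 with no DLL argument: a legitimate image on disk that is often
    # started only to have code injected into it.
    Proc("rundll32.exe", "C:\\Windows\\System32\\rundll32.exe", "e5" * 32,
         "svchost.exe", "rundll32.exe"),
]

# Heuristic rule sets; assumptions chosen for the example, not a complete list.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "certutil.exe", "wscript.exe", "cscript.exe"}


def _key(p: Proc) -> tuple:
    return (p.path.lower(), p.sha256.lower())


def rogue_processes(snapshot, baseline=BASELINE):
    """Processes whose (path, hash) pair this endpoint has never run before."""
    return [p for p in snapshot if _key(p) not in baseline]


def lolbin_findings(snapshot):
    """Baseline-passing system binaries used in ways that are abnormal for them.

    Returns (image name, reason) pairs; one process can yield several reasons.
    """
    findings = []
    for p in snapshot:
        name = p.name.lower()
        args = p.cmdline.lower()
        if name not in LOLBINS:
            continue
        if p.parent.lower() in OFFICE_APPS:
            findings.append((p.name, "spawned by an Office application"))
        if name == "powershell.exe" and "-enc" in args:
            findings.append((p.name, "encoded PowerShell command line"))
        if name == "rundll32.exe" and args.strip() == "rundll32.exe":
            findings.append((p.name, "rundll32 started with no DLL argument"))
    return findings


if __name__ == "__main__":
    for p in rogue_processes(SNAPSHOT):
        print(f"ROGUE   {p.name:<16} {p.path}  parent={p.parent}")
    for name, reason in lolbin_findings(SNAPSHOT):
        print(f"LOLBIN  {name:<16} {reason}")
```

The two checks are deliberately separate. The baseline catches anything new on disk but is blind to the attacker who only uses what is already there; the behavioural rules catch the reuse of trusted binaries but need a parent-child and command-line feed rather than a plain process list. Memory injection into a host such as `rundll32.exe` shows up, if at all, as a legitimate image with an odd launch context, which is why the third rule looks at the arguments rather than the hash.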
Another such indicator is persistence — the presence of tasks, auto-run registry settings, browser plugins, and…