Identifying ‘key indicators of compromise’ crucial to data breach detection

Which is why organisations should do more to look out for “key indicators of compromise”. The first is odd endpoint activity: strange activity on employee endpoints, like smartphones, tablets and laptops. Logons are often the first step to gaining access to an endpoint with valuable data on it; anything more than two logins from that kind of person should be enough to alert you to a breach. The second is lateral movement: the process of jumping machines in an attempt to locate and access a system with valuable data, something that’s necessary for most attacks because a hacker’s initial foothold is often a low-level workstation with no access rights to anything of significant value. Authentication (read: logons) can point to indicators of a breach. Location is also an important factor: valuable data normally accessed by endpoints within the network should be monitored for access by endpoints that are either external to the network or on the perimeter. The last indicator of compromise is access to an abnormal amount of data. It’s difficult for an attacker to cause damage to your organisation unless they are able to compromise a set of employee credentials. By monitoring logon activity more closely, you can identify compromises before key actions, such as lateral movement and data access, take place.
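The three logon-centred indicators above (a user touching an unusual number of machines, valuable data reached from outside the network, and an abnormal volume of data read) can be checked mechanically over authentication and file-access records. The script below is an added example, not from the original article; the event tuples, the internal address ranges, the set of "valuable" hosts and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events, one per logon/file access: (user, host, source IP, bytes read).
# These are made up for the example and are not real logs.
EVENTS = [
    ("alice", "WS-01", "10.0.1.15", 120_000),
    ("alice", "WS-01", "10.0.1.15", 90_000),
    ("bob",   "WS-07", "10.0.2.40", 50_000),
    ("bob",   "FS-01", "10.0.2.40", 80_000),
    ("bob",   "DB-02", "10.0.2.40", 1_500_000),
    ("bob",   "HR-01", "10.0.2.40", 2_000_000),
    ("carol", "FS-01", "203.0.113.9", 400_000),
]

# Assumed network layout: anything outside these ranges is external or on the perimeter.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed list of systems holding valuable data.
VALUABLE_HOSTS = {"FS-01", "DB-02", "HR-01"}


def is_internal(ip):
    """True when the source address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_indicators(events, max_hosts=2, max_bytes=1_000_000):
    """Map each user to the sorted list of indicators their activity triggers.

    max_hosts and max_bytes are illustrative thresholds; a real deployment
    would derive them from each user's historical baseline.
    """
    hosts = defaultdict(set)      # distinct machines each user logged on to
    total = defaultdict(int)      # bytes read per user
    external = set()              # users reaching valuable data from outside
    for user, host, src_ip, nbytes in events:
        hosts[user].add(host)
        total[user] += nbytes
        if host in VALUABLE_HOSTS and not is_internal(src_ip):
            external.add(user)
    findings = defaultdict(list)
    for user in hosts:
        if len(hosts[user]) > max_hosts:          # hopping between machines
            findings[user].append("lateral_movement")
        if user in external:                      # wrong location for this data
            findings[user].append("external_access_to_valuable_data")
        if total[user] > max_bytes:               # abnormal amount of data
            findings[user].append("abnormal_data_volume")
    return {u: sorted(f) for u, f in findings.items()}


if __name__ == "__main__":
    for user, flags in find_indicators(EVENTS).items():
        print(user, ", ".join(flags))
```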

Traditional cybersecurity protection, like anti-virus tools, perimeter defences or firewalls, is virtually powerless to defend against today’s tech-savvy cybercriminals, who now use the legitimate but compromised credentials of an employee within an organisation to gain access to sensitive data.

Such is the popularity of using compromised credentials that 81% of data breaches now involve them, according to Verizon’s Data Breach Investigations Report (DBIR) 2017. The sheer volume of attacks of this nature is worrying to organisations, whose security setup is unlikely to flag any malicious behaviour because access has come from a legitimate login.

Organisations have no choice therefore but to do more to find out exactly who is on the network at any given time, and what they’re doing. But monitoring networks, access and file activity manually is not a practical task for any IT team — no matter how many people you’ve got at your disposal.

Which is why organisations should do more to look out for “key indicators of compromise”. When cybercriminals are on your network, stealing your data, they leave behind clues to their existence — much in the same way a burglar in your home will leave behind clues as to how they got in and which rooms they’ve been in. But unlike common burglars, cybercriminals will do their best to cover up their tracks. However, there are a few things that they can’t cover up, which will indicate to you that you’ve got an intruder on your hands.

1. Odd endpoint activity

The first indicator is strange activity on employee endpoints, like smartphones, tablets and laptops. Because of their mobile nature, these are constantly accessible outside the perimeter and are targets for attack. They reach beyond the network to surf the web, and act as receptacles for inbound email (both of which give malware and ransomware delivered by phishing a means of entry).

Indicators of compromise on endpoints involve a deep-dive comparison of what’s normal for both the configuration and the activity of a given endpoint. One such indicator is rogue processes. Everything from malware to hacker tools can be seen as a ‘process’ that hasn’t run on an endpoint before. However, this isn’t always easy to spot, as some hackers live ‘off the land’ using existing commands, DLLs and executables, or use direct memory injection to avoid detection.

Another such indicator is persistence — the presence of tasks, auto-run registry settings, browser plugins, and…
