How do you know that your network is being hacked?

Posted by Geraldine Hunt on Wed, Nov 18th, 2015

Without proper tools and processes, it is unlikely that you would ever know that your network is under attack. Let’s assume that you have hardened your network perimeter and implemented defense-in-depth. (See the Web and SpamTitan blog, “Why defense in depth is so important? Reduce the possibility of a successful hacking attack” (May  2015). That’s great, and it will screen out most “casual” attacker, but there is always the possibility of a break-in by a persistent actor.

Could it be a mistake?

Attack by outsiders is not the only reason that sensitive company information is made public or leaked to other parties. According to the 2015 Verizon Data Breach Report, an astounding 30% of data breaches occurred when sensitive information was sent to the incorrect recipients.

Make sure your web server is not a free buffet

Before even considering the treasure trove of information on your internal network, look at your web servers. If sensitive data is posted to a public server, how can it be protected? According to Verizon, this was the situation with 17% of data breaches involved.

Long ago and far away, one of the best ways of sharing information was an FTP server. Unfortunately, most FTP servers on the web are unsecured; anyone can access the contents. One World Labs (OWL), an enterprise security assessment and consulting firm, believes that FTP servers are one of the greatest risks to company and individual data integrity. If your company must use an FTP server, then make sure it is locked down with secure passwords.

Logins

Before gaining access, an attacker may try some passwords hoping to get lucky. Make sure that you implement user lockout after multiple failed attempts. This feature will screen some would-be attackers.Look for changes in access patterns by users. Possible signals of a break involve login during non-business hours or spending more time logged in.

Attackers take their time so no red flag are raised

Let’s say that, despite your best efforts, a savvy attackers penetrates the perimeter of your network. Most feel no sense of urgency to “get in, get the goods, and get out”. They know that a flurry of atypical activity could lead to them being discovered. There is a lesson here. Sure you need to examine transmissions at the border, such as at the firewalls. But the attacker will spend most of his/her time inside the network. You could be missing the signs of a hack by ignoring internal network activity.

Traffic volumes can signal a hack but is only a benchmark

The system administrator (SA) should regularly create benchmarks for traffic volumes between departments as well as at the routers. These benchmarks show some type of cyclic pattern over time. For example, when budget documents are due, traffic to the accounting department jumps. Ditto during year-end close. Benchmarks can help uncover the anomalies that indicate attacker activity. An anomaly is something different to normal. It sounds obvious. But what is normal? That is the hard question for an SA. Consider the following situations:

• The amount of data transfer between the executive offices and the legal department increases exponentially.
• Port mapping is occurring from a PC in the IT services section.
• There is a spike in traffic between the accounting and the legal departments.

These scenarios sound fishy. However, they could represent normal traffic. Possible explanations, which would not be known to the SA, could be, respectively:

• There is a possible merger underway.
• The IT department is running low on IP addresses and is performing a port scan to find which PCs are in use. (NOTE: Port scans should never happen without the SA’s involvement, but …)
• The company is involved in an audit.

So, simply monitoring the volume of traffic is insufficient to determine if a hacker is in the mix or not.Still, an increase in large e-mail attachments or uploads might indicate a breach, especially taken together with other indicators. 

Types of hacker activity

The attacker doesn’t know your network, so you’ll see activity such as port scans and attempted escalations of privilege. These are not normal, and they should create system log entries, and preferably software alarms.

Often, software is downloaded to help wander around the network for goodies. This is a one reason that software downloads should be either not permitted or logged and alarmed. Contrary to popular opinion, most attackers do not download malware to a system if their goal is data theft. Of course, if their goal is to collect a ransom, then ransomware is installed if it is permitted by the network. One activity that almost invariably signals a breach is a DNS web-proxy request. This shows an effort to conceal the identity of the initiator.

Can we know for sure?

In many cases, there is no “smoking gun” that proves a data breach is underway. However, by piecing together the clues discussed above, you can be pretty sure whether an attack has succeeded or not. Sometimes you just take a step back and look at your network as a whole and approach your network as an outsider would. Take a look at our guide on how to cultivate a hacker mindset so you can start better protecting your network. 

Guide : Learning to think like a hacker to prevent attacks.