Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Five signs an attacker is already in your network

Kasey Cross, Senior Product Manager, LightCyber | June 17, 2016
And what you can do about it.

This vendor-written tech primer has been edited by Exeutive Networks Media to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

According to some estimates, attackers have infiltrated 96% of all networks, so you need to detect and stop them before they have time to escalate privileges, find valuable assets and steal data. 

The good news is an attack doesn’t end with an infection or a take-over of an endpoint; that is where it begins. From there an attack is highly active, and the attacker can be identified and stopped if you know how to find them. These five strategies will help.

* Search for the telltale signs of a breach.  Look for port scans, excessive failed log-ins and other types of reconnaissance as an attacker tries to map out your network.

An attacker will initially need to understand the topology of the network they have infiltrated. They will look for vulnerable end points and servers, and zero in on administrative users and valuable data stores.

Most intrusion detection tools can detect known port scanners. However, distinguishing between covert reconnaissance and legitimate scanning used in network broadcasts is more difficult. Let’s face it; most computers and applications are chatty. However, you can find the anomalies indicative of an attack if you’ve established how many ports and destinations the various devices on your network would usually access.

  • Data Source: network monitoring or management tools, NetFlow aggregation
  • Challenges: Attackers can go “low and slow” though, so you may need to do some time based analysis. Also, there can be a lot of chatty tools and protocols, so it takes a while to filter out the noise.

* Look for a “normal” user performing administrative tasks. Increasingly, attackers are using native tools on computers and servers, rather than known attack tools and malware, to avoid detection by anti-virus and EDR software. But, this is itself an anomaly that you can detect. Try to determine who your admins are. Directory services such as Active Directory can help you establish user roles and privileges within your organization. Then ascertain what tools your administrators use and what applications or devices they typically manage, such as an ERP database or an Intranet website. With that knowledge, you can spot when an attacker takes over a machine and starts performing administrative tasks in an unexpected manner.

  • Data Source: A combination of network information (network packets or NetFlow data) and directory services information gives are the best way to identify administrative behavior.
  • Challenge: Unfortunately, there isn’t a single source of information that will tell you exactly who your administrators are and what they assets they manage. However, just monitoring SSH and RPC usage from a course perspective can give you a good starting point. You’ll probably end up with a lot of false positives, but over time you can winnow down the list of approved admins, and from that have a baseline you can detect against.


1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.