As a cyber-security company, we get asked many times: “How do I know if my company is breached” and the obvious follow up question, “What should I do”?
We turned to the obvious person to answer this, Elad Shapira, Panorays Head of Research.
Elad is a well-known figure in the security field. He leads and trains many “white-hat hackers." Earlier this year, Elad held back-to-back hacking trainings at Microsoft’s BlueHat event.
Always Be On Guard
It’s important to recognize that even if there are no signs for compromise it does not mean the company was not hacked or compromised. Often times, the breach may have gone unnoticed, not raising any security flags, or the IT staff may lack the awareness, and skills to recognize a breach.
My experienced, proven advice? Always look for the unusual.
Attacks can originate from different vectors. For example:
- Internal threats such as employee that are about to leave the company
- External threats such as a website that is hacked to deface the site, or as a stepping stone to enter the organization
- Threats at a third party. For instance, a supplier that holds sensitive and confidential data and has access to the company’s network
- Social Networks such as spewing malicious tweets under the company’s name thus tarnishing the company brand, or even impersonating a company’s employee.
The point is that each threat needs to be dealt with their own mitigation steps.
Tell-Tale Signs You’ve Been Hacked
Some less obvious signs that you’ve been hacked include the following as listed below. Each of these on their own is not a sure piece of evidence, but certainly requires further investigation. Especially, if some of these signs come together.
Signs on Personal Devices
- Your computer runs abnormally slow
- You receive fake antivirus or security solution messages
- You are locked out of your computer and there are ransomware messages on your computers
- Your friends or colleagues receive suspicious messages and e-mails supposedly coming from you
- Software programs you’ve never heard of begin installing themselves and appearing on your computer without your consent
- There are random computer shutdowns and restarts, and you discover devices that are running even after you turned them off
- Although there is a patching or upgrading mechanism, your software or computer is not updated
- Employees receive and increasing amount of pop ups on their browser, or have browser add-ons that they are not familiar with.
- You’re being redirected to websites other than the ones you intended to navigate to, including redirects of your internet searches
- In case of mobile: you notice inexplicable data usage increase
Signs from Your Organizational Network
- Users complain that they are locked out of their own accounts. This would indicate that either someone else has been trying to log into their account which caused the system to lockout the account, or that the threat actor has already changed their account password.
- Your company has unexplained financial transactions or your employees are receiving calls from stores about non-payment of shipped goods
- You notice critical file changes, unexpected file activity or unusual log-in patterns.
- There is an abnormally large amount of data and files that have been copied or downloaded from your data repositories such as certain drives, servers, Cloud storage, etc. This is particularly a recurring theme with departing employees.
- There are many network requests to certain organizational assets. This could indicate that a Distributed Denial of Service (DDOS) attack is under way.
- There is a sudden burst of new phishing websites impersonating your company. This may indicate that a malicious individual is running a campaign against your company.
- Your company’s website is defaced. For example, malicious links are added to your website or your home page was changed to display something other than your company.
Signs You Receive from Your Security Mechanisms
- Security flags are set off in your deployed honeypot solution, IDS/IPS and other similar deception or detection solutions
- You find emails or company details employees on hacker forums, Darkweb, Pastebin, etc.
- Security solutions or mitigation mechanisms are suddenly disabled for no apparent reason.
Signs You May Not Have Noticed – But Should
- Suspicious log activity. In particular, multiple errors taking place in a short period within the database logs.
- Suspicious inbound and outbound network connections. For instance, sudden peaks in traffic may indicate exfiltration attempts. At other times, an outbound connection might erratically send out signals to an unknown site. The latter was the case in the OPM breach where the malware was pinging a similarly-named domain as OPM, but was not a domain belonging to OPM.
- Inconsistent admin-level tasks (e.g., user account creation). For example, in order for malware to install itself and propagate itself within the network, it will typically create a new account. Furthermore, to go under the detection radar of security products, the malware will work to gain higher privileges under that account. A company should monitor activities that enable the creation of privileged accounts as well as unfamiliar or unrecognized account names. These may indicate that there's unusual behavior or that inner systems were breached.
- Modified code in any software development. In this case, a malware or attacker is targeting the code repositories of software companies. How does infection happen? An attacker adds malicious or spy code to the company’s products or software. Once the malicious code becomes part of the product, it is propagated to other companies and users, thus infecting them. In addition, a company may become infected through a third party software component that they integrate with. In order to minimize risk, companies need to map their code libraries and products to verify that they are using the latest safe versions. Companies using third party software need to consider these third parties as an additional risk factor introduced to their company.
- Strange characters that appear in the DB (might be tries for an SQL injection attack). For instance the format of a SQL Injection attack has unique characters within it, so a database record containing free text such as a Name or Address should not contain these characters.
- Servers or computers running unknown processes (though note that the list is not limited only to these). If a service begins to run without the user actively requesting it, it may indicate an infected program. Another indicator would be some strange process name that is not part of the operating system and is not identified as belonging to a legitimate software running on the machine.
What Can You Do to Avoid Being Hacked (and Detect if You Are)?
Having these following policies and processes in place will pay off big dividends in improving and maintaining a solid security posture:
- Define and implement security policies, such as a password policy which requires having complex passwords and updating them, not re-using them, on a regular basis.
- Know your network. For example what assets do you have under your domains, which users can connect to which asset. Track the relationship between your users, activities and the various security systems as well as have appropriate tools, policies, and procedures for monitoring assets on a regular basis.
- Consistently monitor your network and devices for unusual traffic, behavior, or other suspicious activities, per the above “Tell-Tale Signs” list
- Create a security policy for your third parties, and use an automated tool that monitors the third parties and ensures the enforcement of that policy.
- Logs must be reviewed on a regular basis, including the activities of administrative users
- Utilize scanners. Many scanners are free and open-sourced, while others cost money. Take what works for you, but you should have scanners running the gamut such as malware scanners, source code scanners, or remote scanners in order to detect anomalies.
- Ensure you have backups and the ability to restore the backups
- Verify what has been done on version controls
- Harden server and applications
- Pen test your own infrastructure twice a year
- Include a dedicated security team with a CISO in charge, and a technical leader to implement the policies and procedures and you can turn to in time of need.