10 Signs Your Business Has Been Breached
Bolstering Monitoring, Reducing Risk
Criminals leave what are called "indicators of compromise" when they establish a foothold on an infected system. Those indicators include the interaction, communication and other activity controlled by the remote attacker.
Businesses can learn to spot the warning signs and cut off an attacker before data is stolen, according to Trustwave. The company, which reviewed 691 breach investigations conducted in 2013, said many criminal groups use automated tools to conduct attacks. About 85 percent of the exploits targeted third-party plug-ins, including Java, Adobe Flash and Acrobat Reader.
Credit card theft remains high. However, the theft of financial credentials, internal communications, personally identifiable information and other customer records was on the rise and accounted for 45 percent of data thefts in 2013, according to the 2014 Trustwave Global Security Report.
Anomalous Account Activity
Once a criminal establishes a presence on a system, the next move typically is to elevate system privileges or move laterally to users with higher privileges. System monitoring can establish a baseline for the systems accessed regularly, along with information such as when files were accessed and altered, and which ones.
Trustwave said such suspicious activity should prompt an investigation, disabling of the affected accounts or removal of rogue accounts. Two-factor authentication and more-complex passwords can thwart an attacker or extend the time it takes a determined criminal to break into an account, increasing the chance the attack will be spotted.
Suspicious Outbound Activity
Network security pros should be trained in monitoring firewalls and intrusion-prevention and -detection systems to identify outbound activity to suspicious locations. Attackers also will use obscure ports to bypass security filtering mechanisms. The goal is to pass through network devices as legitimate traffic. The malicious traffic could signal a botnet infection and communication to a command-and-control server. Shutting down unnecessary ports can block malicious communication and help increase visibility, Trustwave said.
New, Suspicious Files Dropped
Suspicious files can be set to execute at a scheduled time, or to remain dormant while specific software is running or until a certain user activity takes place. Incident responders can create a forensic copy of the suspicious files for later analysis and then remove or isolate the files, Trustwave said.
Geographic Login Anomalies
One of the most common ways to spot a malicious attempt to gain remote access into systems is a login attempt from an unusual, remote location. The latest identity and access control software contains account monitoring features designed to take a snapshot or fingerprint of typical user login behavior. That information can be set to alert a system administrator or challenge users when unusual login attempts are spotted. Trustwave said admins can disable accounts until a thorough investigation can take place or remove remote access to systems.
Changes To Windows Registry
Malware can use the registry to discover many of the applications installed on the infected system. Malware that modifies registry entries can make itself appear legitimate to security systems. Unexplained registry changes should be investigated immediately. Systems can be wiped and rebuilt, and a forensic image should be taken for further analysis, Trustwave said.
Evidence Of Log Tampering
Attackers tamper with logs in an attempt to cover their tracks. A remote log server can be set up with restricted access for more-sensitive systems, while log system redundancy helps reduce an attacker's ability to tamper with logs, security experts say. Finally, a process called hash chaining provides added protection against tampering. Tampered logs could signal a serious problem and should be thoroughly investigated, Trustwave said.
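The hash chaining mentioned above, as an added example that is not from the article or from Trustwave: each log record's digest commits to the previous digest, so editing or deleting an earlier record breaks every later digest. The log lines are constructed samples; anchoring the final digest on the remote log server is what catches an attacker who recomputes the whole chain.

```python
import hashlib
import hmac

# Constructed sample log records (not real events) in the order they were written.
SAMPLE_EVENTS = [
    "2013-06-01T10:00:01Z sshd: accepted login for alice from 10.0.0.5",
    "2013-06-01T10:02:17Z sudo: alice ran /usr/bin/passwd bob",
    "2013-06-01T10:03:44Z sshd: accepted login for bob from 198.51.100.7",
]

GENESIS = b"\x00" * 32  # fixed starting value for the first record in the chain


def chain_logs(events, genesis=GENESIS):
    """Return (record, digest_hex) pairs with digest = SHA-256(prev_digest || record).

    Every entry therefore commits to all entries before it; changing, inserting or
    removing a record alters every digest that follows it.
    """
    prev = genesis
    chained = []
    for line in events:
        digest = hashlib.sha256(prev + line.encode("utf-8")).digest()
        chained.append((line, digest.hex()))
        prev = digest
    return chained


def verify_chain(chained, genesis=GENESIS):
    """Recompute the chain; return the index of the first record whose stored
    digest does not match, or None when the chain is internally consistent."""
    prev = genesis
    for index, (line, stored_hex) in enumerate(chained):
        expected = hashlib.sha256(prev + line.encode("utf-8")).digest()
        if not hmac.compare_digest(expected.hex(), stored_hex):
            return index
        prev = expected
    return None


def head_matches_anchor(chained, anchored_head_hex):
    """Compare the chain head with a copy anchored off-host (e.g. shipped to the
    remote log server). An attacker with local write access can rebuild a
    self-consistent chain, but cannot change the anchored copy of the head."""
    if not chained:
        return False
    return hmac.compare_digest(chained[-1][1], anchored_head_hex)
```

In practice the head digest is forwarded to the remote log server after each batch of records, and the local chain is checked against it during review.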
Antivirus Services Tampering
Malware often contains a component that can disable or corrupt antivirus software running on the infected system. Many enterprise-grade endpoint security suites contain tamper-resistant mechanisms, but attackers can still take advantage of feature and settings changes to disable scanning or weaken its efficacy. Incident responders should update and run antivirus scans and review the logs, Trustwave said.
Anomalous Services Activity
Malware also can start additional services on an infected system or can be programmed to pause or halt system services. A best practice is to ensure that only the ports, protocols and services associated with validated business processes are running on systems. Remove or deactivate anomalous services and the associated executables, Trustwave said.
Interruption Of Payment Processing
Point-of-sale system breaches are gaining attention following the Target breach. However, financially motivated cybercriminals are increasingly targeting e-commerce systems, according to Trustwave and other companies analyzing credit card breaches. Trustwave advises keeping services up to date, adding that administrators should immediately investigate a disrupted payment gateway, restore the gateway to its original configuration and verify that no code has been added to the shopping cart software.
Access To Web Admin Consoles
Unexplained access to website or Web application administration consoles should be thoroughly investigated. Criminals are breaking into Web admin consoles with automated tools that brute-force weak and default passwords. Increase password complexity and rotate passwords more frequently, Trustwave said.