It's every business owner's nightmare: you walk into the office one morning only to discover everything is down. Your computer network has been hacked and the attackers have taken over everything. If only you had known the signs a few days ago, you could have put a stop to it! But what are the signs?
While the nature of every computer breach is different, there are often tell-tale signs days, weeks, even months beforehand which can alert you to the possibility of an attack and help thwart it before an attacker can do any damage. Today, we'll go over a few of the most common things to watch out for.
1. Watch for stolen credentials
The most common way attackers gain entry into an environment is through stolen credentials. Almost every major cyber attack over the last 5 years has ultimately started with a simple stolen credential. It doesn't even have to be yourself or any high-level employee. Even supposedly "low-level" employees can have their credentials stolen, and those accounts can then be leveraged to reach higher-privileged ones.
As a result, it's imperative to keep tabs on any security incident involving credentials, whether it concerns the secretary who answers phones or a top-level employee. While there are technological ways to help monitor accounts for potential breaches, the best way is to build a culture of self-reporting in the event someone gets tricked or messes up. Many incidents go unreported by employees who know they've made a mistake, simply because they are worried about losing their jobs. Ensuring employees are comfortable with notifying IT when they suspect they've lost control of an account can do far more than even the best credential monitoring services out there.
2. Performance issues
Another possible tell-tale sign of a potential breach is performance issues within your environment. Some attacks, such as ransomware, will try to run processes quietly in the background to do things like encrypt your files before erasing the usable originals and springing its ugly surprise. These processes consume processing power and disk bandwidth, which can cause noticeable differences in system and network performance. If you notice a sudden slowdown in the performance of your system(s), this can be a sign of nefarious activity going on behind the scenes which should be investigated further.
3. Log monitoring
This solution is a bit more technical but can really save your bacon. Monitoring your systems' log files for anomalous behavior can be another early-warning indicator of an attacker trying, and/or succeeding, at breaching your systems. Log entries which "don't belong" among everyday activities provide an excellent way not only to detect unauthorized activity, but also to locate weaknesses which need to be addressed, whether on PCs and servers or in the network itself.
Unfortunately, monitoring logs from more than one or two computers is a monumental task, as the number of entries is enormous. Fortunately, with advances in technology, specifically AI, most IT support companies worth their salt have automated ways of doing this, alerting when strange or abnormal activity is detected. Some systems are even able to monitor select cloud-based services like O365, which allows an even more complete monitoring picture.
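To make the idea of entries that "don't belong" concrete, here is a small added example (not code from the original post) that reads constructed sshd-style login lines, builds a baseline of normal user/source pairs from a quiet day, and then flags the kinds of anomalies a monitoring service alerts on: a burst of failed logins from one address, a successful login from a source never seen for that user, a login outside business hours, and a success that follows a failed-login burst. The log lines, hostnames, usernames, addresses and thresholds are all made up for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH/syslog style; not taken from any real system.
# Mar 10 is a normal working day; Mar 11 contains the suspicious activity.
SAMPLE_LOG = """\
Mar 10 08:02:11 fileserver sshd[2231]: Accepted password for alice from 10.0.0.15 port 51022 ssh2
Mar 10 08:05:40 fileserver sshd[2240]: Accepted password for bob from 10.0.0.22 port 51110 ssh2
Mar 10 12:14:03 fileserver sshd[2302]: Accepted password for alice from 10.0.0.15 port 51300 ssh2
Mar 10 17:31:55 fileserver sshd[2410]: Accepted password for bob from 10.0.0.22 port 51402 ssh2
Mar 11 02:47:10 fileserver sshd[3001]: Failed password for bob from 203.0.113.45 port 40001 ssh2
Mar 11 02:47:12 fileserver sshd[3001]: Failed password for bob from 203.0.113.45 port 40001 ssh2
Mar 11 02:47:15 fileserver sshd[3002]: Failed password for bob from 203.0.113.45 port 40002 ssh2
Mar 11 02:47:19 fileserver sshd[3002]: Failed password for bob from 203.0.113.45 port 40002 ssh2
Mar 11 02:47:22 fileserver sshd[3003]: Failed password for bob from 203.0.113.45 port 40003 ssh2
Mar 11 02:47:30 fileserver sshd[3004]: Accepted password for bob from 203.0.113.45 port 40004 ssh2
Mar 11 02:48:01 fileserver sshd[3010]: Accepted password for admin from 203.0.113.45 port 40005 ssh2
"""

# Matches the standard "Accepted/Failed password for USER from IP" sshd message.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text):
    """Turn raw sshd lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "day": int(m["day"]),
            "hour": int(m["time"][:2]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def build_baseline(events):
    """Known-good (user, source IP) pairs, learned from successful logins in a quiet period."""
    return {(e["user"], e["ip"]) for e in events if e["ok"]}


def detect(events, baseline, business_hours=(7, 19), fail_threshold=5):
    """Flag entries that 'don't belong' against the baseline and a few simple policy rules."""
    alerts = []
    # Rule 1: many failed logins from one address (password guessing pattern).
    failures = Counter(e["ip"] for e in events if not e["ok"])
    for ip, n in failures.items():
        if n >= fail_threshold:
            alerts.append({"kind": "failed_login_burst", "ip": ip, "count": n})
    start, end = business_hours
    for e in events:
        if not e["ok"]:
            continue
        # Rule 2: a user logging in from a source never seen for them before.
        if (e["user"], e["ip"]) not in baseline:
            alerts.append({"kind": "new_source", "user": e["user"], "ip": e["ip"]})
        # Rule 3: a successful login outside business hours.
        if not start <= e["hour"] < end:
            alerts.append({"kind": "off_hours_login", "user": e["user"], "ip": e["ip"]})
        # Rule 4: a success right after a failed-login burst suggests the guessing worked.
        if failures[e["ip"]] >= fail_threshold:
            alerts.append({"kind": "success_after_failures", "user": e["user"], "ip": e["ip"]})
    return alerts


def run(log_text=SAMPLE_LOG, baseline_day=10):
    """Learn the baseline from one day and check every other day against it."""
    events = parse(log_text)
    baseline = build_baseline(e for e in events if e["day"] == baseline_day)
    return detect([e for e in events if e["day"] != baseline_day], baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run against the sample, every alert points at the same outside address, which is exactly the kind of correlated picture that makes a handful of log lines worth a phone call rather than a shrug. Real deployments learn the baseline over weeks rather than a day and feed many hosts into the same rules, but the logic is the same.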
4. Strange software installed
It sounds obvious, but it's amazing how little attention people pay to the software installed on business devices at any given moment. Priority number one for any business device should be to have only the software installed which is required for the business to operate. Yet time and time again we see not only software which is severely out of date and riddled with holes, but worse, development kits which can run compiled code and aren't even used in production (looking at you, Java).
Most of the time these programs are installed by employees for troubleshooting or to try out a new piece of software. However, they can also be installed or used by attackers to execute specific attacks on your systems. It's important to maintain a documented software list for the systems on your network and to conduct regular audits of your systems for software which shouldn't be there.
Permissions on systems should also be limited as much as possible to prevent employees from installing, and then forgetting about, software they "just wanted to try". That even includes business owners and C-levels, who are prime targets for attackers. Instead, a dedicated account/user/person should be assigned to software installation. This way they can keep track of what is installed where and effectively conduct audits when needed (and when they're not installing software, even they use a limited account).
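The "documented software list plus regular audit" routine above is easy to automate once the inventory exists. The following added example (not from the original post) compares a constructed CSV inventory export, of the kind a management tool or a simple logon script might produce, against an approved-software list that records the minimum acceptable version of each package. It reports anything not on the list and anything older than the list allows. Product names, hostnames and version numbers are invented for the illustration.

```python
import csv
import io

# Constructed approved-software list: package name -> minimum acceptable version.
# In practice this is the documented list the post recommends keeping.
APPROVED = {
    "Office Suite": "16.0",
    "PDF Reader": "23.1",
    "Endpoint Agent": "7.4.2",
    "Web Browser": "120.0",
}

# Constructed inventory export with one row per installed package per host.
INVENTORY_CSV = """\
host,package,version
ws-frontdesk,Office Suite,16.0.1
ws-frontdesk,PDF Reader,22.3
ws-frontdesk,Endpoint Agent,7.4.2
ws-frontdesk,Web Browser,121.2
ws-frontdesk,Java Development Kit,8.0.292
ws-accounting,Office Suite,16.0.1
ws-accounting,Endpoint Agent,7.3.0
ws-accounting,Remote Desktop Tool,5.1
"""


def parse_version(version):
    """Split '16.0.1' into (16, 0, 1) so versions compare numerically, not as strings.
    Non-numeric pieces (e.g. '1b') keep only their digits; missing pieces count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_inventory(csv_text):
    """Read the inventory export into (host, package, version) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["host"].strip(), row["package"].strip(), row["version"].strip())
            for row in reader]


def audit(inventory, approved):
    """Return packages that are not on the approved list or are older than allowed."""
    findings = {"unapproved": [], "outdated": []}
    for host, name, version in inventory:
        if name not in approved:
            findings["unapproved"].append((host, name, version))
        elif parse_version(version) < parse_version(approved[name]):
            findings["outdated"].append((host, name, version, approved[name]))
    return findings


def hosts_needing_attention(findings):
    """Hosts with at least one finding, so the audit can be worked host by host."""
    hosts = {f[0] for f in findings["unapproved"]} | {f[0] for f in findings["outdated"]}
    return sorted(hosts)


if __name__ == "__main__":
    result = audit(parse_inventory(INVENTORY_CSV), APPROVED)
    for host, name, version in result["unapproved"]:
        print(f"{host}: '{name}' {version} is not on the approved list")
    for host, name, version, minimum in result["outdated"]:
        print(f"{host}: '{name}' {version} is below the required {minimum}")
```

The approved list doubles as documentation of what should be where, so a clean audit is also evidence for anyone asking what runs on your devices. The version check is deliberately simple; it treats "8.0.292" as (8, 0, 292), which is enough to catch a stale install without pulling in a packaging library.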
Catching 'em in the act
The above ideas are just a few of the things you can do to catch early signs of a potential breach and, ideally, put a stop to it before it can do any damage. Of course, it's also important to have a response plan in place as a guideline for exactly what you need to do in the event something is found. All of this comes together as part of a comprehensive security plan for a modern business or organization. Don't let yourself get caught unprepared and unaware.