Been caught stealing

In today’s infosec climate, many security professionals espouse the fatalistic belief that there are two types of companies: Companies that have been breached and those that don’t know it yet. It’s true that cyberspace is growing by the day, and as companies and individuals add more information to internet-accessible sources, the risk of compromise of that data grows in parallel. With this greater risk comes more responsibility.

The solution to the problem, though, is not to accept defeat. Security teams can effectively forestall many breaches—or at least halt them before they grow out of control—by following a few basic principles of information security. Budding security operations staff (and experienced practitioners who want a refresher) need only look for a few telltale signs that a breach might be brewing. These clues provide all the evidence a security practitioner needs to spring into incident response action.

I’ve been caught stealing

“One of the quirks of breach investigation,” offers Raef Meeuwisse, author of “Cybersecurity Exposed” and other titles, “is that organizations which have great security detection but lousy security protection often only succeed in proving that the breach was indeed the organization’s fault.” For those not wanting to rely on after-the-fact analysis, Meeuwisse recommends that security teams start with regular, proactive security assessments to identify—then remedy—system vulnerabilities, the most likely exploitation points.

Organizations, naturally, prefer to prevent breaches altogether, but the next best thing (and perhaps more realistic expectation in some cases) is identifying a breach before it metastasizes and lands the organization in hot water with clients, employees, regulators, banks, insurers, or a combination of all of the above.  

3Meeuwisse says security teams may already have necessary breach detection tools in place; they’re just not using them hyper effectively. He continues, “Items like log files, audit trails, data loss prevention software, privileged account access tracking, and network recordings” can supply evidence of a breach. As for what to look for, unusual patterns of transactions or usage are a good indication that something is amiss. The key to identifying unusual patterns is first having a baseline of normal activity. If your organization doesn’t keep records of what is typical when, that project should begin ASAP so that the team can track against the baseline data to easily spot unexpected spikes in activity or suspicious traffic from atypical geographic locations or through abnormal routes.

Once when I was five

Nick Selby, Managing Director of the Secure Ideas Incident Response Team, agrees. One big sign that an organization is dealing with a potential incident, he says, is an observation that “Your outbound DNS includes listings for lots of sites ‘without vowels’ – places or countries in which your organization doesn’t conduct business.” He adds that teams “should be regularly monitoring DNS logs for signs of command and control traffic from within the network,” a sure signal that someone is up to no good.

Along similar lines, Selby advises operations teams to pay particular attention to bandwidth consumption, but warns that attackers are savvy about data exfiltration; “Sophisticated operations aren’t trying to take freight trains of information from your network, but if you see unusual amounts of activity on your outbound link, check it out.” Of course, elevated activity to certain systems could also be an indication of planned business operations—expansion into a new geographic region, a targeted sales promotion—so understanding the business’s initiatives is of prime importance. Teams could spend hours chasing an anomaly in log files only to find that the organization has legitimately contracted a new partnership with a company in Singapore.

It’s just as simple as that

Asset inventory is an element of breach prevention many organizations neglect. Specifically, as it pertains to mobile devices, organizations may not have a handle on just how many—or what types of—devices are accessing the network and/or services regularly. However, every device that touches network resources poses a threat if it’s not properly configured or accounted for. “This is going to sound dumb,” says Selby, “but you should monitor the number of accounts and devices you have on your network.” He suggests companies run vulnerability scans (an out-of-date or unmanaged device is a vulnerability too!) and “audit Active Directory for accounts, matching them against known actual human beings who work in your organization. This is such valuable intelligence it can't be overlooked, which is precisely why most companies do. “

In addition to network monitoring, organizations with threat intelligence or hunt teams may be actively searching the Web for evidence of a breach or leak. Criminals like to share their booty, and so a search of Pastebin or dark Web forums could reveal some interesting tidbits about your company—stolen credentials, databases of sensitive information, or other proprietary intellectual property. Meeuwisse cautions organizations about jumping to conclusions about “evidence” of a breach; “Examining ‘stolen’ information can provide clues to its origins. If you find a full copy of your database [online], then a breach has obviously occurred. However, if you find a random selection of data that is not sequential and has no other pattern, it may well be that the data has been collated from other sources.” 

And I walk right through the door

In this day and age, security teams must allocate significant time and effort towards identifying intrusions and stopping attackers from accessing, removing, and/or distributing private data. Though one could argue that planning to find a breach is a pessimistic attitude, pretending like it can’t happen to your organization will most likely land you in the unemployment line. There are many security processes and tools that can help companies prevent breaches, though that discussion is beyond the scope of this post. Further, no system is impenetrable and, as the saying goes, security teams must defend the entire organization while adversaries need to find just one, small vulnerability. (Rapid) Breach identification is of critical importance, and teams that place a focus on security basics—monitoring, logging, baselining, auditing—will be steps ahead of the curve.