Spotting The Breach: What Are The Indicators Of Compromise?

ITSP Magazine, July 18, 2018, with comments by Shauntinez Jakab

Are businesses missing the signs of cyberattacks?

One of the biggest challenges businesses face today is knowing how to detect a breach when they’ve been breached versus finding out about it days, weeks, months or even years after the fact. The signs are not always obvious and are getting less so as attacks are getting increasingly stealthy as time goes by. One takeaway piece of information from a recent report from Accenture reveals as certain: if you think your business is safe from cyberattack, it isn’t, and you’re probably not even as secure as you might think. Many companies have allocated resources to being in compliance with regulations such as PCI-DSS and HIPAA and they may think (falsely) that this makes them secure. But preparedness in one area is not adequacy in the other.

According to Accenture, organizations are prepared themselves to defend against most targeted attacks (87%). The report also reveals that despite their security stance, companies are still encountering 2-3 security breaches every month. And the even scarier part is some attacks make it through because there are no defenses in place to stop them. In those cases, the door is wide open.

Phishing attacks continue to be highly successful

One especially interesting reveal from the report is that, despite many efforts and resources businesses have put into training and deterrents, 96% of all cyberattacks start with an phishing email that an employee is deceived by.

Alert systems can produce the haystack that needles hide in

Seventy one percent (71%) of organizations questioned by Accenture said that cyberattacks felt like a “bit of a black box” to them and they didn’t know how the attacks would affect their organization or when. Other data outside the report reveals companies expressing that they aren’t always certain how to spot an attack unless their security and monitoring systems alert them that something could be happening. Most companies do rely on security technology to sound the alarm if something seems amiss. But another challenge is alerts can go off relentlessly, including a multitude of false positives to overloaded staffs to check them out, as only checking them out can determine what’s false and what’s not. It’s an exhausting cycle many businesses are facing daily. Sometimes, the signs a breach has happened may come with the discovery that data is damaged, destroyed or stolen. But if the breach has happened slowly, an organization may miss the signs altogether.

The signs of cyberattack can appear seemingly mundane

Sometimes the signs appear to be typical malfunctions. As Shauntinez Jakab, director, product marketing at Virsec describes, “These days, malware or threatening methods are highly sophisticated, so don’t expect the system to be merely running sluggish all the time. Performance may only be affected when a certain function or app component is in use or at certain times of the day. So, understand how the system is running when certain tasks or operations are being performed and if they spawn additional processes. One banking exploit only surfaced when the system was being used and a specific service was activated.”

Jakab continues, "Unusual reboots can be an indication of compromise. Be sure to look for servers or desktops running unknown processes. Cold and warm boots could allow sensitive data to be read after supposedly having been deleted. Side-channel attacks are commonly used with cryptography to gather encryption keys on a cold boot, for example. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory content that remains readable in the seconds to minutes after power has been removed."

Jakab recommends that companies “review all warnings and errors generated to determine any unusual fault patterns or attempts. Faults often provide a wealth of information to an attacker about the security in place and the application infrastructure. Properly configured alerts can actually indicate that systems have been compromised and data is being exfiltrated by bad actors. Review logs and analyze the events across the system.”

Many security experts contributed to ITSP’s article.

Read full Spotting the Breach article for a list of specific cyberattack signs to look for.