In cybersecurity, half of the struggle is simply preventing a data breach or cyber attack on your enterprise. The other half is dealing with a hacker once they have infiltrated your enterprise’s network, as is sadly bound to happen one day. This can and often does involve closing the security hole that let the hacker in, removing their malicious presence from your servers, evaluating the damage, and alerting those affected by the breach.
A less-discussed but invaluable part of dealing with an infiltration is detecting that there is a threat on your network in the first place. Modern malware is designed to evade notice, hiding in rarely inspected corners of the environment or masquerading as legitimate processes and services. Not every hacker is “kind” enough to put up a notice the way a ransomware attack does. A SIEM or security analytics solution can help you detect a threat through data aggregation, data correlation, and threat analysis. But if your legacy solution isn’t up to the task, and your team is handling threat analysis manually, how can you tell if your enterprise has been hacked? What activity is sufficiently suspicious?
Here are some key indicators to look for to tell if your enterprise has been hacked.
Watch for Spearphishing Campaigns
Spearphishing is perhaps the most persistent and successful infiltration tactic hackers have at their disposal. After all, humans are hardwired to respect authority. If a message that appears to come from the CEO, written in their typical style and sent at a reasonable hour, asks for payment details or a wire transfer, most employees would hand it over without a thought. And that’s where hackers can get you.
Your IT security teams should be on the lookout for emails that originate outside the network but are dressed up to look internal: a forged internal sender that fails SPF or DMARC checks, a lookalike domain, or a Reply-To address that points somewhere other than the apparent sender. Block those emails’ sources where possible. Your employees should also be trained to confirm, over a separate channel, any email that asks for payment or credential information before handing over the data. If your enterprise seems to be receiving more spearphishing emails than usual, you may want to look at your network to see whether an unwanted presence has been conducting espionage on you.
Be on the Lookout for Suspicious User Activity
One way to tell if your enterprise has been hacked is to observe the behavior of your users. Users typically follow patterns in their behavior, including what they access, when they access it, and what they request permission to access in the course of their day-to-day jobs. This applies both to the average user and to the privileged account user.
Unusual user activities, including off-hours privileged logins, bursts of failed login attempts, and odd permissions requests, raise serious red flags about the security of your users’ credentials. Also, keep an eye out for employees whose credentials changed recently for no clear reason, especially when the change was made by another account: a hacker may have stolen their credentials and reset them to lock the real user out of the system, which often shows up as that user suddenly failing to log in.
Additionally, you should keep an eye out for suspicious new accounts and disable them if you can’t confirm their legitimacy. You can use the audit logs to reconstruct a timeline of the hack on your enterprise (everything done from the suspicious source address, in order), which can help you find the security hole.
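Those checks over a constructed audit log, as an added example (not the article’s own code). It assumes a simple key=value log format with UTC timestamps and treats 07:00 to 18:59 UTC as business hours; both are assumptions to adjust for your environment. The sample log tells the story from the paragraphs above: an administrator account logs in at 2 a.m. from an outside address, creates a new user, resets an employee’s password, and that employee then fails to log in the next morning.

```python
"""Hunt for suspicious user activity in authentication audit logs.

Added example. Assumptions: key=value audit lines with UTC timestamps
(constructed below), business hours of 07:00-18:59 UTC, and a burst of five
failed logins in ten minutes as the alerting threshold.
"""
from collections import defaultdict
from datetime import datetime, timezone

BUSINESS_HOURS = range(7, 19)            # assumption: 07:00-18:59 UTC is normal
FAIL_THRESHOLD, FAIL_WINDOW_S = 5, 600   # assumption: 5 failures in 10 minutes

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2020-04-06T09:05:10Z actor=jsmith action=login result=success src=10.0.1.20 priv=no
2020-04-06T17:30:00Z actor=admin_ops action=login result=success src=10.0.0.5 priv=yes
2020-04-07T02:13:44Z actor=admin_ops action=login result=success src=203.0.113.9 priv=yes
2020-04-07T02:15:02Z actor=admin_ops action=create_user target=svc_maint src=203.0.113.9 priv=yes
2020-04-07T02:16:30Z actor=admin_ops action=password_change target=jsmith src=203.0.113.9 priv=yes
2020-04-07T08:01:00Z actor=jsmith action=login result=failure src=10.0.1.20 priv=no
2020-04-07T08:01:40Z actor=jsmith action=login result=failure src=10.0.1.20 priv=no
2020-04-07T08:02:15Z actor=jsmith action=login result=failure src=10.0.1.20 priv=no
2020-04-07T08:03:05Z actor=jsmith action=login result=failure src=10.0.1.20 priv=no
2020-04-07T08:04:50Z actor=jsmith action=login result=failure src=10.0.1.20 priv=no
"""


def parse_event(line: str) -> dict:
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(text: str) -> list:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def detect(events: list) -> list:
    """Return (timestamp, rule, detail) for the user-activity red flags."""
    findings = []
    failures = defaultdict(list)   # actor -> recent failure timestamps
    reset_by_other = {}            # account -> when someone else changed its password
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, act, actor = ev["ts"], ev["action"], ev["actor"]
        if act == "login" and ev.get("result") == "success" and ev.get("priv") == "yes" \
                and t.hour not in BUSINESS_HOURS:
            findings.append((t, "off-hours-privileged-login", f"{actor} from {ev['src']}"))
        elif act == "create_user":
            findings.append((t, "new-account", f"{ev['target']} created by {actor}"))
        elif act == "password_change" and ev.get("target") != actor:
            reset_by_other[ev["target"]] = t
            findings.append((t, "credential-changed-by-other", f"{ev['target']} reset by {actor}"))
        elif act == "login" and ev.get("result") == "failure":
            window = failures[actor]
            window.append(t)
            window[:] = [x for x in window if (t - x).total_seconds() <= FAIL_WINDOW_S]
            if len(window) == FAIL_THRESHOLD:   # fires as the threshold is crossed
                rule = "failed-login-burst"
                # A burst right after someone else reset the password is the lockout pattern.
                if actor in reset_by_other and (t - reset_by_other[actor]).total_seconds() < 86400:
                    rule = "lockout-after-credential-reset"
                findings.append((t, rule, f"{actor}: {FAIL_THRESHOLD} failures in {FAIL_WINDOW_S}s"))
    return findings


def timeline(events: list, src: str) -> list:
    """Every action taken from one source address, oldest first."""
    return [(e["ts"].isoformat(), e["action"], e.get("target") or e["actor"])
            for e in sorted(events, key=lambda e: e["ts"]) if e["src"] == src]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t, rule, detail in detect(evs):
        print(t.isoformat(), rule, detail)
    print("timeline for 203.0.113.9:", timeline(evs, "203.0.113.9"))
```

The correlation in `detect` is the useful part: five failed logins on their own are often a user who forgot a password, but five failed logins a few hours after a different account reset that password are exactly the lockout the paragraph above warns about, and the `timeline` of the source address tells you what else that session did.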
Unusual Network Activity is the Clearest Sign of a Hack
In order to tell if your enterprise has been hacked, SIEM and security analytics solutions collect the disparate information from across the network and compare it against a baseline of normal activity. No hacker is H.G. Wells’s Invisible Man: every action on your network leaves some trace. If you are manually evaluating network activity for signs of an attack, here are some signs that someone unwelcome is on your servers:
- Sudden spikes in outbound traffic, especially to destinations the host has never talked to before (possible data exfiltration or command-and-control)
- Unusual files appearing on your network
- Unauthorized downloads or software installations
- Gaps, altered entries, or inconsistencies in system logs, especially around off-hours activity (attackers clear logs to cover their tracks)
- Internet searches or DNS lookups redirected to unexpected sites (a sign of browser or DNS hijacking)
- Frequent DoS attacks (these can be smokescreens for other data breaches)
- Webcam indicator lights turning on when the camera is not in use on employees’ endpoints (this might be a hacker keeping a literal eye on your enterprise)
- Rogue applications opening listening ports or persistent outbound connections from your network
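Two of the indicators above, outbound traffic spikes and rogue listening ports, checked against a baseline, as an added example that is not the article’s own code. The flow records and the `ss -tlnp` listing are constructed; in practice they would come from NetFlow or firewall logs and from an endpoint agent. The host names, the fourteen-day baseline, and the threshold of five median absolute deviations are assumptions.

```python
"""Spot outbound traffic spikes, new destinations, and unexpected listeners.

Added example. Assumptions: flow records as (day, host, dst_ip, dst_port,
bytes_out) with days 0-13 as baseline and day 14 under review; a threshold of
median + 5*MAD; and a known-good set of listening ports per host. All data
below is constructed.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed flows: ws-17 normally sends ~40 MB/day to one web service; on
# day 14 it also pushes 2.5 GB to an address it has never contacted before.
FLOWS = []
for _day in range(14):
    FLOWS.append((_day, "ws-17", "203.0.113.50", 443, 40_000_000 + (_day % 3) * 1_000_000))
    FLOWS.append((_day, "fs-01", "10.0.0.20", 445, 10_000_000))
FLOWS += [
    (14, "ws-17", "203.0.113.50", 443, 40_000_000),
    (14, "ws-17", "198.51.100.23", 4444, 2_500_000_000),   # the exfiltration
    (14, "fs-01", "10.0.0.20", 445, 10_000_000),
]

# Constructed `ss -tlnp` output from ws-17 and the ports it is known to serve.
BASELINE_PORTS = {("ws-17", 22), ("ws-17", 3389)}
CURRENT_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=901,fd=11))
LISTEN 0      5      0.0.0.0:4444        0.0.0.0:*         users:(("sh",pid=6621,fd=4))
"""


def daily_outbound(flows):
    totals = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    for day, host, _dst, _port, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def outbound_spikes(flows, review_day, k=5.0):
    """Hosts whose review-day volume exceeds median + k*MAD of their own baseline."""
    findings = []
    for host, per_day in daily_outbound(flows).items():
        base = [b for d, b in per_day.items() if d < review_day]
        today = per_day.get(review_day, 0)
        m = median(base)
        spread = median(abs(v - m) for v in base) or 0.01 * m   # flat baseline guard
        if today > m + k * spread:
            findings.append((host, today, m))
    return findings


def new_destinations(flows, review_day):
    """(host, dst, port) pairs seen on the review day but never in the baseline."""
    seen = defaultdict(set)
    for day, host, dst, port, _ in flows:
        if day < review_day:
            seen[host].add((dst, port))
    out = []
    for day, host, dst, port, _ in flows:
        if day == review_day and (dst, port) not in seen[host] and (host, dst, port) not in out:
            out.append((host, dst, port))
    return out


def new_listeners(host, ss_output, baseline):
    """(port, process) for LISTEN sockets not in the host's known-good set."""
    found = []
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if not cols or cols[0] != "LISTEN":
            continue
        port = int(cols[3].rsplit(":", 1)[1])
        proc = re.search(r'\("([^"]+)"', line)
        if (host, port) not in baseline:
            found.append((port, proc.group(1) if proc else "?"))
    return found


if __name__ == "__main__":
    print("spikes:", outbound_spikes(FLOWS, 14))
    print("new destinations:", new_destinations(FLOWS, 14))
    print("new listeners on ws-17:", new_listeners("ws-17", CURRENT_SS, BASELINE_PORTS))
```

The median-and-MAD baseline is deliberately robust: a single earlier exfiltration day in the baseline would inflate a mean-and-standard-deviation threshold enough to hide the next one. The three findings together (a volume spike, to a never-seen destination, from a host that just grew a shell listening on the same port) are far stronger evidence than any one of them alone.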
Preventative measures can include the tight regulation of downloads (watch for rogue programs bundled with freeware), careful monitoring of applications, and caution concerning email attachments. But as we’ve noted before, prevention can only protect you so far.
Above All, Respond Immediately To The Out-Of-Place
Financial information going to unexpected places? Mysterious orders stemming from your network? Unusual connections to your enterprise network? Employee applications or endpoints crashing at random times?
Yes, there can be perfectly mundane explanations for all of these suspicious activities. But assuming that everything in your enterprise’s IT environment is benign is absolutely the wrong course of action, regardless of your enterprise’s size. The overriding principle of how to tell if your enterprise has been hacked is this: if something looks wrong, take the time to investigate it to the best of your abilities.
This will be a hassle without a SIEM or security analytics solution (and it may be a good time to look into one). The effort can be a serious drain on your time and resources. Yet the alternative is unacceptable. You need to do whatever is necessary to keep your data and employees safe from digital threats.
By Ben Canner