Most people don’t like to compromise; people dislike it even more when it jeopardizes our network. Below we highlight the 15 Indicators of Compromise on your network and perhaps even stop it before it becomes an incident.
You may not be able to keep people out of your network, but you can stop them from taking valuable data when they leave if you monitor your outbound traffic.
Are you alerted when a user does something they don’t normally do? It may not be against the rules, but if it’s out of the ordinary, it is worth investigating.
Is there traffic coming from areas where you don’t do business. Is there a spike in traffic or use from a specific geography that cannot be explained?
Has there been a spike in log-in failures? Are you seeing more successful log-ins than normal? This could be an indicator of network compromise.
A key indicator is the extraction of data results in large amounts of read volume. For example, when an attacker attempts to extract a full credit card database, it will automatically generate an enormous amount of read data – way higher than you would normally expect.
If you are seeing larger than normal numbers, this may be a sign of an extraction already in progress
If you’re receiving this type of inquiry, it could signal trial and error attempts to get to valuable data.
Masked DNS requests could use either well-known or obscure ports in an attempt to get around web filtering techniques
If you have a baseline you would be alerted to any deviations or changes. It’s a good best practice to define a clean template of your network and create alerts on deviations or changes to that baseline.
Where are the queries going and where are they being made from? What patterns are emerging and do they make sense in the context of your business?
Patches should not happen on their own. If the IT admin is not pushing it, who is?
These changes and adjustments could signal the creation of backdoors which limit security. The poisoning of mobile configuration can lead to the routing of data and credentials through fake applications. It’s important to monitor and correlate MDM logs in order to spot unusual mobile traffic patterns.
Is sensitive data suddenly sitting in a public space on your network? If so, something has gone wrong and needs to be investigated.
Are things happening that humans would not initiate? Are you suddenly seeing 20 browser windows opened to different sites on a single machine? Why and how would someone do that quickly?
While you are surely monitoring for DDoS – those attacks may not be the problem. Frequently DDoS attacks are used as a smokescreen for other attacks.
Feel free to contact E-SPIN for the solution for your system and operation to reduce risk of your businesses and organization. We can secure and protect your businesses with our various software security technology , include indicators of compromise technologies and solutions.
