Treat Your Network As If It’s ALREADY Been Hacked

November 5th, 2015 by admin

Silhouette of Sherlock Holmes smoking a pipe and looking through a magnifying glass

Weak IT security generally revolves around the following theory: "We'll keep hackers out of our network—everything's okay until something bad happens."

But strong security operates from an assume breach mindset: The hackers have already infiltrated our network, probably for a while now—where and how do we find them?

Paranoid? Probably. But in today's ever-evolving threatscape, absolutely necessary.

Antivirus Software Will Never Be Enough

The ugly reality is that even the best antivirus programs will always lag a step behind those worldwide legions of malicious hackers who can often disguise the detectable "signature" of malware with a just few altered lines of code.

While antivirus vendors diligently try to update their products regularly with the latest virus signatures, a new version of malware can infect a network within hours of the last update. Or a virus can simply—and silently—disable those updates or completely shut down firewalls, allowing an attacker free reign over the entire network—unleashing even more trouble.

Hacking and Malware: Hidden Clues

A single virus-infected PC is usually easy to spot; the user can immediately see that something's wrong. But intrusive malware hidden inside a network can lay dormant for days or months before wreaking havoc. Have you experienced any of these network malware symptoms recently?

  • Your company bandwidth slows down during certain periods of the workday for no apparent reason. There may be something on the network that shouldn't be there—and combing through your sensitive data.
  • Your inbound network connections spike at odd overnight hours. Your users are probably home asleep at 3:00 a.m., but hackers on the other side of the globe are wide awake.
  • One or more workstations—or the entire network—make a lot of outbound connections that don't make sense. A firewall normally ensures your mail server exclusively handles STMP (email) traffic, while other network traffic is limited to your DNS servers. Seemingly "illogical" STMP/DNS connections—such as STMP connections to an unfamiliar IP address—signal the network may have been hacked. Your company data is in danger, or spam may be discreetly spewing from your hijacked email server.

Detective Work? Where to Begin

So if you treat your network as if its security has already been compromised, where do you look for the evidence? Start with establishing comprehensive audit logs to record telltale clues within your network, such as:

  • Abnormal incoming/outgoing network activity, focusing on unusual connections among workstations' TCP ports.
  • Suspicious network traffic at odd hours (when one cyberattack is detected, it establishes a timeframe for similar attempts).
  • The sudden appearance and locations of strange new files, including malicious rootkits.

Hacking and cyberattacks are no longer a question of if, but when. And you can't limit the damage until you know what to look for. For more ideas about cutting-edge network security, contact us.

Posted in: Cyber and Data Security