Seven signs your business is being hacked
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 22 Jan 2014 16:59:32 -0700
One way of finding out your company has been hacked is by reading it in the
news. Thankfully there are signs that could indicate an attack is happening
now, giving you the chance to stop it. Crazy traffic spikes, weird emails
and flashing lights might be the clues an organisation needs to prevent a
security incident becoming a PR crisis.
Here are seven signs that your company could be under attack.
1. NO, THAT EMAILED ATTACHMENT WASN’T FROM YOUR BOSS
The soft underbelly of any organisation is the trust colleagues have for
one another, which attackers exploit to burrow deeper into the target, for
example by sending fraudulent emails to reach the person they want.
“If someone compromises the boss’s laptop and sends an attachment from
their email account, the likelihood of getting compromised is close to 100
per cent,” says Yogi Chandiramani, director of security engineering at
Oddly for a computer incident, this indicator will more likely surface
around the water-cooler — when the penny drops that no one requested a
meeting via email — than through computer logs.
“The human factor is much more difficult to deal with,” says Chandiramani.
2. ABNORMAL ACTIVITY ON PRIVILEGED USER ACCOUNTS
Attackers from inside or outside the company hunt for accounts with higher
“Abnormal behaviour includes unusual times of user activity, attempts to
edit log files or event sources, and access to critical data outside of
standard business hours,” said Ian Yip, security specialist at NetiQ.
To know what’s abnormal though, the company must know what’s normal. And
that’s often overlooked for higher ranked personnel.
“Many organisations trust privileged users,” notes Yip.
3. FAILED LOG-IN ATTEMPTS — RETAILERS BEWARE
A new wave of malware from Eastern Europe is stealing credit card details
from retail point of sale (PoS) systems. US retailer Target knows this,
having recently lost details of more than 70 million customer credit cards
PoS systems are often networked to Windows PCs. A sign PoS systems are
under attack is a surge in failed log-in attempts to PCs equipped with
Microsoft’s Remote Desktop Protocol (RDP), says Andrey Komarov, CEO of
“There will be lots of security events related to ‘Failed logon’ in Event
Viewer. Through network logs it will be also possible to understand that
they were done from the same location,” says Komarov.
NetIQ’s Yip agrees. “A high number of log-in failures at any time of the
day warrants concern.”
4. WHACKY INTERNET CONTROL MESSAGE PROTOCOL (ICMP) TRAFFIC
Why find the backdoor when you can slip out the front door in disguise?
ICMP is a protocol used on the internet to send things like error messages
between network devices such as routers. The messages are small and
infrequent, so fatter ICMP packets could mean an attempt to squirrel data
out of the organisation.
“If you see a steady stream of fat ICMP with weird data attached, it may be
someone exfiltrating data over a channel not normally considered for data
transport, or an ICMP-based botnet control protocol,” says Tod Beardsley,
Metasploit Engineering Manager at Rapid7.
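As an added illustration (not from the article, nor Rapid7's code), here is how a defender might score ICMP echo packets for the "fat" and "weird data" properties Beardsley describes: the packets are constructed inline, and the 128-byte size limit and 7-bits-per-byte entropy ceiling are assumed thresholds, not values from the article.

```python
import math
import random
import struct
from collections import Counter

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload, icmp_type=8):
    """Constructed ICMP echo packet: 8-byte header + payload, checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(raw):
    """Split a raw ICMP packet into fields; a valid checksum sums to zero over the packet."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": raw[8:], "checksum_ok": icmp_checksum(raw) == 0}

def entropy_bits(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def icmp_indicators(raw, max_payload=128, max_entropy=7.0):
    """Reasons a packet looks like an ICMP covert channel (thresholds are assumptions)."""
    pkt = parse_icmp(raw)
    reasons = []
    if pkt["type"] not in (0, 8):
        reasons.append("non-echo type %d" % pkt["type"])
    if len(pkt["payload"]) > max_payload:
        reasons.append("fat payload: %d bytes" % len(pkt["payload"]))
    if pkt["payload"] and entropy_bits(pkt["payload"]) > max_entropy:
        reasons.append("high-entropy payload")
    if not pkt["checksum_ok"]:
        reasons.append("bad checksum")
    return reasons

# Constructed samples: an ordinary 56-byte ping-style payload vs a 1400-byte random-looking blob.
NORMAL_PING = build_echo(0x1234, 1, bytes(range(0x10, 0x10 + 56)))
rng = random.Random(1)
FAT_PING = build_echo(0x1234, 2, bytes(rng.getrandbits(8) for _ in range(1400)))
```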
5. YOUR WEBCAM LIGHT FLICKERS ON BRIEFLY
Hackers are known to have used a PC’s webcam to take a pound of flesh from
victims in the home, but the same trick can be used in an enterprise or
If you’re writing an email and the webcam light suddenly turns on, there’s
a chance someone’s staking out the company, says FireEye’s Chandiramani.
“That means the attackers most probably are trying to understand where your
workstation is, who are certain individuals, and the processes that are in
This makes more sense if the ultimate goal is to become a fly on the wall
in a private meeting.
6. STRANGE LARGE FILES APPEAR ON THE NETWORK
Unlike the webcam, there’s no light on a PC indicating its microphone has
been activated, yet it’s an equally effective spy tool.
“If you’re in the boardroom you can identify that through the webcam, shut
that off, then start the microphone. There’s no way you can know your
microphone is recording the conversation because there’s no screen
indicator, it’s not noisy,” says Chandiramani.
The indicator here might be an unusual transfer of file data. “If you’re
recording a long conversation, that’s not as easily compressible.”
7. SUDDEN SPIKES IN OUTBOUND DNS TRAFFIC
To prevent staff from surfing porn at work, many companies already keep an
eye on outbound “DNS” traffic, the bits that connect domain names with
number-based addresses on the internet.
A surge in outbound DNS traffic is a “near certain” sign the network has
been co-opted into a criminal network of infected machines known as a
“Botnets often use DNS names to locate command and control servers and lots
of peer-level bots, so many botnets today make a tonne of noise on outbound
DNS,” Rapid7’s Beardsley says.
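Signs 3 and 7 describe the same shape of indicator: a burst of events from one source far above its usual rate. This added example (not from the article or any of the quoted vendors) applies one window-count detector to constructed failed-logon lines keyed by source address, as Komarov suggests, and to constructed outbound DNS query events keyed by client; the log format, addresses, window size and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

EPOCH = datetime(1970, 1, 1)  # naive epoch so bucketing is independent of local timezone
# Constructed log lines (not from the article): "<ISO time> <source IP> <detail>".
FAILED_LOGONS = """\
2014-01-22T02:01:10 10.8.4.31 Failed logon user=admin
2014-01-22T02:01:12 10.8.4.31 Failed logon user=administrator
2014-01-22T02:01:15 10.8.4.31 Failed logon user=pos1
2014-01-22T02:01:20 10.8.4.31 Failed logon user=pos2
2014-01-22T02:01:27 10.8.4.31 Failed logon user=pos3
2014-01-22T09:15:00 10.8.4.77 Failed logon user=alice
2014-01-22T09:15:30 10.8.4.77 Failed logon user=alice
"""

def parse_events(text):
    """Turn the constructed log lines into (timestamp, key) pairs."""
    events = []
    for line in text.strip().splitlines():
        ts, key, _detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), key))
    return events

def constructed_dns_events():
    """Constructed outbound DNS log: client .20 sends 2 queries/min for 10 minutes, then
    60 in the 11th minute; client .21 sends a steady 3 queries/min throughout."""
    start = datetime(2014, 1, 22, 10, 0, 0)
    events = []
    for minute in range(11):
        t0 = start + timedelta(minutes=minute)
        n20 = 60 if minute == 10 else 2
        events += [(t0 + timedelta(seconds=i), "10.8.4.20") for i in range(n20)]
        events += [(t0 + timedelta(seconds=15 * i), "10.8.4.21") for i in range(3)]
    return events

def find_surges(events, window_s, min_count, ratio):
    """Return {key: peak count} for keys whose busiest window holds at least min_count
    events and at least ratio times that key's average count over its other windows."""
    per_key = defaultdict(lambda: defaultdict(int))
    for ts, key in events:
        per_key[key][int((ts - EPOCH).total_seconds()) // window_s] += 1
    surges = {}
    for key, buckets in per_key.items():
        peak_bucket, peak = max(buckets.items(), key=lambda kv: kv[1])
        others = [n for b, n in buckets.items() if b != peak_bucket]
        baseline = max(mean(others), 1.0) if others else 1.0  # quiet keys: floor of 1
        if peak >= min_count and peak >= ratio * baseline:
            surges[key] = peak
    return surges
```

Running `find_surges(parse_events(FAILED_LOGONS), 60, 5, 3)` flags only 10.8.4.31, and `find_surges(constructed_dns_events(), 60, 20, 5)` flags only 10.8.4.20; the steady talkers stay below threshold.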
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)