Predicting attacks before they happen

We’ve written a few articles about what steps to take after your company has been breached and how to repair damages made by attacks, but it’s time to shift from defensive to offensive mode. It is natural for a company to want to work out what went wrong, acting reactively to chase the symptoms of an attack. There is a focus on the indicators of an attack and identifying the attackers, victims and damage, but this approach only addresses the problem after it has happened.

Changing the perspective

Our goal is to challenge you to predict and stop attacks before they’ve happened, by keeping an eye on the indicators of an attack: changes in system behavior, signs someone is probing for vulnerabilities and evidence that an attacker is acting as legitimate user. Predicting early warning signs will allow companies to contain and prevent suspicious activities before they can escalate into a full-blown attack resulting in a compromised system and data loss.

Only 24% of companies feel confident in their ability to detect an attack within minutes, and just under half said it would take days, weeks, or even months before they noticed suspicious behavior. Below we have highlighted a few common attack activities that successful organizations should be tracking in order to detect and prevent attacks before they even happen:

• Internal hosts communicating with known or corrupt destinations or foreign countries where the company is not doing business.
• Internal hosts communicating with external hosts using protocol or ports that are not standard.
• Publically accessible or demilitarized zone hosts communicating with internal hosts, allowing data to be ex-filtrated and assets to be accessed.
• Alerts that occur outside of standard business operating hours, signaling a compromised host.
• Network scans by internal hosts communicating with multiple hosts in a short time frame could reveal an attacker within the network. Perimeter network defenses, such as firewalls, are rarely configured to monitor traffic on the internal network, but could be used to effectively detect the early stages of such an attack.
• Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period.
• Repeated infections signal the presence of a rootkit or persistent compromise. If a system is cleaned and becomes re-infected within a short period of time, this could indicate an ongoing attack.
• A user account that tries to log in to multiple resources in a short period of time from different regions could be a sign that the user’s credentials have been compromised or that a user is causing trouble within the network.
• Users trying to cover their tracks or obscure their presence within your system
• Signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks.
• Changes in any of the following: local firewall configurations and local user accounts; listening ports, system services and drivers, startup tasks, and scheduled tasks; DNS servers or IP routings.

While the list is somewhat extensive, all of these can be early indicators of a compromised system. By focusing on the indicators of an attack, including changes in network traffic patterns or volumes or programmed access to systems used only by humans, companies can stay ahead of their attackers. With the ability to detect these indicators early on, organizations can respond to and learn from events, shifting themselves into a position of offense, rather than defense.