Predicting attacks before they happen

September 8, 2015 by Secure360 and UMSA

[Image: screwdriver drilling into data. Copyright: 123rf/Paul Fleet]

We’ve written a few articles about what steps to take after your company has been breached and how to repair damages made by attacks, but it’s time to shift from defensive to offensive mode. It is natural for a company to want to work out what went wrong, acting reactively to chase the symptoms of an attack. There is a focus on the indicators of an attack and identifying the attackers, victims and damage, but this approach only addresses the problem after it has happened.

Changing the perspective

Our goal is to challenge you to predict and stop attacks before they’ve happened, by keeping an eye on the indicators of an attack: changes in system behavior, signs that someone is probing for vulnerabilities, and evidence that an attacker is acting as a legitimate user. Recognizing these early warning signs will allow companies to contain and prevent suspicious activities before they escalate into a full-blown attack resulting in a compromised system and data loss.

Only 24% of companies feel confident in their ability to detect an attack within minutes, and just under half said it would take days, weeks, or even months before they noticed suspicious behavior. Below we have highlighted a few common attack activities that successful organizations should be tracking in order to detect and prevent attacks before they even happen:

  • Internal hosts communicating with known-malicious or compromised destinations, or with foreign countries where the company is not doing business.
  • Internal hosts communicating with external hosts using non-standard protocols or ports.
  • Publicly accessible or demilitarized zone hosts communicating with internal hosts, allowing data to be exfiltrated and assets to be accessed.
  • Alerts that occur outside of standard business operating hours, signaling a compromised host.
  • Network scans by internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker within the network. Perimeter network defenses, such as firewalls, are rarely configured to monitor traffic on the internal network, but could be used to effectively detect the early stages of such an attack.
  • Multiple alarm events from a single host, or duplicate events across multiple machines in the same subnet, over a 24-hour period.
  • Repeated infections, which signal the presence of a rootkit or persistent compromise. If a system is cleaned and becomes re-infected within a short period of time, this could indicate an ongoing attack.
  • A user account that tries to log in to multiple resources in a short period of time from different regions, which could be a sign that the user’s credentials have been compromised or that a user is causing trouble within the network.
  • Users trying to cover their tracks or obscure their presence within your system.
  • Signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks.
  • Changes in any of the following: local firewall configurations and local user accounts; listening ports, system services and drivers, startup tasks, and scheduled tasks; DNS servers or IP routes.
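Two of the indicators above (internal hosts scanning many peers in a short window, and one account logging in from different regions within minutes) can be turned into simple detectors. The following is an added example, not code from the Secure360 post; the log formats, the 10.0.0.0/8 "internal" range, the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range

# Constructed connection log: (ISO timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2015-09-08T10:00:00", "10.0.1.5", "10.0.1.10", 445),
    ("2015-09-08T10:00:02", "10.0.1.5", "10.0.1.11", 445),
    ("2015-09-08T10:00:04", "10.0.1.5", "10.0.1.12", 445),
    ("2015-09-08T10:00:06", "10.0.1.5", "10.0.1.13", 445),
    ("2015-09-08T10:00:08", "10.0.1.5", "10.0.1.14", 445),
    ("2015-09-08T10:30:00", "10.0.1.7", "10.0.1.10", 445),   # benign single flow
]

# Constructed authentication log: (ISO timestamp, account, region)
LOGINS = [
    ("2015-09-08T09:00:00", "alice", "us-east"),
    ("2015-09-08T09:05:00", "alice", "eu-west"),   # 5 min later, other region
    ("2015-09-08T09:00:00", "bob", "us-east"),
    ("2015-09-08T13:00:00", "bob", "eu-west"),     # 4 h later: plausible travel
]

def detect_internal_scans(flows, window=timedelta(seconds=60), min_hosts=5):
    """Internal sources that contact >= min_hosts distinct hosts within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        if ipaddress.ip_address(src) in INTERNAL:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = set()
    for src, events in by_src.items():
        events.sort()                      # chronological order per source
        for i, (start, _) in enumerate(events):
            in_window = {dst for t, dst in events[i:] if t - start <= window}
            if len(in_window) >= min_hosts:
                flagged.add(src)
                break
    return flagged

def detect_multi_region_logins(logins, window=timedelta(minutes=30)):
    """Accounts seen in two different regions within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, region in logins:
        by_user[user].append((datetime.fromisoformat(ts), region))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for (t1, r1), (t2, r2) in zip(events, events[1:]):
            if r1 != r2 and t2 - t1 <= window:
                flagged.add(user)
    return flagged
```

In practice the thresholds need tuning per network (vulnerability scanners and monitoring hosts legitimately touch many peers), so allow-listing known scanners before alerting keeps the false-positive rate down.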

While the list is somewhat extensive, all of these can be early indicators of a compromised system. By focusing on the indicators of an attack, including changes in network traffic patterns or volumes or programmed access to systems used only by humans, companies can stay ahead of their attackers. With the ability to detect these indicators early on, organizations can respond to and learn from events, shifting themselves into a position of offense, rather than defense.

Filed Under: Business Continuity Management, Cybersecurity, Risk and Compliance

About Secure360 and UMSA

The Secure360 and UMSA team is made up of professionals in the security and risk management industries. Topics of expertise range from physical security, IT, risk management, cybersecurity, cloud, information security and records management.
