Secure360

Predicting attacks before they happen

September 8, 2015 by Secure360 and UMSA


We’ve written a few articles about what steps to take after your company has been breached and how to repair the damage done by an attack, but it’s time to shift from reacting to attacks to anticipating them. It is natural for a company to want to work out what went wrong, chasing the symptoms of an attack after the fact. That investigation focuses on indicators of compromise: identifying the attackers, the victims and the damage. It is necessary work, but it only addresses the problem after it has happened.

Changing the perspective

Our goal is to challenge you to predict and stop attacks before they succeed, by keeping an eye on the indicators of an attack in progress: changes in system behavior, signs that someone is probing for vulnerabilities, and evidence that an attacker is acting as a legitimate user. Spotting these early warning signs lets a company contain suspicious activity before it escalates into a full-blown compromise and data loss.

Only 24% of companies feel confident in their ability to detect an attack within minutes, and just under half said it would take days, weeks, or even months before they noticed suspicious behavior. Below we have highlighted a few common attack activities that organizations should be tracking in order to detect an intrusion early and stop it before it succeeds:

  • Internal hosts communicating with known-malicious destinations, or with foreign countries where the company does no business.
  • Internal hosts communicating with external hosts over non-standard protocols or ports.
  • Publicly accessible or demilitarized-zone (DMZ) hosts initiating connections to internal hosts, which can allow data to be exfiltrated and internal assets to be reached.
  • Alerts that occur outside of standard business operating hours, which may signal a compromised host or an automated process rather than a user.
  • Network scans: an internal host contacting many other hosts in a short time frame can reveal an attacker already inside the network. Perimeter defenses such as firewalls are rarely configured to monitor internal traffic, but when they are, they can detect the early stages of such an attack effectively.
  • Multiple alarm events from a single host, or duplicate events across multiple machines in the same subnet, over a 24-hour period.
  • Repeated infections, which can signal a rootkit or other persistent compromise. If a system is cleaned and becomes re-infected within a short period, that points to an ongoing attack rather than a one-off.
  • A user account that logs in to multiple resources in a short period of time from different geographic regions, which could be a sign that the user’s credentials have been compromised or that an insider is misbehaving.
  • Users trying to cover their tracks or obscure their presence within your systems, for example by clearing or disabling logs.
  • Signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks.
  • Changes in any of the following: local firewall configurations and local user accounts; listening ports, system services and drivers, startup items and scheduled tasks; DNS servers or IP routes.
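
As an added example (not code from Secure360; the network ranges, port allow-list, thresholds and every log record are constructed assumptions), the following Python sweeps a handful of flow and login records for several of the indicators above: egress on non-standard ports, DMZ hosts reaching into the internal network, off-hours egress, an internal host touching many neighbors within a minute, and one account signing in from two regions within an hour. The thresholds are illustrative; in practice they come from a baseline of your own traffic.

```python
"""Added example: early-warning sweep over constructed flow and login records.
Not Secure360 code; ranges, ports, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]          # assumed corporate range
DMZ = ip_network("10.200.0.0/24")               # assumed DMZ, carved out of INTERNAL
STANDARD_PORTS = {22, 53, 80, 123, 443}         # assumed allowed egress ports
BUSINESS_HOURS = range(8, 18)                   # 08:00-17:59 local time
SCAN_DISTINCT_HOSTS, SCAN_WINDOW = 10, timedelta(minutes=1)
TRAVEL_WINDOW = timedelta(hours=1)


def t(s):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp from the sample records."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed flow records: (timestamp, src, dst, dst_port)
FLOWS = [
    (t("2015-09-08 10:02"), "10.1.1.5", "93.184.216.34", 443),   # normal egress
    (t("2015-09-08 10:05"), "10.1.1.5", "198.51.100.7", 4444),   # odd egress port
    (t("2015-09-08 02:15"), "10.1.1.9", "203.0.113.9", 443),     # off-hours egress
    (t("2015-09-08 10:10"), "10.200.0.3", "10.1.1.20", 445),     # DMZ -> internal
] + [(t("2015-09-08 10:20") + timedelta(seconds=i), "10.1.1.9", f"10.1.2.{i}", 445)
     for i in range(12)]                                          # internal sweep

# Constructed login records: (timestamp, user, region)
LOGINS = [
    (t("2015-09-08 09:00"), "alice", "US-MN"),
    (t("2015-09-08 09:30"), "alice", "SG"),      # second region 30 minutes later
    (t("2015-09-08 09:00"), "bob", "US-MN"),
    (t("2015-09-08 16:00"), "bob", "US-MN"),
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def nonstandard_egress(flows):
    """Internal -> external flows on ports outside the allow-list."""
    return [(s, d, p) for _, s, d, p in flows
            if is_internal(s) and not is_internal(d) and p not in STANDARD_PORTS]


def dmz_to_internal(flows):
    """DMZ hosts opening connections into the non-DMZ internal network."""
    return [(s, d, p) for _, s, d, p in flows
            if ip_address(s) in DMZ and is_internal(d) and ip_address(d) not in DMZ]


def off_hours_egress(flows):
    """Internal -> external flows outside business hours."""
    return [(ts, s, d) for ts, s, d, _ in flows
            if is_internal(s) and not is_internal(d) and ts.hour not in BUSINESS_HOURS]


def internal_scans(flows):
    """A source that reaches SCAN_DISTINCT_HOSTS internal hosts inside SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ts, s, d, _ in flows:
        if is_internal(s) and is_internal(d):
            by_src[s].append((ts, d))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for ts, d in events[i:] if ts - start <= SCAN_WINDOW}
            if len(targets) >= SCAN_DISTINCT_HOSTS:
                hits.append((src, len(targets)))
                break  # one alert per source is enough
    return hits


def impossible_travel(logins):
    """Same account seen from two regions within TRAVEL_WINDOW."""
    by_user = defaultdict(list)
    for ts, user, region in logins:
        by_user[user].append((ts, region))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, r1), (t2, r2) in zip(events, events[1:]):
            if r1 != r2 and t2 - t1 <= TRAVEL_WINDOW:
                hits.append((user, r1, r2))
    return hits


def run(flows=FLOWS, logins=LOGINS):
    """Apply every rule and return the matching records per rule."""
    return {
        "nonstandard_egress": nonstandard_egress(flows),
        "dmz_to_internal": dmz_to_internal(flows),
        "off_hours_egress": off_hours_egress(flows),
        "internal_scans": internal_scans(flows),
        "impossible_travel": impossible_travel(logins),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(f"{rule}: {hits}")
```

Each rule returns the matching records rather than printing them, so the rules can be checked against a known-good baseline before they are trusted with live data. In production the records would come from exported firewall or NetFlow logs and identity-provider sign-in logs, and STANDARD_PORTS, the scan window and the travel window would be tuned to what is normal for your own network.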

While the list is somewhat extensive, each of these can be an early indicator of a compromised system. By focusing on indicators of an attack in progress, including changes in network traffic patterns or volumes, or scripted access to systems that are normally used only by people, companies can stay ahead of their attackers. With the ability to detect these indicators early, organizations can respond to and learn from events, shifting from a reactive to a proactive posture.

Filed Under: Business Continuity Management, Cybersecurity, Risk and Compliance

About Secure360 and UMSA

The Secure360 and UMSA team is made up of professionals in the security and risk management industries. Topics of expertise range from physical security, IT, risk management, cybersecurity, cloud, information security and records management.
