Hunting Hackers: Reducing the Time to Discovery

Research conducted by IBM and the Ponemon Institute shows the time to detect a data breach for businesses averages 280 days – a significant gap between the time a network is compromised and its discovery. The Codecov and SolarWinds are strong, loud proof points to the widespread damage possible if hackers achieve undetected, unfettered access to a company’s systems, networks and partners or customers.

But stealthily surveilling a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses. While the chances of being targeted for a long-term, covert surveillance operation by state-backed actors with deep pockets are slim for most small to mid-sized businesses, increasing reliance on third-party vendors means it’s possible for any business to fall victim. The 2021 Webroot BrightCloud Threat Report provides insight into which industries are more targeted than others, with the highest infection rates in 2020 belonging to Wholesale Trade (up 32.2%), Mining/Oil/Gas (up 32.0%), Manufacturing (up 25.9%) and Public Administration (up 25.0%).

Reducing the time to discovery is significant for businesses; it means less data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted and less reputational damage. Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.

Consider booby-trapping your network

As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses. Passive protection is good and necessary, to be sure, but network “booby traps,” sometimes called canary tokens, can help reduce the advantage held by hackers. 

These measures rely on the principal of an action being taken by an attacker that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react. This could include setting up a domain administrator account that is bound to look like a juicy target to a network intruder. It may be configured according to default settings or with a particularly weak password – some way that makes it easy for a determined hacker to access. Once inside, though, the intruder’s presence triggers alarms alerting IT staff that an attack is underway and even locking out the suspicious user.

Configure and pay close attention to failed login attempts

Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.

When configured properly, however, RDP and other password-protected tools should lock users out after a given number of incorrect attempts and alert an admin. This would force a user, legitimate or otherwise, to wait some predetermined time before attempting to login again. Reaching out to the locked-out user could then help determine if the credentials have been stolen or if it is a genuine case of “fat fingers.”

If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.

Monitor anomalous web traffic

Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when an IP address from Eastern Europe is suddenly trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.

That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once it is there it can automatically alert admins when it occurs. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.

Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource-intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.

Stay on guard against attacks

The best strategies for ensuring that cyberattacks are unsuccessful – or do not go unnoticed – involve a mix of active and passive defenses. But poor configurations can undermine both. There are steps to make sure defenses are not undermined by the same common tactics. 

Here are a few quick tips:

• Do not rely on the default configuration for RDP. Enforce 2FA and passwords time outs.
• Disable powerful tools like PowerShell, Office macros and WMI where not needed.
• Limit access rights on your internal network so that only those who need access have it.
• Strictly control access to the dev and QA processes if these take place within your organization.