Seven signs your company has been hacked

One way of finding out your company has been hacked is by reading it in the news. Thankfully there are signs that could indicate an attack is happening now, giving you the chance to stop it. Crazy traffic spikes, weird emails and flashing lights might be the clues an organisation needs to prevent a security incident becoming a PR crisis.

Here are seven signs that your company could be under attack.

1. No, that emailed attachment wasn't from your boss


The soft underbelly of any organisation is the trust colleagues have for one another, which attackers exploit to burrow deeper into the target, for example by sending fraudulent emails to reach the person they want.

"If someone compromises the boss's laptop and sends an attachment from their email account, the likelihood of getting compromised is close to 100 per cent," says Yogi Chandiramani, director of security engineering at FireEye.

Oddly for a computer incident, this indicator will more likely surface around the water-cooler — when the penny drops that no one requested a meeting via email — than through computer logs.

"The human factor is much more difficult to deal with,"
says Chandiramani.

2. Abnormal activity on privileged user accounts


Attackers from inside or outside the company hunt for accounts with higher privileges.

"Abnormal behaviour includes unusual times of user activity, attempts to edit log files or event sources, and access to critical data outside of standard business hours," said Ian Yip, security specialist at NetiQ.

To know what's abnormal though, the company must know what's normal. And that's often overlooked for higher ranked personnel.

"Many organizations trust privileged users," notes Yip.

3. Failed log-in attempts — retailers beware


A new wave of malware from Eastern Europe is stealing credit card details from retail point of sale (PoS) systems. US retailer Target knows this, having recently lost details of more than 70 million customer credit cards this way.

PoS systems are often networked to Windows PCs. A sign PoS systems are under attack is a surge in failed log-in attempts to PCs equipped with Microsoft's Remote Desktop Protocol (RDP), says Andrey Komarov, CEO of IntelCrawler.

"There will be lots of security events related to 'Failed logon' in Event Viewer. Through network logs it will be also possible to understand that they were done from the same location," says Komarov.

NetIQ's Yip agrees. "A high number of log-in failures at any time of the day warrants concern."

4. Whacky Internet Control Message Protocol (ICMP) traffic.


Why find the backdoor when you can slip out the front door in disguise?

ICMP is a protocol used on the internet to send things like error messages between network devices such as routers. The messages are small and infrequent, so fatter ICMP packets could mean an attempt to squirrel data out of the organization.

"If you see a steady stream of fat ICMP with weird data attached, it may be someone exfiltrating data over a channel not normally considered for data transport, or an ICMP-based botnet control protocol,"
says Tod Beardsley, Metasploit Engineering Manager at Rapid7.

5. Your webcam light flickers on briefly


Hackers are known to have used a PC's webcam to take a pound of flesh from victims in the home, but the same trick can be used in an enterprise or political environment.

If you're writing an email and the webcam light suddenly turns on, there's a chance someone's staking out the company, says FireEye's Chandiramani.

"That means the attackers most probably are trying to understand where your workstation is, who are certain individuals, and the processes that are in the office."

This makes more sense if the ultimate goal is to become a fly on the wall in a private meeting.

6. Strange large files appear on the network.


Unlike the webcam, there's no light on a PC indicating its microphone has been activated, yet it’s an equally effective spy tool.

"If you're in the boardroom you can identify that through the webcam, shut that off, then start the microphone. There's no way you can know your microphone is recording the conversation because there's no screen indicator, it's not noisy,
" says Chandiramani.

The indicator here might be an unusual transfer of file data. "If you're recording a long conversation, that's not as easily compressible."

7. Sudden spikes in outbound DNS traffic


To prevent staff from surfing porn at work, many companies already keep an eye on outbound "DNS" traffic, the bits that connect domain names with number-based addresses on the internet.

A surge in outbound DNS traffic is a "near certain" sign the network has been co-opted into a criminal network of infected machines known as a botnets.

"Botnets often use DNS names to locate command and control servers and lots of peer-level bots, so many botnets today make a tonne of noise on outbound DNS," Rapid7's Beardsley says.

The Age.com