How to stop a data breach before it happens


By Don Jacob*
Thursday, 12 September, 2013



Cybersecurity breaches are keeping more IT leaders awake than ever before - but what if you could predict where and when they’ll occur? Almost every cybersecurity threat - including malware, DDoS and cyber-espionage - is preceded by early warning signs that any IT manager can look out for.

Seeing the signs

As the cost and sophistication of cybersecurity attacks increase, IT managers are finding themselves under growing pressure to tighten their defences. In SolarWinds’ recent Network Complexity survey, the Australian IT managers we interviewed cited security as the top core business operation driving network complexity today. By analysing their networks more rigorously, however, IT leaders can pick up on many of the tell-tale signs that typically precede a malicious attempt to gain or deny access.

It’s not just brute-force threats like DDoS and malware that exhibit these signs, however: almost all but the most sophisticated threats have their own early warning signatures which the canny IT manager can pick up on. And by monitoring the areas where these signatures usually present themselves, organisations can greatly reduce the incidence - and the subsequent cost to profits and market share - of successful breaches. In fact, businesses need to focus on pre-emptive measures rather than picking up the pieces after a breach; doing so will prove far more cost-effective for them in the long run.

Friend or foe?

The signs of an imminent attack are often blatant: a rapid increase in packet transfers and WAN traffic, for example, is often evidence that a DDoS attempt is underway. The high traffic is generated by bots sending requests to the service the DDoS is intended to bring down, and that increase is readily observable. But how do you differentiate between a simple performance issue and the beginnings of a malicious breach? IT leaders need to not only adopt the ‘think like a hacker’ mentality often proposed by cybersecurity experts, but also apply it to how hackers might go about crafting and executing their attacks.

In a DDoS attack, the hacker is likely to exploit security vulnerabilities to take control of your systems and use them to attack other systems in the network. A perfect example of this is sending out spam - flooding a website with more traffic than it can handle. In simple terms, the attack is distributed: the attacker uses multiple computers to launch the DoS attack.

Symptoms like slow network performance, a sudden spike in incoming spam and an inability to access certain websites suggest that your network may be under attack.

A DDoS attempt, for example, will usually involve a flood of bad or malformed packets, which are far more effective at crashing the protocol stack of a system than well-formed requests. So if you inspect the nature of the traffic in the spike, rather than just its volume, you can tell whether your network is experiencing peak demand or the first stages of an attempt to take your servers offline. In addition, malicious breaches will often trigger unusual activity across a whole range of network assets, not just a single indicator. In the case of a virus, the spike in traffic is more likely to traverse unused ports or come from invalid IP addresses, further raising suspicions about its legitimacy.

Just like in Minority Report, thorough surveillance is essential to stopping (cyber) crime before it happens. Monitoring, detection and alerting tools can not only pick up on breach warning signs, but also alert IT staff or even take automatic action when they’re detected.

Through the back door

What about more subtle threats - particularly the growing issue of cyberespionage and sabotage? While a comprehensive security information and event management (SIEM) tool may be enough to pick up on more obvious attacks, IT leaders also need to apply their own organisational intelligence to how they position their defences. Businesses should take a structured approach to how they store their data, which will in turn allow them to identify and track access to sensitive information with greater ease. They can also apply different levels of access control to different parts of the network, effectively locking the casual hacker out without having to resort to more obvious brute-force means. This is not only essential to maintaining network integrity, but is also a key element of compliance.

Most attacks are intended to get at financial data, and sometimes other business information, and can thus take the form of data theft attempts, SQL injection, spyware, phishing attempts, hacking and other kinds of malware.

A recent Verizon survey on data breaches broke down the victims by industry:

  • 37% - financial organisations
  • 24% - retail and restaurants
  • 20% - manufacturing, transportation and utilities
  • 20% - information and professional services

Regardless of industry, the hardest cybersecurity threats to detect are actually the ones which arise within the organisation, ranging from careless BYOD usage to malicious infiltration via USB sticks or other physical media. But even breaches from these sources exhibit certain patterns which can and should be tracked. Unusual access patterns or after-hours network activity can be a sign of corporate espionage or sabotage in progress - particularly if your system is logging higher-than-average login attempts on sensitive financial or R&D areas of the network. Such login attempts can be generated automatically in large quantities in a brute-force attack. And tracking LAN traffic can help pinpoint BYOD-introduced malware based on how it tries to reach other ports or network hosts, allowing IT teams, or even the system itself, to automatically contain the threat at its point of origin. By doing so, IT leaders can prevent data leaving the organisation even through offline means.
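The indicators discussed above - malformed packets, traffic on unused ports or from invalid source addresses, and after-hours bursts of failed logins on finance or R&D hosts - as a small triage script. This is an added example, not SolarWinds code; the served ports, sensitive host names, working hours, threshold and sample records are assumed placeholders.

```python
import ipaddress
from collections import Counter
from datetime import datetime
# Assumed site knowledge (placeholders, not from the article): the ports the WAN
# edge actually serves, the finance/R&D hosts to watch, and the working day.
SERVED_PORTS = {80, 443}
SENSITIVE_HOSTS = {"fin-db01", "rd-fs02"}
WORK_HOURS = range(8, 18)      # 08:00-17:59 is in-hours
LOGIN_THRESHOLD = 5            # failed logins per host per hour before alerting
# Source ranges that should never arrive from the internet side of the edge.
BOGON_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")]

def bogus_source(ip):
    return any(ipaddress.ip_address(ip) in net for net in BOGON_NETS)

def triage_flows(flows):
    """Flag edge flows (dicts: src, dst_port, malformed) that look like attack
    traffic rather than peak demand; returns a list of (index, reasons)."""
    findings = []
    for i, f in enumerate(flows):
        reasons = []
        if f["malformed"]:
            reasons.append("malformed packet")
        if f["dst_port"] not in SERVED_PORTS:
            reasons.append("unused port %d" % f["dst_port"])
        if bogus_source(f["src"]):
            reasons.append("invalid source %s" % f["src"])
        if reasons:
            findings.append((i, reasons))
    return findings

def after_hours_login_bursts(events):
    """Count failed logins on sensitive hosts outside working hours, per host and
    hour, and return the buckets that reach LOGIN_THRESHOLD (brute-force sign)."""
    counts = Counter()
    for ts, _user, host, result in events:
        t = datetime.fromisoformat(ts)
        if host in SENSITIVE_HOSTS and result == "FAIL" and t.hour not in WORK_HOURS:
            counts[(host, t.strftime("%Y-%m-%d %H:00"))] += 1
    return {key: n for key, n in counts.items() if n >= LOGIN_THRESHOLD}

# Constructed sample records, so the module runs stand-alone.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst_port": 443, "malformed": False},  # ordinary peak-demand request
    {"src": "10.0.0.9", "dst_port": 443, "malformed": False},     # RFC1918 source at the WAN edge
    {"src": "198.51.100.4", "dst_port": 6667, "malformed": True}, # malformed, to a port we don't serve
]
SAMPLE_AUTH = [("2013-09-12T23:0%d:00" % i, "svc_backup", "fin-db01", "FAIL") for i in range(6)]
SAMPLE_AUTH += [("2013-09-12T10:15:00", "alice", "fin-db01", "FAIL"),  # in hours: ignored
                ("2013-09-12T23:20:00", "bob", "web01", "FAIL")]       # not a sensitive host
```

Running `triage_flows(SAMPLE_FLOWS)` leaves the ordinary request alone and flags the other two, while `after_hours_login_bursts(SAMPLE_AUTH)` reports only the six-failure burst on fin-db01 at 23:00.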

Predictive analytics

For too long, businesses and IT leaders alike have assumed a reactive stance when it comes to cybersecurity. With a SIEM solution and a structured approach to monitoring, however, organisations can catch and stymie a wide range of threats before they even start to breach internal defences.

*Don Jacob is Head Geek at SolarWinds.
