Some time back, I blogged about the true intent of a distributed denial of service (DDoS) attack. In that post I discussed that the true intent of a DDoS attack is usually to create a distraction, forcing the IT staff to focus on the outage while data is exfiltrated by criminals who have already established a presence in the business. While sophisticated criminals are good at covering their tracks, many data breaches do leave behind clues.
While some business owners or managers may not possess the technical expertise to check for these clues themselves, the following suggestions can serve as a checklist for the IT staff to work through and report back on for further discussion and review.
- Have systems such as file servers containing sensitive data gone down or rebooted for unexplained reasons? Many Windows systems are set to update automatically, and while updates do occasionally require a reboot, any reboot or shutdown should be examined carefully to determine its cause and to ensure that it was not the result of unauthorized activity.
- What about services? Check the service start, stop and configuration-change activity in the logs to see whether a service was started, stopped or altered. Some malware installs itself as a service on a Windows system, and other malware alters or disables existing services.
- Also look for unexplained changes in the Windows registry. Added services will alter the registry and some malware will tamper with the registry entries for existing applications.
- There are many ways of tracking geographical access and even very basic WordPress reporting can track views and logins by geography. If a business primarily operates in a limited geographic area, and all customers are within that area, logins from other countries and geographies where the business has no customers should be suspect and may be an indicator of a breach.
- Have files been changed in the system directory or have new files appeared? Compare the file names and dates in the Windows system directory for clues.
- If outbound traffic is tracked, has there been an increase in outbound activity for a server or system containing sensitive business data? Keep in mind that a criminal is likely to try to cover their tracks, so they will often attempt to exfiltrate data during business hours, when the extra traffic blends in with normal activity and avoids suspicion. Look for unexpected and unexplained spikes in outbound activity, particularly during business hours.
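To show how the IT staff might work through the reboot, service and outbound-traffic items above, here is an added example (not part of the original post) that scans a constructed CSV export of a Windows System event log for the event IDs those items correspond to, and flags hours of outbound traffic well above the day's median. The log lines, host name, service names and traffic figures are made up; the event IDs are the standard Windows System-log IDs.

```python
import csv
import io
import statistics

# Constructed sample: a CSV export of the Windows System log
# (TimeCreated, Id, Provider, Message). Event IDs are real; the host,
# service names, paths and timestamps are invented for illustration.
SYSTEM_LOG_CSV = """TimeCreated,Id,Provider,Message
2024-03-04 02:13:05,6008,EventLog,The previous system shutdown at 2:05:11 AM on 3/4/2024 was unexpected.
2024-03-04 02:15:40,7045,Service Control Manager,A service was installed in the system. Service Name: UpdaterSvc Service File Name: C:\\Windows\\Temp\\upd.exe
2024-03-04 02:16:02,7040,Service Control Manager,The start type of the Windows Defender Antivirus Service service was changed from auto start to disabled.
2024-03-04 09:00:12,7036,Service Control Manager,The Print Spooler service entered the running state.
2024-03-04 12:30:00,1074,User32,The process wininit.exe has initiated the restart of computer FS01 on behalf of user NT AUTHORITY\\SYSTEM for the following reason: Operating System: Upgrade (Planned)
"""

# Checklist items from the post mapped to the System-log event IDs that record them.
INDICATORS = {
    6008: "unexpected shutdown or reboot (no clean shutdown recorded)",
    1074: "reboot or shutdown initiated by a process or user; verify it was planned",
    7045: "new service installed; verify the binary path and who installed it",
    7040: "service start type changed (e.g. a protective service set to disabled)",
    7036: "service entered the running or stopped state",
}

def review_system_log(csv_text):
    """Return (event_id, time, why_it_matters, message) for each checklist hit, in log order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["Id"])
        if event_id in INDICATORS:
            hits.append((event_id, row["TimeCreated"], INDICATORS[event_id], row["Message"]))
    return hits

# Constructed sample: megabytes sent by the file server per hour during business hours.
OUTBOUND_MB = {
    "2024-03-04 09:00": 120, "2024-03-04 10:00": 140, "2024-03-04 11:00": 130,
    "2024-03-04 12:00": 125, "2024-03-04 13:00": 1400, "2024-03-04 14:00": 135,
}

def outbound_spikes(hourly_mb, factor=3.0):
    """Flag hours whose outbound volume exceeds `factor` times the median hour."""
    baseline = statistics.median(hourly_mb.values())
    return [hour for hour, mb in sorted(hourly_mb.items()) if mb > factor * baseline]

if __name__ == "__main__":
    for event_id, when, why, message in review_system_log(SYSTEM_LOG_CSV):
        print(f"{when}  {event_id}  {why}\n    {message}")
    print("Outbound spikes:", outbound_spikes(OUTBOUND_MB))
```

A real review would run the same logic against `Get-WinEvent` or Event Viewer exports and the firewall's per-host byte counts; the point is that each checklist item maps to a concrete, queryable record.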
Determining whether a system has been breached is not always an easy task and often requires forensic skills beyond the capabilities of most IT staff and small businesses. Looking for some of these indicators helps the decision process around incurring the cost of bringing in a forensics expert versus continuing to accept the risk when a breach is suspected. Often, correlating several items, such as experiencing a DDoS along with one or more of the above examples, will make a strong case that a system has been breached. At that point it makes business sense to spend the money to hire an expert to investigate further.