A ransom note demanding a heavy sum to get your encrypted files back is actually the last step of a hacker’s attack. How do you tell when a hacker is already in your system, plotting to take it over and release malware or encrypt your data?
There are in fact several early indicators that can help you spot whether a cyber thief is already there, silently waiting for his grand entrance.
Attackers typically spend weeks or longer researching and investigating a network for weaknesses, so there is plenty of opportunity to catch them in the act. One of the most common points of entry for an attacker to worm their way into a corporate network is RDP: Remote Desktop Protocol.
RDP links allow employees to access company files and information while working remotely (which has drastically increased, becoming the new normal); however, if they are left open to the internet they pose a serious security risk. Jared Phipps, VP at SentinelOne, suggests: “Look at your environment and understand what your RDP exposure is, and make sure you have two-factor authentication on those links or have them behind a VPN.”
To ensure there is no one lurking behind an open RDP, businesses should consistently scan their internet-facing systems for open RDP ports.
Additional warning signs could include “unexpected software tools appearing on the network”: legitimate admin tools that might be overlooked by someone who is unaware of their company’s usual operating software.
One of these unexpected software tools to look out for is “a network scanner, especially on a server.”
With access to even one PC, a bad actor is able to thumb through the company network and determine what is accessible. Scanning the network is the easiest way for them to find out, so if a scanner “such as AngryIP or Advanced Port Scanner” is found and doesn’t belong to the security team, there’s a problem.
Other tools that raise a red flag are those that disable anti-virus software. With admin rights, hackers will do their best to disable network security, using applications “created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter.”
These are legitimate commercial tools, but “in the wrong hands, security teams and admins need to question why they have suddenly appeared.”
Another piece of software that should be immediately investigated is Mimikatz. It is one of the most commonly used hacking tools for stealing passwords and credentials, and has no business residing anywhere on your company’s network. Microsoft Process Explorer is commonly used to dump memory from a system, which hackers then feed to Mimikatz to obtain full lists of usernames and passwords.
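The checks described above can be turned into a simple triage rule over process-creation logs. The script below is an added example, not code from the original post or from DarkHound: it takes constructed Sysmon-style events, flags the tools the post names, and grades each hit by who ran it (a security-team allowlist, assumed here) and whether it ran on a server. The field names, the executable name fragments and the `SECURITY_TEAM` accounts are assumptions for illustration.

```python
"""Triage process-creation events for the tools named in the post above.

Added example, not the post's own code. EVENTS are constructed to resemble
Sysmon Event ID 1 fields; the watchlist fragments and SECURITY_TEAM are assumed.
"""
import re
from typing import Optional

# Tools the post names, grouped by what their presence suggests.
# Values are lowercase fragments of the executable's file name (assumed).
WATCHLIST = {
    "network_scanner": ["ipscan", "advanced_ip_scanner", "advanced_port_scanner"],
    "defence_tampering": ["processhacker", "iobituninstaller", "gmer", "pchunter"],
    "credential_theft": ["mimikatz", "procexp"],  # Process Explorer per the post
}
# Accounts expected to run such tools (assumed; fill from your own records).
SECURITY_TEAM = {"CORP\\secops.scan", "CORP\\secops.ir"}

EVENTS = [  # constructed sample events, not real telemetry
    {"host": "FS01", "role": "server", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\Advanced_Port_Scanner.exe"},
    {"host": "WS-117", "role": "workstation", "user": "CORP\\secops.scan",
     "image": "C:\\Tools\\ipscan.exe"},
    {"host": "DC01", "role": "server", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\Temp\\mimikatz.exe"},
    {"host": "WS-042", "role": "workstation", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"host": "WS-042", "role": "workstation", "user": "CORP\\asmith",
     "image": "C:\\Users\\asmith\\Desktop\\ProcessHacker.exe"},
]

def classify(image_path: str) -> Optional[str]:
    """Return the watchlist category for an executable path, or None."""
    base = image_path.rsplit("\\", 1)[-1].lower()
    name = re.sub(r"[\s\-]", "_", base)  # "Advanced Port Scanner" -> "advanced_port_scanner"
    for category, fragments in WATCHLIST.items():
        if any(frag in name for frag in fragments):
            return category
    return None

def triage(events):
    """Grade each watchlisted execution: review / investigate / alert."""
    findings = []
    for ev in events:
        category = classify(ev["image"])
        if category is None:
            continue
        if ev["user"] in SECURITY_TEAM:
            verdict = "review"        # expected tooling, still worth logging
        elif category == "credential_theft" or ev["role"] == "server":
            verdict = "alert"         # Mimikatz anywhere, or a scanner on a server
        else:
            verdict = "investigate"   # unexplained tool on a workstation
        findings.append({"host": ev["host"], "user": ev["user"],
                         "category": category, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['verdict']:<11} {f['host']:<7} {f['user']:<18} {f['category']}")
```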
These are dead giveaways that something is suspicious, but if any pattern of behavior seems abnormal it could be an indication that something malicious is going on behind the scenes.
Employing a security team that is well-established in the industry and has years of experience, to ensure there is nothing lurking in the shadows of your network, is also highly recommended. Give DarkHound a call today at (714) 266-3790 or [email protected].
-Emmy Seigler
Image Source: https://www.canva.com/design/DAEFWP5J0dQ/qjiZICKNFuf_sJ3HwkMkSQ/edit?category=tACFajEYUAM