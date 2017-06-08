How can I tell if I’ve been hacked?

Understanding the indicators of compromise

Intrusion detection systems and firewalls that detect and prevent network compromise are critical elements in any secure network environment. But let's get real: many organisations lack working backups and decent password controls, let alone dedicated defensive gear.

Most small to medium enterprises have limited investment in security. They also lack the capacity to maintain the security systems they do have: intrusion detection signatures and firewall rules need regular updates, log files need analysis, and policies need revising.

So, are you compromised and how would you know?

Human resources

When I have responded to cyber attacks, frequently it's the client and their staff who have noticed "something odd going on". Maybe they've noticed their Internet traffic increasing, a computer running slower than normal, or the light on a specific port of their Internet router flashing like crazy.

It's quite a testament to everyday users just how much they notice changes in their computer's behaviour. Unfortunately, it often takes too long to join the dots, by which time the damage is done.

Things behaving badly

Let's take a brief look at some 'everyday' indicators of compromise. I'm not talking about formal malware signatures or technical descriptions of file system detritus. More generally, we'll look at the anomalous behaviour of computers and networks under a few common attacks.

· General malicious software

General malware infections can exhibit a range of behaviours. An initial infection is often just a foothold, a prelude to the installation of ransomware, credential stealers, backdoors, botnet clients and much more.

Most malicious software arrives as an email attachment, or infects devices when a user visits a compromised or malicious website.

Emails carrying malicious attachments often have enticing subject lines. They are crafted to appeal to a wide audience and may even seem relevant to your business, e.g. "Hi, here's the resume we discussed" or "Invoice for work".

If you open an attachment accidentally, you'll notice pretty quickly that the content is nonsense or not relevant to you, that the application crashes straight away, or that nothing seems to happen at all. That last case is the one to worry about: a document that "does nothing" may have quietly run its payload.

If you're running up-to-date systems, a malware installer served by a compromised site will often trigger a security prompt (for example, a warning before running a downloaded file). The danger is that users click through such prompts without reading them.

· Ransomware

Digital muggings from ransomware are pretty noisy. Once you're infected, your files are scrambled and you are presented with a ransom message.

Because encrypting every file can be a slow process, there's a small window of time between infection and complete encryption where you may notice your computer running slowly and the disk working hard.

Current ransomware strains usually scan external hard disks and network shares as well as the local drive. This means network and hard disk activity lights will be thrashing even when you're doing nothing at all, and it is why a single infected workstation can take a whole file server's shares with it.
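The behaviour described above, many files being rewritten or renamed in a short burst, spilling from the local disk onto network shares, is something you can look for in file-activity logs rather than waiting for a ransom note. The script below is an added example, not code from the original article or any product. It assumes a stream of (timestamp, operation, path) events, such as you might export from a file-server audit log or an endpoint agent; the sample events are constructed here, not captured. It also includes a byte-entropy check, since encrypted file contents score close to 8 bits per byte while documents and text score well below that.

```python
"""Heuristic detector for ransomware-like file activity (added example).

Assumed event format: (timestamp_seconds, operation, path), with operation one
of "write", "rename", "create" or "delete". Paths use forward slashes; UNC
network shares start with "//". The sample events below are constructed.
"""
import math
import random
from typing import Iterable, List, Tuple

Event = Tuple[float, str, str]

MODIFYING_OPS = {"write", "rename", "create"}

PLAINTEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 100


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`. Text and office documents typically
    score well under 7; encrypted or compressed content sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pseudo_random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for encrypted file contents (constructed data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def path_root(path: str) -> str:
    """Drive letter ("C:") or UNC share ("//fileserver/shared") of a path."""
    if path.startswith("//"):
        parts = path[2:].split("/")
        return "//" + "/".join(parts[:2])
    return path.split("/")[0]


def detect_bursts(events: Iterable[Event], window_s: float = 10.0,
                  min_files: int = 20) -> List[dict]:
    """Flag any window of `window_s` seconds in which at least `min_files`
    distinct files were written, renamed or created. Each burst is reported
    once, with the drives and shares it touched."""
    evs = sorted(e for e in events if e[1] in MODIFYING_OPS)
    alerts = []
    i = 0
    while i < len(evs):
        start = evs[i][0]
        touched = set()
        j = i
        while j < len(evs) and evs[j][0] - start <= window_s:
            touched.add(evs[j][2])
            j += 1
        if len(touched) >= min_files:
            roots = sorted({path_root(p) for p in touched})
            alerts.append({
                "window_start": start,
                "files": len(touched),
                "roots": roots,
                "touches_network_share": any(r.startswith("//") for r in roots),
            })
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


def build_sample_events() -> List[Event]:
    """Constructed, not captured: a user editing a few documents normally,
    then a burst rewriting and renaming documents on C: and a mapped share."""
    normal = [
        (0.0, "write", "C:/Users/alice/Documents/report.docx"),
        (42.0, "write", "C:/Users/alice/Documents/report.docx"),
        (300.0, "create", "C:/Users/alice/Downloads/invoice.pdf"),
        (410.0, "write", "C:/Users/alice/Documents/budget.xlsx"),
    ]
    burst = []
    for k in range(15):
        doc = f"C:/Users/alice/Documents/file{k}.docx"
        burst.append((600.0 + k * 0.2, "write", doc))
        burst.append((600.1 + k * 0.2, "rename", doc + ".locked"))
    for k in range(10):
        burst.append((604.0 + k * 0.3, "write", f"//fileserver/shared/finance/q{k}.xlsx"))
    return normal + burst


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print("ALERT: %(files)d files changed within seconds of t=%(window_start).1f, "
              "roots %(roots)s, network share touched: %(touches_network_share)s" % alert)
    print("entropy of text sample: %.2f" % shannon_entropy(PLAINTEXT_SAMPLE))
    print("entropy of random bytes: %.2f" % shannon_entropy(pseudo_random_bytes(4096)))
```

The thresholds (20 distinct files in 10 seconds) are assumptions to be tuned against a baseline of your own normal activity; backup jobs and software updates will also produce bursts, so treat an alert as a prompt to look, not proof of infection. Pairing the burst count with an entropy check on the newly written files separates bulk encryption from a legitimate batch edit.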

· Botnet clients

Botnet software (clients) can infect a wide range of computers and devices. These clients help spammers and attackers by recruiting your equipment to do their bidding.

