So You’ve Found An Attacker On Your Network – Don’t Panic

If you find a cybercriminal has penetrated your organisation’s security defences and has entered the corporate network, don’t panic. Just because there’s an intrusion doesn’t mean that data has been stolen just yet. There may still time to stop attackers from getting away with any valuable information assets. Here’s why.

Firstly, what you need to understand is that, in an IT security context, there’s a distinction between an intrusion and a breach. An intrusion means that an intruder has gained access into a network while a breach means that there was actually data leakage.

It’s difficult to prevent intrusions entirely; they could be a result of attackers using sophisticated means to force their way onto a corporate network, or human error. A data breach, on the other hand, could be prevented or contained.

“When an attacker first gets into your environment — the first intrusion — it could take several months for them to find those critical data assets and actually exfiltrate them,” RSA CTO Zulfikar Ramzan told Lifehacker Australia. “… Don’t focus on the intrusion; just make sure you can stop the breach.”

A lot of that comes from having visibility over your IT environment, from your networks and endpoints to cloud services your organisation is connected to, he said. Ramzan recounted an incident when a customer found that an intrusion had occurred on the corporate network and the RSA incident response team was called in to assess the situation.

“Turns out even though the network was compromised by a very advanced threat actor, it still hadn’t found any critical assets. So we took our time because if you let the bad guys know you’re onto them, then all of a sudden they start erasing their tracks — they make it very difficult for you to proceed,” he said. “You have to very carefully monitor them and understand everything they have compromised and then holistically stop them; not stop them in between, because it then becomes very dangerous.”

The RSA team continued to monitor the attackers’ activities and, at one point, saw that they had found a way into an email server with critical data.

“They were getting ready to send [the files] back to their home server. Just before they did that we swapped the files out with dummy files,” Razman said. “They copied all the dummy files and then we shut down all their access at once and completely kicked them out of the network.

“You can tell they were extremely frustrated because they kept trying to log back in and then, later, instead of trying real usernames and passwords, they started typing expletives in the username and password fields.”

He noted this was a positive sign because if the attackers left without a peep then the team would have thought they had another way of gaining access again.

“But the point is that it was an advanced threat actor; they had already been in the network for God knows how long at that point and they still hadn’t found the crown jewels yet,” Razman said. “So there is an opportunity to really stop attackers even in the middle of the attack before they have accomplished their goals. If you can do that you would have accomplished your business objective.”

That doesn’t mean organisations should be lax about how they approach intrusions just because they might still have time to prevent a data breach. Early awareness of attackers on your network is key to fending off breaches.

According to Microsoft, it usually takes an enterprise more than 200 days to detect a security breach and 80 days to contain it.

One option for early detection is to implement “network canaries”. Thinkst’s Canary appliance that works in conjunction with an online monitoring service that alerts users when an attacker enters the network as they scan for vulnerabilities that they can exploit. You can either configure the canaries to send back a vulnerable reply to the scan, essentially setting up a honeypot to bait the attackers, or you can simply receive the alerts.

The company has also released a free software-only version called OpenCanary on GitHub, which doesn’t come with support and has scaled down tools and capabilities. It’s a decent option if you just want to try implementing network canaries but don’t want to shell out the cost to buy the full-blown appliance just yet.

Spandas Lui travelled to Singapore as a guest of RSA