Have You Been Compromised? 7 Signs to Detect a Hidden Data Breach

With the average data breach potentially going unnoticed for several months, companies often find themselves blindsided when things “suddenly” go wrong. Thankfully, a few telltale signs can reveal even the most subtle breaches so you can act quickly and prevent any impact on your business.

Though hacking might look intense in the movies, the real thing is often unremarkable— at least until money and files start disappearing!

Unfortunately, it’s this “unremarkable” quality that makes so many breaches so hard to notice.

According to Sophos, the average cost of remediating a ransomware attack more than doubled in the last 12 months, and IBM says companies took an average of 280 days to identify a breach in 2020, suggesting that most breaches go entirely unnoticed when they occur.

As a result, many companies probably have a breach but don’t even know it.

But how can you tell if you’ve been breached?

Detecting a breach can take a keen eye, but it’s not impossible if you look in the right places— and for the right signs. Since most breaches involve some form of file tampering or unauthorised access, keeping a close eye on key resources and system activity is a great place to start.

However, a close eye isn’t always enough: Hackers are really good at blending in. To see past their disguises (perhaps they’re called “netmasks?”), we first need to understand why they’re so effective.

How Breaches Go Unnoticed

Though a breach can go unnoticed for many different reasons, lack of oversight is usually the root cause. While that may seem obvious, “oversight” is more involved than many companies imagine— and basic monitoring tools often aren’t enough to provide it.

Assuming only “suspicious” activity is dangerous.

Suspicious activity is fairly easy to notice, and basic log review and monitoring systems are often good enough to handle it. To their credit, they’re perfectly capable of denying and cataloguing login requests from foreign IPs, preventing file access from unauthorised users, and so on.

But what about the non-suspicious “regular” activity?

While suspicious activity is the low-hanging fruit on the “threat tree”, the real danger lies in the non-suspicious activity performed with malicious intent— in other words, the cybersecurity equivalent of a wolf in sheep’s clothing.

For example, a skilled hacker might get their hands on the credentials of a high-level user and use them to access sensitive data. The tricky part is that access made with these credentials looks perfectly normal, even though the data is actually being stolen. As a result, during log review, what’s actually a breach only looks like a user accessing the data they’re supposed to access.

Siloed networks and security systems

As a network grows in size and complexity, parts of the network can drift apart into fragments known as “silos.” Here, each silo is independent of the other, and many organisations fall into the trap of managing them independently rather than reintegrating resources.

Such a fragmented environment presents several security challenges. For one, since the network is no longer a single entity, administrative and security staff become fragmented as well. This dynamic not only spreads resources thin but also limits total visibility into the network.

Hackers, however, enjoy a different perspective: While administrative and security staff are forced to work in fragmented environments, hackers are still able to handle the siloed network as a single, exploitable entity. As a result, breaches easily go undetected in siloed networks since teams often lack the visibility to notice.

Limited ongoing commitment to security

Effective security is an active, ongoing effort. Unfortunately, too many companies make the mistake of implementing a “one and done” approach to security that only involves setting up monitoring software or a firewall and then leaving it alone.

While these tools are certainly useful, what’s most important is how they’re used. Though some security tools are getting better at detecting threats by themselves, they rarely have the intuition to match a human security team.

As a result, detecting threats and hidden breaches requires an ongoing commitment to security where all network activity is regularly monitored and questioned by people (not just software) familiar with the network.

Lack of accountability

When nobody’s sure what role they play in security, important tasks such as patching and certificate renewal are easily forgotten. As a result, security holes arise without anyone noticing, resulting in breaches like the $2 billion Equifax data breach, which was caused by an expired certificate.

Unfortunately, this situation is common in many organisations that have difficulty defining security as a distinct function; whether it’s letting the software do all the work or simply pushing the responsibility onto IT without clear guidelines, many security roles and accountabilities are left undefined— and companies are left vulnerable.

7 Signs of a Hidden Data Breach

Even if you and your team have your eyes peeled, there’s always a chance of a breach. While you’re keeping a lookout, look for the following signs that might indicate an existing data breach in your system.

1. Unusual Outbound Network Traffic

When a successful breach is established, sensitive data is sent over the network and back to the hacker. During this time, you’ll likely notice a portion of outbound network traffic headed somewhere unusual or unknown.

Depending on the goals of the hacker, the breach might last just long enough for them to get what they need, or it might continue on an ongoing basis. In any case, a thorough log review is your best tool for detecting unusual outbound traffic.
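As an added example (not part of the original article), here is one way to run that kind of log review: total the outbound bytes per internal host and destination, ignore destinations the business is known to use, and surface the rest once they pass a volume threshold. The record format, the allowlist, the threshold and all addresses are assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: "timestamp src dst dst_port bytes_out"
SAMPLE_FLOWS = """\
2024-05-01T09:00:03 10.0.0.15 198.51.100.10 443 48000
2024-05-01T09:02:41 10.0.0.22 198.51.100.10 443 51000
2024-05-01T23:14:09 10.0.0.31 203.0.113.77 443 9000000
2024-05-01T23:29:10 10.0.0.31 203.0.113.77 443 8500000
2024-05-01T23:44:12 10.0.0.31 203.0.113.77 443 9200000
2024-05-02T10:05:00 10.0.0.15 192.0.2.8 53 300
"""

# Assumption: networks the business is known to send data to.
KNOWN_DESTINATIONS = [ipaddress.ip_network("198.51.100.0/24")]
BYTES_THRESHOLD = 5_000_000  # assumed per-pair volume that deserves a human look


def parse_flows(text):
    """Yield (src, dst, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, _port, nbytes = parts
        try:
            yield src, ipaddress.ip_address(dst), int(nbytes)
        except ValueError:
            continue


def unusual_outbound(text, known=KNOWN_DESTINATIONS, threshold=BYTES_THRESHOLD):
    """Return [(src, dst, total_bytes, flow_count)] for unknown destinations over threshold."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, nbytes in parse_flows(text):
        if any(dst in net for net in known):
            continue  # destination is on the known-good list
        totals[(src, str(dst))][0] += nbytes
        totals[(src, str(dst))][1] += 1
    hits = [(s, d, b, n) for (s, d), (b, n) in totals.items() if b >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total, count in unusual_outbound(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {total} bytes in {count} flows")
```

Summing per pair matters because each individual transfer can look ordinary while the total does not.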

2. Critical File Changes

Many hackers make changes to critical files or manipulate databases in an effort to escape detection. Though that might sound counterintuitive, these changes are often more subtle than we might think; with normal IT operations already accounting for a massive amount of critical file changes every day, one or two from a hacker can easily slip by undetected.

While the methods for monitoring critical files vary by organisation, linking documented procedures and tasks to their respective file changes is a great start.

3. The Appearance of Unknown Files

In addition to tampering with critical files, hackers might insert a few files of their own. These files are often scripts meant to assist the breach in some way, such as automatically reading a database or rounding up stolen data.

Being stealthy as ever, a hacker will likely try to hide these files deep within your network. As a result, visibility is especially important here.
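The checks described in signs 2 and 3 can be combined in a small file integrity review, shown here as an added example that is not from the original article: hash every file, compare against an earlier baseline, and mark each changed, new or missing file with the documented change that explains it. The directory contents, file names and the `CHG-0001` ticket ID are hypothetical sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def review_changes(baseline, current, approved):
    """List (path, kind, change_ref); paths absent from approved are UNDOCUMENTED."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            kind = "new"
        elif path not in current:
            kind = "missing"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        findings.append((path, kind, approved.get(path, "UNDOCUMENTED")))
    return findings


def demo():
    """Run the review over a constructed directory tree (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_text(data)
        write("etc/app.conf", "port=8443\n")
        write("etc/users.db", "alice:admin\n")
        baseline = snapshot(root)
        write("etc/app.conf", "port=9443\n")               # covered by a change record
        write("etc/users.db", "alice:admin\nsvc:admin\n")  # no record exists
        write("var/cache/old/helper.sh", "#!/bin/sh\n")    # file nobody documented
        approved = {"etc/app.conf": "CHG-0001"}            # hypothetical ticket ID
        return review_changes(baseline, snapshot(root), approved)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Only the `UNDOCUMENTED` rows need a person to explain them, which keeps the handful of unexpected changes from being buried under routine IT work.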

4. Locked Accounts

If a user is locked out of their account despite having valid credentials, it may be a sign that a hacker has accessed the account and changed the password. A hacker might do this in order to gain (and keep) access to an account with enough privileges to access the data they need.

Whenever a user reports a locked account, IT and security teams should be quick to review changed password records. Alternatively, implementing multi-factor authentication can help prevent this problem altogether. You can and should set up 2FA/MFA as a minimum for any critical systems, and this can be done with little or no disruption in signing in when configured correctly.

5. Unusual Administrative Activity

Though administrators are expected to access sensitive data and make the odd permission change, a high volume of these activities could indicate a compromised account. During log review, pay extra attention to administrator activity, especially when it involves modifying data or user permissions.

Administrators aren’t the only users at risk. Superusers and other high-profile accounts are desirable targets, too. A compromised account may also try to modify logs in an attempt to cover its tracks. To prevent this kind of tampering, IT and security teams should run some form of file integrity monitoring software.

6. Slow Internet

High amounts of outbound network traffic resulting from a breach can slow down Internet speeds, especially during an ongoing breach. Further, if a device has been compromised due to a breach, then malware can slow down device speeds as well. While there can be many reasons for slow Internet and sluggish devices, a breach shouldn’t be ruled out.

7. Missing Funds and Identity Theft

Money is the ultimate goal of many data breaches, but it’s not always as blatant as draining the corporate account; in some cases, hackers will get their hands on enough personal data to access bank accounts or commit identity theft. South Australia’s Tailem Bend Netball Club was recently targeted in an online invoice scam with losses of $150,000, and this was done via access to only one part of their email system, where a genuine-looking invoice with altered bank details was used.

Both companies and users should be on alert for missing funds and cases of identity theft. When these events occur, it’s more than likely the work of a data breach.

Takeaways: Avoiding and Detecting Breaches

When it comes to data breaches, an ounce of prevention is worth a pound of cure— especially considering how difficult they can be to detect. To help avoid and detect data breaches, make sure your security strategy includes the following:

  • Multi- or two-factor authentication (MFA/2FA) for all users
  • Log reviews of network and user activity (including file integrity monitoring)
  • A “zero trust” approach scrutinising all user activity
  • Defined security roles and accountability measures
  • An ongoing commitment to security with new threat reviews
  • New staff security training and ongoing training for existing users

Implementing these features can be a challenge, especially for small to midsize companies. For companies that can’t support a full-time security staff, Blackbird IT’s managed cybersecurity services can help you build a strategy and implement the right tools and the right mindsets to avoid today’s biggest security threats. For more information, stay tuned to the Blackbird IT blog or contact us to speak with a member of our team on how we can assist. We are passionate cybersecurity experts.

About Blackbird IT

Blackbird IT strategically implements technology in workplaces to deliver powerful operational efficiencies, competitive advantage and innovation for every business. See some of our client case studies and partnerships here. Enabling a security-minded culture for the Australian business community is our goal and we pursue an outcome-driven approach for managing all your technology needs, and to help you realise your potential.
