Last week, Australian Catholic University suffered a data breach caused by a phishing email. The login credentials of some of its staff were exposed, giving hackers access to their email accounts, bank account details and other information.
This is the second data breach at an Australian university in recent months. A serious breach that began in late 2018 was only detected by the Australian National University (ANU) last month. Over more than six months, the hackers stole a large amount of personal and credential information, including passport details, bank account details and payroll information.
These incidents point to a technique used by most experienced hackers, known as Lateral Movement. It typically involves gaining access to one user's account, then using that foothold to reach more sensitive data on the networks that user is part of.
Compromising user accounts through phishing and social engineering is relatively easy. The results, however, are always devastating and increasingly expensive to recover from.
That said, here are seven ways to detect Lateral Movement activity during an attack:
1. Audit Logins
Monitoring the login activity of staff and network administrators can provide insight into a possible breach. For instance, if you know when your staff log in and out of their accounts, you can launch an immediate investigation when you notice login attempts after work hours or at weekends.
2. Carefully Inspect Your Administrative Tasks
Modern Anti-Virus software and Endpoint Detection and Response (EDR) technology are quite advanced and can detect infiltration attempts within a short time. As such, hackers tend to camouflage their attacks using native administrative tools rather than malware.
If you suspect a breach, inventory all the tools that you and your network administrators use, and what information each of them can access. Then go through the administrative panel with a keen eye, looking for anomalies such as repeated attempts to access a particular database. Directory services such as Active Directory and Apple Open Directory can also help detect strange requests and behaviours.
3. Monitor Devices Using Multiple Credentials
As mentioned earlier, hackers prefer stealing individual user credentials and using them to gain access to networks, as it’s easier and less likely to be detected quickly. As such, it’s essential to regularly check how your staff use their credentials and what devices they use. This way, you can easily spot inconsistencies and get to the bottom of them.
Additionally, you can perform log analysis to identify instances of credential misuse. The necessary information comes from the logs of your authentication and authorisation systems.
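The login audit in point 1 and the credential-misuse log analysis in point 3 both reduce to the same kind of check run over authentication log lines. The following is an added example, not code from the original post or from getNEXT: it parses a constructed, hypothetical log format ("timestamp result user=… host=…"), flags successful logins outside assumed business hours or at weekends (with an allowlist for service accounts that legitimately run at night), and lists devices on which several distinct accounts were tried as well as accounts used from several devices. Business hours, host names and account names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample authentication log, one event per line in a hypothetical
# "<ISO timestamp> <OK|FAIL> user=<account> host=<device>" format.
# 2019-05-06 is a Monday; 2019-05-11 is a Saturday.
SAMPLE_AUTH_LOG = """\
2019-05-06T08:55:12 OK user=j.smith host=WS-101
2019-05-06T09:02:47 OK user=a.wong host=WS-114
2019-05-06T12:30:05 OK user=j.smith host=WS-101
2019-05-06T17:45:10 OK user=a.wong host=WS-114
2019-05-06T23:41:32 OK user=j.smith host=WS-114
2019-05-06T23:43:09 OK user=m.jones host=WS-114
2019-05-06T23:44:51 FAIL user=admin host=WS-114
2019-05-07T02:10:00 OK user=svc-backup host=SRV-FS01
2019-05-11T10:15:00 OK user=a.wong host=WS-114
"""

# Assumed business hours; adjust to the organisation's real working pattern.
WORK_START = time(7, 0)
WORK_END = time(19, 0)


def parse_auth_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, host_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "host": host_kv.split("=", 1)[1],
        })
    return events


def after_hours_logins(events, allowlist=()):
    """Successful logins outside business hours or at weekends (point 1).

    Service accounts that legitimately run overnight belong in `allowlist`
    so they do not drown out the interesting events.
    """
    flagged = []
    for e in events:
        if not e["ok"] or e["user"] in allowlist:
            continue
        weekend = e["ts"].weekday() >= 5
        t = e["ts"].time()
        if weekend or t < WORK_START or t >= WORK_END:
            flagged.append(e)
    return flagged


def hosts_with_multiple_accounts(events, threshold=2):
    """Devices on which `threshold` or more distinct accounts were used (point 3).

    Failed attempts are counted too: one workstation cycling through several
    accounts is exactly the inconsistency worth getting to the bottom of.
    """
    accounts = defaultdict(set)
    for e in events:
        accounts[e["host"]].add(e["user"])
    return {h: sorted(u) for h, u in accounts.items() if len(u) >= threshold}


def accounts_on_multiple_hosts(events, threshold=2):
    """Accounts that successfully logged in from `threshold` or more devices."""
    hosts = defaultdict(set)
    for e in events:
        if e["ok"]:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for e in after_hours_logins(evs, allowlist=("svc-backup",)):
        print("after-hours login:", e["ts"], e["user"], e["host"])
    print("hosts with multiple accounts:", hosts_with_multiple_accounts(evs))
    print("accounts on multiple hosts:", accounts_on_multiple_hosts(evs))
```

On the constructed sample, WS-114 stands out twice: three different accounts plus a failed "admin" attempt were used on it late on Monday night, and j.smith's account, normally used on WS-101, appears on it as well. Each finding alone is weak; together they are the kind of inconsistency the post recommends investigating immediately.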
4. Look for Any Outliers in File Server Usage
Attackers usually target and manipulate file servers to extract the data they want. It therefore makes sense to scrutinise file share access permissions and usage carefully to identify any abnormal activity. Doing so may open your eyes not only to Lateral Movement attempts but also to sabotage and data theft by malicious insiders.
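"Outliers in file server usage" only means something against a baseline of what each user normally does. The block below is an added example, not part of the original post or getNEXT's product: it takes constructed per-user daily read counts from the previous five working days, scores today's totals with a robust z-score (median and median absolute deviation, so one noisy day does not skew the baseline), and separately reports any share a user touched today that they had never accessed before. The users, share names and counts are all constructed.

```python
import statistics

# Constructed baseline: files read per user on each of the previous five
# working days, as would be counted from the file server's access audit log.
BASELINE_READS = {
    "alice": [22, 20, 25, 23, 21],
    "bob":   [11, 10, 12, 11, 10],
    "carol": [33, 30, 35, 31, 32],
}

# Constructed record of which shares each user touched during the baseline period.
SHARES_SEEN = {
    "alice": {"hr", "shared"},
    "bob":   {"eng"},
    "carol": {"sales", "shared"},
}

# Constructed summary of today's audit log: (user, share, files read).
TODAY = [
    ("alice", "hr", 15),
    ("alice", "finance", 9),
    ("bob", "eng", 180),
    ("carol", "sales", 30),
    ("carol", "shared", 3),
]


def robust_z(value, history):
    """Distance of `value` from the history's median, in units of its MAD."""
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    # Floor the MAD at 1 so a perfectly flat baseline never divides by zero.
    return (value - median) / max(mad, 1.0)


def volume_outliers(baseline, today, k=5.0):
    """Users whose total reads today sit more than `k` MADs above their norm."""
    totals = {}
    for user, _share, n in today:
        totals[user] = totals.get(user, 0) + n
    flagged = {}
    for user, n in totals.items():
        history = baseline.get(user)
        if history:  # users with no history are handled by new_share_access
            z = robust_z(n, history)
            if z > k:
                flagged[user] = z
    return flagged


def new_share_access(shares_seen, today):
    """Users who touched a share today that they never accessed in the baseline."""
    flagged = {}
    for user, share, _n in today:
        if share not in shares_seen.get(user, set()):
            flagged.setdefault(user, []).append(share)
    return flagged


def report(baseline=BASELINE_READS, shares_seen=SHARES_SEEN, today=TODAY):
    """Both checks together, as one would run them from a daily job."""
    return {
        "volume": volume_outliers(baseline, today),
        "new_shares": new_share_access(shares_seen, today),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

Bob's 180 reads against a baseline of around 11 is the bulk-collection pattern; Alice's first-ever visit to the finance share is the quieter signal that a compromised account (or a curious insider) is reaching beyond its usual scope. Neither check needs the server to be instrumented beyond the access log it already keeps.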
5. Analyse the Network Command and Control Activities
Decent perimeter security tools and firewalls automatically monitor command and control activity and act as the first line of defence. Nonetheless, hackers may use malware to target precisely those new servers or cloud networks that are not yet covered by Anti-Virus and other security tools. As such, it is crucial to go the extra mile and look for abnormal DNS patterns, such as multiple failed requests, that may indicate Lateral Movement.
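The "multiple failed requests" pattern above can be checked directly from a resolver's query log. The following is an added example, not code from the post or from getNEXT: it parses a constructed, hypothetical log format ("timestamp client query rcode"), keeps a sliding one-minute window of failed lookups (NXDOMAIN, SERVFAIL, REFUSED) per client, and flags any client whose peak count in a window reaches an assumed threshold. Client addresses, names and the threshold are assumptions; a real deployment would tune the threshold against its own normal failure rate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log: "<ISO timestamp> <client> <query name> <rcode>".
# 10.0.0.5 makes one typo; 10.0.0.9 produces a burst of failures in 35 seconds.
SAMPLE_DNS_LOG = """\
2019-05-06T10:00:01 10.0.0.5 intranet.example.local NOERROR
2019-05-06T10:00:02 10.0.0.5 mail.example.local NOERROR
2019-05-06T10:00:03 10.0.0.5 mial.example.local NXDOMAIN
2019-05-06T10:00:04 10.0.0.9 fs01.example.local NOERROR
2019-05-06T10:00:05 10.0.0.9 fs02.example.local NXDOMAIN
2019-05-06T10:00:09 10.0.0.9 fs03.example.local NXDOMAIN
2019-05-06T10:00:14 10.0.0.9 fs04.example.local NXDOMAIN
2019-05-06T10:00:20 10.0.0.9 backup.example.local NXDOMAIN
2019-05-06T10:00:31 10.0.0.9 sql01.example.local SERVFAIL
2019-05-06T10:00:40 10.0.0.9 dc02.example.local NXDOMAIN
2019-05-06T10:05:00 10.0.0.9 wiki.example.local NXDOMAIN
"""

FAILURE_CODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed failures-per-window alert level


def parse_dns_log(text):
    """Parse the log into (timestamp, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client, qname, rcode))
    return events


def peak_failures_per_client(events, window=WINDOW):
    """Largest number of failed lookups each client made inside any window."""
    recent = defaultdict(deque)   # client -> timestamps of failures still in window
    peak = defaultdict(int)
    for ts, client, _qname, rcode in sorted(events):
        if rcode not in FAILURE_CODES:
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that have aged out
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return dict(peak)


def failure_ratio_per_client(events):
    """Share of each client's queries that failed, a second, slower signal."""
    total, failed = defaultdict(int), defaultdict(int)
    for _ts, client, _qname, rcode in events:
        total[client] += 1
        if rcode in FAILURE_CODES:
            failed[client] += 1
    return {c: failed[c] / total[c] for c in total}


def flag_clients(events, threshold=THRESHOLD, window=WINDOW):
    """Clients whose peak failure burst reaches the threshold."""
    peaks = peak_failures_per_client(events, window)
    return {c: n for c, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_dns_log(SAMPLE_DNS_LOG)
    print("peak failures per client:", peak_failures_per_client(evs))
    print("failure ratio per client:", failure_ratio_per_client(evs))
    print("flagged:", flag_clients(evs))
```

The sliding window is what separates a burst from a slow trickle: 10.0.0.9's later failure at 10:05 does not extend the earlier run because every failure older than a minute has been dropped from its queue. A single mistyped name on 10.0.0.5 never gets near the threshold, which is the behaviour you want from a check that will run against every workstation's resolver traffic.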
6. Use Machine Learning Solutions
Network traffic data can typically give you a clue to possible breaches within the network. To better detect and interrupt hacker access to a network, consider integrating machine learning into your security systems. The systems then 'learn' what regular traffic looks like and can detect any unusual traffic.
7. Take All the Security Red Flags Seriously
A lot of people are quick to click "Agree" or "Accept" on every pop-up without even reading it. For improved network security, make a habit of reading all pop-up notifications before clicking "Skip", as they may be red-flag alerts.
Notably, hackers who carry out Lateral Movement tend to use legitimate tools such as Windows Sysinternals to snoop on networks rather than malware, which might expose their steps. Even so, security tools may raise a red flag, as these diagnostic tools are not pre-installed on the system. Hence, it is critical to be alert to these security flags and not take any warning for granted.
All said and done, preventing cyber-attacks is better (and cheaper) than reacting to one. Of course, no Anti-Virus software will guarantee you 100% protection, so it’s essential to take the above precautions to protect your network.
getNEXT’s Cloud Secure gives you comprehensive protection against any cyber-attacks. Let getNEXT provide you with peace of mind without worrying about data breaches or system downtime and improve your current IT performance.