The Indicators of Compromise: Have You Been Hacked?

Not a day passes by without people hearing of a new data breach that has just been leaked. The reasons for this are numerous, and we’ve already dug into some of them in our previous blog posts. We’ve also explained what hackers do and dug into the methods you can use to protect from attacks that hackers use to harm your infrastructure, however, we have not yet provided you with a list of the indicators of a possible compromise.

Indicators of Compromise: Why are They Important?

The indicators of compromise help you figure out whether you’ve been impacted by an attack on the web. They’re important to everybody, but they might have even more impact on your day-to-day life if you find yourself spending a significant amount of time online (perhaps you’re working remotely or you’re spending time to educate yourself on technology outside of work?)

The more indicators of compromise you can recognize, the better it is for your cyber safety – they will help you better protect your employees, friends, and family, since a potential compromise of your online accounts can affect both your online and offline life. Attackers are ruthless – if they get ahold of your password and you find yourself re-using those across multiple online mediums, they will surely take advantage of that and you could find yourself losing access to even more online accounts such as Gmail, perhaps even Facebook or PayPal – depending on where that password was re-used.

If attackers take control of your credit or debit cards, that’s a different story – oh, and have we told you that attackers are also interested in other kinds of identification like Social Security Numbers and driver’s licenses?

The Indicators of Compromise

You get it – the consequences of a potential data breach can be very severe. However, there are multiple things we can do to familiarize ourselves with the data breach landscape and protect ourselves from a data breach in the future. By knowing at least a couple of the indicators of compromise, you and the people working in your company could not only protect themselves from identity theft, but advice other people how best to deal with such incidents. Everyone wins!

However, it’s important to note that indicators of compromise, frequently referred to as “IoC”, most of the time are highly technical in nature – indicators are everything that can indicate that a breach has already occurred and immediate action is necessary.

To help protect your staff from the dangers of identity theft, look for these signs within the infrastructure of your company:

• The precence of new, unrecognized files – while these can be created by a web developer employed at your company, sometimes the most likely cause of unrecognized files being uploaded to a server is a data breach. An unrecognized file can be a shell (shells allow attackers to access files in a web server and they’re frequently uploaded onto a server after a data breach has taken place) or even a deface page put up on your website after a successful data breach.
• Suspicious queries within your database – these can be hard to detect at first, but if your company is using any kind of database monitoring software or you have a seasoned DBA on scene, give him a task to review database logs and activity within your database within the last week or two and see if anything suspicious comes up – if your DBA tells you that your database is going crazy and you’ve never seen anything like that before, that’s likely to be an indicator of a compromise.
• Too many backups of your database – once an attacker breaches a website or any application, taking a copy of the user table is one of the first things that are on his mind. That’s the case because data is then used to mount credential stuffing attacks, and once that’s done, sold off for a hefty price tag to other nefarious parties. Once people buy access to stolen data, they add it to their “collection” of data breaches and mount credential stuffing attacks again – the cycle continues.
• Failed login attempts – too many login attempts could be an indicator of a bruteforce attack where an attacker tries all kinds of username and password combinations to access the administration control panel of your website. Be wary of that and tell your web developers to consider installing bruteforce detection tools that detect anomalies in login forms and alert the security staff of any suspicious acitivity.
• Beware of users with suspicious geographical locations associated with their accounts – attackers frequently use proxy and VPN services to hide their original location. If you see many login attempts from an IP address your systems don’t recognize, or you notice suspicious activity (weird URLs, etc.) originating from a random IP address, that’s a likely attack vector too.

Familiarize yourself with these indicators of compromise and keep them in mind for future reference – if your security staff comes to you with a concern involving one or more of these likely indicators, alarm bells should be setting off.

Protecting Your Team From Identity Theft

Now that you know what might be the most likely indicators of compromise, it’s time to familiarize yourself with the methods you can employ to protect yourself and your teammates from an incoming attack. Here’s what you should do:

• Follow the security practices outlined by your local cyber incident response team (CERT.)
• Make sure that your organization is employing the capabilities of an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), or a web application firewall (WAF) – all of those security appliances serve a purpose to either detect a breach, prevent a breach, or detect and block attack vectors before they reach your application protecting the most important secrets of your company as a result. We’ve already dug into what a good WAF should entail, so if you’re interested, do have a read.
• Make sure your company complies with all regulations applicable to it, whatever they should be – ISO 27001, GDPR, HIPAA, etc. – while the compliance with some (or all) of these regulations won’t ensure that your company won’t suffer a data breach in the future, they will surely make your company stand its ground in terms of security.
• Ensure that everyone in your organization is making use of the capabilities provided by two-factor authentification, or 2FA – that way, even if an attacker successfully penetrates the security of your infrastructure, an SMS will be sent to your phone with a code that you must enter to access a sensitive part of your infrastructure. Without the code contained in the message, no one will be able to gain access to it.

Finally, consider using a data breach search engine like the one provided by BreachDirectory – data breach search engines are famous for letting companies and individuals alike evaluate the extent of their exposure to identity theft. BreachDirectory will not only let you know whether you’ve been exposed to a data breach in the past, but also let your company secure its employees by running a bulk account search through its API offering, and if that’s not enough, it will also notify you if your account appears in any of the data breaches that are going to be imported into the data breach search engine in the future.

Summary

In this blog post, we’ve walked you through a couple of potential indicators of compromise (IoC) that could signal that a data breach has taken place and provided some advice on how you should act in order to protect yourself, your team, and your loved ones from a data breach in the future.

We hope that this blog post has been informational and that you will come back to the blog of BreachDirectory to learn more about threats on the web in the future and until next time!