When a network breach occurs, it could be the beginning of the end for your company. Everything depends on how quickly you respond, and of course, what your next steps are toward fixing the problem.. What’s really scary is that most small and mid-size companies are never prepared for these types of incidents. This often causes major damage, not only for the company but also for its customers in the case of a data breach.
That’s why in this article we’ll be describing the best tools, techniques and tips for preventing and identifying an ongoing network breach.
What is a security breach?
A security or network breach consists of unauthorized third-party access to any device, server, network or application. This is possible by violating the current security system using certain types of attacks until the attacker breaks one of the security layers and gains access, or by manipulating the weakest link in any company — humans — into performing social engineering attacks.
Most people think of a security breach like the final stage of a cybersecurity attack, and while in some cases it is, in most cases, it’s just the beginning of the nightmare. Once the attacker has gained network or server access to the private area, he can extract data and migrate all the information to local or remote devices and networks causing what’s called a data breach.
Apart from extracting data, malicious attackers can also install applications, backdoors, Trojan horses, viruses, malware and much more in order to spread chaos, control the network and protocols, or simply cause damage to the attacked company.
Depending on the actions of the attacker, the involved data and affected applications, we can classify a security breach in levels of low, mid and high risk.
13 common signs of a security breach
How can I detect a network or system breach? This is one of the most common questions for new system administrators and security researchers working on a blue team when facing their first cybersecurity challenges.
The truth is that even for industry veterans, cybersecurity breaches are not easy to detect. They require fine-tuned knowledge, previous experience and tons of patience to avoid overlooking any signs an attacker may leave behind.
A few common indicators can lead you to the earliest signs and patterns of a security breach. But before we get into that, take note of the #1 golden rule of auditing a possibly compromised system: Don’t make any changes, just watch.
If you find any evidence, and modify or delete anything you’ve found, you may be altering the only source you have that could help you perform a deep analysis and mitigate the problem.
Even if you see potential danger in some files, don’t delete them Instead, try to read the content without altering an single line of code. Watch, observe and collect all the data you can for later analysis.
Keep on the lookout for the following:
- Abnormal network or app traffic: This is why network and system administrators need to monitor network graphs every day. You can also create or use specific apps that can calculate differences in terms of network bandwidth (big spikes or drops), users or resource usage in all your systems and apps, and alert you properly.
- Unexpected network activity: Weird network downloads from remote websites you don’t know, commands to extract zip files, and strange login attempts from unknown networks could be signs of a possible network breach.
- Unusual resource usage: Another frequent sign of a breach is when the disk, RAM or CPU start behaving abnormally, especially when applications are idle or don’t have a lot of simultaneous users, such as in the middle of the night.
- You can’t access your server, app or email account: Another common sign of compromise is when attackers disable your login privileges or change passwords. This type of sign is often detected quickly as these are day-to-day tasks you perform.
- File system modification and creation: Apart from web-based apps (which are always updated and modified), certain system files and directories shouldn’t be modified on a normal basis. That’s why weird file modifications, new directories, hidden folders and encrypted files, can all be signs of a past or current breach.
- Domain and DNS record modification: While a lot of system administrators and security researchers explore application and database servers when searching for signs of a breach, there’s always a DNS server or service that can be exposed to attacks. Checking your DNS records and domain information is always a good way to keep your apps secure too. If you see new subdomains, or weird types of DNS records that you didn’t create, you may want to take a look.
- Browser security warnings: If you’re receiving a virus, malware or any type of security warning from your antivirus, anti malware or the browser itself while loading any of your pages, there’s a big chance something has changed on your application side.
- Unexpected code on your applications: Attackers do this by exploiting your app vulnerabilities, or they perform it manually by uploading the new code using SSH or FTP protocols. If you find extra code that you don’t recognize from your own authorship, it may be a sign of an ongoing security breach. Code injection and modification is often used to drive normal traffic away from your website, to perform phishing attacks or infect users with malware or virus.
- Slow network access: Once they’ve logged in, attackers may alter the network usage and speed of your server — so much that you may notice slow speeds on ssh, ftp and email logins, or when loading your apps and database data.
- Unusual amounts of outgoing spam: Sometimes attackers will gain control of your email services and use your server resources to send tons of outgoing email with fake information, spreading malware across multiple users or phishing campaigns to steal sensitive data from anyone who falls into their tra.
- Unexpected service interruption and server reboots: Are your server services interrupted from time to time, or are you experiencing unwanted system reboots that apparently no one did? Stay alert and investigate those anomalies carefully.
- Suspicious bank and credit card transactions: Have you noticed any unusual transactions in your company bank account or other online payment systems? Someone could be using your company credit card or online account for malicious purposes.
- Your server IP has been blacklisted: This is often the result of outgoing spam, malware or DDoS attacks against third-party networks, prompting system administrators to report your server IP as the source of attack.
While there are other signs of an ongoing security breach, these are the most common examples you’re likely to face during your blue team inspection tasks. It’s also important to clarify that while most of these signs are evident in application-side attacks which don’t involve any administrator or root privilege access, they’re also indicators of high-level compromise cases.
Top 14 tools and services for preventing a security breach
A complete list of tools for preventing a security breach would be huge; here we’ll focus on the top 14, based on our experience.
- System monitoring and log auditing tools: When it comes to system monitoring, the hands-down king is Nagios. Nagios will help you identify any abnormal system load, network peaks, resource usage, service interruptions and much more, thanks to the huge amount of plugins and the ease with which you can write your own to enhance its core capabilities. For log auditing, one of the best tools we can recommend is auditd, which will help you keep your system logs organized and watched all the time.
- System firewalls: System firewalls are necessary in order to secure all the incoming and outgoing packets on your system. For Linux, there are a number of solutions like ufw on Ubuntu, or firewalld on CentOS. Another great solution is to switch to the popular CSF firewall, which works as a complete security suite for traffic inspection and incident prevention. On the other hand, pfSense is one of the most popular and robust firewalls for any FreeBSD-based system.
- Malware and antivirus scanners: This is another important part of any intrusion prevention system, as preventing the upload of malicious files or detecting them on your file system immediately can make all the difference between a clean system and a compromised one. When it comes to malware detection, two solutions may fit your needs: Maldet and cxs are nowadays the top used anti-malware solutions for production Linux servers. Clamav and VirusTotal are other useful tools to use in your daily scanning reports for effective virus detection.
- Vulnerability scanners: Part of preventing a security breach is scanning your own apps and servers against common vulnerabilities, and this is done by using vulnerability scanners. Fortunately, there are many solutions available, such as online vulnerability scanners, system-side vulnerability scanners or cloud based solutions. Nessus, OpenVAS, Nexpose, Nmap and Nikto are probably the most popular solutions blue teams use to stay one step ahead of the bad guys.
- Encryption tools: When it comes to data safety, there are always good reasons to encrypt your most critical data, whether you want to encrypt your disk partitions with LUKS, or files with Tomb or CryFS. Another great way to prevent security breaches is to start handling all your infrastructure passwords securely, by using tools like 1Password, Dashlane and others.
- Penetration testing tools: Blue teams always need red team tools to test their own defenses — that’s why using security frameworks like Metasploit or the ever-popular Kali Linux tools isn’t a bad idea. Test, penetrate, and make sure everything is well-secured before any malicious attackers do.
- Data security and integrity services: Tools like these are especially useful for letting you know when files or directories have been modified or altered in any way. Comparing the digital signature of files and protocols against a local database from a previous time serves as a quick way to identify file system-based attacks, and Tripwire is our recommended tool for getting it done.
- Intrusion detection systems: Also known as IDS, these software applications are designed to prevent and detect signs of a breach on any device connected to the Internet. Intrusion detection systems run as a system daemon and are constantly watching for suspicious activity over protocols and software running on the system. Once an incident is detected, it will be reported to the system administrator for further analysis. Most of the modern IDS are able to interact with firewalls, so once an attack is detected it can be automatically banned from the server to prevent moving forward. Some of the most popular IDS options available are be OSSEC, Snort and Fail2Ban.
- Network mappers: Running your own network mapping could help you discover weak points within your online infrastructure, whether they’re open ports, unpatched software versions or even CVEs. Nmap is the tool we recommend for these tasks.
- Security auditing tools: Lynis is one of the best tools available for running daily health scans against all your Linux servers. Rootkithunter, on the other hand, will help you identify rootkits, trojans, exploits, backdoors and more. It also searches for hidden files, suspicious strings in kernel modules and default rootkit directories.
- DDoS mitigation systems: While anti-DDoS systems aren’t part of a real breach prevention system, you should always include them in your prevention list. Why? Because a common technique used by malicious attackers is to distract attention from the server’s administrators by launching DDoS and floods. This keeps you busy mitigating the incident while they’re hard at work on a real intrusion attack behind the scenes on a real intrusion attack. The best enterprise-grade solutions we can recommend when it comes to anti-DDoS work are Cloudflare and Incapsula.
- Honeypots: one of the best ways to prevent cybersecurity incidents is by using a honeypot, that can be used as a trap system for malicious attackers. You will be able to analyze all the attack data, analyze and create new procedures in order to prevent attacks in the future. Explore more about this topic in our previous blog post: Top 20 HoneyPots to Detect Network Threats.
- Attack Surface Reduction tool: Analyzing your attack surface with the proper tools should be one of your top priorities. The SecurityTrails Attack Surface Reduction tool will help you discover critical information about your online assets before the bad guys do. With it, you can find software versions, open ports history, exposed IPs, domain names, quickly and easily and associated domains. You can also pivot between all the important data, and manage your inventory in a simple and speedy way to prevent incidents from becoming a real threat.
Today we’ve explored the key things to keep in mind when it comes to preventing and detecting a security breach on general Unix/Linux based systems. We also revealed the most important tools and techniques you can use when facing a possible system compromise.
While technology is your best ally for preventing a security breach, the truth is that it only provides numbers. The reports and alerts technology yields still need interpretation and intervention from the people who receive the data. And whether we’re talking about a system administrator or security researcher, 60% of proper prevention and detection relies on human ability to detect and identify attacks and signals and patterns of compromise.
Are you a security researcher, or do you work for a private or public agency? Do you want to prevent and monitor security issues? Check out our latest enterprise-grade pilot product: Attack Surface Reduction – ASR, our full command intelligence center that will help you reduce your attack surface area in a fast, thorough and effective way.