How to Recognize Breaches When Hackers Shift Their Focus

The security profession doesn't only have to bear bad news. Reasons to be hopeful do occasionally emerge, such as a finding from the just-released 2016 Trustwave Global Security Report which indicated that the share of security incidents affecting point-of-sale environments dropped 18 percentage points, from 40 percent in 2014 to 22 percent last year.

We have been screaming from the rooftops about point-of-sale (POS) malware for some time, and our SpiderLabs team has researched several new strains of the nasty stuff over the past couple of years. But if this new data is any indication, it appears as if the industry has collectively turned a corner in response to a threat that is purposely conceived to steal credit card numbers from payment terminals.

The EMV standard, which now requires that merchants in the United States transition to readers that can accept chip-based cards, is also aiding the fight by disincentivizing cybercriminals from attacking these POS assets. Another consideration is that crooks are finding that they can earn much more money by stealing sensitive data beyond credit card numbers. That includes not just other personally identifiable information, but also intellectual property and other proprietary information belonging to corporations.

Is that where the good news ends? In the security industry, cybercrime trends tend to be inversely proportionate because professional fraudsters shrewdly shift their tactics so they can continue to revel in robust returns-on-investment. So where one area improves, another suffers. In that vein, the 2016 Trustwave Global Security Report showed that the share of incidents affecting corporate and internal networks increased to 40 percent last year, up from 18 percent in 2014.

But instead of waving the white flag and suggesting that the fight can ultimately never be won because your adversaries will always transition to something else, consider this: According to the report, 41 percent of data breaches were detected by the victims themselves, up from 19 percent in 2014 - a huge rise.

While it's impossible to perfectly explain why this change occurred, it is a potentially significant development. Spotting breaches internally - and not relying on an outside party to do it for you - is immensely important to limiting the amount of damage that your adversaries can cause. Our numbers show self-detection drastically cuts down on the median time between intrusion to detection - and containment.

  intrusion-detection-days

                                    (Source: 2016 Trustwave Global Security Report)

More and more organizations are accepting that intrusions are an inevitable prospect - and are prioritizing their security programs accordingly to focus on detection as much as protection.

It's important to remember, however, that this trend may merely be a blip on the radar - especially with hackers deftly and regularly shifting their tactics - so it's critical that you embrace the momentum by continuing to fixate your attention on the attacks and compromises themselves.

Here are three signs that may indicate a data breach is underway:

1) The Operation

A rise in unusual data access, strange or uncommon network traffic, account logins (and failed logins), and newly installed programs - much of this happening at odd times - can signal network inhabitants who are up to no good.

2) The Transfer

Suspicious outbound traffic, especially to systems outside your control, typically is a tell-tale symptom that hackers are attempting to exfiltrate sensitive information outside of your walls.

3) The Cover-Up

Criminals often will try to introduce a decoy, such as a DDoS attack, so your eyes are diverted elsewhere. And once they've completed their mission, they'll attempt to hide their tracks through log tampering.

An important note to keep in mind is that many companies are not equipped with the in-house skill sets to accomplish these tasks effectively and achieve optimum security outcomes. Partnering with a managed security services provider that offers threat intelligence, detection, mitigation and protection can help offset this gap in acumen and extend your IT team.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor. 

banner-security-list 

 

 

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.