Are You Breached? Know What To Look For

The average number of days between a network intrusion and its detection by the victim is around 200 days, which is at least 199 days too long.  Sooner or later your company will suffer a network intrusion, computer incident, or data breach, in spite of your best efforts to prevent it.  The goal is to shorten the time between intrusion and detection.

A recent article on TechRepublic discusses the sort of detective work that a network admin or cybersecurity analyst needs to undertake to make quicker detection happen.  A good place to start is your event logs.  What sorts of indicators should you be looking for?

  • Failed logon attempts – Event ID 4625 (Event IDs 529-539 on pre-Vista systems).  A burst of failures from one source, especially spread across many accounts, points to password guessing or password spraying.
  • Explicit credentials – Event ID 4648 (552 on older systems): a logon attempted with credentials other than the current user's, which is common when an attacker moves laterally with stolen credentials.
  • Privilege changes – Event IDs 4728, 4732, 4756: a member was added to a security-enabled global, local, or universal group.  Pay particular attention to additions to Domain Admins, Administrators and similar groups.
  • Suspicious sites – Look at your DNS logs for the names your machines are resolving.  If an unusual name or address appears repeatedly, particularly at regular intervals, it could indicate C2 (command and control) connections.
  • Slow connections – if your Internet connection is unusually slow, it could indicate data exfiltration.
  • Activity on port 22 – Port 22 is SSH (and SCP/SFTP over it), not FTP; FTP uses ports 20 and 21.  Outbound traffic on either should already be blocked at your firewall for most hosts, and where it is not, it can show that data is leaving the building.
  • Password dumping programs – Check your AV logs for evidence of these credential-theft tools.
  • Droppers – If your endpoint AV or other security systems detects one of these, it means someone is trying to install malware on your system.
  • Backdoors – programs such as Pirpi, Derusbi, Winnti, Nettraveler, PlugX, and 9002 RAT create a return point for the attacker.  Look for these in your AV logs too.
  • Log clearing – Event ID 1102 (Security log cleared) and Event ID 104 (another event log cleared).  Legitimate admins rarely clear logs; attackers covering their tracks do.
  • EMET crash logs
  • Applications that crash or hang.
  • Windows Defender errors and detections – Windows Events 1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008.  Event 1006 is a malware detection; the others report scan, remediation, update, or engine failures, which can mean the attacker has disabled or broken your protection.
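The following is an added example, not code from the original post or from the TechRepublic article, showing how the event-log and DNS indicators above turn into detection rules.  It runs offline over constructed sample records; the record layout (dictionaries with id, time, src, user and similar keys) and the list of privileged groups are assumptions made for the example, and in practice you would map exported Get-WinEvent or SIEM records onto that layout.

```python
"""Triage of exported Windows event records and DNS logs for the indicators
listed above.  Added example, not code from the original post.  The record
layout (dicts with id/time/src/user/...) is an assumption made here."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Event IDs named in the post, grouped by what they indicate.
FAILED_LOGON = {4625, *range(529, 540)}   # 529-539 are the pre-Vista equivalents of 4625
EXPLICIT_CREDS = {4648, 552}              # logon attempted with explicit credentials
GROUP_ADDED = {4728, 4732, 4756}          # member added to global / local / universal group
LOG_CLEARED = {1102, 104}                 # Security log cleared / another event log cleared
DEFENDER = {1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008}
# Assumption for the example: groups whose membership changes always deserve a look.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
BURST_WINDOW = timedelta(minutes=10)


def failed_logon_bursts(events, window=BURST_WINDOW, threshold=5):
    """Sources with >= threshold failed logons inside any `window` (guessing / spraying).
    Returns {source: largest burst size}."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] in FAILED_LOGON:
            by_src[e.get("src", "?")].append(e["time"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits


def triage(events):
    """Return (severity, message) findings for the indicators in the post."""
    findings = []
    minutes = int(BURST_WINDOW.total_seconds() // 60)
    for src, n in failed_logon_bursts(events).items():
        findings.append(("high", f"{n} failed logons from {src} in a {minutes} minute window"))
    for e in events:
        eid = e["id"]
        if eid in EXPLICIT_CREDS:
            findings.append(("medium", f"{e['user']} used explicit credentials toward {e.get('target', '?')}"))
        elif eid in GROUP_ADDED and e.get("group") in PRIVILEGED_GROUPS:
            findings.append(("high", f"{e['user']} added {e.get('member')} to {e['group']}"))
        elif eid in LOG_CLEARED:
            findings.append(("high", f"event log cleared by {e.get('user', '?')} (event {eid})"))
        elif eid in DEFENDER:
            sev = "high" if eid == 1006 else "medium"   # 1006 = malware detected, the rest are failures
            findings.append((sev, f"Windows Defender event {eid} on {e.get('host', '?')}"))
    return findings


def beacon_candidates(dns_log, min_queries=6, max_jitter=0.25):
    """Domains queried at a near-constant interval, the classic C2 beacon pattern.
    dns_log: iterable of (time, domain).  Jitter is stdev/mean of the gaps between queries.
    Returns {domain: mean interval in seconds}."""
    by_domain = defaultdict(list)
    for t, domain in dns_log:
        by_domain[domain].append(t)
    out = {}
    for domain, times in by_domain.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            out[domain] = round(mean(gaps))
    return out


# Constructed sample data for the example (not real logs).
T0 = datetime(2017, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # password spray: one source, eight different accounts, 15 s apart
    [{"id": 4625, "time": T0 + timedelta(seconds=15 * i), "src": "10.0.0.77", "user": f"u{i}"} for i in range(8)]
    + [{"id": 4625, "time": T0 + timedelta(hours=3), "src": "10.0.0.5", "user": "bob"}]   # a single typo
    + [{"id": 4648, "time": T0 + timedelta(minutes=30), "user": "alice", "target": "FILESRV01"},
       {"id": 4728, "time": T0 + timedelta(minutes=31), "user": "alice", "member": "svc-backup", "group": "Domain Admins"},
       {"id": 4732, "time": T0 + timedelta(minutes=32), "user": "alice", "member": "alice", "group": "Remote Desktop Users"},
       {"id": 1102, "time": T0 + timedelta(minutes=45), "user": "alice"},
       {"id": 1006, "time": T0 + timedelta(minutes=50), "host": "WS-14"}]
)
SAMPLE_DNS = (
    [(T0 + timedelta(seconds=60 * i + (i % 2)), "update-cdn.example") for i in range(10)]   # 60 s beacon, 1 s jitter
    + [(T0 + timedelta(seconds=s), "mail.example") for s in (5, 40, 900, 910, 3000, 3001, 4000)]  # irregular, human
)

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
    print("beacon candidates:", beacon_candidates(SAMPLE_DNS))
```

The single failed logon from 10.0.0.5 and the addition to Remote Desktop Users are deliberately left unflagged: the point of thresholds and a privileged-group list is to keep the analyst's queue short enough that the Domain Admins change and the cleared Security log are actually read.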

Of course this process works best when automated, so finding the right tool and budgeting for it is going to be critical to early detection and remediation of a network intrusion.  Good luck and good hunting!

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
