From the very start, a network intrusion may lead you in many different directions. This can be confusing to narrow down if you’ve never dealt with this kind of issue before within your company. With so many other pertinent tasks to manage, it’s easy to get off track and delay the investigation and mitigation of the security threats – which might cause additional harm in the meantime. Fortunately, there are 7 core objectives to keep in focus when addressing a corporate network issue:
- Collection of evidence.
- Identify the source and target of the intrusion.
- Identify the method of the intrusion.
- Identify the cause of the intrusion.
- Identify the extent of the intrusion.
- Identify what data was accessed.
- Assessment of the network and all its resources.
Understand these goals and objectives, and be able to distinguish between them. For example, many IT technicians might consider the method and cause of the intrusion to be the same, but they are not. The method of a network intrusion might be RDP, but the cause of the intrusion might be the rules on the firewall that created that vulnerability.
It’s also important to remember that these may change according to your investigation, as not every intrusion fits into a cookie-cutter template. In this article, our team of cyber security professionals in New Jersey will cover steps one through three. Stay tuned for part two that will cover steps four through seven.
Step 1: Collection of evidence
There may be many sources and types of potential evidence in an intrusion investigation. Some is evidence you collect, and some is evidence you create as part of the preservation process. For example, you may gather network and computer logs, which is evidence you collect, but you may also forensically image computers and other devices, which is evidence you create. Forensic imaging is essential to preserving the computer and its current state as of that specific date and time. You must do so using industry-accepted standards to make sure the evidence holds up in court. While you never know if the case will go to court, you must always be prepared and proceed as if it will, for the sake of your company. Additional types of evidence that you might collect include firewall logs and configurations, router logs and configurations, security event logs, application event logs, email provider logs, network logs, intrusion detection system logs, bandwidth monitoring logs, and web filtering logs – to name a few.
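One part of "industry-accepted standards" for preserving evidence you create is proving, later, that an image or log export has not changed since it was collected. The following is an added example (not code from the article or from NSGI) of a small evidence manifest: it hashes each collected file with SHA-256, records size, case id and collection time, and re-verifies the files on demand. The file names, case id and manifest layout are assumptions made up for the illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical evidence-manifest helpers (added example, not from the article).
# The manifest records, for each collected file, its size and SHA-256 so that
# anyone handling the evidence later can prove it has not changed.


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collected_by):
    """Return a manifest dict (path, size, hash per item) for the given evidence files."""
    items = []
    for p in paths:
        items.append({
            "path": os.path.abspath(p),
            "size": os.path.getsize(p),
            "sha256": sha256_of_file(p),
        })
    return {
        "case_id": case_id,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def write_manifest(manifest, out_path):
    """Persist the manifest as JSON next to the evidence (keep a copy off the evidence media)."""
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify_manifest(manifest):
    """Re-hash every item; return the list of paths that are missing or whose size/hash changed."""
    changed = []
    for item in manifest["items"]:
        p = item["path"]
        if (not os.path.exists(p)
                or os.path.getsize(p) != item["size"]
                or sha256_of_file(p) != item["sha256"]):
            changed.append(p)
    return changed


def demo():
    """Constructed demonstration: an image-like file, a manifest, then a modification and re-check."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "workstation01.dd")  # constructed placeholder, not a real disk image
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample disk contents" + b"\xff" * 4096)
        manifest = build_manifest([img], case_id="CASE-EXAMPLE-001", collected_by="analyst")
        write_manifest(manifest, os.path.join(d, "manifest.json"))
        clean = verify_manifest(manifest)       # [] because nothing has changed yet
        with open(img, "r+b") as f:             # simulate an accidental write to the image
            f.seek(4096)
            f.write(b"X")
        tampered = verify_manifest(manifest)    # [img] because the hash no longer matches
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the clean and tampered results; in practice you would hash the image immediately after acquisition, store the manifest with the chain-of-custody paperwork, and re-run verification whenever the evidence changes hands.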
Step 2: Identify the source and target of the intrusion
The source of the intrusion is the location from which the hackers launched the attack. The target of the intrusion is the point of the infrastructure where the hacker attacked, or entered the network. These are important to the investigation because they may also help you identify the method, cause, and extent of the intrusion. However, once you identify a source and target of the intrusion, you can’t stop there. You must continue to make sure that this was the only source and only target. In larger, more complex networks, an investigation may reveal many sources, as there may be multiple gateways, or multiple users may have clicked on a malware application. There is no quick way to conduct these investigations, and you must collect all sources of evidence from every device. This includes workstations, laptops, servers, firewalls, routers, and more. If you do not collect this information from every device on the network, you may not get a complete picture of the attack, and that can lead to detrimental consequences.
Step 3: Identify the method of intrusion
We defined the method of intrusion as the technical method that the hacker used to access the network. The hacker might have directed an attack against the firewall, exploited a firewall rule vulnerability, or used a keylogger or other software product that was delivered to an end user via email, who then clicked on the attachment that gave the hacker access to the network. The method may also include a combination of the two. For example, if a hacker exploited a firewall rule vulnerability, such as an exposed RDP rule, they would still need a username and password to access the computer that they connected to. The hacker likely got the username and password from an installed keylogger or another type of malware. There’s also the rare possibility that the company’s website listed employees, and the hacker derived the username from that source and was able to guess the password. Many corporate networks that we have assessed over the years have had no user account expiration dates and no lockout policy after a set number of failed attempts. That’s not good practice, and it weakens the overall security posture of a network.
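Steps 2 and 3 both come down to reading the logs you collected in step 1 and asking two questions: which sources reached which targets, and what pattern the successful logins show. As an added example (not code from the article or from NSGI), the script below parses a constructed RDP gateway log, builds the source-to-target and target-to-source maps that step 2 calls for, and then flags the step 3 pattern the missing lockout policy would have interrupted: a run of failed logins for one account followed by a success from the same source. The log format, host names and addresses (RFC 5737 documentation ranges) are all assumptions made up for this illustration; adapt the regular expression to your own gateway's format.

```python
import re
from collections import defaultdict

# Added example, not from the article. The log lines below are constructed for
# illustration: one line per authentication attempt as an RDP gateway might
# record it. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z rdp-gw AUTH_FAIL src=203.0.113.45 dst=10.0.0.12 user=jsmith
2024-03-01T02:14:09Z rdp-gw AUTH_FAIL src=203.0.113.45 dst=10.0.0.12 user=jsmith
2024-03-01T02:14:11Z rdp-gw AUTH_FAIL src=203.0.113.45 dst=10.0.0.12 user=jsmith
2024-03-01T02:14:13Z rdp-gw AUTH_FAIL src=203.0.113.45 dst=10.0.0.12 user=jsmith
2024-03-01T02:14:15Z rdp-gw AUTH_FAIL src=203.0.113.45 dst=10.0.0.12 user=jsmith
2024-03-01T02:14:18Z rdp-gw AUTH_OK   src=203.0.113.45 dst=10.0.0.12 user=jsmith
2024-03-01T03:02:40Z rdp-gw AUTH_OK   src=198.51.100.7 dst=10.0.0.30 user=mlee
2024-03-01T08:55:01Z rdp-gw AUTH_FAIL src=192.0.2.200 dst=10.0.0.12 user=admin
2024-03-01T08:55:03Z rdp-gw AUTH_OK   src=192.0.2.200 dst=10.0.0.12 user=admin
2024-03-01T09:10:22Z rdp-gw AUTH_OK   src=10.0.0.55    dst=10.0.0.30 user=mlee
"""

# Field layout of the constructed format; lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<result>AUTH_OK|AUTH_FAIL)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+user=(?P<user>\S+)$"
)


def parse_log(text):
    """Return one dict per parseable line, in the order the lines appear (time order)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def sources_and_targets(events):
    """Step 2: for successful logins, map each source to the hosts it reached and each
    target to the sources that reached it, so you can check whether there really was
    only one source and one target."""
    by_source = defaultdict(set)
    by_target = defaultdict(set)
    for e in events:
        if e["result"] == "AUTH_OK":
            by_source[e["src"]].add(e["dst"])
            by_target[e["dst"]].add(e["src"])
    return ({s: sorted(t) for s, t in by_source.items()},
            {t: sorted(s) for t, s in by_target.items()})


def suspected_password_guessing(events, min_failures=5):
    """Step 3: a source that fails min_failures or more times for one account and then
    succeeds is the pattern an account lockout policy would have stopped.
    Returns (src, user, failure_count) tuples in the order the successes occurred."""
    failures = defaultdict(int)
    findings = []
    for e in events:  # events are already in time order
        key = (e["src"], e["user"])
        if e["result"] == "AUTH_FAIL":
            failures[key] += 1
        else:
            if failures[key] >= min_failures:
                findings.append((e["src"], e["user"], failures[key]))
            failures[key] = 0  # a success resets the run of failures
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    by_src, by_dst = sources_and_targets(evts)
    print("sources -> targets:", by_src)
    print("targets -> sources:", by_dst)
    print("suspected guessing:", suspected_password_guessing(evts))
```

On the constructed log this shows two distinct sources reaching the same target (10.0.0.12), which is exactly why the article warns against stopping after the first source you find, and it flags the 203.0.113.45/jsmith run of five failures before a success. The threshold is the same number you would set in a lockout policy; lowering it to 1 would also surface the admin login, which is worth a look but is not on its own evidence of guessing.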
Corporate Network Security Assessments by NSGI in NJ
In part 2 of this blog, we will discuss further actions you can take to defeat a network intrusion. It is in any organization’s best interest to hire an experienced IT team and cyber attorney to navigate an intrusion that can land them in legal hot water. This is crucial especially if your business wants to collect from an insurance policy and/or publicly address legal concerns with employees – past and present.
If your small business in New Jersey needs help investigating a cyber security issue, please give our team a call today or visit our website at: https://nsgi.com
*This article includes excerpts from “Pocket Guide for Investigating Ransomware and Network Intrusions” written by John Lucich, the Founder and CEO of Network Security Group, Inc and eForensix.