How to Detect a Hacker Attack

This title immediately caught my attention and probably yours as well: How to detect a hacker attack – something I definitely want to know. And then I realized that the article a) is written by a techie and b) does not really cover the attacks I am most worried about. But I will address this toward the end and would appreciate your ideas as well.

If you look at the article, it gives 4 tips:

  1. Suspiciously high outgoing traffic for dial-up and ADSL
  2. Look out for strange looking files in the root directories of your drives and/or too much disk activity.
  3. If your personal firewall is reporting blocking large packets of data from the same IP address
  4. A lot of hackers still rely on trojans and backdoors. So, if your anti-virus software starts finding a lot of those, try increasing protection, use an Internet security suite instead of a basic anti-virus

That’s just an excerpt. If I look at my mom and dad – they never look at 1 (I do not do it either), 2 (I would only notice it if I cleaned up my machine), 3 (it might be in the event log, but who is looking at the event log?). 4 is definitely a good thing, as we have said for ages (actually since Blaster) that there are three things you should do to protect your PC:

  1. Switch on your firewall
  2. Keep your software updated
  3. Install an anti-malware solution and keep it updated (see Microsoft Security Essentials)

If we take it to a company level, the 4 tips above might look slightly different: 1 is network monitoring (if you actually look at the anomalies), 2 is rarely done, 3 is rarely done and 4 again I hope is done.

But what really worries me are not the attacks we find with the 4 tips above. Those are not the ones which keep me up at night, as they are noisy.

What about the stealth, targeted attacks – the real attacks? They do not create a lot of traffic (as the data is slipped out slowly), they hide the files “behind” other files, they use the universal firewall tunneling protocol (called HTTP) to transfer data, and the malware they are using is written for this single purpose: To attack just you!
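Slow, regular, small HTTP requests to one host are exactly what that kind of exfiltration looks like in a web proxy log, and it is noisy only in its regularity, not its volume. The following is an added example, not code from the original post: a beaconing heuristic run over constructed sample log lines, with an assumed log format and assumed thresholds.

```python
# Added example (not from the post): flag low-and-slow HTTP exfiltration in
# proxy logs by spotting many small, evenly spaced requests to one host.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (format assumed): time client method host bytes_out
SAMPLE_LOG = """\
2024-01-08T09:00:00 10.1.1.5 POST updates.example-cdn.test 1450
2024-01-08T09:05:01 10.1.1.5 POST updates.example-cdn.test 1462
2024-01-08T09:10:00 10.1.1.5 POST updates.example-cdn.test 1455
2024-01-08T09:15:02 10.1.1.5 POST updates.example-cdn.test 1449
2024-01-08T09:20:00 10.1.1.5 POST updates.example-cdn.test 1460
2024-01-08T09:25:01 10.1.1.5 POST updates.example-cdn.test 1458
2024-01-08T09:01:13 10.1.1.9 GET news.example.test 512
2024-01-08T09:03:40 10.1.1.9 GET news.example.test 498
2024-01-08T09:22:05 10.1.1.9 GET news.example.test 530
2024-01-08T09:47:02 10.1.1.9 POST mail.example.test 20480
2024-01-08T09:58:31 10.1.1.9 GET news.example.test 507
2024-01-08T10:12:55 10.1.1.9 GET news.example.test 521
"""

def parse(log_text):
    """Return (datetime, client, host, bytes_out) tuples, one per log line."""
    rows = []
    for line in log_text.splitlines():
        ts, client, _method, host, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, int(nbytes)))
    return rows

def find_beacons(rows, min_requests=5, max_jitter=0.1, max_bytes=4096):
    """Return (client, host) pairs whose requests are small, frequent and evenly
    spaced; jitter is the coefficient of variation of the gaps between them."""
    by_pair = defaultdict(list)
    for ts, client, host, nbytes in rows:
        by_pair[(client, host)].append((ts, nbytes))
    findings = []
    for (client, host), events in by_pair.items():
        if len(events) < min_requests:
            continue  # too few requests to judge regularity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if jitter <= max_jitter and max(n for _, n in events) <= max_bytes:
            findings.append({"client": client, "host": host, "requests": len(events),
                             "mean_gap_s": round(mean_gap), "jitter": round(jitter, 3),
                             "total_bytes": sum(n for _, n in events)})
    return findings
```

On the sample data only 10.1.1.5 is flagged: its six POSTs are about 1.4 KB each and 300 seconds apart almost to the second, while the browsing client's requests to the news site are just as small but irregularly spaced.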

How do we defend against those attacks? How do we even find them? They will sneak in through social engineering, and I have to admit that I am not clear on what we can do against them – really. A few things come to my mind:

  1. Risk Management – start with understanding your risk exposure not only from a technical side but who could be interested for what in your environment. How likely are you to be targeted by e.g. industrial espionage?
  2. Patch Management – this is for sure. However, the targeted attacks often do not leverage technical vulnerabilities but the user. Still, staying on the latest versions of all your software is key to defend. This does not only mean security updates but “real” versions as well. If you are still on Windows XP, your risk exposure is significantly higher than on Windows 7.
  3. Information Protection – classical encryption does not help here, as the malware might impersonate you and then simply copy/paste the data or transfer the data in plain text. I think that Rights Management Services could at least lower the risk of data loss.

What else? What do you do? I would be really interested in hearing your ideas and approaches.

Roger