Perhaps one of the biggest signs that something is wrong is when the IT department notices unusual traffic patterns leaving the network. A common misperception is that traffic inside the network is secure, says Tom Hauck, senior security strategist for DispersedNet. Look for suspicious traffic leaving the network. It is not just about what comes into your network; it is also about outbound traffic. Given how hard it is to keep an attacker out of a network in the face of modern attacks, outbound indicators may be easier to monitor.
The best approach is to watch for activity within the network and to look for traffic leaving your perimeter. Compromised systems will often call home to command-and-control servers, and this traffic may be visible before any real damage occurs.
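The two outbound indicators described above, traffic to destinations that are not sanctioned and the regular "calling home" rhythm of a compromised host, can be checked directly against flow records. The following is an added example, not code from the original article or from DispersedNet; the internal ranges, the allowlist, and the flow records are all constructed for illustration.

```python
"""Flag suspicious outbound traffic in flow-style logs.

Added example: parses constructed NetFlow-like records, separates internal
from external destinations, and looks for two outbound indicators: traffic
to destinations outside an allowlist, and beacon-like connections that
recur at nearly fixed intervals (the "calling home" pattern).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: "timestamp src_ip dst_ip dst_port bytes_out".
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.1.2.15 93.184.216.34 443 1200
2024-03-01T09:00:05 10.1.2.15 203.0.113.7 8443 310
2024-03-01T09:05:05 10.1.2.15 203.0.113.7 8443 305
2024-03-01T09:10:04 10.1.2.15 203.0.113.7 8443 312
2024-03-01T09:15:06 10.1.2.15 203.0.113.7 8443 301
2024-03-01T09:20:05 10.1.2.15 203.0.113.7 8443 309
2024-03-01T09:02:11 10.1.2.40 93.184.216.34 443 5400
2024-03-01T09:03:00 10.1.2.40 10.1.5.9 445 88000
2024-03-01T09:07:30 10.1.2.40 198.51.100.20 443 2100
"""

# Hypothetical site configuration: internal ranges and sanctioned destinations.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GOOD = {"93.184.216.34"}


def parse_flows(text):
    """Turn one record per line into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(size)))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_to_unknown(flows):
    """Return {(src, dst)} pairs where an internal host talked to an external
    destination that is not on the allowlist."""
    hits = set()
    for _, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst) and dst not in KNOWN_GOOD:
            hits.add((src, dst))
    return hits


def beacon_candidates(flows, min_hits=4, max_cv=0.1):
    """Return [(src, dst, mean_interval_seconds)] for outbound pairs whose
    connection spacing is nearly constant: coefficient of variation
    (stddev / mean of the gaps) below max_cv, with at least min_hits flows."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            found.append((src, dst, round(avg)))
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("outbound to unknown destinations:", sorted(outbound_to_unknown(flows)))
    print("beacon candidates:", beacon_candidates(flows))
```

The allowlist check is deliberately coarse and is meant to surface destinations for review rather than to block them; the beacon check is the more specific of the two, since legitimate software rarely holds a five-minute cadence with almost no jitter across many connections. In production both would run over exported flow data rather than an inline string, and the interval threshold would be tuned against what the site's own update and monitoring agents look like.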
2. Anomalies In Privileged User Account Activity
The name of the game for a well-orchestrated attack is for attackers to either escalate privileges of accounts they have already compromised or to use that compromise to leapfrog into other accounts with higher privileges. Keeping tabs on unusual account behavior from privileged accounts not only watches out for insider attacks, but also account takeover. "Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network," Gould says.
"Watching for changes such as time of activity, systems accessed, type or volume of information accessed will provide early indication of a breach."
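The three dimensions named in the quotation, time of activity, systems accessed, and volume of information accessed, map naturally onto a baseline-and-deviation check. The following is an added example, not the article's or any vendor's code; the account names, hosts, and log records are constructed, and the hour-slack and volume-multiplier thresholds are illustrative choices.

```python
"""Baseline-and-deviation check for privileged account activity.

Added example: builds a simple per-account baseline (hours of day seen,
hosts accessed, largest volume read) from constructed historical records,
then scores new events against it along three axes: time of activity,
systems accessed, and volume of information accessed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical records: "timestamp account host bytes_read".
BASELINE_LOG = """\
2024-02-26T09:12:00 svc_backup fileserver01 120000
2024-02-26T10:40:00 svc_backup fileserver01 98000
2024-02-27T09:05:00 svc_backup fileserver02 110000
2024-02-27T11:30:00 svc_backup fileserver01 105000
2024-02-28T09:45:00 svc_backup fileserver02 99000
2024-02-26T08:30:00 jdoe_admin dc01 4000
2024-02-27T08:50:00 jdoe_admin dc01 3500
2024-02-28T09:10:00 jdoe_admin jumpbox 5000
"""

# Constructed new events to score against that baseline.
NEW_EVENTS = """\
2024-03-01T09:20:00 svc_backup fileserver01 115000
2024-03-01T02:15:00 svc_backup fileserver01 118000
2024-03-01T09:30:00 svc_backup hrdb01 4100000
2024-03-01T08:55:00 jdoe_admin dc01 3800
"""


def parse_events(text):
    """Turn one record per line into (timestamp, account, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, size = line.split()
        events.append((datetime.fromisoformat(ts), account, host, int(size)))
    return events


def build_baseline(events):
    """Per account: set of active hours, set of hosts, and peak bytes read."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(), "peak_bytes": 0})
    for ts, account, host, size in events:
        p = profile[account]
        p["hours"].add(ts.hour)
        p["hosts"].add(host)
        p["peak_bytes"] = max(p["peak_bytes"], size)
    return profile


def score_events(baseline, events, hour_slack=1, volume_factor=3.0):
    """Return [(timestamp_iso, account, reasons)] for events that deviate.

    hour_slack widens the accepted window by that many hours on each side of
    every hour seen in the baseline; volume_factor is the multiple of the
    account's previous peak that counts as excessive. Both are illustrative."""
    findings = []
    for ts, account, host, size in events:
        p = baseline.get(account)
        if p is None:
            # A privileged account with no history at all is itself worth a look.
            findings.append((ts.isoformat(), account, ("unknown-account",)))
            continue
        reasons = []
        if not any(abs(ts.hour - h) <= hour_slack for h in p["hours"]):
            reasons.append("off-hours")
        if host not in p["hosts"]:
            reasons.append("new-host")
        if size > volume_factor * p["peak_bytes"]:
            reasons.append("volume")
        if reasons:
            findings.append((ts.isoformat(), account, tuple(reasons)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for ts, account, reasons in score_events(baseline, parse_events(NEW_EVENTS)):
        print(f"{ts} {account}: {', '.join(reasons)}")
```

On the constructed data the backup account's 02:15 session is flagged as off-hours, and its read of 4.1 MB from a host it has never touched is flagged on both the new-host and volume axes, while the administrator's routine morning logon to the domain controller passes. Events that trip more than one axis at once are the ones to triage first; a single new host or a single late session is often benign, but the combination is exactly the beachhead pattern Gould describes.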
Setting Up Shop and a Compromised System
1) Here is a network of machines. Even though they are not secure, they are functioning properly.
2) Since security measures have not been implemented, an attacker is able to break into one of the machines. The hacker steals your software and information, then infects your machine with viruses.
3) The attacker's work is complete once one machine on the network has been compromised, so the hacker exits. The compromised machine then slowly infects all of the other machines on the network with the malicious software the attacker uploaded.
4) All of the machines have been compromised by the break-in, possibly causing irreversible damage due to the malicious software installed on each machine.