4 Signs Your Network Has Been Breached

According to some IT security experts, there are two kinds of organization - those that know they've been breached, and those that don't. Even with all the investment businesses are making into their network defenses, 100 percent immunity from hackers is never going to be a realistic proposition.

The problem is; many companies may have no idea their networks have already been compromised. In fact, one study from Ponemon suggests the average time it took organizations to detect a breach last year was 206 days. This can be very costly, as according to the research, firms that take under 100 days to spot a breach end up losing $5.99 million, but for breaches that took longer to identify, the average cost rose to $8.70 million.

That's why when you're looking at the security aspects of your network management, you can't just focus on the perimeter. Those that do may find that if someone does manage to sneak past the front door, they'll have free rein to go wherever they want within your business. Therefore, you need to be closely monitoring what is going on within your network and searching for any telltale signs that you have an intruder.

With so much data now travelling across business' networks, spotting anything unusual can be a tricky task, but there are a few key indicators of compromise you need to be looking for.

1. Slower than expected connectivity

Connections that aren't giving you the speed or bandwidth you need can be one key sign that someone else is moving data around in your network. Similarly, systems that aren't delivering the expected level of performance may also be an indicator of unauthorized activity.

This is because when hackers enter a network, they often set up a large number of processes and background activities. They could be just monitoring your systems and sending back reports, or actively using your systems for operations such as sending out spam or initiating DDoS attacks. If you experience unexplained drop-offs in speed, it could be because your resources are being used by hackers.

2. Strange connections or traffic patterns

A key way to establish if you have an intruder is to look at your data traffic patterns for any unusual activity.

For example, one of the most common telltale signs may be a larger than expected amount of outbound traffic from your network. As well as actively copying key data, compromised systems often 'phone home' to their command servers on a regular basis, so being able to spot outbound traffic that can't be accounted for through regular business activity can enable you to find and close a breach before any real damage is done.

Other potentially suspicious signs may include repeated attempts to access the same files, servers, or permissions within applications. This can be an indication of a brute force-type attack, where hackers within your network use trial and error to attempt to gain access to key systems using various account details.

3. Unusual user activity

One key part of any effective security monitoring solution is keeping full audit logs of which users are attempting to access which files at what times, and from where. Reviewing these records - ideally in real-time - can be one of the best ways of spotting anything that isn't right.

For example, do the records show your CIO trying to log into key databases at three o'clock in the morning? Or maybe the IP logs say that your co-worker is accessing their account from another country, when you know they're in the next room.

It is not just where and when accounts are being used you need to be aware of. Look also at what they're doing. Are they in parts of the business that aren't relevant to their role? Or are they making an excessive number of changes to a system? Spikes in file-read requests, application record access, or database read volumes all signal that someone is trying to gather valuable data.

4. Applications misbehaving

Applications that don't do what you're expecting is another potential sign of a breach. While there may be many reasons for this activity, such as misconfigured settings or user error, it could also be a sign it's been compromised. Suspicious activity to watch out for includes programs loading on startup even if they have not been set to do so, difficulty shutting down or restarting a device, excessive pop-up dialogue boxes, or any other activity that does not obviously result from an operator command. 

Also watch out for signs such as a webcam light flashing on for a brief time, even when you're not using a video application, as this can often be an indication of unauthorized access to a device.

Hunting for these types of anomalies by hand can be an impossible task, which is why having strong intrusion detection systems in place to monitor networks and improve visibility into what's going on are essential. Without such tools, the first you know about a breach may be when affected customers or employees call to complain.