How do we know that we’ve been hacked?
The two most valuable questions for security teams dealing with cyber attacks are “How do we know?” and “When can we understand?”
Security Kill Chain
In order to answer both questions, let’s talk about the general structure first. In the cyber security world, there is a scheme called “security kill chain” that explains the process well:

This diagram shows the path an outside attacker takes to enter an organization or a system. During the reconnaissance phase, before the attacker interacts with any computer connected to the company’s network or systems, information about the company is collected, primarily with special software and from other sources on the internet such as Google. After these preparations are complete, the second stage, Exploitation (that is, the intrusion), begins: the attacker slowly starts interacting with the company’s systems, and security vulnerabilities are detected.
To detect a company’s vulnerabilities, the attacker has to run small tests against that company’s internet-facing structures, systems, solutions, software, applications and websites. The initial trials are indistinguishable from an ordinary user’s activity, but later, as the trials get more serious and target specific points, they can be noticed by the installed security scanner software.
The best stage for detecting a cyber attack is Reconnaissance
For a company, the best stage at which to detect a cyber attack is Reconnaissance. For this, the company must have solutions that track requests to its systems very closely. With these solutions, companies can examine the details of alarms or place baits called “honeypots” in the system. These baits are placed in remote corners of the system, and a normal user following normal paths never reaches them. An attacker examining the system, however, sees what looks like a security vulnerability there and acts on it. With that bait, companies can watch the attackers and learn what they are trying to do and how they attack. In this way, the company can both find the answer and prevent the attack while it is still in the research and trial phase, before it has a serious effect, because the infiltration effort is detected at a very early stage.
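The bait idea described above can be checked against ordinary web access logs. The following is an added example, not code from the original article: it flags any source that requests a decoy URL and returns that source's full request history, so the team can see what was being probed. The decoy paths, function names and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical decoy URLs: linked from nowhere, so normal navigation never reaches them.
DECOY_PATHS = {"/backup/db_dump.sql", "/admin-old/login.php", "/.git/config"}

# Common/combined access-log format: ip - user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decoy_report(lines, decoys=DECOY_PATHS):
    """Return {ip: {"decoy_hits": [...], "history": [...]}} for sources that touched a decoy."""
    history = defaultdict(list)
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        path = rec["path"].split("?", 1)[0]  # compare without the query string
        history[rec["ip"]].append((rec["time"], rec["method"], path, int(rec["status"])))
        if path in decoys:
            hits[rec["ip"]].append((rec["time"], path))
    return {ip: {"decoy_hits": hits[ip], "history": history[ip]} for ip in hits}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:09:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.45 - - [10/Mar/2024:09:14:03 +0000] "GET /robots.txt HTTP/1.1" 200 68',
    '203.0.113.45 - - [10/Mar/2024:09:14:04 +0000] "GET /.git/config HTTP/1.1" 404 153',
    '198.51.100.7 - - [10/Mar/2024:09:14:09 +0000] "GET /products?id=3 HTTP/1.1" 200 2048',
    '203.0.113.45 - - [10/Mar/2024:09:14:10 +0000] "GET /backup/db_dump.sql?x=1 HTTP/1.1" 404 153',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, info in decoy_report(SAMPLE_LOG).items():
        print(ip, "touched", len(info["decoy_hits"]), "decoy(s)")
        for entry in info["history"]:
            print("   ", entry)
```

Because legitimate navigation never leads to a decoy, a single hit is already a high-confidence alarm, and the returned history shows what else the same source requested.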
Even though the computer that attackers first reach often does not contain the data they want to access, simply becoming an inside user is a very important start. Once they have managed to infiltrate, they spread within the system by accessing other computers and servers from an ordinary computer in the company, a movement we call “lateral movement”. Each phase of the attack actually contains a loop, as seen in the kill chain scheme. There are different ways to be aware of each step of this chain. As security teams, our goal should be to become aware of an attack at the earliest possible stage, because the earlier it is caught, the smaller the loss. According to an IBM study conducted with the Ponemon Institute, by the time attackers are detected, they may have spent an average of 6 months in the system.