Q. “New attacks have new patterns that may long resemble normal user behavior and go unnoticed. If the time interval between the occurrence of such an attack and the time the analyst detects it is large, it will inflict adverse blows on the organization. My constant concern is the prolongation of this time interval. How should I tackle this?”
Hans: Key signs your company should look for when you think you have been attacked with a zero-day exploit:
Unexpected traffic on a valid/legit port.
Unexpected potentially legitimate traffic or substantial scanning activity originating from a server/client.
Similar behavior from the compromised client or server even after the latest patches have been applied.
Nowel: It is important to stay up to date with new patterns and keep learning, especially about how threats are adapting to cloud services. This usually also means learning new tools and approaches. Break a threat down into detectable components and automate parts of the detection process wherever possible.
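The three signs Hans lists and the "break a threat into detectable components and automate them" approach Nowel recommends can be turned into a small, automatable triage pass over connection logs. The following is an added example written for this page, not code from the newsletter or any of the respondents. It runs over a constructed sample of outbound connection records (timestamp, source, destination, destination port, bytes); the baseline cut-off, the patch time for one host, and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: automating the zero-day indicators discussed above.

Components (one function each, so they can be tuned and tested separately):
  1. unexpected traffic on a port the host legitimately uses
  2. scanning activity originating from a client or server
  3. the same indicator recurring from a host after it was patched
Sample data, baseline window, patch time and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records: "<iso-timestamp> <src> <dst> <dport> <bytes>".
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 93.184.216.34 443 5120
2024-03-01T09:01:00 10.0.0.5 93.184.216.34 443 4200
2024-03-01T09:02:00 10.0.0.7 10.0.0.20 445 800
2024-03-01T09:05:00 10.0.0.5 203.0.113.9 443 1900000
2024-03-01T09:06:00 10.0.0.7 10.0.0.21 22 60
2024-03-01T09:06:01 10.0.0.7 10.0.0.22 22 60
2024-03-01T09:06:02 10.0.0.7 10.0.0.23 22 60
2024-03-01T09:06:03 10.0.0.7 10.0.0.24 3389 60
2024-03-01T09:06:04 10.0.0.7 10.0.0.25 3389 60
2024-03-01T09:06:05 10.0.0.7 10.0.0.26 445 60
2024-03-02T09:00:00 10.0.0.5 93.184.216.34 443 4100
2024-03-02T10:00:00 10.0.0.5 203.0.113.9 443 2100000
"""

# Assumed: records before this time are treated as known-good and form the baseline.
BASELINE_END = datetime(2024, 3, 1, 9, 3, 0)
# Assumed: when each host had the latest patches applied (hypothetical value).
PATCHED_AT = {"10.0.0.5": datetime(2024, 3, 1, 18, 0, 0)}


def parse_log(text):
    """Parse the space-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return records


def learn_baseline(records, until):
    """Per-source set of (dst, dport) pairs seen before `until`: what 'normal' looks like."""
    known = defaultdict(set)
    for r in records:
        if r["ts"] < until:
            known[r["src"]].add((r["dst"], r["dport"]))
    return known


def unexpected_on_legit_port(records, known, min_bytes=1_000_000):
    """Sign 1: a port the host already uses legitimately, but to a destination never
    seen in the baseline and with a volume far above its normal flows."""
    hits = []
    for r in records:
        seen = known.get(r["src"], set())
        legit_ports = {port for _, port in seen}
        if (r["dport"] in legit_ports and (r["dst"], r["dport"]) not in seen
                and r["bytes"] >= min_bytes):
            hits.append((r["src"], r["ts"], r["dst"], r["dport"], r["bytes"]))
    return hits


def scanning_activity(records, window=timedelta(seconds=60), min_targets=5, max_bytes=100):
    """Sign 2: one source touching many distinct (dst, port) targets with tiny flows
    inside a short sliding window. Reports the first window per source that qualifies."""
    by_src = defaultdict(list)
    for r in records:
        if r["bytes"] <= max_bytes:
            by_src[r["src"]].append(r)
    hits = []
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rs)):
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            targets = {(r["dst"], r["dport"]) for r in rs[start:end + 1]}
            if len(targets) >= min_targets:
                hits.append((src, rs[start]["ts"], len(targets)))
                break
    return hits


def persists_after_patch(hits, patched_at):
    """Sign 3: the same indicator fired for a host both before and after its patch time,
    so patching did not remove the cause."""
    before, after = set(), set()
    for src, ts, *_ in hits:
        when = patched_at.get(src)
        if when is not None:
            (before if ts < when else after).add(src)
    return sorted(before & after)


def triage(log_text, baseline_end=BASELINE_END, patched_at=PATCHED_AT):
    """Run all three components and return one report an analyst can act on."""
    records = parse_log(log_text)
    known = learn_baseline(records, baseline_end)
    unexpected = unexpected_on_legit_port(records, known)
    return {"unexpected_on_legit_port": unexpected,
            "scanning": scanning_activity(records),
            "persists_after_patch": persists_after_patch(unexpected, patched_at)}


if __name__ == "__main__":
    for name, rows in triage(SAMPLE_LOG).items():
        print(name, rows)
```

In the constructed data, 10.0.0.5 normally talks to one host on 443 but then pushes about 2 MB to a never-seen address on the same port, and does so again after its patch time, so it is reported under both the first and the third sign; 10.0.0.7 touches six internal targets on 22, 3389 and 445 within a few seconds and is reported as scanning. Each component is deliberately separate so thresholds (baseline window, byte volume, scan width) can be tuned per environment without touching the others.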
Peter: I think that new attacks target large organizations and big fish; they have way more power to detect and counter them. Learn from the big ones.
Joe: The only solution for this is vigilance. Someone must be monitoring logins and security logs, either manually or with the assistance of some automation tool. My experience is all with small networks (fewer than 50 users) in small businesses. If the business does not have the personnel, it must be outsourced, but it cannot be ignored.
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes. Join the newsletter here.