The importance of network monitoring is undervalued. Monitoring a network takes resources: not only tool licensing but also people. Someone has to check the telemetry, investigate alerts and make sound decisions that keep the network secure without disrupting work when an alert turns out to be a false positive.
While monitoring matters for preventing and detecting espionage and data loss, it is just as important for stopping ransomware extortion. Contrary to popular belief, you don’t simply click a button or open an attachment and have your files locked. Opening the attachment is only the entry point. From there the intruders follow a playbook. The first step after gaining entry is to escalate privileges: obtaining administrative rights, typically by exploiting a vulnerability or misconfiguration or by stealing credentials, so that they can go beyond the permissions assigned to the user who opened the attachment.
Once the intruder has administrative privileges, they spend days, weeks or months exfiltrating data, deleting backups and restore points, disabling anti-virus software, and installing tools or modifying settings that give them persistent access for later use.
Only when they have finished those tasks (or suspect they have been discovered) do they deliver the coup de grâce and deploy the encryptor.
During the time leading up to that final event there are opportunities to prevent it. If the infiltrators get past your initial defenses, an active monitoring program can still detect the intrusion and let you mitigate and remediate it before the encryption starts.
With good monitoring in place, the following alerts can be used to catch that activity:
- Escalation of privileges – Alert on the creation of new accounts and on changes to accounts or group memberships that grant administrative rights.
- Data exfiltration – Monitor bandwidth usage per host and, with DLP tools, check for data flowing to unrecognized external destinations.
- Backup alerts – Monitor backup logs to make sure backups are completing, and treat a sudden run of failures as suspicious rather than purely an operational issue.
- Restore points – Check for logs indicating that restore points or volume shadow copies are being deleted (on Windows this shows up as commands such as vssadmin deleting shadows).
- Anti-virus – Check for AV being disabled and for unusual exclusions or allow rules being created.
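The five alerts above can be implemented as a small rule set over normalized log events. The following is an added example written for this page, not code from the original article or from any product it mentions. The Windows Security event IDs it uses (4720 account created; 4728/4732/4756 member added to a group; 4688 process creation, which needs command-line auditing enabled) are real, but the event schema, the sample log records, the 500 MiB egress threshold and the list of "internal" networks are assumptions constructed for the example and would be adapted to your own SIEM and site.

```python
"""Toy detection rules for the ransomware pre-encryption phase (added example).

The event dicts are a constructed, simplified schema; real SIEM field names differ.
"""
import ipaddress
import re
from collections import defaultdict

# Windows Security event IDs (real values).
ACCOUNT_CREATED_EVENT = 4720
ADMIN_GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
PROCESS_CREATED_EVENT = 4688                  # requires command-line auditing

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Command lines seen when restore points / shadow copies are removed.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
# Command lines that disable Microsoft Defender or add exclusions.
AV_TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    re.compile(r"Add-MpPreference.*-Exclusion(Path|Process|Extension)", re.I),
    re.compile(r"sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I),
]

# Assumption: RFC 1918 ranges are "internal"; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: per-host, per-destination egress above this in the window is suspicious.
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Run the five checks over normalized events; return (kind, where, detail) tuples."""
    alerts = []
    egress = defaultdict(int)  # (host, external dst) -> bytes sent
    for ev in events:
        src = ev["source"]
        if src == "winsec":
            eid = ev["EventID"]
            if eid == ACCOUNT_CREATED_EVENT:
                alerts.append(("ACCOUNT_CREATED", ev["Computer"],
                               f"{ev['SubjectUser']} created {ev['TargetUser']}"))
            elif eid in ADMIN_GROUP_ADD_EVENTS and ev["TargetGroup"] in PRIVILEGED_GROUPS:
                alerts.append(("PRIV_ESCALATION", ev["Computer"],
                               f"{ev['MemberName']} added to {ev['TargetGroup']} by {ev['SubjectUser']}"))
            elif eid == PROCESS_CREATED_EVENT:
                cmd = ev.get("CommandLine", "")
                if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                    alerts.append(("RESTORE_POINT_DELETION", ev["Computer"], cmd))
                if any(p.search(cmd) for p in AV_TAMPER_PATTERNS):
                    alerts.append(("AV_TAMPERING", ev["Computer"], cmd))
        elif src == "backup" and ev["status"] != "SUCCESS":
            alerts.append(("BACKUP_FAILURE", ev["job"], ev.get("detail", "")))
        elif src == "flow" and not is_internal(ev["dst"]):
            egress[(ev["host"], ev["dst"])] += ev["bytes_out"]
    # Volume-based check is evaluated after the whole window has been summed.
    for (host, dst), total in egress.items():
        if total > EXFIL_BYTES_THRESHOLD:
            alerts.append(("POSSIBLE_EXFIL", host, f"{total} bytes to {dst}"))
    return alerts


# Constructed sample log records (not real data): one instance of each stage,
# plus benign noise that must not fire.
SAMPLE_EVENTS = [
    {"source": "winsec", "EventID": 4720, "Computer": "WS-042", "SubjectUser": "jdoe", "TargetUser": "svc_backup2"},
    {"source": "winsec", "EventID": 4732, "Computer": "WS-042", "SubjectUser": "jdoe",
     "MemberName": "svc_backup2", "TargetGroup": "Administrators"},
    {"source": "winsec", "EventID": 4732, "Computer": "DC01", "SubjectUser": "it-admin",
     "MemberName": "printers-svc", "TargetGroup": "Print Operators"},   # benign
    {"source": "winsec", "EventID": 4688, "Computer": "FS01", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"source": "winsec", "EventID": 4688, "Computer": "FS01",
     "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"source": "winsec", "EventID": 4688, "Computer": "FS01", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},  # benign
    {"source": "backup", "job": "nightly-fileserver", "status": "FAILED", "detail": "catalog not found"},
    {"source": "backup", "job": "nightly-mail", "status": "SUCCESS"},
    {"source": "flow", "host": "FS01", "dst": "203.0.113.7", "bytes_out": 400 * 1024 * 1024},
    {"source": "flow", "host": "FS01", "dst": "203.0.113.7", "bytes_out": 300 * 1024 * 1024},
    {"source": "flow", "host": "FS01", "dst": "10.0.0.5", "bytes_out": 900 * 1024 * 1024},  # internal, ignored
]

if __name__ == "__main__":
    for kind, where, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:24} {where:8} {detail}")
```

Run over the constructed sample, the rules raise exactly one alert of each kind (account creation, privileged-group add, shadow-copy deletion, Defender tampering, backup failure, and 700 MiB of egress to one external address) while ignoring the Print Operators change, the notepad process and the large internal transfer. The point of the structure is that the per-event checks fire immediately, while the exfiltration check is a sum over a time window and only makes sense once the window closes; in a real deployment the threshold would be set from a baseline of the host's normal egress rather than a fixed constant.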