Perhaps one of the biggest signs that something is wrong is when the IT department notices unusual traffic patterns leaving the network. A common misperception is that traffic inside the network is secure, says Tom Hauck, senior security strategist for DistributedNetworks. Look for suspicious traffic leaving the network: it is not just about what comes into your network, it is also about outbound traffic. Given how hard it is to keep an attacker out of a network in the face of modern attacks, outbound indicators may be easier to monitor.
The best approach is to watch for activity within the network and to look for traffic leaving your perimeter. Compromised systems will often call home to command-and-control servers, and this traffic may be visible before any real damage occurs.
2. Anomalies In Privileged User Account Activity
The name of the game for a well-orchestrated attack is for attackers either to escalate the privileges of accounts they have already compromised or to use that compromise to leapfrog into other accounts with higher privileges. Keeping tabs on unusual behavior from privileged accounts watches out not only for insider attacks but also for account takeover.
"Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network," Gould says.
"Watching for changes such as time of activity, systems accessed, type or volume of information accessed will provide early indication of a breach."
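As an added example (not code from the article or from anyone quoted in it), the three dimensions Gould lists, time of activity, systems accessed and volume of information accessed, turned into a simple baseline-and-compare check over constructed privileged-account audit records; the user names, hosts, timestamps and byte counts are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed baseline of a privileged account's normal activity (hypothetical
# records, not taken from the article): user, ISO timestamp, system, bytes read.
BASELINE = [
    ("dba_admin", "2024-03-01T09:12:00", "db-prod-01", 120_000_000),
    ("dba_admin", "2024-03-01T14:40:00", "db-prod-01", 95_000_000),
    ("dba_admin", "2024-03-02T10:05:00", "db-prod-02", 110_000_000),
    ("dba_admin", "2024-03-03T11:30:00", "db-prod-01", 130_000_000),
    ("dba_admin", "2024-03-04T15:20:00", "db-prod-02", 100_000_000),
]

# Constructed events from a later day, to be scored against the baseline.
NEW_EVENTS = [
    ("dba_admin", "2024-03-05T10:15:00", "db-prod-01", 105_000_000),   # normal
    ("dba_admin", "2024-03-06T03:05:00", "hr-fileshare", 2_000_000_000),  # odd hour, new host, big read
    ("dba_admin", "2024-03-06T09:30:00", "db-prod-02", 400_000_000),   # usual host, unusual volume
]

def build_profiles(events):
    """Summarise each privileged user's usual hours, systems and mean read volume.
    A production baseline would use a longer window; the hour set here is crude on purpose."""
    hours, systems, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for user, ts, system, nbytes in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
        systems[user].add(system)
        volumes[user].append(nbytes)
    return {u: {"hours": hours[u], "systems": systems[u], "mean_bytes": mean(volumes[u])}
            for u in hours}

def score_event(profiles, event, volume_factor=3.0):
    """Return the anomaly dimensions an event trips: 'time', 'system' and/or 'volume'.
    An empty list means the event fits the account's baseline."""
    user, ts, system, nbytes = event
    prof = profiles.get(user)
    if prof is None:
        return ["unknown_user"]  # a privileged account with no history is itself worth a look
    reasons = []
    if datetime.fromisoformat(ts).hour not in prof["hours"]:
        reasons.append("time")
    if system not in prof["systems"]:
        reasons.append("system")
    if nbytes > volume_factor * prof["mean_bytes"]:
        reasons.append("volume")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for ev in NEW_EVENTS:
        print(ev[1], ev[2], score_event(profiles, ev) or "ok")
```

Each flagged dimension is a reason to pull the session for review; an event tripping all three at once is the kind of change the quote above describes.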