Hackers send phishing emails all over the internet in hopes of a bite. It can arrive as an email about your shipment delivery or from your “IT Department” requesting a password change.
Sometimes hackers want something specific that only YOU have access to, so you’ll be targeted with a convincing, tailored email that uses legitimate company headers, email signatures, and so on.
The attacker installs a beacon to get back into a compromised computer even if it's temporarily disconnected from the internet. The beacon will then continue to “call out” to the internet and check for commands (from the attacker) to run on the victim machine.
CI Security Analysts monitor for persistence payloads communicating to the internet and command & control (C2) servers. Analysts watch for indicators of active beacons, including quiet beacons configured in "long haul" mode. Rapid remediation includes shutting down connected computer(s) or device(s).
Attackers use the original victim to send further phishing emails—this time within the organization’s own email server.
Critical Insight Security Analysts monitor for failed logins and for logins on unencrypted pages or insecure websites. They then correlate events to identify compromised machines for immediate quarantine.
Attackers pivot through the network seeking out credentials of high-integrity or higher-privileged accounts. Trust relationships throughout the network are targeted and exploited.
CI Security Analysts monitor, detect, and respond to common indicators of privilege escalation, including breadth-first password sprays, failed password attempts, network session enumeration, and SMB poisoning.
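The two credential-attack patterns named above look different in an authentication log: a breadth-first password spray is one source trying one or two guesses against many accounts, while a brute-force attempt is one source hammering a single account. The following added example (not Critical Insight's tooling, and run over constructed sample events, not a real log) separates the two and also reports any success that follows a spray, which is the account an analyst would quarantine first. Log format, thresholds and host names are assumptions.

```python
"""Spot breadth-first password sprays and single-account brute force in
authentication logs. Added example over constructed data (assumed format:
'<ISO timestamp> <src_ip> <user> <FAIL|SUCCESS>')."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_auth_log():
    """Constructed sample events; none of these hosts or users are real."""
    base = datetime(2024, 3, 5, 9, 0, 0)
    lines = []
    # Spray: one source, one guess per account across many accounts, one lands.
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, u in enumerate(users):
        t = base + timedelta(seconds=30 * i)
        result = "SUCCESS" if u == "grace" else "FAIL"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.20.30.5 {u} {result}")
    # Brute force: one source hammering one service account.
    for i in range(10):
        t = base + timedelta(minutes=20, seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.20.30.9 svc-backup FAIL")
    # Benign: a user mistypes twice, then logs in normally.
    for i, r in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        t = base + timedelta(minutes=40, seconds=20 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.20.30.22 bob {r}")
    return lines


def parse_auth(lines):
    """Parse the assumed log format into (timestamp, src, user, result) tuples."""
    out = []
    for line in lines:
        ts, src, user, result = line.split()
        out.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(out)


def analyse_auth_log(lines, window_minutes=10, spray_min_users=5, brute_min_failures=8):
    """Return {'sprays': {src: details}, 'brute_force': {(src, user): failures}}.

    A spray is a source that fails against >= spray_min_users distinct accounts
    inside one sliding window; brute force is >= brute_min_failures failures
    against a single account from one source inside the window.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, src, user, result in parse_auth(lines):
        by_src[src].append((ts, user, result))

    sprays, brute = {}, {}
    for src, evts in by_src.items():
        for i, (t0, _, r0) in enumerate(evts):
            if r0 != "FAIL":
                continue  # windows start at a failure
            in_win = [e for e in evts[i:] if e[0] - t0 <= window]
            fails = Counter(u for _, u, r in in_win if r == "FAIL")
            if len(fails) >= spray_min_users and src not in sprays:
                sprays[src] = {
                    "accounts_tried": len(fails),
                    "max_failures_per_account": max(fails.values()),
                    # Any success from the spraying source is a likely compromised account.
                    "successes_in_window": sorted({u for _, u, r in in_win if r == "SUCCESS"}),
                }
            for user, n in fails.items():
                if n >= brute_min_failures:
                    brute[(src, user)] = max(brute.get((src, user), 0), n)
    return {"sprays": sprays, "brute_force": brute}


if __name__ == "__main__":
    for kind, hits in analyse_auth_log(build_sample_auth_log()).items():
        print(kind, hits)
```

The spray threshold counts distinct accounts, not total failures, which is what distinguishes it from a user mistyping a password a few times; in production the window and thresholds should be tuned against the lockout policy, and successes from a flagged source should be correlated with the follow-on activity described in the next stages.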
Attackers exploit the user’s credentials to gather useful information to further compromise other systems.
CI Security Analysts detect signals and correlate events that indicate lateral movement across the network, persistence, and continued privilege escalation activities.
Hackers can perform beaconing stretched over long periods. Since the activity occurs so infrequently, it becomes harder to detect. This allows hackers to harvest data over weeks, months, and sometimes years.
Critical Insight Analysts watch for indicators of active beacons, including quiet beacons configured in "long haul" mode. When unusual network activity is detected, CI Analysts use event correlation techniques to conduct further investigation.
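Both the persistence stage above and this "long haul" stage come down to the same observable: a host making outbound connections to the same destination at a regular interval, whether that interval is a minute or six hours. The following added example (not Critical Insight's code; constructed sample connection records, assumed log format, hosts and thresholds) scores each host-to-destination pair by how regular its connection gaps are and labels slow, regular pairs as long-haul candidates.

```python
"""Find periodic outbound connections (beacons), including slow "long haul"
ones, from connection records. Added example over constructed data (assumed
format: '<ISO timestamp> <src_host> <dst_ip:port>')."""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def build_sample_log(seed=7):
    """Constructed sample records; the hosts and addresses are not real."""
    rng = random.Random(seed)
    start = datetime(2024, 1, 1)
    lines = []
    # 1) Long-haul beacon: every 6 hours, +/- 10 minutes of jitter, for 5 days.
    t = start
    for _ in range(20):
        t += timedelta(seconds=21600 + rng.randint(-600, 600))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} ws-017 198.51.100.23:443")
    # 2) Fast beacon: every 60 seconds, +/- 5 seconds.
    t = start
    for _ in range(20):
        t += timedelta(seconds=60 + rng.randint(-5, 5))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} ws-042 203.0.113.77:8443")
    # 3) Ordinary browsing: irregular gaps to one site.
    t = start
    for _ in range(30):
        t += timedelta(seconds=rng.randint(60, 7200))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} ws-003 192.0.2.10:443")
    rng.shuffle(lines)  # real logs are not grouped by pair either
    return lines


def parse_connections(lines):
    """Group connection timestamps by (src_host, dst)."""
    conns = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(lines, min_connections=6, max_jitter_ratio=0.2, long_haul_seconds=3600):
    """Return {(src, dst): stats} for pairs whose inter-connection gaps are regular.

    jitter_ratio = stddev(gaps) / mean(gaps); a small value means the host
    calls out on a schedule. Pairs with a median gap >= long_haul_seconds are
    marked long_haul.
    """
    findings = {}
    for key, stamps in parse_connections(lines).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter_ratio:
            continue  # irregular: looks like interactive use, not a schedule
        findings[key] = {
            "connections": len(stamps),
            "median_interval_s": median(gaps),
            "jitter_ratio": round(jitter, 3),
            "long_haul": median(gaps) >= long_haul_seconds,
        }
    return findings


if __name__ == "__main__":
    for pair, stats in find_beacons(build_sample_log()).items():
        print(pair, stats)
```

Two caveats for real use: the minimum connection count is what makes the long-haul case slow to confirm (a six-hour beacon needs days of retained logs before it reaches six samples), and legitimate software such as update checkers and time sync is also periodic, so regular pairs to known-good destinations need an allowlist rather than an alert.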
Destruction or Denial of Service
In the case of a total compromise, hackers can alter and/or destroy access. The most effective attacks begin weeks or months before the overt, destructive activity.
CI Security Analysts monitor for brute force attacks and help the client respond quickly with detailed reporting of the attack and steps to remediate.