Answered by Nick Klein, Executive Director, Digital Forensics and Incident Response
Initially the objective of an investigation into a compromised network is to try to get visibility on what is going on inside the network. The more monitoring there is, the more visibility you have and the better you can detect “bad stuff”, which equips you better to respond to it.
The first of the three top locations to monitor would be any ingress points into your network, typically things like remote VPN connections or email. The mass migration to cloud-based email platforms like Gmail or Office 365 needs proper security and monitoring. If you’re not using the monitoring on your cloud-based email platform and not using multi-factor authentication, you are taking a major risk, because so many attacks come from this area.
For VPNs, in particular for SMEs who allow their staff, service providers and remote IT providers to VPN into their network, security is paramount, because often an attacker can VPN in with a privileged level of access, which can cause a real problem.
The second point would be to monitor the email platform itself. You need to be scanning your email for malicious attachments, for bad links and any other possible threats, given that email is a key attack vector.
The third location to monitor is endpoints, like the workstations of your users and your servers, because most attacks will compromise an endpoint. For example, a user may click a link in a phishing email, which will start some malware activity, compromising their computer. From there the attacker can spread their wings. Having visibility on the security activity on those endpoints is crucial. The best way to monitor these is an endpoint detection and response (EDR) platform. There are many available, and they will give you excellent visibility to detect those kinds of attacks sooner.
If you don’t have an EDR platform, the next best thing is anti-virus. People like to downgrade the effectiveness of anti-virus, but it is still highly effective at finding attacks. Whilst it will not find all of the zero-days and the modified malware, monitoring the alerts from a good anti-virus system across your network will allow you to see the majority.
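Added example, not part of the answer above and not the author's code: a small triage script that applies the three monitoring points he describes (VPN ingress, the email platform, endpoint anti-virus alerts) to constructed log lines and then correlates them, so that a flagged phishing email followed by an anti-virus alert on the recipient's workstation surfaces as one chain rather than three unrelated events. The log formats, host names, user names, business-hours window, expected countries, risky attachment extensions and URL-shortener list are all assumptions made for the example; substitute your own platform's export format and thresholds.

```python
"""Triage constructed VPN, email gateway and anti-virus log lines and correlate
them. Every log line, host name, user name and threshold here is constructed for
the example; the key=value line format is an assumption, not any vendor's format."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

BUSINESS_HOURS = range(8, 18)        # assumed: 08:00-17:59 UTC is normal admin activity
EXPECTED_COUNTRIES = {"AU"}          # assumed: where staff and providers normally connect from
PRIVILEGED_GROUPS = {"admins"}       # assumed: VPN groups that land with privileged access
RISKY_EXTENSIONS = {".docm", ".xlsm", ".js", ".vbs", ".exe", ".scr", ".iso", ".lnk"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumed: links that hide their destination
CORRELATION_WINDOW = timedelta(hours=4)              # assumed: mail-to-AV-alert window

# Constructed sample logs (assumed formats).
VPN_LOG = """\
2024-03-04T02:13:07Z vpn user=svc-backup src=203.0.113.9 country=RO group=admins result=success
2024-03-04T09:05:41Z vpn user=alice src=198.51.100.4 country=AU group=staff result=success
2024-03-04T09:06:12Z vpn user=bob src=198.51.100.7 country=AU group=staff result=failure
2024-03-04T23:48:30Z vpn user=msp-admin src=192.0.2.77 country=US group=admins result=success
"""
MAIL_LOG = """\
2024-03-04T08:31:00Z mail from=invoices@example.net to=alice@corp.example attach=statement.pdf urls=https://example.net/s
2024-03-04T08:40:15Z mail from=hr@corp-examp1e.com to=bob@corp.example attach=payroll.docm urls=https://bit.ly/3xyz
2024-03-04T08:41:02Z mail from=ceo@corp.example to=carol@corp.example attach= urls=
"""
AV_LOG = """\
2024-03-04T08:52:10Z av host=WS-BOB user=bob threat=Trojan:Script/Phonzy action=quarantined
2024-03-04T12:00:00Z av host=WS-DAVE user=dave threat=PUA:Adware/Generic action=blocked
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<body>.*)$")


def parse_line(line):
    """Parse '<timestamp> <source> k=v k=v ...' into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("body").split():
        key, _, value = token.partition("=")   # value may be empty, e.g. 'attach='
        fields[key] = value
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "source": m.group("source"), **fields}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def vpn_findings(entries):
    """Successful VPN logins that are privileged-off-hours or from an unexpected country."""
    findings = []
    for e in entries:
        if e.get("result") != "success":
            continue
        reasons = []
        if e.get("group") in PRIVILEGED_GROUPS and e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("privileged login outside business hours")
        if e.get("country") not in EXPECTED_COUNTRIES:
            reasons.append(f"login from unexpected country {e.get('country')}")
        if reasons:
            findings.append((e["user"], "; ".join(reasons)))
    return findings


def mail_findings(entries):
    """Emails carrying a risky attachment type or a link through a URL shortener."""
    findings = []
    for e in entries:
        reasons = []
        attach = e.get("attach", "")
        ext = "." + attach.rsplit(".", 1)[-1].lower() if "." in attach else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {attach}")
        for url in filter(None, e.get("urls", "").split(",")):
            if (urlparse(url).hostname or "") in URL_SHORTENERS:
                reasons.append(f"shortened link {url}")
        if reasons:
            findings.append({"ts": e["ts"], "to": e["to"], "from": e["from"], "reasons": reasons})
    return findings


def correlate(mail_alerts, av_alerts):
    """Pair each AV alert with a flagged email delivered to the same user shortly before it."""
    chains = []
    for av in av_alerts:
        for mail in mail_alerts:
            if mail["to"].split("@")[0] == av.get("user") and \
                    timedelta(0) <= av["ts"] - mail["ts"] <= CORRELATION_WINDOW:
                chains.append((av["host"], mail["from"], av["threat"]))
    return chains


def triage(vpn_text=VPN_LOG, mail_text=MAIL_LOG, av_text=AV_LOG):
    """Run all three monitoring points and the correlation over the given log text."""
    mail = mail_findings(parse_log(mail_text))
    av = parse_log(av_text)            # every AV line is already an alert worth reviewing
    return {"vpn": vpn_findings(parse_log(vpn_text)), "mail": mail, "av": av,
            "chains": correlate(mail, av)}


if __name__ == "__main__":
    for section, items in triage().items():
        print(section, "->", items)
```

The correlation is the part worth copying: an anti-virus quarantine on its own is routine, but the same user receiving a macro-enabled attachment from a look-alike domain twelve minutes earlier is the phishing-to-malware sequence the answer describes, and the privileged off-hours VPN logins are the ingress events to check next.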