
10 Steps to Take After You Detect a Breach

A powerful and effective defense strategy is a multi-layered one that detects threats, ties them to the actors behind them, and protects your company from similar attacks in the future through systematic actions that quickly stop the bleeding. But what good are the tools without a plan for making it stop? Here are ten steps you should take immediately after you find a breach in your network.

1. Identify the actor's IP address and associate it with infected devices.
Determine whether the device was company-issued or BYOD, then look at application behaviors and identifiers to figure out whose it was. Look for lateral movement and unexpected connections to quickly establish which networks the device(s) had accessed.

2. If you can get access to the device
Immediately secure it and take it off the network! Using desktop forensics tools, pull the hard drive image and run full forensics on the device to understand what was communicated.

3. If you can't get access to the device
Look at the traffic flow to the internet at the application level. Abnormal lengths of URL and User-Agent strings, or repeated or multiple requests to DNS entries with a low TTL, are red flags for malware.

4. Look for all traffic flows that were sending data to locations that are synonymous with malware and attacks.
Resolve any IP addresses outside your network to geographies and reconcile them with blacklists to correlate red flags, elevate the most serious concerns, and eliminate false positives.

5. Use statistical visualizations.
Identify systems consistently communicating over a new port.
Identify scans or attempts to take advantage of vulnerabilities.
Identify persistent flows spanning non-working hours.

6. Look for files transferred.
Search across emails, chats, file transfers and Internet file store services. Check what's been downloaded and uploaded. Is it an executable or a DLL? Does it have an unusually large number of spaces in the filename? It could be a malware executable disguised as a harmless file type that takes advantage of character display limitations in certain apps. It could be exfiltration.

7. Identify protocols.
The next step is to look for non-compliant commands issued on a common protocol, such as an HTTP client issuing RUN, or the use of a protocol over a non-standard port, like SMTP over port 80. These may be innocent, but most likely they're red flags for command and control.

8. Isolate suspicious-looking flows.
Identify all flows that are sending and receiving encrypted transmissions. Based on origination or destination and port usage, you can decide whether to deem a session suspicious. For example, if an encrypted session over port 80 has a destination IP of a server residing in China, this should clearly indicate that something is wrong.

9. Pinpoint suspicious IP addresses.
Plot the locations on a map to identify anomalous flows. Don't just look at the statistics per flow; look at them by packet count, byte count or length in time.

10. Cover your bases.
Once you know the behaviors of the infected systems, use those patterns to find other systems that may have been compromised. If and when similar attacks do occur, you'll be prepped and ready to act swiftly in securing your company's network.
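The flow-level red flags named in steps 3, 5, 7 and 8 (long URLs, a port outside the baseline, a protocol on a non-standard port, flows outside working hours, a blacklisted destination), applied to a handful of constructed flow records. This is an added example, not the page's or SS8's own tooling; the record layout, thresholds, baseline ports and the blacklist are assumptions.

```python
from datetime import datetime

# Constructed sample flow records: (timestamp, src, dst, dst_port, protocol, url_or_detail)
FLOWS = [
    ("2024-05-06T10:15:00", "10.0.0.5", "203.0.113.9", 443, "TLS", ""),
    ("2024-05-06T02:40:00", "10.0.0.7", "198.51.100.4", 80, "SMTP", ""),
    ("2024-05-06T11:02:00", "10.0.0.7", "198.51.100.4", 80, "TLS", ""),
    ("2024-05-06T11:05:00", "10.0.0.9", "192.0.2.10", 80, "HTTP", "GET /" + "a" * 300),
    ("2024-05-06T03:10:00", "10.0.0.9", "192.0.2.10", 4444, "TCP", ""),
]

# Assumed baselines: ports each protocol is expected on, ports seen before the
# incident, and a constructed blacklist standing in for a real threat feed.
EXPECTED_PORTS = {"SMTP": {25, 465, 587}, "HTTP": {80, 8080}, "TLS": {443}}
BASELINE_PORTS = {25, 53, 80, 443}
BLACKLIST = {"198.51.100.4"}
WORK_HOURS = range(7, 19)   # 07:00-18:59 local time (assumption)
MAX_URL_LEN = 200           # assumed threshold for an "abnormal" URL length


def flag_flow(ts, src, dst, port, proto, detail):
    """Return the list of red-flag reasons for one flow (empty if none)."""
    reasons = []
    if proto in EXPECTED_PORTS and port not in EXPECTED_PORTS[proto]:
        reasons.append(f"{proto} over non-standard port {port}")   # step 7 / step 8
    if port not in BASELINE_PORTS:
        reasons.append(f"port {port} not in baseline")             # step 5
    if dst in BLACKLIST:
        reasons.append("destination on blacklist")                 # step 4
    if len(detail) > MAX_URL_LEN:
        reasons.append("abnormally long URL")                      # step 3
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        reasons.append("outside working hours")                    # step 5
    return reasons


def triage(flows):
    """Return [(src, dst, port, reasons)] for every flow that raised at least one flag."""
    findings = []
    for ts, src, dst, port, proto, detail in flows:
        reasons = flag_flow(ts, src, dst, port, proto, detail)
        if reasons:
            findings.append((src, dst, port, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, port, reasons in triage(FLOWS):
        print(f"{src} -> {dst}:{port}: " + "; ".join(reasons))
```

Each rule is a coarse heuristic; the value is in stacking them so that flows hitting several at once (here the SMTP-over-80 session to a blacklisted host at 02:40) rise to the top of the analyst's queue.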

Learn more about protecting your company from security breaches at go.ss8.com/top10