There are security-system rule configurations that can indicate these threats; if any one of them fires, there is a good chance that your system has been compromised somewhere along the way.
Someone else is reading your emails! (The Windows Outlook Hack)
If you use Microsoft Outlook for your email, your messages can easily be forwarded to other email accounts. This feature is designed to let users quickly copy their Outlook mailbox and read it from another inbox. If you didn’t know about this feature or aren’t using it, but you go to check on it and there’s an unrecognized email address in the forwarding box…
…well, someone else is reading your emails.
An email is received that is not in your common keyboard layout
Phishing is one of the most common attack vectors hackers are using to penetrate businesses. If you receive an email from a foreign sender and your SIEM technology shouts that this email is not in your common keyboard layout, that’s a good enough reason to pop up the red flag and start an investigation. Setting up rules that track email patterns can help identify attacks on your organization by keeping tabs on things like irregular keyboard layouts.
You receive multiple reports of similar suspicious activity
Receiving one notification from an employee that his workstation has encountered a piece of malware may look suspicious. But a short time later, someone else reports the same activity, and then another, then another. Well, there’s no need for more indicators. As the investigation into the malware begins, it’s a good idea to check whether these users have a common theme (ex: they all work in the same OU group). Noticing what infected systems have in common can be a critical clue in determining the root source of malware infection cases.
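One way to turn this into a SIEM-style rule, as an added example that is not from the original article: flag a threat once several distinct workstations report it inside a short time window, then summarise what the affected users have in common (here, their AD organizational unit). The alert lines, field layout, threshold and window are all constructed assumptions.

```python
"""Correlate endpoint malware alerts: flag a threat once several distinct
workstations report it inside a time window, then summarise which OUs the
affected users belong to so the investigation can spot a common theme."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): timestamp, host, user, OU, threat name.
SAMPLE_ALERTS = """\
2024-03-04T09:02:11 WS-0114 j.doe OU=Finance Trojan.Downloader.Q
2024-03-04T09:05:47 WS-0120 a.smith OU=Finance Trojan.Downloader.Q
2024-03-04T09:06:03 WS-0207 m.lee OU=Engineering PUA.Toolbar
2024-03-04T09:09:30 WS-0118 r.khan OU=Finance Trojan.Downloader.Q
2024-03-04T13:40:00 WS-0301 t.ng OU=Sales Trojan.Downloader.Q
"""

def parse_alerts(text):
    """Turn whitespace-separated alert lines into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, ou, threat = line.split(maxsplit=4)
        alerts.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "ou": ou, "threat": threat})
    return alerts

def correlate(alerts, min_hosts=3, window=timedelta(minutes=15)):
    """Return {threat: {"hosts": [...], "ous": {ou: count}}} for every threat
    reported by at least min_hosts distinct hosts within one sliding window."""
    by_threat = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_threat[a["threat"]].append(a)
    findings = {}
    for threat, events in by_threat.items():
        # Slide the window over the time-ordered events for this threat.
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            hosts = sorted({e["host"] for e in in_window})  # distinct machines only
            if len(hosts) >= min_hosts:
                ous = defaultdict(int)
                for e in in_window:
                    ous[e["ou"]] += 1
                findings[threat] = {"hosts": hosts, "ous": dict(ous)}
                break
    return findings

if __name__ == "__main__":
    for threat, f in correlate(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{threat}: {len(f['hosts'])} hosts {f['hosts']}; OUs {f['ous']}")
```

On the constructed data the downloader is flagged from three Finance workstations within nine minutes, while the single PUA alert and the afternoon Sales alert stay below the threshold.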
Data starts appearing in places where it normally does not.
At its core, any cyber-attack or infiltration is something abnormal within the system. Setting up an organizational working baseline will help security staff notice when something is amiss. This baseline can be for user groups, departments or endpoints – whatever makes sense for your organization. It will help you find anomalies in user activity and better indicate potential threats.
“NO UNAUTHORIZED ACCESS”
Sometimes, there’s just no substitute for good security. In the physical world, security guards, locked doors, fences and barriers keep people out of secure areas. Things should work the same in the cyber world. Your settings should block employees from accessing files or folders they have no business accessing, or from actively changing user/network settings. Making sure the pathways from users to sensitive network files or folders are properly controlled and safeguarded will help identify internal threats and mitigate them before they get into your network.
(BONUS) Windows Defender Credential Guard
Windows Defender Credential Guard came online 2 years ago with Windows 10, and not many organizations know about it. In simple terms, Credential Guard keeps your users’ credentials in a virtualization-isolated memory space, making them almost impossible to reach without the proper privileges. It also provides the ability to monitor potential bypasses and stop them before they happen. This is particularly useful for safeguarding your credentials against credential-dumping tools.