Blog: DFIR

Have you been compromised?

Vladimir Panek-Noble 02 Aug 2023

Imagine the scenario…

A nation state recruits an asset / spy at age 18. Their education and living expenses are fully funded, all with the aim of getting them a job at a target organisation. All goes to plan, on paper they’re a good fit and they get a low profile graduate role in the company.

Life goes on for months, or even years, then at some point they’re activated. They’re instructed to start exfiltrating information, information that can be used to further the nation state’s interests.

While this may seem far-fetched, it’s a loose account of an incident which took place a few years ago. It’s likely that similar examples are in play at the moment.

Although the time in country was many months, the dwell time (the amount of time the attacker has access to a compromised system before they’re detected) in the organisation was just a matter of days.

While this is an extreme case from a nation state actor, we see similar, lower investment examples from crime groups on a weekly basis.

According to the SANS 2019 Incident Response (IR) Survey, 14% of respondents reported dwell time of up to six months. Of those that detected a breach, 10% reported that it took up to 3 months to contain it and remove the attackers.

Why does dwell time matter?

The longer an attacker is in your network the more damage they’ll do to your business. In the past attackers would be in and out in short order, with minimal dwell time. As they continue to hone and improve their TTPs (Tactics, Techniques, and Procedures) stealthier attacks now mean longer dwell times.

Crime groups can spend months hidden in networks, installing back doors, mapping networks, exfiltrating data, and pushing malware across the estate. The main difference between nation states and crime groups is final intention. Once they’re entrenched, crime groups start encrypting files and extorting companies. Their business model is getting ransoms paid, and sadly they’re extremely good at it.

Cleaning up after these attacks takes time and is costly. The difficult conversations which need to be had with stakeholders, primarily clients, and the Information Commissioner’s Office are more painful.

What should you look for?

These are tell-tale signs:

  • Unusual network traffic. This could include an increase in data transfers, traffic at odd hours, or communication with suspicious IP addresses.
  • Unexpected system reboots or slow, malfunctioning systems can also be red flags. These might be caused by malicious software consuming system resources or making modifications.
  • Unexplained changes to files or system configurations are further signs to watch for. These might manifest as altered file sizes, timestamps, or sudden presence of new, unknown files.
  • Employees and customers raising alerts about suspicious activity, such as unexpected password reset emails, unknown transactions, or unauthorised changes to accounts. These are warnings that something is amiss.
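As an added illustration (not part of the original post), a small Python triage script that checks constructed outbound-flow records for three of the signs above: activity outside business hours, a transfer far above the host's own baseline, and contact with an analyst-maintained list of suspicious IPs. The log format, hostnames, IP addresses and thresholds are all assumptions.

```python
"""Added example, not code from the original post: flag flow records that
match the tell-tale signs listed above. Everything here is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, one flow per line: "timestamp host dst_ip bytes_out"
SAMPLE_LOG = """\
2023-08-01T09:12:00 ws-17 203.0.113.5 120000
2023-08-01T10:40:00 ws-17 203.0.113.5 95000
2023-08-01T14:05:00 ws-17 203.0.113.8 110000
2023-08-02T02:31:00 ws-17 198.51.100.7 1800000
2023-08-02T02:44:00 ws-17 198.51.100.7 2100000
2023-08-01T11:00:00 ws-22 203.0.113.5 80000
2023-08-01T16:20:00 ws-22 203.0.113.9 70000
"""
# Hypothetical blocklist: IPs an analyst has already marked as suspicious.
SUSPICIOUS_IPS = {"198.51.100.7"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 is treated as a normal working day
SPIKE_FACTOR = 5.0             # a transfer more than 5x the host's median is a spike


def parse_flows(text):
    """Parse the constructed log format into (timestamp, host, dst_ip, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        ts, host, dst, size = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(size)))
    return flows


def find_indicators(text, suspicious_ips=SUSPICIOUS_IPS):
    """Return a sorted list of (host, reason) pairs for every host that trips a sign."""
    flows = parse_flows(text)
    per_host = defaultdict(list)
    for _, host, _, size in flows:
        per_host[host].append(size)
    # Median rather than mean: a single huge transfer must not inflate its own baseline.
    baseline = {host: median(sizes) for host, sizes in per_host.items()}
    hits = set()
    for ts, host, dst, size in flows:
        if dst in suspicious_ips:
            hits.add((host, "suspicious-ip:" + dst))
        if ts.hour not in BUSINESS_HOURS:
            hits.add((host, "off-hours"))
        if size > SPIKE_FACTOR * baseline[host]:
            hits.add((host, "volume-spike"))
    return sorted(hits)


if __name__ == "__main__":
    for host, reason in find_indicators(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

In the sample, only ws-17 is flagged, and on all three counts; a host with a single in-hours flow to an unlisted address produces no hits.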

What can you do?

Use Endpoint Detection and Response (EDR):

  • EDR systems continually monitor and collect data from endpoints to identify potential security threats. This data is analysed to identify patterns that might indicate a security threat. If a threat is detected, EDR systems can respond automatically to neutralise it. In the event of a complex threat, EDR solutions provide analysts with the information they need to quickly understand the problem and take action.
  • In comparison, standard antivirus solutions often fall short. These traditional tools mainly rely on signature-based detection methods, which can only detect known threats. Consequently, they may fail to identify new, sophisticated attacks or variants of existing threats, leading to late or even missed detections. Furthermore, traditional antivirus solutions typically lack automated remediation capabilities. This means that even if they manage to detect an adversary, they may not be able to respond effectively or swiftly enough to prevent the threat actors from executing their malicious activities.
  • This is where EDR stands out, as it not only detects threats based on known signatures, but also uses behavioural analysis to spot new or altered threats. Plus, EDR’s automation capabilities can immediately react to neutralise detected threats, reducing the window of opportunity for threat actors to cause harm. This makes EDR an essential part of modern cybersecurity strategy.

Regular forensic assessment of your network:

  • A forensic assessment is a thorough review of an organisation’s networks and systems to identify unknown security breaches, malware, or signs of unauthorised access. This scalable process involves deep analysis of forensic artefacts (the data left behind by interactions with a system) and a search for indicators of compromise (IoCs), the pieces of evidence that a cyber-attack has occurred.
  • An important aspect of a forensic assessment is detecting signs of lateral movement, which refers to the techniques cyber adversaries use to progressively move through a network as they search for key data and assets. Anomalous user behaviour is another key focus area, as it can often be a sign of a compromised account or an insider threat.
  • Many backdoors and Command and Control (C2) channels cannot be detected by even today’s best EDR solutions. One of the main advantages of advanced malware is that it operates mainly in memory once the initial loader has executed, and its executables are protected against static analysis (armoured). This poses a problem for defenders trying to detect and analyse the malicious activity. Advanced malware is being used by an increasing number of adversaries, and the evidence of it is volatile data that exists only for a short period within the dwell time. Together, these factors support the need for clients to adopt a strategy of regular, scalable forensic assessments.

Staff education:

  • The human factor plays an integral role in ensuring a secure cyber environment. Staff education, therefore, is a critical aspect of a comprehensive cybersecurity strategy. Phishing attempts, which aim to trick individuals into providing sensitive data by pretending to be from reputable sources, remain one of the most common methods for attackers to gain access to networks.
  • Staff should be educated to identify potential phishing emails. These can often be recognised by poor grammar or spelling, a sense of urgency, requests for personal or financial information, and email addresses that don’t match the name or company that the email claims to represent. An unexpected email, even if it appears to come from a known contact, should also raise suspicion, especially if it contains links or attachments.
  • It is crucial to cultivate a healthy sense of scepticism in your team when it comes to clicking on links or opening attachments in emails. Employees should be encouraged to verify the source of an email if they are uncertain, rather than risking a potential breach by clicking on a link or opening an attachment. An informed and trained workforce can act as a first line of defence against phishing attacks and significantly reduce the risk of a successful breach.

Pen testing:

  • Penetration testing, or pen testing, involves simulating cyberattacks against your own computer system to check for exploitable vulnerabilities. It’s like a drill, conducted to find any weak spots in your defence that real attackers could exploit. Regular pen tests help ensure that easy entry points into your network are identified and remediated before they can be exploited.