When working in Sophos Rapid Response, our Incident Response service, it is unfortunately all too common that I come across IT teams trying to piece together the ruins of their network following a cyber-attack. When talking to these administrators, it often transpires that while they did have security software in place, either a mistake in configuration had been made that let the attacker into the network, or an indicator of compromise was missed that could have alerted the team to the potential breach before the attack was conducted.
Unfortunately, any attacker that has sought to breach your network is likely to be well-tooled, well-funded, and well-versed in the art of network and system penetration. We often see that attackers have spent a significant amount of time:
- Researching their target
- Performing reconnaissance both inside and outside of the network
- Identifying likely device(s) to target (or even people)
- Carrying out social-engineering campaigns against those targets to gain additional information, such as usernames and credentials, that allows them to get deeper into the network