If somebody is doing something that could harm you physically, you will know immediately that the person is attacking you by seeing the movement he or she makes. So the process is: receive input (the incoming movement), analyse it (is it an attack or not), and decide on the action. Very simple :-). This article discusses how to identify a cyber attack.
In the previous article, we discussed several types of attack in the cyber world. Now the next question is: how do I identify a cyber attack on my system or network?
How easy is it to attack in a networked world?
Well, the objects in a networked environment (servers, laptops, routers, switches, etc.) are managed by humans, and some humans have bad intentions. Since communication in a networked world is very easy, doing an attack is easy too: every computer connected to the internet has a chance of being attacked.
How do I know I'm being attacked?
An attack in the cyber world is a little bit tricky, because it cannot be seen as clearly as a physical attack. We need tools acting as our "senses" to analyse incoming traffic/requests and decide whether they are an attack or not.
That is why one important function in an IT organisation is Operation and Maintenance (OAM), and one of its detailed tasks is monitoring the system.
As the name suggests, monitoring means observing and checking the progress or quality of something over a period of time. Data from the system (for example: login logs, traffic, hits, error pages, etc.) is stored in the monitoring system, so we can do a time-series analysis of that data, for example checking trends and looking for anomalies.
Any example of an attack case?
Yes. The picture above shows an anomaly in incoming requests. Suddenly there is a spike in the hit statistics of a website (it looks like a DoS attack). Suddenly there are lots of requests from one IP address in Ukraine, which is very suspicious.
Usually a DoS attack is followed by brute force. From the failed-login log, we could see that the above IP address was doing a brute-force attack on the login page: they tried to log in many times with different combinations of username and password. See the picture below:
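To make the monitoring idea concrete, here is an added example (not code from the original post) that runs the three checks described above over constructed sample logs: hits per minute as a time series, minutes whose hit count spikes above the baseline, source IPs with unusually many requests, and IPs with many failed logins. The log format, IP addresses and thresholds are assumptions made for the example.

```python
# Added example (not from the original post); all log lines below are constructed.
from collections import Counter, defaultdict

# Constructed access log: "<ISO timestamp> <source IP> <method> <path> <status>".
ACCESS_LOG = """\
2024-05-01T10:00:05 203.0.113.7 GET /index.html 200
2024-05-01T10:00:09 198.51.100.3 GET /about.html 200
2024-05-01T10:01:12 203.0.113.7 GET /login 200
2024-05-01T10:02:00 192.0.2.44 GET /login 200
2024-05-01T10:02:01 192.0.2.44 GET /login 200
2024-05-01T10:02:01 192.0.2.44 GET /login 200
2024-05-01T10:02:02 192.0.2.44 GET /login 200
2024-05-01T10:02:03 192.0.2.44 GET /login 200
"""
# Constructed failed-login log: "<ISO timestamp> <source IP> FAILED <username>".
FAILED_LOGIN_LOG = """\
2024-05-01T10:02:00 192.0.2.44 FAILED admin
2024-05-01T10:02:01 192.0.2.44 FAILED root
2024-05-01T10:02:01 192.0.2.44 FAILED administrator
2024-05-01T10:02:02 192.0.2.44 FAILED test
2024-05-01T10:02:03 192.0.2.44 FAILED guest
2024-05-01T10:05:00 203.0.113.7 FAILED alice
"""

def hits_per_minute(log):
    """Bucket requests into one-minute counts: the time series to inspect."""
    buckets = Counter(line.split()[0][:16] for line in log.splitlines())
    return dict(sorted(buckets.items()))

def spike_minutes(buckets, factor=3.0):
    """Flag minutes whose count exceeds `factor` times the mean of the other minutes."""
    flagged = []
    for minute, count in buckets.items():
        others = [c for m, c in buckets.items() if m != minute]
        if others and count > factor * sum(others) / len(others):
            flagged.append(minute)
    return flagged

def noisy_ips(log, threshold=5):
    """Source IPs whose request count reaches the threshold (many hits from one IP)."""
    counts = Counter(line.split()[1] for line in log.splitlines())
    return {ip: n for ip, n in counts.items() if n >= threshold}

def bruteforce_candidates(log, threshold=5):
    """IPs with at least `threshold` failed logins, with the usernames they tried."""
    tried = defaultdict(list)
    for line in log.splitlines():
        _, ip, _, user = line.split()
        tried[ip].append(user)
    return {ip: users for ip, users in tried.items() if len(users) >= threshold}
```

On real logs the thresholds should come from the normal traffic of your own site, and a flagged minute or IP is a reason to look closer, not proof of an attack by itself.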
I see… what should I do next?
Read this article, which discusses things to do after an attack.
Thank you for reading 🙂