The Risks of Public WiFi (& How to Protect Yourself)

In a constantly connected world, free WiFi can seem like an oasis in the desert, allowing you to ration your data and safeguarding you from eye-watering overage fees.

Unfortunately, public WiFi is inherently less safe than personal, private networks such as your home internet or the office network. 

Public WiFi Leaves You Vulnerable 

Public WiFi is inherently risky: after all, you have no idea who else is on this network and what they are up to. While businesses such as stores and organizations like your municipality or public library may think they are offering a helpful public service or a valued customer perk, you can’t be sure that they take security as seriously as you do. 

Common Public WiFi Cyberattacks

If you are the victim of a cyberattack, please contact our team immediately and consider reading our educational article Hacked? Here’s What to Know (& What to Do Next).

Man-in-the-Middle Attacks

Man-in-the-Middle (MitM) attacks are one of the most common public WiFi cyberattacks and are, at their core, a form of digital eavesdropping. Essentially, when a device such as your phone, tablet, or laptop connects to the internet via a public WiFi network, data is sent between point A (your device) and point B (the website you are visiting or the server that hosts the app you are using). Man-in-the-Middle attacks allow cybercriminals to camp out between these two points and intercept your traffic, which they can then either read or manipulate. 

Man-in-the-Middle attacks take a number of forms, including interfering with legitimate networks, creating fake networks that the attacker controls, or rerouting internet traffic to phishing or other malicious sites. Compromised traffic is stripped of any encryption protections, which allows the attacker to steal information or change the information you are transmitting. 

Attackers don’t want you to realize they are manipulating your traffic, so it can be difficult to realize an attack has occurred until you discover your email address is being used to send spam, your bank account is empty, or you uncover other evidence of nefarious activity. As such, users must take steps to avoid falling victim to these attacks. 

While using multi-factor authentication can make it more difficult for attackers to gain unauthorized access to your accounts, your username and password can still be compromised. As such, if you absolutely cannot wait to log in to your bank account or conduct other sensitive business, opting for a cellular connection or using your phone as a personal hotspot for your laptop is a better option.

Malware & Malicious Hotspots

While most developers do their best to ensure the programs they create are secure, sometimes mistakes happen, and programs, apps, and websites can inadvertently be left with security holes or other weaknesses. Attackers use these vulnerabilities to sneak malware (malicious software) onto your device. 

Another common technique involves setting up fake hotspots full of malware and making them look like legitimate networks; an attack sometimes referred to as a honeypot. These networks usually adopt reputable names in order to trick victims into connecting. 

For example, let’s say you decide to visit a coffee shop called Kim’s Cafe. You open your phone and, without thinking, select the “Kim’s Cafe” WiFi network. How do you know that network is actually owned by Kim’s Cafe? While some businesses that offer complimentary public WiFi post the network name prominently (to help ensure visitors aren’t connecting to suspicious networks), not all businesses do. You can ask a staff member for the name and password for the guest network, but that doesn’t guarantee their network is secure. When in doubt, go without or use your cellular data; don’t just select a network that appears legitimate and hope for the best. 

Tips for Staying Safe on Public WiFi

When it comes to public WiFi, caution is the name of the game. The best way to stay safe on a public WiFi network is to not use the public WiFi network. However, we also understand that this can be easier said than done. 

If you do have to use public WiFi, you should start by asking yourself a single question: If someone was reading over my shoulder right now, how would I feel about it? If the thought of some stranger reading your screen makes you anxious or angry, you should probably hold off until you can connect to a secure network. 

To help you get started, here are links to guides on how to manage your security settings on these commonly used web browsers:

Leave Your PII At Home

If you need to use public WiFi, limit your activities as much as possible and avoid visiting any sites or using Apps that involve handing over your personally identifying information (PII), such as banking details, usernames, and passwords, or medical information. You wouldn’t carry a sign around with your personal information splashed all over it, so why would you risk revealing this highly sensitive data on a public WiFi network?

If you have to use a public network, steer clear of apps and websites that require you to log in. Some websites and apps require you to enter things like your full name, phone number, and other identifying information when you create an account, so even if you don’t remember providing that information when you registered, you may inadvertently be exposing it if an attacker intercepts your internet traffic. 

Consider a VPN

If you spend a lot of time away from your desk and absolutely need to stay connected (say you are traveling for work and don’t have unlimited data), you might want to consider a VPN. A VPN allows you to create a secure connection between your device and another network (such as your work network) over the internet, shielding your browsing activity and keeping you off of public WiFi networks. 

To help safeguard sensitive company data and other digital assets, many employers provide their employees with VPNs to ensure they are always using a secure connection while accessing company data. After all, you have no idea whether your employees’ home networks, local cafe WiFi, or complimentary hotel network meet your security standards. 

No VPN? Look for the Lock

If you don’t have a VPN, there are still steps you can take to help safeguard your data while using public WiFi. SSL connections add a layer of encryption to your network traffic, which can help keep you safe on public WiFi. When using the internet, make sure you enable the “Always Use HTTPS” option on your browser or any websites you frequently visit that require you to enter any credentials and never enter credentials into unsecured websites. 

Disable AirDrop & File Sharing

If you absolutely have to use a public WiFi network, you should turn off any features on your device that enable frictionless file sharing.

Learn how to manage your file-sharing settings on Windows 10 and on a Mac.

Leave WiFi & Bluetooth Turned Off

Leaving your WiFi and Bluetooth settings turned off when not in use can help prevent your device from connecting to unknown networks or other devices without your explicit consent. 

Actually Read the Terms & Conditions

We know that no one actually likes wading through pages of dry technical text, but before you connect to any public WiFi network, make sure you know what you are signing up for. Look for information on what data the network collects, how it is used, and how it is stored, and keep an eye out for any red flags before you click the Accept button. 

Avoid Nosey Networks

Be wary of any public WiFi networks that require you to enter personal information, such as your email address or phone number. If you absolutely have to connect to a network that requires a lot of personal information, make sure you trust the organization that owns the network and consider creating a separate email account specifically for situations like this. 

While asking for some personal information doesn’t automatically mean that the network owner is untrustworthy, stores and restaurants in particular tend to gather this information so they can better track you across multiple WiFi hotspots and tailor their marketing efforts, not to improve security or benefit users. As such, it is up to you to decide if you are willing to give up your private information in exchange for some free WiFi. 

Find Out if Your Cable or Cell Phone Company Offers Complimentary Public WiFi

Some cell phone providers and cable companies manage complimentary WiFi hotspots for their customers, so if you spend a lot of time searching for free WiFi you may want to see if your service provider offers this perk. If you are connecting to free public WiFi through a service you are already signed up for, then you don’t have to hand over any more personal information than you already have. 

Log Out When You Are Finished (Even At Home)

Logging out of all your accounts when you are done may seem like a pain, but it can help safeguard your personal data when your device leaves your home or office. By logging out when you are finished, you can rest assured that you aren’t inadvertently exposing your sensitive data when you grab a coffee or head to the mall.

Look for Password Protected Networks

When it comes to public WiFi networks, passwords are your friend. While adding a password won’t guarantee airtight security, it does help limit who has access to the network and for how long (assuming the organization that owns the network rotates their password frequently). This bare minimum level of security does help, but you should still avoid visiting websites or using apps that contain sensitive information such as PII or private work files. 

Invest in an Unlimited Data Plan

At the end of the day, the best way to stay safe on public WiFi is simply to avoid connecting to public WiFi networks in the first place. If you anticipate having to do a lot of browsing away from your home or work network, you may want to consider investing in an unlimited data plan.

Though the best course of action is to avoid public WiFi networks altogether, there are steps you can take to safeguard your device and personal data if you need to connect. For more information on keeping yourself, your business, or your remote employees safe, please contact our team today.

Why is WiFi 6’s Uptake so Slow? A Look at the Current Technological Environment

WiFi 6 offers a lot of benefits over its predecessors, but uptake remains sluggish. In this article, we will explore the factors in the current technical environment that are slowing the uptake of this new approach to WiFi.

The Risk of Being an Early Adopter

WiFi 6 was first announced in 2018 by the WiFi Alliance, making it still relatively new. As such, many organizations aren’t yet ready to make the switch. There also aren’t a whole lot of WiFi 6 clients out there yet, limiting choice and making it more difficult for organizations to find equipment that they know will meet their needs. Though some individuals and organizations pride themselves on being early adopters, most are more inclined to wait until any bugs or potential issues have been addressed before taking the plunge. 

Companies in particular, which would need to invest large sums of money upgrading their entire networks to ensure compatibility, risk investing in unreliable equipment that may offer a poor user experience or suffer from incompatibility issues. When you buy and deploy too soon, you might not be able to upgrade without re-purchasing everything, dramatically increasing deployment costs. While larger enterprise-sized companies may be able to absorb the cost of re-purchasing equipment should they discover a compatibility issue or other problem, SMBs tend to have fairly limited IT budgets, which makes re-purchasing a hard expense to handle.

Not All Devices on the Market Support WiFi 6

WiFi 5 remains the default when it comes to devices, so even if you upgrade your WiFi network, chances are most BYOD employees, customers, and visitors won’t likely notice the difference. WiFi 5 devices can work on WiFi 6 networks, but because they can’t broadcast in the 6GHz band, they will be limited to WiFi 5 speeds.

Samsung has already announced compatible products, and Intel has begun manufacturing WiFi 6E compatible devices (though they have done so without any fanfare or even a press release or announcement of any kind). However, Apple remains a holdout and has yet to announce a WiFi 6 compatible device. One source speculates that once Apple gets on board, we will see a noticeable increase in interest. 

Once more WiFi 6 compatible devices (including smartphones, desktops, laptops, and tablets) begin to emerge, companies and individuals alike may become more inclined to make the switch so they can enjoy all the benefits WiFi 6 offers. 

WiFi 5 is Still Going Strong

If it isn’t broken, why fix it? For many organizations, their WiFi 5 network and devices are still in good condition and continue to meet their needs. While upgrading to WiFi 6 will offer some benefits (assuming they invest in WiFi 6 compatible devices as well), many organizations are more inclined to stick with what works than invest in new equipment prematurely.

WiFi 6 Equipment is Still Quite Expensive

Because it is still relatively new, WiFi 6 compatible equipment and devices are still relatively expensive compared to their perfectly functional, tried-and-true WiFi 5 counterparts.

Most organizations can’t risk investing large sums of money in equipment that may present issues (such as the compatibility issues we will discuss later in this article) or be unable to meet their needs and are therefore more likely to upgrade with extreme caution. 

Not Every Organization is Ready to Upgrade

Upgrading your entire network, or even just your employees’ work devices, is a large expense. As such, many SMBs need to plan their upgrade cycles carefully and do their best to get the most out of their current equipment before investing in an upgrade. Many WiFi 5 routers and other WiFi 5 devices and equipment are still in excellent condition, so it may not make sense to invest in a whole new network right now when your current solution continues to meet your needs. 

Depending on where an organization is in their upgrade cycle, it may be a few years until a new networking solution is needed and everyone is due for new work phones and laptops. And even if organizations are ready to upgrade now, they may opt to stick with what they know and wait to adopt WiFi 6 on their next upgrade cycle once more devices, APs, routers, and other equipment options are available and have a proven track record.

Upgrading Your Whole Network is Inherently Disruptive

Upgrading is also disruptive, impacting productivity while the network is offline and potentially presenting a learning curve as workers familiarize themselves with new devices and equipment. As such, many organizations try to minimize the number of times they upgrade or may time their upgrades for periods of downtime when business is likely to be slow, and the impact of the disruption can be minimized. 

Your WiFi Network & Devices are Just One Piece of the Enterprise Network Puzzle

When most companies think of WiFi, they think of the devices that rely on the network and the visible equipment, such as APs, that support them. However, upgrading your WiFi network, laptops, tablets, smartphones, and desktops is only the beginning. 

To fully enjoy the benefits WiFi 6 offers, organizations will need to upgrade their entire network infrastructure, which can be costly and highly disruptive. Only upgrading your WiFi can present compatibility issues with the rest of your IT infrastructure, so you will need to conduct a holistic review of your existing IT ecosystem before committing to WiFi 6.  

WiFi 6 Currently Presents Compatibility Issues

Because WiFi 6 is still relatively new, it presents a number of compatibility issues organizations need to be aware of. For example, a number of WiFi adapters produced by Intel have known issues with WiFi 6. Though Intel has released driver updates to fix this issue, these updates are not included in any Windows updates, so the drivers will need to be updated manually. 

Compatibility issues can wreak havoc on your network, preventing your workers from completing tasks and bringing productivity to a grinding halt. As such, it is critical that you do your research before you commit to upgrading and consider consulting the experts to ensure you’ve covered all your bases. 

Whether you choose to upgrade now or continue to wait, it is vital that your equipment is correctly installed and configured to ensure your network remains secure. For more information about WiFi 6, or to begin planning your network upgrade, please contact our team today.

Everything You Need to Know About WiFi 802.11ax (AKA WiFi 6)

Over the last year, there has been a lot of chatter surrounding WiFi 6 (also referred to by its IEEE standard name 802.11ax). But what exactly is WiFi 6? In this educational article, we will discuss what makes WiFi 6 different from its predecessors, WiFi 4 and WiFi 5, so you can get the information you need to make informed decisions about upgrading your WiFi network.

What is WiFi 6?

In 2020, the FCC announced that it would be expanding access to the broadband spectrum for unlicensed traffic. This means that routers are now able to broadcast their signals in the 6GHz range, as well as the 2.4GHz and 5GHz ranges originally designated for unlicensed traffic. Much like widening a road to accommodate increased traffic, this decision means there is now more WiFi to go around.

This is critical as the number of devices in each home and business continues to rise. The days of a single device per employee and a shared household computer are long gone; according to Statista, the average American household was home to 10.37 connected devices in 2020, and that number is likely only going to continue to increase. Many employees are now equipped with a laptop and a company phone, and with the continued rise of IoT devices in both homes and workplaces, the demand for bandwidth will only increase. 

What are the Benefits of WiFi 6?

WiFi 6 offers a wide range of benefits, including:

Enhanced Security Features

WiFi 6 offers enhanced encryption and other significant security enhancements while simultaneously eliminating some of the weaknesses of older WiFi technologies such as pre-shared keys. This is great news for security-conscious hotspot providers as well as facility managers and visitors. 

All WiFi 6 devices are designed to handle WPA3 encryption, which offers features like robust password protection and 256-bit encryption algorithms, both of which make it harder for cybercriminals to hack into your network.

Faster Speeds

WiFi 6 promises speeds up to 30% faster than WiFi 5, which means your employees can spend more time working and less time waiting for web pages and internet-based programs to load. 

Increased Range

In situations when you are relying on a single router, WiFi 5 and WiFi 6 offer approximately the same range because WiFi range is dictated by the radio frequencies the APs can access (5GHz and 2.4GHz). However, if you switch to a WiFi 6 mesh system, you can increase coverage by placing the APs farther apart and use WiFi 6’s faster speeds to make up for the increased distances. Being able to place APs farther apart can be incredibly beneficial in situations where physical cabling is either inconvenient or impossible to lay. 

Though the increased distance between the APs will cause a small decrease in network speed and performance, this decrease is so minuscule you and your team likely won’t notice a difference.

Reduced Latency

Latency (the amount of time it takes for something to load) remains a large problem for many WiFi users. How fast and reliable your WiFi is depends on a variety of factors, including the signal strength of your connection and how many other devices are on the network. By expanding bandwidth access, your network will now be able to support more devices than before, allowing all WiFi traffic to move faster and increasing network reliability. 

WiFi 6 achieves this using OFDMA (Orthogonal Frequency Division Multiple Access), which is an extension of the OFDM (Orthogonal Frequency Division Multiplexing) architecture used by WiFi 4 and WiFi 5. While OFDM relies on a single-queue style system, which requires each device to patiently wait its turn to receive data, OFDMA allows the router to transmit data to more than one device at a time, dramatically reducing or even eliminating the need to queue. 

It does this by splitting traffic into smaller packets, so each device can receive a small amount of the data it is waiting for and pass that information on to the end-user while it is waiting for the rest of its packets. This functionality is great for high-traffic environments such as stadiums, conference centers, and large retail environments where employees, visitors, and customers are going to need WiFi access. 

Increased Power

Maintaining a connection to a WiFi network consumes a significant share of a device’s power, particularly if the device is moving in and out of WiFi range. Wider ranges, and the ability to comfortably support more devices, mean that devices will need to expend less energy maintaining a reliable WiFi connection, which means your devices will be able to go for longer between charges. 

WiFi 6 accomplishes this using target wake times (TWTs, also called wake time targets), which allow the APs to communicate with devices and let them know how long they will be left waiting between transmissions. By providing devices with this information, the devices can “sleep” between transmissions, only waking up when the device needs to connect again. These short bursts of downtime significantly reduce how much power the battery needs to expend to maintain a WiFi connection, which can extend the battery life of laptops, smartphones, tablets, and other WiFi-connected devices on your network. 

Better Throughput & Reduced Congestion

When there are more devices on your WiFi network than the network can comfortably serve, WiFi performance suffers, and some devices may lose connection entirely. Because WiFi 6 uses OFDMA, it has better MIMO (multiple-input/multiple-output) capabilities. 

Using multiple antennas, each AP is able to talk to several devices simultaneously, while WiFi 5 networks can only respond to one device at a time, creating bottlenecks and slowing down the connection of every device on the network. Being able to respond to multiple devices at once reduces the amount of time each device needs to wait for its turn, increasing speeds for everyone.

Another advantage of WiFi 6 over its predecessors is BSS (basic service set) “colors”. These colors, labeled 0 through 7, are incredibly useful when multiple APs near one another are transmitting on the same channel. Older WiFi deployments typically assigned multiple APs to the same transmission channels (a necessary approach given the limited amount of bandwidth available), causing traffic jams and slowing down everyone’s connections. To make matters worse, devices weren’t able to effectively communicate or negotiate with each other to maximize channel resources, increasing congestion further. 

Using the color-coded system, APs can assess signals from each color and determine whether they can use the spectrum at the same time as another device without causing interference by selecting a color that isn’t currently in use. 

It’s like a grocery store with seven checkout lanes open instead of one: the old WiFi standards required all shoppers to cram into a single checkout lane, and because the shoppers can’t talk to one another, sometimes two or more shoppers will try to purchase their items at the same time, causing a traffic jam while the cashier sorts everything out. The color-coded system allows each shopper to assess which of the seven checkout lanes has the shortest line (or ideally no line at all) and line up there, improving efficiency and getting everyone out of the store faster. 

WiFi 6 offers a wide range of benefits from both a security and usability perspective. Are you considering upgrading to WiFi 6? Our experts have experience with a wide range of technologies, verticals, and industries and work with organizations of all sizes to support their IT and networking needs.

For more information about WiFi 6, or to get started planning your upgrade, please contact our team.

Identifying a Breach: Finding Indicators of Compromise (IOC)

Cybersecurity is more important than ever before: According to Government Technology, though 2020 saw an overall decline in the number of breach events, the number of breached records grew dramatically, and the number of ransomware attacks doubled between 2019 and 2020.

These troubling trends demonstrate why a robust yet adaptable cybersecurity stance is critical for all organizations, regardless of size or vertical. But how do you know if your organization has experienced a breach? In this article, we will discuss common types of cybersecurity breaches, and red flags you should look for that may indicate a breach has occurred.

If you have experienced, or are currently experiencing, a cybersecurity breach, please call our team immediately and consider reviewing our guide: Hacked? Here’s What to Know (& What to Do Next).

What Constitutes a Breach?

A security breach is like a break-in, but instead of breaking into your house or business, attackers break into your digital systems to steal personal information or sensitive documents, or to damage your network. However, there are steps you can take to best safeguard your digital assets, which include:

  1. Creating a cybersecurity incident response plan, reviewing it regularly, and updating it as necessary. Having a plan in place is critical because it allows you to respond quickly and lays out, in advance, who needs to do what should an incident occur.
  2. Investing in employee cybersecurity training. Even the best cybersecurity incident response plan is effectively useless if your team doesn’t understand why security is important, what role they play in it, and how to respond should an incident occur. All new hires should undergo training, and all employees from the CEO down should receive regular refresher training. 
  3. Regularly monitoring your network for suspicious activities. These suspicious activities, called IOCs or indicators of compromise, will be discussed in depth later in this article. 

Breaches Have Wide Reaching Consequences

Breaches cause more than headaches: to address the situation, you will likely need to pull critical personnel from other projects, hindering productivity and severely impacting your daily business activities. Depending on what data is stolen or what systems are compromised, you may also suffer financial damages in the form of regulatory fines or even lawsuits.

A poorly handled breach can cause permanent damage to your organization’s reputation, damaging consumer trust. 

Recent large-scale breaches include the Yahoo breach of 2014, the Equifax breach of 2017, and the Facebook security breach of 2019. Facebook is currently facing a class-action lawsuit, while the FTC and Equifax reached a global settlement that includes as much as $425 million to help individuals impacted by the breach. Yahoo faces paying for a settlement fund of $117,500,000 to affected individuals in the form of two years of credit monitoring, or in the case of individuals who already have credit monitoring in place, a cash payment. 

Common Types of Cybersecurity Breaches

Malware (Including Ransomware, Viruses, & Spyware)

Many cybercriminals rely on malware (malicious software) to infiltrate protected networks. The malware is often delivered via email or by tricking unsuspecting employees into downloading corrupted files from compromised or malicious websites. 

For example, an employee receives an email with an attachment that infects your network when the attached file is opened, or visits a compromised site and downloads the malicious file directly. Once one computer is infected, the malware will likely spread to other areas of your network, sending sensitive data back to the attacker, laying the groundwork for a larger attack, or damaging your digital infrastructure. 

Phishing Attacks

Phishing attacks are designed to trick potential victims into believing they are talking with someone they trust (such as a colleague, their bank, or another trusted individual or institution) in order to hand over sensitive information (such as credit card numbers, usernames, passwords, etc.), grant the sender access to restricted areas of the network, or trick the target into downloading malware. 

For example, an employee might receive an email from someone pretending to work in your IT department asking them to reset their username and password, or from “their boss” requesting confidential files, or from “your company’s bank” warning that they have detected suspicious activity on a company credit card or in a company bank account, and requesting the recipient click on a link in the email to login and review the flagged transactions.

In all three scenarios, criminals are acting as trusted individuals or individuals working on behalf of trusted institutions in order to trick unsuspecting email recipients. 

We discuss phishing attacks, and what you can do to avoid them, in our in-depth article: Don’t Let Phishing Scams Catch You Unaware

DDoS (Distributed Denial of Service) Attacks

DDoS attacks are designed to crash websites, preventing legitimate users from visiting them. Attackers do this by flooding websites with traffic, either by working with other attackers or by programming bots (software programs programmed to perform repetitive tasks) to hammer the server hosting the website with requests. 

DDoS attacks are considered security breaches because they can overwhelm your organization’s security defenses and severely curtail your ability to conduct business. Common targets include financial institutions or government bodies, and motivations range from activism to revenge to extortion. 

To learn more about hackers, who they are, and why they do what they do, please consider reading our article: The Modern Hacker: Who They Are, Where They Live, & What They’re After.

What are Indicators of Compromise (IOC)?

IOCs are pieces of forensic data, such as system log entries or files, that identify potentially malicious activity on a network or system. Like suspicious ink-stained fingers or an errant muddy footprint in a Sherlock Holmes book, IOCs are clues that help security and IT professionals detect data breaches, malware infections, or other suspicious activities. 

By looking for IOCs regularly, organizations can detect breaches as soon as possible and respond swiftly, limiting or even preventing damages by stopping attacks during their earliest stages. 

However, IOCs are not always obvious or easy to detect: they range from something as plain as an unexpected login to something as subtle as a snippet of malicious code. Cybersecurity and IT analysts often look at a range of IOCs when trying to determine if a breach occurred, examining how different IOCs fit together to reveal the whole picture. 

IOCs vs IOAs

IOAs (indicators of attack) are similar to IOCs, but instead of focusing on the forensic analysis side of a compromise that has already occurred, these clues aim to identify attacker activity while the breach is in progress. 

A proactive approach to security relies on both IOCs and IOAs to uncover threats or potential threats in as close to real-time as possible.

Common IOCs and IOAs

There are many IOCs and IOAs that IT and security analysts look for, but some of the most common include:

  1. Unusual outbound network traffic. This could indicate someone is moving sensitive files off the network.
  2. Anomalies in privileged user accounts. A common tactic used by attackers is to either escalate privileges on accounts they have already compromised or use compromised accounts as gateways to more privileged accounts. By monitoring accounts with access to sensitive areas of your network, analysts can look out for signs of insider attacks or account takeover attacks.
  3. Geographic irregularities. If an employee logs out of their account from an IP address in Chicago, then immediately logs back in from New York, that is a huge red flag. Analysts also look for traffic to and from countries that your organization doesn’t have business dealings with.
  4. General login irregularities. Multiple failed login attempts, or failed login attempts for accounts that don’t exist, are both huge red flags. Analysts also look for irregular login patterns, such as employees logging in well after work hours and attempting to access files they aren’t authorized for, which likely indicate the account credentials have been compromised.
  5. Unusually high database read volume. If an account is attempting to download and read your entire personnel or credit card database, that likely means an attacker is attempting to access those sensitive files.
  6. A large number of requests for the same file. Breaches rely heavily on trial and error, so a large number of repeated requests for the same file (such as the credit card database mentioned earlier) may indicate an attacker is testing out a variety of strategies in an attempt to gain access.
  7. Suspicious configuration changes. Changes to the configuration of files, servers, and devices may indicate an attacker is attempting to set up a network backdoor or introduce weaknesses to aid a later malware attack.
  8. Flooding a specific site or location with traffic. Many attackers rely on bots for a variety of tasks and may recruit compromised devices on your network to do their dirty work. A high level of traffic from a number of devices targeting a specific IP address may indicate those devices have been compromised.
  9. Suspiciously timed web traffic. Even the fastest typists can only type so fast, so if logs indicate that someone is trying thousands of username and password combinations per second, chances are an attacker is attempting to break into your network using a brute force attack.
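
As an added example (not VirtualArmour's tooling and not code from this article), the following Python script runs a few of the checks described above over constructed authentication log lines: successful logins by one user from two cities too close together to be real travel, failed logins against accounts that don't exist, successful logins outside business hours, and a burst of failures within a single second that points to a brute-force attempt. The log line format, the usernames, the IP-to-city table and every threshold are assumptions invented for the demonstration.

```python
"""Toy IOC/IOA checks over constructed authentication log lines.

Added example for illustration only; not VirtualArmour's tooling. The log
format, the users, the IP-to-city table and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed stand-in for a GeoIP lookup (documentation-range addresses).
GEO = {"203.0.113.10": "Chicago", "198.51.100.7": "New York", "192.0.2.55": "Chicago"}

# Constructed directory of accounts that actually exist.
KNOWN_USERS = {"alice", "bob"}

# Constructed sample log: one impossible-travel pair, a burst of failures,
# two attempts against accounts that do not exist, and one after-hours success.
SAMPLE_LOG_LINES = [
    "2024-03-04T09:00:00 OK user=alice ip=203.0.113.10",      # Chicago
    "2024-03-04T09:00:30 OK user=alice ip=198.51.100.7",      # New York, 30 s later
    "2024-03-04T12:15:00 OK user=bob ip=192.0.2.55",
    "2024-03-04T02:14:00 OK user=bob ip=192.0.2.55",          # outside business hours
    "2024-03-04T02:13:00 FAIL user=admin ip=192.0.2.55",      # no such account
    "2024-03-04T02:13:01 FAIL user=svc-backup ip=192.0.2.55", # no such account
    "garbage line that does not match the format",
] + ["2024-03-04T02:13:00 FAIL user=bob ip=192.0.2.55"] * 8   # 8 failures in 1 s


def parse(lines):
    """Parse log lines into dicts, skip malformed lines, return them sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line is logged elsewhere, never crashes the check
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def impossible_travel(events, min_seconds=600):
    """Successful logins by one user from two cities less than min_seconds apart."""
    findings, last_ok = [], {}
    for e in events:
        if e["result"] != "OK":
            continue
        city = GEO.get(e["ip"], "unknown")
        prev = last_ok.get(e["user"])
        if prev is not None:
            gap = int((e["ts"] - prev[0]).total_seconds())
            if prev[1] != city and gap < min_seconds:
                findings.append((e["user"], prev[1], city, gap))
        last_ok[e["user"]] = (e["ts"], city)
    return findings


def brute_force(events, threshold=5):
    """Source IPs with at least `threshold` failed logins inside one second."""
    per_second = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            per_second[(e["ip"], e["ts"].replace(microsecond=0))] += 1
    return sorted((ip, ts.isoformat(), n) for (ip, ts), n in per_second.items()
                  if n >= threshold)


def unknown_accounts(events, known=KNOWN_USERS):
    """Usernames that were tried but do not exist in the directory."""
    return sorted({e["user"] for e in events if e["user"] not in known})


def after_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside the assumed business window [start_hour, end_hour)."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["result"] == "OK" and not (start_hour <= e["ts"].hour < end_hour)]


def run_checks(lines):
    """Run every check and return the findings keyed by indicator name."""
    events = parse(lines)
    return {"impossible_travel": impossible_travel(events),
            "brute_force": brute_force(events),
            "unknown_accounts": unknown_accounts(events),
            "after_hours": after_hours_logins(events)}


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_LOG_LINES).items():
        print(f"{name}: {findings}")
```

Each check on its own is a weak signal (a real VPN hop can look like impossible travel, a mistyped username is a nonexistent account), which is why the findings are returned together rather than as a single verdict: the analyst judges how they fit, as the article says, and tunes the thresholds to the environment.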

These are just some of the most common IOAs and IOCs that security and IT analysts use to look for signs of suspicious activity.

By monitoring your infrastructure and firewalls 24/7/365 for signs of a potential breach and keeping a watchful eye on your endpoints, you can quickly gather the information you need to respond to potential incidents as soon as possible. To help keep your network secure, VirtualArmour offers a variety of managed and consulting services and has extensive experience working with organizations in a variety of industries, including, but not limited to, healthcare, finance, retail, and energy, as well as service providers.

To learn more about how our experienced security analysts use IOCs, or to get started improving your security posture, please contact our team today.

Recommended Reading

Identifying IOCs is just one small aspect of cybersecurity. To learn more about cybersecurity, why it’s important, and what steps your organization should be taking, please consider reviewing the educational articles listed below. 

Managed Services Security Providers (MSSPs)

What is a Managed Services Security Provider (MSSP)?

Leveraging Your MSSP in an “IT Light” Environment

Cybersecurity Basics

Terms & Phrases Used in the Managed IT & Cybersecurity Industries

The SMBs Guide to Getting Started with Cybersecurity

Cybersecurity Spring Cleaning: It’s Time to Review Your Security Practices

Building a Cybersecurity Incident Response Program

Beyond SIEM: Why Your Security Posture Needs to SOAR

Identity Management is Just Cybersecurity Best Practices With a Fancy (& Expensive) Name

Creating an Agile Workplace: How to Prepare for the Unexpected

Cyber Hygiene 101: Basic Steps to Keep Your Company Secure

The Ultimate Guide to Managed Threat Intelligence (2020 Edition)

What is Information Security (& How Does it Impact Your Business?)

5 Old-School Hack Techniques That Still Work (& How to Protect Your Data)

Keeping Your Network Secure in a “Bring Your Own Device” World

Basic Website Precautions: Keep Intruders Out With These Fundamental Security Best Practices

Security vs Compliance: What Are Their Differences?

US Companies Could Get Badly Burned by GDPR – Here’s How Not To 

The Challenge to Remain PCI & NIST Compliant During the Shift to Remote Work

Common Types of Cyberattacks

Don’t Let Phishing Scams Catch You Unaware

Cryptojacking: Because Every Currency Needs to Be Protected 

In a Remote World, Social Engineering is Even More Dangerous

How Fear Motivates People to Click on SPAM

Ransomware is Only Getting Worse: Is Your Organization Prepared to Confront it?

Everything You Need to Know About Ransomware (2019 Edition)

DNS Spoofing: What It Is & How to Protect Yourself

About Cybercriminals & Cybercrime

Hacked? Here’s What to Know (& What to Do Next)

The Modern Hacker: Who They Are, Where They Live, & What They’re After

Hackers Are Increasingly Targeting People Through Their Phones 

Airports are a Hacker’s Best Friend (& Other Ways Users Expose Themselves to Risk)

2021 Cybersecurity Trends

Our Predictions for the 2021 Cybersecurity Environment

Cybersecurity by Vertical & Industry

Cybersecurity Basics Every College & University Needs to Have in Place

The Ultimate Guide to Cybersecurity in the Healthcare Industry

How the Financial Industry Can Strengthen Their Cybersecurity

Cybersecurity for the Manufacturing Industry: What You Need to Know Now

Making Sense of TTPs, Cybersecurity, & What That Means for Your Business

Making Sense of TTPs, Cybersecurity, & What That Means for Your Business

Once considered a nice-to-have, cybersecurity has become essential for organizations in all verticals. Even before COVID-19 made remote work the norm for many office workers (leading to a marked increase in social engineering attacks), cybercrime was already on the rise, with global losses skyrocketing to nearly $1 trillion in 2020 alone.

No matter how large or small your organization is, investing in your cybersecurity posture is vital for safeguarding your digital assets, your business, and your customers. To improve your cybersecurity posture, you need to get inside the mind of a cybercriminal and figure out how to stay one step ahead in this endless game of cat and mouse. 

What are TTPs?

TTPs refer to the tactics (or tools), techniques, and procedures used by a specific threat actor (the bad guy) or group of threat actors. Essentially, TTPs are the distinct patterns of activity or behavior associated with a particular person or group, and they describe how threat actors orchestrate, execute, and manage their cyberattacks.

Tactics, generally speaking, refer to the vectors used by attackers. This could include accessing and using confidential information, gaining access to a website, or making lateral movements (moving sideways between devices and apps to better map your system and look for vulnerabilities in less protected areas that they can exploit). 

Techniques refer to the methods attackers use to achieve their goals. For example, if the immediate goal (the tactic) is to gain unauthorized access to your system, then the technique could be using social engineering (such as a phishing scam) to trick employees into sharing their login credentials. A single tactic can involve multiple techniques. 

Techniques act like stepping stones towards the attacker’s overarching goal, which could include damaging your systems, infecting your network with ransomware, or stealing sensitive files.

Procedures refer to the specific, actionable, preconfigured steps cybercriminals follow to achieve their overarching goals. For example, if the goal is to use a phishing scam to gather login credentials from employees, the procedure could involve deciding what the email should say and configuring the email so that malware downloads when a user opens the attachment.

Why are TTPs Important for My Business?

Analyzing TTPs is vital for your cybersecurity posture since the clues threat actors leave behind can be used to help identify who is responsible for an attack or breach. By analyzing TTPs, your cybersecurity team or cybersecurity partner can:

  1. Rapidly triage and contextualize the event taking place by comparing the TTPs of the current attack with the TTPs of known threat actors or groups (such as hostile foreign governments, lone criminals, criminal groups, or rival corporations) who may have launched it. Based on who may be behind the attack, your cybersecurity experts can try to predict what may happen next and redeploy resources to better safeguard your most critical digital assets, such as your servers.
  2. Review probable paths for research and further exploration based on which TTPs were used in the attack. This allows your cybersecurity experts to potentially identify who was behind the attack so that criminal charges can be laid.
  3. Identify potential sources or vectors of the attack. This step involves identifying how the threat actors were able to gain unauthorized access to your systems so those vulnerabilities can be addressed as soon as possible and other threat actors can’t exploit them in the future.
  4. Identify and investigate all systems that may have been compromised. This step is part of your incident response process and is critical for preventing further damage and rooting out potential back doors left by the attackers.
  5. Create threat modeling exercises and improve your cybersecurity training so that your team won’t be caught unaware again should a similar or related event occur in the future.
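
The first step above, comparing an incident's observed TTPs against profiles of known groups, can be made concrete as a scoring problem. The following Python block is an added example, not VirtualArmour's method and not code from this article: it scores an observed set of tactics, techniques and procedures against constructed actor profiles with a weighted overlap, where a matching procedure counts far more than a matching tactic. The group names, their TTPs, the label strings and the weights are all placeholders invented for the demonstration.

```python
"""Triage by TTP overlap: rank constructed actor profiles against an observed intrusion.

Added example for illustration only; not VirtualArmour's method. Profiles, labels
and weights are assumptions constructed for the demo.
"""

# Assumed weights. Nearly every intrusion shares tactics such as initial access,
# so a tactic match is weak evidence; a matching procedure (the actor's exact
# recipe) is the closest thing to a fingerprint, so it counts the most.
WEIGHTS = {"tactics": 1, "techniques": 3, "procedures": 6}

# Constructed profiles: the group names and their TTPs are invented placeholders.
PROFILES = {
    "Group A (constructed)": {
        "tactics": {"initial-access", "credential-access", "lateral-movement"},
        "techniques": {"phishing", "credential-dumping", "remote-services"},
        "procedures": {"invoice-themed lure with malicious attachment",
                       "lateral movement over RDP with stolen admin credentials"},
    },
    "Group B (constructed)": {
        "tactics": {"initial-access", "impact"},
        "techniques": {"phishing", "data-encrypted-for-impact"},
        "procedures": {"fake delivery-notice lure with link",
                       "ransom note dropped in every directory"},
    },
}

# Constructed observation from a hypothetical incident under investigation.
OBSERVED = {
    "tactics": {"initial-access", "credential-access", "lateral-movement"},
    "techniques": {"phishing", "credential-dumping"},
    "procedures": {"invoice-themed lure with malicious attachment"},
}


def similarity(observed, profile):
    """Weighted Jaccard overlap across the three TTP levels, from 0.0 to 1.0."""
    num = den = 0
    for level, weight in WEIGHTS.items():
        a, b = observed.get(level, set()), profile.get(level, set())
        num += weight * len(a & b)
        den += weight * len(a | b)
    return num / den if den else 0.0


def matches(observed, profile):
    """The items at each level that the observation and the profile share."""
    return {level: sorted(observed.get(level, set()) & profile.get(level, set()))
            for level in WEIGHTS}


def rank_candidates(observed, profiles=PROFILES):
    """Profiles ordered from best to worst match, with scores rounded to 3 places."""
    scored = [(name, round(similarity(observed, p), 3)) for name, p in profiles.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for name, score in rank_candidates(OBSERVED):
        print(f"{score:.3f}  {name}  shared={matches(OBSERVED, PROFILES[name])}")
```

A score is a lead, not an attribution: groups borrow each other's tooling and procedures, so the analyst treats the top candidate as a hypothesis to test against the rest of the evidence, and the weights are tuned to how distinctive the profiles in the catalogue actually are.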

How Can VirtualArmour Help?

Security experts like the VirtualArmour team use TTPs to help identify potentially suspicious activities. When a company like VirtualArmour is monitoring your network 24/7/365, one of the things our experts look for are TTPs. TTPs act like fingerprints: Our experts know what sort of patterns to look for and use that vast wealth of knowledge to help sift out potentially suspicious network activity from ordinary, harmless network activity. 

Should an incident occur, our experts can use TTPs to narrow down the list of suspects, potentially identify third parties that may be impacted (for example, if the phishing attack came from a Gmail email address that may mean Gmail has been compromised), and allow our team to trace the route of the attack back through your network, flagging potentially compromised systems for further investigation and identifying how the attacker was able to gain access. Once we have that information, we can work with you to address your security posture’s current shortcomings and help you update your cybersecurity training so your employees are better able to identify potentially suspicious activities such as phishing emails. 

To help keep organizations like yours safe, we offer a variety of managed services and consulting services, including SOCaaS (security operations center as a service). Most SMBs don’t have the budget to maintain a full, in-house security team. VirtualArmour’s SOCaaS offers a cost-effective solution: our full team of cybersecurity experts and analysts acts as an extension of your existing security team, or can supplement staff in IT-light environments, managing and monitoring your network, devices, and digital assets.

VirtualArmour’s SOCaaS premium includes:

  • Managed Detection & Response
  • Enforcing Sanctioned Enterprise Applications
  • Endpoint Security Policies
  • Firewall Rule Management
  • Firewall Configuration
  • Security Incident Investigations
  • Regular Cadence Reporting
  • Identification of Vulnerable Software/Hardware
  • Configuration Auditing for Security Gaps
  • Data Enrichment and Context for Alerts

For more information about TTPs and their importance, or to get started improving your cybersecurity posture, please contact our team today. 

Further Reading

To learn more about cybersecurity and the steps your organization should be taking to improve your cybersecurity posture, please consider reading one of our other educational articles.

General Knowledge

Hacked? Here’s What to Know (& What to Do Next)

Terms & Phrases Used in the Managed IT & Cybersecurity Industries

Leveraging Your MSSP in an “IT Light” Environment

The Ultimate Guide to Managed Threat Intelligence (2020 Edition)

Security vs Compliance: What Are Their Differences?

What is a Managed Security Services Provider (MSSP)?

Tactics, Techniques, & Procedures

In a Remote World, Social Engineering is Even More Dangerous

The Modern Hacker: Who They Are, Where They Live, & What They’re After

Hackers Are Increasingly Targeting People Through Their Phones

How Fear Motivates People to Click on Spam

Ransomware is Only Getting Worse: Is Your Organization Prepared to Confront It?

5 Old-School Hack Techniques That Still Work (& How to Protect Your Data)

Airports are a Hacker’s Best Friend (& Other Ways Users Expose Themselves to Risk)

Everything You Need to Know About Ransomware (2019 Edition)

DNS Spoofing: What It Is & How to Protect Yourself

Don’t Let Phishing Scams Catch You Unaware

Cryptojacking: Because Every Currency Needs to Be Protected

Steps Your Organization Should Be Taking

Building a Cybersecurity Incident Response Program

The SMBs Guide to Getting Started with Cybersecurity

Cyber Hygiene 101: Basic Steps to Keep Your Company Secure

Creating an Agile Workplace: How to Prepare for the Unexpected

Cybersecurity Spring Cleaning: It’s Time to Review Your Security Practices

Keeping Your Network Secure in a “Bring Your Own Device” World

19 Essential Cybersecurity Best Practices

Basic Website Precautions: Keep Intruders Out With These Fundamental Security Best Practices

Industry-Specific Information

Higher Education

Cybersecurity Basics Every College & University Needs to Have in Place


The Ultimate Guide to Cybersecurity in the Healthcare Industry

Healthcare Industry Case Studies


How the Financial Industry Can Strengthen Their Cybersecurity

Financial Industry Case Studies


Cybersecurity for the Manufacturing Industry: What You Need to Know Now


Retail Industry Case Study


Energy Industry Case Studies

Service Providers

Service Provider Case Studies