Has Your Home Network Been Compromised!?


Have you ever wondered if you would notice that your home network was compromised? Attackers can be stealthy, and they may remain undiscovered for long periods of time. Intruders may reside on any of your devices, including routers, access points, mobile phones, notebooks, televisions, or IoT devices. 

What are the indicators of a personal network compromise? What are the possible mitigations? NSA addressed these questions in a recent article. The article was aimed at government workers using Government Furnished Equipment (GFE) to work from home. The reason for choosing this target group is simple: if a government worker connects GFE to a home network that happens to be infected, the malware can take over the appliance and get into the government network. It is therefore worthwhile to educate workers on how to maintain a healthy home network.

However, any skilled user can benefit from this guide. Just a quick warning before we start: If you intend to seek an expert to investigate your compromised network, DO NOT perform these steps. Some of them will destroy the digital traces needed for the investigation. 

Indicators of a personal network compromise 

The following list mentions a few indicators of compromise that are worth noticing. However, observing such an indicator does not necessarily mean your network is compromised; some may even originate from non-malicious activity.

  • Compromised router
    • Changed credentials
    • Different router/SSID connected
  • Compromised devices
    • Devices functioning without user input
      • Camera LED flashing
      • Devices turning on by themselves
      • Cursor moving
    • Malfunctioning antivirus
      • Antivirus not loading at startup
      • Fraudulent browser pop-ups looking like antivirus alerts
    • Heavy memory usage in task manager
    • Fast discharging, overheating
    • Modified system time, browser history/cache
    • Device crashes
    • Advertisements, changed software icons
    • Encrypted files, ransom messages
  • Compromised accounts
    • Login notifications from unknown places and devices
    • Unintentionally sent messages
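The router-level indicators above (a different router or SSID answering, a modified system clock) are easiest to notice when you keep a record of what "normal" looked like. The following is an added example, not code from the post or the NSA article: it compares a saved baseline of the home network with a later snapshot and reports which listed indicators match. The baseline and snapshot values are constructed, and collecting a real snapshot is platform-specific and left out.

```python
import json
from datetime import datetime, timedelta

# Constructed baseline: the healthy network as recorded on a trusted day.
BASELINE = {
    "ssid": "HomeNet",
    "gateway_ip": "192.168.1.1",
    "gateway_mac": "aa:bb:cc:dd:ee:01",
}

# Constructed snapshot taken later; note the gateway MAC and the clock differ.
SNAPSHOT = {
    "ssid": "HomeNet",
    "gateway_ip": "192.168.1.1",
    "gateway_mac": "aa:bb:cc:dd:ee:02",
    "system_time": "2024-05-01T12:00:00+00:00",
}

MAX_CLOCK_DRIFT = timedelta(minutes=5)  # assumed tolerance before flagging


def parse_time(iso_string):
    """Parse an ISO 8601 timestamp (with offset) into an aware datetime."""
    return datetime.fromisoformat(iso_string)


def check_indicators(baseline, snapshot, reference_time):
    """Return (indicator, detail) pairs for the router/device indicators
    listed above. An empty list means nothing was noticed, which is not
    proof that the network is clean."""
    findings = []
    if snapshot["ssid"] != baseline["ssid"]:
        findings.append(("different SSID connected",
                         f"{baseline['ssid']!r} -> {snapshot['ssid']!r}"))
    if (snapshot["gateway_ip"], snapshot["gateway_mac"]) != \
            (baseline["gateway_ip"], baseline["gateway_mac"]):
        findings.append(("different router (gateway) answering",
                         f"{baseline['gateway_mac']} -> {snapshot['gateway_mac']}"))
    drift = abs(parse_time(snapshot["system_time"]) - reference_time)
    if drift > MAX_CLOCK_DRIFT:
        findings.append(("modified system time", f"clock off by {drift}"))
    return findings


def save_baseline(path, snapshot):
    """Record the current state as the new baseline; do this only on a
    network you have just verified (for example after a factory reset)."""
    keep = {k: snapshot[k] for k in ("ssid", "gateway_ip", "gateway_mac")}
    with open(path, "w") as fh:
        json.dump(keep, fh, indent=2)
    return keep


if __name__ == "__main__":
    trusted_now = parse_time("2024-05-01T12:30:00+00:00")  # constructed reference
    for indicator, detail in check_indicators(BASELINE, SNAPSHOT, trusted_now):
        print(f"[!] {indicator}: {detail}")
```

The reference time should come from a source you trust (a known-good device or time server), since a compromised host may report a skewed clock.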

Mitigations for a compromised network 

The following points present you with a succession of steps that you can perform when you want to mitigate the damage or eliminate the threat from your network. We strongly encourage you to perform only actions corresponding to your skill set, otherwise you risk losing data or connectivity. 

  • Compromised router
    • Reboot
    • Reset to factory settings
    • Update software/firmware
    • Change passwords
    • Enable multi-factor authentication
    • Buy your own appliance (do not always rely on the ISP-provided router)
  • Compromised devices
    • Disconnect from the network (to prevent the infection from spreading further)
    • Run an antivirus scan
    • Remove the malware
    • Restore the device to a previously backed-up good state
    • Update the OS and software
    • In case of ransomware, do not pay the ransom (some decryption keys may be available online)
  • Compromised accounts
    • From a trusted device, change the passwords to your accounts
    • Enable multi-factor authentication
    • Require a new sign-in from linked devices
    • Warn your contacts to avoid clicking on links originating from you

You can follow these steps to minimize the damage to your network and devices in case of an incident. Should you have any trouble in performing these steps, do not hesitate to call an expert to help you out.