
How do you know someone is planning a cyberattack on your company? Case analysis and practical tips

Cyberattacks do not appear out of thin air. There are symptoms that should serve as warning signals for you. This text is about those signs. Below, you will find an analysis of several high-profile cases, as well as the alarm signals that could have pre-emptively warned that an attack was being planned.

Where a cyberattack begins - the first traces

Attackers often start with reconnaissance – gathering information about the company, its employees, and its infrastructure.
Signs of such activity include:

  • Unusual network traffic – a high number of port scans or attempts to access services that are not publicly available.
  • Network traffic anomalies generated by malware tools (e.g., SystemBC).
  • Unusual traffic to cloud storage platforms such as MEGA.io, Dropbox, OneDrive, or Google Drive.
  • The use of tools such as Rclone.
  • Uncommon login patterns – a sudden spike in login attempts outside of working hours or from unusual locations.
  • Attempts to use FTP (both successful and failed).
  • An increase in phishing attempts and impersonation calls (pretexting) – intensified attempts to extort credentials or business information.
  • Unusual connections utilizing the SOCKS5 protocol.
  • Suspicious user activities, such as running PowerShell.
  • Detection of reconnaissance tools (Nmap, Nessus, Metasploit) or unusual DNS queries.
  • Alerts from external intelligence – mentions of the organization on dark web forums or in threat intelligence reports.

Case study: Volt Typhoon

Extensive reconnaissance can be analyzed through the actions of the Chinese group Volt Typhoon in their attack on critical infrastructure organizations, as described by CISA.gov in 2024. Before the criminals launched the actual offensive, they analyzed network architecture, security policies, and the habits of users and key administrators. They then used the gathered data to log in with stolen credentials only during working hours to avoid suspicion. Furthermore, their initial access often originated from vulnerabilities in publicly accessible network devices.

Early signals in the network and systems - what to watch for

Unusual traffic and system behavior

Tools monitoring network traffic can detect “leads” – early signs of a possible breach before they turn into a major incident. According to PreyProject, anomalous traffic that should raise vigilance includes:

  • Sudden spikes in bandwidth usage at unusual hours, or encrypted communication with exotic locations.
  • The appearance of scanning patterns in server logs and an increased number of HTTP 404 error queries, indicating vulnerability testing.
  • Unexpected administrative logins or attempts to grant permissions, especially from devices not used on a daily basis.
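Two of the signals listed above (one source touching many ports, and a client producing a burst of HTTP 404s while guessing paths) can be expressed as simple log heuristics. The code below is an added example, not from the article or PreyProject; the log formats, sample lines and thresholds are constructed assumptions.

```python
# Added example (not from the article): two scan-pattern heuristics from the text,
# run over constructed log samples. Formats and thresholds are assumptions.
import re
from collections import defaultdict
# Constructed firewall log: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <action>"
FW_LOG = """\
1700000000 203.0.113.7 -> 10.0.0.5:22 DROP
1700000001 203.0.113.7 -> 10.0.0.5:23 DROP
1700000002 203.0.113.7 -> 10.0.0.5:80 ACCEPT
1700000003 203.0.113.7 -> 10.0.0.5:3389 DROP
1700000004 203.0.113.7 -> 10.0.0.5:8080 DROP
1700000010 198.51.100.9 -> 10.0.0.5:443 ACCEPT
"""

# Constructed web access log: "<client_ip> <status> <path>"
WEB_LOG = """\
203.0.113.7 404 /admin
203.0.113.7 404 /.env
203.0.113.7 404 /wp-login.php
203.0.113.7 200 /
198.51.100.9 200 /index.html
198.51.100.9 404 /favicon.ico
"""
FW_RE = re.compile(r"^(\d+) (\S+) -> \S+:(\d+) \S+$")

def port_scanners(fw_log=FW_LOG, window=60, min_ports=5):
    """Sources that touch >= min_ports distinct ports within `window` seconds."""
    events = defaultdict(list)          # src_ip -> [(timestamp, dst_port)]
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            events[m.group(2)].append((int(m.group(1)), int(m.group(3))))
    flagged = set()
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):    # slide a window starting at each hit
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged

def probing_clients(web_log=WEB_LOG, min_404=3):
    """Clients whose 404 count reaches min_404: a path-guessing pattern."""
    counts = defaultdict(int)
    for line in web_log.splitlines():
        ip, status, _path = line.split(maxsplit=2)
        if status == "404":
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= min_404}
```

In production the thresholds should be tuned per environment (a single bot fetching a missing favicon is not a probe), and the window logic should run incrementally over a stream rather than over a whole file.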

How to effectively detect a cyberattack before it causes damage?

Intrusion Detection Systems (IDS/IPS) and SIEM systems, which analyze traffic and logs in real-time, are essential here. In addition, during the reconnaissance phase, an organization can limit its digital footprint (disabling location, using a VPN), deploy honeypots, and monitor the network for unusual scans and port probing. Detecting contact with deception technology is a clear sign that someone is probing the environment.

Another vital source of information and alerts is User Behavior Analytics (UBA) – unexpected password reset requests, reports of locked accounts, an increasing number of customer complaints regarding phishing from the company domain, or messages from partners about unusual activities linked to your systems are all red flags.

Data leaks: internal threats and case analysis

Cases: insider threats and unauthorized data exfiltration

A threat that cannot be ignored is the insider. Specifically, these are individuals employed within the organization who use legitimate access to obtain data, making them difficult to detect. The case of the company Rippling (March 2025) shows that an employee downloaded sensitive information from tools like Slack or Salesforce for four months; it was only discovered later that they had been searching for data using phrases related to competitors.

The analysis revealed that the systems did not react to unusual search patterns or the increased volume of document downloads. If the company had monitored user activity in real-time and applied behavioral analytics, it could have noticed deviations from the typical work profile and issued a warning early enough.

At Tesla in 2025, junior employees gained access to administrative accounts and created several hundred user accounts, enabling a broad data leak campaign. Adequate identity verification mechanisms were not in place. It was only a log analysis that revealed the unusual hours of activity and the number of accounts being created.

These cases demonstrate how crucial permission monitoring and the early detection of unauthorized administrative actions are: caught early, such deviations can be stopped before they escalate.
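The deviations in the Rippling and Tesla cases (download volume above a user's norm, a burst of account creation at unusual hours) and the Volt Typhoon lesson from earlier (a known credential used during working hours but from a new location) can all be caught by comparing current activity against a per-user baseline. The following is an added example, not code from the article or from any of the companies named; the event format, the 7-19 working-hours window, the sample audit trail and the thresholds are constructed assumptions.

```python
# Added example (not from the article): per-user behavioural baselining over a
# constructed audit trail. Event format, 7-19 working hours and thresholds are assumed.
from collections import Counter, defaultdict
# Constructed audit events: (user, "YYYY-MM-DD HH:MM", action, location)
EVENTS = [
    ("alice", "2025-03-03 09:12", "download", "warsaw"),
    ("alice", "2025-03-04 10:05", "download", "warsaw"),
    ("alice", "2025-03-05 11:40", "download", "warsaw"),
    ("alice", "2025-03-10 10:15", "download", "lisbon"),   # office hours, new place
    ("alice", "2025-03-11 09:00", "download", "warsaw"),
    ("alice", "2025-03-11 09:20", "download", "warsaw"),
    ("alice", "2025-03-11 09:40", "download", "warsaw"),
    ("alice", "2025-03-11 10:00", "download", "warsaw"),   # 4x the daily baseline
    ("bob", "2025-03-05 08:30", "login", "warsaw"),
    ("bob", "2025-03-12 02:10", "create_account", "warsaw"),
    ("bob", "2025-03-12 02:11", "create_account", "warsaw"),
    ("bob", "2025-03-12 02:12", "create_account", "warsaw"),  # mass creation, at night
]

def build_baseline(events, before):
    """Known locations and mean downloads per active day per user, from events before `before`."""
    locs, daily = defaultdict(set), defaultdict(Counter)
    for user, ts, action, loc in events:
        if ts < before:                      # ISO timestamps compare correctly as strings
            locs[user].add(loc)
            if action == "download":
                daily[user][ts[:10]] += 1
    mean = {u: sum(c.values()) / len(c) for u, c in daily.items()}
    return {"locations": locs, "downloads_per_day": mean}

def detect(events, baseline, since, dl_factor=3, create_min=3):
    """Sorted (user, day, reason) flags for events on or after `since`."""
    flags, dl, created = set(), Counter(), Counter()
    for user, ts, action, loc in (e for e in events if e[1] >= since):
        day, hour = ts[:10], int(ts[11:13])
        if loc not in baseline["locations"].get(user, set()):
            flags.add((user, day, "new location"))       # fires even during working hours
        if not 7 <= hour < 19:
            flags.add((user, day, "off-hours activity"))
        if action == "download":
            dl[(user, day)] += 1
        elif action == "create_account":
            created[(user, day)] += 1
    for (user, day), n in dl.items():
        if n > dl_factor * baseline["downloads_per_day"].get(user, 0):
            flags.add((user, day, "download volume"))
    for (user, day), n in created.items():
        if n >= create_min:
            flags.add((user, day, "mass account creation"))
    return sorted(flags)
```

Each flag names the user, the day and the reason so it can be assigned to a responder rather than left as an unread alert.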

Lessons from security reports: what went wrong

Insufficient response to alarms

The Unit 42 Global Incident Response report indicates that in many cases, an attack was possible not because the systems failed to generate warnings, but because those warnings were ignored. A lack of appropriate response or “alert fatigue” meant that suspicious activity was not reported, leading to privilege escalation.

It is not the first time that system notifications and alerts were flashing red while no one did anything about them. A particularly important element of a cybersecurity management system is the people who analyze signals from SIEM or XDR systems in real-time, correlating data from various devices and identities. Based on this, specialists make decisions and act immediately. A week later, there is little left to conclude, and sometimes, little left to save…

Through constant analysis, even the first deviations from the norm – such as unprecedented login locations – can be linked to suspicious network traffic and blocked.

How to effectively react and defend against cyberattacks

  1. Reduce public information about infrastructure and employees; use a VPN and disable geolocation on devices. This makes reconnaissance and the identification of key personnel more difficult.
  2. Deploy IDS/IPS and SIEM systems, use behavioral analytics, and set honeypot traps. Early detection of scans or nmap attempts can warn of an impending attack.
  3. Apply the Zero Trust principle, limit employee permissions to the bare minimum, and require Multi-Factor Authentication (MFA). Network segmentation and micro-segmentation hinder the takeover of further assets if security is breached.
  4. Monitor anomalies in employee and system behavior – sudden increases in data downloads, logins from new locations, or attempts to modify permissions. This may indicate an insider or a compromised account.
  5. Regularly train employees to recognize phishing and suspicious phone calls, and to report unusual events. Early reports are often the most valuable source of information.
  6. Ensure that every signal is analyzed and assigned to a person responsible for the response. Automation and categorization of alerts reduce fatigue and improve efficiency.

Preparations for a cyberattack leave traces. If you know where to look, you can prepare for it. Observe anomalies in network traffic, unusual user behavior, and an increase in social engineering attempts. Case analyses like Rippling or Tesla teach us that the most important thing is the rapid detection of deviations from the norm and drawing conclusions from minor warnings. Implementing the right monitoring tools, response procedures, and employee education will allow you to recognize in time that someone is planning an attack on your company.

FAQ - Frequently Asked Questions

Does a cyberattack always leave traces?

Yes. Every phase of an attack (reconnaissance, exploitation, escalation) leaves traces in logs, network traffic, and user behavior.

Yes. Insider threats are a real danger. Employees can abuse their privileges to leak data.

Report the incident to the IT/CSIRT team, secure the logs, isolate suspicious systems, perform an analysis, and implement an incident response plan.

Segment your network, use MFA, monitor traffic, educate employees, implement a Zero Trust policy, and analyze every alert.

Apply the Zero Trust principle, regularly audit permissions, monitor systems, teach employees how to respond to suspicious events, and use up-to-date security solutions.

Reconnaissance before a cyberattack can last from several days to even several months – especially in the case of advanced APT groups that aim to remain undetected for as long as possible.

The most vulnerable companies are in the financial, healthcare, and energy sectors, as well as SMEs without extensive IT departments. In recent years, the number of cyberattacks on the education sector and public administration has also increased.
