Checking systems for signs of compromise

FacebooktwitterredditlinkedinmailFacebooktwitterredditlinkedinmail

Almost all IT professionals at some time in their career have faced the question of whether or not a system they are responsible for has been compromised, and many people face this worry with their own tech as well. ITS Information Assurance (IA) provides help checking UM-owned systems and guidance that can be useful for checking any computer.

If a system contains sensitive U-M data and you suspect it has been compromised, report it immediately to ITS IA at security@umich.edu. If the situation is urgent, please indicate that clearly in your report.

Do not install or alter software on your system while waiting for IA to respond! Disconnect the system from any networks by unplugging the ethernet cord or turning off the WiFi.

CrowdStrike Falcon and detection on U-M computers

If the system in question is a UM-owned computer and has CrowdStrike Falcon endpoint protection installed, contact your unit’s Falcon administrator. Your unit’s Falcon admin can check for detections or incidents for the system and may also suggest a course of action and contact ITS Information Assurance (IA) for more assistance.

If you have U-M systems that do not yet have Falcon installed, contact your unit Falcon administrator or ITS IA for assistance getting it installed. Not sure who your Falcon admin is? Contact your Security Unit Liaison (SUL) to find out.

What to look for if you suspect your system has been compromised

Start by checking system and software logs for the following components to be sure they are running as expected and there are no unexpected configuration changes to them:

  • Endpoint protection, antivirus, and/or malware detection software
  • Network activity
  • Changes to the operating system or files and directories
  • Unexpected changes, including to protections like firewalls

Be sure to check your endpoint protection, antivirus, and malware detection software logs for any alerts to possible problems after they have run.

Checking Systems for Signs of Compromise covers these points and more to help you know when you could be facing a potential IT security incident. If you need assistance with checking a system, ITS IA is there to help! Contact IA through the ITS Service Center.