SC-730 Part 2b: Identify Threats & Verify Email Safety (30–35%, Part 2)

Part 2b: Detection and Verification

Now that you know the risks and tactics (Part 2a), Part 2b teaches you to RECOGNIZE signs of compromise and verify the legitimacy of communications before trusting them.

Core skill: You won't catch every phishing email, but you can reduce damage by recognizing malware symptoms, insider threat behavior, and suspicious emails before they cause harm.

Recognize Signs of Malware Infection

System Symptoms Indicating Malware

Malware infections often progress silently for weeks before detection. By then, thousands of credentials may be stolen, files encrypted, or systems compromised. Early detection is critical. If your computer exhibits ANY of these symptoms, assume malware infection until proven otherwise. These symptoms rarely occur for legitimate reasons.

  • System runs very slowly (sluggish): Malware consumes CPU, memory, and disk resources for its own purposes: mining cryptocurrency, processing stolen data, sending spam/phishing emails, or participating in botnet attacks. Legitimate system processes are starved of resources. Users typically notice: applications take 30 seconds to open, typing lags, file saves hang. A previously fast system that becomes slow right after visiting a suspicious website is a high-risk indicator.
  • Constant pop-ups or ads: Adware and scareware malware inject ads and fake warning messages into web pages. Unlike normal ads, these cannot be closed. New ads appear every few seconds. Attackers profit per ad displayed. Clicking ads often downloads more malware.
  • Unexpected toolbars in browser: Browser hijacker malware modifies browser settings. New toolbars appear (Ask toolbar, Conduit toolbar, etc.). Search engine is redirected to attacker's site. Attacker tracks your clicks for targeted ads or data harvesting. Some variants prevent you from uninstalling the toolbar.
  • Antivirus software disabled or warnings disabled: Ransomware immediately disables Windows Defender and antivirus before encrypting files. Spyware disables antivirus to avoid detection. You cannot re-enable it. This is one of the strongest indicators of active infection. IT should investigate immediately.
  • New user accounts created (you didn't create): Backdoor malware creates new admin account for attacker persistence. Attacker can log in later via RDP (Remote Desktop) even if you remove malware. Check Control Panel > User Accounts > Manage other accounts. Unknown accounts = forensic evidence.
  • Unusual network activity: Malware communicates with command-and-control servers, sends stolen data, or participates in botnet attacks. Indicators: network light flickering constantly, data usage spikes for no reason, internet becomes unusably slow even though you're not browsing. Network monitoring shows traffic to unknown IPs.
  • Files modified, deleted, or inaccessible: Ransomware encrypts your files (you see .locked, .encrypted, .cerber extensions). Spyware steals files or exfiltrates them. You can open some files, others give "access denied" errors. Files suddenly require password you didn't set.
  • Frequent crashes, blue screens, or restarts: Rootkit malware corrupts system files. Resource exhaustion causes kernel panic. Malware installation corrupts drivers. Device becomes unstable: spontaneous restarts (sometimes hourly), error messages on boot, system refuses to shut down cleanly.
Malware Symptom Decision Tree: Detect and Respond (figure). Unusual behaviour? If YES, match the symptom group:
  • Performance (very slow system, fan always loud, frequent crashes): likely a cryptominer or rootkit using your resources
  • Visual (constant pop-ups, unknown toolbars, browser redirects): likely adware or a browser hijacker injecting ads
  • Security (antivirus disabled, new unknown accounts, files encrypted/locked): likely ransomware or spyware stealing/locking data
  • Network (unusual traffic spikes, slow internet, unknown outbound IPs): likely a botnet or Trojan sending data to the attacker
Immediate action (all symptom groups lead here): 1. Disconnect from the network (unplug ethernet / disable Wi-Fi). 2. Do NOT restart or try to fix it yourself. 3. Report to the IT Help Desk immediately with screenshots of the symptoms.
Any malware symptom category leads to the same response: disconnect, preserve, report.
Incident Response: If you suspect malware:
  (1) Disconnect the device from the network immediately (unplug the ethernet cable or turn off Wi-Fi). This stops data exfiltration and botnet commands.
  (2) Notify your IT Help Desk or Security team immediately. Include when you first noticed symptoms.
  (3) Do NOT restart the device (this may trigger ransomware to accelerate encryption). Do NOT attempt to remove malware yourself.
  (4) Preserve evidence: take screenshots of symptoms before assistance arrives.
IT will perform forensic analysis to determine: infection source, extent of compromise, stolen data, and recovery path.

Recognize Insider Threat Indicators

Suspicious Behaviors and Patterns

Insider threats are people with legitimate access who abuse it. Watch for patterns:

  • Unusual access patterns: Employee normally accesses marketing files. Suddenly accessing HR payroll, legal contracts, proprietary research. Why? Investigate.
  • Large data downloads/transfers: Employee downloads 50GB of customer data on Friday night before leaving company. Obvious exfiltration.
  • Printing sensitive documents: Finance employee printing customer credit card data or proprietary financial models on a home printer (leaves a trail).
  • Shared accounts or credential sharing: Insider shares password with external friend/contractor to grant them access. Bypasses audit trails and accountability.
  • Disgruntled behavior or termination notice: Employee announces departure or conflict. Suddenly starts downloading sensitive data (retribution, theft). High-risk period.
  • Failed login attempts: Employee trying to log into other departments' systems they have no business accessing. Detected by logs and alerts.
  • Privilege escalation attempts: Employee tries to elevate permissions above their role (requesting admin rights, changing access policies).
  • External communications: Employee emailing sensitive information to personal email, uploading to personal cloud storage, forwarding to external recipients.

Why this matters: Insider threats cause 60% of data breaches. They have legitimate access, so perimeter firewalls can't stop them. Detection relies on access logs, unusual patterns, and behavioral red flags.

Scenario: You notice a colleague downloading massive amounts of data the day before they're being laid off. What should you do? Answer: Report to your manager or security team immediately. This is classic pre-termination exfiltration. It requires investigation and possible evidence preservation.
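The access-log detection the section says insider-threat programs rely on, as an added example (not part of the SC-730 materials): it baselines which resource categories each user normally touches, then flags unusual access, large transfers and off-hours activity in newer events. The log lines, the 10 GiB threshold and the 07:00-19:59 working window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not from the page): timestamp, user, action, resource category, bytes.
BASELINE = [
    "2024-03-01T10:05 alice read marketing 20000",
    "2024-03-02T11:20 alice read marketing 15000",
    "2024-03-03T09:00 alice read marketing 30000",
    "2024-03-01T10:00 bob read engineering 8000",
]
RECENT = [
    "2024-03-08T22:40 alice read hr_payroll 400000",
    "2024-03-08T23:10 alice download customer_db 53687091200",
    "2024-03-08T09:15 bob read engineering 9000",
]
LARGE_TRANSFER = 10 * 2**30      # assumption: flag any single event moving 10 GiB or more
WORK_HOURS = range(7, 20)        # assumption: 07:00-19:59 counts as normal working hours

def parse(line):
    ts, user, action, category, size = line.split()
    return datetime.fromisoformat(ts), user, action, category, int(size)

def baseline_categories(lines):
    """Map each user to the set of resource categories they normally access."""
    seen = defaultdict(set)
    for ts, user, action, category, size in map(parse, lines):
        seen[user].add(category)
    return seen

def detect(baseline_lines, recent_lines):
    """Return (user, reason) pairs for events matching the page's insider indicators."""
    normal = baseline_categories(baseline_lines)   # unknown users get an empty baseline
    alerts = []
    for ts, user, action, category, size in map(parse, recent_lines):
        if category not in normal[user]:
            alerts.append((user, "unusual access: " + category))
        if size >= LARGE_TRANSFER:
            alerts.append((user, "large transfer: %d GiB" % (size // 2**30)))
        if ts.hour not in WORK_HOURS:
            alerts.append((user, "off-hours activity at " + ts.strftime("%H:%M")))
    return alerts
```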

Recognize Abnormal System Behavior

Signs Your System May Be Compromised

Beyond obvious malware, compromised systems exhibit subtle abnormalities:

  • Fan running constantly/loudly: CPU working hard (mining malware, background processes, ransomware encryption). Fan at max trying to cool.
  • Unresponsive to input: You type, but character appears 10 seconds later. System is busy with malware tasks, not responding to you.
  • Battery draining rapidly: Laptop battery dies in 2 hours instead of 8. Malware consuming power (GPU mining, continuous encryption).
  • Device overheating: Laptop too hot to touch. Hardware working at max. Malware resource consumption.
  • Error messages or warnings: Constant OS warnings, corrupted file system messages, unfamiliar security warnings (scareware trying to trick you into paying).
  • Corrupted files or file system errors: Can't access normal files, directories missing, file extensions changing (.doc becomes .encrypted).
  • Disk is full (no obvious reason): Malware storing stolen data, temporary encryption files, backup copies consuming space.
  • Cannot update OS or antivirus: Malware blocks updates to prevent detection/removal.
Important: If you suspect compromise, back up important personal files immediately (to an external drive, not cloud storage synced to the infected system). Then notify IT for professional recovery/forensics.

Verify Email Legitimacy and Attachments

Red Flags in Emails

Email is the #1 attack vector. Learn to spot suspicious emails BEFORE clicking:

  • Suspicious sender address: Email claims to be from "CEO@company.com" but the sender is "ceo@company-finance.biz" (a lookalike domain, not company.com). Or a completely different domain (amaz0n-verify.com instead of amazon.com).
  • Misspellings in sender name: "Microsft Support", "Amaz0n", "Gogle". Attackers count on typos going unnoticed. Legitimate companies spell their own names correctly.
  • Urgent tone and threats: "Act NOW or account locked!", "Verify immediately or suspended!", "Claim reward before expires!". Urgency bypasses critical thinking.
  • Generic greetings: "Dear Customer", "Hello Friend", "User". Legitimate emails usually have your name (they have your profile data).
  • Unusual requests: CEO asking for wire transfer via email? Asking for your password? Asking for MFA codes? RED FLAG. Legitimate requests go through proper channels with documentation.
  • Mismatched branding: Email claims to be from Microsoft but logo is low-res, colors off, formatting wrong. Quick visual inspection catches obvious fakes.
  • Reply-to address doesn't match sender: Email from "ceo@company.com" but reply-to is "attacker@gmail.com". Intentional mismatch so replies go to attacker.

Phishing links are designed to deceive you. Before clicking:

  • Hover over link (don't click yet): Look at actual URL destination, not link text. Link says "Click here to verify account" but URL is "evilsite.ru/stealbankinfo.php"? That's phishing.
  • URL obfuscation: Attacker uses tricks: "http://amazon.com@attacker.com" (looks like Amazon but isn't: everything before the "@" is treated as a username and the browser connects to attacker.com), "http://amaz0n.com" (0 instead of o), shortened URL "bit.ly/xyz" (hides real destination).
  • Homographs: "rn" looks like "m", "0" (zero) looks like "O" (letter). Domain "amaz0n.com" looks like "amazon.com" to the human eye but resolves to the attacker's server.
  • HTTPS spoofing: Phishing site uses HTTPS with a valid certificate (looks secure with the lock icon). Don't trust HTTPS alone; verify the URL carefully.
Safe way to access accounts: Don't click email links to reach bank/email/account login. Instead: manually type the URL ("www.microsoft.com"), use bookmark, or use official app. This bypasses phishing links entirely.

Suspicious Attachments

Malware is often delivered via email attachments:

  • Unexpected attachments: Colleague sends email with attachment, but you didn't request it and it's not normal for them to send. Verify with colleague directly (not by replying to the email): "Did you send me this file?"
  • Executable files (.exe, .com, .scr, .bat, .cmd): These run code immediately. Never download/open unless absolutely certain (and from a trusted source). Especially dangerous are .exe files pretending to be documents (.pdf.exe).
  • Macro-enabled documents (.docm, .xlsm): Macros can execute code. Attackers use this for malware delivery. Be extremely suspicious.
  • Archive files (.zip, .rar, .7z): Often contain executables or scripts. Don't extract unless you know what's inside.
  • Double extensions (.pdf.exe, .invoice.pdf.exe): File is actually .exe (executable) but appears to be .pdf (document) to a casual observer. Windows hides extensions by default; enable "Show file extensions" to see the truth.
Safe attachment handling: If unsure about an attachment, ask the sender via phone or known messaging (not an email reply; the sender might be spoofed). "I received an attachment from your email address. Did you send it?" If they didn't, it's phishing.
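The sender, link and attachment checks above, turned into a small Python checker as an added example (not code from the SC-730 materials). The message it parses is constructed; the digit-for-letter host regex and the risky-extension list are assumptions that cover only the cases this page lists, and URL shorteners are not checked.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the page) showing several red flags at once.
RAW_EMAIL = """\
From: "CEO" <ceo@company.com>
Reply-To: attacker@gmail.com
Content-Type: text/plain

Dear Customer, verify at http://amazon.com@attacker.com/login now.
"""
RISKY_EXT = dict.fromkeys(["exe", "com", "scr", "bat", "cmd"], "executable")
RISKY_EXT.update({"docm": "macro-enabled", "xlsm": "macro-enabled",
                  "zip": "archive", "rar": "archive", "7z": "archive"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def check_url(url):
    authority = url.split("://", 1)[1].split("/", 1)[0]
    host = authority.rpartition("@")[2].lower()   # the real host is what follows the last '@'
    flags = []
    if "@" in authority:
        flags.append("userinfo trick, real host is " + host)
    if re.search(r"[a-z][01][a-z]", host):        # heuristic: amaz0n.com, paypa1.com
        flags.append("digit-for-letter lookalike host " + host)
    return flags

def check_attachment(name):
    parts = name.lower().split(".")
    flags = []
    if parts[-1] in RISKY_EXT:
        flags.append(RISKY_EXT[parts[-1]] + " attachment " + name)
    if len(parts) > 2 and parts[-1] in RISKY_EXT:  # invoice.pdf.exe hides the real type
        flags.append("double extension " + name)
    return flags

def check_email(raw):
    msg = message_from_string(raw)
    sender, reply = (parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower() for h in ("From", "Reply-To"))
    flags = []
    if reply and reply != sender:
        flags.append("Reply-To domain " + reply + " differs from sender " + sender)
    for part in msg.walk():                        # a single-part message yields itself
        if part.get_filename():
            flags += check_attachment(part.get_filename())
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_payload(decode=True).decode()):
                flags += check_url(url)
    return flags
```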

Key Takeaways from Part 2b

Malware leaves system symptoms: slowness, pop-ups, disabled antivirus, unusual network activity. Recognize them.

Insider threats are dangerous because they have legitimate access. Unusual access patterns and large downloads are red flags.

Email is the #1 attack vector. Verify sender address, check for urgency/threats, hover over links before clicking, be suspicious of unexpected attachments.

Don't click email links to reach sensitive accounts. Type URL manually, use bookmarks, or use official apps. This bypasses phishing entirely.

Ready for Part 3?

You've learned the threats and how to detect them. Part 3 teaches you the defensive controls: how to secure your devices, accounts, and data.

Continue to Part 3a: Device & Data Security