By: Inversion6

Threat Hunting: Identifying and Resolving Cyber Vulnerabilities

Cyber vulnerabilities run deep — often beyond the ability of many security solutions to detect them. Here are two threat hunting solutions that can help.


When It Comes to Cyber Vulnerabilities, Being Proactive is Key

Year after year, cyberattacks result in significant losses for large and small businesses alike. In 2019 alone, losses incurred from cyberattacks have already surpassed $2 trillion, with that figure expected to reach $6 trillion by 2021. Most cyberattacks are targeted at small businesses, which invest far less in cybersecurity, resulting in more catastrophic damage and loss of data for their customers and for the companies themselves.

With billions of websites online today, it can be easy for organizations to assume that there is safety in numbers, and that business can continue as usual because only the big names are the ones we hear about in the news. Sadly, per the Internet Crime Complaint Center (IC3) under the FBI, only 10–12 percent of cybercrimes are reported. And that’s just in the U.S.; globally, the reality of the situation is far worse. Now more than ever is the time to make the shift from being reactive to being proactive when it comes to your cyber vulnerabilities.

Identify Cyber Vulnerabilities with Threat Hunting

To be truly proactive, organizations must be on the hunt for vulnerabilities before they reveal themselves and cause significant damage. Threat hunting is the practice of doing exactly that. In threat hunting, organizations evaluate their networks for the presence of indicators of compromise (IoCs) — signs of potentially malicious activity within a network. This can range from an unauthorized user presence to some other activity revealing an attacker’s movement.

These hints of malicious activity are what threat hunting most often finds, and they are just part of an ongoing series of efforts by cybercriminals to access a network and accomplish their goals. However, it’s not only networks that are at risk. Attackers can target anything from endpoints (user devices like phones, tablets, computers, or other handheld devices) to entire cloud applications, exploiting weaknesses in these systems or using manipulation, deception, and other tactics aimed at users themselves.

To combat this, Lockheed Martin developed the Cyber Kill Chain — a methodology designed to identify the steps that attackers must follow in order to complete their goal(s). Consisting of seven steps, the Cyber Kill Chain helps security analysts understand how cybercriminals think, plan their attacks, and ultimately execute their malicious plan within a target environment. This is a great foundation for any cybersecurity strategy, and as we’ll discuss later, MRK builds upon this methodology with our unique approach to threat hunting. But first, let’s review two threat hunting solutions used in identifying cyber vulnerabilities.

Identifying Cyber Vulnerabilities with User and Entity Behavior Analytics

User and entity behavior analytics (UEBA) is both a security solution and a process. With UEBA, advanced tools such as LogRhythm allow organizations to understand employees’ activity within their networks. This activity is monitored on a day-to-day basis with normal activity identified and any unusual patterns reported immediately. 

For example, it is well within the realm of possibility that an employee could be bribed or intimidated into providing a cybercriminal with access to your network (if their account isn’t accessed by other means already). If that employee typically downloaded only 25 MB worth of data over the course of a workday, and then suddenly began downloading hundreds of GB worth, UEBA would identify that unusual pattern and sound the alarm.
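The download-volume case above, sketched as an added example (it is not from the original post and does not represent how LogRhythm or any other UEBA product works). Each user is scored against their own baseline using the median and median absolute deviation; the user names, daily totals, `MIN_DAYS` and `THRESHOLD` are constructed assumptions.

```python
from statistics import median

# Constructed sample data: daily download totals in MB per user (not real logs).
HISTORY_MB = {
    "alice": [22, 25, 27, 24, 26, 23, 25, 28, 24, 25],
    "bob": [900, 1100, 950, 1200, 1000, 1050, 980, 1150, 990, 1020],
}

MIN_DAYS = 7      # assumed: minimum history before a baseline is trusted
THRESHOLD = 6.0   # assumed: robust score above which a day is flagged


def robust_baseline(values):
    """Return (median, spread); MAD resists skew from a few unusual days."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # 1.4826 scales MAD to be comparable with a standard deviation.
    # The floor keeps a perfectly flat history from producing a zero spread.
    return med, max(1.4826 * mad, 0.05 * med, 1.0)


def score_day(user, today_mb, history=HISTORY_MB):
    """Score today's volume against the user's own baseline, not a global one."""
    past = history.get(user, [])
    if len(past) < MIN_DAYS:
        # New or rarely seen accounts cannot be judged by deviation alone.
        return {"user": user, "verdict": "insufficient_history", "score": None}
    med, spread = robust_baseline(past)
    score = (today_mb - med) / spread
    verdict = "alert" if score > THRESHOLD else "normal"
    return {"user": user, "verdict": verdict,
            "score": round(score, 1), "baseline_mb": med}


if __name__ == "__main__":
    for user, mb in [("alice", 30), ("alice", 300_000), ("bob", 1300),
                     ("alice", 1300), ("carol", 10)]:
        print(score_day(user, mb))
```

The same 1,300 MB day is normal for one account and an alert for the other, which is why the baseline is kept per user.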

These user behavior analytics for security are not meant to be a standalone solution. Rather, they’re meant to be complementary to other security systems and processes you already have in place. This ensures you have an extra layer of protection that’s watching the flow of activity throughout your network, whereas other solutions might be watching for other potential security threats apart from your employees’ everyday activity.

Using East-West Traffic Security to Find Cyber Vulnerabilities

As more and more companies explore technology solutions such as virtualization and shift from on-premises hardware to on-demand solutions, complexity lessens — but cyber vulnerabilities increase. This is because the various systems, devices, and functions that companies now rely on are relaying data to one another rapidly across multiple servers within a data center. 

While there are solutions for dealing with the resulting traffic and latency issues that often come with this, what is often not considered is the security of this data transfer environment. Servers are the foundation of the data center, and the data being relayed passes from one to the other (hence the term east-west; north-south traffic would be data passing out of the data center). Many security solutions and professionals often focus on the north-south traffic, as that represents data coming into the network. However, it’s just as important to protect data already moving around within the network.

The reasons for this include the potential for insider threats — i.e., employees who have mishandled login information, been bribed to provide access, or are otherwise “going rogue” with company data. Additional risks include the possibility of malware having entered the network externally without being identified. Once present, it can quickly begin to wreak havoc unbeknownst to other security solutions. East-west traffic security can help to identify these threats within your network at the first onset of any suspicious activity.
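To make the east-west and north-south distinction concrete, here is an added example (not from the original post or any vendor product) that classifies flow records by direction and reports server-to-server conversations missing from an expected baseline. The address range, baseline pairs and flow records are constructed assumptions.

```python
import ipaddress

# Assumed data-center address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed baseline of expected server-to-server conversations:
# (source, destination, destination port).
BASELINE = {
    ("10.20.1.10", "10.20.2.20", 5432),  # web tier -> database
    ("10.20.1.10", "10.20.3.30", 6379),  # web tier -> cache
}

# Constructed flow records: (source, destination, destination port, bytes).
FLOWS = [
    ("10.20.1.10", "10.20.2.20", 5432, 48_000),
    ("203.0.113.7", "10.20.1.10", 443, 12_000),
    ("10.20.3.30", "10.20.2.20", 445, 9_500_000),
    ("10.20.1.10", "198.51.100.9", 443, 3_000),
]


def is_internal(addr):
    """True when the address falls inside the assumed data-center ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(src, dst):
    """east-west: both ends inside the data center; north-south: one end outside."""
    inside = (is_internal(src), is_internal(dst))
    if all(inside):
        return "east-west"
    return "north-south" if any(inside) else "external"


def unexpected_east_west(flows, baseline=BASELINE):
    """Return internal flows whose (src, dst, port) is not in the baseline."""
    return [
        {"src": src, "dst": dst, "port": port, "bytes": nbytes}
        for src, dst, port, nbytes in flows
        if classify(src, dst) == "east-west" and (src, dst, port) not in baseline
    ]
```

A perimeter-only view would see just the two north-south records here; the cache-to-database flow on port 445 never crosses the edge.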

Taking Threat Detection of Cyber Vulnerabilities One Step Further

At Inversion6, we’ve built a best-in-class solution utilizing the steps of the Cyber Kill Chain while adding additional proactive measures for enhanced threat detection. Our approach consists of actively searching for threats in the environment based on intelligence, analyst instinct, machine learning, and behavioral anomaly cues. This process helps to detect unusual or malicious activity on the network, on an endpoint, or in a cloud application.

Our Managed Security Services Provider (MSSP) program provides ongoing monitoring, detection, and resolution of any threats present in your system. Our team acts as an extension of yours to work with the technology you already own while supplementing it with advanced solutions to further protect your company, employees, and customers. 

To learn more about MSSP, fill out the form below, and our expert team of chief information security officers (CISOs) will be in touch with you to learn more about your challenges and discuss solutions.
 

Post Written By: Inversion6
Inversion6 and our team of CISOs are experts in information security, storage, and networking solutions. We work alongside your team to implement technology solutions that are smart, flexible, and customized to fit your needs.
