
Cyber Hunting: The next step in network protection

Written by Nick Jesi, CISA

Vulnerability assessments and penetration testing may uncover areas where hackers can break in, but what if they are already there? Cyber Hunting is a proactive strategy to identify whether anyone is already on your network, rather than waiting for an actual breach to occur. Most breaches occur weeks or even months after the attacker gets a foothold on the network, so if you can find them before they unleash their payload on your environment, you can potentially save your institution time, money, and reputational damage.

Proactive versus Reactive

It all starts with understanding what is normal versus abnormal activity on your network. Many advanced endpoint solutions can help identify anomalous activity. You also need a fully integrated security information and event management (SIEM) system to correlate data across all systems on the network. Once the endpoint solution is in place, establish a baseline: you need to know what type of activity is expected and normal. Correlating this information across all systems on the network will help identify the anomalies worth digging into further.

Identifying Anomalies

Now that you have identified your normal baseline and the anomalies on the network, you need to start thinking like an attacker. The hunt can begin! It starts with mapping out attacker tactics and techniques so you can see what a potential attacker may do to exploit your network. This should include looking into the anomalous activity, identifying increased traffic between machines, reviewing account lockout information, and analyzing off-hour activity.
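The two steps above (establish a baseline, then hunt for the specific anomaly classes the article names) can be expressed as a small, runnable check. The following is an added example, not code from the article or from Wolf & Company: it builds a per-day host-to-host traffic baseline from a "known normal" period, then flags pairs of machines talking more than usual or for the first time, accounts locked out in bursts, and activity outside business hours. The host names, user names, timestamps and thresholds are all constructed sample values; a real hunt would feed SIEM exports into the same functions.

```python
"""Baseline-then-hunt over constructed log events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Event record: (iso_timestamp, kind, actor, target)
#   kind "conn"    -> actor = source host, target = destination host
#   kind "logon"   -> actor = user,        target = host logged onto
#   kind "lockout" -> actor = user,        target = host reporting the lockout
BASELINE = [  # constructed: three quiet weekdays of normal traffic
    ("2024-03-04T09:10:00", "conn", "ws-101", "file-srv"),
    ("2024-03-04T09:12:00", "conn", "ws-101", "file-srv"),
    ("2024-03-04T10:00:00", "conn", "ws-102", "file-srv"),
    ("2024-03-05T09:11:00", "conn", "ws-101", "file-srv"),
    ("2024-03-05T09:15:00", "conn", "ws-101", "file-srv"),
    ("2024-03-05T11:30:00", "conn", "ws-102", "file-srv"),
    ("2024-03-06T09:05:00", "conn", "ws-101", "file-srv"),
    ("2024-03-06T09:40:00", "conn", "ws-101", "file-srv"),
    ("2024-03-06T14:00:00", "conn", "ws-102", "file-srv"),
]
HUNT_WINDOW = [  # constructed: one day being hunted (a Monday)
    ("2024-03-11T09:08:00", "conn", "ws-101", "file-srv"),
    ("2024-03-11T09:09:00", "conn", "ws-101", "file-srv"),
    ("2024-03-11T10:00:00", "logon", "asmith", "ws-101"),
    ("2024-03-11T02:00:00", "logon", "jdoe", "ws-102"),
    ("2024-03-11T02:01:00", "conn", "ws-102", "file-srv"),
    ("2024-03-11T02:02:00", "conn", "ws-102", "file-srv"),
    ("2024-03-11T02:03:00", "conn", "ws-102", "file-srv"),
    ("2024-03-11T02:04:00", "conn", "ws-102", "file-srv"),
    ("2024-03-11T02:05:00", "conn", "ws-102", "file-srv"),
    ("2024-03-11T02:06:00", "conn", "ws-102", "dc-01"),
    ("2024-03-11T02:07:00", "lockout", "svc_backup", "dc-01"),
    ("2024-03-11T02:08:00", "lockout", "svc_backup", "dc-01"),
    ("2024-03-11T02:09:00", "lockout", "svc_backup", "dc-01"),
    ("2024-03-11T02:10:00", "lockout", "svc_backup", "dc-01"),
]


def _date(ts):
    return ts[:10]  # "YYYY-MM-DD"


def build_traffic_baseline(events):
    """Per (src, dst) pair: (mean, std-dev) of daily connection counts.
    Days on which a pair was silent count as zero; otherwise the baseline
    would overstate how chatty a rarely used pair normally is."""
    days = sorted({_date(ts) for ts, kind, _, _ in events if kind == "conn"})
    per_day = defaultdict(Counter)  # (src, dst) -> {date: count}
    for ts, kind, src, dst in events:
        if kind == "conn":
            per_day[(src, dst)][_date(ts)] += 1
    return {pair: (mean([c.get(d, 0) for d in days]),
                   pstdev([c.get(d, 0) for d in days]))
            for pair, c in per_day.items()}


def find_traffic_anomalies(baseline, events, sigma=3.0, min_delta=2):
    """Pairs whose count in the hunt window exceeds the baseline mean by at
    least `sigma` standard deviations AND by at least `min_delta` connections
    (so a flat, zero-variance baseline does not fire on one extra connection),
    plus any pair never seen at all during the baseline period."""
    counts = Counter((src, dst) for _, kind, src, dst in events if kind == "conn")
    findings = []
    for pair, n in sorted(counts.items()):
        if pair not in baseline:
            findings.append((pair, n, 0, "never seen in baseline"))
            continue
        avg, sd = baseline[pair]
        if n - avg >= max(sigma * sd, min_delta):
            findings.append((pair, n, avg, "above baseline"))
    return findings


def find_lockout_bursts(events, max_per_hour=3):
    """Accounts locked out more than `max_per_hour` times within one clock hour."""
    per_hour = Counter()
    for ts, kind, user, _ in events:
        if kind == "lockout":
            per_hour[(user, ts[:13])] += 1  # ts[:13] = "YYYY-MM-DDTHH"
    return sorted((user, hour, n) for (user, hour), n in per_hour.items()
                  if n > max_per_hour)


def find_off_hours_activity(events, start_hour=7, end_hour=19):
    """Any event on a weekend or outside [start_hour, end_hour) local time."""
    hits = []
    for ts, kind, actor, target in events:
        t = datetime.fromisoformat(ts)
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            hits.append((ts, kind, actor, target))
    return hits


def hunt(baseline_events, window_events):
    """Run all three checks and return the findings as one report."""
    baseline = build_traffic_baseline(baseline_events)
    return {
        "traffic": find_traffic_anomalies(baseline, window_events),
        "lockouts": find_lockout_bursts(window_events),
        "off_hours": find_off_hours_activity(window_events),
    }


if __name__ == "__main__":
    for section, items in hunt(BASELINE, HUNT_WINDOW).items():
        print(section)
        for item in items:
            print("  ", item)
```

The interesting design choice is the `min_delta` floor in `find_traffic_anomalies`: a baseline built from a few very regular days has a standard deviation of zero, so a pure "three sigma" rule would flag a single extra connection. Requiring an absolute margin as well keeps the hunt focused on the pair that really changed (here, ws-102 talking to the file server five times at 2 a.m. and reaching a domain controller it never touched before), which is exactly the kind of lead the SIEM correlation described above is meant to surface.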

Found it! Now what?

Bam! You found something on your network that should not be there and, fortunately, it is still dormant. The first step is to enact your incident response plan. Success! You isolated the threat, deployed countermeasures and stopped it from performing any attacks. Unfortunately, that doesn't mean you're done. You need to continually monitor your network and keep hunting.

By employing Cyber Hunting techniques, you are taking steps to reduce the potential for reputational and financial damage stemming from a future breach. This proactive approach uses the procedures and tools that you may already have to identify anomalies. Once you have identified a possible intrusion, you can take action to remedy it and prevent further attacks on your systems. Stay safe and happy hunting!

For more information on cybersecurity assessments, vulnerability scanning, penetration testing, and overall network hardening, please reach out to Nick Jesi, IT Assurance Supervisor, at njesi@wolfandco.com or 617-933-3373.