
When Intrusion Detection isn’t enough, how do you protect your network?

You've got a firewall, you've got an intrusion detection/prevention system (IDS/IPS), and you've even got a SIEM. But all of these wait for something to happen: a signature matches, a rule fires, a log line arrives. What do you do if you want to find an intruder who has already slipped past those controls, or spot the warning signs before the attack succeeds? How can you be prepared for something you don't know is coming, or don't know how it will arrive?

Cyber threat hunting

You need to start being proactive, not just reactive. You need to go looking for threats before they move laterally around your network and before they start hiding their tracks. You need cyber threat hunting.

What can I do?

There are of course vendors that make products to help you, consultants that can help you figure out your weak points (such as RDAIT), as well as training and tactics to strengthen your team.

Products such as Carbon Black and Sqrrl are built for this, but there are things you can do on your own too.

Do you really need to allow that?

A simple first step is to ask yourself whether you really need to allow those services into your network. That means blocking at the perimeter, but also blocking between internal segments and on the way out. Never allow open access from one place to another: identify all the traffic your network actually needs, permit that explicitly, and block everything else. Before you flip a segment to default-deny, replay the flows you have already observed against the proposed allowlist so you know what will break and can decide whether it should.
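The following is an added example, not code from the original post or from RDAIT. It takes a hypothetical allowlist (source network, destination network, protocol, destination port) and a handful of constructed flow records of the kind you would export from a firewall or NetFlow collector, and reports which flows a default-deny policy built from that allowlist would drop. Three of the constructed flows are deliberately "interesting": a workstation talking straight to the database, the database reaching out to the internet, and workstation-to-workstation SMB.

```python
"""
Audit observed flows against a proposed default-deny allowlist.

Added example: the allowlist, the networks and the flow records below are
constructed for illustration and are not from any real environment.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical allowlist: (src network, dst network, protocol, dst port).
# Anything not matched by one of these is dropped, inbound or outbound.
ALLOW_RULES = [
    ("10.10.0.0/16",  "10.20.0.10/32", "tcp", 443),   # workstations -> internal web app
    ("10.10.0.0/16",  "10.20.0.53/32", "udp", 53),    # workstations -> internal DNS
    ("10.20.0.53/32", "0.0.0.0/0",     "udp", 53),    # DNS resolver -> upstream DNS
    ("10.20.0.10/32", "10.20.0.20/32", "tcp", 5432),  # web app -> database
    ("10.10.0.0/16",  "0.0.0.0/0",     "tcp", 443),   # workstations -> internet HTTPS
]

# Constructed flow records: (src, dst, protocol, dst port, bytes).
FLOWS = [
    ("10.10.5.7",  "10.20.0.10",   "tcp", 443,  18000),
    ("10.10.5.7",  "10.20.0.53",   "udp", 53,   400),
    ("10.20.0.53", "9.9.9.9",      "udp", 53,   600),
    ("10.20.0.10", "10.20.0.20",   "tcp", 5432, 90000),
    ("10.10.5.7",  "203.0.113.40", "tcp", 443,  50000),
    ("10.10.5.7",  "10.20.0.20",   "tcp", 5432, 1200),    # workstation straight to the DB
    ("10.20.0.20", "198.51.100.9", "tcp", 443,  250000),  # database egress to the internet
    ("10.10.5.8",  "10.10.5.7",    "tcp", 445,  3000),    # workstation-to-workstation SMB
]


def compile_rules(rules):
    """Turn the string form of the allowlist into ip_network objects once."""
    return [(ip_network(s), ip_network(d), proto, port) for s, d, proto, port in rules]


def is_allowed(flow, compiled_rules):
    """True if any allow rule matches the flow's source, destination, protocol and port."""
    src, dst, proto, port, _bytes = flow
    s, d = ip_address(src), ip_address(dst)
    return any(s in rs and d in rd and proto == rp and port == rport
               for rs, rd, rp, rport in compiled_rules)


def audit(flows, rules):
    """Return the flows that a default-deny policy built from `rules` would drop."""
    compiled = compile_rules(rules)
    return [f for f in flows if not is_allowed(f, compiled)]


def summarize(dropped):
    """Count dropped flows per (protocol, port) so the noisy services stand out."""
    return Counter((f[2], f[3]) for f in dropped)


if __name__ == "__main__":
    dropped = audit(FLOWS, ALLOW_RULES)
    for src, dst, proto, port, nbytes in dropped:
        print(f"WOULD DROP {src} -> {dst} {proto}/{port} ({nbytes} bytes)")
    print("per service:", dict(summarize(dropped)))
```

Each dropped flow is a decision to make before enforcement: either it is legitimate and belongs in the allowlist (with a specific source and destination, not a wildcard), or it is exactly the kind of traffic a hunter should already be asking about.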

Do you already perform pen tests?

If you don't perform penetration tests on a regular basis, stop here and don't move on to the next option. Threat hunting assumes a mature cyber defence posture, and regular testing is part of building one.

Do you have a team actively watching?

You should already have a team watching your logs, performing analysis, establishing baseline activity and correlating your data. You should have a SIEM, with dashboards and alerting in a tool like Kibana already up and flagging anomalies, and you should have someone actually watching the output. Hunting starts from the baseline: a logon at an unusual hour, a user on a host they have never touched, or a connection from a new address only stands out once you know what normal looks like.
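As an added example (not code from the original post or from RDAIT), here is the baseline-then-hunt idea applied to constructed sshd "Accepted" log lines. A baseline window is used to learn, per user, which hosts they log on to, from which source addresses, and during which hours; a later hunt window is then checked against that profile. The log lines, hosts, users and addresses are all made up for illustration.

```python
"""
Baseline normal logon activity, then hunt a later window for deviations.

Added example: the log lines below are constructed in a syslog/sshd-like
format for illustration and do not come from any real system.
"""
import re
from collections import defaultdict

# Matches successful sshd logons, e.g.
# "Jan  2 08:02:11 web01 sshd[1201]: Accepted publickey for alice from 10.10.5.7 port 51234 ssh2"
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed baseline window: what "normal" looked like.
BASELINE_LOGS = """\
Jan  2 08:02:11 web01 sshd[1201]: Accepted publickey for alice from 10.10.5.7 port 51234 ssh2
Jan  2 09:15:40 web01 sshd[1220]: Accepted publickey for alice from 10.10.5.7 port 51301 ssh2
Jan  3 10:41:03 db01 sshd[2204]: Accepted publickey for bob from 10.10.5.9 port 40211 ssh2
Jan  3 17:20:55 web01 sshd[1298]: Accepted publickey for alice from 10.10.5.7 port 52001 ssh2
Jan  4 14:05:12 db01 sshd[2310]: Accepted publickey for bob from 10.10.5.9 port 40522 ssh2
Jan  5 08:30:27 web02 sshd[1330]: Accepted publickey for alice from 10.10.5.7 port 52099 ssh2
Jan  5 12:11:09 web02 sshd[1344]: Failed password for root from 203.0.113.5 port 33012 ssh2
"""

# Constructed hunt window: two of these four logons deserve a second look.
HUNT_LOGS = """\
Jan  9 08:10:45 web01 sshd[1402]: Accepted publickey for alice from 10.10.5.7 port 53001 ssh2
Jan  9 03:12:08 db01 sshd[2401]: Accepted publickey for alice from 10.10.5.7 port 53100 ssh2
Jan  9 11:33:51 db01 sshd[2410]: Accepted password for bob from 198.51.100.22 port 44100 ssh2
Jan 10 15:02:19 web02 sshd[1450]: Accepted publickey for alice from 10.10.5.7 port 53310 ssh2
"""


def parse(text):
    """Extract successful logons; failed attempts and unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"hour": int(m["hour"]), "host": m["host"],
                           "user": m["user"], "src": m["src"]})
    return events


def build_baseline(events):
    """Per-user profile: hosts used, source addresses seen, hours of day active."""
    profile = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["srcs"].add(e["src"])
        p["hours"].add(e["hour"])
    return profile


def hunt(events, profile):
    """Return (user, host, reason) for every logon that deviates from the baseline."""
    findings = []
    for e in events:
        p = profile.get(e["user"])
        if p is None:
            findings.append((e["user"], e["host"], "user never seen in baseline"))
            continue
        if e["host"] not in p["hosts"]:
            findings.append((e["user"], e["host"], f"first logon to {e['host']}"))
        if e["src"] not in p["srcs"]:
            findings.append((e["user"], e["host"], f"new source address {e['src']}"))
        lo, hi = min(p["hours"]), max(p["hours"])
        if not lo <= e["hour"] <= hi:
            findings.append((e["user"], e["host"],
                             f"logon at {e['hour']:02d}:00, baseline is {lo:02d}-{hi:02d}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOGS))
    for user, host, reason in hunt(parse(HUNT_LOGS), baseline):
        print(f"{user}@{host}: {reason}")
```

The point is not the particular checks (a real baseline would use weeks of data and tolerate some drift) but that each finding is a lead for a human to run down: alice's 03:00 logon to a database host she has never used, and bob arriving from an outside address with a password instead of his usual key, are questions a SIEM rule written last year would not have asked.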

Is your IDS/IPS doing all it can?

Are you using all the features of your Intrusion Detection System? Is your IPS actually preventing anything, or only alerting? You might want to stop just detecting problems and enable it to start blocking identified threats. There is always fear that it will block something necessary but I have found this is rarely the case once you configure it properly. Run it in alert-only mode first, tune out the false positives, then switch the high-confidence signatures to block.

Red vs Blue?

If you have the staff, you might consider running a sort of game: one team tries to break in (red) and the other tries to protect, detect and block them (blue). This is different from a penetration test, which looks for vulnerabilities without your defenders actively responding; here the exercise tests your detection and response as much as your perimeter. If you don't feel your team is up to playing the attacker, consider finding someone who can.

What if I need help?

If you need help with cyber threat hunting, proactive cyber defence, or other business IT needs give RDAIT a call or use the contact form on the right and see how we can help you!


Further reading

Wikipedia: Cyber threat hunting
Wikipedia: Proactive cyber defense
Wikipedia: Security information and event management (SIEM)
CSO: Red team versus blue team
A3sal0n's Cyber Threat Hunting resources on GitHub
Kibana, by Elastic
