It Only Takes One Data Point to Blow Open a Threat Investigation

By Brandon Dixon, Vice President of Product at RiskIQ

Because cybersecurity has been such a pain point for businesses, it’s easy to assume that threat investigations are difficult and unwieldy to manage. When you consider what’s at stake—customer data, sensitive company and client information, and the financial costs of responding to a breach—the prospect of threat hunting can seem overwhelming.

But the truth is, attackers can be just as vulnerable as the businesses they target. They get sloppy. They overlook their own vulnerabilities and forget to cover their digital tracks. And all it takes is one slip-up to crack open an investigation.

Here’s an example. Let’s say a Chinese state-sponsored attacker is trying to break into foreign databases. He’s been focused on these targets for a while, probing their weaknesses and infiltrating their digital defenses. But then he forgets to switch from an IP address already associated with another of his attacks to a new one. Now he’s exposed himself to being caught. He slipped up. Simply seeing the same IP address associated with multiple forms of suspicious activity can help you identify a potential threat and act swiftly to block the infrastructure he was using, preventing him from reaching your assets.

Creatures of Habit

The most important thing you need to remember is that hackers are creatures of habit. Once you know how to connect the dots between the activity you’re seeing, you’ll be able to spot suspicious patterns.

Think about it this way. Once you observe someone’s day-to-day routine a few times, you can make predictions about their behavior. You know that they get up at 6:30 a.m., brew coffee while they dress for work, and catch the same bus outside their apartment building at 7:35 each morning. Based on the patterns you’ve observed, you can make an educated guess as to where they’ll eat lunch and when they’ll take an afternoon coffee break.

Hackers are similarly predictable. They reuse infrastructure for multiple attacks, and they tend to be active at the same times of day. These habits leave signals, and once you know how to spot them, you’ll become adept at catching potentially suspicious patterns. Importantly, hackers can grow careless in their habits. One hacker group revealed its own spear-phishing scam by forgetting to blind copy the recipients of its scam email message.

If you implement the right threat hunting software, you’ll be leveraging massive amounts of behavioral data that could indicate malicious activity. Over time, you’ll begin to see patterns that correlate with threat actors’ standard pre-attack behavior and will be able to identify threats that much faster.

Just because cyber criminals are tech-savvy doesn’t mean they’re not also lazy and prone to errors. You may not be able to understand the malicious code they write and deploy, but thanks to advances in threat detection, you don’t need to.

How to Spot Potential Hackers

What matters more than programming know-how is installing high-quality detection programs that allow you to search for and monitor threats. For instance, companies should seek to implement a searchable dataset that lets them identify every aspect of their digital footprint.

However, it’s also important to consider the attack surface, which includes everywhere you have a presence on the internet. If you’ve launched landing pages for your marketing, built partner or customer portals, or initiated an ad campaign, you need to know that every single one of those assets could be compromised by hackers.

An example of this would be a hacker who uses typosquatting to mimic a legitimate service like Google. With a platform built on the right data, you can connect a suspicious URL to related domains, the phone number or email addresses associated with its WHOIS registration, and the IP addresses the infrastructure is correlated with. If you’re able to recognize a threat actor reusing old infrastructure from a previous attack, you can defend your business by blocking it. The best part about this is your threat analysis started with just one access point—the suspicious URL.
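The pivot described above, written out as an added example (this is not RiskIQ's code or platform): starting from one suspicious URL, it walks constructed WHOIS and passive-DNS records to find domains that share a registrant email, phone number or resolving IP with the seed, flags labels that sit within a small edit distance of a brand name (after undoing digit-for-letter swaps) as typosquats, and reports which of the connected domains were already tied to an earlier incident. Every record, domain, email address and IP here is a constructed placeholder standing in for what a threat-data platform would return.

```python
"""Pivoting from one suspicious URL to the infrastructure it shares.

Added example, not RiskIQ code. WHOIS, passive-DNS and prior-incident data
are constructed sample records; all domains, emails and IPs are placeholders.
"""
from urllib.parse import urlparse

# Constructed WHOIS records: domain -> registrant contact details.
WHOIS = {
    "gooogle-login.example": {"email": "reg-a@example.net", "phone": "+1-555-0100"},
    "secure-g00gle.example": {"email": "reg-a@example.net", "phone": "+1-555-0100"},
    "paypa1-verify.example": {"email": "reg-a@example.net", "phone": "+1-555-0199"},
    "news.example":          {"email": "press@example.org", "phone": "+1-555-0150"},
}

# Constructed passive-DNS records: domain -> IPs it has resolved to.
PASSIVE_DNS = {
    "gooogle-login.example": ["203.0.113.10"],
    "secure-g00gle.example": ["203.0.113.10", "198.51.100.7"],
    "paypa1-verify.example": ["198.51.100.7"],
    "news.example":          ["192.0.2.44"],
}

# Constructed: domains already attributed to a previous incident.
PRIOR_INCIDENT_DOMAINS = {"paypa1-verify.example"}

BRANDS = ["google", "paypal"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a brand suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typosquat(domain: str, brands=BRANDS, max_distance: int = 2):
    """Return the brand a domain label mimics, or None if it mimics none.

    The registrable label is split on '-', so 'gooogle-login' is compared as
    'gooogle'; digit-for-letter swaps such as 'g00gle' are undone first.
    """
    swaps = str.maketrans("013", "ole")
    for part in domain.split(".")[0].split("-"):
        norm = part.translate(swaps)
        for brand in brands:
            if part != brand and edit_distance(norm, brand) <= max_distance:
                return brand
    return None


def pivot(url: str) -> dict:
    """Expand one suspicious URL into every domain reachable via shared WHOIS or IPs."""
    seed = urlparse(url).hostname
    seen, frontier = set(), [seed]
    while frontier:
        d = frontier.pop()
        if d in seen:
            continue
        seen.add(d)
        # Pivot 1: other domains registered with the same email or phone number.
        who = WHOIS.get(d, {})
        for other, rec in WHOIS.items():
            if other != d and (rec["email"] == who.get("email") or rec["phone"] == who.get("phone")):
                frontier.append(other)
        # Pivot 2: other domains that resolved to one of the same IPs.
        for ip in PASSIVE_DNS.get(d, []):
            frontier.extend(o for o, ips in PASSIVE_DNS.items() if o != d and ip in ips)
    return {
        "domains": sorted(seen),
        "ips": sorted({ip for d in seen for ip in PASSIVE_DNS.get(d, [])}),
        "typosquats": {d: b for d in sorted(seen) if (b := looks_like_typosquat(d))},
        "reused_from_prior_incident": sorted(seen & PRIOR_INCIDENT_DOMAINS),
    }


if __name__ == "__main__":
    for key, value in pivot("http://gooogle-login.example/signin").items():
        print(f"{key}: {value}")
```

The result is the blocklist the paragraph describes: three related domains and two IPs, one of which already appeared in a prior incident, all reached from the single seed URL; the unrelated news.example domain is never pulled in because it shares neither registrant details nor an IP.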

Obviously, making these connections and surveying each potential access point manually is impossible from both a personnel and cost perspective. Instead, you want to use an automated platform powered by as much data as possible that serves as a centralized monitoring hub from which you can study all potential threats.

When You Need Multiple Data Points

Imagine that you’re monitoring real-time site activity and you see that someone is logging into your site from Russia. You know that a good deal of cyber crime originates from Russia, but obviously not every internet user in that country engages in cyber crime—acting solely on a user’s location would be a waste of time and resources. Instead, you should begin assessing their other digital attributes and behaviors.

A suspicious IP address can tell you that you need to investigate a certain asset or pattern of behavior. But to use your resources efficiently, you need to be fairly certain that there is a genuine threat. That’s why you want to pull in multiple supporting data points before making a decision.

Even if you determine the user is a malicious actor, you want to gather more data before deciding how to respond. While it’s tempting to crack open an investigation as soon as you notice suspicious activity, it’s only after you’ve connected all the dots that you can determine whether, and how, to act.
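The decision process in the last three paragraphs, as an added example rather than anything from the original article: a login from an unusual country scores a single point and is only monitored, an IP already tied to a previous incident is decisive on its own (the one data point the title refers to), and the weaker attributes the "creatures of habit" section mentions (repeated failures, activity outside a user's usual hours, one IP behind several accounts) only reach the threshold for action when several of them agree. The login events, per-user baselines, IPs, weights and thresholds are all constructed placeholders.

```python
"""When one data point is enough and when several are needed.

Added example, not RiskIQ code. Events, baselines, the prior-incident IP
list and the weights are constructed sample values.
"""
from datetime import datetime

# Constructed: infrastructure observed in an earlier, confirmed incident.
PRIOR_INCIDENT_IPS = {"203.0.113.10"}

# Constructed login events (timestamps in UTC).
EVENTS = [
    {"user": "alice", "ip": "198.51.100.20", "country": "RU", "ts": "2019-03-01T09:12:00", "ok": True},
    {"user": "bob",   "ip": "203.0.113.10",  "country": "NL", "ts": "2019-03-01T03:05:00", "ok": True},
    {"user": "carol", "ip": "192.0.2.77",    "country": "RU", "ts": "2019-03-01T03:10:00", "ok": False},
    {"user": "carol", "ip": "192.0.2.77",    "country": "RU", "ts": "2019-03-01T03:11:00", "ok": False},
    {"user": "carol", "ip": "192.0.2.77",    "country": "RU", "ts": "2019-03-01T03:12:00", "ok": True},
]

# Constructed per-user habits learned from earlier history: usual countries and login hours.
BASELINE = {
    "alice": {"countries": {"US"}, "hours": {8, 9, 10}},
    "bob":   {"countries": {"NL"}, "hours": {8, 9, 10, 11}},
    "carol": {"countries": {"US"}, "hours": {13, 14, 15}},
}

# Constructed weights: one decisive signal, several supporting ones.
WEIGHTS = {
    "prior_incident_ip": 10,  # reuse of known attack infrastructure is enough by itself
    "multiple_accounts": 2,   # one source IP behind several accounts
    "repeated_failures": 1,
    "unusual_country": 1,     # location alone never crosses the action threshold
    "unusual_hour": 1,
}
BLOCK_AT, INVESTIGATE_AT = 5, 2


def score_ip(ip, events=EVENTS, baseline=BASELINE, prior=PRIOR_INCIDENT_IPS):
    """Return (score, reasons) for one source IP across all of its login events."""
    mine = [e for e in events if e["ip"] == ip]
    reasons = []
    if ip in prior:
        reasons.append("prior_incident_ip")
    if len({e["user"] for e in mine}) > 1:
        reasons.append("multiple_accounts")
    if sum(not e["ok"] for e in mine) >= 2:
        reasons.append("repeated_failures")
    for e in mine:
        habits = baseline.get(e["user"], {"countries": set(), "hours": set()})
        if e["country"] not in habits["countries"] and "unusual_country" not in reasons:
            reasons.append("unusual_country")
        hour = datetime.fromisoformat(e["ts"]).hour
        if hour not in habits["hours"] and "unusual_hour" not in reasons:
            reasons.append("unusual_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ip, **kwargs):
    """Map a score to an action: block, investigate further, or just keep monitoring."""
    score, reasons = score_ip(ip, **kwargs)
    if score >= BLOCK_AT:
        action = "block"
    elif score >= INVESTIGATE_AT:
        action = "investigate"
    else:
        action = "monitor"
    return action, score, reasons


if __name__ == "__main__":
    for ip in sorted({e["ip"] for e in EVENTS}):
        print(ip, *decide(ip))
```

Alice's Russian login scores one point and is left alone; bob's IP reuses prior-incident infrastructure and is blocked even though only one other attribute is unusual; carol's IP collects three weak signals and lands in the investigate band, where the article's advice to gather more before acting applies.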