Digital Risk: Enterprises Need More Than Cyber Insurance

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

Detecting Compromise and Resolving a Potential Breach

by Amanda Bevilacqua , US Claims Operations Leader

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer. 

The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access Ivanti devices and penetrate internal networks, underscore the urgent need for comprehensive defense and incident response mechanisms.

This scenario exemplifies why a multifaceted approach to vulnerability management and incident response is essential—not only to patch existing vulnerabilities but also to detect and mitigate the impact of potential breaches.

While patching is pivotal in protecting your environment from vulnerabilities, there are other steps that are necessary to mitigate new and evolving threats. At Resilience, our expert Claims Team is not only responsible for processing claims but identifying data trends that help break down the state of cyber risk, to build resilience against filing a claim. 

To help our clients stay resilient against Ivanti and any future vulnerabilities, US Claims Operation Lead at Resilience Amanda Bevilacqua created a list of action items that will help organizations quickly determine whether they have been compromised. 

1. Analyze All Systems

Beyond immediate patching, conducting an exhaustive analysis of all systems is crucial. While patching is essential in preventing a compromise if one has not occurred yet, patching will not remediate an ongoing compromise. Look for signs of compromise, including unusual web traffic, misplaced data, or unfamiliar files and processes. Early detection of these red flags is crucial for prompt investigation and mitigation.

2. Review Network Traffic 

As part of analyzing systems, take special care to analyze network traffic. Look for unusual amounts of data being exfiltrated, network traffic in unusual ports, suspicious activity on administrative accounts, or any other unusual login behavior. Pay close attention to any network traffic in countries where the organization does not operate.

3. Look out for Suspicious Login Activity 

Suspicious login activity is a strong indicator of compromise. When observing login behavior, watch for dubious login efforts or other network activity that seem to be particularly probing– for example, if a user is failing MFA several times or looking for workarounds to log in. It is also critical to note where logins are happening and keep an eye out for any locations where the company would not expect an employee to be. If all employees are based in the US, user login from another country should be immediately flagged. 

4. Look for Lateral Movement 

Monitor any activity within the company’s VPN and keep careful track of behavior that indicates lateral movement through networks and systems. Be wary of administrative accounts and their activity, and watch for a spike in requests or read volume in files. Keep track of any data that is found in a location that it should not be and note any unusually large or compressed files. 

5. Analyze Logs

Log clearing is a common tactic used by threat actors to cover their tracks. Check for missing logs which can indicate compromise. To effectively monitor logs, an idea of what information should be present in order to notice anything missing is a necessary baseline. Be aware of what data should be listed in the logs, and pay close attention to any gaps in time or missing data.   

6. Leverage Endpoint Detection and Response (EDR) tools 

Accessing an endpoint via a vulnerability is a common strategy advanced persistent threat actors use as it does not trigger antivirus solutions. EDR tools are designed to identify strange behavior and generate data about processes, actions, network connections, and more. Though EDR alerts can feel noisy, they are essential to monitoring and investigating hundreds of end-points. 

7. Respond As Soon As Possible  

If you think you have spotted any of the above indicators of compromise or any other suspicious activity, activate your incident response plan and investigate it immediately. The faster suspicious behavior is identified and investigated, the better the chance of containing the incident before it turns into a full-blown encryption event. 

“Oversharing is what our claims experts want to see– we want our clients to report things to us,” said Bevilacqua. “Business leaders often look back, and, hindsight is 2020. There can be a lot of red flags that go under the radar that could indicate something is happening. Always report suspicious activity– the faster that this is done, the better the chances of a positive outcome for the organization.” 

If you are a Resilience client, connect with our Claims and Incident Management team as early as possible after identifying any of the above red flags– a false alarm is always better than missing a potential compromise. Our experts can help you review your system, determine if further action is needed, and connect you with resources to help prevent a larger incident. 

You might also like

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]

Top Three Trends on Cyber Resilience from The World Economic Forum

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.  The term has taken on a new importance in 2024 as enterprise […]

Do you Need Human Brains to make AI Useful in Cybersecurity?

As the world advances with data processing and artificial intelligence (AI) capabilities at a mind-boggling pace, we might feel as if humans are becoming obsolete. This is certainly the question of an endless series of articles that have clogged our inboxes since the release of ChatGPT publicly in late 2022. Maybe this development is a […]

Mastering Cyber Resilience

Cyber Resilience 101, 202, and accompanying Cyber Resilience Workshops are designed to teach brokers the fundamentals of proactive cyber risk management