Digital Risk: Enterprises Need More Than Cyber Insurance

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

Detecting Compromise and Resolving a Potential Breach

by Amanda Bevilacqua , US Claims Operations Leader

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer. 

The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access Ivanti devices and penetrate internal networks, underscore the urgent need for comprehensive defense and incident response mechanisms.

This scenario exemplifies why a multifaceted approach to vulnerability management and incident response is essential—not only to patch existing vulnerabilities but also to detect and mitigate the impact of potential breaches.

While patching is pivotal in protecting your environment from vulnerabilities, there are other steps that are necessary to mitigate new and evolving threats. At Resilience, our expert Claims Team is not only responsible for processing claims but identifying data trends that help break down the state of cyber risk, to build resilience against filing a claim. 

To help our clients stay resilient against Ivanti and any future vulnerabilities, US Claims Operation Lead at Resilience Amanda Bevilacqua created a list of action items that will help organizations quickly determine whether they have been compromised. 

1. Analyze All Systems

Beyond immediate patching, conducting an exhaustive analysis of all systems is crucial. While patching is essential in preventing a compromise if one has not occurred yet, patching will not remediate an ongoing compromise. Look for signs of compromise, including unusual web traffic, misplaced data, or unfamiliar files and processes. Early detection of these red flags is crucial for prompt investigation and mitigation.

2. Review Network Traffic 

As part of analyzing systems, take special care to analyze network traffic. Look for unusual amounts of data being exfiltrated, network traffic in unusual ports, suspicious activity on administrative accounts, or any other unusual login behavior. Pay close attention to any network traffic in countries where the organization does not operate.

3. Look out for Suspicious Login Activity 

Suspicious login activity is a strong indicator of compromise. When observing login behavior, watch for dubious login efforts or other network activity that seem to be particularly probing– for example, if a user is failing MFA several times or looking for workarounds to log in. It is also critical to note where logins are happening and keep an eye out for any locations where the company would not expect an employee to be. If all employees are based in the US, user login from another country should be immediately flagged. 

4. Look for Lateral Movement 

Monitor any activity within the company’s VPN and keep careful track of behavior that indicates lateral movement through networks and systems. Be wary of administrative accounts and their activity, and watch for a spike in requests or read volume in files. Keep track of any data that is found in a location that it should not be and note any unusually large or compressed files. 

5. Analyze Logs

Log clearing is a common tactic used by threat actors to cover their tracks. Check for missing logs which can indicate compromise. To effectively monitor logs, an idea of what information should be present in order to notice anything missing is a necessary baseline. Be aware of what data should be listed in the logs, and pay close attention to any gaps in time or missing data.   

6. Leverage Endpoint Detection and Response (EDR) tools 

Accessing an endpoint via a vulnerability is a common strategy advanced persistent threat actors use as it does not trigger antivirus solutions. EDR tools are designed to identify strange behavior and generate data about processes, actions, network connections, and more. Though EDR alerts can feel noisy, they are essential to monitoring and investigating hundreds of end-points. 

7. Respond As Soon As Possible  

If you think you have spotted any of the above indicators of compromise or any other suspicious activity, activate your incident response plan and investigate it immediately. The faster suspicious behavior is identified and investigated, the better the chance of containing the incident before it turns into a full-blown encryption event. 

“Oversharing is what our claims experts want to see– we want our clients to report things to us,” said Bevilacqua. “Business leaders often look back, and, hindsight is 2020. There can be a lot of red flags that go under the radar that could indicate something is happening. Always report suspicious activity– the faster that this is done, the better the chances of a positive outcome for the organization.” 

If you are a Resilience client, connect with our Claims and Incident Management team as early as possible after identifying any of the above red flags– a false alarm is always better than missing a potential compromise. Our experts can help you review your system, determine if further action is needed, and connect you with resources to help prevent a larger incident. 

You might also like

third-party cyber risk management

New Frontier: Cyber Risk Mitigation with Superforecasting

You’re a CISO, bombarded from all sides. New vulnerabilities emerge daily, vendors tout countless security solutions, and your inbox overflows with security alerts. Your skilled analysts are stretched thin, struggling to keep pace with the ever-evolving threat landscape. How do you make sense of it all? How do you prioritize investments, allocate resources, and make […]

third-party cyber risk management

Cybersecurity Essentials: The Role of Vulnerability Management in Building Cyber Resilient IT Systems

Navigating the complexities of cybersecurity requires a strategic approach to mitigate risks and safeguard IT systems. Central to this approach is vulnerability management, a systematic process that identifies, assesses, and prioritizes vulnerabilities within organizations’ infrastructure. Understanding what vulnerability management entails and how it contributes to preemptive cyber defense is critical.  According to a recent report […]

third-party cyber risk management

Mastering Cybersecurity Risk Metrics: A New Way to Think About Cyber Risk

Digital threats are not just possibilities but inevitabilities; understanding and calculating cyber risk is more than a precaution – it’s a necessity. Understanding cybersecurity metrics is essential to safeguarding and improving business operations. Calculating cyber risks simplifies complex issues and empowers professionals to communicate them clearly to improve their organization’s digital security. This requires a […]

third-party cyber risk management

Evolving Cybersecurity: From Risk Management to Cyber Resilience

With an astonishing 95% of cybersecurity breaches attributed to human error, organizations must educate, train, and implement a security foundation for all employees. This staggering statistic highlights the vulnerability of humans within digital infrastructures and underscores the importance of building a security-forward mindset into the culture of resilient businesses.   As cyber threats continue to lead […]

third-party cyber risk management

Counting the Cost: Understanding the Financial Risk of Cybersecurity Breaches

Cybersecurity breaches stand as a relentless challenge for organizations worldwide, causing substantial financial repercussions. As cyber threats advance in complexity, the economic impact on businesses intensifies, affecting everything from upfront costs to sustained financial health.  A thorough investigation into the financial risks posed by cybersecurity breaches reveals the breadth of direct and indirect expenses that […]

third-party cyber risk management

Rewriting the Rules of Cyber Security Risks: Part II

Building Cyber Resilience requires a new approach to assessing, measuring, and managing risk. Traditional thinking from both the security and insurance sectors views risk management in binary silos that either stop an attack or fail to prevent loss. However, the truth is that cyber security risk is significantly more complex. Being resilient to cyber security […]