Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

Detecting Compromise and Resolving a Potential Breach

by Amanda Bevilacqua , US Claims Operations Leader
Published

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer. 

The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access Ivanti devices and penetrate internal networks, underscore the urgent need for comprehensive defense and incident response mechanisms.

This scenario exemplifies why a multifaceted approach to vulnerability management and incident response is essential—not only to patch existing vulnerabilities but also to detect and mitigate the impact of potential breaches.

While patching is pivotal in protecting your environment from vulnerabilities, there are other steps that are necessary to mitigate new and evolving threats. At Resilience, our expert Claims Team is not only responsible for processing claims but identifying data trends that help break down the state of cyber risk, to build resilience against filing a claim. 

To help our clients stay resilient against Ivanti and any future vulnerabilities, US Claims Operation Lead at Resilience Amanda Bevilacqua created a list of action items that will help organizations quickly determine whether they have been compromised. 

1. Analyze All Systems

Beyond immediate patching, conducting an exhaustive analysis of all systems is crucial. While patching is essential in preventing a compromise if one has not occurred yet, patching will not remediate an ongoing compromise. Look for signs of compromise, including unusual web traffic, misplaced data, or unfamiliar files and processes. Early detection of these red flags is crucial for prompt investigation and mitigation.

2. Review Network Traffic 

As part of analyzing systems, take special care to analyze network traffic. Look for unusual amounts of data being exfiltrated, network traffic in unusual ports, suspicious activity on administrative accounts, or any other unusual login behavior. Pay close attention to any network traffic in countries where the organization does not operate.

3. Look out for Suspicious Login Activity 

Suspicious login activity is a strong indicator of compromise. When observing login behavior, watch for dubious login efforts or other network activity that seem to be particularly probing– for example, if a user is failing MFA several times or looking for workarounds to log in. It is also critical to note where logins are happening and keep an eye out for any locations where the company would not expect an employee to be. If all employees are based in the US, user login from another country should be immediately flagged. 

4. Look for Lateral Movement 

Monitor any activity within the company’s VPN and keep careful track of behavior that indicates lateral movement through networks and systems. Be wary of administrative accounts and their activity, and watch for a spike in requests or read volume in files. Keep track of any data that is found in a location that it should not be and note any unusually large or compressed files. 

5. Analyze Logs

Log clearing is a common tactic used by threat actors to cover their tracks. Check for missing logs which can indicate compromise. To effectively monitor logs, an idea of what information should be present in order to notice anything missing is a necessary baseline. Be aware of what data should be listed in the logs, and pay close attention to any gaps in time or missing data.   

6. Leverage Endpoint Detection and Response (EDR) tools 

Accessing an endpoint via a vulnerability is a common strategy advanced persistent threat actors use as it does not trigger antivirus solutions. EDR tools are designed to identify strange behavior and generate data about processes, actions, network connections, and more. Though EDR alerts can feel noisy, they are essential to monitoring and investigating hundreds of end-points. 

7. Respond As Soon As Possible  

If you think you have spotted any of the above indicators of compromise or any other suspicious activity, activate your incident response plan and investigate it immediately. The faster suspicious behavior is identified and investigated, the better the chance of containing the incident before it turns into a full-blown encryption event. 

“Oversharing is what our claims experts want to see– we want our clients to report things to us,” said Bevilacqua. “Business leaders often look back, and, hindsight is 2020. There can be a lot of red flags that go under the radar that could indicate something is happening. Always report suspicious activity– the faster that this is done, the better the chances of a positive outcome for the organization.” 

If you are a Resilience client, connect with our Claims and Incident Management team as early as possible after identifying any of the above red flags– a false alarm is always better than missing a potential compromise. Our experts can help you review your system, determine if further action is needed, and connect you with resources to help prevent a larger incident. 

You might also like

Contrasting and comparing FAIR with the Resilience solution

As market awareness of cyber risk quantification grows, we frequently receive questions from clients and curious risk managers about FAIR (Factor Analysis of Information Risk)—what it is, whether it truly provides accurate cyber risk quantification, the effort needed to set it up and maintain, and more. Clients often ask us to compare the FAIR methodology […]

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]