Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

Detecting Compromise and Resolving a Potential Breach

by Amanda Bevilacqua , US Claims Operations Leader
Published

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and incident response plan has never been clearer. 

The Ivanti vulnerabilities, particularly CVE-2024-22024, unveiled on February 8th, 2024, serve as a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access Ivanti devices and penetrate internal networks, underscore the urgent need for comprehensive defense and incident response mechanisms.

This scenario exemplifies why a multifaceted approach to vulnerability management and incident response is essential—not only to patch existing vulnerabilities but also to detect and mitigate the impact of potential breaches.

While patching is pivotal in protecting your environment from vulnerabilities, there are other steps that are necessary to mitigate new and evolving threats. At Resilience, our expert Claims Team is not only responsible for processing claims but identifying data trends that help break down the state of cyber risk, to build resilience against filing a claim. 

To help our clients stay resilient against Ivanti and any future vulnerabilities, US Claims Operation Lead at Resilience Amanda Bevilacqua created a list of action items that will help organizations quickly determine whether they have been compromised. 

1. Analyze All Systems

Beyond immediate patching, conducting an exhaustive analysis of all systems is crucial. While patching is essential in preventing a compromise if one has not occurred yet, patching will not remediate an ongoing compromise. Look for signs of compromise, including unusual web traffic, misplaced data, or unfamiliar files and processes. Early detection of these red flags is crucial for prompt investigation and mitigation.

2. Review Network Traffic 

As part of analyzing systems, take special care to analyze network traffic. Look for unusual amounts of data being exfiltrated, network traffic in unusual ports, suspicious activity on administrative accounts, or any other unusual login behavior. Pay close attention to any network traffic in countries where the organization does not operate.

3. Look out for Suspicious Login Activity 

Suspicious login activity is a strong indicator of compromise. When observing login behavior, watch for dubious login efforts or other network activity that seem to be particularly probing– for example, if a user is failing MFA several times or looking for workarounds to log in. It is also critical to note where logins are happening and keep an eye out for any locations where the company would not expect an employee to be. If all employees are based in the US, user login from another country should be immediately flagged. 

4. Look for Lateral Movement 

Monitor any activity within the company’s VPN and keep careful track of behavior that indicates lateral movement through networks and systems. Be wary of administrative accounts and their activity, and watch for a spike in requests or read volume in files. Keep track of any data that is found in a location that it should not be and note any unusually large or compressed files. 

5. Analyze Logs

Log clearing is a common tactic used by threat actors to cover their tracks. Check for missing logs which can indicate compromise. To effectively monitor logs, an idea of what information should be present in order to notice anything missing is a necessary baseline. Be aware of what data should be listed in the logs, and pay close attention to any gaps in time or missing data.   

6. Leverage Endpoint Detection and Response (EDR) tools 

Accessing an endpoint via a vulnerability is a common strategy advanced persistent threat actors use as it does not trigger antivirus solutions. EDR tools are designed to identify strange behavior and generate data about processes, actions, network connections, and more. Though EDR alerts can feel noisy, they are essential to monitoring and investigating hundreds of end-points. 

7. Respond As Soon As Possible  

If you think you have spotted any of the above indicators of compromise or any other suspicious activity, activate your incident response plan and investigate it immediately. The faster suspicious behavior is identified and investigated, the better the chance of containing the incident before it turns into a full-blown encryption event. 

“Oversharing is what our claims experts want to see– we want our clients to report things to us,” said Bevilacqua. “Business leaders often look back, and, hindsight is 2020. There can be a lot of red flags that go under the radar that could indicate something is happening. Always report suspicious activity– the faster that this is done, the better the chances of a positive outcome for the organization.” 

If you are a Resilience client, connect with our Claims and Incident Management team as early as possible after identifying any of the above red flags– a false alarm is always better than missing a potential compromise. Our experts can help you review your system, determine if further action is needed, and connect you with resources to help prevent a larger incident. 

You might also like

Why the OODA loop matters for cybersecurity

In 2004 as I prepared to board a flight to Tokyo, I strolled through a bookstore in ATL’s international concourse looking for something to occupy my mind during the 14 hour flight. Just as I was about to head to my gate empty-handed, I noticed a book that I had just read a review about […]

What DeepSeek means for cyber risk

The January 20 release of DeepSeek, an open source LLM developed by a Chinese research lab, rocked both the tech world and the financial markets. The product quickly demonstrated what appears to be exponentially better energy, cost efficiency, and similar performance capabilities when compared with American-made AI products like OpenAI. It also highlighted a number […]

The importance of vendor risk reports in managing third-party risk

The cybersecurity landscape saw a significant shift in 2024, with third-party risks emerging as a major source of cyber losses. Vendor risk management is far more than a compliance checkbox—it is a vital layer of defense in today’s cybersecurity landscape. And that’s why understanding your risk exposure from vendors through vendor risk reports is so […]

The rise of CISO 3.0 and what it means for cyber risk

The Chief Information Security Officer (CISO) has traditionally been seen as someone who worked behind the scenes, focused on technical details and making sure the company’s network, applications, and data were safe. They were known and appreciated for their tech skills, but maybe not so much their business skills. The CISO of the past was […]

Understanding identity-based attacks and how to defend against them

Breaches used to be primarily carried out via software vulnerabilities: Companies would announce a flaw, take a while to fix it, and attackers would find their way into the system using those exploits. From there they might not only steal information and assets from their primary target, but would also use their access to jump […]

Get ready for threats both old and new in 2025

It’s prediction season and while no one can see into the future, we can definitely take some educated guesses. From increasingly severe ransomware attacks to deepfakes that deceive Fortune 500 companies, we’re keeping an eye out for some major events in 2025. And while many organizations are taking steps to beef up their defenses, the […]