Analytics For Cyber Threat Hunting

See how the effectiveness of a threat hunting team can be improved with analytics.
Cyber Threat Hunter

The Situation Today

Evan is a recent graduate of the University of Maryland, where he earned his degree in Cybersecurity, and he works as a Threat Hunter at a mid-sized company that has recently started to get a lot of attention because of press releases indicating the company's overall growth in customer base. This new attention, while beneficial from a financial perspective, has resulted in an increased number of cyber attacks against the company's network.

Evan understands the cyber domain, but the amount of data flowing in is significant and he doesn't have the technical skills to write advanced queries against the data to find the primary culprits. While Evan knows the questions he wants to ask, not being able to compose the right queries severely limits his ability to drill into the data they're collecting.

The Cyber Threat Hunting team has been getting increased pressure from leadership to identify and mitigate these attacks, for fear of losing the company's core intellectual property. The entire threat hunting team is in a similar position to Evan: while a few of them have backgrounds writing SQL queries, not all of them have that particular skill set.

Enter ClearQuery

The Director of Cybersecurity brought in ClearQuery to aid the Threat Hunting team in drilling into their data. Although Evan doesn't have a significant technical background, he was able to start drilling into network attack data immediately and identify the core culprits:

  • Evan started by using Ask ClearQuery to identify trends by entering "Break down attacks by month and country", which immediately highlighted a spike in September of attackers from China hitting the network.
  • While there were a significant number of attempted connections in September, Evan realized that not all of these were successful and most were simple probes. He decided to follow up by filtering out the noise - "Only include attacks with exploit as the connection type". This filter highlighted that most successful attacks were occurring from the United States in May of the following year.
  • Evan clicked to drill into this data and followed up with one last question - "Who are the top attacker ips?", which highlighted a single IP address that was responsible for most of the successful attacks on the network.
  • Within about 15 minutes, Evan had identified this culprit and shared the IP address with the IR team, which blocked all future attempts coming from the range of IPs this attacker used. The Threat Hunting team was also able to do further analysis on the techniques used by that IP address so they could mitigate the flaws in their systems that allowed for successful exploitation of the network.
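The three questions Evan asks above are, underneath, an aggregation, a filter and a ranking over the same attack table. The following is an added example (not ClearQuery's code or data) that spells them out as plain SQL against a constructed, in-memory SQLite table, so a hunter who wants to see what the natural-language questions amount to can follow the same drill-down path by hand. The table schema, the RFC 5737 documentation IP addresses and the timestamps are all constructed for illustration.

```python
"""Worked example of the month/country breakdown, the exploit-type filter and
the top-attacker ranking as SQL over a constructed attack table.
Added illustration; the schema and records are assumptions, not ClearQuery's."""
import sqlite3

# Constructed sample records (RFC 5737 documentation ranges, not real hosts).
# Fields: timestamp (ISO 8601), source_ip, country, connection_type, successful
SAMPLE_ATTACKS = [
    ("2023-09-02T03:14:00", "203.0.113.11", "CN", "probe",   0),
    ("2023-09-05T11:20:00", "203.0.113.12", "CN", "probe",   0),
    ("2023-09-09T22:41:00", "203.0.113.13", "CN", "probe",   0),
    ("2023-09-17T07:05:00", "203.0.113.14", "CN", "probe",   0),
    ("2023-09-28T19:33:00", "203.0.113.15", "CN", "probe",   0),
    ("2023-09-12T15:00:00", "198.51.100.3", "US", "probe",   0),
    ("2024-05-04T08:10:00", "198.51.100.7", "US", "exploit", 1),
    ("2024-05-06T08:12:00", "198.51.100.7", "US", "exploit", 1),
    ("2024-05-13T21:47:00", "198.51.100.7", "US", "exploit", 1),
    ("2024-05-20T02:30:00", "198.51.100.7", "US", "exploit", 1),
    ("2024-05-22T12:05:00", "198.51.100.9", "US", "exploit", 0),
    ("2024-05-25T16:45:00", "203.0.113.50", "CN", "exploit", 0),
]


def load_attacks(rows=SAMPLE_ATTACKS):
    """Create an in-memory attack table and load the sample rows into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attacks (ts TEXT, source_ip TEXT, country TEXT,"
        " connection_type TEXT, successful INTEGER)"
    )
    conn.executemany("INSERT INTO attacks VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def attacks_by_month_country(conn, connection_type=None):
    """'Break down attacks by month and country', optionally restricted to one
    connection type ('Only include attacks with exploit as the connection type').
    Returns (month, country, count) tuples, busiest bucket first."""
    return conn.execute(
        "SELECT substr(ts, 1, 7) AS month, country, COUNT(*) AS n"
        " FROM attacks"
        " WHERE ? IS NULL OR connection_type = ?"   # NULL bind disables filter
        " GROUP BY month, country"
        " ORDER BY n DESC, month, country",
        (connection_type, connection_type),
    ).fetchall()


def top_attacker_ips(conn, connection_type="exploit", limit=5):
    """'Who are the top attacker ips?' within the filtered connection type.
    Returns (source_ip, attempts, successes), most active first."""
    return conn.execute(
        "SELECT source_ip, COUNT(*) AS attempts, SUM(successful) AS successes"
        " FROM attacks"
        " WHERE connection_type = ?"
        " GROUP BY source_ip"
        " ORDER BY attempts DESC, source_ip"
        " LIMIT ?",
        (connection_type, limit),
    ).fetchall()


if __name__ == "__main__":
    db = load_attacks()
    print("All attacks by month/country:")
    for month, country, n in attacks_by_month_country(db):
        print(f"  {month}  {country}  {n}")
    print("Exploit connections only:")
    for month, country, n in attacks_by_month_country(db, "exploit"):
        print(f"  {month}  {country}  {n}")
    print("Top attacker IPs among exploit connections:")
    for ip, attempts, successes in top_attacker_ips(db):
        print(f"  {ip}  attempts={attempts}  successes={successes}")
```

On the constructed data the unfiltered breakdown is dominated by the September probes from CN, the exploit-only breakdown moves the spike to US in May of the following year, and the ranking isolates one source address with four successful exploit connections; that single address, plus the success counts, is what a hunter hands to the IR team. Swapping the sample list for real log records with the same five fields leaves the queries unchanged.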
