AFG’s IT manager was surprised by what an active threat hunt revealed

Employee circumventions, cybercriminal activity were going on undetected

Credit: ID 128324806 © Jakarin Niamklang |

Matt Kraus figured there might be some security surprises waiting for him when he began taking a closer look at his company’s network – but when the results came back, he was still floored by the findings.

Despite past investment in a range of conventional firewalls and signature-based security tools, an intensive network threat-hunting exercise turned up “quite a bit” of latent malicious hosts and a broad range of unauthorised activities being conducted by employees.

“Just the chemical makeup of who we have on staff, and their making constant outbound calls, made it very likely that our employees were potentially looking for ways to get around proxy servers and things like that,” Kraus, IT manager with US-based equipment leasing firm Alliance Funding Group (AFG), told CSO Australia.

“We found everything from open VPN clients to TOR browsers, point-to-point communications to unauthorised sites, compromised credentials, and passwords in clear text. Those are all things that we need to be aware of, because it’s inherent with those platforms that malicious behaviour can be a result of that kind of activity.”

The new insights came after AFG brought on specialists from LMNTRIX, who set up the company’s cloud-based Adaptive Threat Response Platform (ATRP) on the AFG network and went to work ferreting out all kinds of threats.

Ultimately, that exercise produced a who’s-who of bad behaviour that had been completely missed by existing solutions – providing a hit list of fixes for an overstretched security team that was already working at its limits.

Delivery as a cloud service meant ATRP could be implemented quickly and easily without requiring significant staff effort – a key problem that had prevented the team from implementing a SIEM (security information and event management) platform to improve its visibility.

“We had no visibility into what was going on,” Kraus explained, “and the log-based approach would have been very difficult for us to really validate and cross-correlate between the many endpoints within our infrastructure.”

Dedicating staff to processing and acting on the outputs of a SIEM system would have been prohibitive: “there is a cost associated with that,” he explained, “in that it takes them away from doing their primary roles. We’re not expecting them to be focused on security.”

That detail included the identification and isolation of active compromises that were already active on the network, with ATRP’s tools allowing the team to “bait, track, and hunt down attackers already hidden on our networks. All our previous solutions missed these threats entirely.”

“LMNTRIX’s ability to produce those outcomes was huge for us,” he added, “and the level of detail, and the incidents that we found, were definitely of value.”

Lack of visibility into network activity has long been a problem for businesses of all sizes, particularly with the explosion of virtual and physical devices introduced through business growth or just brought to work by employees.

Bring your own device (BYOD) programs were in place at 85 percent of companies in a recent Bitglass study, with 30 percent saying their adoption of BYOD had been inhibited by company security concerns; 22 percent concerned about privacy, cost, or user experience; and 11 percent concerned about the cost of support.

Some 51 percent of respondents said the threat to mobile devices had increased this year, with 27 percent saying mobile devices had downloaded malware and 30 percent unable to say whether this had happened.

Such findings reinforce the need for better visibility that had sent Kraus and his team looking for a better solution in the first place.

With the platform now in place, AFG is still seeing 5 to 10 incidents per month – but because it now has visibility into what’s going on, it has been better able to identify and prevent issues as they arise. The portal also provides guidance about remediation once reported incidents have been validated.

“Because our IT team is small, we just didn’t have the ability to invest in these capabilities,” Kraus said, noting the platform’s value as a deliverable managed service.

“From an opex perspective, and finding the right people, and the numerous products we would have had to implement to compete with what we’ve gotten now. The level of detail and visibility we’ve seen is huge for us.”

Tags BYODcybercriminal

Show Comments