Knock Knock: Who’s there?

November 20, 2017

By: Bharat Nair

We are all far too familiar with this classic one-on-one wordplay and pastime. At my house it is a dinnertime favorite every so often. Oftentimes the jokes keep repeating, but they never get old, at least for my little one.

The point here is not to rehash this old-time classic, but something that happened during a recent pilot study we did made me think of it.

When it comes to cybersecurity and defenses, we all spend (if not at the personal level, certainly at the corporate level) significant amounts of time and money attempting to secure our networks and devices. Yet there are far too many stories about compromises and ransomware attacks, clearly indicating that the defenses put up today are failing to fully secure the critical assets of an enterprise from bad actors. And knowing full well that sufficient perimeter security has been established for almost all networks, these bad actors don’t come knocking on the front door.

Recently we conducted a pilot study which involved monitoring net flows in an environment that was sufficiently secured and had multiple controls in place. What surprised us, though, was the tens of thousands of pings (virtual knocks) this company was receiving from foreign IP addresses. Interestingly, like numerous other US-based companies, this was a regional company with clients, services, and servers located ONLY in the US. Yet these virtual knocks on its perimeter were coming from foreign-based IP addresses. The company was unaware of this and was flirting with the possibility of a bad actor jumping the fence and getting in. Once in, these bad actors do not typically go to work right away. They lie quiet, work their way through the network, exploring and moving laterally until they find something of value (or, in the case of a targeted attack, what they came for), and then make a beeline for the exit.

It should come as no surprise to anyone that we live in very different times in many respects, especially when it comes to cyber threats and thefts. The frequency, audacity, and magnitude of the attacks are only getting worse. While the security products and measures in place are absolutely necessary and critical as the first line of defense, the lack of network visibility and the inability to observe and analyze network and API traffic at scale are creating gaps in an otherwise well-thought-out security posture for most companies. This becomes more apparent when you realize that SOC analytics are missing the context around connectedness.

This is where AI-based algorithms and deep machine learning capabilities must be leveraged to augment your existing security defenses. This is as good a time as any for the saying “the best offense is a good defense”.

Back to the story of this company: we were able to quickly isolate the port under attack and put remediation in place. If you are interested in finding out whether someone is knocking on your ports, or just want to learn more about advanced threat hunting technologies that leverage AI-based algorithms and cognitive sciences, please PM me. I will be happy to set up a short conversation.
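As an added example (not code from the original post or from CyGlass), here is the kind of flow analysis the pilot study above describes: parse inbound flow records, count per destination port how many come from outside the company's home country, and single out the port drawing the most foreign knocks. The flow records, the prefix-to-country table and the threshold are all constructed for illustration.

```python
# Added example (not CyGlass code): rank perimeter ports by inbound flows from
# outside the home country. Flow records and the geo table are constructed here.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed geolocation table; the prefixes are documentation ranges, not real attribution.
GEO_TABLE = {"US": ip_network("198.51.100.0/24"),
             "XX": ip_network("203.0.113.0/24"),   # stands in for a non-US country
             "YY": ip_network("192.0.2.0/24")}     # another non-US country

def country_of(ip):
    """Two-letter code for ip, or 'ZZ' when no prefix in the table matches."""
    addr = ip_address(ip)
    return next((code for code, net in GEO_TABLE.items() if addr in net), "ZZ")

def parse_flow(line):
    """Parse one 'src_ip,dst_ip,dst_port,proto,packets' record into a dict."""
    src, dst, port, proto, pkts = line.strip().split(",")
    return {"src": src, "dst": dst, "port": int(port), "proto": proto, "packets": int(pkts)}

def foreign_knocks(lines, home="US"):
    """Per destination port, count inbound flows whose source is outside `home`.
    Returns {port: Counter({country: flows})}; ports seen only from home are omitted."""
    per_port = defaultdict(Counter)
    for line in lines:
        flow = parse_flow(line)
        origin = country_of(flow["src"])
        if origin != home:
            per_port[flow["port"]][origin] += 1
    return dict(per_port)

def port_under_attack(per_port, threshold=3):
    """(port, foreign_flow_count) for the busiest port at or above threshold, else None."""
    ranked = sorted(((sum(c.values()), p) for p, c in per_port.items()), reverse=True)
    return (ranked[0][1], ranked[0][0]) if ranked and ranked[0][0] >= threshold else None

# Constructed sample records: src_ip,dst_ip,dst_port,proto,packets
SAMPLE_FLOWS = [
    "198.51.100.7,198.51.100.10,443,tcp,12",  # US client, normal HTTPS
    "203.0.113.5,198.51.100.10,3389,tcp,1",   # foreign probe on RDP
    "203.0.113.9,198.51.100.10,3389,tcp,1",
    "192.0.2.44,198.51.100.10,3389,tcp,1",
    "192.0.2.45,198.51.100.10,22,tcp,1",      # single foreign probe on SSH
    "198.51.100.8,198.51.100.10,22,tcp,30",   # US admin SSH session, ignored
]

if __name__ == "__main__":
    summary = foreign_knocks(SAMPLE_FLOWS)
    print(summary)
    print(port_under_attack(summary))  # (3389, 3)
```

Real deployments would feed exported NetFlow/IPFIX records and a maintained geolocation database into the same two functions; the threshold is where you tune noise against the tens of thousands of knocks the study saw.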



Bharat Nair has worked in the Identity and Authentication Management (IAM) and Enterprise Risk Management disciplines over the past 10+ years, focusing on financial institutions (large and community-based) as well as other regulated industries.
