5 minute read 25 Aug 2019

How to hunt for evidence of cyberattackers

By Paul van Kessel

Former EY Global Consulting Cybersecurity Leader

Boardroom cybersecurity discussion leader. Values simplicity in language. Enjoys sports and travel. Proud father of a daughter and a son.

Related topics Cybersecurity Consulting

The quickest way to identify and eject an intruder is to assume that they’re already in your environment and to proactively assess your systems and networks for evidence of compromise.

Cyberattacks make headlines on a daily basis. It’s no longer a question of whether your organization will be breached, or even when; it’s likely to have happened already. Cyberattacks are complex and motivated by a variety of factors, ranging from ideology and financial gain to commercial espionage and even nation state-driven agendas.

The threats are constantly evolving, targeting all organizations, while becoming more prevalent and high-profile. Attackers today are patient, persistent and sophisticated, and attack not only technology, but increasingly people and processes.

Criminals are targeting commercially sensitive information, intellectual property and critical network infrastructure. These threats may come from attackers both within and outside your organization.

Some of these may seem harmless and others far more damaging and malicious in their intent. Nevertheless, any intrusion into an organization’s computer systems can lead to operational expense, reputational damage and loss of competitive advantage, not to mention regulatory fines. No organization wishes for its closely guarded secrets to be traded or leaked, or its brand to suffer from adverse media attention.

Global Information Security Survey 2018 (the headline figures appear as graphics in the original; the percentages are not reproduced here):

  • of board members and C-level executives have said they lack confidence in their organization’s level of cybersecurity.
  • of organizations say it is unlikely that they would be able to detect a sophisticated attack.
  • do not have a Security Operations Center.
  • do not have, or only have an informal, threat intelligence program.

Many vendors are creating products and services to help counter the threat. Organizations are deploying sophisticated virus detection tools, intrusion detection systems and data leakage prevention appliances. Organizations are also implementing sophisticated vulnerability management programs to identify and remediate vulnerabilities in a timely manner. Despite this array of available technology solutions, attackers continue to find a way through, resulting in high-profile and damaging breaches that continue to be publicized in the media.

As media reports of significant breaches indicate, the challenge lies in detecting evidence of an intruder and taking steps to stop the attack before your data is stolen and real damage is done to your business.

The current cyber threat landscape contains a wide variety of threat actors with a multitude of specialized attack capabilities at their disposal. EY’s cybersecurity compromise diagnostic is a set of assessments built to help detect those threat actors in your environment.

Today’s silent intruder

Many attacks, such as Distributed Denial of Service (DDoS), are noisy and disruptive, making them hard to overlook. However, the most impactful attacks tend to be perpetrated by cyber threat actors that are commonly referred to as advanced persistent threats (APT), who use sophisticated and stealthy methods to carry out system breaches that go undetected for extended periods of time.

While every attack is different and unlikely to follow exactly the same approach (cyber criminals don’t follow a rule book), the majority of attacks can be mapped to a simple 10-step process as outlined here. Mapping the attack life cycle in this way lets an organization understand not only how an attacker might carry out an attack, but also which controls are in place to sense, resist and react to the attacker at each step. The opportunities to terminate an attack early in that sequence are why this mapping is called a “kill chain.”

The example here depicts a typical APT attack that starts with spear-phishing. However, the techniques used to gain that initial foothold are many and varied, ranging from exploiting vulnerabilities in internet-facing systems to physically breaching defenses and plugging straight into your core systems. We have also included a high-level view of the types of evidence that might exist, and can therefore be detected, at each stage of this example attack.

Challenges of managing cyber risks

Cyber risk differs from traditional IT risk and presents a unique set of challenges:

  • Attacks can remain undetected for a long time because of blind spots in monitoring and the advanced techniques attackers use to hide their presence.
  • Traditional prevention and detection methods (such as signature-based anti-virus) won’t detect sophisticated attacks that have been tailor-made for your environment.
  • Preventative technologies, such as firewalls and intrusion prevention systems, do not stop your most sensitive information being sent over the internet when the transfer is initiated from what appears to be a legitimate user session on one of your systems, for example an attacker using stolen credentials.
  • Understanding and establishing a baseline of “what is normal” on your network can be challenging, which makes it difficult to spot the anomalous activity or indicators of compromise that warrant further investigation.
  • The increasing sophistication of the ways attackers gain an initial foothold makes attacks hard to detect in their early stages. Phishing emails can be almost indistinguishable from genuine ones, which makes it difficult to teach your organization’s people how to spot an attack.

Cyber defense teams rarely find the time to step back from routine activities and focus on determining whether there is evidence on their systems that they have been, or currently are, subject to a sophisticated cyberattack.

Where to start

Attacks often go undetected for weeks, months and, in some cases, years, by which time the damage is done. The critical first step is determining whether your organization has been breached. Given the advanced nature of these attacks and their discreet techniques, an effective way to detect a historical, ongoing or imminent attack is to proactively hunt for evidence of attackers on your systems and networks.
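As an added illustration (not part of the original article and not a description of EY’s compromise diagnostic), the script below shows the baseline-then-hunt idea in miniature, covering both the “what is normal” challenge listed above and the proactive hunt described here. It learns which hosts and working hours are normal for each user and which parent/child process pairs are normal across hosts from an earlier window of endpoint logs, then flags later events that deviate from that baseline or contain a known indicator. The log format, user and host names, date cut-off and indicator list are all constructed for the example.

```python
"""Baseline-then-hunt over constructed endpoint logs (illustrative only).

All log lines, user/host names and indicators below are made up for this
example; the cut-off date and the IOC list are assumptions, not real threat intel.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events, one per line: "timestamp|type|fields..."
#   auth: user | source host | result
#   proc: host | parent process | child process | command line
SAMPLE_LOGS = """
2019-08-01T08:02:11|auth|alice|WS-ALICE|success
2019-08-01T08:05:40|proc|WS-ALICE|explorer.exe|outlook.exe|outlook.exe
2019-08-01T17:45:09|auth|alice|WS-ALICE|success
2019-08-02T09:14:03|auth|alice|WS-ALICE|success
2019-08-02T09:20:51|proc|WS-ALICE|outlook.exe|winword.exe|winword.exe /n
2019-08-03T08:31:22|auth|bob|WS-BOB|success
2019-08-03T08:33:10|proc|WS-BOB|explorer.exe|chrome.exe|chrome.exe
2019-08-20T02:13:55|auth|alice|WS-FINANCE-07|success
2019-08-20T02:14:30|proc|WS-FINANCE-07|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
2019-08-20T02:15:02|proc|WS-FINANCE-07|powershell.exe|rundll32.exe|rundll32.exe C:\\Users\\Public\\upd.dll,Start
2019-08-20T09:02:17|auth|bob|WS-BOB|success
"""

BASELINE_END = datetime(2019, 8, 10)   # assumed cut-off: earlier events define "normal"
IOCS = ("upd.dll", "SQBFAFgA")         # constructed indicators, matched as substrings


def parse(text):
    """Turn the pipe-delimited log text into (timestamp, kind, fields) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split("|")
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def build_baseline(events):
    """Summarise normal behaviour from events before BASELINE_END."""
    base = {"hosts": defaultdict(set), "hours": defaultdict(set), "pairs": set()}
    for ts, kind, f in events:
        if ts >= BASELINE_END:
            continue
        if kind == "auth":
            user, host, _result = f
            base["hosts"][user].add(host)
            base["hours"][user].add(ts.hour)
        elif kind == "proc":
            _host, parent, child, _cmd = f
            base["pairs"].add((parent.lower(), child.lower()))
    return base


def near_usual_hours(hour, usual):
    """Treat an hour as normal if within one hour of any baseline login hour
    (no wrap-around at midnight; good enough for the illustration)."""
    return any(abs(hour - h) <= 1 for h in usual)


def hunt(events, base):
    """Return findings for events on/after BASELINE_END that deviate from the
    baseline or contain a known indicator."""
    findings = []
    for ts, kind, f in events:
        if ts < BASELINE_END:
            continue
        when = ts.isoformat()
        if kind == "auth":
            user, host, _result = f
            if host not in base["hosts"][user]:
                findings.append({"time": when, "type": "new_login_host", "user": user, "host": host})
            if not near_usual_hours(ts.hour, base["hours"][user]):
                findings.append({"time": when, "type": "off_hours_login", "user": user, "host": host})
        elif kind == "proc":
            host, parent, child, cmd = f
            if (parent.lower(), child.lower()) not in base["pairs"]:
                findings.append({"time": when, "type": "new_process_pair", "host": host,
                                 "pair": f"{parent} -> {child}"})
            hits = [i for i in IOCS if i.lower() in cmd.lower()]
            if hits:
                findings.append({"time": when, "type": "ioc_match", "host": host, "ioc": hits[0]})
    return findings


def run(text=SAMPLE_LOGS):
    events = parse(text)
    return hunt(events, build_baseline(events))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed data the hunt surfaces six findings, all on 20 August: a login for alice from a host she has never used, at an hour she never logs in, followed by two process relationships never seen in the baseline (Word spawning PowerShell, PowerShell spawning rundll32) and two indicator hits in the command lines. Bob’s routine login produces nothing. In a real hunt the baseline window would be weeks of telemetry and the indicator list would come from threat intelligence, but the shape of the work is the same: decide what normal looks like first, then look for what does not fit.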

Many organizations don’t have a fully-fledged security operations center (SOC) with 24/7/365 security monitoring and response. Those that do often either don’t have the right tools deployed in the right locations, or do have tools deployed but have not taken the time to tailor and fine-tune them to their unique environment.

Organizations setting out on the journey to build a SOC and the supporting tools can get a significant head start by temporarily deploying a highly skilled team with best-in-breed technology to perform a time-limited exercise to understand the tools, while also undertaking an initial hunt for evidence of cyberattackers.

Organizations need to adapt and adopt a new detection and response strategy focused on detection through proactively hunting for evidence of attackers on their own networks and systems. EY has developed the cybersecurity compromise diagnostic to help organizations identify signs of compromise, such as that from malware or APT attacks, leveraging leading methodologies and tools.
