Barracuda MSP Exec On How To Tackle Emerging Cybersecurity Threats

Threat hunting is an "ongoing exercise."

Samara Lynn
3 min read

Threat hunting. That was a phrase used repeatedly by Eric Russo, senior security operations center manager, defensive security at Barracuda MSP about battling cybersecurity attacks during his presentation at the Midsize Enterprise Summit IT Security 2024, hosted by MES Computing parent The Channel Company.

Just like the toothy, predatory fish after which the cybersecurity company is named, Barracuda takes an aggressive approach to detect and "hunt" threat actors in its customers' environments, Russo said. 

Threat hunting is an "ongoing exercise," said Russo, who leads intensive security operations within Barracuda's SOC team.

As most anyone in IT knows, there are more threats than ever before. "I think we're seeing between two and sometimes even five or ten critical vulnerabilities being published in a given week," he said.

"We have this process running regularly," he said. "It starts with each week we assign engineers and analysts from our SOC team to conduct threat research … What are the new vulnerabilities that are being published? What are new malware variants?  … What new tactics and techniques are threat groups executing?" 

Russo then broke down the steps that the SOC team takes to pinpoint and respond to threats – useful advice for any IT security professional:

How To Hunt Cyber Threats

Gather Intelligence

Russo said that the SOC team looks for specific threat indicators in suspicious files. "Indicators could be simple things … 'I couldn't address [the] domain's hash values.' [We] gather as much intelligence as possible around the threat and then validate that intelligence. That's a pretty significant step that sometimes gets missed in the threat intelligence process. But something we really emphasize is: if your indicators are illegitimate, you're going to create a lot of false positives, a lot of noise for your customers. We don't want to do that. A really important part of our process is validating the IOCs [indicators of compromise]."

Create A Hypothesis

When analyzing a potential threat, "an engineer or analyst will create a hypothesis," Russo said. 

"What do I think the threat actor is doing? What have I learned based on my recreation of the attack? What is the general idea behind this threat? Then [we] use that to conduct an investigation with the tools and techniques that we have on our XBR [extended detection and response] platform. 

Study IOCs

Next, SOC analysts may investigate IOCs, Russo said. 

"Maybe we'll see, ‘hey, this IP address we know it's associated with this threat' and then we see it doing these additional actions. We can gain more information and uncover new patterns and new techniques. 

Analyze All Information

Russo said the SOC team then takes all of that collected information and runs it against their threat intelligence tools. 

"[We] correlate [it] against additional data sources … trying to gather as much information as possible t paint a full picture so that when we go to a customer as a SOC we can say, ‘here's everything that we see happening in your environment," he explained. 

Learn From Threat Hunting 

"We take what we learn from threat hunting," Russo said. "[We] do some detection engineering in order to be able to monitor for these types of threats, these types of exploits in real-time going forward. [We] automate response actions – these could be things as simple as if we see a bad IP address [and] blocking it on the firewall," he added. 

He said the team also takes more advanced actions like looking at certain file extensions they know are associated with ransomware cybercriminal group LockBit. 

"Let's not only make sure we mitigate that file or that malicious threat, but let's take the step further. Let's network quarantine that device, make sure we're getting contact with the organization. We're working with them in order to fully contain the potential incident," he said.

Share Information With The Cybersecurity Community

"Publishing advisories" and "sharing the intelligence we've gathered," are also important parts of winning the war against these emerging threats, Russo said. 
