Data-driven defense

Our experts explain how cyberattacks give themselves away

Cyber threat hunters analyze network data to spot signs of a cyberattack.

Old-fashioned crime has a way of announcing itself. When someone breaks a window, you hear the glass shatter.

Cybercrime is less obvious – until you know your way around data. This is the job of threat hunters, the cyber specialists who comb through billions of bytes of information to spot signs that something is amiss.

Here, threat hunters from Raytheon explain how they tell when clients are under attack – and what to do about it.

Someone stole user credentials (or is trying to)

What it is: An attempt by an attacker to log onto a network as a real-life user.

What to look for:

  • A few failed logins from many users, all around the same time. That means attackers are trying easy-to-guess passwords, said Molly Payne, a virtual security operations center analyst at Raytheon. “They will take two of the most common passwords used and they’ll try it once against thousands of users. And there’s a good chance they’ll get a hit,” she said. “That’s not going to set off alarms anywhere, because it won’t lock anyone out.”
  • Diversions from a user’s normal pattern, like logging on and immediately scanning the network rather than checking email or opening recently used documents.
  • Logging on at an unusual time or place, like a strict nine-to-fiver suddenly signing in remotely at midnight.
  • Login activity that defies physics. “If I’m logging in on the East Coast, and then in Austin, and then two hours later there’s activity from China … that’s usually a pretty big telltale sign,” said Chris Poirel, principal data scientist at Forcepoint, a commercial cybersecurity company jointly owned by Raytheon.
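As an added example (not code from the article or from Raytheon), the following Python flags the password-spray pattern Payne describes: one source failing against many accounts, each only a couple of times inside a short window, which a per-account lockout counter never notices. The log format, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source tries one guess against five accounts, then alice mistypes twice.
SAMPLE_LOG = """\
2019-05-09T08:00:01 alice FAIL 203.0.113.7
2019-05-09T08:00:02 bob FAIL 203.0.113.7
2019-05-09T08:00:03 carol FAIL 203.0.113.7
2019-05-09T08:00:04 dave FAIL 203.0.113.7
2019-05-09T08:00:05 erin FAIL 203.0.113.7
2019-05-09T08:00:06 frank SUCCESS 203.0.113.7
2019-05-09T09:30:00 alice FAIL 198.51.100.4
2019-05-09T09:30:05 alice FAIL 198.51.100.4
"""

def parse_events(text):
    """Parse the assumed "timestamp user result source_ip" format into tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events

def locked_out_accounts(events, threshold=5):
    """Per-account view: users whose total failures reach the lockout threshold."""
    fails = defaultdict(int)
    for _, user, result, _ in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Spray view: one source failing against many accounts, each only a few times
    (below lockout). Returns (window_start, source_ip, users) per suspicious window."""
    fails = sorted(e for e in events if e[2] == "FAIL")
    alerts, i = [], 0
    while i < len(fails):
        start, _, _, src = fails[i]
        per_user = defaultdict(int)
        j = i
        while j < len(fails) and fails[j][0] - start <= window:
            if fails[j][3] == src:
                per_user[fails[j][1]] += 1
            j += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append((start, src, sorted(per_user)))
            i = j  # skip the rest of this window so one spray is reported once
        else:
            i += 1
    return alerts
```

On the sample, `locked_out_accounts` returns nothing while `detect_spray` reports the five accounts hit from 203.0.113.7, which is the blind spot the quote above points at.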

Someone is using a ‘fileless attack’

What it is: Malware without malware. “Fileless attacks” basically build malware from the weaknesses of legitimate programs. One example: An old Microsoft Word feature called Equation Editor, which dressed up mathematical formulas, could also be used to download files. (Microsoft issued a patch and ultimately eliminated the feature altogether.)

What to look for: Common software doing uncommon things.

“If, all of a sudden, Microsoft Word launched another program … and all of a sudden it started to beacon out to a place like Russia and started to download things, that would be kind of strange,” Payne said.

“This particular threat doesn’t leave any tangible trace on the computer, which makes it super tricky to find,” Payne said. “I started to look at some of the outbound network traffic — what was going on and where was it going?”

Someone is spearphishing you

What it is: An attacker is using fake emails to steal usernames and passwords – for example, posing as a health insurance carrier and directing people to a fake login page.

What to look for: 

  • Emails with embedded links, sent to an unusual grouping of employees
  • Emails from an address like “” that use misspellings and special characters to look legitimate

Someone is stealing data

What it is: Your intellectual property, customer information, employee data, heading straight out the digital door.

What to look for: Anomalies in network traffic, including:

  • Users downloading a large amount of data, or data they do not normally use
  • Non-browser computer programs interacting directly with the Internet
  • A network user downloading or transmitting unusually large amounts of data

But before you can call something unusual, you need to know what’s normal. Understanding the usual activity of users and groups of users is critical, Poirel said. While it might be normal for, say, an intellectual property lawyer to handle documents packed with trade secrets, “it’s highly unusual when someone who rarely interacts with sensitive documents suddenly starts shipping those to external destinations,” he said.

What to do about it

The secret to threat-hunting is to have all the data you need but no more than is necessary. Too much data, or the wrong kinds of data, can trap analysts in an avalanche of noise and false alarms.

Payne recommends keeping data logs on whatever surrounds the parts of the network you most want to protect. It’s a little like making sure the museum cameras are trained on the priceless works – not just the entrance.

“When you know what you’re protecting and you have data around that, everyone’s job gets easier because you have a place to look,” she said.

Last Updated: 05/09/2019