How to Hunt Down a Cyber Attacker


Catching a glimpse of a large windswept lake for the first time is many anglers’ dream: wondering what lurks beneath and where you are best placed to catch the fish you have been dreaming about all winter. At this time of year, a lot of anglers are starting to look at new lakes and targets for the year ahead. Some prefer a small, intimate lake tucked away, while others prefer large open expanses of water. Both hold their own challenges of locating where these fish are going to reside and, ultimately, how they are going to end up in the photo album.

Once these tickets are secured, the research begins: where certain fish have been caught from in the past, what bait was used, and the weather conditions that best favour captures, noting it all down ready for the year ahead. This, coupled with years of angling experience and the watercraft an angler has built up from watching and catching fish on other lakes, gives them a good overall baseline to start their campaign. Carp, however, are not a computer program doing the exact same thing every day, and sometimes throw a spanner in the works of all your carefully laid plans: getting caught from a new area of the lake, at a different time of day, or even going uncaught for many years after regularly hitting the bank in the past. This creates an anomaly in your predefined baseline and would get any good angler’s attention, as it may help them gain an edge over the competition.

LogRhythm, a leader in the Gartner Magic Quadrant for SIEM (Security Incident Event Management) in the IT security world, is like an angler trying to catch their target: a malicious incident or an insider working on the network. This solution, like the angler on a new lake, collects and correlates a baseline of what the network should look like and how it should behave on a day-to-day basis. Usually this process takes 2-4 weeks, but depending on your business cycles it might take slightly longer. Once this is complete, the solution monitors the network and waits for an attacker to infiltrate and start removing company information.

LogRhythm’s key differentiators:

  • UEBA: Adds extra context to the security incidents the SIEM produces and helps remove excess alerts for the SOC to deal with.
  • Reduction in MTTD/MTTR: Mean Time to Detect and Mean Time to Remediate a breach have been slowly increasing in many businesses, allowing more data to be exfiltrated from the organisation. With LogRhythm, dwell time in an organisation is dramatically reduced using scenario and behavioural analytics to surface credential threats faster.
  • Strengthens SOC team value: With reduced MTTD and MTTR, and a single tool carrying out both UEBA and NTBA analytics, this boosts the value of a good SOC team and also improves the company’s workflow.

If you are looking for that extra edge in trying to hunt down an attacker in your organisation, a Next Generation SIEM platform is the best place to start on this journey. If only a solution like this were available to carp fishermen, the hours and hours spent searching for their quarry would be drastically reduced. But where’s the fun in that!!


Written by: John Webster, Client Manager at Armadillo.