What should you look for in an MDR partner?

A checklist for you by Countercept.

Posted on 7 March 2018 by Gayle Kennedy

Managed detection and response (MDR) is a field that has grown out of the need to defend organizations against a range of known and unknown threat actors with a wide range of objectives. Many providers have emerged, but there can be a lack of clarity around what they offer and which one is right for your organization. In advance of more structured guidance from Gartner’s upcoming Magic Quadrant for this sector, what should you look for in an MDR partner to ensure that you can best manage the risks to your organization?

We’ve made a checklist, so you don’t have to.

Here are the questions you should ask any potential MDR partner:

1. Is threat hunting a core part of the solution?

Threat hunting is the process of actively seeking out potentially malicious activity on your estate. This involves deploying savvy, experienced people who channel the attacker mindset in order to predict and prevent an attacker’s next movements.

Doing this effectively requires giving your team dedicated time for researching possible attack plans and techniques, detecting ‘living off the land’ mechanisms, writing new scripts to counter attacker actions, and more. If threat hunters aren’t given the right tools and conditions for success, their skills will quickly atrophy and become outdated.

2. Does their threat hunting capability cover endpoint visibility, networks and logs?

An experienced hunt team requires a range of data sources to provide much greater visibility into where threat actors might have entered and what their end objective might be. Hunt sprints should be conducted across data from endpoints, network, and logs to gain complete visibility of an IT estate, and most – if not all – of the technology used to extract this data should be developed in-house to match that team’s expertise and intelligence.

3. Do they incorporate memory analysis?

The modus operandi for most advanced attackers – and even some less sophisticated ones – is memory injection, where malicious payloads are injected directly into the memory space of running processes, never written to disk and commonly bypassing anti-virus protections. In-memory attacks often amount to very small fragments of code, so threat hunters need to look for small anomalies across thousands of memory regions and code paths.
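As an added illustration of the kind of small anomaly a memory-analysis hunt looks for (example code written for this page, not Countercept's tooling): on Linux, injected code typically lives in executable memory that is not backed by any file on disk. The block parses `/proc/<pid>/maps`-style lines and flags executable regions that are anonymous or both writable and executable. The sample lines are constructed, and the `[vdso]`/`[vsyscall]` allow-list is an assumption that a real hunt would tune (JIT engines also create anonymous executable memory, so hits are leads, not verdicts).

```python
import re

# Constructed sample of /proc/<pid>/maps lines (Linux):
# start-end perms offset dev inode pathname
SAMPLE_MAPS = """\
55d3c1e00000-55d3c1e21000 r-xp 00000000 08:01 1311 /usr/bin/sshd
55d3c2021000-55d3c2023000 rw-p 00021000 08:01 1311 /usr/bin/sshd
7f2a4c000000-7f2a4c021000 rw-p 00000000 00:00 0 [heap]
7f2a4c400000-7f2a4c420000 rwxp 00000000 00:00 0
7f2a4d000000-7f2a4d1c5000 r-xp 00000000 08:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a4e000000-7f2a4e002000 r-xp 00000000 00:00 0
7ffd2b3e0000-7ffd2b401000 rw-p 00000000 00:00 0 [stack]
"""

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \d+\s*(.*)$")

# Kernel-provided executable pseudo-regions that are expected in every process
# (assumed allow-list; extend it for your own estate).
KNOWN_ANON_EXEC = {"[vdso]", "[vsyscall]"}


def parse_maps(text):
    """Parse maps lines into dicts; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        start, end, perms, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "path": path.strip()})
    return regions


def suspicious_regions(regions):
    """Flag executable memory with no file backing, or writable+executable."""
    hits = []
    for r in regions:
        executable, writable = "x" in r["perms"], "w" in r["perms"]
        # Anonymous: no pathname, or a pseudo-name like [heap]/[stack].
        anonymous = r["path"] == "" or r["path"].startswith("[")
        reasons = []
        if executable and anonymous and r["path"] not in KNOWN_ANON_EXEC:
            reasons.append("anonymous executable region")
        if executable and writable:
            reasons.append("rwx region")
        if reasons:
            hits.append({**r, "reasons": reasons})
    return hits


def scan_pid(pid):
    """Live check of one process (Linux only; needs read access to the maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_regions(parse_maps(fh.read()))
```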

4. Is machine learning part of their solution?

Machine learning is not new – it has been around since the 1970s – but from an attack detection point of view, it has been given new life as a panacea to the difficulties in detecting advanced attacks. While we are passionate that the human element is crucial to spotting attacker tactics, techniques, and procedures (TTPs), machine learning has a critical role to play. A solution that integrates machine learning can go a lot of the way to identifying patterns and anomalies, which a threat hunter would then investigate and either rule as a false positive or deem worth further investigation. The ethos behind adopting the attacker mindset is understanding that an attacker will find a way around any piece of software or firewall, so while machine learning can help identify existing and emerging attacker techniques, the human element is crucial in confirming them.

5. Do they provide 24/7 monitoring and how do they achieve it?

Many MDR providers say they offer 24/7 monitoring, but is this really the case? Unless there are actual human threat hunters sitting at a desk around the clock, then this is a false claim.

6. Are they more than just a piece of EDR software?

The term ‘threat hunting’ has been bandied about, and a number of false definitions are creeping into the industry vernacular. For example, some companies are marketing endpoint detection and response software as ‘threat hunting’, when in actual fact it is not – it may give your team the ability to see breaches that use known techniques, but it often provides little or nothing for unknown techniques, nor the ability to respond to the breach as it occurs.

7. Do they “assume breach”?

Research has shown that only one in five active compromises is detected within seven days, with the most common method of detection being law-enforcement notification. To “assume breach” is to take a proactive stance and look for evidence of attackers throughout your IT estate, executing multiple procedures to contain attackers before they fully compromise an organization. Threat hunters do this by actively searching for signs of malicious activity and anomalies, even if there isn’t any immediate evidence of an endpoint compromise.

8. Are their threat hunters given time to research new attacker tactics, techniques, and procedures instead of relying on threat intelligence alone?

To effectively detect and respond to advanced attackers, threat hunters need to think like hackers. To keep their skills and expertise fresh and timely, threat hunters need time away from hunting to practice and research new attacker skills and processes. They should have time to make use of the tools that attackers use. Threat intelligence is important, but it is only a small part of a much bigger story.

9. Do they work with what you already have?

You don’t need to reinvent the wheel. Any good security solution should supplement your good work thus far. Perhaps you have put a lot of time and investment into your current setup and your people internally, and you want to supplement rather than replace. Outsourcing threat hunting – and the training, experience, technology, and research that goes with doing it well – means you have access to a breadth and depth of knowledge and experience that you don’t have to develop in-house.

10. Is their incident response tried, tested, and able to handle multiple complex scenarios?

Detecting an attack is just the first step. Then what? How do you isolate the attackers or predict their next movements? How do you stop attackers from moving laterally within your organization and reaching their end goal? What analysis techniques give insight into their intended target? How do you communicate within the organization as to how employees should conduct themselves during a breach? How do you ensure that the attacker isn’t elsewhere on the estate? Your MDR partner should have a series of tried and tested processes for the majority of eventualities.

Most MDR providers will only tick some, if any, of these boxes. If yours doesn’t, it might be time to ask them: why not?