Managed Detection and Response MDR
No matter how good your technology, it’s worthless without the right people to utilize it: individuals with the right skills and the right experience, keenly engaged in their role.
All about people, not just technology
The traditional approach is broken...
The traditional approach to detection conjures up images of dynamic dashboards and flashing red lights – possibly even a shiny ‘threat map’. The purpose of these gimmicks is to divert attention away from the underlying detection principles, which are archaic – based on rules and alerts. You cannot reveal a targeted attack with rules and alerts, as the modern threat actor utilizes signature-less attacks and then carries out actions masquerading as a legitimate internal user.
Rather than alerts notifying analysts of ‘known-knowns’, Countercept uses trained threat hunters and anomaly-based methods to detect previously unknown attacks.
Skills required for threat hunting
Threat hunters need two broad skillsets: incident response (knowing what to look for based on past compromises) and offensive security skills (knowing what to look for based on what we would do next if we were performing the attack).
Threat hunters search for signs of potential attacker action across the kill chain, from initial compromise (Patient Zero) through to exfiltration or destruction. Countercept’s threat hunters have a deep understanding of OS internals, malware analysis and utilizing both on-disk and live memory forensics to reveal attacks.
True threat hunting
Some MSSPs see MDR providers as the biggest threat to their business, and their marketing departments have responded accordingly – without actually having any meaningful threat-hunting capabilities. Make sure that your MDR supplier can demonstrate comprehensive understanding of attacker operations and detection techniques, without relying on automated alerts to do the work for them. Automated alerts are set defensive parameters that can readily be circumvented by determined attackers.
Modern tech for modern attacks
To reveal advanced attacks, a threat hunter needs the tooling to cover modern attack paths. This technology is known as Endpoint Detection and Response, or an EDR tool. An effective EDR tool will enable the investigation of anomalous activity in the live memory and operating systems of endpoints, from initial code execution, persistence, lateral movement, and even attackers ‘living off the land’ using legitimate tools such as PowerShell.
Clearly, a tool that alerts a security team to every instance of PowerShell will quickly be discarded, so it is the data from the EDR combined with the skill of the threat hunter to cross-correlate against other data that enables effective hunting.
Traditional tech for traditional attacks
As threats have developed in sophistication and capability, traditional MSSP security vendors have simply responded with ‘more of the same’. Faster log analysis, more events per second, wider network coverage – none of which works in the face of completely new attack techniques.
Threat intelligence, rules, alerts and signatures are powerless when it comes to revealing advanced attacks, leaving most companies blind to the earliest – and most crucial – stages of an attack.
Advanced threat actors: Deal with the risk
To request a demo or to talk more about Deteqt and its related cyber defense services, call +44 (0)8445 611 487 or email firstname.lastname@example.org