Sophos MTR – Cybersecurity Evolved

The only constant in the world of cybersecurity is change. As fast as new products and technologies are launched into the market, then so do the capabilities and approaches of attackers. It’s a constant game of cat and mouse.

During a recent online session Eric Kokonas, MTR Senior Product Marketing Manager, and Mat Gangwer, MTR Technical Director, reviewed the threat landscape, explained how MTR fits in an organisation’s cybersecurity strategy and provided an overview of the service.

4 Key Trends in The Threat Landscape 

1. Living off the Land

These techniques take advantage of an operating system’s native tools. These are legitimate tools designed for Administrator use, for example Powershell and Windows Management  Instrumentation, which are manipulated by attackers for malicious use.

You’d expect to see these sort of processes being executed, so telling malicious and legitimate attacks apart is very difficult.

MTR focuses on these sorts of activities, investigating further to identify what is malicious.

2. Automated Active Attack

These start with a hacker using automation, before taking over the process to execute the attack. Ransomware is a prime example, using automation to gain a foothold and then relying on human ingenuity to avoid security controls, evade detection and remain unseen. Although ransomware and other types of attack are viewed as automated campaigns, casting a wide net in the hope of catching anyone whose controls are not suitably robust, they are now becoming much more targeted, with a human element as part of them.

3. Counter Measure Neutralisation

Counter Measure Neutralisation is similar to Automated Active Attacks, but more targeted, silent and methodical. SamSam is a good example, where an attacker looks at ways to switch off or control security tools to remain undetected, and then goes after things like back-ups, without which you’ll be more likely to pay a ransom.

4. Supply Chain Attack

This is an attack which comes from an organisation’s supplier or vendor who are part of their supply chain. These are often the large scale attacks which make headline news. Sophos’ findings show that 56% of organisations have had a breach that involved one of their suppliers. Regardless of how good your own internal processes are, if you have a vendor with access to your data whose security is not as robust, and who is compromised, and this ends up damaging your own organisation.

Managed Detection and Response

Despite the challenges listed above, there is a solution. Managed Detection and Response, a term coined by Gartner in 2016, is the next evolution in cybersecurity, with an emphasis on hunting for new threats and effectively neutralising them.

Managed Security Services Providers 

Managed Security Services Providers are the specialists in setting up the infrastructure, managing the different security tools that are the foundation of a security programme. MDR capability provides a level of specialised talent and expertise, delivered by humans.

The Human Element

According to Gartner; ‘clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure.’

Technology is important, as this allows analysts to do more, faster, but ultimately having a Security Operation Centre (SOC) relies on having the right people in place who can act quickly in the event of an incident, and who have the skill set and knowhow to manage an incident until it is effectively neutralised.

Protect, Detect, Respond.

At its most basic, every company’s fundamental security objective is to detect attacks on sensitive data assets and neutralise the incidents before they become a breach.

This requires three core components:

• Protect
• Detect
• Respond

Protect

Prevent attacks and secure all known vulnerabilities. There are a lot of tools available that help us proactively identify known threats and take action, and these are becoming more and more automated.

Detect

Detect attacks and identify malicious behaviours. There are tool that can do this, to a certain extent, as we’ve seen with Endpoint Detection and Response, which has made a huge advances in being able to detect new types of attacks, based both on known signatures as well as on behaviour.

Challenges when detecting a potentially malicious attack include understanding the severity and scope of the threat, in order to be able to validate whether it is indeed a malicious action, as well as detecting new attacks.

Response

We know that attackers are going to adapt and that they know how our tools work, so they are going to look for new ways to evade detection. This is where a response capability that includes Threat Hunting comes in. Threat Hunting aims to identify new types of attacks and behaviours that we haven’t seen before.

Having identified malicious behaviour, we need to decide on the next steps to take both to neutralise the threat and to ensure that it doesn’t happen again.

3 Cybersecurity Challenges

1. Cyber Skills Shortage

Recruiting and retaining the talent to manage your security programme is difficult, and there are a rising number of unfilled posts within the industry in the UK. An in-house team needs to include a mix of strategic and tactical resource, with enough people to be able to maintain 24/7 coverage.  

2. Return on Investment

How to optimise the value from the cybersecurity tools already in the tech stack is an ongoing issue for many organisations. Some tools may be too complicated, or require too much in-house resource to be managed effectively, and help may be need from an external source.

3. Threats Tools Can’t Detect

Tools can’t detect everything. Attackers are going to adapt and evolve, so you need a team that has the ability to look for new indicators of a compromise or attack.

Threat Notification is Not Enough

Most MDR services identify threats, but do not take action on a customer’s behalf. The focus is in identification and notification of threats, however it’s then up to the customer to decide what to do next. In some cases, it’s even up to the customer to carry out the investigation, to decide whether the threat is legitimate or not.

Expert Threat Response

In developing the MTR service, the key objective for Sophos was to ensure that they would be taking action on behalf of their customers. The three core pillars that underpin this service are:

24/7 human-led threat hunting

3 shifts a day of expert analysts, actively and constantly monitoring your environment and conducting investigations

Investigation of suspicious activity, not just detections

Not just looking at alerts that have been flagged, but also malicious activities

Not stopping at Notification. Taking action

The Sophos MTR service is designed to be an extension of your IT team and to complement the resources that you have. Integral to this is the option to choose the response mode that is right for you, whether you want to handle an investigation yourself, or let the Sophos MTR team manage the actions.

What Does The Sophos MTR Team Do

1. Proactively Hunts For and Validates Threats and Incidents

Constantly looking for new threats which may have evaded detection

2. Uses all Available Information to Determine the Scope and Severity of Threats, and Applies Appropriate Business Context for Valid Threats

This combines machine and human intelligence. A machine may be able to identify a threat, or suspicious activity; a human analyst is able to apply the ‘why’; for example, why is a particular asset under attack, or why is a particular user being targeted

3. Provides Actionable Advice for Addressing the Root Cause of Incidents

Addressing the root cause of an incident prevents a repeat occurrence

4. Initiates Actions to Remotely Disrupt, Contain, and Neutralise Threats

While others stop at just monitoring your environment and sending you alerts, the Sophos MTR team take action.

Real Life Secenarios Explored

Scenario #1 -

Detect:                

A tool is in place to detect suspicious behaviour.

Response:          

The tool knows enough about the attack/behaviour to automate the correct response.  It’s seen the attack before; knows what actions to take; the response can be automated in real time.

Scenario #2

Detect:                

A tool is in place to detect suspicious behaviour.

Response:          

The tool does not know enough about the attack/behaviour to automate a response.

This is a common scenario that may come up with an EDR tool. An activity is detected, but further investigation is need to understand what it means.

In this case, the human analysts within the MTR team will conduct and investigation to confirm whether or not the attack or behaviour is malicious. This is where most MDR services will stop, by identifying the activity, determining its severity, abd then sending this information to the customer.

Where Sophos MTR continues to go further is in determining what response or actions need to be taken, and they will then execute these.

The outcome will be that the output of the investigation is then fed back into the Sophos toolset, so that in the future, that activity can be automated.

Scenario #3

Detect:          

Tools do not detect an attack or suspicious behaviour

Response:          

As nothing is detected, no response action is taken.

This brand new indicator of compromise is detected by an analyst, who conducts an investigation to determine whether the behaviour is malicious or benign.  They will determine what action needs to be taken, take those actions and feed this back into the toolset so that future actions can be automated in the future.

How does Sophos MTR work?

The Sophos MTR Team

Threat Analyst

Responds to ‘lead driven’ threat investigations detected automatically in the customer’s network, and take action, or escalate to the customer

Threat Hunter

Investigates ‘leadless’ threat hunts, looking for anything suspicious that hasn’t been automatically identified

Incident Responder

These get involved when there is a ‘true positive’ and work with the customer during active incidents to triage, contain and neutralise the threat.

The Sophos Investigative Framework

This process  is based on the OODA model (Observe, Orient, Decide, Act) and aims to answer the questions:

• How confident are analysts in their investigation decisions?
• How do you measure a workflow during an investigation, threat hunt or incident

Data Collection

Scheduled Queries

Pre-determined searches are executed on the endpoint. The collected data has been groomed to ensure meaningful data is being captured for detection creation and subsequently faster investigations using the searchable data

Live Queries

For data that isn’t captured via a scheduled query, Sophos MTR can live query an endpoint to return information from the endpoint or the server.

What Does Sophos MTR See

Sophos can review details about:

• The detection that was observed
• Information related to the endpoint
• If this detection was seen on other endpoints

Most importantly, they can see detailed information about what was executed, allowing for further investigation if required.

How is This Used

A single detection on its own may not provide enough intelligence to determine if a threat is real, so Sophos review additional detections, building up a comprehensive picture for investigation.

Use Case

Fireless Cryptomining Attack Discovered Within Minutes of MTR Deployment

Customer Overview:

Industry: Manufacturing

MTR Tier: Advanced

Response Mode: Authorise           

Within minutes of deploying Sophos MTR, the MTR team identified malicious activity originating from fileless cryptomining malware.

There were no files being run, but the team could see that there were Powershell commands being executed.

The team investigated to see where on the system this was coming from. They identified that rather than using a file based attack, the attackers used Windows Management instrumentation to execute and fileless attack and avoid detection. Because organisations expect to see some degree of WMI usage, malicious activity can be difficult to spot.

After conducting a full investigation to confirm the scope and severity of the attack, the Sophos MTR team rapidly initiated response actions on the customer’s behalf to neutralise and remove the threat.

What is Threat Hunting

Threat hunting is described as:

A human-led investigation of causal and adjacent events (weak signals) to discover new indicators of Attack (IoA) and Indicators of Compromise (IoC) that previously could not be detected by existing tools.

There are three types of threat hunting:

• Automated
• Lead-Driven
• Lead-Less

Data can be gathered from three sources:

• Endpoint Data: Process execution; Registry data; File artifacts
• Network: Session data; IDS data; Firewall logs; DNS logs
• Security Data: Security alerts; Threat intelligence

Managed Threat Response by Sophos addresses today’s cybersecurity challenges and provides a solution. Get in touch to find out more.