The only constant in the world of cybersecurity is change. As fast as new products and technologies are launched into the market, the capabilities and approaches of attackers evolve too. It’s a constant game of cat and mouse.
During a recent online session Eric Kokonas, MTR Senior Product Marketing Manager, and Mat Gangwer, MTR Technical Director, reviewed the threat landscape, explained how MTR fits in an organisation’s cybersecurity strategy and provided an overview of the service.
4 Key Trends in The Threat Landscape
1. Living off the Land
These techniques take advantage of an operating system’s native tools. These are legitimate tools designed for Administrator use, for example PowerShell and Windows Management Instrumentation, which are manipulated by attackers for malicious use.
You’d expect to see these sorts of processes being executed, so telling malicious and legitimate activity apart is very difficult.
MTR focuses on these sorts of activities, investigating further to identify what is malicious.
2. Automated Active Attack
These start with a hacker using automation, before taking over the process to execute the attack. Ransomware is a prime example, using automation to gain a foothold and then relying on human ingenuity to avoid security controls, evade detection and remain unseen. Although ransomware and other types of attack are viewed as automated campaigns, casting a wide net in the hope of catching anyone whose controls are not suitably robust, they are now becoming much more targeted, with a human element as part of them.
3. Counter Measure Neutralisation
Counter Measure Neutralisation is similar to Automated Active Attacks, but more targeted, silent and methodical. SamSam is a good example, where an attacker looks at ways to switch off or control security tools to remain undetected, and then goes after things like back-ups, without which you’ll be more likely to pay a ransom.
4. Supply Chain Attack
This is an attack which comes from an organisation’s supplier or vendor who is part of its supply chain. These are often the large-scale attacks which make headline news. Sophos’ findings show that 56% of organisations have had a breach that involved one of their suppliers. Regardless of how good your own internal processes are, if you have a vendor with access to your data whose security is not as robust, and who is compromised, this ends up damaging your own organisation.
Managed Detection and Response
Despite the challenges listed above, there is a solution. Managed Detection and Response, a term coined by Gartner in 2016, is the next evolution in cybersecurity, with an emphasis on hunting for new threats and effectively neutralising them.
Managed Security Services Providers
Managed Security Services Providers are the specialists in setting up the infrastructure and managing the different security tools that are the foundation of a security programme. MDR capability provides a level of specialised talent and expertise, delivered by humans.
The Human Element
According to Gartner: ‘clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure.’
Technology is important, as this allows analysts to do more, faster, but ultimately having a Security Operations Centre (SOC) relies on having the right people in place who can act quickly in the event of an incident, and who have the skill set and know-how to manage an incident until it is effectively neutralised.
Protect, Detect, Respond.
At its most basic, every company’s fundamental security objective is to detect attacks on sensitive data assets and neutralise the incidents before they become a breach.
This requires three core components:
Prevent attacks and secure all known vulnerabilities. There are a lot of tools available that help us proactively identify known threats and take action, and these are becoming more and more automated.
Detect attacks and identify malicious behaviours. There are tools that can do this, to a certain extent, as we’ve seen with Endpoint Detection and Response, which has made huge advances in being able to detect new types of attacks, based both on known signatures and on behaviour.
Challenges when detecting a potentially malicious attack include understanding the severity and scope of the threat, in order to be able to validate whether it is indeed a malicious action, as well as detecting new attacks.
We know that attackers are going to adapt and that they know how our tools work, so they are going to look for new ways to evade detection. This is where a response capability that includes Threat Hunting comes in. Threat Hunting aims to identify new types of attacks and behaviours that we haven’t seen before.
Having identified malicious behaviour, we need to decide on the next steps to take both to neutralise the threat and to ensure that it doesn’t happen again.
How to optimise the value from the cybersecurity tools already in the tech stack is an ongoing issue for many organisations. Some tools may be too complicated, or require too much in-house resource to be managed effectively, and help may be needed from an external source.
3. Threats Tools Can’t Detect
Tools can’t detect everything. Attackers are going to adapt and evolve, so you need a team that has the ability to look for new indicators of a compromise or attack.
Threat Notification is Not Enough
Most MDR services identify threats, but do not take action on a customer’s behalf. The focus is on identification and notification of threats; it’s then up to the customer to decide what to do next. In some cases, it’s even up to the customer to carry out the investigation, to decide whether the threat is legitimate or not.
Expert Threat Response
In developing the MTR service, the key objective for Sophos was to ensure that they would be taking action on behalf of their customers. The three core pillars that underpin this service are:
24/7 human-led threat hunting
3 shifts a day of expert analysts, actively and constantly monitoring your environment and conducting investigations
Investigation of suspicious activity, not just detections
Not just looking at alerts that have been flagged, but also malicious activities
Not stopping at Notification. Taking action
The Sophos MTR service is designed to be an extension of your IT team and to complement the resources that you have. Integral to this is the option to choose the response mode that is right for you, whether you want to handle an investigation yourself, or let the Sophos MTR team manage the actions.
What Does The Sophos MTR Team Do
1. Proactively Hunts For and Validates Threats and Incidents
Constantly looking for new threats which may have evaded detection
2. Uses all Available Information to Determine the Scope and Severity of Threats, and Applies Appropriate Business Context for Valid Threats
This combines machine and human intelligence. A machine may be able to identify a threat, or suspicious activity; a human analyst is able to apply the ‘why’; for example, why is a particular asset under attack, or why is a particular user being targeted.
3. Provides Actionable Advice for Addressing the Root Cause of Incidents
Addressing the root cause of an incident prevents a repeat occurrence
4. Initiates Actions to Remotely Disrupt, Contain, and Neutralise Threats
While others stop at just monitoring your environment and sending you alerts, the Sophos MTR team take action.
Real Life Scenarios Explored
Scenario #1 -
A tool is in place to detect suspicious behaviour.
The tool knows enough about the attack/behaviour to automate the correct response. It’s seen the attack before; knows what actions to take; the response can be automated in real time.
A tool is in place to detect suspicious behaviour.
The tool does not know enough about the attack/behaviour to automate a response.
This is a common scenario that may come up with an EDR tool. An activity is detected, but further investigation is needed to understand what it means.
In this case, the human analysts within the MTR team will conduct an investigation to confirm whether or not the attack or behaviour is malicious. This is where most MDR services will stop, by identifying the activity, determining its severity, and then sending this information to the customer.
Where Sophos MTR continues to go further is in determining what response or actions need to be taken, and they will then execute these.
The outcome will be that the output of the investigation is then fed back into the Sophos toolset, so that in the future, that activity can be automated.
Tools do not detect an attack or suspicious behaviour
As nothing is detected, no response action is taken.
This brand new indicator of compromise is detected by an analyst, who conducts an investigation to determine whether the behaviour is malicious or benign. They will determine what action needs to be taken, take those actions and feed this back into the toolset so that these actions can be automated in the future.
How does Sophos MTR work?
The Sophos MTR Team
Responds to ‘lead driven’ threat investigations detected automatically in the customer’s network, and takes action, or escalates to the customer
Investigates ‘leadless’ threat hunts, looking for anything suspicious that hasn’t been automatically identified
These get involved when there is a ‘true positive’ and work with the customer during active incidents to triage, contain and neutralise the threat.
The Sophos Investigative Framework
This process is based on the OODA model (Observe, Orient, Decide, Act) and aims to answer the questions:
How confident are analysts in their investigation decisions?
How do you measure a workflow during an investigation, threat hunt or incident?
Pre-determined searches are executed on the endpoint. The collected data has been groomed to ensure meaningful data is being captured for detection creation and, subsequently, faster investigations using the searchable data.
For data that isn’t captured via a scheduled query, Sophos MTR can live query an endpoint to return information from the endpoint or the server.
What Does Sophos MTR See
Sophos can review details about:
The detection that was observed
Information related to the endpoint
If this detection was seen on other endpoints
Most importantly, they can see detailed information about what was executed, allowing for further investigation if required.
How is This Used
A single detection on its own may not provide enough intelligence to determine if a threat is real, so Sophos review additional detections, building up a comprehensive picture for investigation.
Fileless Cryptomining Attack Discovered Within Minutes of MTR Deployment
Response Mode: Authorise
Within minutes of deploying Sophos MTR, the MTR team identified malicious activity originating from fileless cryptomining malware.
There were no files being run, but the team could see that there were PowerShell commands being executed.
The team investigated to see where on the system this was coming from. They identified that rather than using a file-based attack, the attackers used Windows Management Instrumentation to execute a fileless attack and avoid detection. Because organisations expect to see some degree of WMI usage, malicious activity can be difficult to spot.
After conducting a full investigation to confirm the scope and severity of the attack, the Sophos MTR team rapidly initiated response actions on the customer’s behalf to neutralise and remove the threat.
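The kind of lead this case study describes can be sketched as a detection rule. The Python below is an added example, not Sophos code: it flags PowerShell started by the WMI provider host and groups matches by command line so the affected endpoints appear together. The event schema, host names and sample events are constructed, and the parent check assumes processes created through WMI appear as children of WmiPrvSE.exe.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events; the field names are a hypothetical schema.
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = "powershell.exe -NoP -W Hidden -enc <BASE64-PLACEHOLDER>"
EVENTS = [
    {"host": "WS-01", "parent": WMI, "image": PS, "cmd": ENC},
    {"host": "WS-02", "parent": WMI, "image": PS, "cmd": ENC},
    # Scheduled admin script run over WMI: still a lead, but lower severity.
    {"host": "SRV-01", "parent": WMI, "image": PS,
     "cmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"host": "WS-03", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": "powershell.exe"},
]

def flag_matches(token, full_name, aliases=()):
    """True if token is -<prefix of full_name> or an alias (PowerShell accepts both)."""
    name = token.lstrip("-/").lower()
    return token[:1] in "-/" and bool(name) and (
        name in aliases or full_name.startswith(name))

def score(event):
    """Return None (not a lead), 'medium' or 'high' for one event."""
    if basename(event["parent"]).lower() != "wmiprvse.exe":
        return None
    if basename(event["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    toks = event["cmd"].split()
    encoded = any(flag_matches(t, "encodedcommand", ("ec",)) for t in toks)
    hidden = any(flag_matches(t, "windowstyle") and nxt.lower() == "hidden"
                 for t, nxt in zip(toks, toks[1:]))
    return "high" if encoded or hidden else "medium"

def triage(events):
    """Group flagged events by command line so affected hosts show up together."""
    leads = defaultdict(lambda: {"severity": None, "hosts": set()})
    for ev in events:
        sev = score(ev)
        if sev:
            leads[ev["cmd"]]["severity"] = sev
            leads[ev["cmd"]]["hosts"].add(ev["host"])
    return dict(leads)

if __name__ == "__main__":
    for cmd, lead in triage(EVENTS).items():
        print(lead["severity"], sorted(lead["hosts"]), cmd)
```

The medium-severity result for the inventory script reflects the point made above: WMI-launched PowerShell is not malicious in itself, so the rule produces a lead for an analyst rather than a verdict.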
What is Threat Hunting
Threat hunting is described as:
A human-led investigation of causal and adjacent events (weak signals) to discover new Indicators of Attack (IoA) and Indicators of Compromise (IoC) that previously could not be detected by existing tools.
There are three types of threat hunting:
Data can be gathered from three sources:
Endpoint Data: Process execution; Registry data; File artifacts
Network: Session data; IDS data; Firewall logs; DNS logs
Chess is one of the UK’s leading independent and trusted technology service providers, employing 300 skilled people across the UK, supporting over 20,000 organisations.
By leveraging world-class technology, Chess helps you to connect your people, protect your data, grow your business, reduce your costs and work better together, which means your business, your people and your customers can thrive.
At Chess, we’re passionate about our unique culture and our continuous investment in our people to be industry experts. We’re extremely proud that our people voted us No.1 in ‘The Sunday Times 100 Best Companies to Work for’ list 2018, and we continue to celebrate more than ten years in the top 100.