Cat Contillo 07.26.2021 5 min read

The Age of Rapid-Response Managed Detection and Response

Co-written by Mike Penn (Magna5) and Cat Contillo (Huntress ThreatOps Analyst II)

As a busy “as-a-service” managed security provider that serves customers nationwide, our teams at Magna5 regularly hear what keeps customers’ IT staff members up at night. At the top of the list is cybersecurity.

It is becoming more common to see sophisticated ransomware and other malware target small- to medium-sized businesses (SMBs). Organizations that thought they had strong preventive security measures in place are now questioning their security preparedness. Lack of visibility into endpoint devices, poor detection capabilities for responding to threats quickly, and a shortage of IT staff time to apply patches regularly are leaving many organizations unprepared to protect remote workers.

Customers tell us that the lack of early-warning detection, caused by limited visibility into and awareness of existing vulnerabilities, is frustrating. Today, many attackers use fileless malware, zero-day exploits or other advanced techniques. These attacks do not match any known signature, so traditional antivirus programs and signature-based detection are no match for them.

In addition, with remote work here to stay, customer IT managers are feeling the pressure of increased cloud workloads and data proliferation from many endpoints. Identifying new ways to protect their network from unknown devices or unsupervised users is a high priority.

An estimated 70% of breaches start on endpoint devices. Remote work brings a hidden security danger: all those endpoints and devices connected outside of the office firewall are prime entry points for cybercriminals targeting an organization. Without proper protection, those unsecured endpoints are open to a wave of ransomware attacks.

These customer challenges are real. They spark a need for real-time, managed threat prevention, detection and response that protects all perimeters—networks, virtual clouds, endpoints, remote offices and mobile operations.

Take Note of Your Endpoint Security Gaps

When evaluating your endpoint security, it is important to see if any red flags are holding you back. Below are some questions to ask.

  • Do we have full visibility into all endpoint environments? Whether traffic is on the corporate network, in a hybrid data center or on the remote employee’s endpoint, central visibility into the devices that employees are working on can go a long way in finding potential hidden entry points.
  • Can we adequately secure our remote workforce connecting both inside and outside of our protective firewalls? Employees may be using company-owned laptops on home Wi-Fi networks or using their personal smartphones to access business data. Or other family members using the same home devices could download malware onto the same machine used to handle enterprise information.
  • Is our incident response to ransomware and cyber threats too reactive, putting our organization at risk? Cybercriminals are launching waves of relentless attacks against remote workers. Many businesses do not have effective control over remote endpoints that are accessing their environment from untrusted networks. Can you proactively roll back a machine state after malware has been detected and auto-quarantine an infected machine off the network?
  • Are we struggling to roll out patches or security upgrades company-wide? A large share of ransomware infections trace back to unpatched systems and rampant password reuse. Many IT departments are bogged down by daily operational activities, so patching and upgrades take a back seat, to the delight of the cyber bad guys.

Be on the Offensive—Protect Your Endpoints to Reduce Risks

The best option to avoid downtime is to not get compromised in the first place. Working with Huntress to augment our suite of managed security solutions, Magna5 provides customers with a multi-layered security defense to manage and safeguard their network.

What does a resilient endpoint defense look like? Here are six pillars we provide organizations to help gain an upper hand in providing real-time prevention, detection and response.

  • Watch. Proactively monitor attacks with full visibility into all endpoints, encrypted traffic as well as applications and processes.
  • Prevent. Automate the entire patching and endpoint configuration process to actively minimize the vectors that attackers can exploit.
  • Detect. Utilize AI and machine learning to monitor both known and unknown cyber threats at every stage of their lifecycle.
  • Isolate. Generate real-time forensics and storyline visualizations to map attacks' point of origin and progression across endpoints.
  • Block. Use policy-driven protection to kill a process, quarantine or delete malicious binaries before they do damage.
  • Hunt. Actively hunt for attacks using sophisticated algorithms to seek out potential footholds and hard-to-detect persistent threats.

Real-Time Detection and Response in Action

Let’s take a look at a real-life example. A manufacturing customer reached out to Magna5 when malware infected their production servers and workstations, halting all operations. The breach was traced to a malicious email that targeted a user. With little visibility across their network, they requested Magna5’s expertise and toolsets to help isolate and eradicate the infection.

Magna5 deployed several tools within its endpoint security bundle, including SentinelOne and Huntress. We leveraged Huntress’s cyber threat hunting capabilities to identify which machines had been infected.

The Huntress solution collects forensic data from each endpoint, looking for footholds and backdoors in the places attackers typically persist: startup folders, autorun registry keys and scheduled tasks, to name a few. Automated detection first flags anything malicious or unwanted; the data then goes to Huntress’ ThreatOps team, who review it manually. Huntress reports any findings to the Magna5 team, who then remediate the malware variant from the customer environment.

A Huntress ThreatOps Perspective

Cyber threat hunting is when analysts actively look through and review new autoruns on different hosts. Huntress looks at each persistence mechanism’s name and file path: specifically, which files are referenced and which directories they sit in.

Threat actors use multiple techniques to get past antivirus software. Threat analysts at Huntress actively hunt for threats by reviewing the autorun data collected from every host. We constantly look at the new autoruns that come through, whether a known entry now points at a changed file (a new hash) or a newly onboarded trial customer brings in file paths we have not seen before.

When a computer is infected with malware, you might see a ransomware notice stating that your files have been encrypted. You might see lots of pop-up ads. Your system administration tools or antivirus software might be disabled. These are just a few behaviors that can signal malware has infiltrated your system, network or computer.

The malware infections we see at Huntress look a bit different. Analysts review autorun data (file paths and the entries that launch them) from every customer, so we see where the malware is hiding. It may use living-off-the-land techniques (for example, LOLBins) to remain undetected. In these cases we look for autoruns that launch built-in tools such as powershell.exe or cmd.exe, which attackers often abuse to download or execute malware on a computer or network.

We might see multiple malicious autoruns or file paths on a single host. Cyber threat hunters seek to find every autorun, file path or directory that might hold other malicious files. Once we mark all the files as malicious, a report is generated with remediation steps to eradicate the malware.

At Huntress, real humans analyze every detail of every persistence mechanism we find. The autorun details, including the file name, file path, directories or folders, signature, behavior and more, are analyzed. Even before an investigation is opened, we use static and dynamic analysis on suspicious activity to find any other details that will aid the investigation. If the threat is deemed malicious, we mark the autorun as such in an investigation.

After an autorun is marked malicious, we look at the host to see whether any other autoruns are associated with it, or with the malware in general, before a report is created. After every autorun is reviewed, a report is generated with remediation steps that must be followed to get the malware off the host. Those steps are passed along to customers so the malware can be eliminated.
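The review described above (collecting startup folders, autorun keys and scheduled tasks, then flagging new hashes, unfamiliar file paths and LOLBin launches, and grouping the hits per host so the rest of a compromised machine gets a second look) as a runnable illustration. This is an added example written for this page, not Huntress or Magna5 code: the record layout, the rule set, the weights, the threshold and the sample records are all assumptions for illustration, and the sample data is constructed, not real telemetry.

```python
"""Triage of Windows autorun records (added example, not Huntress/Magna5 code).
Record layout, rules, weights and sample data are assumed for illustration."""
import re
from collections import defaultdict

# Built-in binaries frequently abused as living-off-the-land launchers.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}

# Command-line fragments that make a LOLBin launch look like a loader.
SUSPICIOUS_ARGS = re.compile(
    r"-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|"
    r"\biex\b|invoke-expression|https?://|frombase64string|-nop\b|bypass",
    re.IGNORECASE)

# Directories any user can write to; legitimate services rarely autorun from here.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\|\\users\\public\\",
    re.IGNORECASE)


def _reasons(rec, baseline):
    """Return a list of (weight, reason) for one autorun record.
    baseline maps (location, entry) to the sha256 last reviewed as benign."""
    reasons = []
    image = rec["image_path"].rsplit("\\", 1)[-1].lower()
    key = (rec["location"].lower(), rec["entry"].lower())
    known = baseline.get(key)
    if known is None:
        reasons.append((2, "never-seen autorun entry"))
    elif known != rec["sha256"]:
        reasons.append((3, "known entry now points at a different file (new hash)"))
    if image in LOLBINS:
        if SUSPICIOUS_ARGS.search(rec["command_line"]):
            reasons.append((4, f"{image} launched with loader-style arguments"))
        else:
            reasons.append((1, f"autorun invokes {image}"))
    if USER_WRITABLE.search(rec["image_path"]) or USER_WRITABLE.search(rec["command_line"]):
        reasons.append((2, "runs from a user-writable directory"))
    if not rec.get("signer"):
        reasons.append((1, "unsigned image"))
    return reasons


def triage(records, baseline, threshold=3):
    """Score every record and return {host: [findings]} for anything at or above
    threshold. Grouping by host mirrors re-checking a host for further autoruns
    once one of them has been marked malicious."""
    by_host = defaultdict(list)
    for rec in records:
        reasons = _reasons(rec, baseline)
        score = sum(w for w, _ in reasons)
        if score >= threshold:
            by_host[rec["host"]].append({
                "location": rec["location"], "entry": rec["entry"],
                "score": score, "reasons": [r for _, r in reasons]})
    for findings in by_host.values():
        findings.sort(key=lambda f: -f["score"])
    return dict(by_host)


# Constructed sample data: previously reviewed hashes and a fresh autorun export.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = {(RUN.lower(), "securityhealth"): "aaaa1111",
            (RUN.lower(), "vendorupdater"): "bbbb2222"}
SAMPLE = [
    {"host": "WS-FIN-01", "location": RUN, "entry": "SecurityHealth",
     "image_path": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "command_line": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "sha256": "aaaa1111", "signer": "Microsoft Windows"},
    {"host": "WS-FIN-01", "location": RUN.replace("HKLM", "HKCU"), "entry": "OneDriveSync",
     "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A",  # constructed blob
     "sha256": "cccc3333", "signer": "Microsoft Windows"},
    {"host": "WS-FIN-01", "location": r"Scheduled Task\Microsoft\Windows\Maintenance",
     "entry": "UpdateCheck",
     "image_path": r"C:\Users\jsmith\AppData\Roaming\svchost.exe",
     "command_line": r"C:\Users\jsmith\AppData\Roaming\svchost.exe",
     "sha256": "dddd4444", "signer": ""},
    {"host": "SRV-PRD-02", "location": RUN, "entry": "VendorUpdater",
     "image_path": r"C:\Program Files\Vendor\updater.exe",
     "command_line": r"C:\Program Files\Vendor\updater.exe",
     "sha256": "eeee5555", "signer": "Vendor Inc"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE, BASELINE).items():
        print(host)
        for f in findings:
            print(f"  [{f['score']}] {f['location']}\\{f['entry']}: {'; '.join(f['reasons'])}")
```

The benign SecurityHealth entry (known hash, signed, system path) scores zero and is never shown, the hidden encoded PowerShell autorun and the unsigned "svchost.exe" in a user profile surface together on WS-FIN-01, and the VendorUpdater entry on SRV-PRD-02 is flagged only because its hash changed since the last review. The weights are deliberately crude; the point is that the hash, path and launcher checks the passages describe are each cheap to express, and that output grouped per host is what lets an analyst finish the host before writing the report.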

Be Proactive in Safeguarding Your Data

Staying ahead of cyber threats today means protecting your endpoints on multiple fronts. With cyber criminals ratcheting up their attacks on remote workers, managed detection and response can provide the visibility organizations need to counter attacks before they penetrate your endpoints and perimeter.

About Magna5

Magna5 provides managed IT, voice and connectivity solutions to mid-market and enterprise customers nationwide, including leaders within the education, healthcare, government, financial services and other industry segments. Headquartered in Frisco, TX, Magna5 operates nationally and has office locations in Pittsburgh; San Antonio; Seattle; and Troy, NY. Magna5 is a platform company of NewSpring Holdings.

Editor's Note: This post was originally published on Magna5's blog.


Cat Contillo

ThreatOps Analyst II at Huntress