Light Dark
November 13, 2020 By Thomas Bouve 4 min read
Intelligence & Analytics
Security Services

This is the second in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how an effective managed detection and response (MDR) service helps organizations achieve their goals. Specifically, we’ll examine them through the context of four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. Today, we’ll discuss protection.

Protect Your Digital Users, Assets and Data

Protection is about stopping attacks, but is more than just preventing malicious activity. With MDR, protection consists of a number of essential building blocks. Together, these ensure threats are not only prevented, but also that the security team can detect and respond to them as quickly and efficiently as possible.

Managed Detection and Response With Custom Threat Intelligence

For protection to be effective, we must first be able to detect threats often. These days, almost all endpoint detection and response (EDR) platforms come with some form of next-gen antivirus functionality that leverages both classic atomic indicators and behavioral detection capabilities to trigger security alerts. When the risk of false positive alerting is sufficiently low, alert generation can include automatic prevention as well.

While default EDR detections are a good baseline, consider them a starting point. No two groups are alike, and having more threat intelligence and customized detections improve your chances of detecting threats. They also limit false positive noise from taking up valuable analysis time.

In short, ongoing enhancement of both the baseline intelligence and detection aspects is a must-have. It should be part of any MDR workflow to provide a service tailored to and prioritized for each customer’s needs.

Focus on Behaviors and TTPs

As noted in the previous installment of this series, critical asset prioritization is key. This directly translates to which alerts should get our attention first. Alerting based on atomic indicators like known bad hash, IP or domain values allows for easy detection of threats.

At the same time, an attacker can easily change these types of atomic indicators or indicators of compromise (IOCs). Switching to a new command and control IP address or modifying a binary so the associated hash value changes as well are trivial from the perspective of an attacker. They are easy ways to circumvent detection in any system that only detects on these types of indicators.

The low impact that prevention and detection of static IOCs and atomic indicators have on a persistent attacker means protection based on those indicators will always be short-lived. To be effective in the long term and have a larger impact on an attacker, detection and prevention should first and foremost be focused on behavior. Being able to effectively detect based on tactics, techniques and procedures (TTPs) used by an attacker has a much larger impact in the long term. After all, behavior is inherently harder to change.

Access to Full Telemetry

Once alert prioritization is done and analysis of the activity begins, or when it’s time to kick off a new proactive threat hunt, the full endpoint telemetry captured by the EDR platform comes into play and allows MDR analysts to start their investigation and respond to the threat with confidence.

Other platforms often do not provide the required level of detail into endpoint activity to support a thorough enough deep dive or high confidence conviction. From the perspective of MDR, these additional data sources are most useful to help fill in specific gaps (e.g. network logs, proxy logs) or provide additional context to the ongoing activity.

Having access to the full telemetry captured by EDR platforms allow analysts to respond to threats in several different ways. They can tell their customers where the threat came from and what the full scope and impact are. Additionally, they can find what specific remediation steps are needed to contain the problem and return to a known clean state.

Managed Detection and Response And Handling Problems Before They Start

When, not if, the time comes to contain a threat, responders and application owners no longer have the luxury of hours or days to assess would-be business impact should one or more systems need to be isolated. This drives the need to take a much more proactive approach in identifying critical resources and establishing pre-authorized courses of action. The goal then is to make as many decisions and authorizations in advance as possible.

You can establish pre-authorized containment playbooks ahead of time for high-value assets. In addition, you can select scenarios matching high-risk threat actor behaviors and TTPs (e.g. data exfiltration). When you do make a decision to isolate, the reaction should be contain first and ask questions later. Once you identify them, drill or rehearse containment procedures in a safe and controlled fashion to ensure successful outcomes. Lastly, measure key performance indicators in this area often to ensure the containment procedures are working.

Assessing Your Endpoint Protection Maturity

Take care when switching to a proactive containment and remediation process. Don’t consider it a one-time action. Ask yourself the following questions to determine your maturity level as it pertains to protecting your endpoints:

  • Are we leveraging threat intelligence tailored to our needs? Is this intelligence based on both TTPs and static IOCs?
  • Can we use outcomes of security incidents to fine-tune EDR detections?
  • Are we running regular, tailored proactive hunts? Do we use hunt outcomes to add new or enhance existing detections?
  • Can we rapidly isolate systems if needed?
  • Do we exercise and test our pre-approved containment procedures on a regular basis and realign them when needed?
  • How proficient are we at reducing or getting rid of business impact when we perform a proactive containment action?

Check out Part 3 of this series to explore how to manage defenses against growing threats, and learn more about IBM Security Managed Detection and Response Services.

 |  | 
Thomas Bouve
Senior Threat Response Analyst, IBM

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature