Today’s security leaders are challenged not just by a skills shortage and budgetary constraints, but by immense vendor sprawl in the cybersecurity market. To tackle these challenges, many have invested in Managed Detection and Response (MDR) over traditional Managed Security Services (MSS). However, there is still too much confusion in the industry over what truly sets MDR providers apart.
Given the competitiveness of the MDR market, many service providers have benefitted from Response being viewed as tablestakes in the eyes of the customer. Of course, their MDR partner will provide fast, complete, and effective response to eliminate cyber threats before they spread.
Unfortunately, many MDR providers fail to demonstrate security leadership in a critical area of MDR – their threat investigation capabilities. You can’t deliver complete threat response without robust and thorough investigation expertise. Especially when it comes to the depth of investigation required to correlate multiple signals network, endpoint, log, cloud, and identity sources.
In this blog, we share why building the world’s most complete response capability is driven by the strength of the threat investigations and how you can evaluate true investigative expertise in an MDR provider.
Why is threat investigation important?
If you ask Tia Hopkins, Field CTO and Chief Cyber Risk Strategist at eSentire, she’ll say that every MDR provider is hyper-focused on demonstrating their Response capabilities – but that’s precisely where the problem lies.
“A CISO absolutely needs to value fast and accurate response, but what I’ve found is that not enough security leaders truly understand that the accuracy of the response is powered by the maturity of the threat investigation,” Tia points out. “As a security leader, you have to question how can the vendor respond to a threat if they haven’t done the necessary legwork for the threat investigation portion?”
MDR providers that value response speed over accuracy might grab the first smoking gun they find during their threat investigation process and base their response from that. But that gun might have been a decoy.
In other words, the depth of the threat investigation dictates the depth of the response.
It’s the differentiating factor between your team simply being notified of potential suspicious activity after an alert is triggered vs. getting a list of specific actionable recommendations and being guided through the recovery and remediation process to eliminate the threat altogether. Without the appropriate tooling, security expertise, or threat intelligence to drive the threat investigation, the response outcome will be inaccurate and incomplete.
Moreover, the lack of a deep investigative process drives inefficiency.
For example, if one of your endpoints is impacted by a threat, the MDR provider’s Security Operations Center (SOC) may perform a superficial investigation and contain the threat. This might be the end of the investigation and remediation process – case closed. However, if a second endpoint is impacted just a few hours or days later, the SOC now has to open another ticket and conduct another investigation. This process is largely inefficient for the SOC Analyst as well as you, the customer. As a result, you’re now dealing with multiple incidents over a far more extended time period.
On the other hand, a thorough investigation following the containment of the first incident would have driven a highly efficient and thorough remediation process.
“The worst thing an MDR provider can do is take things – in this case, alerts – at face value. You have to conduct deeper threat intelligence and research to get the full lay of the land. Otherwise, the SOC might miss key indicators of compromise,” Tia advises. “In eSentire’s case, if we discover a new IOC as part of the threat investigation, we operationalize the information and apply it to all our other customers so they can benefit from Security Network Effects. Not all MDR providers are doing this.”
How can you evaluate threat investigation capabilities in an MDR provider?
As critical as threat investigation capabilities are, many organizations don’t know what to look for or how to evaluate true investigative expertise as they compare MDR providers. This may stem from the fact that the MDR market has become saturated and confusing, especially with the rise of Extended Detection and Response (XDR).
“A lot of security leaders can’t distinguish that MDR is a service, not a tool. XDR is the tool and that’s why it’s critical to make MDR outcomes more effective,” Tia says. “When you have confusion over MDR and XDR, it’s no surprise that the industry is having a hard time evaluating threat investigation capabilities.”
So, what should you look for instead? According to Tia, it comes down to the buyer’s experience and understanding that you can’t evaluate a service in the same way you evaluate a product – and threat investigation is a service.
When evaluating a product, buyers often focus on its features, the functionality, how hard the technology is to onboard or deploy, how effective it is, and how it compares to its competitors. But this doesn’t suffice when you evaluate a service like Managed Detection and Response.
“As a buyer, you need to give the MDR provider a scenario and have them walk you through how they will handle a threat,” Tia advises. “This gives you an idea of their process, their communication style with you and your team, the extent to which they will defend you, and most importantly, what your team will have to deal with after the recovery and remediation process.”
To bring it back full circle in how you should evaluate the MDR provider’s threat investigation process, Tia suggests paying close attention to the picture they paint for you:
“Ideally, they should detect the adversarial presence and first investigate how they got into your environment and your systems. Once the threat is contained, they should go back and conduct a second, deeper investigation about the full actions and complete pathway attackers took. With SunWalker, this is what allowed us to see the threat actor pivoting from Machine A to Machine B and all the TTPs they were leveraging. We also looked for additional IOCs elsewhere in the network just to make sure they weren’t hiding anywhere else.”
This is the methodology our own SOC Analysts have adopted to ensure our customers truly benefit from effective, accurate threat response. We conduct threat investigations before and after threat containment — that’s the eSentire differentiator.
As a buyer, if the MDR vendor isn’t laying out this process for you, we recommend you continue the evaluation process. Fake MDR providers often stop after they’ve isolated the host, restored the data, and gotten it back online. This marks the end of the investigation process for them.
“With eSentire MDR, this is not the outcome you should expect. We want to know all the details of any threat – big or small – before we close out the incident. Our customers should walk away understanding the threat in detail, knowing the pathways the attackers took, and more importantly, how they can make sure this won’t happen again.”
Case Study: SunWalker Ransomware Incident
To put this into perspective, here’s a walkthrough of an 8-hour long battle that eSentire’s 24/7 SOC Cyber Analysts and Threat Response Unit (TRU) partook in. In this case, an unidentified threat actor attempted to deploy the SunWalker ransomware against an online education institution in a highly targeted cyberattack.
The adversary tried to gain initial access, conduct lateral movement, and deploy the ransomware but ultimately withdrew because of eSentire’s SOC and TRU teams working together to deflect the hands-on attack paths. We picked up activity through Blue Steel, our proprietary machine learning-powered tool that detects malicious PowerShell commands from customer endpoints, which allowed us to respond quickly.
However, it’s the second, deeper investigation we conducted once the threat was eliminated that demonstrates how we were able to respond so quickly:
- First, a detection rule in an endpoint agent generated an alert, which triggered the attention of our SOC Analysts. They recognized the risk of an active intruder, isolated the endpoint, and escalated the incident to our Threat Response Unit (TRU).
- TRU initiated a broader threat investigation to assess the Initial Access vector and to determine additional active response actions. They investigated log and network flow data and discovered that a VPN was an attack vector. This discovery led to another active response action, during which the organization disable the two compromised VPN tunnels.
- TRU continued to investigate the threat and reconstruct the attack:
- An unknown IP address successfully connected to the online education institution’s VPN pool and a workstation endpoint (i.e., Endpoint Zero) beginning the attack.
- One hour later, a member of the VPN pool successfully logged in to Endpoint Zero via Remote Desktop Protocol (RDP) using credentials belonging to Account A, abusing a Valid Account.
- Using Service Account B, that had recently been created legitimately by Account A, the attacker re-established RDP with Account B on System Zero.
- Using Account B on Endpoint Zero, the attacker executed Mimikatz27 via PowerShell to engage in credential theft, which eventually triggered the detection rule in the first place.
At this point, there were no active traces of the intrusion. However, because TRU kept the threat investigation ongoing, we were able to find a stealthy backdoor that had been planted on a domain controller. When the attacker returned four hours later, we were ready. What followed was human vs. human battle to ensure the attacker couldn’t successfully fulfill the objectives. From start to finish, this incident played out at just over eight hours.
It's critical to understand that if an MDR provider had simply closed the incident after Endpoint Zero had been isolated and restored, they would not have found that the Initial Access vector was a VPN. This means that the compromised VPN tunnels would remain operational. Not to mention the backdoor the threat actor had installed as a backup just in case.
This is precisely why we believe that the speed and efficacy of an MDR provider’s response actions rely heavily on their investigation capabilities, which ultimately rely heavily on their detection capabilities.
Learn more about the SunWalker incident, how modern ransomware attacks have changed, and what this means for organizations in our report, Defending Against Modern Ransomware.
To learn how eSentire MDR can help you build a more responsive security operation and put your business ahead of disruption, connect with an eSentire cybersecurity specialist.
