With the complexity of cyber threats increasing across the board, general approaches to cyber security aren’t enough to protect your organisation. You need cyber security that can address each threat on a case-by-case basis.
Unfortunately, many security teams are struggling to detect and respond to threats that have bypassed traditional defences.
As a consequence, Managed Detection and Response (MDR) is now a critical solution for enterprises that want to detect and respond to these advanced threats. MDR provides organisations with support from a managed security service provider who can assist with both detection and response and containment should the worst occur.
How to Identify Use Cases for MDR: A Use Case Framework
Integrity360’s MDR service uses a Use Case Framework to help organisations identify and mitigate priority risks. The framework defines threats we can address with MDR, providing a profile of the threat, outlining threat actor tactics, the level of risk posed by the threat, and the type of security tool integrations and procedures the organisation needs in place to mitigate it.
When advising an organisation on what defences they need to implement, our guidance depends on the type of tactics that attackers are most likely to use to infiltrate their systems.
As part of the process, we break down attacks into stages using the MITRE ATT&CK framework, categorising the tactics and techniques an attacker will use to breach key systems.
After analysing the priority risks an organisation faces, we focus on the MITRE ATT&CK tactics and techniques that relate to those risks. We then identify the use cases most relevant to detecting and responding to them, including technical details on SIEM correlation searches, EDR configurations, and investigation workflow/SOAR playbooks that will detect, contain, and mitigate these risks in the organisation's environment.
Adversarial Tactics and Techniques We Can Detect with MDR
MDR enables organisations to detect a wide range of threats, from APT and zero-day attacks to phishing attempts, malware strains and brute-force attacks.
Some of the core adversarial tactics and techniques that Integrity360’s MDR service addresses include:
- Phishing - Our MDR service detects and responds to phishing techniques, preventing intrusions when an attacker sends a fraudulent email designed to trick users into giving up credentials or other information.
- Malware - We respond to malware by investigating alerts generated by EDR and AV tools that are sent to a SOAR or SIEM platform, and taking responsive action where needed.
- Network Attack - We detect the network tactics attackers use to gain unauthorised access to infrastructure, including exploitation of vulnerabilities and remote services, reconnaissance, and brute-force attacks.
- Credential Access - Our MDR service also detects and responds to credential access techniques such as brute-force attacks and operating system credential dumping, which indicate an intruder is trying to breach a system.
- Privilege Escalation - With an MDR service, we can help spot hackers that exploit vulnerabilities, create or modify system processes, or conduct DLL hijacking.
- Policy Violations - Continuous monitoring enables organisations to detect policy violations that can indicate malicious or inadvertent insecure activity.
- Command & Control - Through remote monitoring, we can identify when an attacker achieves remote control of an endpoint even if they use obfuscation techniques.
- Lateral Movement - We monitor for lateral movement techniques early in the breach lifecycle so we can respond before an attacker has had a chance to locate a sensitive target.
- Data Exfiltration - Visibility over network activity enables us to identify the signs of data exfiltration so we can respond before there is massive data loss, and to provide early warning of any such loss.
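To make the "SIEM correlation search" idea above concrete, here is an added example (not Integrity360's code or part of the original article) of the kind of correlation that covers two of the listed tactics: a credential access brute force (ATT&CK T1110, many failed logons from one source followed by a success) and lateral movement (T1021, the same account then logging on over the network to several distinct hosts in a short window). The events are constructed by hand for the example; the event IDs 4624/4625 and the logon_type field follow the Windows Security log schema, while the field names `src` and `host` and the thresholds are this example's own assumptions.

```python
"""Minimal SIEM-style correlation over Windows Security logon events.

The events below are constructed for illustration and are not real telemetry.
Event IDs 4625 (failed logon) and 4624 (successful logon) and logon_type follow
the Windows Security log schema; "src"/"host" field names are assumed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Six failures then a success from one source against DC01 (constructed)
    *[{"ts": f"2024-03-01T02:00:{i:02d}", "event_id": 4625, "user": "jdoe",
       "src": "10.0.5.23", "host": "DC01", "logon_type": 3} for i in range(1, 7)],
    {"ts": "2024-03-01T02:00:40", "event_id": 4624, "user": "jdoe",
     "src": "10.0.5.23", "host": "DC01", "logon_type": 3},
    # The same account then reaches three more hosts over the network
    {"ts": "2024-03-01T02:03:10", "event_id": 4624, "user": "jdoe",
     "src": "10.0.5.23", "host": "FS01", "logon_type": 3},
    {"ts": "2024-03-01T02:05:22", "event_id": 4624, "user": "jdoe",
     "src": "10.0.5.23", "host": "HR02", "logon_type": 3},
    {"ts": "2024-03-01T02:07:05", "event_id": 4624, "user": "jdoe",
     "src": "10.0.5.23", "host": "FIN03", "logon_type": 10},
    # Benign noise: one typo then success, interactive logon on the user's own PC
    {"ts": "2024-03-01T08:31:00", "event_id": 4625, "user": "asmith",
     "src": "10.0.7.8", "host": "WS-ASMITH", "logon_type": 2},
    {"ts": "2024-03-01T08:31:09", "event_id": 4624, "user": "asmith",
     "src": "10.0.7.8", "host": "WS-ASMITH", "logon_type": 2},
]

NETWORK_LOGON_TYPES = {3, 10}  # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)


def parse_events(raw):
    """Convert ISO timestamps to datetime objects and sort chronologically."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """ATT&CK T1110: at least `threshold` failed logons for one (user, src)
    pair inside `window`, followed by a success from the same pair.
    Emits one alert per pair, on the first qualifying success."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent 4625s
    alerts, alerted = [], set()
    for e in events:
        key = (e["user"], e["src"])
        if e["event_id"] == 4625:
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
            failures[key].append(e["ts"])
        elif e["event_id"] == 4624 and key not in alerted:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"technique": "T1110", "user": e["user"],
                               "src": e["src"], "host": e["host"],
                               "failures": len(recent), "ts": e["ts"]})
                alerted.add(key)
    return alerts


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=15)):
    """ATT&CK T1021: one account performing network/RDP logons to at least
    `min_hosts` distinct hosts within `window`. One alert per account."""
    logons = defaultdict(list)     # user -> [(ts, host)] of recent network logons
    alerts, alerted = [], set()
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] not in NETWORK_LOGON_TYPES:
            continue
        u = e["user"]
        logons[u] = [(t, h) for t, h in logons[u] if e["ts"] - t <= window]
        logons[u].append((e["ts"], e["host"]))
        hosts = {h for _, h in logons[u]}
        if len(hosts) >= min_hosts and u not in alerted:
            alerts.append({"technique": "T1021", "user": u,
                           "hosts": sorted(hosts), "ts": e["ts"]})
            alerted.add(u)
    return alerts


def run_correlation(raw):
    """Run both searches over raw events; returns the combined alert list."""
    events = parse_events(raw)
    return detect_brute_force(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run_correlation(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input, `jdoe` produces a T1110 alert (six failures then a success from 10.0.5.23) and a T1021 alert once the account has logged on to DC01, FS01 and HR02 within fifteen minutes, while `asmith`'s single mistyped password produces nothing. In a production SIEM the same two searches would normally be chained so that the brute-force alert raises the priority of any subsequent lateral movement by the same account, which is the "respond before an attacker locates a sensitive target" window the list above refers to.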
Top 5 MDR Use Cases
While every organisation faces different priority threats, there are a number of common threats that most organisations can use MDR to address. These include, but are not limited to:
- Ransomware
- Cloud compromise
- Endpoint compromise
- Insider Threats
- APT/Zero-day attacks
Ransomware
MDR helps address ransomware attacks by spotting the early signs of an intrusion. A remote SOC team can identify an intruder moving laterally, establishing C&C communication or exfiltrating data, and respond immediately to protect systems before the attacker has a chance to encrypt your data.
With ransomware being such a major threat, the ability to detect and respond to the early signs of intrusion can be the difference between having your data encrypted or not.
Cloud Compromise
Another valuable use case offered by MDR is the detection and remediation of cloud compromise incidents. Many in-house security teams find it difficult to manage cloud compromise incidents like cloud account compromise and cloud infrastructure modification because these attacks require specialist knowledge to address.
Securing the cloud is a challenge for organisations because threat actors will not only target employees with phishing attempts and credential stuffing to gain access to their online accounts, but they will also modify infrastructure like compute instances, virtual machines, and snapshots to harvest data from the network and the cloud.
Misconfigurations also amplify the difficulty of protecting the cloud. For example, 93% of organisations have misconfigured cloud storage services, leaving valuable information exposed for attackers to access.
MDR enables organisations to combat cloud compromise by providing security teams with guidance from cyber security specialists who advise on configuring the cloud securely and who identify malicious activity like credential access, policy violations, and data exfiltration so it can be shut down before massive data loss.
Endpoint Compromise
As more workers moved outside of the office during the Covid-19 pandemic, they moved beyond the defences of the traditional perimeter network, which means more hackers are targeting remote endpoints to gain access to sensitive data.
Hackers routinely target employees with phishing scams and social engineering attempts to manipulate the user into downloading malware that executes malicious code, enabling the attacker to gain persistence and credential access on that device.
The end goal of endpoint compromise is to turn that device into a remote access point from which the attacker can connect to the organisation's network and on to other systems holding valuable data.
MDR services defend organisations against endpoint compromise by providing them with real-time detection and containment of infected endpoints. A remote team can monitor malware alerts on a SOAR platform to identify infected endpoints and implement rapid containment actions when required.
Insider Threats
Insider threats, something that many organisations are exposed to, come in various forms, from employees to ex-employees, contractors, business associates, and anyone who has access to insider information on the organisation’s security practices, data, and internal systems.
Malicious insider threats are particularly dangerous as most organisations are unsure how to prevent them. In fact, research shows that over half of companies find it impossible or very difficult to prevent insider attacks.
This is a problem when we consider that the privileged access of many insider threats gives them access to steal confidential or commercially valuable information and intellectual property and the opportunity to sabotage computer systems.
An MDR service can decrease the risk of insider threat breaches by maintaining user watchlists that detail the names and usernames of high-risk employees, such as those who have given notice or are considered a potential risk to the business. It can also monitor for anomalous behaviour or policy violations, making it easier to detect malicious activity as early as possible.
APT/Zero-day Attacks
One of the most important capabilities offered by MDR is the ability to detect and contain attacks launched by Advanced Persistent Threat (APT) actors. APTs are highly complex, coordinated and prolonged campaigns, typically directed against government organisations, defence contractors, financial services, and large enterprises that hold high-value information.
Many APTs are state-sponsored, and most in-house security teams struggle to defend against these attacks because of the advanced techniques used to break into networks. For instance, the attackers will attempt to achieve and maintain ongoing access to a target network while using obfuscation techniques to avoid detection.
Evading detection increases their dwell time in the network, giving them ample time to identify and steal as much valuable data as possible.
MDR helps organisations defend against APTs by providing them with instant support from cyber security specialists who are familiar with the types of exploit APTs use and know how to identify and investigate them. These specialists have access to advanced behavioural and anomaly-based detection techniques that help detect and contain APTs faster than would otherwise be the case.
Mitigate the Threats Most Relevant to Your Environment
MDR provides organisations with all the support they need to tackle some of the most pervasive modern threats in a way that’s cost-effective. With Integrity360’s MDR service, you can receive on-demand support to help you detect and respond.
Want to find out more about what priority risks our MDR service can help your organisation mitigate? Contact us today.