September 19, 2022 - EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources. Let’s dive into the basics of three common detection and response solutions.
When you hear the words “cyber threat hunting”, you just may picture an elite team of security professionals scouring your systems for malware. Sounds like something only huge businesses or nation states would need to do, right?
Not quite. Threat hunting is just as essential for small-and-medium-sized businesses as it is for larger organizations—for the simple reason that threat actors see SMBs as an easy way to make a quick buck.
Cybercriminals know that most SMBs don’t have the budget for robust cybersecurity technology or seasoned security professionals. And when hackers attack, it stings: In 2021, the average cost of a data breach for businesses with less than 500 employees was $2.98 million.
Threat hunting can weed out malware before anything bad like a data breach can happen. Unfortunately, cyber threat hunting is more difficult for SMBs to do than it is for large organizations due to the aforementioned resource constraints. That’s where Managed Detection and Response (MDR) can help.
In this article, we’ll review what MDR and threat hunting are, and how exactly MDR can help SMBs with cyber threat hunting.
Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days.
By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23% of intrusions lead to ransomware, 29% to data theft, and 30% to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.
Threat hunting is all about nipping these sorts of stealthy attackers in the bud. And not only dormant attackers, but dormant malware too.
Threat hunting arrived on the scene as an important security practice with the increased prevalence of unidentifiable or highly-obfuscated threats—those that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”
The bad news for SMBs: Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC). That’s where MDR comes in.
Managed Detection and Response, or MDR, is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack. Using a combination of Endpoint Detection and Response (EDR) technology and human-delivered security expertise, an MDR service provides advanced attack prevention, detection, and remediation, as well as targeted and risk-based threat hunting.
The core service capabilities of MDR include:
24x7 monitoring of an organization’s environment for threats.
Threat detection, alerting, and response from highly experienced security analysts.
Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.
Proactive cyber threat hunting based on past (and newly reported) indicators of compromise (IOCs)
So, as you can see, MDR is much, much more than just threat hunting.
While it’s technically possible for SMBs to build out their own MDR program in-house, doing so is a time, expense, and effort equivalent to starting an entirely new IT security department. You’ll need to build out your own SOC facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on. That’s why many SMBs opt to outsource their MDR to a service provider.
In short, MDR is a service designed to protect an organization’s data and assets, even if a threat eludes EDR security detection. Outsourcing your MDR alleviates the capital expenditures (CapEx) of purchasing a SIEM or other security tools and gives SMBs fast time-to-market to immediately address your organization’s security needs.
Now, let’s bring this thing full circle: what does threat hunting for SMBs look like as a managed service?
Threat hunting typically includes two essential functions in the delivery of MDR services. The first one is research-based threat hunting where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services.
“Let’s say we get our intelligence and it says listen, if you see these five files with this hash, it's most likely this attack. Because we understand the tools, tactics, and motives of the adversary, we can say oh, look, we just found one of those five files,” says Bob Shaker, VP, Managed Services at Malwarebytes.
“We know they're trying to steal certain types of data. I'm gonna go look and see if that data is being exfiltrated. And there it is. There's a folder created and all the data is being copied into this folder. This is that attack.”
The second approach is active threat hunting, where security analysts systematically review your organization’s environment to uncover any current suspicious activity or newly emerging IOCs that are in progress.
Shaker explains this second approach: “Here’s how it works: Intelligence and data comes into the MDR team. The team creates playbooks that execute against the customers’ environment, looking at the EDR data that's been collected for one of those indicators of compromise.”
“When an IOC is found in the EDR data, the analyst takes the next step to investigate wherever it was found to determine if it's an attack or not. If not, they mark it as a false positive. And if it is, they take whatever the appropriate steps are that the customer allows them to take. Then they notify the customer with potential remediation actions, such as deletion, quarantine, blocking, and the customer chooses.”
Shaker further notes that, if a threat slips through the cracks of your MDR provider and an attack is successful, then there’s nothing your MDR can do anymore. The point of MDR is to do everything it can to stop the threat at the point of attack: after that, your incident response company takes over.
Threat hunting is essential for small-and-medium-sized businesses, as attackers can potentiall remain undetected for over two weeks after compromising a network.
Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. In this article, we’ve outlined how outsourcing your threat hunting to an MDR service can help.
Want to learn more about MDR and threat hunting? Check out the resources below.