Cyberattacks: Threat Hunters Conquer Unpredictability with 3 Measures
an attack, and from there determining TTPs and attacker profiles.
The job of a threat hunter is to monitor a client’s environment 24/7, constantly on the lookout for new processes or commands that not only look out of place in the environment but may also be telltale signs of a breach in progress.
- Separate legitimate tools from illegitimate uses.
Attackers often co-opt legitimate tools or files for nefarious purposes. These may include command and recon tools like ADFind or Nltest, or living-off-the-land applications. Threat hunters can’t simply terminate these files or processes each time they appear, because they’re native to the operating system and are frequently used by system admins for legitimate and essential purposes. So the job becomes not squashing every instance of ADFind or Nltest, but telling the difference between when they’re fulfilling their genuine purpose and when attackers are using them to essentially “case” a client’s network in the run-up to a breach.
One notable example occurred just last year, when the Sophos Managed Threat Response (MTR) team was asked to intervene for an organization hit by a ransomware attack launched by Maze, who were demanding a $15 million ransom from the company. Our investigation revealed that Maze was able to breach this organization’s environment by illegitimately using a series of legitimate tools, namely Advanced IP Scanner, Remote Desktop Protocol, WinRAR, 7-Zip, and Total Commander. It isn’t reasonable to expect clients’ system admins to block these programs across the board, because they’re necessary, and inherently harmless, tools for running a network. That Maze was able to co-opt these tools for their own ends is proof not that these programs must be eliminated, but that MSPs need to broaden their understanding of suspicious activity to include behavior from seemingly normal sources.
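The two passages above make the same point: the tool name alone (ADFind, Nltest, an archiver, a file manager) says nothing, and the hunter has to judge context. The following is an added example, not code from the original post or from Sophos, of how that judgement can be expressed as scoring rules over process-creation telemetry. It assumes a log format of pipe-separated fields, a constructed baseline of which users normally run which tools on which hosts, and constructed sample events; the tool lists, the "unusual parent" list, the weights and the alert threshold are all assumptions for illustration. The same tool is scored as benign when an admin runs it from a workstation where it is baselined, and as suspicious when it turns up off-hours on a finance PC, is launched by an unexpected parent, is one of several recon tools in a short burst, or is an archiver run right after recon (the staging pattern the Maze case describes).

```python
import json
from datetime import datetime, timedelta

# Tools named on the page, split by the role they play. These sets are an
# assumption for this example, not a Sophos detection rule.
RECON_TOOLS = {"adfind.exe", "nltest.exe", "advanced_ip_scanner.exe"}
STAGING_TOOLS = {"winrar.exe", "7z.exe", "totalcmd.exe"}
# Parent processes that rarely launch admin recon interactively (assumption).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                   "mshta.exe", "rundll32.exe"}
WINDOW = timedelta(minutes=10)   # burst / staging correlation window
ALERT_THRESHOLD = 4

# Constructed baseline: which (user, host) pairs are known to run which tools.
BASELINE = {
    ("CORP\\admin.jsmith", "ADMIN-WS01"): {"adfind.exe", "nltest.exe"},
}

# Constructed process-creation telemetry: ts|host|user|image|parent|cmdline
SAMPLE_LOG = """\
2021-03-02T10:05:00|ADMIN-WS01|CORP\\admin.jsmith|adfind.exe|cmd.exe|adfind.exe -f objectcategory=computer
2021-03-02T10:07:00|ADMIN-WS01|CORP\\admin.jsmith|nltest.exe|cmd.exe|nltest /dclist:corp
2021-03-02T10:30:00|FIN-PC07|CORP\\a.lee|notepad.exe|explorer.exe|notepad.exe budget.txt
2021-03-02T23:12:00|FIN-PC07|CORP\\a.lee|adfind.exe|cmd.exe|adfind.exe -f objectcategory=computer
2021-03-02T23:14:00|FIN-PC07|CORP\\a.lee|nltest.exe|cmd.exe|nltest /dclist:corp
2021-03-02T23:16:00|FIN-PC07|CORP\\a.lee|advanced_ip_scanner.exe|rundll32.exe|advanced_ip_scanner.exe /portable
2021-03-02T23:24:00|FIN-PC07|CORP\\a.lee|7z.exe|cmd.exe|7z.exe a finance.7z C:\\Shares\\Finance
"""


def parse_event(line):
    """Parse one pipe-separated telemetry line into a dict."""
    ts, host, user, image, parent, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.lower(), "parent": parent.lower(), "cmdline": cmdline}


def score_events(lines, baseline=BASELINE):
    """Score each recon/staging tool execution by context; return alerts."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = {}    # (user, host) -> earlier monitored events, for correlation
    alerts = []
    for ev in events:
        if ev["image"] not in RECON_TOOLS | STAGING_TOOLS:
            continue                      # not a tool we care about
        key = (ev["user"], ev["host"])
        window = [e for e in recent.get(key, []) if ev["ts"] - e["ts"] <= WINDOW]
        reasons = []
        # 1. Same tool, unexpected operator or machine.
        if ev["image"] not in baseline.get(key, set()):
            reasons.append(("tool not in baseline for this user/host", 3))
        # 2. Launched by something an admin would not type into.
        if ev["parent"] in UNUSUAL_PARENTS:
            reasons.append((f"launched from unusual parent {ev['parent']}", 3))
        # 3. Outside business hours (Mon-Fri 08:00-18:00, assumed).
        if ev["ts"].weekday() >= 5 or not 8 <= ev["ts"].hour < 18:
            reasons.append(("outside business hours", 1))
        # 4. Burst of distinct recon tools, or archiver right after recon.
        recon_seen = {e["image"] for e in window if e["image"] in RECON_TOOLS}
        if ev["image"] in RECON_TOOLS:
            recon_seen.add(ev["image"])
            if len(recon_seen) >= 3:
                reasons.append((f"{len(recon_seen)} distinct recon tools within {WINDOW}", 2))
        elif recon_seen:
            reasons.append(("archiver/file manager run shortly after recon", 2))
        score = sum(weight for _, weight in reasons)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                           "user": ev["user"], "image": ev["image"],
                           "score": score, "reasons": [r for r, _ in reasons]})
        recent.setdefault(key, []).append(ev)
    return alerts


if __name__ == "__main__":
    for alert in score_events(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

On the constructed log, the admin's ADFind and Nltest runs produce no alert, while the four off-hours executions on FIN-PC07 score 4, 4, 9 and 6: the scanner launched from rundll32.exe as the third recon tool in ten minutes scores highest, and the archiver following it is flagged for the staging pattern rather than for being 7-Zip. In practice the baseline would be learned from weeks of telemetry rather than typed in, and the weights tuned against the client's own false-positive rate.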
MSPs can inject predictability into threat hunting with Sophos MTR and Rapid Response.
Sophos MTR and Sophos Rapid Response provide the measures that MSPs and threat hunters need to conquer unpredictability.
These first-in-the-industry offerings build on traditional endpoint detection and response, putting forward lightning-fast response efforts that marry the expertise of human-led threat hunting teams with the 24/7 monitoring needed to get ahead of would-be attackers and flush out cyber adversaries from a client’s network. The combined speed and effectiveness of Sophos MTR and Rapid Response ensure that both MSPs and their clients thwart attackers, minimize damage and costs, and accelerate recovery time to get back to normal as quickly as possible. That’s predictability that both threat hunters and their customers should be able to count on.
This guest blog is part of a Channel Futures sponsorship.