Why Threat Hunting is Crucial to a Managed Detection and Response Service

Managed detection and response (MDR) is justifiably one of the fastest-growing areas of cybersecurity, with Gartner estimating 50 percent of organizations will be using MDR services by 2025. But in choosing an MDR service, security pros should take into consideration what kind of expertise the provider can bring to bear – and how that expertise should extend beyond the MDR service itself.

Fundamentally, MDR helps companies deal with the onslaught of alarms and alerts generated by their endpoint detection and response (EDR) platforms, security information and event management (SIEM) systems, and other security tools. MDR is growing in popularity because most firms simply don’t have the capacity or expertise to properly vet each alert, determine which represent real threats vs. false positives, and respond appropriately.

But how effective an MDR provider is at the job of vetting alerts may vary widely, depending on the resources at its disposal and the expertise of its personnel. The best MDR providers have a comprehensive threat intelligence database that includes proprietary and third-party intelligence. When an alert comes in, they can check that database to see if it’s something they’ve seen before. In that fashion, the provider can rapidly dismiss the huge number of false positive threats and quickly home in on the credible ones.

Threat Hunting: a Great Complement to MDR

It’s crucial for MDR providers to maintain a quality threat database, with the most up-to-date information possible. And doing that requires a research organization dedicated to the task and a team of threat hunters who actively search for threats in user environments.

From the customer perspective, to get the best possible cyber protection from an MDR service, it makes sense to partner with a provider with deep threat hunting capabilities.

Two Types of Threat Hunting

Here again, not all threat hunting services are equal. For the purposes of this post, we’ll look at two main types: those that can detect known indicators of compromise (IOCs) and the more advanced version that can discover active threats based on clues left behind by an attacker’s specific behavior within a network – also known as indicators of behavior.

When security vendors talk about threat hunting, you’ll find they often refer to an automated service based solely on IOCs. This is not entirely different from the signature-based approach used by endpoint detection and antivirus software. An automated threat hunting tool systematically scans your environment, looking for predefined indicators of an attack. While this can be a valuable exercise that is sometimes fruitful, it is not a thorough threat hunt. A threat hunt team must look for more than just existing, known IOCs. For example, attackers who infiltrate your network through a phishing attack or with otherwise stolen credentials may leave no such indicators behind.

Identifying Threats Through Indicators of Behavior

Once inside your network, these adversaries may linger for weeks as they move about, looking to exfiltrate your sensitive data, initiate ransomware, or launch other types of attacks.

Hunting down these bad actors requires the ability to identify the tell-tale signs that a threat actor is in your network, meaning indicators of behavior. Relying purely on an automated system to conduct a hunt is a mistake. To get the best results, these hunts should be led by an experienced and well-trained security professional with specific expertise in threat hunting.

Threat hunters leverage EDR platforms, customized tools, and various frameworks such as MITRE ATT&CK to identify indicators of behavior. The MITRE ATT&CK Framework is a catalog of the tactics, techniques, and procedures (TTPs) used by threat groups and is a powerful resource that is used daily by the Trustwave SpiderLabs Threat Hunt team.

What makes threat hunters so effective is that they understand how intruders think and move about in a network. They can distinguish normal from anomalous behavior and, aided by proprietary tools, assess large amounts of data. Ultimately, they discover security gaps before attackers exploit them and identify active attacks that EDRs and other security tools often miss.

In the process, threat hunters will take their new findings and create new indicators of compromise to add to the threat intelligence database. In that sense, an MDR provider with advanced threat hunting capabilities and a dedicated team of threat hunters benefits all of its MDR customers.

To learn more, check out the 2023 Gartner Market Guide for MDR. You can also visit our threat hunting page, which includes an overview of the topic and an e-book that describes what Trustwave SpiderLabs brings to bear on the topic, including deep research into cyber threats.
