Trustwave Blog

Why Threat Hunting is Crucial to a Managed Detection and Response Service | Trustwave

Apr 7, 2023

Managed detection and response (MDR) is justifiably one of the fastest-growing areas of cybersecurity, with Gartner estimating 50 percent of organizations will be using MDR services by 2025. But in choosing an MDR service, security pros should take into consideration what kind of expertise the provider can bring to bear – and how that expertise should extend beyond the MDR service itself.

Fundamentally, MDR helps companies deal with the onslaught of alarms and alerts generated by their endpoint detection and response (EDR) platforms, security information and event management (SIEM) systems, and other security tools. MDR is growing in popularity because most firms simply don’t have the capacity or expertise to properly vet each alert, determine which represent real threats vs. false positives, and respond appropriately.

But how effective an MDR provider is at the job of vetting alerts may vary widely, depending on the resources at its disposal and the expertise of its personnel. The best MDR providers have a comprehensive threat intelligence database that includes proprietary and third-party intelligence. When an alert comes in, they can check that database to see if it’s something they’ve seen before. In that fashion, the provider can rapidly dismiss the huge number of false positive threats and quickly home in on the credible ones.

Threat Hunting: a Great Complement to MDR

It’s crucial for MDR providers to maintain a quality threat database, with the most up-to-date information possible. And doing that requires a research organization dedicated to the task and a team of threat hunters who actively search for threats in user environments.

From the customer perspective, to get the best possible cyber protection from an MDR service, it makes sense to partner with a provider with deep threat hunting capabilities.

Two Types of Threat Hunting

Here again, not all threat hunting services are equal. For the purposes of this post, we’ll look at two main types: those that can detect known indicators of compromise (IOCs) and the more advanced version that can discover active threats based on clues left behind by an attacker’s specific behavior within a network – also known as indicators of behavior.

When security vendors talk about threat hunting, you’ll find they often refer to an automated service based solely on IOCs. This is not entirely different from the signature-based approach used by endpoint detection and antivirus software. An automated threat hunting tool systematically scans your environment, looking for predefined indicators of an attack. While this can be a valuable exercise that is sometimes fruitful, it is not a thorough threat hunt. A threat hunt team must look for more than just existing, known IOCs. For example, attackers who infiltrate your network through a phishing attack or with otherwise stolen credentials may leave no such indicators behind.

Identifying Threats Through Indicators of Behavior

Once inside your network, these adversaries may linger for weeks as they move about, looking to exfiltrate your sensitive data, initiate ransomware, or launch other types of attacks.

Hunting down these bad actors requires the ability to identify the tell-tale signs that a threat actor is in your network, meaning indicators of behavior. To get the best results, it is a mistake to rely purely on an automated system to conduct a hunt. These hunts should be human-led by an experienced and well-trained security professional with specific expertise in threat hunting.

Threat hunters leverage EDR platforms, customized tools, and various frameworks such as MITRE ATT&CK to identify indicators of behavior. The MITRE ATT&CK Framework is a catalog of the tactics, techniques, and procedures (TTPs) used by threat groups and is a powerful resource that is utilized daily by the Trustwave SpiderLabs Threat Hunt team.

What makes threat hunters so effective is that they understand how intruders think and move about in a network. They can distinguish normal from anomalous behavior and, aided by proprietary tools, assess large amounts of data. Ultimately, they discover security gaps before attackers exploit them and identify active attacks that EDRs and other security tools often miss.

In the process, threat hunters will take their new findings and create new indicators of compromise to add to the threat intelligence database. In that sense, an MDR provider with advanced threat hunting capabilities and a dedicated team of threat hunters benefits all of its MDR customers.
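As an added illustration of the contrast drawn above (example code, not from the post or from Trustwave), the following Python runs two checks over a constructed authentication log: an IOC lookup against a known-bad IP list, and a behavioural check for one account logging on to an unusual number of hosts in a short window, the kind of trace a stolen-credential intrusion leaves even when no IOC matches. All users, hosts, addresses and thresholds are constructed, and the last step shows the feedback loop of turning a behavioural finding into a new IOC for the database.

```python
# Added example, not Trustwave's code. Every value below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: "<timestamp> <user> <src_ip> <dst_host> <event>".
# jdoe's evening logons come from an address that is NOT in the IOC list.
SAMPLE_LOG = [
    "2023-04-07T09:00:00 jdoe 10.1.1.20 FS01 logon",
    "2023-04-07T09:01:10 jdoe 10.1.1.20 FS01 file_read",
    "2023-04-07T10:05:00 asmith 203.0.113.9 FS01 logon",
    "2023-04-07T21:15:00 jdoe 198.51.100.77 FS01 logon",
    "2023-04-07T21:16:30 jdoe 198.51.100.77 DC01 logon",
    "2023-04-07T21:17:05 jdoe 198.51.100.77 SQL02 logon",
    "2023-04-07T21:18:40 jdoe 198.51.100.77 HR-WS7 logon",
    "2023-04-07T21:20:00 jdoe 198.51.100.77 FIN-WS3 logon",
]

# Constructed IOC database: 203.0.113.9 stands in for a previously seen bad IP.
KNOWN_BAD_IPS = {"203.0.113.9"}

def parse(line):
    ts, user, src, dst, event = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "event": event}

def ioc_hits(events, bad_ips):
    """Signature-style check: flag only events whose source IP is a known IOC."""
    return [e for e in events if e["src"] in bad_ips]

def lateral_movement_hits(events, max_hosts=3, window=timedelta(minutes=10)):
    """Behavioural check: one account logging on to more than max_hosts distinct
    hosts inside a sliding time window, whether or not the source IP is known."""
    logons = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "logon":
            logons[e["user"]].append(e)
    findings = []
    for user, evs in logons.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            hosts = {x["dst"] for x in in_window}
            if len(hosts) > max_hosts:
                findings.append({"user": user, "src": start["src"],
                                 "hosts": sorted(hosts)})
                break  # one finding per account is enough for triage
    return findings

def hunt(log_lines, bad_ips):
    """Run both checks; derive new IOCs from behavioural findings (the feedback step)."""
    events = [parse(line) for line in log_lines]
    ioc, behav = ioc_hits(events, bad_ips), lateral_movement_hits(events)
    new_iocs = {f["src"] for f in behav} - bad_ips
    return ioc, behav, new_iocs
```

The IOC pass flags only the address already in the database and says nothing about jdoe; the behavioural pass surfaces jdoe's burst of logons and yields the attacker's source address as a candidate IOC for the next run.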

To learn more, check out the 2023 Gartner Market Guide for MDR. You can also visit our threat hunting page, which includes an overview of the topic and an e-book that describes what Trustwave SpiderLabs brings to bear on the topic, including deep research into cyber threats.