Cyber threat hunting for SMBs: How MDR can help
When you hear the words "cyber threat hunting", you may picture an elite team of security professionals scouring your systems for malware. Sounds like something only huge businesses or nation states would need to do, right?
Not quite. Threat hunting is just as essential for small and medium-sized businesses (SMBs) as it is for larger organizations, for the simple reason that threat actors see SMBs as an easy way to make a quick buck.
Cybercriminals know that most SMBs don't have the budget for robust cybersecurity technology or seasoned security professionals. And when attackers strike, it stings: in 2021, the average cost of a data breach for businesses with fewer than 500 employees was $2.98 million.
Threat hunting can weed out malware and dormant intruders before anything bad, like a data breach, can happen. Unfortunately, threat hunting is harder for SMBs than for large organizations because of those same resource constraints. That's where Managed Detection and Response (MDR) can help.
In this article, we'll review what MDR and threat hunting are, and how exactly MDR can help SMBs with cyber threat hunting.
What is cyber threat hunting?
Consider that when a threat actor breaches a target network, they usually don't attack right away. The median time between system compromise and detection is 21 days.
By then it's often too late: data has been harvested or ransomware has been deployed. In fact, 23% of intrusions lead to ransomware, 29% to data theft, and 30% to exploit activity, where adversaries use vulnerabilities to initiate further intrusions.
Threat hunting is all about nipping these stealthy attackers in the bud, and not only dormant attackers but dormant malware too.
Threat hunting emerged as an important security practice with the increased prevalence of hard-to-identify or heavily obfuscated threats: those that quietly lurk in the network, siphoning off confidential data and searching for the credentials that unlock the "keys to the kingdom."
The bad news for SMBs: manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with a mature cybersecurity program and a well-staffed security operations center (SOC). That's where MDR comes in.
What is MDR?
Managed Detection and Response, or MDR, is a service that provides around-the-clock monitoring of an organization's environment for signs of a cyberattack. Combining Endpoint Detection and Response (EDR) technology with human security expertise, an MDR service provides attack prevention, detection, and remediation, as well as targeted, risk-based threat hunting.
The core service capabilities of MDR include:
- 24×7 monitoring of an organization's environment for threats.
- Threat detection, alerting, and response from experienced security analysts.
- Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.
- Proactive cyber threat hunting based on past (and newly reported) indicators of compromise (IOCs).
So, as you can see, MDR is much, much more than just threat hunting.
While it's technically possible for SMBs to build their own MDR program in-house, doing so takes the time, expense, and effort of standing up an entirely new IT security department. You'll need to build out your own SOC facilities, hire a minimum of five full-time analysts to provide 24/7 coverage, and so on. That's why many SMBs opt to outsource MDR to a service provider.
In short, MDR is a service designed to protect an organization's data and assets even when a threat eludes EDR detection. Outsourcing MDR avoids the capital expenditure (CapEx) of purchasing a SIEM or other security tooling and gives SMBs a fast path to addressing their security needs.
Cyber threat hunting and MDR
Now, let's bring this full circle: what does threat hunting for SMBs look like as a managed service?
Threat hunting typically comprises two essential functions in the delivery of MDR services. The first is research-based threat hunting, where security analysts look, or "hunt," for known attackers or adversary behaviors listed in threat intelligence feeds.
"Let's say we get our intelligence and it says listen, if you see these five files with this hash, it's most likely this attack. Because we understand the tools, tactics, and motives of the adversary, we can say oh, look, we just found one of those five files," says Bob Shaker, VP, Managed Services at Malwarebytes.
"We know they're trying to steal certain types of data. I'm gonna go look and see if that data is being exfiltrated. And there it is. There's a folder created and all the data is being copied into this folder. This is that attack."
The second approach is active threat hunting, where security analysts systematically review your organization's environment to uncover current suspicious activity or newly emerging IOCs.
Shaker explains this second approach: "Here's how it works: intelligence and data come into the MDR team. The team creates playbooks that execute against the customers' environment, looking at the EDR data that's been collected for one of those indicators of compromise."
"When an IOC is found in the EDR data, the analyst takes the next step to investigate wherever it was found to determine if it's an attack or not. If not, they mark it as a false positive. And if it is, they take whatever appropriate steps the customer allows them to take. Then they notify the customer with potential remediation actions, such as deletion, quarantine, blocking, and the customer chooses."
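The two hunts Shaker describes, the research-based hash match (the "five files with this hash" example above) and the playbook that runs indicators against collected EDR data and then grades what it finds, can be sketched in code. The following is an added example written for this article; it is not Malwarebytes code and not a real MDR playbook. The telemetry records, the intel feed, the campaign name and the field names (host, event, path, sha256) are all constructed for illustration, and the hashes are derived from placeholder strings rather than real samples.

```python
"""IOC-driven hunt over EDR telemetry (added example, hypothetical schema).

Assumptions (not from the article): telemetry is a list of dict records with
host/event/path/sha256 fields; the intel feed is a dict of known tool hashes
plus a staging directory; remediation is listed, never executed.
"""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used only to build constructed hashes."""
    return hashlib.sha256(data).hexdigest()


# Constructed threat-intel feed for a hypothetical campaign: hashes of the
# tools the adversary drops, plus the folder it is known to stage data in.
INTEL_FEED = {
    "campaign": "hypothetical-campaign",
    "file_hashes": {
        sha256_hex(b"constructed: loader"): "loader.exe",
        sha256_hex(b"constructed: credential dumper"): "cred_dump.exe",
    },
    "staging_dirs": ["C:\\ProgramData\\sync\\"],
}

# Constructed EDR telemetry records. A real export carries many more fields;
# these are the ones the hunt needs. ws-01 shows both indicators, ws-03 only
# a write to the staging folder, ws-02 nothing of interest.
TELEMETRY = [
    {"host": "ws-01", "ts": 1, "event": "file_create",
     "path": "C:\\Users\\amy\\loader.exe",
     "sha256": sha256_hex(b"constructed: loader").upper()},  # feeds differ in case
    {"host": "ws-01", "ts": 2, "event": "file_create",
     "path": "C:\\ProgramData\\sync\\finance.zip",
     "sha256": sha256_hex(b"constructed: finance archive")},
    {"host": "ws-02", "ts": 3, "event": "file_create",
     "path": "C:\\Users\\bob\\report.docx",
     "sha256": sha256_hex(b"constructed: report")},
    {"host": "ws-03", "ts": 4, "event": "file_create",
     "path": "C:\\ProgramData\\sync\\backup.log",
     "sha256": sha256_hex(b"constructed: backup log")},
]


def hash_hits(telemetry, intel):
    """Research-based hunt: records whose file hash is in the intel feed."""
    known = {h.lower(): name for h, name in intel["file_hashes"].items()}
    hits = []
    for rec in telemetry:
        tool = known.get(rec.get("sha256", "").lower())
        if tool:
            hits.append({"host": rec["host"], "path": rec["path"], "tool": tool})
    return hits


def staging_hits(telemetry, intel):
    """Behavioural indicator: files created under a known staging directory."""
    prefixes = tuple(d.lower() for d in intel["staging_dirs"])
    return [{"host": r["host"], "path": r["path"]}
            for r in telemetry
            if r["event"] == "file_create" and r["path"].lower().startswith(prefixes)]


def run_playbook(telemetry, intel):
    """Active hunt: apply the indicators per host and grade the evidence.

    Two corroborating indicators on one host -> 'likely_attack'; a single one
    -> 'investigate' (an analyst decides whether it is a false positive);
    hosts with no indicator are omitted. Remediation options are only listed,
    because in the MDR model the customer chooses what is applied.
    """
    by_host = defaultdict(lambda: {"tools": [], "staged": []})
    for h in hash_hits(telemetry, intel):
        by_host[h["host"]]["tools"].append(h)
    for s in staging_hits(telemetry, intel):
        by_host[s["host"]]["staged"].append(s)
    verdicts = {}
    for host, ev in by_host.items():
        if ev["tools"] and ev["staged"]:
            verdicts[host] = {"verdict": "likely_attack", "evidence": ev,
                              "remediation_options": ["quarantine", "delete", "block_hash"]}
        else:
            verdicts[host] = {"verdict": "investigate", "evidence": ev,
                              "remediation_options": []}
    return verdicts


if __name__ == "__main__":
    for host, v in run_playbook(TELEMETRY, INTEL_FEED).items():
        print(host, v["verdict"],
              [t["tool"] for t in v["evidence"]["tools"]],
              [s["path"] for s in v["evidence"]["staged"]])
```

Running it flags ws-01 as a likely attack (a known tool hash plus data landing in the adversary's staging folder, the pattern Shaker describes above), hands ws-03 to an analyst because a lone write under the staging directory is as likely a benign sync as the start of an exfiltration, and says nothing about ws-02. Hashes are compared case-insensitively because intel feeds and EDR exports do not agree on case, a common reason a hash match silently fails.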
Shaker further notes that if a threat slips through the cracks of your MDR provider and an attack succeeds, there's nothing your MDR can do anymore. The point of MDR is to do everything it can to stop the threat at the point of attack; after that, your incident response firm takes over.
SMBs need cyber threat hunting, and MDR can help them do it
Threat hunting is essential for small and medium-sized businesses, as attackers can remain undetected for weeks after compromising a network (a median of 21 days, per the figure above).
Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, putting this important practice out of reach for most SMBs. In this article, we've outlined how outsourcing your threat hunting to an MDR service can help.
Malwarebytes MDR is a service that prevents, detects, and responds to ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and "zero-day" unknown threats so you can avoid business disruption and financial loss.