A customer enrolled in our security protection suite clicked on a malicious link. What happened next? Malware opened a command prompt and began running scripts on her machine. This situation could have ended with numerous computers at our client's firm sitting idle with their data encrypted. Fortunately, this customer has Huntress installed on all of their devices. Within minutes, the computer was isolated from the network so it could no longer “call home”, which cut off the threat actor's ability to control the machine while we removed the malware.
The Huntress team reached out and sent our team information about exactly what happened and their recommended approach to remediate the situation. Thanks to Huntress, this customer was protected from an attack that could have been very costly and our team was able to remediate the threat and get our client back to work very quickly.
If you have never heard of Huntress, they are a renowned cybersecurity company with 2.3 million endpoints under management and a team of round-the-clock human analysts who respond to threat reports. The company was founded to bring powerful cybersecurity to small and medium-sized businesses, and its products are licensed per device at prices that are affordable for small organizations.
How does Huntress Managed Detection and Response work?
Persistent Footholds
One of the first things a threat actor will do after successfully phishing a user is to establish a backdoor or persistence mechanism that lets them back into the environment if their initial connection is lost. Once that is in place, they no longer need to exploit a vulnerable user or device; they simply reconnect through the access point they have established.
Here are some examples:
- Modifying startup files or startup folders
- Creating a service on a server or workstation
- Creating a scheduled task
- Modifying registry Run keys
- Giving an existing user admin access
- Creating a new user with an inconspicuous name and granting it admin access
Any of these techniques can be used to reopen access to a compromised system even after it has been rebooted.
The average dwell time before a ransomware attack is 100 days. By monitoring for persistence mechanisms, then closing the backdoors and cleaning up the malware, Huntress stops threat actors during that window, before they trigger ransomware that encrypts data and holds it for ransom.
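As an added illustration (this is not Huntress code, and it is not how their agent works internally), the script below inventories the persistence locations listed above on a single Windows host so that an administrator can snapshot them and diff later snapshots against a known-good baseline. It assumes an elevated Windows PowerShell 5.1 session on a default English install; the registry paths, the `Administrators` group name and the CSV file name are assumptions chosen for this example.

```powershell
# Added example: inventory common Windows persistence locations.
# Not Huntress code; paths and names below are assumptions for a default install.

function Get-PersistenceInventory {
    [CmdletBinding()]
    param()

    $results = New-Object System.Collections.Generic.List[object]

    # 1. Registry Run / RunOnce keys (per-machine and per-user autostarts)
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... properties PowerShell adds itself
                if ($p.Name -notmatch '^PS') {
                    $results.Add([pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Detail = $p.Value })
                }
            }
        }
    }

    # 2. Per-user and all-users Startup folders
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $results.Add([pscustomobject]@{ Type = 'StartupFile'; Name = $_.FullName; Detail = $_.LastWriteTime })
        }
    }

    # 3. Scheduled tasks outside the built-in \Microsoft\ tree
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            $results.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; Detail = $action })
        }

    # 4. Services whose binary lives outside the Windows directory
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        ForEach-Object {
            $results.Add([pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName })
        }

    # 5. Members of the local Administrators group (new or newly elevated accounts)
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
        $results.Add([pscustomobject]@{ Type = 'LocalAdmin'; Name = $_.Name; Detail = $_.PrincipalSource })
    }

    return $results
}

# Usage: take a snapshot now and keep it; later snapshots are diffed against it
$today = Get-PersistenceInventory
$snapshot = Join-Path $env:TEMP "persistence-$(Get-Date -Format yyyyMMdd).csv"   # assumed location
$today | Export-Csv -Path $snapshot -NoTypeInformation
$today | Sort-Object Type, Name | Format-Table -AutoSize

# Diff against an earlier snapshot: only '=>' rows (present now, absent before) need a look
# $previous = Import-Csv -Path <path to an earlier snapshot CSV>
# Compare-Object -ReferenceObject $previous -DifferenceObject $today -Property Type, Name, Detail |
#     Where-Object SideIndicator -eq '=>'
```

The point of the diff is that none of these locations is suspicious on its own; a new Run key, a task outside the Microsoft tree or an extra local administrator that was not there yesterday is what deserves a look. A managed service does this comparison continuously and across every host rather than once a day on one machine.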
Malicious Behavior
Once a threat actor has access, they may use legitimate software and other tools already on the system to accomplish their goals, an approach often called "living off the land". Signature-based anti-virus rarely catches this activity, because the software being used was installed by the organization for business use or ships with the operating system itself. Managed Endpoint Detection and Response instead watches for the way these tools are being used; when suspicious activity is detected, the SOC team investigates the threat and remediates the incident if necessary. A common example of malicious behavior is deleting local backups, such as Volume Shadow Copies, so that files cannot be restored after they are encrypted.
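To make the backup-deletion example concrete, here is an added detection sketch (not Huntress's detection logic) that runs a handful of well-known "living off the land" backup-destruction patterns over process command lines. The sample command lines are constructed for this example; the pattern names, the function name and the hypothetical Sysmon query in the trailing comment are assumptions, not anything from the page.

```powershell
# Added example: flag process command lines that abuse built-in Windows tools to
# destroy local backups or recovery options. Not Huntress code; the patterns are
# generic ransomware precursors and the sample log lines are constructed.

$BackupDestructionPatterns = @(
    @{ Name = 'VSS shadow copy deletion';         Regex = 'vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name = 'VSS storage resize (flushes copies)'; Regex = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' },
    @{ Name = 'WMI shadow copy deletion';         Regex = 'wmic(\.exe)?\s+shadowcopy\s+delete' },
    @{ Name = 'PowerShell shadow copy deletion';  Regex = 'Win32_ShadowCopy.*(Remove-CimInstance|\.Delete\(\))' },
    @{ Name = 'Windows Backup catalog deletion';  Regex = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' },
    @{ Name = 'Recovery environment disabled';    Regex = 'bcdedit(\.exe)?.*recoveryenabled\s+no' },
    @{ Name = 'Boot failures silently ignored';   Regex = 'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures' }
)

function Find-BackupDestruction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $CommandLine
    )
    process {
        foreach ($p in $BackupDestructionPatterns) {
            # -match is case-insensitive by default, which matters for mixed-case tooling
            if ($CommandLine -match $p.Regex) {
                [pscustomobject]@{ Alert = $p.Name; CommandLine = $CommandLine }
                break   # one alert per command line is enough
            }
        }
    }
}

# Constructed sample of process-creation command lines, in the shape you would get
# from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing on
$sample = @(
    'C:\Windows\System32\svchost.exe -k netsvcs -p',
    'vssadmin.exe Delete Shadows /All /Quiet',
    'wmic.exe shadowcopy delete',
    'bcdedit.exe /set {default} recoveryenabled No',
    'wbadmin.exe delete catalog -quiet',
    'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'notepad.exe C:\Users\alice\notes.txt'
)

# Five of the seven lines above should come back flagged; svchost and notepad should not
$sample | Find-BackupDestruction | Format-Table -AutoSize

# Live use on a host with Sysmon installed (assumed log name and event shape):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 500 |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
#         Where-Object Name -eq 'CommandLine' | Select-Object -ExpandProperty '#text' } |
#     Find-BackupDestruction
```

Two caveats a practitioner would add. First, every one of these commands is also run legitimately by backup software and by administrators, so the alert is a reason to look at what ran it and what happened next, not proof of compromise on its own. Second, the attacker controls the command line: quoting, environment-variable expansion and renamed copies of the binaries will slip past simple regexes, which is why behaviour-based monitoring looks at what the process did (the shadow copies are gone) and not only at what it was called.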
Ransomware Canaries
Ransomware canaries are hidden decoy files that no user or legitimate program has any reason to touch. If one of these files is modified, renamed or deleted, it generates an alert that the system's data may be under attack. This gives the SOC team early warning that a ransomware attack is under way, before the rest of the machine's data is encrypted.
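The following is an added example of the canary idea, not Huntress's implementation: it plants a hidden file filled with random bytes in each directory you name, records a SHA-256 hash of it, and on each check reports whether the file has gone missing (deleted, or encrypted and renamed) or been changed in place (encrypted in place). The canary file name, the baseline location under `ProgramData` and the target directory are assumptions for this example.

```powershell
# Added example: plant and check ransomware canary files on one Windows host.
# Not Huntress code; file names and the baseline path are assumptions.

$CanaryBaselinePath = Join-Path $env:ProgramData 'canary-baseline.json'   # assumed location

function New-RansomwareCanary {
    param(
        [Parameter(Mandatory)] [string[]] $TargetDirectory,
        [int] $SizeBytes = 4096
    )
    $baseline = @{}
    foreach ($dir in $TargetDirectory) {
        # A name that sorts near the top of the listing, so malware walking the tree
        # alphabetically encrypts the canary early. Name is an assumption for this example.
        $path = Join-Path $dir '~$aaa_report_backup.docx'

        # Random content: a canary full of zeros would still hash the same after a
        # buggy "encryptor" that only renames, and looks less like a real document
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $bytes = New-Object byte[] $SizeBytes
        $rng.GetBytes($bytes)
        [System.IO.File]::WriteAllBytes($path, $bytes)

        # Hidden + System keeps it out of Explorer and casual directory listings
        (Get-Item -LiteralPath $path -Force).Attributes = [System.IO.FileAttributes]'Hidden, System'

        $baseline[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    $baseline | ConvertTo-Json | Set-Content -Path $CanaryBaselinePath
}

function Test-RansomwareCanary {
    $baseline = Get-Content -Path $CanaryBaselinePath -Raw | ConvertFrom-Json
    $alerts = @()
    foreach ($prop in $baseline.PSObject.Properties) {
        $path = $prop.Name
        if (-not (Test-Path -LiteralPath $path)) {
            # Deleted, or encrypted and renamed with a new extension
            $alerts += [pscustomobject]@{ Canary = $path; Status = 'MISSING' }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $prop.Value) {
            # Overwritten in place (in-place encryption keeps the original name)
            $alerts += [pscustomobject]@{ Canary = $path; Status = 'MODIFIED' }
        }
    }
    return $alerts
}

# Usage: plant once, then run the check on a schedule (every few minutes) and
# treat any result as a reason to isolate the host immediately
New-RansomwareCanary -TargetDirectory "$env:USERPROFILE\Documents"   # assumed target
$hits = Test-RansomwareCanary
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Canary tripped: possible ransomware activity on this host'
} else {
    'Canaries intact'
}
```

A canary only fires once encryption has already started, so its value comes entirely from how quickly something acts on the alert. A scheduled check every few minutes limits the damage to a few minutes of encryption; a managed service that watches the files continuously and isolates the host as soon as one trips, as in the incident described at the top of this post, limits it to seconds.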
By understanding threat actor methods and monitoring an environment for signs that it is under attack, Huntress Managed Endpoint Detection and Response provides strong cybersecurity protection for small and medium-sized organizations. MTSi strongly recommends Huntress not only for its threat monitoring, but also for its fast remediation of the threats it finds.
In addition to Managed Endpoint Detection and Response, Huntress offers Security Awareness Training and Managed Detection and Response for Microsoft 365. These tools are increasingly important as organizations depend more and more on services in the cloud.
If you would like to know more about Huntress offerings, reach out to our sales team.