Blog Posts

‘R’ is for Response—the Key Component to MDR

As I discussed in my previous post, detection is a must. And detection becomes more important by the day when you consider that endpoints are multiplying like tribbles. The use of mobile devices continues to grow as employees throughout your business employ phones and tablets to do everything from sending emails to managing supply chains. Meanwhile, the use of IoT devices continues to grow at a ridiculous rate. According to research firm Gartner, the number of installed IoT units will more than triple from just under 6.4 million units in 2017 to 20,415,400 units in 2020, which means threats can come from just about anywhere.

But detection ultimately is of little value if it isn’t paired with response. In its 2017 Market Guide for Managed Detection and Response Services, Gartner writes that response is “the key element of MDR.”

I sense this point is obvious to most of you reading this, but it wasn’t to a potential client of ours. He interrupted our sales pitch and said straight out: “I don’t understand why I need MDR. Why do I need you to tell me when the cows have run out of the barn?”

I replied: “Well, would you rather know a day after your cows had gotten out of the barn but are still on your property, or would you rather the FBI tell you they came across your cows in a pasture in China and say, ‘Good luck with that.’?"

Why You Can’t Rely on MSSPs

The Gartner report also points out that the tools needed for effective MDR traditionally are beyond the scope of what MSSPs offer their clients.

Such tools include:

  • Endpoint detection and response;
  • Network behavior analysis; and
  • Network forensics tools.

Moreover, Gartner states that while MSSPs typically offer basic detection and alerting services, their customers ultimately are on the hook for supplying additional incident, analysis and associated response activities. At best, this methodology puts a lot of pressure on a client’s security team; at worst, for companies that don’t have dedicated security teams, it may actually increase risk by putting you on notice of threats to which you have no means to respond.

UnitedLex recently saw this scenario in action when helping a new client that had been using an MSSP for several years. A banking Trojan had infected its network, stealing banking and email credentials and used the latter to send out legitimate-looking emails to everyone in the affected user’s address book. The MSSP was already working on it when we came into the picture.

The MSSP had concluded the Trojan was contained, and no more response was needed. Not surprisingly, they were wrong.

Our Response

Looking back on this scenario, I find it hard to believe the MSSP came to such a premature conclusion. After all, what piece of nominally sophisticated malware doesn’t continue to spread laterally inside a network?

UnitedLex, however, quickly determined that the Trojan was indeed spreading laterally. The night after the MSSP signed off on the case, our UnitedLex analysts detected some hashes coming over the network and some network communication going to suspicious IP addresses.

These events were not inherently indicators of compromise. But our analysts determined that they were tied to the same session, with the same patterns of behavior, seeking out the same files to steal. They escalated the situation to me, a trained incident responder, while at the same time advising the client to pull the infected hosts off the network. Soon after, I and another incident responder discovered that the infection had spread to five other hosts. We immediately told the client to isolate those computers from the network to prevent further spreading and enable forensic analysis.

Let’s Improve Your Defenses

But we didn’t stop there. We created a timeline of the attack and wrote up a formal report that delineated the progression of the infection, complete with all of our evidence. We provided them with further remediation recommendations and techniques. We also made images of the infected machines to show the email accounts that received the phishing email and what links those employees clicked on to enable the infection.

By providing this client with comprehensive response capabilities and remediation advice, we did more than stop the infection. We also gave them the ability to harden their defenses and take action to preempt similar attacks in the future. Now, isn’t that what you would expect from a true MDR service?

And if you are looking into MDR services for your organization, we at UnitedLex can help. Contact us at — and if you’d like, ask to speak to me. I’d love to chat and am around day and night to talk MDR— just as I am for our current clients.