When working in Sophos Rapid Response, our Incident Response service, it is unfortunately all too common that I come across IT teams trying to piece together the ruins of their network following a cyber-attack. When talking to these administrators, it often transpires that while they did have security software in place, either a mistake in configuration had been made that let the attacker into the network, or an indicator of compromise was missed that could have alerted the team to the potential breach before the attack was conducted.
Unfortunately, any attacker that has sought to breach your network is likely to be well tooled, well-funded, and well versed in the art of network and system penetration. We often see that attackers have spent a significant amount of time:
- Researching their target
- Performing reconnaissance both inside and outside of the network
- Identifying likely device(s) to target (or even people)
- Carrying out socially engineered campaigns against those targets to gain additional information such as usernames and credentials that allow them to get deeper into the network
In most breaches that we investigate, we can identify that the attackers were often in the network for a significant amount of time before the cyber incident from the tracks they leave behind. This “dwell time” can be days, weeks, or even months, allowing the attacker to fully embed themselves inside your network before launching whichever desired attack they have in mind. It could be a ransomware attack or a mass deployment of crypto-mining software.
However, in most cases, there will have been some indication that they were active in your network a significant time before the cyber incident itself. Due to the extreme pressure on IT administrators and security teams, it is easy to understand how these signals are missed or how the system was not configured correctly to protect against and alert to these threats.
To mitigate this risk, you need a multi-layered security solution that is adequately monitored and managed. Namely:
- A fully featured next-gen endpoint security product providing multiple different layers of protection
- A robust management platform for your security product protected by countermeasures such as Multi-Factor Authentication (MFA)
- A team that can effectively monitor your security infrastructure and conduct proactive and reactive threat hunting 24 hours a day, 7 days a week, every day of the year – because, as noted by the FBI and CISA, most attacks happen when attackers know that IT and security teams are likely not monitoring their environments – for example at weekends and on public holidays (2)
- The knowledge within that team to make the correct decisions fast when it comes to threat analysis and responding to identified incidents in your network
While points one and two are easy to acquire, there can be difficulty meeting the third and fourth requirements. Over recent years we have seen a massive increase in the workload of security teams. IT teams experienced a 63% increase in non-security workload and a 69% increase in cybersecurity workload over the last year . This impacts the day-to-day running of an IT team, with 61% reporting an increase in response times to IT cases. Stretched IT teams often have to juggle the growing security workload while keeping the network secure.
Additionally, there is a massive skills shortage in the IT sector. 54% of IT administrators believe that even with all the tools at their disposal, cyberattacks are now too advanced for their IT team to deal with on their own . Therefore even if your organization has the budget to invest in your security team, filling those roles can be difficult. Once you realize that you need to employ six people at a minimum to provide 24/7 cover, the challenge multiplies.
That’s why Managed Detection and Response (MDR) services, like Sophos Managed Threat Response (Sophos MTR), that provide 24/7/365 coverage for your environment, are ideal solutions for many organizations. When selecting an MDR service to extend your team, there are a few essential questions to consider:
- What level of support does the team provide? Will they neutralize threats for us? Or tell us about them?
- What does their remediation involve? Are they just isolating the device to ensure that the attacker cannot move laterally across your estate, or are they fully ejecting the adversary?
- How skilled are the threat hunting, neutralization, and incident response team?
Let’s look at how Sophos stands in these areas.
Level of support
Sophos MTR works with and alongside your IT team, integrating with and extending your organization. We offer a range of response modes so you can choose how you want to work with us:
- The Sophos MTR team will inform you of any concerning behavior and guide how to remediate
- The Sophos MTR team will contact you and will work with your team to share the burden of remediating the behavior or threat
- The Sophos MTR team will actively remediate and neutralize threats in your environment on your behalf
- We will inform you after the fact of the actions taken
- If there is a critical security incident or an active attacker on your network, we will reach out to your designated contacts to make them aware that a priority incident is occurring
- Collaborate with the option of Authorize
- You allow us to move you into an “Authorize” mode if there is no response to our initial communications regarding an incident or threat
Quality of remediation
Sophos changes the paradigm with the level of action we can (and will) take to ensure that your systems are secure. Tools at our fingertips include:
|Change Configurations||Adjust configurations to manage an active threat. Not limited to adjusting threat policies, enabling Sophos protection features on unprotected devices, adjusting exclusions, etc.|
|Isolate Hosts||Limit the exposure a compromised asset could have|
|Block Files||Block files by hash within an environment to prohibit malicious content from running|
|Run Scan||Initiate system scan|
|Block websites/IPs/CIDR||Block a specific website or IP address through web control|
|Block Application||Block a specific application through application control|
|Use Live Terminal||If other response actions are not effective, the use of Live Terminal can give us direct access to the host.|
|SophosLabs||The Sophos MTR team has a direct line into SophosLabs to gather the most up to date threat data about a particular threat.|
I want to take a moment to dive into Live Terminal. When facing an active attacker with ands-on keyboard access to your network, often the only way of actively neutralizing and removing that attacker from your network is to fight fire with fire. In these cases, one of our senior MTR analysts will seek approval from management and then activate a Live Terminal session directly to the relevant device(s) on your network. Within this session, they have full command line (or terminal for OSX and Linux) access to the device, allowing them to perform active defense against the attacker; moreover, if the MTR analyst needs to isolate the device, they are still able to maintain their secure tunnel to your device(s) and actively neutralize and remediate the threat.
The Sophos MTR team consists of certified threat hunters and security practitioners (SSCP, SCP) who are often experts in their chosen areas (C|EH, C|TIA, ECSA) and all-round fonts of knowledge in every area of your security stack (CompTIA Security+, Network+, CySA+). When you hand us the keys to your castle, know that responsibility is not taken lightly.
To sum up….
The bottom line is that threat hunting, and neutralization is a 24/7 task that requires expert operators. If you don’t have the capacity or skills in-house to provide this level of cover, extend your team with 3rd party analysts. Choose a team that can work with you to elevate your defenses and keep attackers at bay, even in the middle of the night.
 Sophos: The IT Security Team: 2021 and beyond