May 20, 2022

MD Vs MDR - Understanding The Difference

The response time for any action on malicious behavior has been critical in mitigating the spread of an attack. It can now take threat actors as little as 30 minutes to begin moving laterally in an environment. This can be particularly challenging for short-staffed security teams without 24/7 response capabilities. The Managed Detection and Response (MDR) product fills this gap by taking immediate action to contain true positive threats and provide actionable details to assist with remediation. Many organizations  have upgraded from Managed Detection (MD) to take advantage of MDR’s expanded set of features. With MDR, organizations can benefit from always having extra eyes on their protected devices that detect, validate and notify of active threats. This long-awaited product alleviates many problems for organizations that cannot maintain a 24/7 security operation or are understaffed.

The response time for any action on malicious behavior has been critical in mitigating the spread of an attack. It can now take threat actors as little as 30 minutes to begin moving laterally in an environment. This can be particularly challenging for short-staffed security teams without 24/7 response capabilities. The Managed Detection and Response (MDR) product fills this gap by taking immediate action to contain true positive threats and provide actionable details to assist with remediation. Many Organizations have upgraded from Managed Detection (MD) to take advantage of MDR’s expanded set of features. With MDR, organizations can benefit from always having extra eyes on their protected devices that detect, validate and notify of active threats. This long-awaited product alleviates many problems for organizations that cannot maintain a 24/7 security operation or are understaffed.

The key components of Managed Detection and Response:

  • Immediate Action to Contain Security Incidents - The response piece of the offering will allow analysts to take action on malicious behavior immediately to limit and contain an incident.

  • Banning Malicious Hashes - Analysts are by default able to ban malicious hashes to prevent known bad binaries from running on devices within the MDR customer’s environment.

  • Policy Modification - Analysts have the ability to move impacted devices to cloned policy groups, and implement any additional rules needed to stop the ongoing threat.

  • Quarantine Impacted Devices - Once an analyst has confirmed malicious activity on a device, they have the ability to quarantine the impacted device(s), ensuring isolation from other assets on the network to prevent further executions of malicious actions and lateral movement.

NOTE: The MDR team will make our best effort to stop the malicious behavior by implementing policy changes or banning hashes before quarantining a device. This is especially important if an attack is experienced on a device that is used frequently for daily business operations.
 

image 135

Figure 1: Policy changes and quarantining are optional permissions that are customizable for each MDR policy group.

●       Two Way Communication - When MDR notifies users of an alert that is a likely threat, MDR customers can respond to the email with questions, requests for additional guidance on MDR recommendations, or provide additional context for further triage.

The MDR team is constantly correlating data across multiple industries and analyzing emerging vulnerabilities that could potentially impact our customers. This gives MDR unique insights into the threat landscape as it changes and evolves in the real world. As new threats emerge, the differences between MD and MDR are highlighted to demonstrate the importance of containing a threat due to decreasing breakout times. 

Attack Correlation

   On March 31st, 2022, the MDR team identified multiple targeted attacks occurring simultaneously in multiple customer environments. We quickly correlated the malicious behavior between the different organizations to the same threat actor using a combination of the following vulnerabilities:

●       CVE-2021-34523 (MS Exchange Server Elevation of Privilege)

●       CVE-2021-31207 (MS Exchange Server Security Feature Bypass)

●       CVE-2021-26855 (MS Exchange Server Remote Code Execution)

image 136

Figure 2: Known malicious web shells being hosted on an Exchange server.

   This threat actor targeted vulnerabilities and leveraged web shells on unpatched public-facing Microsoft Exchange servers. The attack leveraged the IIS worker process w3wp.exe and the MSExchangeECPAppPool.config file to perform various malicious behaviors, including an attempt to dump and extract user credentials stored on the server.

   Security incidents were immediately declared for both organizations, allowing MDR analysts to respond to the threats quickly. While one organization had purchased Managed Detection, the other benefited from having our additional ‘Response’ offering. This difference in response can be a force multiplier for your security team during an incident.

image 137

Figure 3: MDR utilized the above behavior (comsvcs.dll creating a memory dump) to recommend and enable specific policy rules for our client’s policy group.

MD Customer

   Our team was able to send a notification email to the customer, alerting them about the malicious behaviors and indicators found on the devices, as well as additional actions which would be required to mitigate the attack. The customer's security/IT team would then be required to take action and remediate the threat themselves through the Carbon Black Cloud console and/or their internal Incident Response process. In these situations, if a customer cannot respond immediately to the threat, the door may be left open for attackers to continue their malicious activity. This can be especially critical when team members are unable to review alerts immediately or your organization doesn’t have the resources to staff a security team 24/7.

MDR Customer

   Immediately after declaring the security incident, our team was able to attribute this particular malicious behavior to a unique threat actor based on behavior from a recently observed breach. This allowed us to quickly take action and implement blocking rules for various artifacts, malicious files and behavior seen during our investigation. MDR Threat Analysts were able to contain the threat in under 20 minutes by implementing policy rules on the customer’s behalf to mitigate further infection of devices and credential theft. An email was also sent to the customer detailing the MDR team's actions and findings and any additional remediation steps the customer may need to take.

image 138

image 139

Figure 4: Shows policies that were added by the analyst to the customer's environment through the product.

SUMMARY

  When an attack occurs within an MDR customer's environment, our analysts are able to take action on their infected devices to contain the threat on the customer’s behalf. MDR addresses many of the shortcomings that companies face for a myriad of reasons. Perhaps the largest of which is the capability of having well-trained security teams overlooking their environment to immediately respond to potential threats. As new threats emerge, companies will need to take extra precautions and have a more efficient approach when remediation is needed to limit the scope of an attack and reduce impact costs.

To learn more about VMware Carbon Black’s Managed Detection and Response product check out the following links.

●      MDR Security

●      Introducing Managed Detection and Response for Endpoints and Workloads

Want to learn more? Watch this video that shows how the MDR product combines security analysts as well as ML/algorithmic tools to quickly triage alerts and notify customers of likely security incidents.

Integrated MDR Services

Filter Tags

Blog MDR

Ruben Zacarias-Avalos

Read More from the Author

Ruben Zacarias-Avalos, Threat Analyst, Carbon Black, VMware. Ruben has a few years of experience in the industry as a cybersecurity professional with a background in Information System Security. Starting his security career in a security operations center, he has a wide range of experience across numerous security IDS and IPS tools prior to joining the Carbon Black crew. He’s currently a part of the VMware Carbon Black ThreatSight team.

VIEW MORE

Abe Schneider

Read More from the Author

Abe Schneider, Senior Threat Analyst Carbon Black, VMware. 6+ years experience in the United States Air Force managing and operating highly technical systems and procedures. Afterwards started his security career with Carbon Black and has been with the ThreatSight team for 3+ years. Highly motivated by the understanding of how and why things work.

VIEW MORE