
4 Times Managed Detection And Response Saved The Day

You can’t respond to a cyber attack if you can’t even detect it.

That’s the thinking behind MDR (managed detection and response). This service is an essential component in cyber security managed services, and it offers incredible power to stop attacks.

But what is MDR? Who provides these services, and what do they look like in real life?

Here’s everything you need to know about MDR.

What is MDR (managed detection and response)?

MDR stands for “managed detection and response.” It’s a combination of two things:

  • Endpoint detection software that spots malicious activity on endpoints (devices connected to a network).
  • Managed services, including incident triage, containment, remediation, and recommendations to improve security posture, provided by cybersecurity experts (either a services team offered by a software vendor, or an MSSP team—see below).

Here at Corsica Technologies, we use CrowdStrike Falcon® Complete MDR for all our clients. It’s the leading MDR software on the market, and our team swears by it.

Along with a managed SIEM solution, MDR forms the bedrock of a strong cybersecurity practice. It’s essential to protect your data, systems, and users in today’s fast-changing threat environment.

Do MSSPs (managed security service providers) offer MDR services?

That depends on the MSSP.

Some MSSPs provide nothing but alerts to the client. Their model covers the “detection” portion of MDR, but it doesn’t cover the “response” portion. Rather, it leaves all remediation to the client or another third-party provider.

In contrast, a full-service MSSP becomes part of your team. Here at Corsica Technologies, our analysts gain familiarity with your network and develop a strong sense of what’s suspicious and what isn’t. We can even tell when something that looks suspicious is a false positive. This discernment allows us to concentrate on true threats.

A full-service MSSP will also conduct threat hunting in your environment, looking for unusual activity and/or processes that may indicate a threat that has yet to be detected by our security software. CrowdStrike Falcon plays a significant role in this endeavor—and the software also comes with CrowdStrike’s own analysts watching things behind the scenes. Essentially, you get two levels of expert human attention monitoring your network.

This is why you should look for a full-service MSSP who includes MDR in their offerings. You want a managed partner who not only detects issues but also responds and remediates them. This is the best way to protect your business and keep your IT team focused on their core responsibilities.

But what does MDR look like in real life?

Glad you asked. Here are 4 scenarios in which MDR has saved the day (or can save it).

1. MDR services protected a local government from a weak VPN password attack

Unfortunately, smaller organizations make great targets for threat actors. These organizations have limited resources to detect and respond to threats—which makes them easier to breach. This is especially true of local governments.

Here at Corsica Technologies, we have numerous clients in the local government space. One of these organizations suffered an attack when threat actors got into their network through a weak VPN password. Once the hackers got in, they easily accessed other machines, moving laterally within the network.

The hackers tried to deploy ransomware, but the client’s CrowdStrike MDR solution (managed by Corsica Technologies) blocked the software. A few non-critical files got encrypted, but they didn’t affect business functionality. Due to the power of CrowdStrike MDR and Corsica’s fast response and remediation, the attack didn’t turn into a major incident. Our analysts were thankful to have a powerful tool like CrowdStrike at their disposal.

Detection and response process for this VPN password attack:

  • CrowdStrike detected the intrusion and created an alert with a status of “critical” (on a scale of low to critical). This automatically created a ticket in our cybersecurity monitoring systems.
  • Our SOC (security operations center) analysts received the alert instantly.
  • Our analysts checked to make sure the alert wasn’t a false positive, then escalated it.
  • Our analysts immediately isolated the affected machine so it could no longer connect to the internet or any other machines. (Note that CrowdStrike allows analysts to retain their contact with the machine while isolating it completely. CrowdStrike really is incredible.)
  • We alerted the client that we had isolated the machine, and that it would remain isolated while we investigated.
  • We inspected the extent of the damage. We found that the attack had encrypted a few non-critical files, but CrowdStrike had shut it down before it could do major damage.
  • We recommended wiping the affected workstation remotely. The client agreed, and we wiped and reimaged the machine for them.
  • We provided specific recommendations for strengthening VPN passwords to prevent similar attacks in the future.
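The first step in that list, the detection itself, is the part a reader can see in code. The following is an added example, not Corsica's or CrowdStrike's code, that looks for the weak-password sign described in scenario 1: a VPN login that succeeds only after a burst of failed attempts for the same account from the same source address. The log format, the host name `vpn-gw`, the account names and the thresholds are assumptions constructed for the example; the severity labels follow the low-to-critical scale the process list mentions.

```python
# Added example (not Corsica's or CrowdStrike's code): detect a VPN login that
# succeeds only after a burst of failed attempts for the same account from the
# same source, the weak-password pattern described in scenario 1.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the syslog-like field layout is assumed.
SAMPLE_LOG = """\
2024-03-04T02:11:05Z vpn-gw auth: user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:11:09Z vpn-gw auth: user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:11:14Z vpn-gw auth: user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:11:19Z vpn-gw auth: user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:11:23Z vpn-gw auth: user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T02:11:27Z vpn-gw auth: user=jsmith src=203.0.113.7 result=SUCCESS
2024-03-04T08:02:41Z vpn-gw auth: user=mlee src=198.51.100.20 result=FAIL
2024-03-04T08:02:55Z vpn-gw auth: user=mlee src=198.51.100.20 result=SUCCESS
"""


def parse_line(line):
    """Split one log line into a dict of user/src/result plus a parsed timestamp."""
    ts_str, _host, _service, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def severity_for(failures, alert_at, critical_at):
    """Map the failure count onto the low..critical scale the page mentions."""
    if failures >= critical_at:
        return "critical"
    if failures >= alert_at:
        return "high"
    return None


def detect_guessed_logins(log_text, alert_at=3, critical_at=5,
                          window=timedelta(minutes=10)):
    """Return one alert per (user, source) that logged in successfully after
    at least `alert_at` failures inside the sliding `window`."""
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["user"], ev["src"])
        # Keep only failures that are still inside the window.
        recent_failures[key] = [t for t in recent_failures[key]
                                if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent_failures[key].append(ev["ts"])
            continue
        if ev["result"] == "SUCCESS":
            count = len(recent_failures[key])
            severity = severity_for(count, alert_at, critical_at)
            if severity:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures_before_success": count,
                               "severity": severity,
                               "first_failure": recent_failures[key][0].isoformat(),
                               "login_at": ev["ts"].isoformat()})
            # A success resets the window for this account/source pair.
            recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_guessed_logins(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints one critical alert for `jsmith` (five failures in 22 seconds, then a success) and nothing for `mlee`, whose single typo-then-success is normal user behaviour. In an MDR pipeline the returned dict is what becomes the ticket; the analyst's false-positive check then asks whether the source address and login time make sense for that account before the machine is isolated.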

2. MDR services protected a local business employee who accidentally downloaded malware

Not all employees have received cybersecurity awareness training. Even those who’ve had it in the past may not know about the latest threats.

In this case, our client, a local business, nearly got breached through an employee’s internet browsing. The employee unwittingly clicked on a link that executed malicious JavaScript on their machine. While the code didn’t actually install a virus, it covered their screen in popups that said they had a virus. The popups told the employee to contact IT through a specific phone number.

Unfortunately, the employee didn’t realize this wasn’t their actual IT support department. They called the number, followed the instructions, and downloaded a remote desktop control program to their computer. This new software would’ve given the hackers total control of the workstation—but CrowdStrike detected it and blocked the execution of the downloaded file. CrowdStrike really is amazing!

Detection and response process for this malware attack:

  • CrowdStrike detected the malicious software and sent an alert, which created a ticket in our cybersecurity monitoring systems.
  • Our SOC analysts checked for a false positive, then escalated the incident.
  • Our analysts isolated the affected machine and alerted the client.
  • We investigated the extent of the damage. In this case, CrowdStrike had already blocked the remote desktop control software, and we found no evidence of actual damage. After ensuring the malware was deleted, we advised the client that it wasn’t necessary to wipe the device. However, we let them know we wanted to monitor the machine for a few days to be sure.
  • We provided specific recommendations for training employees on safe internet browsing.

3. MDR services can stop attacks on internet-exposed servers (like Microsoft Exchange)

In 2021, four previously unpatched vulnerabilities in on-premises Microsoft Exchange servers were discovered being actively exploited. Microsoft attributed the attacks to the Hafnium group, which has been associated with Chinese state-sponsored hacking.

This attack was ingenious. The threat actors sent a specially crafted packet to an internet-exposed Exchange server, then uploaded a file to a public Exchange directory. From there, they executed the file, which gave them a backdoor into the Exchange server.

These specific vulnerabilities have been patched, but any type of server exposed to the internet can experience a zero-day (unknown and unpatched) vulnerability.

In fact, the structure of this attack is similar to the MOVEit attacks that happened in 2023. MOVEit is a file transfer solution that allows users to exchange files over the internet. In this case, attackers discovered a vulnerability on MOVEit’s servers and used that vulnerability to steal data from organizations using the service.

In both cases, hackers exploited zero-day vulnerabilities in servers connected to the internet. Once a hacker gains this type of access, it’s easy for them to move laterally through the network and install ransomware.

A managed detection and response solution can spot these attacks in real time. It also empowers cyber analysts to shut down the attacks as they happen. Without MDR services in place, it is very difficult to detect the exploitation of a zero-day vulnerability, let alone respond to it, before criminals have fully taken advantage of it.

Detection and response process for attacks on internet-exposed servers:

  • CrowdStrike detects the uploading of malicious files and creates an alert. This automatically creates a ticket in our cybersecurity monitoring systems.
  • Our analysts verify that the alert isn’t a false positive, then escalate it.
  • Our team isolates the affected server so it can no longer connect to the internet or any other machines. We also alert the client.
  • We probe the extent of the damage, looking for signs of data exfiltration. If there are no signs of damage or data exfiltration, we’ll clear the server, then recommend keeping it online in a temporary high-surveillance state rather than wiping it. No one wants to wipe a server!
  • If there are signs of damage, we may have to recommend wiping the server.
  • We’ll provide tailored recommendations to adjust server configurations and patch any vulnerabilities (if patches are available).
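The first bullet above, detecting the upload of a foreign file that the server then executes, can be illustrated with a simple baseline check over a web server's access log. This is an added example, not Corsica's, CrowdStrike's or Microsoft's code: it flags requests for server-side script files in an internet-facing directory that are not part of the application's known file inventory. The directory name `/public/`, the script extensions, the baseline set and the W3C-style log layout are assumptions constructed for the example.

```python
# Added example (not Corsica's, CrowdStrike's or Microsoft's code): flag requests
# to server-side script files in an internet-facing directory that are not part of
# the application's known file baseline, the "upload a file, then execute it"
# pattern described above. Paths, extensions and log layout are assumptions.
import re
from collections import defaultdict

PUBLIC_PREFIX = "/public/"  # hypothetical internet-facing virtual directory
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# Constructed baseline of script files the application legitimately serves
# (stored lower-case; request paths are lower-cased before comparison).
KNOWN_SCRIPTS = {"/public/login.aspx", "/public/logoff.aspx", "/public/health.aspx"}

# Constructed W3C-style access log: date time method uri-stem status client-ip
SAMPLE_ACCESS_LOG = """\
2024-03-04 09:15:01 GET /public/login.aspx 200 198.51.100.5
2024-03-04 09:15:03 POST /public/login.aspx 302 198.51.100.5
2024-03-04 09:16:40 GET /public/health.aspx 200 192.0.2.9
2024-03-04 09:17:02 GET /public/cache_1.aspx 200 203.0.113.44
2024-03-04 09:17:05 POST /public/cache_1.aspx 200 203.0.113.44
2024-03-04 09:17:30 GET /public/style.css 200 192.0.2.9
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) (\d{3}) (\S+)$")


def parse_access_log(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        when, method, path, status, src = m.groups()
        yield {"when": when, "method": method, "path": path.lower(),
               "status": int(status), "src": src}


def is_unknown_script(path, known=KNOWN_SCRIPTS):
    """True for a script file under the public directory that is not in the baseline."""
    return (path.startswith(PUBLIC_PREFIX)
            and path.endswith(SCRIPT_EXTENSIONS)
            and path not in known)


def unknown_script_requests(log_text, known=KNOWN_SCRIPTS):
    """Group requests for unknown scripts by path. A POST answered with 200 means
    the server actually executed the foreign file, so that case is critical."""
    hits = defaultdict(lambda: {"requests": 0, "sources": set(), "executed_post": False})
    for ev in parse_access_log(log_text):
        if not is_unknown_script(ev["path"], known):
            continue
        h = hits[ev["path"]]
        h["requests"] += 1
        h["sources"].add(ev["src"])
        if ev["method"] == "POST" and ev["status"] == 200:
            h["executed_post"] = True
    alerts = []
    for path, h in hits.items():
        alerts.append({"path": path, "requests": h["requests"],
                       "sources": sorted(h["sources"]),
                       "severity": "critical" if h["executed_post"] else "high"})
    return alerts


if __name__ == "__main__":
    for alert in unknown_script_requests(SAMPLE_ACCESS_LOG):
        print(alert)
```

On the constructed log the only hit is `/public/cache_1.aspx`, requested twice from one address and answered 200 to a POST, so it is reported as critical; the known login, health and static files produce nothing. The baseline approach is deliberately vulnerability-agnostic, which is the point the section makes about zero-days: it does not need to know how the file got there, only that the server is executing something that was never deployed. Keeping the baseline current after legitimate patches is the operational cost, and a stale baseline is the main source of false positives an analyst would check before isolating the server.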

4. MDR services can block downloaded attachments from executing malicious code

When it comes to phishing emails, Microsoft 365 and Google are decent at blocking them—though we still recommend Corsica Email Protection to stop 99.9% of all malicious emails.

That said, what happens when a phishing email does slip through—and an employee downloads an attachment?

Malicious files may try to execute a PowerShell command or a script command. From there, things get ugly fast.

The good news is that MDR can detect these executable files. The solution also empowers analysts to respond in real time before the unthinkable happens.

Detection and response process for malicious executable files:

  • CrowdStrike detects the attempted execution of the command and sends an alert. This automatically creates a ticket in our monitoring systems.
  • Our SOC analysts see the alert, check for a false positive, and escalate the incident.
  • Our analysts immediately isolate the affected workstation so it can no longer connect to the internet or any other machines.
  • We alert the client that we’ve isolated the workstation, and that it will stay that way until we’ve finished our investigation.
  • We investigate the extent of the damage. Depending on the results, we may recommend wiping the computer.
  • If the computer doesn’t need to be wiped, we’ll continue to monitor it for any signs of trouble.
  • We’ll provide detailed recommendations to harden workstation security and teach employees how to detect phishing emails.
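The detection step in this list and in scenario 2 both come down to rules over endpoint process-creation events. The block below is an added example, not Corsica's or CrowdStrike's code, with two such rules: a document or mail application spawning a script host (scenario 4, rated critical when PowerShell is handed an encoded command), and an unapproved executable launched from a user's Downloads folder (scenario 2's remote desktop tool). The application lists, the allowlist, the account and file names and the event layout are assumptions constructed for the example.

```python
# Added example (not Corsica's or CrowdStrike's code): two endpoint rules over
# constructed process-creation events. Rule 1 covers scenario 4 (a document or
# mail client spawning a script host, worse if PowerShell is given an encoded
# command); rule 2 covers scenario 2 (an unapproved executable launched from a
# user's Downloads folder, such as the remote desktop tool in that story).
# Application lists, paths and the allowlist are assumptions for the example.
import os

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
APPROVED_DOWNLOADED_EXES = {"vendor_update.exe"}  # constructed allowlist
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed events: pid, ppid, image path and command line as an EDR would record them.
EVENTS = [
    {"pid": 3000, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE", "user": "acme\\jdoe"},
    {"pid": 4120, "ppid": 3000, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm", "user": "acme\\jdoe"},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>", "user": "acme\\jdoe"},
    {"pid": 2500, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": "acme\\jdoe"},
    {"pid": 5001, "ppid": 2500, "image": r"C:\Users\jdoe\Downloads\remote_support_tool.exe",
     "cmdline": "remote_support_tool.exe", "user": "acme\\jdoe"},
    {"pid": 5010, "ppid": 2500, "image": r"C:\Users\jdoe\Downloads\vendor_update.exe",
     "cmdline": "vendor_update.exe /quiet", "user": "acme\\jdoe"},
]


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def has_encoded_command(cmdline):
    """True if any token is -e, -ec or a prefix of -EncodedCommand (powershell.exe
    accepts any unambiguous prefix of a parameter name)."""
    for token in cmdline.split():
        t = token.lower()
        if t in ("-e", "-ec") or (len(t) > 2 and "-encodedcommand".startswith(t)):
            return True
    return False


def evaluate(events):
    """Apply both rules and return alerts, most severe first."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        # Rule 1: document/mail application spawning a script host.
        if parent_name in OFFICE_APPS and name in SCRIPT_HOSTS:
            encoded = name in ("powershell.exe", "pwsh.exe") and has_encoded_command(e["cmdline"])
            alerts.append({"pid": e["pid"], "rule": "office_spawned_script_host",
                           "parent": parent_name, "child": name,
                           "severity": "critical" if encoded else "high"})
        # Rule 2: unapproved executable run from a Downloads folder.
        if "\\downloads\\" in e["image"].lower() and name not in APPROVED_DOWNLOADED_EXES:
            alerts.append({"pid": e["pid"], "rule": "unapproved_download_executed",
                           "image": e["image"], "severity": "high"})
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

On the constructed events the Word document spawning PowerShell with an encoded command is returned first as critical, the remote support tool run from Downloads second as high, and the approved updater and the applications themselves produce nothing. The sort order is the triage queue: it is the ordering in which a SOC analyst would pick up the resulting tickets, check each for a false positive (an IT-approved installer, a signed macro add-in) and decide whether to isolate the workstation.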

What to look for in a managed detection and response provider

As we mentioned above, not all MSSPs do a great job with managed detection and response services. Some only provide alerting—without remediation.

You can get MDR services from software vendors, i.e. those companies that build and maintain MDR software. But these companies may not offer comprehensive cybersecurity services—only those related to MDR.

It’s best to choose a single partner who handles all things cybersecurity (including a comprehensive approach to MDR).

Here’s everything your MSSP/MDR provider should offer.

  • Compliance gap assessments. What’s your standing with applicable cybersecurity law? The right partner can take you through the compliance gap assessment process, which includes detailed recommendations to get your organization on track.
  • Cybersecurity risk assessments. While risk assessments are similar to gap assessments, they’re different as well. A risk assessment gives you a well-defined framework and a concrete process for analyzing risk against thresholds of acceptability.
  • Managed security services. Here’s where managed detection and response comes into play—but it’s not the only piece of the puzzle. You’ll also need a SIEM solution and a team watching it for trouble. It’s also a good idea to add dark web monitoring, security awareness training, protection for email and browsers, and more.
  • Managed services for network and server security. Firewalls, switches, wireless access points, servers, and other network gear all require cybersecurity controls. Ideally, you want one team managing the cybersecurity side as well as the network support side.
  • End user security services. If you don’t have centralized workstation management today, you need it! This provides greater workstation security and reduces the cost of repairs and reimaging.
  • Expert cybersecurity consulting. Look for a partner who offers consulting from a vCIO (virtual CIO) and/or vCISO. The best MSSPs give you a vCIO/vCISO who functions like a member of your executive team. These experts can help with security policy development as well as defining and maintaining your 3-year technology roadmap.
  • User-friendly client portal. Look for a partner who practices full transparency with you. They should offer a self-service portal where you can see everything related to cybersecurity and IT—in real time.

Hint: Here at Corsica Technologies, we provide all this and more. MDR is only one piece of the puzzle, and we believe organizations do best when they get all the cybersecurity services they need from a single partner.

Want to learn more about MDR?

Reach out to schedule a consultation with our security specialists.

Joseph Taylor
As a cybersecurity analyst at Corsica Technologies, Joseph works on the front lines of cyber warfare, defending clients from the latest attacks in real time. In diverse roles such as network administration, IT operations, and infrastructure support, Joseph has gained a wealth of experience at the intersection of IT and cybersecurity. His certifications include CCFA (CrowdStrike Certified Falcon Administrator), CompTIA CySA+, Microsoft 365 Certified: Security Administrator Associate, and ISC2 CISSP.
