The MSSP industry has seen a significant increase in attacks on MSP and MSSP partners this year. This has led to several new attacks on everything from RMM tools to applications. We all deal with a crushing number of alerts daily, so how are the most successful partners managing this?
Start with the kill chain. The most popular framework today is the MITRE ATT&CK framework. If you can look at your alerts through this lens, you can begin to reduce your SOC team's workload significantly. Start with the reconnaissance stage. Why start there? Because if you can cut off the connections before the attackers gain a foothold, you can eliminate much of the hunting and clean-up your team is doing today.
A great example is Log4j. It has been a big nuisance for the last month or so. Many attackers are leveraging it because it currently creates so much noise. In a way it has been amplified through crowdsourcing by multiple attack groups: the more attackers using it, the more alerts you'll see related to it.
Those initial scans don't deliver any payload, but they do create a ton of work for your SOC. If you can connect the scan to subsequent communication from the targeted asset in your network, you can limit your response to actual threats to your customer. This is an area where machine learning can significantly improve your chance for success.
Leveraging unsupervised machine learning, you can baseline whether a particular machine has ever communicated with an external host or run a particular component such as Log4j. More importantly, you can also detect whether data is being exfiltrated. Stellar Cyber has developed a platform that can map this to the MITRE ATT&CK framework to quickly identify this behavior, stage it in the kill chain, and recommend a remediation tactic. Armed with this context, you can take a much more targeted approach to responding, and you will not need to purchase or deploy special detections from multiple vendors.
In addition, if you detect a connection to a known malicious host, you can terminate the connection automatically on the firewall and on the device. With automated threat hunting rules, you can choose a detection, set the condition, and the Stellar Cyber Platform can initiate the response through integrations with your firewall and EDR tool. Ultimately, this accomplishes three very important things:
- Reduces the time to detect actual events.
- Tunes out the noise.
- Automates response to reduce risk.
When you have a fully integrated platform performing these tasks, it’s simple. If you are interested in learning more, please reach out to Brian Stoner at Stellar Cyber.