EXPEL BLOG

Threat hunting complements MDR for a stronger defensive strategy

· 2 MIN READ · KIM MAHONEY · JUN 21, 2023 · TAGS: MDR

Elite managed detection and response operations integrate with threat hunting for a proactive/reactive one-two punch that boosts an organization’s cyberdefenses.

Obvious: all security organizations need a strong detection and response strategy.

Slightly less obvious: proactive programs like cyber threat hunting are critical.

To paraphrase a notable industry analyst, the best way to deal with skin cancer is proactively wearing sunscreen and maybe a hat.

Many (most?) organizations don’t have the resources or expertise to run their own threat hunting programs. According to the SANS Institute’s 2023 Threat Hunting Survey, 73% of respondents said their organizations need more training or more experienced staff to conduct threat hunting. But there’s help, often in the form of managed detection and response (MDR) providers (full disclosure: this would be us, and yes, we’re biased). Not all threat hunting is created equal, though. Many providers will tell you they do threat hunting, but what they provide is often just a reactive part of their base MDR service. So, what should you look for?

According to the recent Forrester Wave for Managed Detection And Response, Q2 2023, “MDR customers should look for providers that conduct threat hunts with clear success criteria across a wide range of data sources.” They further note that “Threat hunting … requires MDR providers that offer hunting to do so with a systematic, formal methodology.”

Savvy security pros understand how MDR security services and threat hunting work hand-in-hand to help you not only plug holes, but find them before they have a chance to grow and do real damage to your organization. For example, the core detection technologies underpinning any MDR service (such as SIEM or EDR) are built on rules. And rules can be studied and thwarted, with attackers regularly studying user guides to uncover new ways to avoid detection.

Tales from the SOC: the Chrome 78 case

A recent case from our security operations center (SOC) illustrates the value of integrated MDR and threat hunting.

Last month, the Expel SOC team was seeing suspicious login activity associated with a major telecom and an old version of Chrome (v78.0—we’re on v114 currently). Several MDR customers had users whose credentials were compromised and needed to be reset as a result. The Expel SOC was able to discern this telecom and user-agent pattern, as they saw several incidents spun up with similar features. Though they were seeing alerts for some of these events, the alerting wasn’t “hitting” on the specific features observed (telecom + Chrome 78.0).

The SOC asked the Expel threat hunting team to run a hunt. Alerts were coming in, but not for the reasons they wanted to see. It was important to know whether some technologies and customers were missing this activity altogether. The SOC knew the threat hunting team could quickly determine if other customers had been affected.

The hunting team examined all customer login events and determined that the activity seemed to be connected exclusively to Chrome 78.0, not simply to older versions in general. Additionally, as this activity unfolded, they were able to identify another telecom that was being used in the attacks. Rolling this new information together into a sort of behavioral fingerprint, the hunting team discovered there were indeed five other customers affected and alerted the SOC team so they could start immediate investigations. They also notified the affected customers so they could take their own follow-up actions.

The attacks employed credential stuffing and brute force attacks to infiltrate customer accounts, and the tactics weren’t consistently detected by the various technologies used in our customer environments. Why not? As noted earlier, the rules were very likely gamed by attackers who knew precisely how many times they could probe without triggering an alert.
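To make that detection gap concrete, here is an added illustration (not Expel’s code or hunt query, and run over constructed sample events with assumed field names such as `customer`, `isp` and `ua`): a per-IP failure threshold of the kind a SIEM or EDR rule typically uses, beside a hunt that pivots on the telecom-plus-Chrome-78 fingerprint across every customer, so probes that stay under the per-IP limit still surface.

```python
import re
from collections import defaultdict

# Constructed login events, not real Expel telemetry. Field names are assumptions:
# customer = MDR tenant, isp = carrier the source IP was enriched to, ua = user agent.
FIELDS = ("customer", "user", "src_ip", "isp", "ua", "result")
CHROME70 = "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0.3538.77 Safari/537.36"
CHROME78 = "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0.3904.108 Safari/537.36"
CHROME114 = "Mozilla/5.0 (Windows NT 10.0) Chrome/114.0.5735.90 Safari/537.36"
RAW = [
    # Customer A: each source IP fails only twice, so a 5-per-IP rule stays quiet
    ("A", "alice", "198.51.100.10", "TelecomOne", CHROME78, "fail"),
    ("A", "alice", "198.51.100.10", "TelecomOne", CHROME78, "fail"),
    ("A", "bob", "198.51.100.11", "TelecomOne", CHROME78, "fail"),
    ("A", "bob", "198.51.100.11", "TelecomOne", CHROME78, "fail"),
    ("A", "frank", "198.51.100.13", "TelecomOne", CHROME70, "fail"),  # older, not 78
    # Customer B: the same fingerprint arriving through a second carrier
    ("B", "carol", "203.0.113.5", "TelecomTwo", CHROME78, "fail"),
    ("B", "carol", "203.0.113.6", "TelecomTwo", CHROME78, "fail"),
    # Customer C: one noisy IP with a current browser; this is what per-IP rules catch
    *[("C", "dave", "192.0.2.7", "HomeISP", CHROME114, "fail")] * 5,
]
EVENTS = [dict(zip(FIELDS, r)) for r in RAW]
UA_CHROME = re.compile(r"Chrome/(\d+)\.")

def chrome_major(ua):
    """Major version parsed from a Chrome user-agent string, or None."""
    m = UA_CHROME.search(ua)
    return int(m.group(1)) if m else None

def per_ip_rule(events, limit=5):
    """A typical threshold rule: fires when one IP has >= limit failures at a customer."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            counts[(e["customer"], e["src_ip"])] += 1
    return sorted(k for k, v in counts.items() if v >= limit)

def fingerprint_hunt(events, isps, major=78):
    """Hunt on the behavioral fingerprint across every customer: failed logins from
    the named carriers with exactly Chrome <major>, with no per-IP volume threshold."""
    hits = defaultdict(lambda: {"failures": 0, "users": set(), "isps": set()})
    for e in events:
        if (e["result"] == "fail" and e["isp"] in isps
                and chrome_major(e["ua"]) == major):
            h = hits[e["customer"]]
            h["failures"] += 1
            h["users"].add(e["user"])
            h["isps"].add(e["isp"])
    return dict(hits)
```

On the sample data the per-IP rule fires only on customer C’s noisy IP, while the fingerprint hunt surfaces customers A and B, whose failures are spread across IPs and never reach the threshold.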

This is just one example of how threat hunting complements MDR. An elite MDR operation of the sort envisioned by Forrester integrates with a threat hunting team that can jump into an investigation and rapidly uncover critical insights the MDR team can act on immediately.

Just imagine the havoc those hackers could have wreaked on those customer accounts if there hadn’t been a threat hunting team to call on…