
EDR vs MDR vs XDR – What’s the Difference?

Cyberattacks are rapidly evolving, leaving businesses and their IT security teams to handle immense workloads.

Keeping up with today’s cyberthreats not only involves staying up to date in an ever-changing threat landscape, it also involves managing complex security infrastructure and technologies. Detection and response tools are designed to help security teams monitor, evaluate, and respond to potential threat actor activity.

EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources.

Although detection and response tools share similar purposes, they are not all equal. Every threat detection and response capability has its own advantages when it comes to addressing the needs of your business and catching threats that have thwarted traditional security layers.

Let’s dive into the basics of three common detection and response solutions.

Endpoint Detection and Response (EDR)

Endpoint detection and response (EDR) solutions cover all endpoint monitoring and activity through threat hunting, data analysis, and remediation to stop a range of cyberattacks. These attacks include malware, ransomware, brute force, and zero-day intrusions.

Managed Detection and Response (MDR)

Managed detection and response (MDR) is a service that offers a suite of outsourced capabilities to deliver round-the-clock, 24/7/365 monitoring and detection, proactive threat hunting, prioritization of alerts, correlated data analysis, managed threat investigation, and remediation. MDR is popularly thought of as an in-house Security Operations Center (SOC) alternative. It blends a human element of highly-skilled experts with threat intelligence technologies.

Extended Detection and Response (XDR)

Extended detection and response (XDR) is a proactive cybersecurity solution that provides improved, unified visibility over endpoints, networks, and the cloud through aggregating siloed data across an organization’s security stack.

What is the difference between EDR vs MDR vs XDR?

Today’s industry-leading detection and response technologies rely on threat intelligence data pulled from different sources. This threat intel data varies in readability and usefulness depending on the tool and its intended audience, your security team, decision-makers, or key stakeholders. Not all businesses have the cybersecurity resources to interpret copious amounts of data, investigate alerts, and act on threats.

Let’s compare threat detection and response tools and the challenges they address.

EDR vs MDR

The difference between EDR and MDR is scale.

The needs of your organization, the number of assets and endpoint devices to protect, available resources, bandwidth, and in-house cybersecurity skill level are all factors to consider when it comes to MDR vs EDR. Addressing your business’ security challenges is crucial to understanding how much visibility your company really needs; doing so will help determine the detection and response technology best fit for your business and enhance your cybersecurity stack.

EDR has several benefits and provides holistic visibility into the attack surface of all your endpoints and can detect threats that circumvent legacy endpoint protection platforms (EPP). Endpoint Detection and Response is a staple for establishing a comprehensive security strategy and lays the groundwork for scalable cybersecurity maturity. Although fundamental, it generates a lot of alerts and endpoint telemetry data, adding to its complexity. It requires skilled cybersecurity talent who can readily handle high alert volume, interpret EDR alerts, and respond proficiently. The key takeaway is that standalone EDR products help businesses wanting to enhance their endpoint security posture but require a level of resources and advanced cybersecurity personnel.

MDR security is a managed service which merges human expertise with threat intelligence, offering advanced threat hunting, threat identification, alert prioritization, and incident response. MDR helps businesses obtain outsourced, high-skilled cybersecurity experts at an affordable cost. Regardless of size and level of expertise, your current IT team can leverage a turnkey experience with Managed Detection and Response to close the skill gap in specialized security talent. Small businesses seeking to build security maturity, handle complex threats, and relieve in-house alert fatigue, have everything to gain from Managed Detection and Response.

MDR vs XDR

XDR works to consolidate alerts and unify previously siloed data from a range of cybersecurity tools. Businesses struggling with an influx of alerts across multiple existing security tools have the most to benefit from XDR solutions. Providing extended visibility, the tool is centered on aggregating and correlating telemetry from various security tools and enhancing defense across the security ecosystem.

Extended Detection and Response addresses the challenges of businesses with multilayered security architecture.

Tips for choosing a threat detection and response tool for your business

Choosing the right detection and response tool starts with addressing your business’ security needs at scale. Simply put, your organization should consider the following questions:

• What does my company need to protect? What assets are most vulnerable to being compromised?
• How much visibility does my organization need?
• Does my security team have the skillset, time, and bandwidth to handle large security workloads?
• What are the resource constraints of my organization?
• Who will be analyzing, investigating, and responding to detected threats, alerts, and data?


A week in security (September 12 – 18)

Last week on Malwarebytes Labs:

Stay safe!

Hookup site targeted by typo-squatters

Ethical hacker and security researcher Kody Kinzie shared with BleepingComputer a list of over 50 domains of which many are spelling variations of the brand name Sniffies.

Sniffies identifies itself as a “modern, map-based, meetup app for gay, bi, and curious guys.”

Kody used an open source tool called DNSTwist to generate a list of lookalike domains for Sniffies.com. Out of the 3531 possibilities generated by the tool, 51 represented valid domains.

“I saw a good amount of domains registered with the same MX server set up, even though the domains were hosted on random platforms.”

A mail exchanger record (MX record) specifies the mail server responsible for accepting email messages on behalf of a domain name. So that would imply that the domains were set up by the same threat actor.
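The two steps described above, generating DNSTwist-style lookalikes and grouping the registered ones by the MX host they share, as an added example for a brand-protection team (this is not DNSTwist's code or the researcher's; the HOMOGLYPHS table is a small subset of what DNSTwist uses, and the MX_RECORDS table is constructed, standing in for live DNS lookups):

```python
# Added example, not from the article: build DNSTwist-style lookalike domains for a
# brand and group the ones that resolve by their MX host, so a brand-protection team
# can spot clusters that share mail infrastructure. The DNS data below is constructed.
from __future__ import annotations
from collections import defaultdict

# Visually or typographically similar substitutions (a small subset of DNSTwist's set)
HOMOGLYPHS = {"i": ("l", "1"), "l": ("1", "i"), "o": ("0",), "s": ("5",), "e": ("3",)}


def candidates(domain: str) -> set[str]:
    """Return lookalike domains from four permutation classes: omission,
    transposition, repetition and homoglyph replacement."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])              # omission
        variants.add(name[:i] + name[i] + name[i:])        # repetition
        for sub in HOMOGLYPHS.get(name[i], ()):
            variants.add(name[:i] + sub + name[i + 1:])    # replacement
    for i in range(len(name) - 1):
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    variants.discard(name)                                 # the brand itself is not a lookalike
    return {f"{v}.{tld}" for v in variants}


# Constructed lookup table standing in for live DNS: domain -> MX host
# (None = registered without MX, or not registered at all)
MX_RECORDS = {
    "sniffies.com": "mx.legit-example.net",
    "snffies.com": "mail.squat-example.org",
    "snifies.com": "mail.squat-example.org",
    "snifffies.com": "mail.squat-example.org",
    "sniffles.com": "mx.other-example.net",
    "sniffie.com": None,
}


def cluster_by_mx(domain: str, records: dict[str, str | None]) -> dict[str, list[str]]:
    """Group the registered lookalikes of `domain` by the MX host they share."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for cand in sorted(candidates(domain)):
        mx = records.get(cand)
        if mx:
            clusters[mx].append(cand)
    return dict(clusters)


if __name__ == "__main__":
    for mx, domains in cluster_by_mx("sniffies.com", MX_RECORDS).items():
        print(f"{mx}: {', '.join(domains)}")
```

Three of the constructed lookalikes land in one cluster because they share a mail host, which is the signal the researcher describes; in practice the MX_RECORDS table is replaced by real DNS queries and the clusters are fed to takedown or blocklist requests.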

Typosquatting

Typosquatting is a term you may have seen when reading about Internet scams. In essence it relies on users making typing errors (typos) when entering a site or domain name. Sometimes it is also referred to as URL hijacking or domain mimicry, but IMHO the word typosquatting more accurately describes the matter. As you will understand, the success of a typosquat scammer depends on the number of victims that are likely to misspell the intended domain and land on the scammers’ pages.

One factor is the popularity of the domain. With an estimated number of 79,600 visitors per day, Sniffies certainly qualifies in that department.

Advertising

BleepingComputer’s test results were described as:

“Once accessed, the illicit ‘Sniffies’ copycat domains do one of the following things:

  • Push the user to install dubious Chrome extensions
  • Launch the ‘Music’ App on Apple devices right from the web browser
  • Lead the users to bogus technical ‘support’ scam sites
  • Lead the users to fake job posting sites”

Obviously, we did some testing of our own. We found some domains that had either been abandoned or parked for the future, but some did what they were set up for—redirect visitors based on some basic system properties and the location (based on IP address).

Most of the redirects we found at Malwarebytes went to advertising sites that were more or less legitimate. But certainly not what the user would be looking for. Many shared this look, offering the visitor a few choices.

Image: advertisement choices

In one instance (Dutch IP, Windows system) we were redirected to a fake Microsoft Defender warning site (including soundtrack and locked screen), parked in the domain ondigitalocean.app which has been on Malwarebytes’ radar for some time.

Image: fake Microsoft Defender warning

We also found one of the Chrome extensions that BleepingComputer described as dubious. Malwarebytes detects these extensions as PUP.Optional.AdMax.

Image: Adblock Max extension

Mitigation

While it’s certainly nice to read how these campaigns work and how the research was done, Sniffies is just an example of what is out there.

To avoid falling victim to typosquatters, there are a few basic measures you can take, which are in essence aimed at not typing the URL.

  • Bookmark your favorites
  • Use search results rather than typing the URL in the address bar
  • Leave some or all of the sites that you visit every day open in your browser tabs (most popular browsers offer the option to continue where you left off or to specify a set of sites to start with)
  • Never click links in unexpected emails or on unknown sites
  • Use an antivirus or anti-malware solution that offers web protection and preferably even an anti-exploit solution.

Stay safe, everyone!


3 ways MDR can drive business growth for MSPs

The managed service provider market is growing rapidly. As cyberattacks continue to increase worldwide, more and more small-and-medium-sized businesses (SMBs) are looking to MSPs to take the load off when it comes to securing their business. 

With more business, of course, comes more competition—and what better way to whet your competitive edge than to offer security services that SMBs desperately need?

It’s a no-brainer. By focusing on the specific security needs of their customers, MSPs can attract and retain the 91% of SMBs who would consider switching service providers if another one offered the “right” cybersecurity services.

Okay, but that begs the question: Exactly what security service should MSPs be offering to their clients? Endpoint protection, EDR, and VPM services are high up there—but you may not know that Managed Detection and Response (MDR) is another must-have.

MDR is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack. Gartner reports that, by 2025, 50% of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment capabilities.

The core service capabilities of MDR include:

  • 24×7 monitoring of an organization’s environment for threats.

  • Threat detection, alerting, and response from highly experienced security analysts.

  • Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.

  • Proactive cyber threat hunting based on past indicators of compromise (IOCs)

While it’s technically possible for MSPs to build out their own MDR program in-house, doing so takes the same time, expense, and effort as starting an entirely new IT security department. You’ll need to build out your own security operations center (SOC) facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on.

In short, the expertise and infrastructure required for MDR is why many MSPs opt to outsource their MDR to a service provider. 

Here are three ways MDR can drive business growth for MSPs.

1. Minimize dwell time

In the cybersecurity world, dwell time is the time that elapses between a malware or an attacker infiltrating a system and when they are detected (and removed).

The longer the dwell time, the longer an attacker has to elevate their privileges and move deeper into a network in search of sensitive data and other high-value assets. We call this lateral movement—and MDR can nip it in the bud, preventing a potential data breach. It’s all made possible by threat hunting. 

Threat hunting typically includes two essential functions in the delivery of MDR services:

  • A research-based approach, where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services. 

  • An active hunting approach, where security analysts systematically review your organization’s environment to uncover any current suspicious activity or newly emerging indicators of compromise (IOCs) that are in progress.  

Because both research-based and active threat hunting can stop an attacker before they exfiltrate data or deploy ransomware, outsourcing your threat hunting can greatly help control infections for your MSP clients. And if you have a reputation for letting fewer threats through than your competitors, you’ll likely attract more business.

Read: Cyber threat hunting for SMBs: How MDR can help

2. Overcome alert fatigue

Let’s say your MSP business serves more than 60 customers, ranging from small businesses with a handful of employees to larger companies with about 150 users. 

Every day, your small team works to protect thousands of endpoints, and deals with an ever-growing number of alerts.

With constant alerts demanding attention, MSP security analysts end up being overworked and exhausted, reducing their ability to properly identify and triage alerts to prevent malware infections and the spread of damage. That can lead to missed threats getting through to clients—ultimately leading to data loss and downtime for their organizations.

By outsourcing your MDR, your environment is monitored 24x7x365 by a team of advanced cybersecurity analysts. Rather than scrambling to identify and understand critical threat alerts, your MSP team receives notifications from the MDR team with guidance to remediate critical threats.

Not only can this increase your team’s morale and job satisfaction, but it also opens your team’s resources to focus on net new billable projects.

3. Increases customer satisfaction and MRR

If you’re an MSP, you might find three ways to take your business to the next level:

  • Increasing your number of customers offers increased monthly recurring revenue (MRR) and diversifies your client base, but providing the services businesses are looking for could require extra staff.

  • Recruiting larger customers could increase MRR at a lower marginal cost than serving multiple small clients, but a larger client could require more resources to properly manage.

  • Upselling existing customers would allow your MSP to build upon your current customer base, but it will require a compelling value proposition to encourage satisfied customers to increase their monthly spend.

Finding an offering that provides 24x7x365 security is a great way to increase your number of customers, recruit larger customers, and upsell existing customers all at once—and MDR can make it happen. Specifically, other than 24×7 real-time threat detection and threat hunting, MDR offers a few other key features that businesses of all sizes are looking for:

  • Threat intelligence: Provides insights into who attackers are, where they can access the network, and specific actions that can be taken to strengthen defenses against a future attack. 

  • Effective threat response: An MDR service provider with top-tier security analysts will have the skills to tackle complex threats. This will reduce an organization’s mean time to respond (MTTR).

  • Reporting: MDR service providers give transparent and consistent communication, sharing details about their threat detection and giving expert guidance on responding to and remediating security threats.

By outsourcing your MDR, you can offer all of these in-demand activities for current and prospective clients without needing your own in-house MDR tools and staff.

Transform your MSP business with MDR

The threat hunting, threat intelligence, and threat response capabilities of MDR make it a must-have solution for any security-minded SMB. Likewise, with the demand for MDR services on the rise, MSPs would be wise to include it in their security portfolio. 

For many MSPs, however, delivering MDR services isn’t possible with their current staff and tools. 

Partnering with an MDR vendor provides several key advantages, giving you fast time-to-market to immediately address market demand and enabling you to offer a service that has top-tier professionals and uses the best security tools. 

Want to learn more about the tools MDR analysts use to detect and respond to threats? Check out our webinar: Malwarebytes for Business Demo.


Uber hacked

Uber informed the public on Thursday it was responding to a cybersecurity incident after somebody breached its network. From what we have been able to find out so far, the attacker managed to compromise an employee’s access to the chat app Slack. The intruder may also have gained access to the Amazon and Google-hosted cloud environments where Uber stores its source code and customer data, and to the company’s HackerOne account, which contains information about security flaws in its products.

There has been no indication that Uber’s fleet of vehicles or its operation was affected.

Security researchers that spoke with the hacker, who claims to be 18 years of age, are under the impression that the threat actor’s main motive seems to be to show off what he did. The person also said Uber drivers should receive higher pay.

A highly respected source revealed that the threat actor spammed an employee with MFA push requests, an established tactic that can defeat some kinds of multi-factor authentication by simply annoying a victim into submission. This type of MFA sends a notification to a user whenever their username and password are used. The user has to approve the login by pressing a button on a smartphone app. The idea is that a stolen username and password are useless to an attacker unless they also have physical access to the victim’s phone. It doesn’t always work like that though. Unfortunately, some criminals have learned that they can batter people into submission by repeatedly using the username and password until the victim approves the login just to make the notifications stop.

In this case the attacker reportedly contacted the employee on WhatsApp and told them they had to accept the requests to make them stop, at which point the victim did as instructed.
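The MFA prompt-bombing pattern described above is detectable from identity-provider logs: one user receiving a burst of push prompts, and the burst ending in an approval is the worst case. The following is an added detection example, not code from the article or from any vendor; the log lines, field names and thresholds are constructed and need mapping to your own provider's export.

```python
# Added example, not from the article: detect MFA push fatigue ("push bombing") in
# authentication logs. The rule flags any user who receives `threshold` or more push
# prompts inside `window`, and rates the finding critical if the burst ends in an
# approval. Log lines and field names are constructed.
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one MFA push outcome per line
SAMPLE_LOG = """
2022-09-15T10:00:00Z user=jdoe event=mfa_push result=denied src=203.0.113.5
2022-09-15T10:00:40Z user=jdoe event=mfa_push result=timeout src=203.0.113.5
2022-09-15T10:01:20Z user=jdoe event=mfa_push result=denied src=203.0.113.5
2022-09-15T10:02:05Z user=jdoe event=mfa_push result=timeout src=203.0.113.5
2022-09-15T10:02:50Z user=jdoe event=mfa_push result=timeout src=203.0.113.5
2022-09-15T10:03:30Z user=jdoe event=mfa_push result=approved src=203.0.113.5
2022-09-15T09:00:00Z user=asmith event=mfa_push result=approved src=198.51.100.9
2022-09-15T11:00:00Z user=bwong event=mfa_push result=timeout src=203.0.113.5
2022-09-15T11:00:30Z user=bwong event=mfa_push result=timeout src=203.0.113.5
2022-09-15T11:01:00Z user=bwong event=mfa_push result=timeout src=203.0.113.5
2022-09-15T11:01:30Z user=bwong event=mfa_push result=timeout src=203.0.113.5
2022-09-15T11:02:00Z user=bwong event=mfa_push result=timeout src=203.0.113.5
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+)")


def parse(lines):
    """Turn matching log lines into (user, timestamp, result) tuples; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((m["user"], ts, m["result"]))
    return events


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per user whose densest burst of prompts reaches `threshold`."""
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((ts, result))
    findings = []
    for user in sorted(by_user):
        evs = sorted(by_user[user])
        best_count, best_end, start = 0, None, 0
        for i, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:      # slide the window start forward
                start += 1
            if i - start + 1 > best_count:
                best_count, best_end = i - start + 1, i
        if best_count >= threshold:
            approved = evs[best_end][1] == "approved"
            findings.append({
                "user": user,
                "prompts": best_count,
                "approved": approved,
                "severity": "critical" if approved else "high",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(parse(SAMPLE_LOG)):
        print(finding)
```

In the constructed log, jdoe approves after six prompts and is rated critical (the session should be revoked and the user contacted), while bwong's five unanswered prompts are rated high (an attacker holds a valid password and is still trying). Number matching or a phishing-resistant factor removes the "approve to make it stop" path altogether; a detection like this is the compensating control for push-only MFA.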

Slack

Slack is a messaging system that’s widely used by, and within, tech companies as an alternative to email. It allows direct messages between individuals, and conversations among groups of people take place in channels dedicated to specific topics or areas of concern. Channels contain a complete history of every conversation they have ever hosted, and may contain sensitive or valuable information. In other words, Slack can be a potential gold mine for an attacker looking to expand their access and impact.

The New York Times reports that Uber was forced to take several internal communications and engineering systems offline after the attacker used Slack to send a message to Uber employees.

The Slack message, including spelling errors, read:

“I announce I am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and two monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”

The message was received as a joke by Uber’s employees in the Slack channel at first, but people soon started realizing the claims were serious. To prove that the intruder really had access they posted a photo on an internal information page for employees, as well as screenshots of the Uber AWS instance, HackerOne administration panel, and more.

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses who want to know about security issues in their products with penetration testers and cybersecurity researchers looking to be rewarded for their bug-hunting efforts.

I suppose if there is one thing you don’t want a hacker to get their hands on, it’s the company’s HackerOne administration panel. Imagine someone having access to a list of unfixed security vulnerabilities affecting your organization, alongside proof-of-concept code that can exploit them.

We reached out to HackerOne to ask about the security measures that apply to a company account. We are awaiting their response.

No hush, hush this time

Uber famously covered up a 2016 data breach that affected its 57 million customers and drivers. The company hid the incident from the public and paid the hackers $100,000 to delete the data and keep quiet. That Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred. Uber settled the case with the DOJ (US Department of Justice) and paid $148M for civil litigation settlement.

School app Seesaw compromised to send shock NSFW image

On Wednesday, parents and teachers reported that student learning platform, Seesaw, had been hacked after some users received an infamous explicit photo known as “goatse” on private chats. Schools from districts in Colorado, Illinois, Kansas, Michigan, New York, Oklahoma, South Dakota, and Texas all experienced similar issues, and began to send out warnings like the one below:


San Francisco-based Seesaw, which prides itself on having more than 10 million users, declined to comment on how many were affected.

In a news release, Seesaw said it wasn’t hacked but was compromised via “a coordinated ‘credential stuffing’ attack” in which widely available compromised credentials—email address and password combinations—were used to illegally take over Seesaw accounts.

“We have no evidence that the attacker performed additional actions in Seesaw beyond logging in and sending a message from these compromised accounts,” the notification said.
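Credential stuffing of the kind Seesaw describes has a distinctive shape in login logs: one source tries many different usernames and most attempts fail, which separates it from a single user mistyping their own password. The following added example (not Seesaw's code or the article's) flags such sources and lists the accounts that nevertheless logged in, which are the ones to force a password reset on; the log lines and thresholds are constructed.

```python
# Added example, not from the article: flag credential-stuffing sources in web login
# logs. A stuffing source tries many *different* usernames with a high failure rate.
# Log lines, hostnames and thresholds are constructed.
from __future__ import annotations
import re
from collections import defaultdict

# Constructed log: one login attempt per line
SAMPLE_LOG = [
    f"2022-09-14T13:{i:02d}:00Z src=198.51.100.7 user=teacher{i:02d}@school.example status=fail"
    for i in range(10)
] + [
    "2022-09-14T13:10:00Z src=198.51.100.7 user=parent22@school.example status=success",
    "2022-09-14T13:11:00Z src=198.51.100.7 user=parent41@school.example status=success",
    "2022-09-14T13:12:00Z src=192.0.2.44 user=admin@school.example status=fail",
    "2022-09-14T13:13:00Z src=192.0.2.44 user=admin@school.example status=fail",
    "2022-09-14T13:14:00Z src=192.0.2.44 user=admin@school.example status=success",
]

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\S+)")


def detect_stuffing(lines, min_users=8, min_fail_ratio=0.7):
    """Return per-source findings: distinct users tried, failure ratio and the accounts
    that still logged in successfully (candidates for a forced password reset)."""
    users = defaultdict(set)
    fails = defaultdict(int)
    total = defaultdict(int)
    successes = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, status = m["src"], m["user"], m["status"]
        users[src].add(user)
        total[src] += 1
        if status == "fail":
            fails[src] += 1
        elif status == "success":
            successes[src].add(user)
    findings = []
    for src in sorted(users):
        ratio = fails[src] / total[src]
        # many distinct accounts AND mostly failures = stuffing; one account failing
        # a few times before success is just a forgotten password
        if len(users[src]) >= min_users and ratio >= min_fail_ratio:
            findings.append({
                "src": src,
                "distinct_users": len(users[src]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(successes[src]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(SAMPLE_LOG):
        print(finding)
```

The constructed source 198.51.100.7 tries twelve accounts and succeeds on two; those two are the accounts an attacker could use to send messages, exactly the action Seesaw reported. The second source, 192.0.2.44, fails twice on one account and then succeeds, and is correctly left alone.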

In an update, Seesaw said it has removed the inappropriate link, which is a bit.ly shortened URL, and undertook other actions to make sure that no one can access the link anymore.

“However, in a few instances, if the message was already loaded in a web browser or one of our apps, the message may have been cached on your device,” it added. “To ensure that no one has access to the inappropriate message, we recommend everyone *refresh their web browsers and refresh their mobile apps*. On mobile, you can update your device to the latest app version (version 8.1.2, released today) and re-launch Seesaw OR close and re-open the Seesaw app.”

Seesaw has adjusted its detection and blocking feature and is slowly bringing back the messaging feature of the app after it temporarily disabled it as part of sorting out the compromise.

Say ‘no’ to password reuse

The Seesaw incident is a timely example of why it’s important for people not to reuse passwords across different accounts. Often when a breach occurs the stolen credentials are sold on to more cybercriminals who then try these logins on other sites.

To eradicate password reuse forever, get yourself a password manager to create and remember unique, complex passwords. All you need is one very long and very complicated password for the password manager itself—you can combine random words or think of a ridiculous phrase that is unguessable. 

Seesaw endorsed a guideline for creating and managing passwords by CISA (Cybersecurity & Infrastructure Security Agency). Responsible parents, teachers, and guardians would also be wise to heed this.

Stay safe!

Malvertising on Microsoft Edge’s News Feed pushes tech support scams

While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.

We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories.

In this blog post, we raise awareness and expose this scam operation that has been going on for at least two months.

Overview

The Microsoft Edge News Feed is a collection of thumbnails alternating between news content, traffic updates and advertisements. We have identified several ads that are malicious and redirect unsuspecting users to tech support scams.

The redirection flow can be summarized in the diagram below:


Technical details

When a user clicks on one of the malicious ads, a request to the Taboola ad network is made via an API (api.taboola.com) to honor the click on the ad banner. The server will respond with the next URL to load, with the following format:

document.location.replace('https://[scammer domain]/{..}/?utm_source=taboola&utm_medium=referral');

The first request to one of those malicious domains retrieves a Base64 encoded JavaScript whose goal is to check the current visitor and determine if they are the potential target.


An original version of this script can be found here, while a beautified version can be found here.

The goal of this script is to show the malicious redirection only to potential victims; bots, VPN users and visitors from geolocations that are not of interest are instead shown a harmless page related to the advert.

This scheme is meant to trick innocent users with fake browser locker pages, very well known and used by tech support scammers. What’s worth noticing is the cloud infrastructure that is being leveraged here, making it very difficult to block.


These are subdomains on ondigitalocean.app which are constantly changing; in the span of 24 hours, we collected over 200 different hostnames.

Infrastructure

The advertisements displayed on the Edge News Feed are linked with the following domains (this list is not exhaustive):

  • feedsonbudget[.]com
  • financialtrending[.]com
  • foddylearn[.]com
  • glamorousfeeds[.]com
  • globalnews[.]cloud
  • hardwarecloseout[.]com
  • humaantouch[.]com
  • mainlytrendy[.]com
  • manbrandsonline[.]com
  • polussuo[.]com
  • newsagent[.]quest
  • newsforward[.]quest
  • puppyandcats[.]online
  • thespeedoflite[.]com
  • tissatweb[.]us
  • trendingonfeed[.]com
  • viralonspot[.]com
  • weeklylive[.]info
  • everyavenuetravel[.]site

One of the domains, tissatweb[.]us, which was also publicly reported for hosting a browser locker, has interesting whois data:

Registrant Email: sumitkalra1683@gmail[.]com

That email address is associated with the following additional domains:

  • tissat[.]us
  • mvpconsultant[.]us
  • aksconsulting[.]us
  • furnitureshopone[.]us
  • minielectronic[.]in
  • antivirusphonenumber[.]org
  • quickbooktechnicalsupport[.]org
  • printertechnicahelp[.]com
  • comsecurityessentials[.]support
  • decfurnish[.]com
  • netsecurity-essential[.]com
  • mamsolutions[.]us
  • mamsolution[.]us
  • a-techsolutions[.]us

The email address belongs to an individual named Sumit Kalra who is listed as a director for Mws Software Services Private Limited, a company located in Delhi whose principal business activity is “Computer and related activities”.
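Two things a defender can do with this section: refang the defanged indicator list so it can be matched against web telemetry, and flag the subdomain churn described for ondigitalocean.app (over 200 hostnames in 24 hours) without blocking the whole platform. The following is an added example, not Malwarebytes' tooling: the blocklist entries are a subset of the domains published above, the telemetry lines are constructed, and the apex() helper is a two-label simplification that a production version would replace with a public-suffix library.

```python
# Added example, not from the article: triage web telemetry against a defanged
# indicator list and flag apex domains with high subdomain churn. Indicators are a
# subset of those published in the article; telemetry hostnames are constructed.
from __future__ import annotations
from collections import defaultdict

# Defanged indicators as published (subset); refanged before matching
DEFANGED_IOCS = """
feedsonbudget[.]com
tissatweb[.]us
newsagent[.]quest
""".split()


def refang(indicator: str) -> str:
    """Convert 'example[.]com' / 'hxxp://' notation back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def apex(hostname: str) -> str:
    """Registrable-domain approximation: the last two labels (assumption; use a
    public-suffix list in production)."""
    return ".".join(hostname.lower().split(".")[-2:])


# Constructed telemetry: (timestamp, hostname the browser was sent to)
TELEMETRY = [
    ("2022-09-16T08:00:01Z", "feedsonbudget.com"),
    ("2022-09-16T08:00:05Z", "www.tissatweb.us"),
    ("2022-09-16T08:01:10Z", "a1b2c3d4-x1.ondigitalocean.app"),
    ("2022-09-16T09:14:22Z", "e5f6a7b8-q9.ondigitalocean.app"),
    ("2022-09-16T11:40:03Z", "c9d0e1f2-z3.ondigitalocean.app"),
    ("2022-09-16T15:02:48Z", "a3b4c5d6-k7.ondigitalocean.app"),
    ("2022-09-16T15:03:00Z", "www.example.com"),
    ("2022-09-16T15:03:01Z", "cdn.example.com"),
]


def triage(telemetry, defanged_iocs, churn_threshold=3):
    """Return hostnames that match the blocklist (directly or by apex) and apex
    domains that appeared under at least `churn_threshold` distinct hostnames."""
    blocklist = {refang(i) for i in defanged_iocs}
    hits = set()
    subdomains = defaultdict(set)
    for _ts, host in telemetry:
        host = host.lower()
        if host in blocklist or apex(host) in blocklist:
            hits.add(host)
        subdomains[apex(host)].add(host)
    churn = {a: len(h) for a, h in subdomains.items() if len(h) >= churn_threshold}
    return {"blocklisted": sorted(hits), "churn": churn}


if __name__ == "__main__":
    print(triage(TELEMETRY, DEFANGED_IOCS))
```

The churn finding is a lead, not a block decision: ondigitalocean.app is a shared platform domain with legitimate tenants, so the right response is to review the individual hostnames, block those, and report the abuse to the provider, which is what the article's closing sentence describes.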

Protection

This particular campaign is currently one of the biggest we are seeing in terms of telemetry noise.


The fingerprinting to avoid detection is interesting and more sophisticated than usual. We will continue to expose and report abusive infrastructure used for scams.

Malwarebytes users were already protected against this tech support scam thanks to our Browser Guard extension.

Cyber threat hunting for SMBs: How MDR can help

When you hear the words “cyber threat hunting”, you just may picture an elite team of security professionals scouring your systems for malware. Sounds like something only huge businesses or nation states would need to do, right?

Not quite. Threat hunting is just as essential for small-and-medium-sized businesses as it is for larger organizations—for the simple reason that threat actors see SMBs as an easy way to make a quick buck.

Cybercriminals know that most SMBs don’t have the budget for robust cybersecurity technology or seasoned security professionals. And when hackers attack, it stings: In 2021, the average cost of a data breach for businesses with fewer than 500 employees was $2.98 million.

Threat hunting can weed out malware before anything bad like a data breach can happen. Unfortunately, cyber threat hunting is more difficult for SMBs to do than it is for large organizations due to the aforementioned resource constraints. That’s where Managed Detection and Response (MDR) can help. 

In this article, we’ll review what MDR and threat hunting are, and how exactly MDR can help SMBs with cyber threat hunting.

What is cyber threat hunting?

Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23% of intrusions lead to ransomware, 29% to data theft, and 30% to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.

Threat hunting is all about nipping these sorts of stealthy attackers in the bud. And not only dormant attackers, but dormant malware too.

Threat hunting arrived on the scene as an important security practice with the increased prevalence of unidentifiable or highly-obfuscated threats—those that quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

The bad news for SMBs: Manually intensive and costly threat-hunting tools usually restrict this practice to larger organizations with an advanced cybersecurity model and a well-staffed security operations center (SOC). That’s where MDR comes in.


What is MDR?

Managed Detection and Response, or MDR, is a service that provides around-the-clock monitoring of an organization’s environment for signs of a cyberattack. Using a combination of Endpoint Detection and Response (EDR) technology and human-delivered security expertise, an MDR service provides advanced attack prevention, detection, and remediation, as well as targeted and risk-based threat hunting. 

The core service capabilities of MDR include:

  • 24×7 monitoring of an organization’s environment for threats.

  • Threat detection, alerting, and response from highly experienced security analysts.

  • Correlation of endpoint alerts with other data sources to identify threats and response measures more effectively.

  • Proactive cyber threat hunting based on past (and newly reported) indicators of compromise (IOCs)

So, as you can see, MDR is much, much more than just threat hunting.

While it’s technically possible for SMBs to build out their own MDR program in-house, doing so is a time, expense, and effort equivalent to starting an entirely new IT security department. You’ll need to build out your own SOC facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on. That’s why many SMBs opt to outsource their MDR to a service provider.

In short, MDR is a service designed to protect an organization’s data and assets, even if a threat eludes EDR security detection. Outsourcing your MDR alleviates the capital expenditures (CapEx) of purchasing a SIEM or other security tools and gives SMBs a fast time-to-market, so the organization’s security needs are addressed immediately.

Cyber threat hunting and MDR

Now, let’s bring this thing full circle: what does threat hunting for SMBs look like as a managed service? 

Threat hunting typically includes two essential functions in the delivery of MDR services. The first one is research-based threat hunting where security analysts look, or “hunt,” for known attackers or adversarial behaviors listed in threat intelligence services.

“Let’s say we get our intelligence and it says listen, if you see these five files with this hash, it’s most likely this attack. Because we understand the tools, tactics, and motives of the adversary, we can say oh, look, we just found one of those five files,” says Bob Shaker, VP, Managed Services at Malwarebytes.

“We know they’re trying to steal certain types of data. I’m gonna go look and see if that data is being exfiltrated. And there it is. There’s a folder created and all the data is being copied into this folder. This is that attack.”

The second approach is active threat hunting, where security analysts systematically review your organization’s environment to uncover any current suspicious activity or newly emerging IOCs that are in progress.  

Shaker explains this second approach: “Here’s how it works: Intelligence and data comes into the MDR team. The team creates playbooks that execute against the customers’ environment, looking at the EDR data that’s been collected for one of those indicators of compromise.”

“When an IOC is found in the EDR data, the analyst takes the next step to investigate wherever it was found to determine if it’s an attack or not. If not, they mark it as a false positive. And if it is, they take whatever the appropriate steps are that the customer allows them to take. Then they notify the customer with potential remediation actions, such as deletion, quarantine, blocking, and the customer chooses.”
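The two hunting functions described above, as an added example that is not the article’s or Malwarebytes’ code: a toy hunt over constructed EDR telemetry where research-based hunting matches file hashes from a threat-intel feed, and an active-hunting playbook flags a newly created folder that receives a burst of copied files (the staging pattern Shaker describes). All hashes, hosts and paths are constructed placeholders, and findings go to an analyst for triage rather than being acted on automatically.

```python
from collections import defaultdict

# Constructed threat-intel feed: file hash -> campaign label (placeholders, not real IOCs)
INTEL_HASHES = {
    "aaaa1111": "campaign-A",
    "bbbb2222": "campaign-A",
}

# Constructed EDR telemetry: one dict per event, as a hunt playbook would read it
EDR_EVENTS = [
    {"host": "ws01", "type": "file_create", "path": "C:\\Users\\a\\tool.exe", "sha256": "aaaa1111"},
    {"host": "ws01", "type": "dir_create", "path": "C:\\ProgramData\\stage"},
    *[{"host": "ws01", "type": "file_copy",
       "dest": "C:\\ProgramData\\stage\\f%d.docx" % i, "sha256": "cc%02d" % i} for i in range(12)],
    {"host": "ws02", "type": "file_create", "path": "C:\\Temp\\notes.txt", "sha256": "dddd4444"},
]


def research_hunt(events, intel):
    """Research-based hunt: every file event whose hash appears in the intel feed."""
    return [(e["host"], e.get("path", e.get("dest")), intel[e["sha256"]])
            for e in events if e.get("sha256") in intel]


def staging_playbook(events, threshold=10):
    """Active hunt: a directory created during the window that then receives
    at least `threshold` copied files on the same host is flagged for review."""
    created = {(e["host"], e["path"]) for e in events if e["type"] == "dir_create"}
    copies = defaultdict(int)
    for e in events:
        if e["type"] == "file_copy":
            folder = e["dest"].rsplit("\\", 1)[0]      # parent directory of the copy target
            if (e["host"], folder) in created:
                copies[(e["host"], folder)] += 1
    return [key + (n,) for key, n in copies.items() if n >= threshold]


def hunt(events, intel):
    """Run both hunts; the analyst decides true positive vs. false positive per finding."""
    return {"intel_matches": research_hunt(events, intel),
            "staging_folders": staging_playbook(events)}


if __name__ == "__main__":
    for kind, findings in hunt(EDR_EVENTS, INTEL_HASHES).items():
        print(kind, findings)
```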

Shaker further notes that, if a threat slips through the cracks of your MDR provider and an attack is successful, then there’s nothing your MDR can do anymore. The point of MDR is to do everything it can to stop the threat at the point of attack: after that, your incident response company takes over.

SMBs need cyber threat hunting—and MDR can help them do it 

Threat hunting is essential for small-and-medium-sized businesses, as attackers can potentially remain undetected for over two weeks after compromising a network.

Unfortunately, threat hunting is complicated and requires a dedicated SOC and seasoned cybersecurity staff, barring most SMBs from utilizing this important security practice. In this article, we’ve outlined how outsourcing your threat hunting to an MDR service can help.

Want to learn more about MDR and threat hunting? Check out the resources below. 

Featured articles 

What is Threat Hunting?

What is Threat Intelligence?

What is MDR?

What is SIEM?

What is SOC?

Webinar: Malwarebytes EDR Product Demo

Here are the new security and privacy features of iOS 16

On Monday, September 12, Apple released iOS 16, which included a host of new security and privacy features.

Let’s look at what these are—and some quality-of-life (QoL) changes. 

Lockdown Mode

As Macrumors calls it, Lockdown Mode is an “extreme” security setting ideal for those who regularly find themselves in the crosshairs of online risk and targeted sophisticated cyberattacks: Activists, journalists, and government officials.

Although this mode was made with a small fraction of iPhone users in mind, anyone can enable and use it.

Lockdown Mode disables and “strictly” limits many iPhone features; enabling it requires restarting the device and entering a passcode. This mode blocks (among others) messages with attachments, FaceTime calls from people with whom you have no call history, and wired connections with other devices while the iPhone is locked.

Passkey

As we mentioned earlier this week, passkeys are a “password killer” and are used instead of passwords to sign in to a website or app. It may seem complicated if you dig into the details, but in practice it may be as simple as using Face ID or Touch ID.

Passkeys aim to help protect users from phishing attacks, malware, and other campaigns designed to steal accounts or unlawfully gain access to them.

Clipboard consent

Copying and pasting from the clipboard now requires explicit permission from the user. Apps are now forced to get consent the same way as when they ask for access to the phone’s camera, microphone, and other sensitive data.

Known Wi-Fi networks editing

Here’s another handy feature that makes users aware of all the Wi-Fi networks they have previously connected to so they can properly disconnect or forget that connection, even when they’re not in range of the network anymore. Users can also view details about these networks.

Not only that, if iCloud Keychain is enabled on all your Apple devices, users will also see a listing of Wi-Fi hotspots those devices have connected to in the past. This listing is under Known Networks, which you can navigate to from Settings > Wi-Fi > Edit.

It’s important to clear out old Wi-Fi hotspot connections so your device won’t auto-connect to them in the future, especially if a hotspot owner still uses the same insecure password.

Rapid security response

Software updates are essential. With so many exploits, one cannot afford to leave software unpatched. Apple has made it easier for iPhone users to apply security updates without updating the entire OS. This will also make the download of those updates quicker.

Users have the option to turn this feature on or off.

Safety Check

Safety Check is a new feature under Settings. Once again, this was built with ease and functionality in mind. If users want to reset all data and location access granted to apps and other people, they can do so with Safety Check.

This feature is not just for general privacy reasons, but is also aimed at people in complicated and abusive relationships, especially those with violent partners. A “Quick Exit” button also takes the user to the iPhone’s Home screen in case they don’t want to be caught using the Safety Check feature.

Safety Check has two options: Emergency Reset and Manage Sharing & Access. The former will instantly freeze information sharing with people and apps with one tap. It’ll also remove all emergency contacts and reset your Apple account (ID and password).

The latter—Manage Sharing & Access—gives you a bird’s-eye view of what data you’re sharing with whom and with what apps. If you think someone is secretly tracking or monitoring you, this is where to check. The user can cherry-pick what data they want to share with whom, or stop sharing completely with a given person or app.

Face ID

Face ID is a staple on iOS, but some Apple fans may find it a tad annoying to use it only in portrait orientation. This is no longer the case for those using iPhone 13 and above. They can now use Face ID in either portrait or landscape orientation after updating to iOS 16.

Overall, it appears Apple has attempted to cover as much ground as possible. Some new features, unrelated to security or privacy, like Live Captions, are aimed at deaf and hard-of-hearing users.

You can read more about iOS 16’s new features on this page.

Explained: Fuzzing for security

Fuzzing, or fuzz testing, is defined as an automated software testing method that uses a wide range of invalid and unexpected data as input to find flaws in the software undergoing the test.

The flaws do not necessarily have to be security vulnerabilities. Fuzzing can also bring other undesirable or unexpected behavior of the software to light. But it’s good to realize that bugs discovered through fuzzing account for the majority of new CVE entries.

The purpose

Ensuring software quality is becoming more essential, but sometimes collides with deadlines, complex software engineering, and dependencies on other software. As such, fuzzing has become part of the quality assurance (QA) procedure before software is released. But it doesn’t stop there. After the release, the number of testers might go up, but not every one of them will be doing it for your benefit.

Fuzzing is particularly useful for exposing potential security vulnerabilities like:

  • Memory leaks. A memory leak is a type of bug that occurs when a computer program manages memory allocations incorrectly, so that memory which is no longer needed is never released. Memory leaks slow down the system up to the point where the system or the running process crashes.
  • Control flow errors and other runtime errors. A control flow error is an erroneous jump within an executing program induced by external disturbances. Runtime error is an umbrella term for any error that occurs during execution of a program.
  • Race conditions. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended.

All these types of bugs can be exploited when the outcome is more or less predictable and can be turned to the attacker’s advantage. The goal of fuzzing for bug bounty hunters is to induce unexpected behavior in an application and see if it leads to an exploitable bug.

Input types

The idea behind fuzzing is to release different types of input and look for hiccups. A crash or other strange behavior may mean that you are on to something. After the test you can repeat the input that caused the abnormality and test similar types of input to work out what might be the underlying reason. Causing unexpected behavior is only the first step when you are working out a vulnerability.

An application may have more than one attack surface. One can, for example, pass arguments to an application in several ways: through the graphical user interface (GUI), by using command line options, or by feeding it malformed or specially crafted files.

Web applications

The software undergoing the fuzzing can also be a web application. Web application fuzzing is mostly deployed to expose common web vulnerabilities, like injection issues, cross-site-scripting (XSS), and more. When testing online web applications, keep in mind that you want to test the application itself, not the infrastructure it is running on. In other words, leave some room for the regular users.

Test types

At face value, fuzzing may sound as if you are about to throw the kitchen sink at an application and see what sticks, but even fully automated methods will be more effective with some preparation. The input used to fuzz an application can either be crafted for a specific purpose or randomly generated, but it helps to exclude input types that you already know the application will not accept.

A common approach to fuzzing is to define lists of values that have a bigger chance of raising an issue (fuzz vectors) for each type. These can be extremes, like very large numbers, or known issues from similar applications, like escaped characters or Structured Query Language (SQL) commands.
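A minimal harness that puts the two preceding ideas together, as an added example rather than code from the article or from any tool it names: a list of fuzz vectors (extremes and known-bad strings) is tried first, then random mutations of a known-good input, against a small parser constructed for the demonstration. Crashing inputs are recorded per exception type so each one can be replayed, as the Input types section recommends; the parser, its hard limit and the fuzz vectors are all assumptions made for the example.

```python
import random


def parse_record(data: str) -> dict:
    """Constructed target: parses 'name=<str>;count=<int>' and reserves `count`
    slots. It trusts its input completely, which is exactly what a fuzzer probes."""
    fields = dict(part.split("=", 1) for part in data.split(";"))
    count = int(fields["count"])
    if count > 10_000:                        # constructed stand-in for an allocation failure
        raise OverflowError("count exceeds buffer")
    return {"name": fields["name"], "slots": [None] * count}


# Fuzz vectors: extremes and strings that have hurt similar parsers before
FUZZ_VECTORS = [
    "", ";", "=", "name=;count=", "name=x;count=-1", "name=x;count=99999999999",
    "name=x;count=1e3", "name=x';count=1", "name=x\n;count=1", "count=1",
    "name=x;count=1;count=2", "name=x;count=1;;", "\x00", "name=x;count=" + "9" * 400,
]


def mutate(seed: str, rng: random.Random) -> str:
    """Random mutation: flip, drop or insert one character of a known-good input."""
    s = list(seed)
    op = rng.choice(["flip", "drop", "insert"])
    pos = rng.randrange(len(s) + 1)
    if op == "flip" and s:
        s[min(pos, len(s) - 1)] = chr(rng.randrange(32, 127))
    elif op == "drop" and s:
        del s[min(pos, len(s) - 1)]
    else:
        s.insert(pos, rng.choice(";=\x00-9a"))
    return "".join(s)


def fuzz(target, seed="name=ok;count=3", rounds=200, rng_seed=7):
    """Try the fuzz vectors, then `rounds` mutations of `seed`; return
    {exception type name: first input that raised it} for later replay."""
    rng = random.Random(rng_seed)             # fixed seed so every finding is reproducible
    cases = FUZZ_VECTORS + [mutate(seed, rng) for _ in range(rounds)]
    crashes = {}
    for case in cases:
        try:
            target(case)
        except Exception as exc:              # any uncaught exception is a finding to triage
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for kind, case in fuzz(parse_record).items():
        print(kind, repr(case))
```

Each recorded input can be passed straight back to `parse_record` to reproduce the crash, which is the starting point for working out the underlying cause.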

Rules of engagement

Note that many applications take exception to uninvited penetration testing. Check if the developer or owner of the software you want to scrutinize has a bug bounty program and read the guidelines to participate. Depending on which country you live in, and where the software owner resides, you could be breaking the law if you don’t follow the rules.

Existing fuzzing software

Below are some interesting leads if you want to find more in-depth information about fuzzing.

OSS-Fuzz is a fuzzing platform to make open source software more secure and stable. It was launched by Google as a response to the Heartbleed vulnerability. To be accepted to OSS-Fuzz, an open-source project must have a significant user base and/or be critical to the global IT infrastructure. Since its launch, OSS-Fuzz has become an important service for the open source community, helping get more than 8,000 security vulnerabilities and more than 26,000 other bugs in open source projects fixed.

One of the most well-known fuzzing tools is Burp Suite. Burp Suite is a powerful tool out of the box, but it can grow with you as you become more experienced. The professional version offers the opportunity to integrate automated and semi-automated processes with manual tooling. If you are starting out or want to try it first, there is a Community Edition, or you can trial the Professional version for 30 days.

Another web app scanner which is certainly worth mentioning is OWASP ZAP. OWASP Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications, and is both flexible and extensible. At its core, ZAP is what is known as a machine-in-the-middle proxy. It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to their destination.

OWASP ZAP in action

Many other free fuzzing tools can be found if you search for them, and some are really useful for specific purposes, but you should keep in mind that most of them require an advanced knowledge level before you can expect any useful results. Many are command line tools and/or require you to have Python installed.

Even then it can be a steep learning curve, but it is one that is well worth it, in my opinion. Let us know your experiences in the comments, below.