Super appreciate the deep dive, and glad we could help in at least some way!
@LAWRENCESYSTEMS 1 year ago
Huntress was super helpful in this. If it was not for Huntress this file would still be there!
@Luckotheirish213 1 year ago
Sorry you had to go through this but it was super fascinating to watch. Internal IT at a small shop, so wear a lot of hats/lightly involved in security. Very helpful to listen to your thought process and reaction. Cheers!
@texasaggie1 1 year ago
Excellent breakdown. I've had huntress find things that evade managed S1. I've had tons of times where an S1 detected threat wasn't detected by Huntress. Both are important apps tho. They are often looking for different things.
@Whipster-Old 1 year ago
Good to see how this went down. I admire your tenacity and professionalism.
@LAWRENCESYSTEMS 1 year ago
Thank you
@Jaabaa_Prime 1 year ago
Really, seriously, in IT security, it is 100% better to call an alarm and catch that "zero day" attack or the mundane "duh, behavior change" as early as possible. It is always a case of better to be safe than sorry!
@javabeanz8549 1 year ago
I would much rather investigate an incident that turns out to be a false positive than miss a real attack. In fact, I caught myself recently, I didn't read the installation list, and accidentally installed Nginx, which bit me on the next reboot, as Nginx started before Apache, so the site was all wrong. Still has something to fix, but it wasn't a security incident.
@MrMcp76 1 year ago
We use Sentinel1 at our company, and when we had a file attempt to make TCP connections that was not what triggered S1 to alert of an issue. It was the scanning the file was doing on both the local machine, as well as the attempts to access network resources like servers that triggered the alert. However, our firewall did alert us of the blocked connection attempts the file was making to its c2c.
@d00dEEE 1 year ago
It must be hugely frustrating to not have enough information to isolate the infiltration incident. I'm a "root cause guy" and this would drive me nuts.
@troywhite76 1 year ago
This is the stuff that keeps me awake at night. Thanks for this video!
@jojobobbubble5688 1 year ago
Great video! I would love to see more of this type of content (but I wish the events which generate this content would end)
@Z3kyTw0 1 year ago
Loving these videos, you learn so much!
@R3DP3NGUIN 1 year ago
Great vid, very insightful. It kind of highlights the struggle that most organisations have, which is limited visibility across their environment. Threat hunting, which many orgs cannot do for various reasons, also requires having close to full visibility across your endpoint fleet to be effective.
@rvilladiego 1 year ago
Good video - what's missing is network visibility to get more context EDR + NDR
@geezergeek1637 1 year ago
VERY interesting. Thank you, Tom.
@EagleMitch 1 year ago
Great video, keep them coming!
@PowerUsr1 1 year ago
I’m also curious if having multiple MDRs installed contributes to any false positives of the other system. So S1 flags Huntress and the other way around
@LAWRENCESYSTEMS 1 year ago
No, there is no conflict having these together.
@SandipDas-bd2pt 4 months ago
Very good, appreciated.
@TheBeesKneesPhoto 1 year ago
I'm currently evaluating Huntress and thinking about getting rid of SentinelOne Control and just going Huntress + Defender. What are your thoughts on that? Can Huntress MDR replace SentinelOne Control?
@LAWRENCESYSTEMS 1 year ago
We are still currently using S1 with Huntress but there could be a future where we drop S1 and have Huntress only.
@Superspace8 7 days ago
@@LAWRENCESYSTEMS is this still the case? Are you still using both 1 year later?
@LAWRENCESYSTEMS 7 days ago
@@Superspace8 Yes
@karikhill 1 year ago
Speaking of layers, having a good sysmon config running is great for tracing down those first entries.
@LAWRENCESYSTEMS 1 year ago
Yes!
@Hunt4m3x 1 year ago
Love the shirt! Shady
@sharedknowledge6640 1 year ago
Thanks for this as an example of a real world wake up call for all people who think these things only happen to the “others who are vulnerable” and not them.
@Armmani2000 1 year ago
Great video, I would love to see more of these videos.
@carmercado007 1 year ago
You should do one with Crowdstrike next
@samsampier7147 1 year ago
What’s the cost (labor and any financial capital) of implementing a type of auditing logging for windows hosts? Fascinating video. I’m on the network side so my logs are a bit different.
@NetworkBuildersIT 1 year ago
Great video and recap.
@stefanbehrendsen330 1 year ago
I'm actually interviewing EDR and MDR vendors right now for the company I work at. I've used Huntress in the past at another job and they've always been excellent. One thing I am specifically asking vendors is "what does a zero day look like from install to first detection to remediation?" A lot of initial meetings are crap; it can be hard to cut through the buzzwords and marketing to determine how effective the product is. Most successful attacks are now zero day or advanced persistent threats - signature detection can and will fail. The human element, and how much the company spends on research and threat hunting, is far more important. Any thoughts on products that advertise full stack, like Arctic Wolf or CrowdStrike Falcon Complete?
@LAWRENCESYSTEMS 1 year ago
"Most successful attacks are now zero day or advanced persistent threats" is not true; most attacks are unpatched systems and people clicking on something. You never know how any product will protect against a zero day because a true zero day is something that no one knows about except the threat actor. For example, NO ONE offered protection from Log4j. Huntress is great, S1 is good.
@stefanbehrendsen330 1 year ago
@@LAWRENCESYSTEMS yeah OK that makes sense... thanks for the reply! :)
@TheTannertech 1 year ago
Huntress's support is fantastic.
@ramondewitt8827 1 year ago
Dray is a great guy over at Huntress.
@IzzoYourNizzo 1 year ago
Thank you much for the video, for providing analysis, and education to the community. You make quality content. I realize that Tom hit upon using both tools seeming excessive, but does anyone have any experience in these tools interfering with each other or can provide any insight? Personally, I'm concerned with the compute overhead of using both tools in conjunction. I'm not saying it's wrong and, like Tom, I'd rather have the coverage than not, but does anyone have personal experience, or Tom, could you share your opinion on this?
@spartan1986og 1 year ago
SOC Analyst here. You are not being too hard on SentinelOne. It is not enough to look for known threats. The product needs to identify threat like behavior as well. This was definitely threat like behavior. There should have been an alert on the behavior so an analyst like me could evaluate the situation. I'll admit I'm not that familiar with SentinelOne. My company uses Carbon Black for XDR detection. Even had Carbon Black not alerted on it, we dump all data to a SIEM (Elastic) and write rules to detect such indicators of compromise. Had our rules seen that local host traffic (because you were 100% correct in your interpretation of it) we'd have seen an alert the first time it happened. Do you use a SIEM? If so, would you be able to tell us which one?
@LAWRENCESYSTEMS 1 year ago
This client does not have SIEM as part of their plan, for our clients that do we use Blumira.
@clomok 1 year ago
I run an MSP focused specifically on small businesses. Without access to resources like yours, what things can I do to help mitigate against zero day attacks? Currently I rely on Bitdefender and immutable image cloud backups (I am very happy with them). Is there something else I should be doing?
@LAWRENCESYSTEMS 1 year ago
The best mitigation is to have a plan for if something happens and practice that plan. Having good backups that are well separated is a big key to recovering from an attack.
@lightingman117 1 year ago
13:18 - I love your quote
@mahlonotero5448 1 year ago
We've been happy with Huntress + Windows Defender. It's much less of a headache to manage than S1.
@berndeckenfels 1 year ago
Sounds like an insider thing if you have no other IOCs. And the "not TCP connection monitor" answer is just alarming - wrong answer or insufficient tool.
@abrahamdeutsch3175 1 year ago
The team at Huntress recommended Windows Defender, saying it gives them more visibility and does a better job with detection.
@dneumet 1 year ago
I had a presentation by Huntress a couple of days ago and this is also what they told me. Huntress can see/control Windows Defender whereas it has no visibility into S1. We are considering replacing S1 with a combo of Huntress and WD. Our net spend will be unchanged and we will have the benefits of both.
@PowerUsr1 1 year ago
Beautiful breakdown here. Something I’ve done and my org does on the daily. This stuff is hard. I hope (I don’t hope) you have more of these incidents to share and highlight. Is this client running SSL decryption on the firewall? Maybe an external tool (think PaloAlto WildFire) could’ve picked this up, scan it, and email Infosec. If so at least you would know the time of download and what user did so
@thoselog 1 year ago
Why no CrowdStrike?
@Traumatree 1 year ago
There are no better, just more expensive.
@Crazy--Clown 1 year ago
Too expensive
@edwinrosales6322 1 year ago
What was the hash of the file that was dropped? Would you mind sharing it and other IOCs?
@LAWRENCESYSTEMS 1 year ago
We just have the VirusTotal link, as there were not any external IPs we could find it reaching out to. www.virustotal.com/gui/file/b455335d64e1633333899c32b49b867272b3d0b2e0653a484c2c8f22ceb3dbd6
@johnb3170 1 year ago
Any worthy actor will easily bypass S1 even in protect mode. That's not the challenge 😉 the challenge is hiding your activity after initial access.
@jd415 1 year ago
I have the same Huntress shirt!
@AdmV0rl0n 1 year ago
I'm in an MSP. We have maybe 250 hosts, so not a huge sample. We run Sentinel One on each one. My sample is inadequate - but my gut feel is that Sentinel One doesn't seem to pick much up and in far too many cases, it requires staff to review and assess what it's found. This to me seems to have multiple failures and to be way off what is needed. In this film, I'm not surprised it was in fact left to Tom's team to chase it up and make a case with SO. I've run a lot of AV and NG-AV - previous house was CrowdStrike. I am jury out on SO, but can't say I like it or rate it, but as I say, jury out. Assessment of something is not based on knee jerk.
@LAWRENCESYSTEMS 1 year ago
Our trust is with Huntress more than anything else.
@g04tn4d0 1 year ago
Oh, hell, yeah... now you're into stuff I'm all about! 🤪
@SB-qm5wg 1 year ago
Sunday alarms are the life. 😞
@joelanzo 8 months ago
💗
@mikolosteez61 1 year ago
While I appreciate and enjoy your content, this is exactly why MSSPs (Security) and MSPs (IT) should be totally separate. You want security focused professionals that set and push telemetry requirements and have the forensic capability to truly root cause detections. There was no entry point analysis or a real forensic effort to determine the extent of network or system compromise.
@LAWRENCESYSTEMS 1 year ago
Like so many things, it comes down to budget.
@abrahamdeutsch3175 1 year ago
But it seems you disagree.
@tinawhite4962 1 year ago
Dump S1, pickup ThreatLocker, keep Huntress
@LAWRENCESYSTEMS 1 year ago
ThreatLocker does not work well in environments with lots of custom software, way too much overhead.
@AspendoraTechnologies 1 year ago
@@LAWRENCESYSTEMS unfortunately I feel your pain on this. Great for normal offices. I hear those exist somewhere.
@tinawhite4962 1 year ago
@@LAWRENCESYSTEMS I understand why you might feel that way. However, I have found approving an application update in ThreatLocker less taxing than investigating S1 false positives and hoping actual malicious activity is detected in time to save the business from a lot of pain.
@swollenaor 1 year ago
I think this doesn't affect companies only, but also home users and such.
@Traumatree 1 year ago
I find it odd that no one can find where that file came from. And, as usual, Windows is really THE security threat of today's age. You want to secure your business, stop using Windows for desktop and for server.
@Crazy--Clown 1 year ago
Unfortunately many have to because of software only available on windows. CAD is a great example