Thinking Beyond the Basic MSSP

Managed Security Services Providers (MSSPs) are great. They help SecOps teams focus on important security tasks by taking over routine operations such as monitoring firewalls. The nature of the threat environment, however, makes it necessary to think beyond the basic MSSP in certain cases.


I spoke recently with Eldon Sprickerhoff, Founder and Chief Innovation Officer at eSentire. eSentire is a managed detection and response service that leverages Machine Learning (ML) to detect cyber attacks that are hard to spot with standard SecOps tools and processes. Sprickerhoff shared an example of how ML can make a difference in threat detection.

He talked about PowerShell, Microsoft’s task-based command-line shell and scripting language. Built on .NET, PowerShell exists on every Microsoft Windows instance. It’s a useful tool for administrators. From a security perspective, however, this pervasiveness is a weakness. “PowerShell can be incredibly granular,” Sprickerhoff said. “There’s also a ton of PowerShell traffic on the networks, so it’s a lot to parse. You can obfuscate code in PowerShell easily, encoding in octal [base 8]. This makes it possible to hide malware very effectively in PowerShell.”

eSentire has witnessed a big increase in PowerShell-based attacks in the last year or two. They see process tunneling within Microsoft apps, e.g. load redirects running inside a legitimate-looking app. Such attacks are quite difficult to detect. To mitigate the PowerShell risk, eSentire does a complete packet search. They then examined an enormous amount of PowerShell code and, using ML, developed a model that spots potential malware.
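To make the detection idea concrete, here is an added example (not eSentire's Blue Steel model, whose internals the article does not describe) that extracts the kind of obfuscation indicators a classifier or triage rule can take as input from PowerShell command lines. The indicator set, weights, threshold and sample command lines are assumptions constructed for illustration, and the sample payloads are harmless.

```python
import base64
import re

# Indicator patterns: an assumed, illustrative feature set (not a vendor model).
ENC_FLAG = re.compile(r"(?i)(?<!\w)-(?:ec|en[a-z]*|e)\s+([A-Za-z0-9+/=]{16,})")
CHAR_CAST = re.compile(r"(?i)\[char\]")  # [char]87 style string building
RADIX = re.compile(r"(?i)ToInt32\s*\([^)]*,\s*(?:2|8|16)\s*\)")  # e.g. octal decoding
TICK = re.compile(r"\w`\w")  # backtick inserted inside a token

def features(cmd):
    """Extract obfuscation indicators from one PowerShell command line."""
    m = ENC_FLAG.search(cmd)
    decoded = None
    if m:
        try:  # -EncodedCommand carries Base64 of UTF-16LE text
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except ValueError:
            pass  # not valid Base64/UTF-16LE: keep the flag, skip the inner layer
    return {"encoded_flag": bool(m), "decoded": decoded,
            "char_casts": len(CHAR_CAST.findall(cmd)),
            "radix_decodes": len(RADIX.findall(cmd)),
            "ticks": len(TICK.findall(cmd))}

def score(cmd, depth=0):
    """Weighted indicator count; decoded layers are scored too (max 3 deep)."""
    f = features(cmd)
    s = 2 * f["encoded_flag"] + 2 * min(f["radix_decodes"], 2)
    s += min(f["char_casts"], 3) + (2 if f["ticks"] >= 2 else 0)
    if f["decoded"] and depth < 3:
        s += score(f["decoded"], depth + 1)
    return s

def triage(lines, threshold=2):
    """Return (score, line) pairs at or above threshold, highest first."""
    hits = [(score(line), line) for line in lines]
    return sorted((h for h in hits if h[0] >= threshold), key=lambda h: -h[0])

def encode(ps):
    """Build a constructed -EncodedCommand argument from plain text."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed sample command lines; every payload is harmless.
BENIGN = 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'
OCTAL = ("powershell -c \"-join ('127 162 151 164 145'.Split(' ') | "
         "% { [char][Convert]::ToInt32($_, 8) })\"")
ENCODED = "powershell.exe -NoP -enc " + encode("Write-Output 'hello'")
NESTED = "powershell.exe -e " + encode(OCTAL)
TICKED = 'powershell -c "G`et-Ch`ildIt`em C:\\Temp"'
SAMPLES = [BENIGN, OCTAL, ENCODED, NESTED, TICKED]
```

Calling `triage(SAMPLES)` ranks the nested sample first because the octal decoding hidden inside its Base64 layer is scored as well; a production detector would feed such features to a trained model rather than fixed weights.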

They nicknamed the PowerShell detection analysis project “Blue Steel,” after the movie Zoolander with Ben Stiller. Blue Steel reviewed commands in PowerShell and found an attack on Kaseya’s Virtual Systems Administrator (VSA) at several eSentire customer sites. The attacker had seen an opportunity in Kaseya’s endpoint updating process and used PowerShell to embed the Monero crypto mining malware on the endpoints. eSentire Blue Steel detected the attack and disclosed it to Kaseya, which has remediated the vulnerability.

The Blue Steel/Kaseya case illustrates how challenging it can be to detect stealthy attacks. A basic MSSP is usually not equipped to do this, nor is it paid to look this deeply into threats in its standard contracts. Rather, they need tools, or perhaps partners, that can augment basic SecOps services to provide the kind of highly sophisticated threat detection that today’s cyber risk landscape demands.