Security Incident Using Huntress & SentinelOne: What Was Found & What Was Missed 🚨

Super appreciate the deep dive, and glad we could help in at least some way!

It must be hugely frustrating to not have enough information to isolate the infiltration incident. I'm a "root cause guy" and this would drive me nuts.

Really, seriously, in IT security, it is 100% better to call an alarm and catch that "zero day" attack or the mundane "duh, behavior change" as early as possible. It is always a case of better to be safe than sorry!

Loving these videos you learn so much!

Sorry you had to go through this but it was super fascinating to watch. Internal IT at a small shop, so wear a lot of hats/lightly involved in security. Very helpful to listen to your thought process and reaction.
Cheers!

We use Sentinel1 at our company, and when we had a file attempt to make TCP connections that was not what triggered S1 to alert of an issue. It was the scanning the file was doing on both the local machine, as well as the attempts to access network resources like servers that triggered the alert. However, our firewall did alert us of the blocked connection attempts the file was making to its c2c.

Excellent breakdown. I've had huntress find things that evade managed S1. I've had tons of times where an S1 detected threat wasn't detected by Huntress. Both are important apps tho. They are often looking for different things.

Great video! I would love to see more of this type of content (but I wish the events which generate this content would end)

Great vid, very insightful. It kind of highlights the struggle that most organisations have which is limited visibility across their environment.
Threat hunting, which many orgs cannot do for various reasons also requires having close to full visibility across your endpoint fleet to be effective

This is the stuff that keepse awake at night. Thanks for this video!

Good to see how this went down. I admire your tenacity and professionalism.

Good video - what's missing is network visibility to get more context EDR + NDR

Great video, keep them coming!

VERY Intersting. Thank you, Tom.

Thanks for this as an example of a real world wake up call for all people who think these things only happen to the “others who are vulnerable” and not them.

Great video, I would love to see more of these videos..

Great video and recap.

Love the shirt! Shady

What’s the cost (labor and any financial capital) of implementing a type of auditing logging for windows hosts?
Fascinating video. I’m on the network side so my logs are a bit different.

Speaking of layers, having a good sysmon config running is great for tracing down those first entries.

You should do one with Crowdstrike next

Beautiful breakdown here. Something I’ve done and my org does on the daily. This stuff is hard.
I hope (I don’t hope) you have more of these incidents to share and highlight. Is this client running SSL decryption on the firewall? Maybe an external tool (think PaloAlto WildFire) could’ve picked this up, scan it, and email Infosec. If so at least you would know the time of download and what user did so

13:18 - I love your quote

Thank you much for the video, for providing analysis, and education to the community. You make quality content. I realize that Tom hit upon using both tools seems excessive but does anyone have any experience in these tools interferring with eachother or can provide any insight? Personally, I'm concerned with the compute overhead of using both tools in conjunction. I'm not saying it's wrong and like Tom, I'd rather have the coverage than not but does anyone have personal expirence, or Tom could you share your opinion on this?

I'm currently evaluating Huntress and thinking about getting rid of SentinelOne Control and just going Huntress + Defender. What are your thoughts on that? Can Huntress MDR replace SentinelOne Control?

Huntress's support is fantastic.

Sunday alarms are the life. 😞

I’m also curious if having multiple MDRs installed contributes to any false positives of the other system. So S1 flags Huntress and the other way around

SOC Analyst here. You are not being too hard on SentinelOne. It is not enough to look for known threats. The product needs to identify threat like behavior as well. This was definitely threat like behavior. There should have been an alert on the behavior so an analyst like me could evaluate the situation. I'll admit I'm not that familiar with SentinelOne. My company uses Carbon Black for XDR detection. Even had Carbon Black not alerted on it, we dump all data to a SIEM (Elastic) and write rules to detect such indicators of compromise. Had our rules seen that local host traffic (because you were 100% correct in your interpretation of it) we'd have seen an alert the first time it happened. Do you use a SIEM? If so, would you be able to tell us which one?

We've been happy with Huntress + Windows Defender. It's much less of a headache to manage than S1.

Oh, hell, yeah... now you're into stuff I'm all about! 🤪

I'm actually interviewing EDR and MDR vendors right now the company I work at. I've used Huntress in the past at another job and they've always been excellent.
One thing I am specifically asking vendors is "what does a zero day look like from install to first detection to remediation?" A lot of initial meetings are crap, it can be hard to cut through the buzzwords and marketing to determine how effective the product is. Most successful attacks are now zero day or advanced persistent threats - signature detection can and will fail.
The human element, and how much the company spends on research and threat hunting, is far more important.
Any thoughts on products that advertise full stack, like arctic wolf or crowdstrike falcon complete?

Dray is a great guy over at Huntress.

Any worthy actor will easily bypass S1 even in protect mode. That's not the challenge 😉 the challenge is hiding your activity after initial access.

I have the same Huntress shirt!

💗

Sounds like a insider thing if you have no other iocs
And „not tcp connection monitor“ answer is just alarming - wrong answer or insufficient tool

I run a MSP focused specifically for small businesses. Without access to resources like yours, what things can I do to help mitigate against zero day attacks?
Currently I rely on Bitdefender and immutable image cloud backups (I am very happy with them). Is there something else I should be doing?

The team at hunters recommended windows defender saying it gives them more visibility and do a better job with detection

I'm in an MSP. We have maybe 250 hosts, so not a huge sample. We run Sentinel One on each one. My sample is inadaquate - but my gut feel is that sentinel one doesn't seem to pick much up and in far too many cases, it requires staff to review, and assess what its found. This to me seems to have multiple failures and to be way off what is needed. In this film, I'm not surprised it was in fact left to Tom's team to chase it up and make a case with SO. I've run a lot of AV and NG-AV - previous house was crowdstrike. I am jury out of SO, but can't say I like it it rate it, but as I say, jury out. Assessment of something is not based on knee jerk..

What was the hash of the file that was dropped? Would you mind sharing it and other IOCs?

While I appreciate and enjoy your content, this is exactly why MSSPs (Security) and MSPs (IT) should be totally separate.
You want security focused professionals that set and push telemetry requirements and have the forensic capability to truly root cause detections. There was no entry point analysis or a real forensic effort to determine the extent of network or system compromise.

why no crowdstrike?

I think this doesnt effect company's only, but also on home users and such.

Dump S1, pickup ThreatLocker, keep Huntress

But seams you disagree

I find it odd that none can find where that file came from. And, as usual, Windows is really THE security threat of today's age. You want ot secure your business, stop using Windows for desktop and for server.

U talk to fast and dont explain cleanly!!