Threat Hunting

When an AI-based antivirus is no longer sufficient…

Threat Hunting?

Fortunately, at the time of writing, we cannot yet speak of war in our country. Or can we? That depends on your definition of “war.” Even within our region, companies are under constant attack. Hackers from all over the world not only have free access to our public IP addresses, they can also send mail to any of us, and they make no distinction between personal and business mailboxes.

The intention of these hackers is usually to make money, but sometimes there is also a political motive behind it. Which one it is, is very difficult to find out, let alone prove, although the type of company targeted and the consequences of the attack can raise some suspicions.

Regardless of what they have in mind, the consequences are rarely minuscule.

That is why we set up all kinds of shields such as firewalls, email security and endpoint protection. Yet human weakness is exploited to gain access to a computer – and the network it is connected to – through a backdoor. If you can’t count on the alertness of that user, how can you count on him or her to report the mis-click?

What we are looking for is a kind of camera system that detects and records every movement in the network. By making correlations between different actions, suspicious patterns can be recognized.

Something more technical… 

MITRE ATT&CK, maintained by the American organization MITRE, closely monitors and maps the actions of hackers. An attack technique is a combination of various – in themselves seemingly harmless – commands, most of which are also used by sysadmins.

Before encrypting an entire network, hackers work their way around it, mapping out where the backups are, which servers are important and so on. Between the initial contact and the actual encryption, days, weeks and sometimes months go by. The key is to detect the hacker before the encryption happens, but also before he has had a chance to exfiltrate data.


The detection of these techniques usually takes place in an EDR or XDR (Endpoint/eXtended Detection and Response) product. This piece of software, sometimes an extension of an existing endpoint protection product and sometimes an entirely separate one, acts as a kind of probe that stores every activity in an on-computer and/or cloud-based database; the latter is usually called a data lake. Depending on the product, you can immediately and automatically assign actions to certain triggers, or you can program queries that generate alarms.
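As an added example (not code from the article or from any vendor product), here is the kind of correlation query such a product runs: single discovery commands are ignored because sysadmins use them too, but several distinct ones from one host within a short window raise an alarm. The telemetry, hostnames, window and threshold are all constructed assumptions; the technique ids are the public ATT&CK discovery techniques.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: process-creation events as an EDR probe might
# record them (hosts, users and timestamps are invented for this example).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "ws-01", "user": "jdoe", "cmd": "whoami"},
    {"ts": "2024-03-01T09:00:20", "host": "ws-01", "user": "jdoe", "cmd": "net view /domain"},
    {"ts": "2024-03-01T09:01:05", "host": "ws-01", "user": "jdoe", "cmd": "nltest /dclist:corp"},
    {"ts": "2024-03-01T09:02:30", "host": "ws-01", "user": "jdoe", "cmd": "systeminfo"},
    # A sysadmin running the same tools hours apart should not trigger anything.
    {"ts": "2024-03-01T11:15:00", "host": "srv-02", "user": "admin", "cmd": "whoami"},
    {"ts": "2024-03-01T14:40:00", "host": "srv-02", "user": "admin", "cmd": "systeminfo"},
]

# Individually harmless commands mapped to the ATT&CK discovery technique they implement.
DISCOVERY = {
    "whoami": "T1033",      # System Owner/User Discovery
    "net view": "T1135",    # Network Share Discovery
    "nltest": "T1482",      # Domain Trust Discovery
    "systeminfo": "T1082",  # System Information Discovery
}

WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # assumed number of distinct techniques needed

def classify(cmd):
    """Return the technique id if the command line starts with a known discovery tool."""
    for prefix, tid in DISCOVERY.items():
        if cmd.lower().startswith(prefix):
            return tid
    return None

def hunt(events, window=WINDOW, threshold=THRESHOLD):
    """Per host, slide a window over discovery events; alert once `threshold`
    distinct techniques fall inside it. Returns (host, window start, technique ids)."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tid = classify(ev["cmd"])
        if tid:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tid))
    alerts = []
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {tid for ts, tid in hits[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append((host, start.isoformat(), sorted(seen)))
                break  # one alarm per host is enough for the analyst
    return alerts

if __name__ == "__main__":
    for host, start, techniques in hunt(EVENTS):
        print(f"ALERT {host} from {start}: {', '.join(techniques)}")
```

Raising the window or lowering the threshold makes the rule more sensitive at the cost of more sysadmin false positives; the trade-off is the core of tuning such queries.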

When comparing these products you will see that some AI-based endpoint protection software blocks many actions before the EDR even has to catch them. The term XDR, too, is interpreted differently by different vendors.

Managed EDR

Suppose the system makes a detection that is almost certainly related to the presence of a hacker; the next step is to remove that hacker from the network. The EDR tools will block the activity, whether or not the hacker logs off, but that does not guarantee that the hacker has not already installed loopholes. The hacker might also have realized he was caught and accelerated the encryption process. Quick defensive action is therefore appropriate, and it is not obvious for everyone to free up the necessary resources at any time of the day or on weekends.

The technical teams of the vendors involved are trained for this and stand ready 24×7 to carry out the effective countermeasures. This is what we call MDR, Guard, or whatever name the vendor chooses for the service.


WithSecure™ EDR is a module of the WithSecure™ Elements cybersecurity platform. This cloud platform offers effective protection against ransomware and advanced attacks. Elements brings together vulnerability management, automated patch management, dynamic threat intelligence and continuous behavioural analysis. You can use one or more solutions to achieve maximum protection. Benefit from expert advice on best practice responses, with the ability to automate remedial measures around the clock.
