Huntress Managed Security Platform 1
Huntress Managed Security Platform - Overview
Huntress is a Managed Security Platform that enables you to find and eliminate threats. Huntress delivers a powerful suite of managed protection, detection and response capabilities—backed by a team of 24x7 ThreatOps Analysts—to protect your business from cybercriminals. This document is designed to be educational and focuses on the objectives of the Huntress product. Readers of this resource should leave with a greater understanding of Huntress capabilities and how it can support and execute on your desired cyber security outcomes.
As threats evolve, the Huntress Managed Security Platform will continuously add new detection and response capabilities to meet security demands without requiring a significant additional investment of time or money. Tearing down barriers associated with the procurement of new technology, Huntress is in your corner to adapt your defenses, improve your security posture, and free your team to focus on business challenges, not security challenges.
Huntress 24x7 Product Delivery
The Huntress platform is built to augment your team and address the continually evolving threat landscape on your behalf. Through a combination of proprietary technology (Huntress MEDR, Huntress Agent, Huntress Portal) and trained forensic ThreatOps analysts, we power our threat detection and response efforts through visibility into real-world intrusions observed across the millions of endpoints Huntress protects.
The following serves as an objective-based overview of the 24x7 Huntress ThreatOps Center, which performs detection and response capabilities in support of your organization.
ThreatOps Center - Our 24x7 Security Operations Center for Huntress
Huntress operates a 24x7 SOC, called the ThreatOps Center, to monitor and respond to active intrusions in your environment(s) identified by the Huntress Managed Security Platform. Our mission is to secure the 99% by bringing world-class security solutions & products to a long-underserved market of small & mid-sized businesses around the globe.
Huntress Telemetry & Data Collection
The Huntress Managed EDR is powered by telemetry from multiple features designed to give our ThreatOps Center the data they need to detect and respond to the top threats targeting small & mid-sized businesses today. Data from the endpoint is routinely sent to the Huntress cloud-hosted platform, where intelligence and detection logic is applied against the forensic data.
Triage & Investigation
The Huntress agent has forensic acquisition capabilities that expand upon the routine data collection performed by the Huntress EDR product. These forensic tasks can be initiated manually by Huntress ThreatOps analysts during an investigation or can occur as part of automated playbooks in response to specific observed behaviors. Agent tasks are recorded and can be reviewed in the Huntress product as an audit trail for what actions have been taken on a system.
Detection & Response Process
Once onboarded to the Huntress Managed Endpoint Detection and Response platform. Huntress will monitor telemetry from the features listed below to gain insights into potential compromises and intrusions. Huntress technology is designed to generate priority-based alerting for the Huntress ThreatOps Center to triage and validate on your behalf.
Managed EDR: Collection of forensically valuable data from the system. Capable of providing near real-time insight into hands-on threat actor activity and common adversary techniques. Currently focused on process event data.
Persistent Footholds: The Huntress agent collects forensic information designed to identify persistent malware on systems. Persistent malware can survive a reboot or potentially self-restart if stopped or killed. Malware authors commonly deploy these persistence mechanisms as a way to keep access to a network over an extended period of time. Persistent Footholds can be highly valuable in identifying both historical and current intrusions.
Huntress Managed Antivirus: Included in your Huntress subscription is the Managed Antivirus product which leverages Microsoft Defender. When Defender is enabled and successfully configured, the Huntress agent will collect Microsoft Defender detections from the system. This gives our ThreatOps Center additional telemetry and detection opportunities. Huntress has global insight into the Defender Detections observed in real-world incidents and applies that knowledge to your environment.
Ransomware Canaries: Huntress' Ransomware Canaries enables the detection of late-stage ransomware incidents. When deployed, small, lightweight files are placed on all protected endpoints. If those files are modified or changed in any way, an investigation is immediately opened with our ThreatOps team to confirm whether those changes are the result of a ransomware infection or malicious encryption. The objective of ransomware canaries is to alert Huntress to a late-stage attack and assist partners with the identification of ransomed assets.
This alert gives Huntress an opportunity to isolate that environment from other logical environments you may have in your organization. It also allows Huntress to begin advanced analysis to determine how ransomware made it onto the system(s). Ransomware canaries can also be used to identify which physical machines were successfully encrypted by a threat actor. Reducing the time needed to remediate a ransomware threat on endpoints.
MDR for Microsoft 365: This security product provides continuous monitoring, threat detection, and rapid incident response for your Microsoft 365 environment. With a dedicated team of security experts and technologies which benefit from large scale visibility of attacks, MDR for Microsoft 365 helps protect your organization from evolving cyber threats, identifies potential breaches, and takes actions to mitigate risks and ensure the security of your critical data.
For the above features of the Huntress Managed Security Platform:
A subset of informational or low-priority detections may be generated as contextual alerts to aid an investigation. These contextual alerts fall outside of standard product delivery and are designed to provide our analysts with additional insights that may aid the investigation of a higher-priority detection. These detections may be part of detection development testing or are low confidence and fall below the criticality threshold to warrant review each time the alert occurs. Huntress does review these alerts when a higher priority alert is presented to the ThreatOps Center for the same endpoint or identity.
Huntress performs proactive Threat Hunting efforts against our telemetry in an effort to identify previously undiscovered malware or compromises. Persistence Hunting is routinely performed during product delivery, while additional hunting happens ad-hoc as needed and outside of product delivery. These efforts are performed with an objective of helping Huntress create new detection logic for future product delivery.
Our Sales Engineers, Partner Success, Account Executives, and Support team will be available to help Huntress-protected organizations deploy & configure Huntress in the environment. The Huntress agent is provided by Huntress and installed by the Huntress partner. Updates to the Huntress software are automatically pushed to the endpoint on an as needed basis. In the event an endpoint does not update properly, our support team or sales engineers can assist in resolving the issue. Partners are responsible for monitoring and maintaining agent health by ensuring the Huntress agent is running and agents have successfully updated to the latest version.
Product Delivery Objectives
The Huntress ThreatOps Center's objective is to identify when a remote threat actor has gained access to a Huntress-protected environment.
- Triage & Investigate curated detections that have been implemented in the Huntress Platform.
- To confirm a true positive detection, Huntress may perform forensic data acquisitions and analysis to validate that the observed activity of interest is malicious or benign.
- This allows Huntress to make a human or automation-backed determination on whether the activity observed is authorized/legitimate or a remote threat actor.
Compromise Detection and Response Objectives:
- Huntress sets an outcome objective of identifying and reporting which systems and user accounts are known to be compromised based on available telemetry and detections at the time of the incident.
- During the analysis of the incident, Huntress will work to isolate compromised systems unless the partner has opted out of the host isolation feature.
- The Huntress Security Operations Center will attempt to add actionable remediation steps designed to significantly assist remediations and reduce your effort to respond.
- There may be incidents that require remediation actions past the scope of what the Huntress platform is designed to perform. When applicable, Huntress may add Manual Remediation steps to incident reports for your team/organization to perform.
- Should a detailed timeline and/ or comprehensive forensic review of threat actor actions performed on a system be a desired outcome, Huntress can recommend unaffiliated incident response & forensic consultancy firms to assist.
- Through Huntress’ Support, Sales Engineering, and Partner success organizations, we can advise your organization on when 3rd party assistance may benefit your organization. Huntress makes these determinations based on observed activity in real-world intrusions. Depending on the visibility, installation date of Huntress, and attacker dwell time, additional resources may be advised to aid response. This is particularly likely, but not limited to, environments where Huntress deployment is in a degraded state due to less than 100% agent deployment in an environment or post-compromise agent deployment.
The Huntress product regularly identifies penetration tests that are conducted in partner environments.
Huntress has an objective of identifying unauthorized remote access by threat actors in your organization. Penetration Tests may simulate scenarios which are less commonly observed by remote threat actors in the wild. As Huntress sets an objective of identifying Systems and Accounts which are compromised, there may be actions performed by the threat actor/penetration tester that go undiscovered or unreported once the initial compromise is identified and reported. The Huntress product sets an objective of reviewing any post-assessment penetration test reports for new detection opportunities should the partner wish to share the results.
To maintain operational capacity for our partners, Huntress may de-prioritize triaging, analysis, and reporting of environments where the partner has confirmed a penetration test is ongoing. The Huntress product is designed to provide a consistent experience and thus has limited flexibility to implement ad-hoc requests for deviations to product delivery.
A penetration test may lead to the isolation of a system or all systems in an environment. Steps should be taken by the partner prior to a penetration test to specify how the Huntress ThreatOps Center team will respond to security events. For example, partners may wish to exclude hosts or organizations from host isolation to prevent unintended downtime due to isolation actions taken by the Huntress ThreatOps Center team.
Post-Compromise Huntress Deployment
The Huntress product is designed to function as a continuous monitoring and detection solution. It has limited ability to perform retrospective analysis or detection. Should the Huntress product be deployed to an environment or systems post-compromise, the Huntress ThreatOps Center will review any generated alerts and provide standard product delivery functions on those alerts. Huntress has limited capacity to perform retrospective incident response and forensics and will be unable to assist with in-depth historical analysis and timelining of threat actor activity.
Post-compromise deployment is unlikely to alert on events that occurred prior to the Huntress product being deployed. The Huntress platform can be used for assistance in identifying remnants of a compromise but will lack the insight needed to help fully remediate the threat from the environment. 3rd party non-affiliated incident response consultancies may be recommended to reduce the risk of unknown threats.
Ad-Hoc Requests for ThreatOps Center assistance
Huntress protected partners can reach out with threat-related questions through our formal Support team during standard Support operating hours. Triage of the request will be performed by the Support team and if necessary, transferred to our ThreatOps Center team. The following common topics are eligible to be triaged by the ThreatOps Center:
- Government Based Breach Notification
- Self-Identified Suspected Compromise
- 3rd Party (Non-Huntress) Security Product or Vendor Alerting
Huntress will perform a specific, ad-hoc review of your account to determine if there are any current findings that may be related or warrant escalation based on the request. Huntress has limited ability to investigate or comment on other vendor findings or tools and recommends working with the 3rd party vendor to validate their findings.
Product Delivery Teams
ThreatOps - Our 24x7 Security Operations Center for Huntress Solutions
After the initial deployment and configuration of Huntress in your organization, our 24x7x365 ThreatOps Center will begin monitoring and responding to threats in your environment. Through a combination of proprietary automation augmented by trained human investigators, the Huntress ThreatOps Center will review events of interest and take actions designed to limit and or revoke threat actor access.
Our Security Operations Center uses a Follow-the-Sun model with analysts located in the United Kingdom, the United States, and Australia. Our analysts are trained to deploy numerous forensic techniques to investigate and report on intrusions of varying severities in our partners' networks.
The Huntress Product Support team is intentionally located within our ThreatOps department to serve as a key differentiator for our Partners. This team is available to our partners during the documented Support hours. They can provide assistance on topics ranging from deployment, troubleshooting, product delivery-related questions, and product-related concerns.
As part of the Huntress product, you will receive incident reports upon identification of malicious activity, which gives insight into the work performed on your behalf and outline any remediations you may need to take to assist in resolving the incident.
When the Huntress ThreatOps Center identifies a malicious activity, we will craft an incident report which includes details such as, but are not limited to, descriptions of the malicious activity, remediation steps, observed indicators of compromise, user accounts and systems involved. These Incident Reports are delivered to partners via email and/or one of the available PSA integrations.
Threat Actors can quickly spread through an organization's network, and humans are not always online to respond to attacks. Huntress Host Isolation provides the ability to quickly block incoming and outgoing network activity on infected hosts, significantly reducing the risk of malware and Threat Actors spreading across your network. During isolation, the host remains connected to Huntress, allowing partners to authorize assisted remediations to resolve the incident.
Huntress will utilize the Host Isolation feature to slow down or completely limit threat actor activity during an investigation. Huntress may isolate a system early in the investigation and before an incident report has been written and sent. Information on why the host is currently isolated can be found on the endpoint’s overview page in the Huntress portal.
Assisted Remediations is an advanced security feature that streamlines the incident response process for your organization. When a threat is detected, Huntress generates a remediation plan tailored to the specific threat, providing clear and actionable steps to resolve the issue.
By using "Assisted Remediations" the Huntress agent will execute the remediation actions on your behalf, saving time and effort for your team.
While the majority of single host compromises can be remediated with the Assisted Remediations feature, there may be times when only using the assisted remediation feature will not completely remove the threat actor from the environment.
Certain incidents cannot be handled through Assisted Remediation alone and must be remediated by performing the tasks described in the incident report. At times, Huntress will recommend consulting a third-party incident response firm when the attack would be unlikely to be fully remediated by the assisted remediations feature.
Manual Remediations is a valuable component of your organization's cybersecurity strategy, providing expert recommendations for addressing security incidents that require hands-on intervention. When the Huntress agent detects a threat that cannot be resolved automatically, it offers a set of manual remediation steps tailored to the specific issue.
These steps may include actions such as resetting credentials, patching vulnerable software, or blocking malicious IP addresses and domains. By following these guided instructions, your team can efficiently address the security incident, ensuring your systems remain protected and minimizing potential damages. Manual Remediations empower your organization to take control of its cybersecurity, arming your team with the knowledge and tools to proactively defend against and respond to evolving cyber threats.
Huntress Platform Terminology
The following is a glossary of Huntress-related terminology.
A forensic indicator of the activity or compromise
Work performed to define logic or create analytics designed to identify compromises in partner environments based on telemetry available via the Huntress MEDR platform.
Logic is designed to identify malicious activity using telemetry collected by the Huntress Agent
|Endpoint Detection and Response (EDR)||
Endpoint Detection and Response (EDR) is a set of features used to enable the detection and response of threat actors in the environment. EDR features and telemetry may evolve over time based on trends observed in real-world intrusions.
Investigative efforts related to acquiring and analyzing forensic artifacts from target systems/platforms.
Action performed by the Huntress Agent, which restricts network activity by only allowing the Huntress Agent to have network access. All other applications are restricted from accessing the network
Software installed on endpoints which collect data used by the Huntress Portal to identify threats. It also has forensic collection capabilities, enabling Huntress ThreatOps Center analysts to investigate potential threats.
Manual triage by the ThreatOps Center based on leads generated from our detections or hunting efforts.
|Managed Endpoint Detection and Response (EDR)||
Managed Endpoint Detection and Response (EDR) is the Huntress SaaS version of an EDR product where Huntress is responsible for managing the triage, investigation, and response of selected alerts generated by the Huntress EDR product.
Additional actions to be taken that Huntress cannot perform on your behalf, such as changing the user’s password(s).
|MDR for Microsoft 365||
MDR for Microsoft 365 is the Huntress SaaS product where Huntress is responsible for managing the triage, investigation, and response of select alerts generated by the Huntress integration with Microsoft 365.
|Optimized Product Delivery||
The Huntress partner is responsible for maintaining the health of the Huntress Platform deployment and configuration. Product delivery capabilities are considered unoptimized if the Huntress software is not utilized and running on 100% of eligible systems in the environment. Unoptimized product delivery limits Huntress's capabilities and can impact the success of detection and response outcomes.
|Channel Account Manager||
The Channel Account Manager at Huntress is responsible for maintaining strong relationships with the company's channel partners and ensuring their success in selling and delivering Huntress' Managed Detection and Response (MDR) product. The team works closely with partners to provide training, support, and guidance on how to effectively market, sell, and implement Huntress' MDR solution with their customers or environments.
Actions that can be performed by the customer or by the Huntress ThreatOps Center to hinder or contain a threat actor in the environment.
MEDR provides a findings Report with a complete timeline of events and discoveries so the customer can learn each step of the process of the attack.
Upon review by the Huntress ThreatOps Center, Incident Reports will be sent with a severity level to help partner organizations appropriately prioritize their response efforts.
The Sales Engineer team helps Huntress partners understand our technology and how it fits in their security stack. The Sales Engineers recommend ways to have better security outcomes for partners, advising them on potential holes in their security stack. In addition, sales engineers are the technical bridge that can assist in interactions between our partners and the ThreatOps Center or Support team as needed.
Similar to Detections. Signatures are named logic designed to detect the activity of interest.
Security Operations Centers are typically teams of security analysts capable of triaging and reviewing the activity of interest with the goal of identifying compromises in networks. At Huntress, we refer to our Security Operations Center as the Huntress ThreatOps Center.
A remote person or group of individuals who are working to target an organization.
Process to proactively search for compromises in the environment with the objective of improving the overall Huntress product/platform.
The Huntress MEDR Platform may utilize proprietary collected or 3rd party intelligence to enable detections or add context to investigations for the Huntress ThreatOps Center team’s consumption.
|Threat Operations Center (ThreatOps Center)||
At Huntress, our SOC team is called the Huntress Threat Operations Center or ThreatOps Center. This team is composed of analysts who are staffed to maintain 24x7 coverage. This team performs forensic investigations, crafts reports, and responds to intrusions in our partner's networks. They are located across the United States, the United Kingdom, and Australia.
The Huntress MEDR platform employs a team of Detection Engineers and ThreatOps Center analysts capable of tuning threat detections and our Huntress technologies to reduce false positives.
The Huntress ThreatOps Center will perform triage and analysis if needed and work to provide a determination as to whether an alert or observed activity is believed to be malicious or benign in nature.
1 This document is provided as a convenient description of the Huntress Managed Security Platform and does not represent an agreement to provide any service. All services provided by Huntress are governed solely by the appropriate Terms or Service between Huntress Labs Incorporated and its customers. Huntress makes no warranty claims as to the continued availability of its services or features as described herein.