How Sophos Managed Threat Response Blocked a Historic Banking Trojan


A recent Sophos survey shed light on the challenges organizations regularly face when addressing cybersecurity incidents. On average, organizations took 13 hours to discover threats and spent 48 days investigating potential security incidents. With 68 percent of organizations falling victim to cyberattacks in 2020, it’s clear that every organization needs an incident response plan in place; it’s largely a matter of when, not if, an incident will occur.

Even with cybersecurity solutions in place, organizations continue to fall victim to malware, as cybercriminals become more creative and their threat tactics continue to evolve.

The Evolution of Cyberthreats

The concept of a “traditional attack” is rapidly losing meaning, as hackers find increasingly crafty ways to wedge their executables and payloads into legitimate automated processes so the malware is harder to spot.

For example, rather than trying to take over an entire network in one shot, SamSam ransomware operators start with a direct but quiet breach, then tamper with the network’s security controls to evade detection before deploying the ransomware.

Hackers know that IT teams depend on backups to recover from a ransomware event. With this knowledge, cybercriminals now target backups first, increasing the chance that a victim pays the ransom.

Why Your Security Solutions Need to Work Together

Because threats arrive through multiple channels, the security solutions covering those channels, such as email security, cloud security and endpoint security, must share information with each other to thwart these attacks. If each solution works independently, administrators must juggle multiple consoles to properly digest all network activity.

Sophos solves this problem by channeling all information into Sophos Central, a single dashboard for the administrator that provides a more manageable stream of information.

Endpoint Protection

In addition to a consolidated information stream, a sophisticated endpoint solution is essential for detecting, blocking and remediating threats. Intercept X is a next-gen endpoint solution that guards every entry point to your network, detecting and neutralizing threats as they attempt to deploy.

Even industry-leading endpoint solutions cannot detect and block every threat, especially those already hiding on a network, waiting for the right moment to strike or quietly collecting sensitive data. For this reason, a threat detection and response capability must be continuously optimized as the final layer of defence.

Threat Hunting and Incident Response Challenges

Cybersecurity technology has evolved rapidly to keep pace with cyberthreats, but without the right personnel actively managing it, its full capabilities cannot be realized. Hiring additional security experts is an option, but it does not come cheap, and talent is increasingly hard to find.

Endpoint Detection and Response: Do it Yourself

For organizations with ample in-house expertise, EDR (endpoint detection and response) offers powerful do-it-yourself capabilities. EDR lets you run queries against endpoint telemetry to hunt for threats and closely monitor your network, helping you cover your bases and own your detection and remediation strategy.

Endpoint Detection and Response: Done for You

The challenge for leaner organizations relying on a DIY approach is not just resource allocation, but the ability to monitor the network after business hours and on weekends. As the Kaseya ransomware attack over the first weekend of July showed, cybercriminals know when organizations are least able to respond and will try to take advantage.

Sophos Managed Threat Response (MTR) is a managed detection and response solution that monitors customer environments 24/7/365. It pairs advanced endpoint protection with machine learning and a team of threat hunting and remediation experts.

As of this writing, all Sophos MTR customers were protected against the Kaseya ransomware attack.

How does Managed Threat Response work?

  1. Intercept X with EDR monitors for threats
  2. Machine learning prioritizes suspicious activities
  3. Confirmed malicious activities are automatically terminated
  4. Human analysts investigate suspicious events
  5. Threat hunts are conducted to find new threats
  6. Response experts take action to neutralize threats

Sophos Managed Threat Response also provides activity reporting and security health checks so you’re aware of critical security events. You can also choose how closely you do or don’t want to work with the MTR team. The three MTR response modes are:

Notify – Sophos notifies you about a threat and helps you prioritize the response

Collaborate – Sophos works with your internal team or external resources to respond effectively

Authorize – Sophos handles the containment and neutralization actions fully

Additional key MTR features include:

  • Lead-Less Threat Hunting
    • Bringing data science, threat intelligence and the human intuition of veteran threat hunters together to anticipate attacker behaviour
  • Enhanced telemetry
    • Supplemental data from beyond the endpoints, fed through Sophos Central, creates a full picture of the environment
  • Proactive Posture Improvement
    • Prescriptive guidance for addressing configuration and architecture vulnerabilities

Sophos Managed Threat Response in Action

Let’s break down a threat hunt use case: a ransomware hunt by the MTR team that uncovered a historic banking trojan.

A customer contacts the MTR team to report that one of their vendors has been hit by ransomware. The MTR team begins investigating the customer’s environment to determine whether the customer has also been targeted.

15 minutes
The MTR team finds no evidence of ransomware, but does find a suspicious .js script that Sophos had previously blocked when it tried to execute.

38 minutes
The MTR team sends samples of this script to SophosLabs for further analysis.

1 hour 11 minutes
SophosLabs provides additional information, including indicators of compromise (IOCs), to the MTR team. A new detection is created to protect all customers from this .js script.

1 hour 32 minutes
Using the IOCs, the MTR team locates a malicious process that had previously called out to a command-and-control server, leading the team to believe the threat is a Qbot malware variant.

1 hour 45 minutes
SophosLabs shares additional IOCs and the MTR team continues their investigation.

1 hour 52 minutes
The MTR team uses the IOCs to locate earlier executions of the malware.

2 hours 6 minutes
With all remaining malware and artifacts removed from the host, the customer is given full details and the case is closed.
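The hunt above boils down to a query over endpoint telemetry: take the indicators SophosLabs supplied (command-and-control hosts, file hashes, a script-host loader pattern) and sweep historical process and network events for matches, which is also the kind of query the DIY EDR section describes. The following is an added example, not Sophos code and not the MTR team’s actual query: the event field names, the IOC values (TEST-NET addresses, an `.invalid` domain, hashes of placeholder strings) and the telemetry lines are all constructed for illustration and are not Qbot indicators.

```python
"""IOC sweep over endpoint telemetry (added example, constructed data).

Given a set of indicators, scan historical process and network events and
return every match tagged with the reason, then derive the hosts that need
remediation. Field names are assumed, not Sophos EDR's own.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed IOC set: placeholder values, NOT real Qbot indicators.
IOCS = {
    "c2_hosts": {"updates.c2-example.invalid", "203.0.113.45"},
    "sha256": {hashlib.sha256(b"placeholder-loader-sample").hexdigest()},
    "script_hosts": {"wscript.exe", "cscript.exe"},
    "script_exts": (".js", ".jse", ".wsf"),
}

# Constructed JSON-lines telemetry, roughly the shape of the process and
# network events an EDR agent records.
TELEMETRY = "\n".join([
    json.dumps({"ts": "2021-07-02T09:14:03Z", "host": "ws-042", "type": "process",
                "image": "C:\\Windows\\System32\\wscript.exe",
                "cmdline": "wscript.exe C:\\Users\\j.doe\\AppData\\Local\\Temp\\invoice_7731.js",
                "sha256": hashlib.sha256(b"wscript-system-binary").hexdigest()}),
    json.dumps({"ts": "2021-07-02T09:14:05Z", "host": "ws-042", "type": "network",
                "image": "C:\\Windows\\System32\\wscript.exe",
                "dest": "203.0.113.45", "dest_port": 443}),
    json.dumps({"ts": "2021-07-02T09:20:11Z", "host": "ws-042", "type": "process",
                "image": "C:\\Users\\j.doe\\AppData\\Roaming\\Microsoft\\svchost.exe",
                "cmdline": "svchost.exe",
                "sha256": hashlib.sha256(b"placeholder-loader-sample").hexdigest()}),
    json.dumps({"ts": "2021-07-02T10:02:40Z", "host": "ws-017", "type": "network",
                "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                "dest": "updates.c2-example.invalid", "dest_port": 443}),
    json.dumps({"ts": "2021-07-02T10:05:00Z", "host": "ws-017", "type": "process",
                "image": "C:\\Windows\\System32\\notepad.exe",
                "cmdline": "notepad.exe notes.txt",
                "sha256": hashlib.sha256(b"notepad").hexdigest()}),
])


@dataclass
class Hit:
    ts: str
    host: str
    reason: str
    event: dict = field(repr=False)


def _script_launch(ev: dict, iocs: dict) -> bool:
    """wscript/cscript launching a file with a scripting extension."""
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    tokens = [t.strip('"') for t in ev.get("cmdline", "").lower().split()]
    return image in iocs["script_hosts"] and any(
        t.endswith(ext) for t in tokens for ext in iocs["script_exts"])


def sweep(telemetry: str, iocs: dict = IOCS) -> list[Hit]:
    """Return every event matching an IOC, in telemetry order, with its reason."""
    hits: list[Hit] = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = []
        if ev.get("type") == "process":
            if ev.get("sha256") in iocs["sha256"]:
                reasons.append("hash:" + ev["sha256"][:12])
            if _script_launch(ev, iocs):
                reasons.append("script-host-launch")
        elif ev.get("type") == "network" and ev.get("dest") in iocs["c2_hosts"]:
            reasons.append("c2:" + ev["dest"])
        for reason in reasons:
            hits.append(Hit(ev["ts"], ev["host"], reason, ev))
    return hits


def affected_hosts(hits: list[Hit]) -> set[str]:
    """Hosts that need containment and cleanup, one entry per host."""
    return {h.host for h in hits}


if __name__ == "__main__":
    found = sweep(TELEMETRY)
    for h in found:
        print(h.ts, h.host, h.reason)
    print("hosts to remediate:", sorted(affected_hosts(found)))
```

Run as written, the sweep flags the wscript.exe launch of the .js file and its callback to the listed address on ws-042, the dropped executable on the same host by hash, and a second host whose browser reached the listed domain; the notepad event is ignored. The point of keeping the reason on each hit is that the hash match and the script-host launch tell the analyst which events are earlier executions worth cleaning up, while the C2 matches tell them which hosts still need containment.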

This MTR use case shows how the human element of cybersecurity can be the final and most essential line of defence against novel and obfuscated threats. Thanks to the collaboration between the MTR threat response experts and the analytical expertise of SophosLabs, this crafty malware was identified and fully removed from the customer’s environment in just over two hours.

Contact your CDW representative today to learn more about Sophos MTR, or visit