Cybersecurity Observability Powered by Managed Detection and Response

As the name implies, observability is organizations’ ability to visualize and capture complex issues and potential threats throughout their networks, cloud environments, and applications. Traditional continuous monitoring, powered by artificial intelligence (AI) and machine learning (ML), relies on processed telemetry, rules, and policies to detect and respond. Observability is about giving the organization additional real-time insight before detecting security incidents.

Spotting potential issues and gaining more comprehensive visibility allows companies to resolve them quickly.

Are you planning to increase your enterprise’s observability? Partnering with a reputable cybersecurity company, such as Forenova, enhances threat detection and provides valuable insights.

Click here to schedule a demo of the NovaMDR platform today from the team at Forenova.

What is Cybersecurity Observability?

Observability starts with deploying technology to expand the ability to collect telemetry from all enterprise devices, applications, systems, and data sources. By capturing a vast amount of telemetry, this function provides the enterprise with the means to see more of their environment in a simplified manner.

Observability is quickly becoming critical in helping organizations improve their key performance indicators, including mean time to detect (MTTD) and mean time to resolve (MTTR). Organizations leverage observability to increase the speed and efficiency of resolving threats.

This increase in the speed of detection and resolution becomes a critical component supporting threat detection, which in turn helps the organization meet compliance mandates. Observability tools are crucial for organizations to comply with privacy and legal mandates, including GDPR, HIPAA, and PCI DSS.

Migration to Advanced Observability

Advanced observability enhances traditional monitoring through sophisticated data analysis. This evolution is driven by greater adoption of advanced threat detection technologies, more capable endpoint detection and response tooling, and a growing number of better threat intelligence sources.

AI also plays a critical role as it becomes more deeply embedded in observability tools. Organizations wanting to move from a reactive to a proactive security posture recognize the importance of these advances, which bring real-time monitoring, faster data processing, and constant evolution to cybersecurity observability.


Importance of Observability in Cybersecurity

Observability is critical to improving incident response, including automated response powered by AI. Collecting all telemetry, cybersecurity-related or not, provides far earlier visibility into emerging events. SecOps teams leveraging actionable insights from observability can feed this telemetry into their LLM tools to improve incident response automation.


How does Observability Enhance Proactive Threat Detection?

A critical enhancement to current threat detection capabilities comes from actionable insights created by observability tools. These actionable insights help provide visibility to anomalies happening in real time. This early warning ability becomes a critical data source for threat detection solutions.

Thus, observability helps prevent minor anomalies from escalating into significant incidents. Observability enhances current detection functions by delivering actionable insights. Without observability, the SecOps team continues to struggle with alert fatigue driven by increased attack velocity.

Leveraging Observability to Solve Alert Fatigue

Alert fatigue is a problem even within the managed service community. Requiring SecOps engineers to engage manually with every attack incident causes this high-value team to burn out and leave the profession.

Observability’s actionable insights improve SecOps workflows and reduce the manual incident response intervention required of their engineers.

These insights, fed directly into the detection layer, provide a far deeper analysis of anomalous behavior. This knowledge improves automation, speeds up response times, and produces a much faster end-result analysis that feeds into the threat intelligence and modeling tools.

By fully automating these workflows, SecOps engineers can focus on more strategic projects and a higher level of overwatch.

Real-time Insights and Analysis

Observability detects threats and enables preventive controls by tracking infrastructure vulnerabilities. Organizations receive alerts to address these issues before attackers exploit them.

Improving an organization’s security posture reduces risks by preventing incidents and closing potential attack gaps.

Integration of Observability in MDR Services

Observability must cover all infrastructure, from cloud to on-premises, ensuring no cybersecurity blind spots and minimizing undetected vulnerabilities. This holistic view enables teams to act against threats, enhancing organizational cyber resilience.

Another critical aspect of merging observability into managed detection and response (MDR) is collecting valuable additional telemetry from high-value enterprise assets, including customer data, public-facing websites, and internal intellectual property.

This advanced collection process enhances incident response by providing actionable data for security events. Security teams with timely, data-driven insights can respond faster to minimize potential damage, creating a cohesive approach to threat management.

Observability offers detailed data critical for incident analysis to MDR platforms like NovaMDR.


What are the Challenges of Observability When Working with MDRs?

Observability tools deliver value by providing actionable insight. Like other cybersecurity tools, observability solutions generate considerable telemetry data. This additional data collection can overwhelm organizations not prepared to receive, store, process, and eventually retire telemetry information. Organizations that invest in observability recognize this as a very sizable expense: a complete enterprise-wide solution requires capital for licensing, implementation, and hiring experienced engineers or contracting out to an MDR provider.

Another element of observability is the challenge of privacy and regulatory considerations. Observability’s core focus is collecting vast amounts of data to provide valuable actionable insights for cybersecurity and application performance.

Organizations must establish governance policies to ensure this new capability collects data while respecting users’ privacy and not jeopardizing compliance mandates or regulatory issues.

Data Migration From Several Sources

Integrating data from various sources into a single observability system is complex and requires careful management to avoid overloading IT infrastructure and to ensure data integrity. Simplifying this integration is essential for timely monitoring and action.

Observability requires an extensive amount of data to be relevant, with data sources originating from different areas within the enterprise. Collecting too much data continues to be a reason for resistance to installing observability tools.

Balancing Cost and Value

Observability delivers optimal value to an organization, especially considering the increase in the volume of adversarial AI attacks. Organizations must extend their governance frameworks to better account for the cost of collecting observability telemetry and the meaningful impact this tool has on improving MTTD and other KPIs.

Organizations considering observability should start with a smaller subset of tools and a measurable expectation regarding improvement of the organization’s current and future cybersecurity posture.

The initial observability deployment establishes a critical guardrail by targeting specific high-value corporate assets. This scoping limits the data collected to key resources and the insights gained from them. SecOps will view this additional stream using their extended detection and response (XDR) tools, which helps them evaluate whether the cost of the additional telemetry delivered the expected value in improving the organization’s security posture.

Global Shortage of Talent Still A Challenge

Observability tools need skilled personnel for data collection and analysis. Because of a shortage of cybersecurity skills, many organizations struggle with implementation and ongoing security operations of observability tools and data.

MDR providers like Forenova have access to talented and experienced security operations engineers who can assist clients with their cybersecurity detection, prevention, and response journeys.

Future Trends in Cybersecurity Observability and MDR

Observability’s initial rollout followed a path similar to other advanced tools. Many tools use proprietary formats, data schemas, and user interface workflows.

One expected change in the observability market is the adoption of OpenTelemetry, or OTel. OTel is an open standard for collecting and routing telemetry data into open-source observability tools.

Open-source observability tools will continue to impact the industry positively. Organizations that want to collect telemetry from various assets can leverage platforms supporting the OTel framework. Open-source observability also helps organizations build their initial governance framework.

Open-source observability also integrates well with MDR providers like Forenova. By leveraging OTel formatting, Forenova extends the ability to ingest observability telemetry into the NovaMDR platform to complement its existing AI-powered incident response automation functionality.

Why Forenova?

Forenova, an award-winning managed detection and response (MDR) provider based in the European Union (EU), understands the criticality of stopping advanced cyber threats and seeing the constant changes in the cybersecurity landscape.

Preventing advanced attacks powered by adversarial AI requires layers of prevention technologies combined with expertise in security operations. Without proper visibility into networks and corporate digital assets, hackers will continue taking over devices, hijacking applications, and stealing data.

Want more helpful information about your company’s systems? Observability continues to become a strategic investment and focus for organizations witnessing dramatic increases in complex cyberattacks. Forenova’s continued innovation in managed detection and response also recognizes the importance of greater visibility in enhancing the automated incident response capabilities embedded within its NovaMDR offering.

EDR Killers: Detect and Prevent With Managed Detection and Response

Red teams have used endpoint detection and response (EDR) killer tools for years. These tools allow teams to bypass endpoint security agents and expose vulnerabilities that pose a risk to all organizations.

To address this global concern about cybersecurity tool bypassing, including EDR, ForeNova, a global managed detection and response (MDR) provider, created NovaMDR. The NovaMDR service monitors several areas within the enterprise network, including the endpoint, to ensure hackers do not bypass the various control tools and propagate their attacks across their clients’ networks.

Are you concerned about EDR killers bypassing your security controls? The ForeNova team has an excellent demo of NovaMDR available today!

What are EDR Killers?

EDR killers have the sole purpose of impairing cybersecurity tools to allow further attack propagation into their victims’ networks.

Like other cybersecurity tools, including firewalls, VPNs, wireless, and host-based IPS, EDR tools have known vulnerabilities. Software developers issue emergency patches to remediate these vulnerabilities outside regular maintenance release windows.

Hackers accessing EDR killers from the dark web and other sources leverage these tools to find and exploit vulnerabilities. Bypassing EDR using these rogue tools happens across the host level, kernel level, and within file directories.

Once the EDR defensive tools become disabled, hackers access critical parts of their victim’s network, including data.

The Black Market for EDR Evasion Tools

Hackers continue to gain access to or develop their own EDR killer tools. Creating their own EDR bypass tools commonly relies on the “Bring Your Own Vulnerable Driver (BYOVD)” attack method.

Here are some examples of known EDR killers found on the dark web and open marketplaces:

KernelMode

KernelMode is a typical red team utility used to test several EDR solutions, including Bitdefender, CrowdStrike, and Cylance. The tool doesn’t disable EDR; it simply demonstrates various vulnerabilities within the application file and memory areas.

EDRSilencer

EDRSilencer focuses on blocking the EDR tool’s ability to send valuable telemetry information to the centralized management console. This attack vector exploits the Windows Filtering Platform (WFP) to block communication between the EDR client and the central management console, including any alerts.

EDRKillShifter

These crafty tools help hackers stop the current EDR service, load malware files that include a rogue driver into memory, and drop a new .sys file into the \AppData\Local\Temp folder. The malware then restarts the EDR service with the rogue .exe files.

Terminator

“Terminator employs BYOVD by loading vulnerable Zemana anti-malware drivers, allowing attackers to execute malicious code in kernel mode and terminate any system or user processes, including detection mechanisms.”

AuKill

Threat actors use the “AuKill” tool to turn off enterprise EDR defenses before deploying ransomware. The tool infiltrates systems using malicious device drivers, dropping similar .sys files to overwrite existing ones. AuKill effectively halts multiple EDR processes, preventing their restart.

MS4Killer

MS4Killer terminates kernel security products by exploiting a global variable’s vulnerable driver. The global hacking group Embargo added features including endless scanning of processes and hard-coded names of processes to kill within the binary.

Limitations of Relying Solely on EDR

Bypassing EDR and other adaptive security controls happens. Regardless of manufacturer, every tool has vulnerabilities that are prone to exploitation. Preventing these exploits is nearly impossible because organizations depend heavily on the software provider to fix the problem.

Specifically, CrowdStrike released an untested security patch that caused a global shutdown of its Falcon agent. This lack of QA control affected international firms, including Microsoft and Delta Airlines.

Like other security tools, EDR processes a large amount of security telemetry daily. This processing produces data-set analysis that helps clients defend against zero-day attacks. No security is 100% foolproof; false positives and false negatives exist even with tools based on artificial intelligence.

Hackers Executing Effective Kill Chains Against EDR

Because EDR killer tools are easy to use, hackers continue to incorporate several of these utilities into a single kill chain.

Here is an example:

  • Identify application file vulnerabilities: KernelMode
  • Stop existing EDR services: Terminator and AuKill
  • Load a new payload into memory: EDRKillShifter
  • Block all telemetry from the EDR agent to the console: EDRSilencer

Security operations teams could also see the execution of denial-of-service (DoS) attacks against their border routers, an increase in AI-powered email phishing attacks, or brute force attacks against identity management systems, as part of the kill chain.

Preventing kill chains requires more than one security adaptive control. Continuous monitoring, complete visibility, and observability with automated incident response are essential in avoiding successful kill-chain attacks.

The Importance of a Layered Cybersecurity Approach

Attacks occur in various locations inside the network. Hackers continuously use automated penetration tools and techniques to scan their victims’ networks, hosts, and devices for vulnerabilities that are easily exploited. Most of these scans are fully automated, including the ability of the rogue scanning agents to report any vulnerabilities open for future exploitation back to the hacker’s command and control (C&C) servers.

Preventing an EDR solution’s bypass starts with a layer of defense combined with continuous monitoring, automated incident response, and reporting. However, hackers will use EDR killer tools to bypass these security controls. Other red team tools in the wild have also affected anti-virus, email security, and network detection and response (NDR).

Organizations migrating from a reactionary cyber-defensive mindset to a more proactive approach recognize the need to deploy several next-generation adaptive controls. These tools, including next-generation firewalls (NGFW), zero-trust architectures, SASE cloud with SD-WAN, MFA, EDR, NDR, and XDR tools, require a comprehensive security operations team, process, and easy-to-follow standard operating procedures.

As engineers consume more tools, the operations layer becomes more challenging. Organizations that invest minimal human capital, talent, training, and managed services experience more cybersecurity attacks and data losses.

Investing in talent combined with managed services helps organizations maximize their investments in these proactive security tools.

Continuous Monitoring and Threat-Hunting

Organizations that want to stay ahead of EDR killer kill chain attacks spend considerable capital on next-generation tools. These tools, combined with continuous monitoring, threat hunting, and threat modeling, help organizations become more proactive in their cybersecurity posture.

Leveraging managed service providers with threat-hunting and modeling expertise is critical to dealing with EDR killers.

These services help organizations analyze EDR killer attacks to better prepare for future engagements. Threat hunting helps review possible future EDR vulnerabilities within the enterprise. This forward-thinking analysis helps organizations expedite patching and other remediation before the next EDR killer attack.

Threat modeling is also a critical service. This function focuses on the impact of an EDR killer attack. Organizations face vulnerability risk across their entire enterprise. Threat modeling helps determine which area of vulnerability has a financial and operational impact on the organization.

The output from threat modeling and threat hunting helps set priority levels for continuous monitoring. SecOps teams using a SIEM can monitor everything within the network, but asset protection prioritization tells them where to focus. This critical step helps fight alert fatigue even with AI tools enabled.

Managed providers like ForeNova work with their clients to help determine asset protection priorities and automated incident response requirements.

The Role of MDR in Detecting EDR Killers

MDR providers like ForeNova are critical in protecting clients from EDR killer attacks. Monitoring of endpoints is one of the most valuable services within the NovaMDR solution offering. Monitoring endpoints is essential in stopping attacks against these devices.

The NovaMDR service looks for endpoint agent services that are becoming unresponsive or not sending updated telemetry promptly. The team at ForeNova also monitors several other areas within their clients’ networks, looking for ransomware propagation that may have originated from an initial EDR killer attack.
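As an added illustration of the telemetry-gap check described above, the following Python script flags endpoints whose EDR agent has stopped checking in, has reported a non-running status, or, given an asset inventory, has never reported at all. It is not ForeNova's or NovaMDR's code; the heartbeat lines, host names, record layout and the ten-minute threshold are constructed assumptions. The same check covers the symptom EDRSilencer produces, namely an agent whose telemetry no longer reaches the console:

```python
"""Added example, not ForeNova/NovaMDR code: flag EDR agents that went quiet.

Heartbeat records, host names, field layout and thresholds below are
constructed for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample: one line per agent check-in, "<ISO timestamp> <host> <status>".
SAMPLE_HEARTBEATS = """\
2024-05-01T10:00:00 ws-101 running
2024-05-01T10:00:00 ws-102 running
2024-05-01T10:00:00 srv-db1 running
2024-05-01T10:05:00 ws-101 running
2024-05-01T10:05:00 srv-db1 running
2024-05-01T10:10:00 ws-101 running
2024-05-01T10:10:00 srv-db1 stopped
2024-05-01T10:15:00 ws-101 running
"""

# Constructed asset inventory; ws-103 is enrolled but never checks in.
SAMPLE_INVENTORY = ("ws-101", "ws-102", "ws-103", "srv-db1")


def parse_heartbeats(text):
    """Return {host: (last_seen datetime, last_status)} from raw heartbeat lines."""
    last = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, status = line.split()
        seen = datetime.fromisoformat(ts)
        # Keep the most recent check-in per host, whatever order the lines arrive in.
        if host not in last or seen > last[host][0]:
            last[host] = (seen, status)
    return last


def find_silent_agents(heartbeats, now, inventory=None, max_gap=timedelta(minutes=10)):
    """List hosts whose agent stopped, went stale, or never reported.

    Returns a sorted list of (host, reason) tuples so output is deterministic.
    """
    findings = []
    for host, (seen, status) in heartbeats.items():
        if status != "running":
            # The agent itself told us it is not running (e.g. service killed).
            findings.append((host, f"agent reported status '{status}'"))
        elif now - seen > max_gap:
            # Agent still claims to run but its telemetry stopped arriving.
            minutes = int((now - seen).total_seconds() // 60)
            findings.append((host, f"no heartbeat for {minutes} min"))
    # An inventory catches hosts that never reached the console at all.
    for host in inventory or ():
        if host not in heartbeats:
            findings.append((host, "no heartbeat received"))
    return sorted(findings)


def run_check(text=SAMPLE_HEARTBEATS, inventory=SAMPLE_INVENTORY,
              now=datetime(2024, 5, 1, 10, 20)):
    """Evaluate the sample feed at a fixed 'now' so results are reproducible."""
    return find_silent_agents(parse_heartbeats(text), now, inventory)


if __name__ == "__main__":
    for host, reason in run_check():
        print(f"ALERT {host}: {reason}")
```

The inventory comparison matters: a detector that only inspects hosts present in the feed can never notice an endpoint that was silenced before its first check-in, so the list of enrolled assets has to come from a source independent of the agent telemetry itself.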

ForeNova’s security engineers can quickly respond to an EDR killer event and other cyberattacks using continuous monitoring and threat analysis. Their extensive observability of their clients’ environments, combined with telemetry captured from different sources, helps the ForeNova team deliver a far more accurate and effective proactive security posture.

Why ForeNova?

Experience, expertise, and proven methods across several industries make ForeNova a leader in the MDR space. Many MDR providers specialize in specific sectors or offer minimal service engagement. ForeNova, powered by its NovaMDR offering, delivers a wide range of security capabilities. These capabilities align strongly with various European Union compliance mandates, including GDPR.

ForeNova’s NovaMDR solution also provides 24/7 monitoring and response capabilities, ensuring a rapid and effective response to any security incidents. By partnering with ForeNova, organizations can enhance their cybersecurity defenses and minimize the risk of data breaches.

Interested in learning more about ForeNova’s NovaMDR solution to help stop EDR killers?

Click here to schedule a demo today with the engineers at ForeNova!

Preventing Account Takeover Attacks Leveraging Managed Detection and Response Services

Ever use the same email account and password login credentials for several websites, including travel, banking, and e-commerce? You are not alone. Millions of online users reuse their credentials as a matter of convenience. Yet this habit makes it much easier for a hacker to execute an account takeover (ATO) attack.

Fact: “An annual analysis of recaptured data from the darknet shows a 74% password reuse rate for users exposed in two or more breaches in the last year.”

Preventing ATO starts with placing proactive monitoring and controls across the organization’s identity management systems and application platforms, looking for suspicious activity, unauthorized access to accounts, and other malicious activities.

ForeNova, a global provider of managed detection and response services, created its NovaMDR offering to help organizations monitor, respond to, and remediate threats to their clients’ digital assets and prevent complex cyberattacks, including ATO.

Interested in learning more about NovaMDR and ATO Prevention?

Click here to schedule a demo with the Forenova engineering and product support experts today!

Understanding Account Takeover (ATO) Attacks

One of the most common methods of financial fraud and identity theft is accessing a single credential that federates to several domains. Hackers leverage several attack vectors, including email phishing, to lure victims into disclosing their usernames and passwords or clicking on malicious links that redirect them to rogue sites and encourage them to change their passwords.

How big of a problem is ATO?

Here are some essential statistics highlighting how ATO is a global problem that every organization and individual needs to be aware of.

Personal Impact

  • “Account takeover fraud resulted in nearly $13 billion in losses in 2023.”
  • “24% of consumers were a victim of ATO in 2024, up from 18% in 2023.”
  • “Only 43% of account takeover victims were notified by the company that their information had been compromised.”
  • “Four out of five consumers would stop shopping on a site where they’d been a victim of ATO.”

Corporate Impact

  • “Over 75% of security leaders rank account takeovers as one of the top four cyber threats organizations face globally.”
  • “ATO attacks increased 24% year-over-year in 2024.”

Standard Methods of ATO Attacks

90% of all cyberattacks begin with email phishing. Email phishing is a leading cause of ATO. ATO also has become the leading cause of identity theft and financial fraud.

Social engineering is a component of email phishing attempts. This attack vector is less about a technical cyberattack and more about using malicious actors’ social skills to lure the victim into disclosing credential information.

Social engineering tactics include email messages, social media postings, phone calls, SMS messages, and in-person encounters. Hackers lure victims by claiming to know someone close to them, a place they have worked, or even a family member.

Preventing social engineering starts with organizations investing in security awareness training and attack simulation, which are additional security measures that help minimize this threat. These tools are critical in educating the user community about hackers’ social skills and other types of attacks.

Impact of ATO Attacks

Financial accounts remain prime targets for ATO attacks, with cybercriminals seeking quick access to banks’ accounts and transactions. Account Takeover currently comprises 90% of fraud attempts, and this trend will probably continue into 2024.

ATO attacks and their consequences vary depending on the victim. Corporate users who reuse their business credentials, especially across federated identity domains, place themselves and their organizations at significant risk for financial fraud, intellectual property theft, and extortion schemes.

Hackers who successfully compromise an organization’s credentials spread attacks across other employees within the same domain. This propagation of attacks also becomes a problem for other organizations connected through supply chains or digital application platforms. Supply chain attacks from phishing campaigns continue to be a global problem, partially because of ATO attacks.

Once an individual’s credentials within an organization are compromised, the hackers then target that person’s personal username and password credentials as well.

ATO Attacks Jump in 2024: Trend Expected in 2025

“Sift has released its Q3 2024 Digital Trust Index, which found that account takeover (ATO) attacks are on the rise, having an increase of 24% across its Global Network.”

“Additionally, 24% of clients surveyed by Sift reported being ATO victims in the past year, up from 18% in 2023. This surge is part of a trend, with Sift data showing a 354% year-over-year increase in ATO attacks in Q2 2023.”

Organizations enforcing complex passwords continue to see rising operational costs even with self-service tools enabled.

Financial Losses for Organizations and Individuals

In a recent report, Experian released statistics showing how impactful ATO attacks are against banks globally.

“A March 2024 survey by Liminal revealed that ATO attacks average $6,232 each, with a 66.8% rise in social engineering attacks over the past two years. Despite this growth, only 44% of banks use mobile device signals to combat these threats.”

Costs per ATO rarely include the reputation damage organizations face when they suffer a breach. Customer trust is critical for an organization to keep clients. An ATO attack breach damages an organization’s ability to sustain customer trust.

Importance of Prevention Strategies

Preventing ATO attacks using legacy email security, static identity management fraud detection, or next-generation firewalls (NGFW) technology alone is unrealistic.

Hackers use artificial intelligence (AI) and machine learning (ML) tools to create attack vectors. Powered by AI, hackers can launch ATO attacks through social engineering, email phishing, and SMS at much higher volumes than most organizations are capable of detecting and preventing.

Organizations that struggle with the constant increases in ATO invest considerable financial capital in next-generation cybersecurity defensive tools powered by artificial intelligence (AI) and machine learning (ML).

Leveraging AI and Machine Learning in ATO Prevention

Organizations must place front-end AI-based fraud detection and prevention security tools on their various application portals, databases, and websites that link back to sensitive customer and organization data.

  • AI-based access control observability tools detect the initial attack vectors of ATO even if the attack is multi-threaded and distributed.
  • Upgrade to AI-powered email security tools to eliminate the threat of phishing attacks. This tool is vital in blocking ATO attacks through the email channel.
  • Invest in AI-powered security awareness training and attack simulation tools to educate the user community about the threats.
  • Deploy multi-factor authentication (MFA) as a strong protection against ATO. However, hackers continue to discover ways to bypass this adaptive control.
  • Invest in automated incident response tools for faster response to ATO attacks.
  • Continue to hire more experienced security engineering talent to staff the security operations center 24×7.
  • If the organization has trouble hiring security talent, the next step is to develop a relationship with an MDR provider like Forenova to assist with the SecOps functions.

Increased Focus on Threat Intelligence Is a Plus in Stopping ATO

ATO attacks powered by AI no longer use analog or manual distribution channels. Attack automation allows the hacker to target thousands of organizations simultaneously. Knowing who is conducting the attack and where it originated would be critical intelligence for the SecOps teams.

With threat intelligence data, SecOps teams can proactively enable additional security controls, policies, and countermeasures before the initial vector affects their user community.

Leveraging exceptional threat intelligence data and threat modeling frameworks and tools is critical for an organization that wants to stay ahead of future attacks.

The Role of MDR for All Things ATO

Detection and prevention of ATO attacks require continuous monitoring across several security devices and platforms. ATO attacks leverage several vectors that form a digital kill chain.

Preventing kill chain attacks begins with correlating telemetry into a Security Information and Event Management (SIEM) platform staffed by security engineers with global knowledge and experience to identify and stop these attacks from propagating across the enterprise.

In addition to correlating the telemetry information, SecOps teams must combine it with threat intelligence and threat modeling tools to better understand the source and its impact on the organization.

ATO attacks powered by AI morph based on attack telemetry processed by the hacker’s LLM. SecOps teams need access to similar capabilities to detect when an ATO attack changes its method, velocity, and GEO-location attack vector.
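As an added illustration of detecting the velocity and geo-location changes described above, the following Python script computes two ATO signals over login telemetry: a source IP whose failed logins span many distinct accounts within a short window (the credential-stuffing pattern that follows the credential reuse discussed earlier in this post), and an account that succeeds from a second country shortly after a success from the first. This is not ForeNova's or NovaMDR's code; the login lines, IP addresses, country codes, field layout and thresholds are constructed assumptions.

```python
"""Added example, not ForeNova/NovaMDR code: two ATO detections over login telemetry.

Login records, addresses, countries and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <user> <source_ip> <country> <result>".
# 203.0.113.10 sprays six different accounts in five seconds; alice then
# succeeds from BR half an hour after succeeding from DE.
SAMPLE_LOGINS = """\
2024-05-01T09:00:00 alice 203.0.113.10 DE success
2024-05-01T09:00:05 bob 203.0.113.10 DE failure
2024-05-01T09:00:06 carol 203.0.113.10 DE failure
2024-05-01T09:00:07 dave 203.0.113.10 DE failure
2024-05-01T09:00:08 erin 203.0.113.10 DE failure
2024-05-01T09:00:09 frank 203.0.113.10 DE failure
2024-05-01T09:00:10 grace 203.0.113.10 DE failure
2024-05-01T09:30:00 alice 198.51.100.7 BR success
2024-05-01T09:31:00 bob 192.0.2.44 DE failure
2024-05-01T09:32:00 bob 192.0.2.44 DE success
"""


def parse_logins(text):
    """Parse the raw lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Velocity signal: {ip: max distinct accounts failed within one window}.

    A single user mistyping a password never trips this; many accounts failing
    from one address in a short window is the credential-stuffing shape.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_geo_change(events, max_gap=timedelta(hours=1)):
    """Geo signal: (user, country_before, country_after) for successful logins
    from two countries within max_gap of each other."""
    last_success = {}
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= max_gap:
            findings.append((e["user"], prev["country"], e["country"]))
        last_success[e["user"]] = e
    return findings


def run_detections(text=SAMPLE_LOGINS):
    """Run both detections over one feed and return their findings together."""
    events = parse_logins(text)
    return {"stuffing": detect_stuffing(events), "geo_change": detect_geo_change(events)}


if __name__ == "__main__":
    for kind, hits in run_detections().items():
        print(kind, hits)
```

Only successful logins feed the geo-change check: a failed attempt from abroad says nothing about where the legitimate user is, while two successes from different countries inside an hour is the case worth escalating. Real deployments would feed the flagged addresses into the threat intelligence correlation described in the paragraphs above rather than acting on a single signal.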

NovaMDR by Forenova is a global MDR service built for the AI-adversary world. Attacks, including AI-generated ATO, need an MDR provider like Forenova with expertise in host-based, network, and endpoint detection. Along with its expertise in these defensive tools, Forenova’s ability to support regulated industries in Germany, including healthcare, manufacturing, education, and government, speaks to its expertise in cybersecurity and wealth of experience.

NovaMDR is ISO 27001:2022 certified.

Why Forenova?

Are ATO attacks becoming a bigger problem? Do you see a rise in credential theft and unauthorized access to critical systems hosting sensitive data?

Click here to schedule an initial consultation and demonstration of the NovaMDR service from the team at Forenova.