Discover what round-the-clock security means with James Rodewald, as he explains what makes ESET MDR the security service to get.

ESET World 2025 was an event that brought together top cybersecurity experts from all walks of life, so you’d expect tangible examples of what makes a business really stay secure. That’s exactly what James Rodewald, security monitoring analyst at ESET did.

During the session titled “Staying protected with ESET MDR,” Rodewald pointed out the critical pain points of IT admins and how managed detection and response (MDR) saves them time and unlocks new efficiencies, as well as sharing a story about a VPN gone rogue.

Usually, IT admins need to split their focus between many areas, and security is just another small part of their tasks, often getting less attention than necessary.

Of the many issues surrounding a company’s cybersecurity, their budgets are a key concern — proper security operations centers (SOCs) can be pricy, as covering hundreds of seats takes time and effort. Some companies assume that having two people cover an entire SOC’s capabilities is enough though, but Rodewald strongly disagrees: “They wouldn’t be able to monitor 24/7. … If something happens while they’re asleep or possibly on vacation, that could be really bad.”

While Rodewald doesn’t want to deter IT professionals from trying, he highlights that there are certain gaps that only security experts can fill: “IT admins are smart. They’re great at what they do. They make these beautiful systems that all communicate with each other — and that’s amazing. But sometimes they don’t know how to notice when somebody else is maliciously managing their network. And that’s where the dangers come in.”

Securing added resources for IT admins to fight threats while they take care of daily tasks is what ESET MDR offers in spades. This is rather helpful for smaller businesses lacking security headcount within their IT departments, quickly leveling up their postures. “It’s like you set it and forget it. … Customers want somebody to monitor and be notified if something happened, what we did to remediate it, are there any actions they need to take,” said Rodewald about the service.

ESET MDR is a 24/7 threat management service for smaller organizations, using AI and human expertise for premium protection without in-house security specialists. Let ESET block, stop, and disrupt malicious behavior in just 20 minutes while you focus on core competencies.

While a basic MDR service can offer enterprise-grade security, with monitoring performed by earnest experts trained to stop security incidents (using top threat intelligence to empower their decisions), a lot more can be done for complex environments with a larger footprint. These environments need a specific approach, slotting in naturally to the existing security apparatus of a larger organization.

As Rodewald said, ESET MDR Ultimate (MDRU) is “for those customers that want to live with us in real time as we monitor their environment … benefits range from custom rule and alert creation, [to] optimizing the security environment … to finding unprotected devices, etc. So, across the range of these activities, we drive both operational and process maturity, help with remediation, and even flag those unprotected devices, sadly an all-too-common source of threats.”

ESET MDRU perfectly combines ESET technology and digital security expertise to effectively and proactively detect and respond to any threat. It is a tailored service, acting as a SOC-like security umbrella, with the ability to protect sophisticated environments with dedicated security teams.

Rodewald also highlighted ESET MDRU’s reports, explaining how the process is more human, connecting experts from both sides to design better protection rules and mechanisms in tandem, which adds even more value.

The ESET MDR service tier maintains a 20-minute time to detect for all customers — currently having a 1-minute time to react and around a 5-minute time to resolve an incident. This is owed to 24/7 SOC-like monitoring, with our MDR teams constantly improving their decision-making processes with every single detection.

To achieve this fast detection and response rate, Rodewald elaborated on ESET MDR’s training regime: “The way we train is to ask the question, could we have spotted this sooner? Because if we can improve, then we want to improve. Also, would you be able to identify this [threat] if you saw it in the wild?” Relevant teams also examine research so they might better identify issues they hadn’t yet encountered.

As a result, ESET’s MDR teams can actively isolate false positives from real detections, apply novel incident response playbooks as needed, and manage trainings to keep analysts up to date on threats. For in-house teams (especially IT generalists), this might be a tough nut to crack, but it’s the vicious cycle that ESET security monitoring analysts are trained for.

In a story about an ESET MDRU success, Rodewald spoke of how a VPN gone rogue led to FIN7 getting on a business’s network. The company in question, which owns a large network with multiple sites globally, was unknowingly breached prior to onboarding its ESET service (at least two to three months before). While it had an XDR solution employed, no one was monitoring it — a recipe for disaster.

In the beginning, someone had used PowerShell to create an external network connection, leading to a renamed remote monitoring and management (RMM) tool being installed (LiteManager). The PowerShell also had an interesting script called “PowerTrash,” which was over 6,000 lines long.

Next, the RMM tool, renamed to romfusclient.exe, started another execution chain to install an OpenSSH backdoor: “This backdoor would communicate with a remote C&C [command-and-control] server and allow whoever was in control to tunnel through this device to target other devices on the network,” said Rodewald.

Shortly after ESET MDRU’s onboarding, monitoring picked up on lateral movement via remotely scheduled tasks — another instance of PowerTrash was being executed: “Its goal was to dump credentials and load Spy.Sekur into memory. At this point, we knew it was FIN7 because Spy.Sekur is only used by FIN7, and PowerTrash, I believe, is also exclusive to FIN7,” commented Rodewald. The latter was 41,000 lines of code, much longer than the previous instance.

“We started to see other lateral movement as we were creating custom rules to block things. … And we started to see this via both remote tasks and WinRM. We saw that their goal this time was to execute a batch file to execute a renamed version of RClone.exe in order to back up the file shares of the network and then use a renamed copy of 7-Zip to compress that all before they would then exfiltrate it,” Rodewald continued.

The MDR team then started to kill and block these processes while creating custom rules to disable them permanently. Nevertheless, this was happening across multiple devices, with multiple forms of lateral movement.

Since the MDR team had the source IPs of each of those movements, it understood that it had to locate unprotected devices in the customer’s environment because they weren’t showing up inside ESET PROTECT or ESET Inspect as being managed. “So, we’re on the phone at this point, and I’m having them remote me directly into these devices so I can see what’s going on. We found OpenSSH backdoors on multiple different devices — we needed to either have the client cut them off the network, or I needed to manually remediate the[m],” said Rodewald.

However, the adversary wasn’t done. Likely panicking as they were losing access, they dropped a new tool: “It was a never-before-seen DLL side-load!” exclaimed Rodewald. While the .exe may have been seen in the wild before (TopoEdit) it included a malicious DLL.

“They were trying to stay on the network. … We spotted that in less than 30 seconds,” said Rodewald with a smile. Thus, the MDR team blocked the clean .exe and the DLL and remediated it from about six or seven other devices, all within the same time frame.

In parallel, the team became curious to investigate how initial access occurred: “We started pulling logs from devices, trying to find the trail of events … so we were doing digital forensic [incident] investigation.” Before they got too deep into that investigation, the threat actors showed their cards: Someone was using Remote Desktop Protocol (RDP) from private IPs to access different devices and immediately installing AteraAgent with Splashtop — two other RMM tools.

However, these IPs were on a specific subnet that was different from other devices on the network, which were quickly confirmed by the business’ admin as addresses assigned by the client’s VPN.

“Their VPN appliance was compromised. They had rogue devices owned by the threat actor joining the VPN and then RDPing to other devices,” Rodewald revealed. Hence, the MDR team had the company shut down its VPN, with no new activity since, though it is still being monitored.

This story highlights how thanks to the close-knit cooperation enabled by the ESET MDRU service, immediate action was taken, quickly developing new playbooks and security strategies for the client to prevent future incidents.

The key value of ESET’s MDR services lies in its prevention-first quality. With each of ESET’s managed services tackling different company architectures, the goal is the same — unlocking fast detection and almost immediate remediation, tackling novel threats before they can cause mischief.

Plus, as evidenced by Rodewald’s rogue VPN story, perhaps going for a managed service even while experiencing a compromise can enable businesses to snatch a security win from the creeping tentacles of a breach.

“SC Awards are recognized worldwide by the cybersecurity community, and we are honored to be a finalist in the Best Business Continuity, Disaster, Ransomware Recovery Solutions category,” said Ryan Grant, VP of Marketing and Sales at ESET North America. “ESET has a history of innovation in mitigating ransomware, and Ransomware Remediation was launched to deliver comprehensive defense from encryption, theft and data holding. This recognition speaks to our continued investment in the ESET PROTECT platform and our commitment to offering businesses peace of mind in the fight against ransomware.”

Unlike solutions based on the Windows Volume Shadow Copy service, ESET Ransomware Remediation is a proprietary post-execution solution which works with and is enabled by ESET Ransomware Shield – monitoring for and blocking sophisticated attacks before they happen. Solving one of the most common failings of regular backups during a ransomware attack – the lack of isolation or segmentation of data — ESET Ransomware Remediation creates temporary encrypted backups of important data, all in a sequestered environment untouchable by untrustworthy apps and processes.

“From the rise of generative AI attacks to breaches exploiting third-party access and non-human credentials, the past year has reminded us that cybersecurity needs to be about innovations that help enterprises pivot, adapt, and thrive in a threat landscape that changes by the hour,” said Tom Spring, Senior Editorial Director, SC Media.

“Being named an SC Awards finalist is a recognition not only of technical innovation, but of a shared commitment to making the digital world safer,” Spring said. “It’s inspiring to see how this year’s community of finalists — across identity, cloud, data protection, and beyond—is pushing forward together, united by purpose.”

The 2025 SC Awards entries were evaluated across 33 specialty categories by a distinguished panel of judges, comprised of cybersecurity professionals, industry leaders, and members of the CyberRisk Alliance CISO community, representing sectors such as healthcare, financial services, education, and technology.

The 2025 winners will be announced on Tuesday, April 29, 2025, at RSAC ’25 in San Francisco at the SC Awards Reception. Find the full list of 2025 finalists on SC Media’s website here.

Threat Intelligence can save money, and it doesn’t need to be hard to understand.

Even people living thousands of years ago understood that “knowledge is power”, and amidst the digital era’s rapid developments in technology, including both cyber threats and cyber defense, this ancient wisdom applies more than ever.

A poignant  example, recent ESET research about the newly discovered China-aligned APT group PlushDaemon presented by ESET Malware Researcher Facundo Muñoz at JSAC 2025 conference. This research demonstrates how various users who were seeking protection in the form of a legitimate South-Korean VPN service but, alas, what they attempted to install was in fact trojanized VPN software that delivered spyware.

ESET endpoint protection stopped the malware, but for those who additionally field ESET Threat intelligence and its diversity of feeds, an even more powerful tool lays at their disposal – knowledge. Knowledge about the new threat, the compromised but legitimate URL, and Indicators of compromise (IoC). Using this knowledge, they could readily avoid the threat and check their defenses against the documented PlushDaemon tools.

In May 2024, ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of a legitimate South Korean VPN company. This installer deployed both the legitimate software and the malicious implant that ESET researchers named SlowStepper.

Another attack vector for PlushDaemon is to intercept network traffic, hijack update protocols, redirect traffic to attacker-controlled servers, and deliver its SlowStepper implant.

However, SlowStepper is a backdoor that attempts to establish communication with a C&C server to receive further instructions. Once communication is established, SlowStepper can process multiple commands such as:

• Collecting information from the compromised machine such as computer name, list of running processes, list of installed applications, whether cameras or microphones are connected, and more.
• Executing a Python module from its toolkit; the output and any files created by the module are sent to the server.
• Deleting the specified file.
• Process various commands such as creating a complete report about the specified file or deleting the specified file, directory, or all files in a directory.
• Uninstalls SlowStepper by removing its persistence mechanism and removing its files.

Going through the list of SlowStepper’s capabilities, it becomes clear that supply-chain attacks pose significant risks to businesses including financial losses due to system downtime, lost revenue, remediation costs, and reputational damage.

These attacks can also lead to data breaches and consequences can be ruinous. The average cost of a data breach jumped to USD 4.88 million from USD 4.45 million in 2023, according to IBM’s Cost of a Data Breach Report 2024. In fact, third-party breaches including supply chain breaches are among the top 3 factors that amplified breach costs.

On top of that, supply-chain attacks are not rare. Verizon’s 2024 Data Breach Investigations Report (DBIR) saw a 68% year-over-year growth in supply-chain attacks.

Yet, these attacks are only a fraction of cyber threats out there. See this list of most frequent attack vectors, according to IBM’s report:

• Stolen or compromised credentials – 16 %
• Phishing – 15 %
• Cloud misconfiguration – 12%
• Unknown zero-day vulnerability – 11 %
• Business Email Compromise – 10 %
• Malicious insider – 7 %

Seeing these increasingly sophisticated attacks and how businesses are growing concerned about their cybersecurity, there is no surprise that the global threat intelligence market is projected to grow from USD 5.80 billion in 2024 to USD 24.05 billion by 2032.

IBM’s report calculated that a threat intelligence solution decreases average data breach cost by more than USD 240,000.

At the ESET WORLD 2024 conference, Tope Olufon, senior analyst at Forrester, a leading global market research company, stressed the importance of threat intelligence claiming that organizations need to understand the threat landscape and be prepared for upcoming threats.

However, organizations should also be smart about how they use the provided information – threat intelligence is not about counting detected samples but putting them into context and identifying the right stakeholders, according to Mr. Olufon.

Thanks to ESET LiveGrid technology, there are more than 110 million endpoints acting as sensors detecting malware. Combine this data with knowledge of ESET award-wining researchers, and you get a powerful tool that keeps users informed about the current threat landscape, adversaries, malicious programs and their properties, the servers used to propagate them, and even the URLs and domains which spread them.

A threat intelligence feed is an ongoing stream of data related to potential or current threats to an organization’s security that can be easily integrated to SIEM and TIP platforms. Instead of receiving a large amount of non-curated data, ESET shares a curated feed that features top-notch categorization and is pre-filtered for customers to use according to their preferences. Filtering is done by ESET researchers, who understand the internal data intimately.

Such filtering has multiple advantages for users. ESET feeds may be smaller in quantity, but all of the data are relevant and come with a very low rate of false positives. They also come with a significant amount of additional contextual data.

APT Reports provide contextual information about various adversaries, the latest APTs, technical analysis of threats, and activity summaries of the threat landscape. If a new threat is spreading quickly, ESET sends activity alert reports. Users can secure access to both human-readable reports and machine-readable Indicators of Compromise (IoCs).

If you are interested in ESET research blogs like PlushDaemon, or publicly available ESET APT Activity Reports and Threat Reports, bear in mind that these are just the tip of the iceberg of what you can see in documents received from ESET Threat Intelligence.

Now ESET has updated its Threat Intelligence service which consists of 15 feeds and has restructured the ESET APT reports into 3 tiers. Thus, businesses can choose what’s right for them. For example, while a large enterprise can get all the feeds and the highest tier APT report, some other businesses may opt just for a few feeds that are essential to secure their operations.

Users of the ESET Threat Intelligence APT Reports’ Advanced and Ultimate tiers can reduce complexity further with ESET AI Advisor, a specialized AI chatbot designed to provide information about APTs.

Here is the list of feeds:

1. Malicious files feed
2. Domain feed
3. URL feed
4. IP feed
5. Botnet feed with two subfeeds:
   a) Botnet – C&C feed
   b) Botnet – Targets feed
6. APT IoC feed
7. Android infostealer feed
8. Android threats feed
9. Cryptoscam feed
10. Malicious email attachments feed
11. Phishing URL feed
12. Ransomware feed
13. Scam URL feed
14. Smishing feed
15. SMS scam feed

As the world of cybercrime evolves rapidly, new threats are more sophisticated and agile, having access to intelligence about the threat landscape becomes a necessity. ESET Threat Intelligence and its data feeds can set businesses’ minds at ease knowing that they regularly receive the latest information about specific dangers.

What’s more, ESET works tirelessly to make this service as simple-to-use as possible. With APT reports enhanced by AI, curated intelligence feeds, filtering, and seamless integration, businesses can have the current threat landscape for breakfast.