What does your firewall see that your EDR doesn't? Lessons from recent cyberattacks
The APT group known as Librarian Ghouls has managed to infiltrate the networks of technical universities and industrial companies in Russia, Belarus, and Kazakhstan without arousing suspicion. How did the gang get inside? By authenticating with legitimate credentials and moving laterally through internal networks on that valid access, generating no alerts along the way.
This security incident, disclosed by recent investigations, places the spotlight on a silent but effective threat. Unlike other advanced persistent threat groups, Librarian Ghouls eschews custom malware and uses legitimate third-party software to perpetrate its attacks. By combining remote access tools, archivers, and SMTP utilities, the gang builds everything from almost word-perfect phishing campaigns carrying password-protected files to polymorphic malware that changes on the fly. These stealthy attacks bypass traditional controls and are difficult to detect.
This is not an isolated case. It reflects an increasingly common problem: when cybersecurity tools such as EDR, firewalls, and authentication systems operate in silos, threats can move through an environment undetected. For example, EDR solutions may overlook the use of legitimate administrative tools if they don't exhibit overtly malicious behavior. Firewalls might flag anomalous outbound connections but lack the context to identify which user or endpoint initiated them. Authentication systems may log a series of valid logins without recognizing a pattern of lateral movement.
This highlights a critical need for integrated visibility across security layers ‒ correlating signals from multiple tools is essential to detect complex, multi-stage attacks that no single solution can fully uncover on its own. Without this unified perspective, organizations risk missing the bigger picture until it's too late.
For many companies, this creates a false sense of security as they deploy multiple solutions, each of which generates alerts. However, they need effective correlation to understand when those signals together indicate an active intrusion. Without this correlation, they can become victims of complex attacks that can remain invisible for weeks or months, causing damage or leaking information undetected.
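The correlation gap described above can be made concrete. The following added example (not from the original article or any named vendor) joins three constructed log sources, each of which looks benign on its own: valid logons from an identity system, process starts from EDR, and permitted outbound flows from a firewall. Only when a user fans out to several hosts, a legitimate remote-access or archiver tool starts on one of them, and that host then connects outbound inside the same window does the combination become a finding. All hostnames, users, IPs and the tool list are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; each is benign to the tool that produced it.
AUTH = [  # (time, user, host): successful logons from the identity provider
    ("2024-05-01T09:00:00", "jdoe", "ws-14"),
    ("2024-05-01T09:06:00", "jdoe", "srv-files"),
    ("2024-05-01T09:11:00", "jdoe", "srv-build"),
    ("2024-05-01T14:00:00", "asmith", "ws-22"),
]
EDR = [  # (time, host, process): process starts, none flagged as malicious
    ("2024-05-01T09:13:00", "srv-build", "WinRAR.exe"),
    ("2024-05-01T09:14:00", "srv-build", "AnyDesk.exe"),
    ("2024-05-01T14:05:00", "ws-22", "excel.exe"),
]
FIREWALL = [  # (time, src_host, dst_ip, dst_port): permitted outbound flows
    ("2024-05-01T09:15:00", "srv-build", "203.0.113.7", 443),
    ("2024-05-01T14:06:00", "ws-22", "198.51.100.3", 443),
]
# Legitimate remote-access and archiver tools (illustrative, not exhaustive).
TOOLS = {"anydesk.exe", "winrar.exe", "7z.exe", "rar.exe"}
ts = datetime.fromisoformat

def correlate(auth, edr, fw, window=timedelta(minutes=30), min_hosts=3):
    """Chain three individually benign signals into one finding: a user logging
    on to >= min_hosts distinct hosts inside `window` (lateral-movement shape),
    a remote/archiver tool on one of those hosts, and egress from that host."""
    findings, by_user = [], defaultdict(list)
    for t, user, host in auth:
        by_user[user].append((ts(t), host))
    for user, logons in by_user.items():
        logons.sort()
        for t0, _ in logons:
            t_end = t0 + window
            hosts = {h for t, h in logons if t0 <= t <= t_end}
            if len(hosts) < min_hosts:
                continue  # no fan-out: looks like an ordinary session
            tools = {(h, p) for t, h, p in edr
                     if h in hosts and p.lower() in TOOLS and t0 <= ts(t) <= t_end}
            matched = False
            for host, proc in sorted(tools):
                egress = [f"{d}:{p}" for t, s, d, p in fw
                          if s == host and t0 <= ts(t) <= t_end]
                if egress:  # identity, endpoint and network layers agree
                    findings.append({"user": user, "hosts": sorted(hosts),
                                     "pivot_host": host, "tool": proc, "egress": egress})
                    matched = True
            if matched:
                break  # report each user's fan-out window once
    return findings
```

Run against the constructed data, `correlate(AUTH, EDR, FIREWALL)` reports jdoe's three-host fan-out with both tools on srv-build and its outbound connection, while asmith's single logon, Excel session and HTTPS flow produce nothing, which is exactly what each tool alone would also have concluded about jdoe.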
How to protect against threats that evade detection?
Companies need a unified view of their environment and the ability to respond in real time. This is where a Managed Detection and Response (MDR) service becomes essential. MDR is a cybersecurity service that combines advanced threat detection, analytics, and human expertise to monitor, investigate, and respond to threats on behalf of an organization ‒ 24/7. Unlike traditional tools that operate in isolation, MDR correlates signals across endpoints, networks, cloud environments, and identity systems, enabling faster and more accurate detection of suspicious activity. Just as importantly, it can trigger automated, coordinated responses to contain and neutralize threats before they cause significant damage. An MDR approach enables you to:
- Find real threats before they escalate: when a firewall blocks an unusual connection or EDR detects anomalous behavior, each can generate alerts separately, but they don't always correlate with each other. An MDR service combines AI and automation to connect those signals and detect real threats in minutes, preventing small issues from turning into major incidents, especially when stealthy attacks blend in with normal activity.
- Respond quickly and accurately: once a real threat is identified, response time is critical. MDR accelerates investigations thanks to its overview of events across network, endpoint, and identity security layers. This reduces investigation time, causing fewer disruptions while ensuring business continuity and reduced reputational impact.
- Reduce noise and improve focus: AI filters out false positives, prioritizes relevant alerts, and adds the context needed to make informed decisions. This allows security teams to focus on what really matters, reducing alert fatigue and boosting operational efficiency as a result. This is particularly valuable in resource-constrained environments, where every second counts and there is no room for distractions.
The Librarian Ghouls’ breach demonstrates that attackers can circumvent traditional defenses if these solutions aren’t coordinated. While the firewall blocks external connections, EDR detects suspicious activity on the endpoint, and authentication blocks anomalous logins, it’s crucial to put these three key pieces together to see the big picture.
Spotting such an intrusion is like finding a needle in a haystack. By integrating intelligent detection and response capabilities, MDR addresses these types of threats from an integrated perspective, combining visibility, analysis, and action in real time. By correlating disparate signals, filtering false positives, and providing a unified view of the entire infrastructure, this service gives EDR the context to identify anomalies (even when legitimate tools are used by cybercriminals), enables the firewall to interpret connections more accurately, and helps identity solutions flag suspicious access. Each technology delivers more value as a result, while your team focuses its attention on what really matters.
If you want to learn more about how to improve your security with an intelligent managed detection and response (MDR) service, check out the following blog posts: