A Behind the Scenes Look at Attacker Behavior Analytics with our MDR Team


Just a handful of years ago, drive-by exploit kits were how attackers attempted to attack companies and individuals. Today, it’s through the delivery of malicious documents and malware that can quickly contort and disguise where it’s coming from. Attack vectors are constantly evolving—here within our managed detection and response (MDR) team at Rapid7, it’s our job to stay several steps ahead of them for our customers.

What started as a rule management system on top of our alerting system quickly evolved into what we now call Attacker Behavior Analytics (ABA). Born out of our own desire to be able to quickly and accurately detect behaviors indicative of real threats, we soon realized all of our customers (across both MDR and InsightIDR, our threat detection and response solution) could benefit from this future-ready approach to detection.

As part of the original team who developed detections for our MDR customers, I’m going to explain more about how we use ABA, how we continue to create detections for it, and how we use it in-house every day.

How We Build Attacker Behavior Analytics

As you know, many security alerts turn out to be false positives. Additionally, new threats can go undetected if you’re not collecting the right data or running the right analytics to spot compromise. We needed a way to address this for our MDR clients, so we began by creating a rule management system based on the Logentries alerting system. Using sources like the Metasploit project, our penetration testers, Cyber Threat Intelligence, and our own threat intelligence teams, we wrote several hundred detections to help us find evil things occurring inside our client environments.

Most of the rules we developed are behavior-based, since today’s attacks are typically delivered by the drop of malware from a malicious document or by covert actions that static, signature-based methods fail to detect. We developed an automated custom feed to find malicious documents used in ongoing campaigns; any matches are retrieved and analyzed in our own sandbox. We build detections from this analysis, as well as from other open and closed source intelligence, pen tests, and the tactics, techniques, and procedures (TTPs) we have observed actors perform during incident response engagements.

By analyzing how malicious documents and malware interact with various systems, we better understand their underlying intent. Then we correlate how the malware would show up in data collected by the Insight Agent, our cross-product endpoint agent. From here, we develop behavior-based detections to hunt future malicious behavior, even if steps have been taken to evade common prevention defenses.
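The contrast this section draws, between matching a known file hash and matching the behavior of a maldoc dropping its payload, is easy to see on a few endpoint process events. The following is an added illustration, not Rapid7 code or the Insight Agent's actual schema; the event fields, process allow-list and hash values are constructed for the example.

```python
"""Static indicator matching versus behavior-based detection over a handful
of constructed process-creation events (illustration only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str   # parent image name, lower case
    child: str    # child image name, lower case
    sha256: str   # hash of the child image (placeholder values below)


# Constructed sample events. ws02 is the same dropper, repacked so its hash
# differs; ws04 is a user opening PowerShell from the desktop (benign).
EVENTS = [
    ProcessEvent("ws01", "winword.exe", "dropper.exe", "HASH-A"),
    ProcessEvent("ws02", "winword.exe", "dropper.exe", "HASH-B"),
    ProcessEvent("ws03", "excel.exe", "powershell.exe", "HASH-C"),
    ProcessEvent("ws04", "explorer.exe", "powershell.exe", "HASH-C"),
]

# Stale threat intel: only the first build of the dropper has been reported.
KNOWN_BAD_HASHES = {"HASH-A"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Example allow-list of children an Office process is expected to launch.
ALLOWED_OFFICE_CHILDREN = {"splwow64.exe"}


def static_hash_rule(events):
    """Static indicator: child image hash is on the known-bad list."""
    return [e for e in events if e.sha256 in KNOWN_BAD_HASHES]


def office_spawn_rule(events):
    """Behavior: an Office app launching a script host or an unexpected binary,
    which is how a maldoc typically drops or stages its payload."""
    return [e for e in events
            if e.parent in OFFICE_APPS
            and (e.child in SCRIPT_HOSTS or e.child not in ALLOWED_OFFICE_CHILDREN)]


def run_detections(events):
    """Return the hosts each rule fires on, so the two approaches can be compared."""
    return {"static_hash": sorted(e.host for e in static_hash_rule(events)),
            "office_spawn": sorted(e.host for e in office_spawn_rule(events))}


if __name__ == "__main__":
    for rule, hosts in run_detections(EVENTS).items():
        print(f"{rule}: {hosts}")
```

The hash rule catches only the build that intelligence has already seen, while the behavior rule fires on the repacked dropper and the macro-launched PowerShell and stays quiet on the user-launched shell.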

This library of detections powered the majority of the reporting output for our MDR clients, and not long after, the feature was dubbed Attacker Behavior Analytics and added to our InsightIDR solution as well.

How We Contribute to Attacker Behavior Analytics

All of the research we do inside the MDR team directly benefits Rapid7 customers. Any time we investigate a new threat and develop an ABA detection, it’s added to the wheelhouse of malicious behaviors InsightIDR can spot and alert on for customers. Everything from malicious documents (or maldocs), to droppers, to second-stage payloads can be detected, added to our research sandbox, and if verified, added to ABA within InsightIDR. Visit our Attacker Behavior Analytics library for an overview of some of the detections that have been added to InsightIDR so far.

Since the MDR team is made up of information security practitioners actively on the front lines of combating threats, we are a valuable source of information when it comes to spotting malicious activity. With this direct link to our Products team, we can quickly integrate new detections as they’re created. Furthermore, when an alert fires, ABA loads it with context, along with how to respond, so customers can jump right into remediation.

How We Use Attacker Behavior Analytics

We eat our own dog food: we use ABA every day to detect issues for our MDR customers. While other vendors can take weeks to find new threats, our team can’t afford to wait or waste time investigating false positives that alert on stale malware or intelligence. Since we’re looking for unique behaviors that are indicators of compromise, and have a dedicated analyst team to investigate these behaviors right away, we can discern, the moment something drops, whether or not it’s evil. If it is, we inform our clients with a detailed Findings Report that covers our investigation, recommended next steps, and ways to harden for the future.

Most other technologies in the industry look for known-bad static indicators like hashes, IPs, and domain names. However, alerts matching on these indicators require follow-up investigation to validate their maliciousness, meaning the attack is usually well underway by the time it’s spotted.

In our experience, Attacker Behavior Analytics fills a big gap in monitoring and detection that antivirus, firewall, and other broad monitoring solutions cannot fill. In fact, for our MDR clients, we’re often looking at multiple feeds, but it’s the ABA detections that have given us the best insights and helped us find the latest and most advanced behavioral threats. For InsightIDR users, an alert is generated in real time when attacker behavior is detected so they, too, can take quick action.

InsightIDR is the technology that powers our global SOCs, yet you can get up and running in your environment in just hours. See the power of ABA for yourself. Explore a 30-day free trial of InsightIDR today.
