Rapid7 Threat Report: Analyzing Three Key Detection Trends


In case you missed the big news, our 2018 Q3 Threat Report is out! We’re in the midst of both crypto-winter and real-life winter, which is perhaps why we’re seeing attackers burrow deep. More than ever, defenders need a unified approach to detect and respond to threats.

In this post, we’ll review three actionable findings based on data from our Project Heisenberg honeypot network, Project Sonar, and our 250+ managed detection and response (MDR) customers who use our underlying InsightIDR technology to unify security data and identify compromise in real time.

Experience the power of a unified threat detection strategy with a free trial of InsightIDR today.

1. Which attack types most often lead to breaches?

There are three attack techniques that lead up to nearly every breach today:

Phishing
Malware
Stolen credentials

This coincides with the top detections spotted across our MDR customer base, which highlights the need to have detection coverage that spans across user accounts, endpoints, and cloud services such as Office 365 or IaaS.

First on the chart is PowerShell, which we can bucket under malware. At best, the detected PowerShell is a weird misconfiguration or IT time-saver; at worst, the adversary is able to command and control a compromised asset via PowerShell commands. While this stealthier technique is designed to evade antivirus and prevention defenses, we can detect these attacker “micro-behaviors” with the endpoint telemetry we collect and analyze within InsightIDR. Detecting malicious use of native scripting utilities is impossible without an endpoint detection and response agent, which InsightIDR provides.
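The kind of "micro-behavior" triage described above, as an added example that is not code from the report or from InsightIDR: it scores constructed process-creation events for PowerShell launched with an encoded command, a hidden window, a profile or execution-policy bypass, an Office parent process, or a download cradle, and decodes the -EncodedCommand payload so an analyst can read it. The event fields, indicator names, weights and alert threshold are all assumptions chosen for the illustration.

```python
import base64
import re


def _enc(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events standing in for endpoint telemetry.
# The field names are assumptions for this example, not a product schema.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"host": "ws-02", "user": "bob", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc("Write-Output 'constructed sample'")},
    {"host": "srv-01", "user": "svc_backup", "parent": "taskeng.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -Command "Get-Date"'},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Common download-and-execute primitives; matched against both the raw and the decoded command.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|invoke-expression|\biex\b", re.I)


def tokenize(cmdline: str) -> list:
    """Split a command line on whitespace while keeping double-quoted arguments together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def decode_encoded_command(token: str):
    """Decode an -EncodedCommand argument; return None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Weight the suspicious switches and context of one PowerShell launch (weights are assumptions)."""
    tokens = tokenize(event["cmdline"])
    indicators = {}
    decoded = None
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        # PowerShell accepts abbreviated switches, so match the common short forms too.
        if low in ("-e", "-ec") or low.startswith("-enc"):
            indicators["encoded_command"] = 3
            decoded = decode_encoded_command(tokens[i + 1]) if nxt else None
        elif low in ("-w", "-win", "-windowstyle") and nxt.startswith("hid"):
            indicators["hidden_window"] = 2
        elif low in ("-nop", "-noprofile"):
            indicators["no_profile"] = 1
        elif low in ("-ep", "-ex", "-exec", "-executionpolicy") and nxt in ("bypass", "unrestricted"):
            indicators["policy_bypass"] = 1
    if event["parent"].lower() in OFFICE_PARENTS:
        indicators["office_parent"] = 3
    if CRADLE_RE.search(event["cmdline"]) or (decoded and CRADLE_RE.search(decoded)):
        indicators["download_cradle"] = 3
    return {"host": event["host"], "user": event["user"], "score": sum(indicators.values()),
            "indicators": sorted(indicators), "decoded": decoded}


def alerts(events: list, threshold: int = 4) -> list:
    """Return the hosts whose PowerShell launch scores at or above the (assumed) alert threshold."""
    return [t["host"] for t in map(triage, events) if t["score"] >= threshold]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
    print("alerting hosts:", alerts(SAMPLE_EVENTS))
```

The scheduled script (ws-01) and the service account's explicit execution-policy override (srv-01) each score low and stay as context rather than alerts; the Word-spawned, hidden, encoded launch on ws-02 crosses the threshold, and the decoded payload is attached so the analyst does not have to decode it by hand.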

Next up is suspicious URL activity. This is closely linked to phishing, as it’s indicative of end users clicking on malicious links delivered via email, chat, or another vector. Of course, every organization is concerned about phishing—for our recommended strategy, reference, “Phishing Attacks Duping Your Users? Here’s a Better Anti-Phishing Strategy.”

InsightIDR adds detection value to organizations by applying user behavior analytics (UBA) to authentications across Active Directory and your internal network, along with cloud services, to flag anomalous user behavior and accounts being attacked (e.g., Office 365 brute-forcing from Nigeria). On top of that, DNS, web proxy, and firewall traffic is ingested and made fully searchable, and then matched against third-party threat intelligence (e.g., Google Safe Browsing and PhishTank), our machine learning, and intelligence shared within our InsightIDR customer community.

This directly ties into the top detection from InsightIDR: malicious login attempts. This can range from run-of-the-mill brute-forcing or trying exposed credentials from a leaked data breach to a more sophisticated attacker who has obtained credentials and is now on your internal network impersonating a legitimate employee.

This is where UBA is critical—you need to know about anomalous ingress and lateral movement, but don’t need an alert every time Stacy goes on vacation in Cancún or when Bob in Marketing has a cluster of failed logins. InsightIDR uses a combination of threat intelligence, UBA, and smart visualizations to help customers quickly identify anomalous logins and account takeovers.

For most companies, it’s not a simple process to detect attacks across these three techniques. While PowerShell detection requires being able to detect activity on the endpoint, URL access and login attempts require tracking and analyzing user behavior data. Today, UBA has converged with SIEM technology to help security teams baseline typical user activity (e.g., what processes they execute and where and how users log in) and find risky behavior and compromised accounts. It’s a critical part of a holistic detection strategy, and where we first invested in detection and response, so be wary of “modular, bolt-on analytics” claims that can produce more noise than value.
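As an added example (not code from the report or from InsightIDR) of the login-behavior reasoning in the last few paragraphs, the routine below runs over constructed authentication events and a constructed per-user baseline of countries. A success preceded by a cluster of failures from the same source is raised as an alert; a success from a never-seen country with no failures (Stacy in Cancún) is only surfaced as context; a cluster of failures with no success (Bob) produces nothing. The log format, field names, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events (not data from the report); RFC 5737 documentation IPs.
SAMPLE_LOGS = """\
2018-09-12T08:01:03Z user=stacy src=203.0.113.10 geo=MX result=success
2018-09-12T08:05:00Z user=bob src=192.0.2.15 geo=US result=failure
2018-09-12T08:05:20Z user=bob src=192.0.2.15 geo=US result=failure
2018-09-12T08:06:10Z user=bob src=192.0.2.15 geo=US result=failure
2018-09-12T08:07:45Z user=bob src=192.0.2.15 geo=US result=failure
2018-09-12T09:00:00Z user=carol src=198.51.100.7 geo=NG result=failure
2018-09-12T09:00:04Z user=carol src=198.51.100.7 geo=NG result=failure
2018-09-12T09:00:09Z user=carol src=198.51.100.7 geo=NG result=failure
2018-09-12T09:00:15Z user=carol src=198.51.100.7 geo=NG result=failure
2018-09-12T09:00:21Z user=carol src=198.51.100.7 geo=NG result=failure
2018-09-12T09:00:28Z user=carol src=198.51.100.7 geo=NG result=failure
2018-09-12T09:02:30Z user=carol src=198.51.100.7 geo=NG result=success
"""

# Constructed baseline: countries each user has historically authenticated from.
BASELINE = {"stacy": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' event into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(lines, baseline: dict, fail_threshold: int = 5, window=timedelta(minutes=10)) -> list:
    """Correlate failures and successes per (user, source) and compare successes against the baseline."""
    recent_failures = defaultdict(deque)  # (user, src) -> timestamps of failures inside the window
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        q = recent_failures[(ev["user"], ev["src"])]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            continue
        new_geo = ev["geo"] not in baseline.get(ev["user"], set())
        common = {"user": ev["user"], "src": ev["src"], "geo": ev["geo"],
                  "ts": ev["ts"].isoformat(), "new_geo": new_geo}
        if len(q) >= fail_threshold:
            # Guessing followed by success from the same source: likely account takeover.
            findings.append({"kind": "brute_force_success", "severity": "alert",
                             "failures": len(q), **common})
        elif new_geo:
            # Unusual location alone is context for the analyst, not an alert on its own.
            findings.append({"kind": "new_geo_login", "severity": "notable", "failures": len(q), **common})
        q.clear()  # a success closes out the failure streak for this source
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS.splitlines(), BASELINE):
        print(finding)
```

In a real pipeline the baseline would be learned from weeks of history rather than declared, and the source key would usually include the asset or user agent as well as the IP, but the shape of the logic is the same: the failure streak is only interesting once it succeeds, and location is one piece of context that raises or lowers confidence rather than an alert by itself.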

Since the data sources that reveal each attack type are different, companies are pushed toward fragmented detection solutions for phishing, endpoints, and user behavior—and wait, do you also need “next-gen, AI-powered” versions for all of these?!

InsightIDR is the only SIEM on the market with the capability to detect malware, phishing, and stolen credentials right out of the box. More importantly, because of continuous learning from our customers, the Metasploit community, our research, and a fantastic in-house suite of services that spans pen testing to incident response, we have a resilient architecture built to detect the attacks of tomorrow, today.

2. Emotet: A malware nightmare

The second major theme we saw in Q3 was the persistence of Emotet, a popular malware campaign typically delivered via malicious spam or spear phishing (we’ve included some examples we encountered below). Over half of the malware samples we investigated throughout the quarter were variants of Emotet, targeting industries including construction, finance, healthcare, manufacturing, real estate, and utilities.

Given the range of impacted industries, it’s important to be on the lookout for Emotet. To see exactly how Emotet is impacting your industry, what it does once inside an organization, and our recommendations, see the full breakdown in the Q3 Threat Report. Guidance around email validation systems, file attachment blocking, and least-privilege access policies is among the tips provided.

If you use InsightIDR, you can subscribe to the Emotet threat feeds within the Threats community. Shoutout to all of the dedicated contributors who continue to share their curated threat intelligence!

3. Protocol poisoning flaring up as a threat vector

A particularly interesting development is protocol poisoning, which is the use of software such as Responder that is designed to confuse nodes on a local network, causing them to route data through it to capture credentials, hashes, and/or general data. Essentially, if attackers have already compromised a machine, they can run a program to steal more credentials and gain deeper access.

Protocol poisoning made our “Top 5 Threat Events Per Month” list twice in Q3 (see below). This can indicate not only an attacker foothold, but also specific intent to hunt for credentials and start lateral movement.

Responder, which attacks Windows networks when you have internal network access but no domain user, is a top tool in every pen tester’s toolbox. Therefore, like the rest of our detections, we’re focused on making sure it:

Is easy to identify and monitor: For Responder, our Insight agent will issue queries for nonexistent host names over NBT-NS to reveal tools abusing trusted traffic.
Provides context: Along with the alert, notable user and asset behavior is automatically surfaced on a visual timeline.
Takes action: In InsightIDR, you can now disable a user account, kill a malicious process, or quarantine an asset right from within the console.
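The canary-query technique in the first bullet, as an added example that is not the Insight agent's code or any other Rapid7 code: a detector asks NBT-NS (RFC 1002, UDP/137) for a randomly generated name that no legitimate host owns, so any positive answer can only come from something claiming every name it hears. The block encodes and decodes NetBIOS names, builds the broadcast query, parses a positive name-query response, and validates that the answer really matches the canary and the transaction ID. The `build_positive_response` function exists only as a test fixture so the parser can be exercised offline against a constructed spoofed reply; the canary prefix and the sample address are constructed values.

```python
import secrets
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001
FLAGS_BROADCAST_QUERY = 0x0110     # RD + B bits: B-node broadcast name query
FLAGS_POSITIVE_RESPONSE = 0x8500   # R + AA + RD: positive name query response


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1002 first-level encoding: pad to 15 chars, add the suffix byte, split nibbles into 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return b"\x20" + encoded + b"\x00"  # 32-byte label, then the empty scope terminator


def decode_netbios_name(encoded: bytes) -> str:
    """Reverse the first-level encoding of a 32-byte label; drops the suffix and padding."""
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].decode("ascii").rstrip()


def build_query(txid: int, name: str) -> bytes:
    """Name query for `name`, as a detector would broadcast it."""
    header = struct.pack(">HHHHHH", txid, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_positive_response(txid: int, name: str, ip: str, ttl: int = 300000) -> bytes:
    """Test fixture only: a constructed positive response claiming `name` resolves to `ip`."""
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)  # NB_FLAGS + one IPv4 address
    rr = encode_netbios_name(name) + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata))
    return header + rr + rdata


def _skip_name(packet: bytes, off: int) -> int:
    """Advance past a label sequence terminated by a zero-length label."""
    while packet[off] != 0:
        off += 1 + packet[off]
    return off + 1


def check_canary_response(txid: int, canary: str, packet: bytes):
    """Return the claimed addresses if `packet` positively answers our canary query, else None.

    The canary name does not exist, so a matching positive answer means some node on the
    segment is answering name queries it does not own.
    """
    try:
        rtxid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
        if rtxid != txid or not flags & 0x8000 or ancount == 0:
            return None
        off = 12
        for _ in range(qdcount):             # skip any echoed question entries
            off = _skip_name(packet, off) + 4
        name = decode_netbios_name(packet[off + 1: off + 1 + packet[off]])
        off = _skip_name(packet, off)
        rtype, _rclass, ttl, rdlength = struct.unpack(">HHIH", packet[off:off + 10])
        off += 10
        if rtype != QTYPE_NB or name != canary.upper()[:15]:
            return None
        rdata = packet[off:off + rdlength]
        addresses = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]
        return {"name": name, "ttl": ttl, "addresses": addresses}
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def probe(canary: str, timeout: float = 2.0) -> list:
    """Real network I/O (not used by the offline demo): broadcast one canary query and collect answers."""
    txid = secrets.randbelow(0x10000)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_query(txid, canary), ("255.255.255.255", NBNS_PORT))
        try:
            while True:
                data, (src, _) = s.recvfrom(1024)
                hit = check_canary_response(txid, canary, data)
                if hit:
                    hits.append({"from": src, **hit})
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    txid = secrets.randbelow(0x10000)
    canary = "RPD-" + secrets.token_hex(4).upper()   # random 12-char name nobody legitimately owns
    # Constructed: what a poisoner's answer to that query would look like, claiming 192.0.2.66.
    spoofed = build_positive_response(txid, canary, "192.0.2.66")
    print(check_canary_response(txid, canary, spoofed))
```

Two details matter for a detector like this: the transaction ID and the name must both match, or the check would also fire on unrelated traffic and on stale replies, and the canary must be random per probe, otherwise a tool could simply refuse to answer the known sentinel name. The same idea applies to LLMNR (UDP/5355), which uses DNS-style encoding instead of the NetBIOS scheme shown here.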

This all goes toward our mission of helping security teams reduce the complexity around detecting, investigating, and containing threats.

Test, test, and test

The last thing of note here is that as you prepare for these threats, you also need to test the detections and responses you have in place. Simulating protocol poisoning and malicious PowerShell commands to ensure working visibility is one part, but just as important is an organized, cohesive response in the event of a serious incident from both within the security team and the broader organization.

To Q4 and beyond!

The diverse behaviors our security operations centers (SOCs) detected and investigated in Q3 truly highlight the need for holistic detection, a strategy that can identify a wide range of attacks while providing important context. You can find all of our identified indicators in Appendix C of the Q3 Threat Report, which you can directly port into your SIEM to match against your data. If you don’t have centralized, working, or affordable log management today, you’re flying blind against the most prevalent attacks.

To prepare your defenses, view our full report for free.

Learn more about Rapid7’s approach to threat detection with a free 30-day trial of InsightIDR.