24 minutes

Video Description

This lesson explains three of the latest detections in Rapid7 InsightIDR, focused on detecting elusive attacker behavior in three different phases of the Attack Chain.

Video Transcription

So we just want to spend a minute apiece on three new types of detection inside IDR.

The first of which is really showing you when attackers are on the network and they're attempting to steal credentials. They often do that once gaining access to the network, if no credentials are on that first asset. What you can do is spin up an application called Responder. Responder does as it's named and responds whenever any system out there sends out a request to resolve the name of another asset. In order to do this, the handshake involves handing Responder your credentials. And when I say your credentials, the asset does it for you; you have no idea this is happening as a user. And so it's great for stealthily collecting credentials across the network. What we've done at Rapid7 is make sure agents send out these fake messages, asking for something to resolve these names periodically, and we'll just notify you when something responds, because it frankly shouldn't. So that's the first detection, and there's no setup involved. The agents already do it for you.

The second one I want to show you is an integration with EMET, the Enhanced Mitigation Experience Toolkit from Microsoft. A lot of people have this installed on the network. It's free to you, free to install; you can push it out with Group Policy if you wish to do so. But a lot of times, what we hear from our customers is that they don't know if it's doing anything. And so we developed this integration: if we have access to an endpoint and we see EMET is installed, we will let you know if it has in fact mitigated anything. And so in this case it looks like somebody attempted to exploit outlook.exe, and it was blocked by Microsoft EMET. And so that's great to know. It's a great indicator to see, and then they accessed a new asset somewhere. This is very concerning; I would want to dig deeper. Again, this is completely baked in. There's no effort to set this up. We would just notify you when it happens from any system that has EMET installed, when it blocks anything. Good indicator to know something's going on.

And the last one I want to show you is what we call honey files. And so these are just complementing our other types of deception technology we have, but essentially to say: don't deal with file integrity monitoring; it's often very noisy, it's challenging to keep on top of. In this case, there isn't one set up, the same sort of alert indicator. All I have to do is go here, where I could also set up honey users; we'll do that in a different video. But for honey files, all I have to do is say I'm going to have a fake file on my network, InsightIDR is collecting events on that asset, and so here I just enter: what's the file path? You see an example here, C:\Users\docs\example.txt; you could name it something that looks like a financial file or whatever you want, and then which asset. So any asset that's connected, add this, and that's it. And from then on, any time that file is touched, if it's copied, if it's zipped, if it looks like anything an attacker would do, we will notify you that this fake file is being accessed and give you that.

So thanks, that's all there is to it.
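The first detection described in the transcript (an agent periodically asks the network to resolve a name that should not exist, and anything that answers is treated as a credential-stealing poisoner) can be reproduced with a few lines of standard-library Python. The example below is added here as an illustration and is not Rapid7's agent code; it targets LLMNR (UDP multicast 224.0.0.252:5355, DNS-format packets), which is one of the name-resolution protocols Responder poisons. The canary hostname prefix, the transaction IDs, the IP address 10.0.0.66 and the fake poisoner reply built by `build_fake_poisoner_response` are all constructed for the demonstration.

```python
"""Canary LLMNR probe: detect LLMNR poisoners (e.g. Responder) on the local segment.

Added example, not Rapid7 code. A legitimate network never answers a query for a
random, non-existent hostname, so any answer is evidence of a name-resolution poisoner.
"""
import secrets
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # LLMNR IPv4 multicast group (RFC 4795)
LLMNR_PORT = 5355
FLAG_QR = 0x8000             # header flag bit: 1 = response, 0 = query


def canary_name():
    """Random hostname that cannot exist on the network (prefix is an assumption)."""
    return "canary-" + secrets.token_hex(4)


def build_llmnr_query(name, txid=None):
    """Build a standard A-record query for `name` in DNS/LLMNR wire format."""
    txid = secrets.randbits(16) if txid is None else txid
    # ID, flags (0 = standard query), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, off):
    """Decode a (possibly compressed) wire-format name; return (name, next_offset)."""
    labels = []
    while True:
        ln = data[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_llmnr_answer(data, expected_txid):
    """Return the A-record IPs in a response matching `expected_txid`, else []."""
    if len(data) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & FLAG_QR:
        return []
    off = 12
    for _ in range(qd):                      # skip echoed question section
        _, off = _read_name(data, off)
        off += 4                             # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ips


def build_fake_poisoner_response(txid, name, ip):
    """Constructed reply shaped like what a poisoner sends (used for offline testing)."""
    question = build_llmnr_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe_for_poisoner(timeout=2.0):
    """Send one canary query; return {responder_ip: [answered_ips]} (empty dict = clean)."""
    txid = secrets.randbits(16)
    query = build_llmnr_query(canary_name(), txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = {}
    try:
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(512)
            ips = parse_llmnr_answer(data, txid)
            if ips:                          # nobody should answer a canary name
                hits[src] = ips
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for responder, ips in probe_for_poisoner().items():
        print(f"ALERT: {responder} answered a canary LLMNR query with {ips}")
```

Run it on a schedule from several hosts, as the transcript describes the agents doing; the transaction-ID check keeps unrelated LLMNR traffic from triggering an alert, and the `build_fake_poisoner_response` helper lets the parser be exercised without a live poisoner.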
