New Detections

Video Activity

This lesson explains three of the latest detections in Rapid7 InsightIDR, focused on detecting elusive attacker behavior in three different phases of the Attack Chain.


Time: 24 minutes
Difficulty: Beginner

Video Transcription
We just want to spend a minute apiece on three new types of detection in InsightIDR. The first of which is really showing you when an attacker is on the network and they're attempting to steal credentials. Often, once gaining access to a network, if no credentials are on that first asset, what you can do is spin up an application called Responder. Responder does as it's named, and responds whenever any system out there sends out a request to resolve the name of another asset. In order to do this, the handshake involves handing Responder your credentials. When I say your credentials, the asset does it for you. You have no idea this is happening as a user, and so it's great for stealthily collecting credentials across the network. What we've done at Rapid7 is make sure our agents send out these fake messages asking for something to resolve these names periodically, and we'll just notify you when something responds, because it just frankly shouldn't. That's the first detection. There's no setup involved. The agents already do it for you.

The second one I want to show you is an integration with EMET, the Exploit Mitigation Experience Toolkit from Microsoft. A lot of people have this installed on a network. It's free to you, free to install. You can push it out with group policy, if you wish to do so. But a lot of times what we hear from our customers is that they don't know if it's doing anything. So we developed this integration that, if we have access to an endpoint and we see EMET is installed, we will let you know if it's, in fact, mitigating anything. And so in this case, it looks like somebody attempted to exploit outlook.exe, and it was blocked by Microsoft EMET. So that's great to know. It's a great indicator [inaudible]. Then they accessed a new asset somewhere. This is very concerning. I would want to dig deeper. Again, this is completely baked in. There's no effort to set this up. We would just notify you when it happens from any system that has EMET installed, when it blocks anything, a good indicator to know something's going on.

The last one I want to show you is in fact what we call honey files. These are just complementing our other types of deception technology we have, but to essentially say, don't deal with file integrity monitoring. It's often very noisy. It's challenging to keep on top of. In this case, there isn't one set up with the same alert indicator. All I have to do is go here, where I could also set up honey users. I can do that in a different video. But in honey files, say I have a fake file on my network. InsightIDR is collecting events on that asset, and so here I just enter the file path. You see an example here, C:\User\Docs\Example.text. You could name it as something that's a financial file or whatever you want, and then which asset, any assets connected, add this, and that's it. From then on, anytime that file is touched, if it's copied, if it's zipped, if it looks like anything an attacker would do, we will notify you that this fake file is being accessed, and give you that alert. Thanks. That's all there is to it.