Tag Archives: Detection and Response

The Great Resignation: 4 Ways Cybersecurity Can Win

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/01/24/the-great-resignation-4-ways-cybersecurity-can-win/

Pandemics change everything.

In the Middle Ages, the Black Death killed half of Europe’s population. It also killed off the feudal system of landowning lords exploiting laborer serfs. Rampant death caused an extreme labor shortage and forced the lords to pay wages. Eventually, serfs had bargaining power and escalating wages as aristocrats competed for people to work their lands.

Think we invented “The Great Resignation?” 14th-century peasants did.

Last year, more than 40 million Americans quit their jobs. The trend raged across Europe. Workers in China went freelance. The Harvard Business Review reports resignations are highest in tech and healthcare, both seriously strained by the pandemic. Of course, cybersecurity has had a talent shortage for years now. As 2022 and back-to-office plans take shape, expect another tidal wave.

Here are four ideas about how to prepare for it and win.

1. You’ll do better if you label it The Great Rethinking

COVID-19’s daily specter of illness and death has spurred existential questions. “If life is so short, what am I doing? Is this all there is?”

Isolated with family every day, month after month, some of us have decided we’re happier than ever. Others are causing a big spike in divorce and the baby bust. Either way, people are confronting the quality of their relationships. Some friendships have made it into our small, carefully considered “safety pods,” and others haven’t.

As we rethink our most profound human connections, we’re surely going to rethink work and how we spend most of our waking hours.

2. Focus on our collective search for meaning

A mere 17% of us say jobs or careers are a source of meaning in life. But here, security professionals have a rare advantage.

Nearly all cybercrime is conducted by highly organized criminal gangs and adversarial nation states. They’ve breached power grids and pipelines, air traffic, nuclear installations, hospitals, and the food supply. Roughly 1 in 20 people a year suffer identity theft, which can produce damaging personal consequences that drag on and on. In December, hackers shut down city bus service in Honolulu and the Handi-Van, which people with disabilities count on to get around.

How many jobs can be defined simply and accurately as good vs. evil? How many align everyday people with the aims of the FBI and the Department of Justice? With lower-wage workers leading the Great Resignation last year, the focus has been on salary and raises. But don’t underestimate meaning.

3. Winners know silos equal stress and will get rid of them

Along with meaning and good pay, consider ways to make your security operations center (SOC) a better place to be. Consolidate your tools. Integrate systems. Extend your visibility. Improve the signal-to-noise ratio. The convergence of security information and event management (SIEM) and extended detection and response (XDR) protects you from a whole lot more than malicious attacks.

Remote work, hybrid work, and far-flung digital infrastructure are here to stay. So are attackers who’ve thrived in the last two years, shattering all records. If you’re among the 76% of security professionals who admit they really don’t understand XDR, know you’re not alone – but also know that XDR will soon separate winners from losers. Transforming your SOC with it will change what work is like for both you and your staff, and give you a competitive advantage.

4. You can take this message to the C-suite

Lower-wage workers started the trend, but CEO resignations are surging now (and it’s not just Jeff Bezos and Jack Dorsey). They’re employees, too, and the Great Rethinking has also arrived in their homes. Maybe COVID-19 meant they finally spent real time with their kids, and they’d like more of it, please. Maybe they’re exhausted from communicating on Zoom for the last two years. Maybe they think a new deal is in order for everyone.

As you make the case for XDR, consider your ability to give new, compelling context to your recommendations. XDR is the ideal collaboration between humans and machines, each doing what they do best. It reduces the chance executives will have to explain themselves on the evening news. It helps create work-life balance. Of course it makes sense.

And what about when things get back to normal? The history of diseases is they don’t really leave and we don’t really return to “normal.” Things change. We change. You can draw a straight line from the Black Death, to the idea of a middle class, then to the Renaissance. Here’s hoping.

Want more info on how XDR can help you meet today’s challenges?

Check out our resource center.

Evaluating MDR Vendors: A Pocket Buyer’s Guide

Post Syndicated from Mikayla Wyman original https://blog.rapid7.com/2022/01/13/evaluating-mdr-vendors-a-pocket-buyers-guide/

Cyberthreats are now the No. 1 source of stress among CEOs, with 71% of respondents to PwC’s 2021 CEO Study reporting they are “extremely concerned” about the issue. At the same time, the cybersecurity skills gap continues to grow, with 95% of security pros saying the shortage of talent in their field hasn’t improved. So while the seriousness of the problem has increased, the availability of in-house resources to adequately address it has not — particularly when it comes to finding talent with the specialized skills in detection and response.

These trends have led many organizations to partner with managed detection and response (MDR) service providers to address resource and skills gap challenges and build a strong competency to find and stop attackers in their environment.

By instantly extending your internal team’s capabilities with detection and response experts, MDR services can provide you the confidence that your environment is protected at all times.

And for those that struggle to build a fully staffed security operations center (SOC) with the right headcount, technology, and process to be effective — all while staying under a tight budget — MDR may provide a cost-effective method to quickly stand up a complete detection and response program.

In our 2022 MDR Buyer’s Guide, we outline the core capabilities that provide the foundation for evaluating MDR vendors. They include:

  • 24×7 SOC team with expert analysts
  • Extended detection and response (XDR) technology
  • Strategic guidance and collaboration
  • Threat hunting
  • Managed response
  • Digital forensics and incident/breach response (DFIR)
  • Automation
  • Simple, predictable pricing
  • SLA delivery standards

If you’re looking for a deep dive into each of these criteria, download the full guide!

In this post, we’ll streamline the discussion into 4 big-picture questions, providing you a quick-reference guide to use in the early stages of your MDR vendor selection journey, as you begin to identify your needs and narrow down your options.

1. Is this partner simply an outsourced SOC, or can they help us advance our overall security program?

An MDR provider is not just a vendor but a partner — and people are the foundation of any great partnership. You’ll want to ensure you ask the right questions regarding who will be servicing your organization and how, including:

  • How many MDR SOC analysts will be monitoring my environment 24×7?
  • What’s the experience level of the MDR SOC team we’ll be working with?
  • What is the average tenure and attrition rate of the team?
  • Will your partner suggest operational and strategic guidance to improve your program based on real-time threat monitoring and proactive threat hunting?
  • Is there someone who will be our Security Advisor that we meet with regularly?
  • What is the customer experience like when I need to connect with the MDR team?

2. Do they have the right tools at their disposal?

MDR provides real-time threat monitoring across the most critical elements of your IT environment: endpoints, network, users, and cloud sources. And those environments are becoming increasingly complex. The cloud enables rapid scaling, and threats can come from virtually anywhere.

To carry out their duties well in this context, MDR providers need to be using the right XDR technology for complete visibility and coverage. Here are some questions to ask that can help you get a better sense of how the MDR vendors you’re considering approach their technology implementation — and how that affects you as the customer.

  • Is the MDR SOC team using multiple third-party solutions, or a technology built by an embedded engineering team?
  • How do you detect threats that bypass preventative controls?
  • Will I have full access to your back-end technology? If not, will you provide self-service log search and dashboards?
  • Does the SOC perform proactive threat hunts on top of the real-time detections?
  • Will we have the ability to add SOAR automation capabilities to expedite the remediation process?

3. Can they pair insight with action?

The last thing you want to hear from an MDR provider is, “Hey, we found this threat — now you have to go fix it.” The vendors you’re considering should have a managed response approach to effectively curb attacks after detection.

To understand when and how vendors will respond to threats they detect, start with these key questions:

  • What types of managed response actions will the MDR SOC advisors take?
  • In what instances will the MDR service take response action on our behalf?
  • Will I have the opportunity to deny the containment response if I don’t want the SOC team to take action?

4. Does the service scale to our needs and budget?

Even if an MDR vendor sounds great on paper across all of these points, that doesn’t necessarily mean they’re right for you. After all, you wouldn’t buy a two-seater car as your primary vehicle for a family of four. It’s critical to evaluate your MDR provider on the axes of your program maturity and desired security outcomes — both as it is now and for your goals for the future. Here are a few questions that will help you get a sense of whether an MDR vendor’s service and pricing structure fits your organization’s requirements.

  • How is the MDR service priced?
  • In the event of a breach, does MDR include DFIR as you’d get if you had an incident response retainer?
  • Are there data allotment or retention limitations?
  • What is your mean time to detect (MTTD) and mean time to respond (MTTR)?

These kinds of questions should help point you in the right direction in your initial conversations with potential MDR vendors. As you begin to make more fine-tuned decisions, you’ll want to have a few more detailed questions to ask — which means understanding the ins and outs of the MDR landscape a little more fully.

Check out our full MDR Buyer’s Guide for 2022 to help you navigate your choices with confidence and clarity.

Demystifying XDR: How Humans and Machines Join Forces in Threat Response

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/01/12/demystifying-xdr-how-humans-and-machines-join-forces-in-threat-response/

In our first post on demystifying the concepts and practices behind extended detection and response (XDR) technology, Forrester analyst Allie Mellen joined Sam Adams, Rapid7’s VP for Detection and Response, to outline the basic framework for XDR and highlight the key outcomes it can help security teams achieve. One of the core components of XDR is that it expands the sources of telemetry available to security operations center (SOC) teams so they have richer, more complete data to help them detect and respond to threats.

That raises the question: How do SOC analysts keep productivity high while sifting through huge volumes of data?

Automation is one of the key ways SOC teams make their processes more efficient as they identify the most relevant threats and initiate the right responses. But automation can’t do everything an analyst can, and finding the right balance between machine learning and human know-how is an essential part of a successful XDR implementation.

Become the bridge

As Sam pointed out in his discussion with Allie, the security analyst acts as a bridge between what the data is saying and what the right course of action is in response to it.

“I got the alert, and you know, that’s not the hard part anymore,” he said. “The hard part is responding to the alert and figuring out what to do with that alert – and really, what the impact is on my company.”

For Allie, XDR helps analysts find a balance between security and productivity, but not by leaning too heavily on automation. In fact, she suggested we’ve had a “misplaced hope” for what machine learning can help us accomplish. Instead, it’s about setting up automation that augments the analysts’ work by helping them ask the right questions up front — and get to the answers faster.

The expert and the end user

In addition, automation can’t always tell us who the expert actually is about a particular security event. Sam gave the example of a suspicious login from Bermuda: After receiving that alert, it’s actually no longer the analyst who’s the expert on that incident, but the end user who was involved. The logical next step is to pick up the phone or send an email and ask that user, “Are you in Bermuda?” — and that takes a human touch rather than an automated action.
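
To ground the Bermuda scenario above, here is an added example (written for this page, not Rapid7’s or InsightIDR’s own detection logic) of the rule that would raise such an alert: a successful login from a country that is absent from the user’s recent successful-login baseline. The authentication events, field layout, thresholds and country codes are all constructed assumptions. The alert carries the user’s name precisely because, as Sam notes, that user is the one who can resolve it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events for this example (not real telemetry).
# Each tuple: (UTC timestamp, user, source country code, outcome).
SAMPLE_EVENTS = [
    ("2022-01-03T08:02:11Z", "alice", "US", "success"),
    ("2022-01-04T08:10:45Z", "alice", "US", "success"),
    ("2022-01-05T08:05:30Z", "alice", "US", "success"),
    ("2022-01-06T07:58:02Z", "alice", "US", "success"),
    ("2022-01-06T12:14:20Z", "bob", "DE", "success"),    # bob's first login ever
    ("2022-01-07T08:01:19Z", "alice", "US", "success"),
    ("2022-01-08T02:41:07Z", "alice", "BM", "failure"),  # failed attempt from Bermuda
    ("2022-01-08T02:42:55Z", "alice", "BM", "success"),  # success from Bermuda: alert
    ("2022-01-08T09:30:00Z", "bob", "FR", "success"),    # bob has too little history to judge
]

MIN_BASELINE_LOGINS = 3               # assumed threshold: prior logins needed for a usable baseline
BASELINE_WINDOW = timedelta(days=30)  # assumed look-back for where a user normally logs in from


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_new_country_logins(events, min_baseline=MIN_BASELINE_LOGINS, window=BASELINE_WINDOW):
    """Replay events in time order and return one alert per successful login whose
    source country does not appear in that user's recent successful-login baseline.

    Design choices:
      * failed logins never enter the baseline (an attacker's failures must not
        "teach" the rule a new country), and they do not alert here either;
      * a user with fewer than min_baseline prior logins is skipped, so a brand-new
        account does not alert on every first-seen location;
      * the alerting login is then added to history, so a second login from the
        same new country does not produce a duplicate alert.
    """
    history = defaultdict(list)  # user -> [(timestamp, country)] for successful logins
    alerts = []
    for ts_text, user, country, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "success":
            continue
        ts = parse_ts(ts_text)
        recent = [(t, c) for t, c in history[user] if ts - t <= window]
        known_countries = {c for _, c in recent}
        if len(recent) >= min_baseline and country not in known_countries:
            alerts.append({
                "user": user,
                "country": country,
                "timestamp": ts_text,
                "baseline_countries": sorted(known_countries),
                # The person who can actually resolve this alert is the end user.
                "next_step": f"Ask {user}: were you in {country} at {ts_text}?",
            })
        history[user].append((ts, country))
    return alerts


if __name__ == "__main__":
    for alert in detect_new_country_logins(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only Alice’s Bermuda login alerts; Bob’s move from DE to FR is silent because two logins are not enough history to call anything anomalous. Lowering min_baseline to 1 would make the rule fire on Bob too, which is the noise-versus-coverage trade-off every geography rule has to pick.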

“We assume we can get everything we need from the tools,” Allie pointed out, “and they abstract us away from the rest of the enterprise in that way. But it can be just as easy as turning to the person next to you and saying, ‘Hey, did you log into this?'”

Allie went on to note that this is one of the main reasons why it’s so important to foster a security culture throughout the whole business. When you build connections between the security team and individuals from other parts of the organization, and keep that rapport strong over time, SOC analysts can get many of the answers they need from their peers in other departments — and get to the answers much more quickly and accurately than a machine ever could.

Culture is a uniquely human thing, one that machines can never replicate or replace — and security culture is no exception. XDR broadens the data and tools that SOC teams can use to help them protect the organization, but even the best technology is no replacement for an educated team of end users who know how to implement security best practices, not to mention the sharp insights of seasoned SOC analysts. The real magic happens when all these elements, human and automated, work together — and in an XDR model, automation fills the gaps instead of taking center stage.

Want more XDR insights from our conversation with Allie? Check out the full talk.

What’s New in InsightIDR: Q4 2021 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/01/06/whats-new-in-insightidr-q4-2021-in-review/

More context and customization around detections and investigations, expanded dashboard capabilities, and more.

This post offers a closer look at some of the recent releases in InsightIDR, our extended detection and response (XDR) solution, from Q4 2021. Over the past quarter, we delivered updates to help you make more informed decisions, accelerate your time to respond, and customize your detections and investigations. Here’s a rundown of the highlights.

More customization options for your detection rules

InsightIDR provides a highly curated detections library, vetted by the security operations center (SOC) experts on our managed detection and response (MDR) team, but we know some teams want the ability to fine-tune these even further. In our Q3 wrap-up, we highlighted our new detection rules management experience. This quarter, we’ve made even more strides in leveling up our capabilities around detections to help you make more informed decisions and accelerate your time to respond.

Figure: Attacker Behavior Analytics Detection Rules viewed and sorted by rule priority

  • New detection rules management interface: With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available.
    • Change priority of detections and exceptions that are set to Creates Investigation as the Rule Action.
    • View and sort on priority from the main detection management screen.
    • More details on our detection rules experience can be found in our help docs, here.

  • Customizable priorities for UBA detection rules and custom alerts: Customers can now associate a rule priority (Critical, High, Medium, or Low) for all of their UBA and custom alert detection rules. The priority is subsequently applied to investigations created by a detection rule.
  • A simplified way to create exceptions: We added a new section to the detection rule details within “create exception” that shows which data the exception can be written against, including up to the 5 most recent matches for that detection rule. When you write an exception, the information you need is now in one window.

MITRE ATT&CK Matrix for detection rules

This new view maps detection rules to MITRE tactics and techniques commonly used by attackers. The view lets you see where you have coverage with Rapid7’s out-of-the-box detection rules for common attacker use cases and dig into each rule to understand the nature of that detection.

Figure: MITRE ATT&CK Matrix within Detection Rules

Investigation Management reimagined

At Rapid7, we know how limited a security analyst’s time is, so we reconfigured our Investigation Management experience to help our users improve the speed and quality of their decision-making when it comes to investigations. Here’s what you can expect:

  • A revamped user interface with expandable cards displaying investigation information
  • The ability to view, set, and update the priority, status, or disposition of an investigation
  • Filtering by the following fields: date range, assignee, status, priority level

Figure: New investigations interface

We also introduced MITRE-driven insights in Investigations. Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE and link out to attack.mitre.org for more information.

Figure: MITRE ATT&CK tab within Investigations Evidence panel

Rapid7’s ongoing emergent threat response to Log4Shell

Like the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache’s Log4j Java library (a.k.a. Log4Shell).

Through continuous collaboration and ongoing threat landscape monitoring, our Incident Response, Threat Intelligence and Detection Engineering, and MDR teams are working together to provide product coverage for the latest techniques being used by malicious actors. You can see updates on our InsightIDR and MDR detection coverage here and in-product.

A continually expanding library of pre-built dashboards

InsightIDR’s Dashboard Library has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. In Q4, we released 15 new pre-built dashboards covering:

  • Compliance (PCI, HIPAA, ISO)
  • General Security (Firewall, Asset Authentication)
  • Security Tools (Okta, Palo Alto, Crowdstrike)
  • Enhanced Network Traffic Analysis
  • Cloud Security

Figure: Dashboard Library in InsightIDR

Additional dashboard and reporting updates

  • Updates to dashboard filtering: Dashboard Filtering lets users apply an additional LEQL query across the data in all the cards of a dashboard. Customers can now populate the dashboard filter with Saved Queries from Log Search, as well as save a filter to a dashboard, eliminating the need to rebuild it every session.
  • Chart captions: We’ve added the ability for users to write plain text captions on charts to provide extra context about a visualization.
  • Multi-group-by queries and drill-in functionality: We’ve enabled Multi-group-by queries (already being used in Log search) so that customers can leverage these in their dashboards and create cards with layered data that they can drill in and out of.

Updates to Log Search and Event Sources

We recently introduced Rapid7 Resource Names (RRNs), unique identifiers attached to users, assets, and accounts in log search. An RRN identifies a platform resource at Rapid7 and stays constant no matter how many names or labels are associated with that resource.

In log search, an “R7_context” object has been added for log sets that have an attributed user, asset, account, or local accounts. Within the “R7_context” object, you will see any applicable RRNs appended. You can utilize the RRN as a search in log search or in the global search (which will link to users and accounts or assets and endpoints pages) to assist with more reliable searches for investigation processes.

Figure: New “r7_context” Rapid7 Resource Name (RRN) data in Log Search

Event source updates

  • Log Line Attribution for Palo Alto Firewall & VPN, Proofpoint TAP, Fortinet FortiGate: When setting up an event source, you now have the option to use information present directly in the source log lines, rather than relying solely on InsightIDR’s traditional attribution engine.
  • Cylance Protect Cloud event source: You can configure CylancePROTECT cloud to send detection events to InsightIDR to generate virus infection and third-party alerts.
  • InsightIDR Event Source listings available in the Rapid7 Extensions Hub: Easily access all InsightIDR event source related content in a centralized location.

Updates to Network Traffic Analysis capabilities

Insight Network Sensor optimized for 10 Gbps+ deployments: We have introduced a range of performance upgrades that make high-speed traffic analysis more accessible on off-the-shelf hardware, so you can gain east-west and north-south traffic visibility within physical, virtual, and cloud-based networks. If you want to take full advantage of these updates, check out the updated sensor requirements here.

InsightIDR Asset Page Updates: We have introduced additional data elements and visuals to the Assets page. This delivers greater context for investigations and enables faster troubleshooting, as asset and user information are in one location. All customers have access to:

  • Top IDS events triggered by asset
  • Top DNS queries

For customers with Insight Network Sensors and ENTA, these additional elements are available:

  • Top Applications
  • Countries by Asset Location
  • Top Destination IP Addresses

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Sharing the Gifts of Cybersecurity – Or, a Lesson From My First Year Without Santa

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/01/03/sharing-the-gifts-of-cybersecurity-or-a-lesson-from-my-first-year-without-santa/

Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of some holiday cheer, and we hope you’re still in the spirit of the season, too. Throughout January, we’ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let’s pick up where we left off.

My kid stopped believing this year.

I did what they recommend: said she was big enough to know the truth, that we are all Santas, and now she must be one, too. Every one of us — whether December means Christmas, Hanukkah, Kwanzaa, or just winter — is expected to give generously and sometimes anonymously, just to spread the goodness. And ideally, we do it a whole lot more than once a year.

Then, the a-ha moment arrived. You know who some of the best Santas on Earth are? The cybersecurity community. It’s full of givers, mostly with names we’ll never know.

Rewind to the early years of the internet: A 15-year-old stole source code for NASA’s International Space Station; Russians extracted $10 million from Citibank; the Department of Justice and Los Alamos National Laboratory (site of the Manhattan Project and home to classified nuclear and weapons secrets) were breached.

What happened next? Organized beneficence

In 1999, MITRE researchers released the first searchable public list of 321 common vulnerabilities, the start of the CVE program. In less than 3 years, more than 2,000 vulnerabilities had been shared. In 2013, MITRE began a second effort, the ATT&CK framework (released publicly in 2015), which documents attacker tactics and techniques based on real-world observations of advanced persistent threat actors. With this framework, the security community has a common language and library to understand attackers and what we can do to stop them.

MITRE ATT&CK is open and available to anyone for use at no charge. Of course, detailed ATT&CK mapping is part of InsightIDR’s vast library of critical attacker behaviors and endpoint detections.

Not long after MITRE published its first vulnerabilities, military systems at the Pentagon and NASA were breached by a guy looking for evidence of UFOs. The fun never ends. Around the same time, security expert and open source guru H.D. Moore released the first edition of his Metasploit Project with 11 exploits. Metasploit 2.0 followed quickly. With the 3.0 release, users began to contribute and a community was born.

Today, Rapid7’s Metasploit is a voluntary collaboration between 300,000+ users and contributors around the world, including Rapid7 security engineers. It includes more than 1,677 exploits across 25 platforms, and nearly 500 payloads. And it’s a favorite of pen testers and red teamers worldwide.

The Cyber Threat Alliance took everything up a notch

A nonprofit working to improve the security of our global digital ecosystem by enabling near real-time, high-quality threat information sharing, the Cyber Threat Alliance (CTA) has staff and a technology platform for sharing advanced threat data. CTA members — often competitors — work together in good faith to distribute timely, actionable, contextualized, and campaign-based intelligence.

Rapid7 is among the members who, on average, share 5 million observable events per month. And the result: We all get ever-better at thwarting adversaries and improving our collective security.

In 2017, the holiday spirit became a quarterly thing for us

That’s the year Rapid7 released our first threat intelligence report. Today, our quarterly Threat Reports share clear, distilled learnings and practical guidance from the wealth of data we continuously gather. Our sources include:

  • Metasploit, now the world’s most used pen testing framework
  • Rapid7’s Insight platform, covering vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more
  • Rapid7’s Project Sonar, which conducts internet-wide surveys across more than 70 different services and protocols to gain insights into global exposure to common vulnerabilities typically unknown to IT teams
  • Project Heisenberg, a globally distributed, low-interaction honeypot network that monitors for malicious inbound connections and gives us a basis for collaboration and cross-confirmation with other internet-scale researchers
  • Our global network of Managed Detection and Response (MDR) SOCs that use and vet Rapid7 products, do proactive threat hunting along with daily triage and remote incident response, and provide raw intelligence around emergent threats

The Internet connects everyone and everything with no centralized control. We put it together that way, and there’s clearly no grand plan to make it secure. So we step up. Every time the malware operation Emotet resurfaces, a group of security researchers and system administrators reunites to fight it. (The only name we really know is what they call themselves: “Cryptolaemus.” That’s a ladybird beetle that preys on mealybugs.)

My father-in-law sent a $300 gift card to a hacker. We’re easy marks, ruled by emotions that haven’t changed much since we were cave-dwelling Paleolithic hominins.

But we’re also us. You.

Whatever winter holiday you celebrated, here’s hoping it was a good one. And that you raised a glass to all the good folks, the good fight. Don’t stop believing.

Demystifying XDR: A Forrester Analyst Lays the Foundation

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/12/08/demystifying-xdr-a-forrester-analyst-lays-the-foundation/

Extended detection and response (XDR) is no longer a future state in cybersecurity practice — it’s a full-fledged reality for some. In fact, it’s been a thing for a lot longer than you might think.

Still, XDR is new vocabulary for many security operations center (SOC) teams, and the contours of this wide-ranging term can often feel a little fuzzy.

Sam Adams, VP for Detection and Response at Rapid7, recently sat down with Forrester Analyst Allie Mellen to dig deeper into the conceptual framework behind XDR and unpack how organizations can benefit from this approach.

Defining XDR

Allie and her colleagues at Forrester think of XDR “as an extension of endpoint detection and response technology,” she told Sam. “It’s about taking that philosophy that endpoint detection and response vendors have had for a long time around protecting where the business data is, around protecting the endpoint, and recognizing that, ultimately, that’s not enough for a SOC.”

The key concept behind XDR is to expand the sources of telemetry that SOC teams have at their disposal in order to widen their capabilities and help them better protect their organizations.

Identifying the right detections

Sam echoed the importance of this shift in mindset. He noted that when Rapid7 first launched InsightIDR as a security information and event management (SIEM) tool, we started out with a more prescriptive mindset: “Let’s find attacker behavior we’re interested in finding and figure out what sort of data we need to collect that.” But that quickly shifted to an approach that opened up the data sources, rather than narrowing them down.

“What we realized really early in our SIEM journey, and in our journey in building a detection and response platform, was that the endpoint data was an incredibly rich source of detections,” Sam said.

But at some point, you have to figure out what detections are most important. Allie noted that while SIEM has been an integral tool for SOC teams because it lets them easily bring in new sources of telemetry, endpoint detection and response vendors are introducing tools with much more targeted detections. An XDR vendor’s ability to identify threats and author detections for them is a key value-add for many end users.

“One of the reasons that they’re drawn to XDR is because a lot of the detection engineering is done for them,” Allie said, “and they know that they can trust it because it’s backed by this vendor that specializes not only in the technology but also has a whole threat research team dedicated to finding these threats and turning them into detections.”

Threat detected — what next?

These capabilities also enhance the “R” in XDR, with dynamic response recommendations that reflect the detections themselves, rather than a predetermined playbook. And given the current cybersecurity talent shortage, it’s all the more important for security teams to democratize this skill set so they can act quickly, with better insight.

But as Allie points out, it’s the intermediary step between detection and response that often trips teams up.

“The longest part of the incident response life cycle is investigation,” she said. This step can be especially difficult when detections are particularly complex.



But while investigation and root cause analysis remain a challenge, the slow-downs in this stage of the detection-and-response life cycle provide an important insight into the gaps that XDR needs to fill.

“While tools are able to provide detections and while we can orchestrate response actions, we’re not really giving the analyst everything they need to make a decision up front,” Allie said.

3 key outcomes of XDR

With XDR, Allie says, the goal is to better understand what’s going on in your environment and what to do about it by bringing in data across telemetry sources beyond just the endpoint. This drives better outcomes in 3 core areas:

  1. Improving detection efficacy: Whether you’re looking to lighten your detection engineer’s workload or you simply don’t have one on staff, XDR aims to provide the most effective detections on an ongoing basis.
  2. Making investigation easier: XDR makes analysts’ lives easier, too, by expanding the pool of telemetry sources to provide more comprehensive data and insights on threats.
  3. Enabling faster response: With better, shorter investigations, SOC analysts will know what to do next — and be able to put the gears in motion more quickly.

By bringing these benefits along with proactive use cases like threat hunting, the vision is for XDR to become the go-to tool for everything SOC teams need to do to keep organizations secure.

Want more XDR insights from our conversation with Allie? Check out the full talk.

The End of the Cybersecurity Skills Crisis (Maybe?)

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2021/11/22/the-end-of-the-cybersecurity-skills-crisis-maybe/

In just 4 years, you can learn to be fluent in Mandarin.

In 2 years, NASA can get you through astronaut training.

But the cybersecurity skills gap? It’s dire and dead-stuck in its fifth straight year of zero progress.

Globally, 3.5 million cybersecurity jobs remain unfilled, and of those candidates who do apply for open jobs, only 25% are qualified. Industry news and conferences are full of hot takes about XDR and how it will change everything in, say, another 5 years. The question is, who has that kind of time?

And don’t count on artificial intelligence to save the day: While it will be used to combat attacks with something like a “digital immune system,” the bad guys will use AI to enable attacks, too. We’ll always need humans and machines to collaborate, each doing what they do best.

Why the answer can’t be (and isn’t) another 5 years away

You know digital transformation and cloud migration are straining traditional security tools. Most enterprises are cobbling together a (sort of) full picture, running an average of 45 different cybersecurity-related tools on their networks. Most have arduous deployments, long ramp-ups, and heavy configurations. When all that’s done, they’re still tracking multiple threat intelligence feeds, drowning in alerts, and processing them manually. (ISC)2 is piloting a new, entry-level cybersecurity certification for fresh talent. Can anyone really train for all that?

But right now, today, a number of Rapid7 customers are achieving XDR efficiency and outcomes with InsightIDR. It’s reducing workloads, simplifying operations, easing staffing requirements, and preventing burnout. (If you haven’t yet, take a look at InsightIDR’s origin story, and you’ll understand exactly how and why.)

XDR is here, helping analysts at every level operate like experts

InsightIDR – a cloud-native, SaaS-delivered, unified SIEM and XDR – gives you contextualized intelligence from the clear, deep, and dark web, along with expertly vetted detections and the guided automation teams need. It fundamentally changes data analysis, investigation, threat hunting, and response.

Teams get curated detections out of the box, as well as a prescriptive approach to attacks. Expect automated response recommendations and prebuilt workflows for activities like containing threats on an endpoint, suspending user accounts, and integrating with ticketing systems like Jira and ServiceNow. Wizard guides help even the greenest analyst know where to go next.

InsightIDR also opens up end-to-end automation opportunities. You can automate common security tasks that reduce noise from alerts, directly contain threats such as malware or stolen credentials, integrate with ticketing and case management tools, and more.

Analysts handle anomalies quickly and well with intuitive search and query language, attribution of data to specific users, detailed correlation across events, and visualizations. InsightIDR lightens the workload and gives analysts a big jump start on the things that matter most.

A prediction

The day is coming (and who knows — it might be here) when cybersecurity job candidates will want to know exactly what technology they’ll be working with at your company. They’ll expect XDR. And they’ll have their own interview questions:

  • Are the more mundane, repetitive tasks automated yet?
  • Are you still tab-hopping, multi-tasking, and working distracted?
  • What’s your signal-to-noise ratio these days?
  • What’s the stress level like? Is it really a 40-hour week?

Millennials (ages 25-40) and Gen Z (recently in the job market and our future) are the most tech-savvy generations yet; Gen Z in particular is off the charts. Both put work-life balance above any other job characteristic — including pay and advancement opportunities. Techvalidate just asked InsightIDR customers if the platform ushered in better work-life balance. Almost 40% said yes.

The workplace is already trying to adjust, culturally and otherwise.

Both Millennials and Gen Z experience more anxiety and stress than older workers and their bosses. And while Millennials hope and angle for good work-life balance, Gen Z demands it rather assertively. They’ll ask for “mental health days” from time to time. No job gets to make their personal lives shambolic — it’s just not worth it. And the #1 source of job information they turn to? Your current and former employees.

If you have a band of stressed-out burnouts posting on Glassdoor, think about how that looks to a potential candidate. How you and your current staff are doing matters.

Here’s the thing — and forgive the rose-colored glasses

Cybersecurity is important, pioneering work that makes a difference. You protect companies, our economy, our country, and individual human beings. Security professionals do daily battle with criminal organizations, adversarial nation-states, and everyday duplicity. And it’s a job that didn’t even exist when most entry-level applicants were born.

Forrester analyst Allie Mellen believes in humanizing security operations, “taking away all the boring minutia we hate to do, and just leaving the really cool, creative stuff for us.” Mellen said, “XDR is definitely pushing down that path.” We think that’s an adventure anyone would line up for, as good as anything NASA has.

Start by downloading our eBook: “4 Ways XDR Levels Up Security Programs.”

Building Threat-Informed Defenses: Rapid7 Experts Share Their Thoughts on MITRE ATT&CK

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/11/04/building-threat-informed-defenses-rapid7-experts-share-their-thoughts-on-mitre-att-ck/

MITRE ATT&CK is considered by practitioners and the analyst community to be the most comprehensive framework of cybersecurity attacks and mitigation techniques available today. MITRE helps the security industry speak the same language and stick to a well-known, common framework.

To get more details on MITRE’s ATT&CK Matrix for Enterprise and its impact, I spoke with 3 members of Rapid7’s Managed Detection and Response team who have firsthand experience working with this framework every day — read our conversation below!

Laying some groundwork here, what are your thoughts on the MITRE ATT&CK framework?

John Fenninger, Manager of Rapid7’s Detection and Response Services, kicked us off by sharing his perspective:

“MITRE ATT&CK is an incredibly valuable framework for both vendors and customers. From things like compliance to more immediate needs like investigating an ongoing attack, MITRE makes it easy to see specific techniques that customers may not have heard of and helps think of tactical moves customers can protect against. With InsightIDR specifically, we align our detections to MITRE to give both our MDR SOC analysts and customers visibility into how far along a threat is on the ATT&CK chain.”

Rapid7 is not only a consumer of the MITRE ATT&CK Framework but an active contributor as well — in 2020, Rapid7 Incident Response Consultant Ted Samuels made a contribution to MITRE around a discovery for group policy objects that is now in the latest version of the ATT&CK framework.

Can you share your perspective on how the MITRE framework is used, and by whom?

When it comes to leveraging the MITRE ATT&CK framework, there are 2 key audiences to consider, says Rapid7’s Senior Detection & Response Analyst, Vidya Tambe:

“There are 2 main categories of users — people who write detections and people who do the analysis of the detections, and the MITRE framework is important for both. From the analyst side, we want to know what stage of attack each alert is at, and based on where the alert falls, we know how critical an incident is. With MITRE, we can track how an attacker got to where they are and what kind of escalations they did — overall, it helps us back-track to see what they were able to compromise.

“From the detection writing standpoint, we want to stop attacks before they get too far into someone’s environment. Attacker techniques are always evolving, and while we aim to write detections for all the phases, a primary focus is to try and write detections early on to stop attackers as early in the ATT&CK chain as possible.”

What advice do you have for security teams when it comes to leveraging the MITRE framework to drive successful detection and response?

Rapid7 Detection and Response Analyst Carlo Anez Mazurco shared some advice for teams when it comes to using the MITRE framework at their organization:

“The MITRE Framework allows us to build a threat-informed defense. It shows us the 3 main areas that we need to focus on for data collection, data analysis, and expansion of detections. For teams to successfully utilize the MITRE framework, they need visibility into the following data sources at a minimum:

  • Process and process command line monitoring can be collected via Sysmon, Windows Event Logs, and many EDR platforms
  • File and registry monitoring is also often collected by Sysmon, Windows Event Logs, and many EDR platforms
  • Authentication logs collected from the domain controller
  • Packet capture, especially east/west capture, such as those collected between hosts and enclaves in your network

“Teams need a platform like InsightIDR, Rapid7’s extended detection and response solution, where the data from all of these sources can be ingested. Whatever platform or tool teams choose to use for this data ingestion should include MITRE mappings to attacker behaviors to understand what attackers are trying to do inside our environment at each stage; the TTPs (Tactics, Techniques, Procedures) of each threat actor should be documented in each alert — InsightIDR maps its detections to the MITRE framework to do just this for users.”
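The two uses of ATT&CK mapping described above, stage-based triage for analysts and early-chain coverage for detection writers, as an added example that is not Rapid7 code. The technique-to-tactic table is a hand-picked subset of real ATT&CK IDs; the rule names, alerts and severity thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Tactics of the ATT&CK Enterprise matrix in kill-chain order, left to right.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Subset of real ATT&CK technique IDs and the tactic each is listed under.
TECHNIQUE_TACTIC = {
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1021.002": ("SMB/Windows Admin Shares", "lateral-movement"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
}

# Assumed severity policy: the further right on the matrix, the more critical.
SEVERITY_BY_STAGE = [(0, "low"), (2, "medium"), (4, "high"), (9, "critical")]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    asset: str
    rule: str
    technique_id: str


def tactic_stage(technique_id: str) -> int:
    """Position of a technique's tactic on the matrix (0 = reconnaissance)."""
    _, tactic = TECHNIQUE_TACTIC[technique_id]
    return TACTIC_ORDER.index(tactic)


def severity(stage: int) -> str:
    """Map a matrix position to the assumed severity tiers above."""
    level = "low"
    for threshold, name in SEVERITY_BY_STAGE:
        if stage >= threshold:
            level = name
    return level


def summarize_asset(alerts: list[Alert], asset: str) -> dict:
    """Analyst view: back-track one asset's alerts in time order and report the
    furthest tactic reached plus the severity that position implies."""
    chain = sorted((a for a in alerts if a.asset == asset), key=lambda a: a.ts)
    if not chain:
        return {"asset": asset, "chain": [], "furthest_tactic": None, "severity": "none"}
    furthest = max(tactic_stage(a.technique_id) for a in chain)
    return {
        "asset": asset,
        "chain": [f"{a.ts:%H:%M} {a.technique_id} {TECHNIQUE_TACTIC[a.technique_id][1]}"
                  for a in chain],
        "furthest_tactic": TACTIC_ORDER[furthest],
        "severity": severity(furthest),
    }


def uncovered_tactics(rules: dict[str, str], through: str = "discovery") -> list[str]:
    """Detection-writing view: tactics up to `through` that no rule maps to,
    i.e. where early-chain detections are still missing."""
    covered = {TECHNIQUE_TACTIC[t][1] for t in rules.values()}
    limit = TACTIC_ORDER.index(through)
    return [t for t in TACTIC_ORDER[: limit + 1] if t not in covered]


# Constructed detection rules (name -> technique they detect).
RULES = {
    "Office spawns script host": "T1566.001",
    "Encoded PowerShell command": "T1059.001",
    "LSASS handle from non-system process": "T1003.001",
    "Admin share logon from workstation": "T1021.002",
}

# Constructed alerts: WS01 shows a full progression, WS02 a single execution hit.
ALERTS = [
    Alert(datetime(2021, 11, 4, 9, 0), "WS01", "Office spawns script host", "T1566.001"),
    Alert(datetime(2021, 11, 4, 9, 2), "WS01", "Encoded PowerShell command", "T1059.001"),
    Alert(datetime(2021, 11, 4, 9, 10), "WS01", "LSASS handle from non-system process", "T1003.001"),
    Alert(datetime(2021, 11, 4, 9, 30), "WS01", "Admin share logon from workstation", "T1021.002"),
    Alert(datetime(2021, 11, 4, 9, 5), "WS02", "Encoded PowerShell command", "T1059.001"),
]

if __name__ == "__main__":
    for asset in ("WS01", "WS02"):
        print(summarize_asset(ALERTS, asset))
    print("early-chain gaps:", uncovered_tactics(RULES))
```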

You mentioned InsightIDR has MITRE mapping — can you dig a little more into how this impacts customers?

“Our InsightIDR platform helps our customers collect all the necessary data sources,” Carlo continued. “That includes process and process command line monitoring via our endpoint Insight Agent, as well as file monitoring. Plus, authentication logs are collected from domain controllers and also via the Insight Agent, and network flow inside the environment can be gathered through our Insight Network Sensor.

“Our ABA and UBA detections are mapped to the MITRE framework to show our customers which TTPs are the most commonly used by threat actors in their environment, and it gives an insight into the attack patterns in real time. You can see an example of this in one of our past Rapid7 Threat Reports here.

“Additionally, our Rapid7 Threat Intelligence team is always developing new threat detections based on the threat intelligence feeds and public repositories of attacker behaviors. These new detections are mapped to the TTPs inside the MITRE framework and pushed out to all Rapid7 customers.”

We also recently released a new view of Detection Rules in InsightIDR where all detections are mapped to the MITRE ATT&CK Framework, and users can see associated MITRE tactics, techniques, and sub-techniques for detections while performing an investigation.

Interested in learning more?

As you can see, we really value the MITRE ATT&CK framework here at Rapid7. With InsightIDR, your detections are vetted by a team of professional SOC analysts and mapped to MITRE to take the guesswork out of what an attacker might do next.

If you’re looking to hear more from us on MITRE, watch a quick 3-minute rundown on the framework here.

4 Simple Steps for an Effective Threat Intelligence Program

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/10/15/4-simple-steps-for-an-effective-threat-intelligence-program/

Threat intelligence is a critical part of an organization’s cybersecurity strategy, but given how quickly the state of cybersecurity evolves, is the traditional model still relevant?

Whether you’re a cybersecurity expert or someone who’s looking to build a threat intelligence program from the ground up in 2021, this simple framework transforms the traditional model, so it can apply to the current landscape. It relies on the technologies available today and can be implemented in four simple steps.

A quick look at the threat intelligence framework

The framework we’ll be referencing here is called the Intelligence Cycle, which breaks down into four phases:

[Figure: the Intelligence Cycle, with its four phases: direction, collection, analysis, dissemination]

This is the traditional framework you can use to implement a threat intelligence program in your organization. Let’s take a deeper look at each step, update them for the modern day, and outline how you can follow them in 2021.

To do this, we’ll leverage a use case of credential leakage as an example, which is a very important use case today. According to Verizon’s 2021 Data Breach Investigations Report, credentials remain one of the most sought-after data types, and it’s this type of data that gets compromised the fastest. As such, credential leakage is an area organizations of all sizes should be aware of and familiar with, making it an optimal choice for illustrating how to build an effective threat intelligence program.

1. Set a direction

The first step in this process is to set the direction of your program, meaning you need to outline what you’re looking for and what questions you want to ask and answer. To help with this, you can create Prioritized Intelligence Requirements, or PIRs, and a desired outcome.

For both your PIRs and desired outcome, you should aim to be as explicit as possible. In the case of credential leakage, for example, let’s set our PIR as: “I want to identify any usernames and passwords belonging to my employees that have been exposed to an unauthorized entity.”

We’ve selected these credentials for this example, because they are risky for the organization. Depending on your needs, you may identify different credentials with higher risk, but this is the type we’re focusing on for this use case.

With this very specific PIR outlined, we can now determine a desired outcome, which would be something like: “I want to force password reset for any of these passwords that are being used in the corporate environment before threat actors can use them.”

This is crucial, and later, we’ll see how the desired outcome impacts how we build this threat intelligence program.

2. Map out what data to collect

Once you’ve set your PIRs and desired outcome, you need to map out the sources of intelligence that will serve the direction.

For this use case, let’s identify how threat actors gain credentials. A few of the most common sources include:

  • Endpoints (usually harvested by botnets)
  • Third-party breaches
  • Code repositories
  • Posts on a forum/pastebin
  • Dark web black markets that buy/sell credentials

In the past, you might have turned to individual vendors who could help you with each of these areas. For example, you may have worked with an organization that specializes in endpoint security and another that could tackle incident response management for third-party breaches. But today, you’re better off finding a vendor who can support all the sources you need and provide complete coverage for all areas of risk, especially for something like credential leakage.

Regardless, by mapping out these sources, you can outline the areas you need to focus on for analysis.

3. Select your approach to analysis

Next up is analysis. You can take two approaches:

  1. Automated analysis: You can leverage AI or sophisticated algorithms that will classify relevant data into alerts of credential leakage, where the emails and passwords can be extracted and pulled out.
  2. Manual analysis: You can manually analyze the information by gathering all the data and having the analysts on your team review the data and decide what’s relevant to your organization.

The biggest advantage of manual analysis is flexibility. You can put more human resources, intelligence, and insight into the process to surface only what is relevant. But there are also disadvantages — for example, this process is much slower than automated analysis.

In the first phase of our program, we specified that we want to force password resets before threat actors leverage them for a cyberattack. This means that speed is extremely crucial in this use case. Now, you can see how the desired outcome is helping us make a decision about the type of approach we should take for analysis.

Automated analysis also requires significantly fewer resources. You don’t need a bunch of analysts to sort through the raw data and surface what is relevant. The classification and alerting of credential leakage is fully automated here. Plus, if threats are being automatically classified, they can likely be automatically remediated.

Let’s take a look at this in practice: Say your algorithm finds an email and password mentioned on a forum. The AI can classify the incident and extract the relevant information (e.g., the email/username and password) in a machine-readable format. Then, a response can be automatically applied, like force resetting the password for the identified user.

As you can see, there are advantages and disadvantages for each approach. When you assess them against our desired outcome, it’s clear that we should go with an automated approach for our credential leakage use case.

4. Disseminate analysis to take action

Finally, we come to the final phase: dissemination. Traditionally, when it comes to the intelligence cycle and the dissemination of threat intelligence, we talk about sending alerts and reports to the relevant stakeholders to review, so they can take action and respond accordingly.

But, as our example in the previous section shows, the future (and current state) of this process is fully automated remediation. With this in mind, we shouldn’t just discuss how we distribute alerts and information in the organization — we should also think about how we can take the intelligence and distribute it to security devices to automatically prevent the upcoming attack.

For leaked credentials, this could mean sending the intelligence to Active Directory to automatically force a password reset without human intervention. This is a great example of how shifting to an automated solution can dramatically reduce the time to remediation.

Once again, let’s go back to our PIR and desired outcome: We want to force the password reset before the threat actor uses the password. Speed is key here, so we should definitely automate the remediation. As such, we need a solution that takes the intelligence from the sources we’ve mapped out, automatically produces an alert with the information extracted, and then automatically remediates the threat to reduce risk as fast as possible.

This is how detection and response should look in 2021.
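An added example, not part of the original post, that runs the credential-leakage use case through steps 2 to 4 in code: a regex stands in for the vendor's classifier, a local salted-hash store stands in for the identity provider's password check, and the corp.example domain, the sample leak text and the reset callback are all constructed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable

CORP_DOMAIN = "corp.example"  # assumption: the organisation's mail domain

# Step 2, collection: constructed raw text as a collector for the mapped
# sources (paste sites, forums, dark-web markets) might return it.
COLLECTED = [
    ("paste-site", "retailer dump\nalice@corp.example:Summer2021!\nbob@other.example:hunter2\n"),
    ("forum", "combo list -> dave@corp.example;Welcome123 eve@corp.example;OldPass99\n"),
]

# email:password or email;password tokens; stands in for the vendor's classifier.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[:;](\S+)")


@dataclass(frozen=True)
class LeakedCredential:
    source: str
    email: str
    password: str


@dataclass(frozen=True)
class Alert:
    email: str
    source: str
    password_fingerprint: str  # SHA-256 prefix, so the alert never carries the plaintext
    action: str                # "force_password_reset" or "notify_only"


def extract_credentials(source: str, text: str) -> list[LeakedCredential]:
    """Step 3, automated analysis: pull corporate credential pairs out of raw
    text into a machine-readable form. Non-corporate pairs are dropped."""
    found = []
    for email, password in CRED_RE.findall(text):
        if email.lower().endswith("@" + CORP_DOMAIN):
            found.append(LeakedCredential(source, email.lower(), password))
    return found


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_directory(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Constructed stand-in for the identity store: salted PBKDF2 hashes only.
    The salt is derived from the email so the example is reproducible."""
    directory = {}
    for email, password in users.items():
        salt = hashlib.sha256(email.encode()).digest()[:16]
        directory[email] = (salt, _pbkdf2(password, salt))
    return directory


def password_in_use(directory: dict, cred: LeakedCredential) -> bool:
    """Does the leaked password match the user's current one? A real deployment
    delegates this check to the identity provider instead of holding hashes."""
    entry = directory.get(cred.email)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_pbkdf2(cred.password, salt), stored)


def build_alerts(directory: dict, collected: list[tuple[str, str]]) -> list[Alert]:
    """Classify every collected item and decide the response per credential."""
    alerts = []
    for source, text in collected:
        for cred in extract_credentials(source, text):
            fingerprint = hashlib.sha256(cred.password.encode()).hexdigest()[:12]
            action = "force_password_reset" if password_in_use(directory, cred) else "notify_only"
            alerts.append(Alert(cred.email, source, fingerprint, action))
    return alerts


def disseminate(alerts: list[Alert], force_reset: Callable[[str], None]) -> list[str]:
    """Step 4: push the intelligence straight to the identity store instead of
    a human review queue. Returns the accounts that were reset."""
    reset = []
    for alert in alerts:
        if alert.action == "force_password_reset":
            force_reset(alert.email)
            reset.append(alert.email)
    return reset


# Constructed current passwords: alice and dave still use the leaked ones,
# eve has already rotated, and bob is not a corporate account at all.
DIRECTORY = make_directory({
    "alice@corp.example": "Summer2021!",
    "dave@corp.example": "Welcome123",
    "eve@corp.example": "Rotated#2021",
})


def run_cycle() -> tuple[list[Alert], list[str]]:
    """Run collection -> analysis -> dissemination end to end."""
    alerts = build_alerts(DIRECTORY, COLLECTED)
    reset_accounts = disseminate(alerts, lambda email: None)  # stand-in for the AD reset call
    return alerts, reset_accounts


if __name__ == "__main__":
    found, reset_accounts = run_cycle()
    print(*found, "forced reset: " + ", ".join(reset_accounts), sep="\n")
```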

A simplified and modernized approach to threat intelligence

In summary, this revamped Intelligence Cycle describes how to build an effective threat intelligence program today.

Start by identifying your PIRs and desired outcome. Then, decide on a collection plan by outlining all sources that will drive the relevant intelligence. Next, for the vast majority of use cases, it’s important to have an automated analysis algorithm in place to classify alerts quickly and precisely. And finally, you should transition from manual dissemination to automated remediation, which can dramatically reduce time to remediation — something that’s more critical than ever due to the current state of cybersecurity.

By following these steps, you can build an effective threat intelligence program, and with this foundation in place, you can fine-tune it until you have a seamless process that saves your organization time and reduces risk across the board.

Curious to learn more? Read about Rapid7’s approach to automatic detection and response here.

Velociraptor to Announce Winners of Its 2021 Contributor Competition

Post Syndicated from Carlos Canto original https://blog.rapid7.com/2021/10/07/velociraptor-to-announce-winners-of-its-2021-contributor-competition/

Velociraptor and Rapid7 are excited to announce the winners of our 2021 Velociraptor Contributor Competition on Friday, October 8. This competition encourages development of useful content and extensions to the Velociraptor platform. Submissions include new functionality in the form of VQL artifacts, Velociraptor plugins, or new Velociraptor code and integrations. Judging will be done by a panel of various digital forensics and incident response (DFIR) industry leaders and security experts.

You can watch the announcement of the winners LIVE at the SANS Threat Hunting Summit on Friday, October 8th at 1 pm ET. To register for the summit, head to this page and click on the “Register for Summit” link. Registration is completely free.

The competition carries 3 prize levels: First prize is $5,000 USD, second prize is $3,000 USD, and third prize is $2,000 USD. The winning submissions will also be published on the Velociraptor website.

Velociraptor is an advanced DFIR tool that enhances visibility into all of your endpoints. To learn more about Velociraptor, visit our website or follow us on Twitter @velocidex.

What’s New in InsightIDR: Q3 2021 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/10/05/whats-new-in-insightidr-q3-2021-in-review/

This post offers a closer look at some of the recent updates and releases in InsightIDR, our extended detection and response solution, from Q3 2021.

Welcome IntSights to the Rapid7 Insight Platform family!

As you may have seen in recent communications, Rapid7 acquired IntSights, a leading provider of external threat intelligence and remediation. We’re excited to introduce their flagship external threat intelligence product, Threat Command, as part of our Rapid7 portfolio. Threat Command allows any SecOps team, regardless of size or capability maturity, to expand identification and remediation across an ever-expanding attack surface, while automating threat mitigation.

New detection rule management experience

We’re excited to announce that InsightIDR customers now have more customization and increased visibility for Attacker Behavior Analytics (ABA) detections. We’re continuing to make improvements and additions to our detections management experience — here are the latest additions:

  • Detection rules — Filter detection rules by threat group, rule behavior, and attributes for more visibility into your alerts and investigations.
  • MITRE ATT&CK mapping — View and filter detections by specific MITRE ATT&CK framework tactics and techniques for more context to the alerts in your environment.
  • Create exceptions to a detection rule — In the past, IDR customers could only turn alerts on or off for notable events. Now, you can create an exception that allows you to filter out noise and turn off detections based on key value pairs.

See the latest detection management experience in the demo below:

526 new ABA detection rules added to IDR

We’ve also added 526 new ABA detection rules into InsightIDR to expand its coverage of Windows, Mac, and Linux suspicious process threats, covering a wide variety of techniques on the MITRE ATT&CK matrix. These detection rules can be tuned to your environment by creating exceptions and modifying the rule action to only receive the alerts you care about. Visit the Detection Library for actionable descriptions and recommendations.

MITRE ATT&CK details in investigations

In addition to our detections updates, we’ve made improvements to our investigations experience to provide deeper insight into an attacker’s position in the kill chain and give context into the nature of an alert.

When performing an investigation in InsightIDR, detections will be mapped to a description of the associated MITRE tactics, techniques, and sub-techniques. You’ll also be prompted to visit attack.mitre.org to view context-rich adversary behavior profiles with descriptions, mitigation strategies, and detection recommendations for each tactic, technique, and sub-technique, developed by MITRE.

Monitor event source health

We recently released new visual tools to help you easily view the health of your event source data. You now have extensive visibility into data transmission and parsing rates of your event source. This allows you to check if an event source is running as intended, quickly identify any issues or unusual activity, or visually compare data for each event source.

New pre-built dashboards for HIPAA, ISO 27001, and more

We recently introduced a library of pre-built dashboards that make it easier than ever to get insight from your environment. Entire dashboards, created by our Rapid7 experts, can be set up in just a few clicks. Our dashboards cover a variety of topics, including key compliance frameworks like PCI, ISO 27001, and HIPAA; security tools like Zscaler and Okta; and more general dashboards covering Asset Authentication and Firewall activity.

The Lost Bots vlog series

Rapid7’s latest vlog series, The Lost Bots, hosted by Detection and Response Practice Advisor and former CISO Jeffrey Gardner, offers a look into the latest and greatest in security. In each episode, Jeffrey talks with fellow industry experts about current events and trends in the security space, best practices, and lessons from our Rapid7 SOC team. Each episode is available on our blog, as well as our Rapid7 YouTube channel.

Rapid7 MDR named an IDC MarketScape Leader

We’re thrilled that Rapid7’s MDR was recognized as a Leader in the IDC MarketScape: Managed Detection and Response 2021 Vendor Assessment. This IDC MarketScape report shows an unbiased look at 15 MDR players in the US market, evaluating each on capabilities. We credit this recognition to customers like you who provide the critical feedback and guidance to improve our service — thank you!

Attack Surface Visibility, now in MDR Essentials

Our goal with Attack Surface Visibility — built exclusively for our MDR Essentials — is to help customers act proactively with a monthly snapshot of how exposed their attack surface looks to an opportunistic attacker. While this certainly is not a replacement for a true vulnerability management program, Attack Surface Visibility lets your team see obvious weak points that attackers may exploit and helps optimize your efforts with clear, prioritized actions to remediate risks and improve your security posture.

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

[The Lost Bots] Episode 6: D&R + VM = WINNING!

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/10/04/the-lost-bots-episode-6-d-r-vm-winning/

Welcome back to The Lost Bots, a vlog series where Rapid7 Detection and Response Practice Advisor Jeffrey Gardner talks all things security with fellow industry experts. In this episode, we’re joined by fellow Practice Advisor Devin Krugly to discuss how Detection and Response + Vulnerability Management = a winning combination. The two are often viewed as separate and distinct functions; Jeffrey and Devin explore how combining them can greatly improve your response efforts and how you can set up a successful vulnerability management program.

Stay tuned for future episodes of The Lost Bots! Coming soon: Jeffrey discusses veterans in cybersecurity with fellow security professionals who are vets themselves.

SANS 2021 Threat Hunting Survey: How Organizations’ Security Postures Have Evolved in the New Normal

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/09/17/sans-2021-threat-hunting-survey-how-organizations-security-postures-have-evolved-in-the-new-normal/

It’s that time of year once again: The SANS Institute — the most trusted resource for cybersecurity research — has conducted its sixth annual Threat Hunting Survey, sponsored by Rapid7. The goal of this survey is to better understand the current threat hunting landscape and the benefits provided to an organization’s security posture as a result of threat hunting.

This year’s survey, “A SANS 2021 Survey: Threat Hunting in Uncertain Times,” has a unique focus, one that’s taken into consideration the impact of COVID-19 and how it’s affected organizations’ threat hunting. The findings indicate that the global pandemic has had a relatively mixed impact on the organizations surveyed, with many respondents unsure of what type of impact it’s had — and will have — on their threat hunting efforts.

Here’s a preview of the survey’s findings and its takeaways for organizations navigating today’s cybersecurity landscape.

Fewer organizations are performing threat hunting in 2021

According to the survey results, 12.6% fewer organizations are performing threat hunting in 2021 when compared to those surveyed in 2020. This is concerning, as threat hunting is an ever-evolving field, and organizations that don’t dedicate resources to it won’t be able to keep pace with the changes in tactics and techniques needed to find threat actors.

But what caused this dip? It seems to be a combination of organizations reducing their external spend with third parties and their overall internal staff in response to COVID-19. That said, this reduction cannot be fully accounted for by the pandemic.

Despite this decrease, there is good news: 93.1% of respondents indicated they have dedicated threat hunting staff, and the majority of respondents plan to increase spending on staffing and tools for threat hunting in the near future. Over the year to come, we’ll likely see an extended detection and response (XDR) approach leveraging tools like InsightIDR playing a key role in these efforts.

The threat hunting toolbox is evolving

The tools organizations are using to conduct threat hunting are evolving — but have they advanced enough to keep up with the modern cybersecurity landscape?

The output of threat hunting depends on three factors: visibility, skills, and threat intelligence. To achieve this output, threat hunters need the right tools. After asking respondents about their organizations’ tool chests, SANS found that over 75% of respondents are using a tool set that includes EDRs, SIEMs, and IDS/IPS.

It should come as no surprise that these tools are at the top — these are essential to establishing visibility. What is interesting, however, is the second-place spot taken by customizable tools, followed by threat intelligence platforms. This indicates there’s room for improvement for solutions vendors regarding threat hunting — and users are looking for deep insights. Tools like Rapid7’s cloud SIEM solution that cut through the noise and surface the threats that really matter are key in today’s complex IT environments.

Overall security posture has improved — but there’s room to grow

The improvements seen in organizations’ overall security posture as a result of threat hunting continue to show steady numbers. According to the study, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. In addition, 72.3% of respondents said threat hunting had a positive impact on their organization over time.

These are brilliant results to see, and they reinforce the positive impact threat hunting can have, even in the face of today’s extraordinary challenges.

That said, while there are clear benefits to threat hunting, there are some barriers to success for organizations, namely:

  • Over half (51.3%) of all respondents indicated the primary barrier for them as threat hunters is a lack of skilled staff and training.
  • This was closely followed (43%) by an even split of challenges between the limitations of tools or technologies and a lack of defined processes.

Organizations can start addressing these challenges in a variety of ways, including adopting best-in-class detection and response tooling and owning documentation, education, and maintenance at scale. These are manageable barriers that will come down with time, and despite a global pandemic, the overall outlook is good: this year’s survey suggests the general trend toward more threat hunting is being sustained.

Hopefully, these numbers continue to increase next year, and more organizations will reap the benefits of threat hunting.

To take a deeper dive into the survey’s findings, download the full report: A SANS 2021 Survey: Threat Hunting in Uncertain Times.

Learn more about how Rapid7’s Incident Detection and Response solutions can help you protect your organization and boost your ability to swiftly thwart attackers.

[The Lost Bots] Episode 5: Insider Threat

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/09/13/the-lost-bots-episode-5-insider-threat/

Welcome back to The Lost Bots, a vlog series where Rapid7 Detection and Response Practice Advisor Jeffrey Gardner talks all things security with fellow industry experts. This episode, we’re joined by Alan Foster (Manager, Domain Engineers) to discuss insider threats. It’s a topic we’ve all heard about, especially for those of us who are compliance-focused, but it’s also one whose definition has changed in response to recent breaches. Watch below to learn about the various types of insider threats (including those you may not have thought about), which threat(s) could cause the most damage, and tips to reduce the risk.


Stay tuned for future episodes of The Lost Bots! Coming soon: Jeffrey tackles vulnerability management and how it can not only reduce risk but also assist in your incident response programs.

Security at Scale in the Open-Source Supply Chain

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/09/08/security-at-scale-in-the-open-source-supply-chain/

“We’ve all heard of paying it forward, but this is ridiculous!” That’s probably what most of us think when one of our partners or vendors inadvertently leaves an open door into our shared supply-chain network; an attacker can enter at any time. Well, we probably think in slightly more expletive-laden terms, but nonetheless, no organization or company wants to be the focal point of blame from a multitude of (formerly) trusting partners or vendors.

Open-source software (OSS) is particularly susceptible to these vulnerabilities. OSS is simultaneously incredible and incredibly vulnerable. In fact, there are so many risks that can result from largely structuring operations on OSS that vendors may not prioritize patching a vulnerability once their security team is alerted. And can we blame them? They want to continue operations and feed the bottom line, not put a pause on operations to forever chase vulnerabilities and patch them one-by-one. But that leaves all of their supply-chain partners open to exploitation. What to do?

The supply-chain scene

Throughout a 12-month timeframe spanning 2019-2020, attacks aimed at OSS increased 430%, according to a study by Sonatype. It’s not quite as simple as “gain access to one, gain access to all,” but if a bad actor is properly motivated, this is exactly what can happen. In terms of motivation, supply-chain attackers can fall into 2 groups:

  • Bandwagoners: Attackers falling into this group will often wait for public disclosure of supply-chain vulnerabilities.
  • Ahead-of-the-curvers: Attackers falling into this group will actively hunt for and exploit vulnerabilities, saddling the unfortunate organization with malware and threatening its entire supply chain.

To tilt things further in attackers’ favor, the same Sonatype study also found that a shockingly low percentage of security organizations learn of new open-source vulnerabilities in the short term after they’re disclosed. Sure, everyone’s busy and has their priorities. But that ethos persists while these vulnerabilities are being exploited. Perhaps the project was shipped on time, but malicious code was simultaneously being injected somewhere along the line. Then, instead of continuing with forward progress, remediation becomes the name of the game.

According to the Sonatype report, there were more than a trillion open-source component and container download requests in 2020 alone. The most important aspects to consider then are the security history of your component(s) and how dependents along your supply chain are using them. Obviously, this can be overwhelming to think about, but with researchers increasingly focused on remediation at scale, the future of supply-chain security is starting to look brighter.

Learn more about open-source security + win some cash!

Submit to the 2021 Velociraptor Contributor Competition

Securing at scale

Instead of the one-by-one approach to patching, security professionals need to start thinking about securing entire classes of vulnerabilities. It’s true that there is no current catch-all mechanism for such efficient action. But researchers can begin to work together to create methodologies that enable security organizations to better prioritize vulnerability risk management (VRM) instead of filing each one away to patch at a later date.

Of course, preventive security measures — inclusive of our shift-left culture — can help to mitigate the need to scale such remediation actions; the fact remains though that bad actors will always find a way. Therefore, until there are effective ways to eliminate large swaths of vulnerabilities at once, there is a growing need for teams to adhere to current best practices and measures like:  

  • Dedicating time and resources to help ensure code is secure all along the chain
  • Thinking holistically about the security of open-source code with regard to the CI/CD lifecycle and the entire stack
  • Being willing to pitch in and develop coordinated, industry-wide efforts to improve the security of OSS at scale
  • Educating outside stakeholders on just how interdependent supply-chain-linked organizations are

As supply-chain attackers refine their methods to target ever-larger companies, the pressure is on developers to refine their understanding of how each and every contributor on a team can expose the organization and its partners along the chain, as The Linux Foundation points out. However, is this too much to put on the shoulders of DevOps? Shifting left to a DevSecOps culture is great and all, but teams are now being asked to think in the context of securing an entire supply chain’s worth of output.

This is why the industry at large must continue the push for research into new ways to eliminate entire classes of vulnerabilities. That’s a seismic shift left that will only help developers — and really, everyone — put more energy into things other than security.

Monitoring mindfully

While a proliferation of OSS components — as advantageous as they are for collaboration at scale — can make a supply chain vulnerable, the power of one open-source community can help monitor another open-source community. Velociraptor by Rapid7 is an open-source digital forensics and incident response (DFIR) platform.

This powerful DFIR tool thrives in loaded conditions. It can quickly scale incident response and monitoring and help security organizations to better prioritize remediation — actions well-suited to address the scale of modern supply-chain attacks. How quickly organizations choose to respond to incidents or vulnerabilities is, of course, up to them.

Supply chain security is ever-evolving

If one link in the chain is attacked via a long-languishing vulnerability whose risk has become increasingly hard to manage, it almost goes without saying that the company’s partners and vendors will immediately lose confidence in it, because the entire chain is now at risk. The public’s confidence will likely follow.

There are any number of preventive measures an interdependent security organization can implement. However, the need for further research into scaling security for whole classes of vulnerabilities comes at a crucial time as global supply-chain attacks more frequently occur in all shapes and sizes.

Want to contribute to a more secure open-source future?

Submit to the 2021 Velociraptor Contributor Competition

Cybersecurity as Digital Detective Work: DFIR and Its 3 Key Components

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/09/03/cybersecurity-as-digital-detective-work-dfir-and-its-3-key-components/

Thanks to CSI and the many other crime-solving shows that have grasped our collective imagination for decades, we’re all at least somewhat familiar with the field of forensics and its unique appeal. At some point, anyone who’s watched these series has probably envisioned themselves in the detective’s shoes, piecing together the puzzle of a crime scene based on clues others might overlook — and bringing bad guys to justice at the end.

Cybersecurity lends itself particularly well to this analogy. It takes an expert eye and constant vigilance to stay a step ahead of the bad actors of the digital world. And after all, there aren’t many other areas in the modern tech landscape where the matter at hand is actual crime.

Digital forensics and incident response (DFIR) brings detective-like skills and processes to the forefront of cybersecurity practice. But what does DFIR entail, and how does it fit into your organization’s big-picture incident detection and response (IDR) approach? Let’s take a closer look.

What is DFIR — and are you already doing it?

Security expert Scott J. Roberts defines DFIR as “a multidisciplinary profession that focuses on identifying, investigating, and remediating computer-network exploitation.” If you hear that definition and think, “Hey, we’re already doing that,” that may be because, in some sense, you already are.

Perhaps the best way to think of DFIR is not as a specific type of tech or category of tools, but rather as a methodology and a set of practices. Broadly speaking, it’s a field within the larger landscape of cybersecurity, and it can be part of your team’s incident response approach in the context of the IDR technology and workflows you’re already using.

To be good at cybersecurity, you have to be something of a detective — and the detective-like elements of the security practice, like log analysis and incident investigation, fit nicely within the DFIR framework. That means your organization is likely already practicing DFIR at some level, even though you might not have the full picture in place just yet.

3 key components of DFIR

The question is, how do you go from doing some DFIR practices piecemeal to a more integrated approach? And what are the benefits when you do it well? Here are 3 key components of a well-formulated DFIR practice.

1. Multi-system forensics

One of the hallmarks of DFIR is the ability to monitor and query all critical systems and asset types for indications of foul play. Roberts breaks this down into a few core functions, including file-system forensics, memory forensics, and network forensics. Each of these involves monitoring activity for signs of an attack on the system in question.

He also includes log analysis in this category. Although this is largely a tool-driven process these days, a SIEM or detection-and-response solution like InsightIDR can help teams keep on top of their logs and respond to the alerts that really matter.

2. Attack intelligence

Like a detective scouring the scene of a crime for that one clue that cracks the case, spotting suspicious network activity means knowing what to look for. There’s a reason why the person who solves the crime on our favorite detective shows is rarely the rookie and more often the grizzled veteran — a keen interpretative eye is formed by years of practice and skill-building.

For the practice of DFIR, this means developing the ability to think like an attacker, not only so you can identify and fix vulnerabilities in your own systems, but so that you can also spot the signs they’ve been exploited — if and when that happens. A pentesting tool like Metasploit provides a critical foundation for practicing DFIR with a high level of precision and insight.

3. Endpoint visibility

It’s no secret there are now more endpoints in corporate networks than ever before. The huge uptick in remote work during the COVID-19 pandemic has only increased the number and types of devices accessing company data and applications.

To do DFIR well in this context, security teams need visibility into this complex system of endpoints — and a way to clearly organize and interpret data gathered from them. A tool like Velociraptor can be critical in this effort, helping teams quickly collect and view digital forensic evidence from all of their endpoints, as well as proactively monitor them for suspicious activity.

A team effort

The powerful role open-source tools like Metasploit and Velociraptor can have in DFIR reminds us that incident response is a collaborative effort. Joining forces with other like-minded practitioners across the industry helps detection-and-response teams more effectively spot and stop attacks.

Velociraptor has launched a friendly competition to encourage knowledge-sharing within the field of DFIR. They’re looking for useful content and extensions to their open-source platform, with cash prizes for those that come up with submissions that add the most value and the best capabilities. The deadline is September 20, 2021, and there’s $5,000 on the line for the top entry.

Go head-to-head with other digital detectives

Submit to the 2021 Velociraptor Contributor Competition

SANS Experts: 4 Emerging Enterprise Attack Techniques

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/09/02/sans-experts-4-emerging-enterprise-attack-techniques/

In a recent report, a panel of SANS Institute experts broke down key takeaways and emerging attack techniques from this year’s RSA Security Conference. The long and short of it? This next wave of malicious methodologies isn’t on the horizon — it’s here.

When it comes to supply-chain and ransomware attacks, bad actors seem to have migrated to new ground over the last 2 years. The SANS Institute report found that government, healthcare, and retail (thanks in large part to online spending at the height of the pandemic) were the sectors showing the largest spike from the first quarter of 2020 to this year, in terms of finding themselves in attackers’ crosshairs. As larger incidents increase in frequency, let’s take a look at 4 specific attack formats trending toward the norm and how you can stay ahead of them.

1. Cracks in the facade of software integrity

Developers are under greater pressure to prioritize security (i.e., shift left) within the Continuous Integration/Continuous Delivery (CI/CD) lifecycle. This would seem to be at stark odds with the number of applications built on open-source software (OSS). And, if a security organization is part of a supply chain, how many pieces of OSS are being used at one time along that chain? The potential is huge for an exponential jump in the number of vulnerabilities in that group of interdependent organizations.

There are ways to mitigate these seemingly unstoppable threats. Measures like file integrity monitoring (FIM) surface changes to critical files on your network, alerting you to suspicious activity while also providing context as to the affected users and/or assets. Threat hunting can also help to expose vulnerabilities.

Used with a cloud-native, extended-detection-and-response (XDR) approach, Rapid7’s proactive threat-hunting capabilities leverage multiple security and telemetry sources to act on fine-grained insights and empower teams to quickly take down threats.

2. Do you have a token to get into that session?

Commonly, applications make use of tokens to identify a person wishing to access secure data, like banking information. A user’s mobile app will exchange the token with a server somewhere to verify that, indeed, this is the actual user requesting the information and not an attacker. Improper session handling happens when the protocols according to which these applications are working don’t properly secure identifying tokens.

The issue of improper user authentication was exacerbated by the onslaught of the pandemic, as companies raced to secure — or not — enterprise software for a quickly scaled-up remote workforce. To resolve this issue, individual users can simply make it a best practice to always hit that little “log off/out” button once they’re finished. Businesses can also do this by setting tokens to automatically expire after a predetermined length of time.  

At the enterprise level, security organizations can use a comprehensive application-testing strategy to monitor for weak session handling and nefarious attacker actions like:

  • Guessing a valid session token after only short-term monitoring
  • Using static tokens to target users, even if they’re not logged in
  • Leveraging a token to delete user data without knowing the username/password
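The server-side controls this section recommends (unguessable tokens, automatic expiry, and a "log off" that actually invalidates the session) in one small store, as an added example that is not code from Rapid7 or the SANS report. The timeout values are assumed policy numbers, and the in-memory dict stands in for the cache a real service would use.

```python
"""
Server-side session store with idle and absolute expiry and real logout.
Example code added for illustration; timeouts and the in-memory backing
store are assumptions, not a product implementation.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_S = 15 * 60           # assumed policy: drop sessions idle for 15 minutes
ABSOLUTE_LIFETIME_S = 8 * 60 * 60  # assumed policy: drop every session after 8 hours


@dataclass
class Session:
    user: str
    created: float    # clock value at login
    last_seen: float  # clock value of the last successful use


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock                      # injectable so tests need not sleep
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session and return the token the client will present."""
        # 32 bytes from the OS CSPRNG: the token is not derived from the user id,
        # the time or a counter, so watching a stream of earlier tokens gives
        # nothing to extrapolate the next one from.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user bound to a live token, or None for any failure."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_S
        life_expired = now - session.created > ABSOLUTE_LIFETIME_S
        if idle_expired or life_expired:
            # Purge expired entries so a token that leaks later cannot be replayed.
            del self._sessions[token]
            return None
        session.last_seen = now                  # activity slides the idle window
        return session.user

    def logout(self, token: str) -> None:
        """Invalidate on the server: clearing the browser cookie alone is not enough."""
        self._sessions.pop(token, None)

    def rotate(self, token: str) -> Optional[str]:
        """Swap a live token for a fresh one (e.g. after a password change),
        so any previously captured copy stops working."""
        user = self.authenticate(token)
        if user is None:
            return None
        self.logout(token)
        return self.login(user)


class FakeClock:
    """Controllable clock used to exercise expiry without waiting."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = SessionStore(clock=clock.now)
    tok = store.login("alice")
    print("fresh token accepted:", store.authenticate(tok) == "alice")
    clock.advance(IDLE_TIMEOUT_S + 1)
    print("idle token rejected:", store.authenticate(tok) is None)
```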

3. Turning the machines against us

No, that’s not a Terminator reference. If someone has built out a machine-learning (ML) algorithm correctly, it should do nothing but assist an organization in accomplishing its business goals. When it comes to security, this means being able to recognize traffic patterns that are relatively unknown and classifying them according to threat level.

However, attackers are increasingly able to corrupt ML algorithms and trick them into labeling malicious traffic as safe. Another sophisticated method is for attackers to purchase their own ML products and use them as training grounds to produce and deploy malware. InsightIDR from Rapid7 leverages user-behavior analytics (UBA) to stay ahead of malicious actions against ML algorithms.

Understanding how your ML product functions is key; it should build a baseline of normal user behavior across the network, then match new actions against data gleaned from a combination of machine learning and statistical algorithms. In this way, UBA exposes threats without relying on prior identification in the wild.
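A per-user baseline of the kind described above, built from past authentication events and then used to score new ones statistically, as an added example (not InsightIDR's algorithm). The log format, field names, thresholds and the login data are all constructed for the example.

```python
"""
Per-user behavioural baseline with statistical anomaly scoring.
Example code added for illustration; the log lines, field names and
thresholds are constructed and do not describe any product.
"""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


def make_baseline_log() -> List[str]:
    """Ten days of VPN logins for two users with stable habits (constructed)."""
    lines = []
    for day in range(10):
        for i, hour in enumerate((8, 10, 12, 14, 17)):  # alice: US business hours
            lines.append(f"2021-08-{day + 2:02d}T{hour:02d}:00:00 "
                         f"user=alice src_country=US bytes_out={50 + 5 * i + day}")
        for i, hour in enumerate((9, 13, 18)):          # bob: Berlin office
            lines.append(f"2021-08-{day + 2:02d}T{hour:02d}:00:00 "
                         f"user=bob src_country=DE bytes_out={40 + 10 * i + day}")
    return lines


def parse(line: str) -> dict:
    """Parse a 'TIMESTAMP key=value ...' line into typed fields."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"user": kv["user"], "hour": int(ts[11:13]),
            "country": kv["src_country"], "bytes_out": int(kv["bytes_out"])}


@dataclass
class UserProfile:
    hours: Counter = field(default_factory=Counter)   # login-hour histogram
    countries: set = field(default_factory=set)       # source countries seen
    volumes: List[int] = field(default_factory=list)  # bytes_out per session


@dataclass
class Verdict:
    score: int
    alert: bool
    reasons: List[str]


class Baseliner:
    """Learns each user's normal behaviour, then scores new events against it."""

    def __init__(self, rare_hour_frac=0.05, z_threshold=3.0, alert_score=3):
        self.rare_hour_frac = rare_hour_frac  # hour seen in <5% of logins counts as rare
        self.z_threshold = z_threshold        # outbound volume beyond 3 sigma is anomalous
        self.alert_score = alert_score        # combined score at which we raise an alert
        self.profiles: Dict[str, UserProfile] = defaultdict(UserProfile)

    def learn(self, lines: List[str]) -> None:
        for ev in map(parse, lines):
            p = self.profiles[ev["user"]]
            p.hours[ev["hour"]] += 1
            p.countries.add(ev["country"])
            p.volumes.append(ev["bytes_out"])

    def score(self, line: str) -> Verdict:
        ev = parse(line)
        p = self.profiles.get(ev["user"])
        if p is None or len(p.volumes) < 2:
            # No history to compare against: surface it rather than stay silent.
            return Verdict(self.alert_score, True, ["no_baseline"])
        score, reasons = 0, []
        if p.hours[ev["hour"]] / sum(p.hours.values()) < self.rare_hour_frac:
            score += 1
            reasons.append(f"rare_hour={ev['hour']:02d}")
        if ev["country"] not in p.countries:
            score += 2
            reasons.append(f"unseen_country={ev['country']}")
        mean, sd = statistics.mean(p.volumes), statistics.stdev(p.volumes)
        if sd == 0:
            z = 0.0 if ev["bytes_out"] == mean else float("inf")
        else:
            z = (ev["bytes_out"] - mean) / sd
        if z > self.z_threshold:  # only unusually large outbound volume is of interest
            score += 2
            reasons.append(f"volume_z={z:.1f}")
        return Verdict(score, score >= self.alert_score, reasons)


if __name__ == "__main__":
    model = Baseliner()
    model.learn(make_baseline_log())
    for line in ("2021-08-15T03:12:00 user=alice src_country=RO bytes_out=4000",
                 "2021-08-15T10:05:00 user=alice src_country=US bytes_out=80"):
        print(line.split()[1], model.score(line))
```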

4. Ramping up ransomware

Let’s face it: Attackers all over the world are essentially creating repositories and educational platforms in how to evolve and deploy ransomware. It takes sophistication, but ransomware packages are now available more widely to the non-tech set to, for lack of a more apt phrase, plug and play.

As attack methodologies ramp up in frequency and size, it’s not just data at risk anymore. Bad actors are threatening companies with wide public exposure and potentially a catastrophic loss to reputation. But there are opportunities to learn offensive strategies, as well as how attacker techniques can become signals for detection.

Target shifts

If the data in the SANS report tells us anything, it’s that attackers and their evolving methodologies — like those mentioned above — are constantly searching not just for bigger targets and paydays, but also easier paths to their goals.

Targeted industry shifts in year-over-year data show that the company or sector you’re in clearly makes no difference. Perhaps the biggest factor in bad actors’ strategies is the degree of ease with which they get what they want — and some industries still fall woefully behind when it comes to security and attack readiness.

Learn more about the latest threat trends

Read the full SANS report

[The Lost Bots] Episode 4: Deception Technology

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/08/30/the-lost-bots-episode-4-deception-technology/

Welcome back to The Lost Bots, a vlog series where Rapid7 Detection and Response Practice Advisor Jeffrey Gardner talks all things security with fellow industry experts. This episode is a little different, as it’s Jeffrey talking one-on-one with you about one of his favorite subjects: deception technology! Watch below to learn about the history, special characteristics, goals, and possible roadblocks (with counterpoints!) of what he likes to call “HoneyThings,” and also learn practical advice about the application of this amazing technology.


Stay tuned for future episodes of The Lost Bots! Coming soon: Jeffrey tackles insider threats where the threat is definitely inside your organization, but maybe not in the way you think.

[R]Evolution of the Cyber Threat Intelligence Practice

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/08/25/r-evolution-of-the-cyber-threat-intelligence-practice/

The cyber threat intelligence (CTI) space is one of the most rapidly evolving areas in cybersecurity. Not only are technology and products being constantly updated and evolved, but also methodologies and concepts. One of the key changes happening in the last few years is the transition from threat intelligence as a separate pillar — which disseminates threat reports to the security organization — to threat intelligence as a central hub that feeds all the functions in the security organization with knowledge and information on the most prioritized threats. This change requires a shift in both mindset and methodology.

Traditionally, CTI has been considered a standalone practice within the security organization. Whether the security organization has dedicated personnel or not, it has been a separate practice that produces reports about various threats to the organization — essentially, looking at the threat landscape and making the same threat data accessible to all the functions in the security organization.

Traditional CTI model

A traditional model of the CISO and the different functions in their security organization

The latest developments in threat intelligence methodologies are disrupting this concept. Effectively, threat intelligence is no longer a separate pillar, but something that should be ingested and considered in every security device, process, and decision-making event. Thus, the mission of the threat intelligence practitioner is no longer to simply create “threat reports,” but also to make sure that every part of the security organization effectively leverages threat intelligence as part of its day-to-day mission of detection, response, and overall risk management.

The evolution of threat intelligence is supported by the following primary trends in the cybersecurity space:

  1. Automation — Due to a lack of trained human resources, organizations are implementing more automation into their security operations. Supported by adoption of SOAR technologies, machine-to-machine communication is becoming much easier and more mainstream. Automation allows for pulling data from your CTI tools and constantly feeding it into various security devices and security processes, without human intervention. Essentially, supporting seamless and near-real-time integration of CTI into various security devices, as well as automated decision-making processes.
  2. Expanded access to threat intelligence — Threat intelligence vendors are investing a lot more in solutions that democratize threat intelligence and make it easy for various security practitioners to consume — for example, native applications for Security Information and Event Management (SIEM) to correlate threat data against internal logs, or browser extensions that inject threat context and risk analysis into the browser. Previously, you had lots of threat data that needed manual labor to review and take action; today, you have actionable insights that are seamlessly integrated into your security devices.

Updated CTI model

Today’s new model of the CISO and the role of threat intelligence in supporting the different functions in their organization

The new mission of the CTI practitioner

The new mission of the CTI practitioner is to tailor threat intelligence to every function in the security organization and make it an integral part of the function’s operations. This new approach requires them to not only update their mission, but also to gain new soft skills that allow them to collaborate with other functions in the security organization.

The CTI practitioner’s newly expanded mindset and skill set would include:

  1. Developing close relationships with various stakeholders — It’s not enough to send threat reports if the internal client doesn’t know how to consume them. What looks simple for a CTI specialist is not necessarily simple to other security practitioners. Thus, in order to achieve the CTI mission, it’s important to develop close relationships with various stakeholders so that the CTI specialist can better understand their pain points and requirements, as well as tailor the best solution for them to consume. This activity serves as a platform to raise their awareness of CTI’s value, thereby helping them come up with and commit to new processes that include CTI as part of their day-to-day.
  2. Having solid knowledge of the company strategy and operations — The key to a successful CTI program is relevancy; without relevancy, you’re left with lots of unactionable threat data. Relevancy is twice as important when you want to incorporate CTI into various functions within the organization. Relevant CTI can only be achieved when the company business, organizational chart, and strategy are clear. This clarity enables the CTI practitioner to realize what intelligence is relevant to each function and tailor it to the needs of each function.
  3. Deep understanding of the company tech stack — The CTI role doesn’t require only business understanding, but also deep technical understanding of the IT infrastructure and architecture. This knowledge will allow the CTI specialist to tailor the intelligence to the risks imposed on the company tech stack, and it will support building a plan to correlate internal logs against external threat intelligence.

Following are a few examples of processes the threat intelligence team needs to implement in order to tailor threat intelligence to other security functions and make it an integral part of their operations:

  1. Third-party breach monitoring — With the understanding that the weakest link might be your third party, there’s an increasing importance of timely detection of third-party breaches. CTI monitoring supports early detection of those cases and is followed by the IR team minimizing the risk. An example of this is monitoring ransomware gangs’ leak sites for any data belonging to your company that has been leaked from any third party.
  2. SOC incident triage — One of the main missions of the Security Operations Center (SOC) is to identify cyber incidents and make a quick decision on mitigation steps. This can be tremendously improved through threat intelligence information to triage the indicators (e.g., domains and IP addresses) of each event. Threat intelligence is the key to an effective and efficient triage of these events. This can be easily achieved through a threat intelligence browser extension that triages the IOCs while browsing in the SIEM.
  3. Vulnerability prioritization process — The traditional vulnerability prioritization process relies on the CVSS score and the criticality of the vulnerable assets. This focuses the prioritization efforts on the impact of an exploitation of the vulnerabilities and gives very little focus on the probability that these vulnerabilities will be exploited. Hacker chatter from the Dark Web and security researchers’ publications can help provide a good understanding of the probability that a certain vulnerability will actually be leveraged by a threat actor to launch a cyberattack. This probability factor is an essential missing piece in the vulnerability prioritization process.
  4. Trends analysis — The CTI practitioner has access to a variety of sources, allowing them to monitor trends in the cybersecurity domain, their specific industry, or in the data held in the company. This should be provided to leadership (not only security leadership) in order to allow smart, agile decision-making on existing risks.
  5. Threat intel and cybersecurity knowledge sharing — As with “traditional” intelligence, knowledge sharing can be a major force multiplier in cyber intelligence, too. Threat intel teams should aim to create as much external cooperation with other security teams — especially from the industry they work in — as they can. This will allow the team and the security organization to better understand the risks posed to the industry and, accordingly, their company. This information will also allow the CISO better visibility into the threat landscape that’s relevant to the company.
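The vulnerability prioritization point above, as an added example that is not code from the Rapid7 post: a CVSS-times-criticality ranking beside one that also multiplies in an exploitation likelihood derived from CTI signals. The vulnerability identifiers, asset criticality values, intel signals and the likelihood heuristic are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder identifier, not a real CVE reference
    cvss: float               # CVSS base score, 0.0 to 10.0
    asset_criticality: int    # 1 (low) to 5 (crown jewel), from the asset inventory
    known_exploited: bool = False   # CTI: exploitation observed in the wild
    public_poc: bool = False        # CTI: public proof-of-concept published
    chatter_mentions: int = 0       # CTI: underground/researcher mentions seen


def likelihood_from_intel(f: Finding) -> float:
    """Constructed heuristic mapping CTI evidence to a 0-1 exploitation likelihood.
    Confirmed in-the-wild exploitation dominates; a public PoC plus chatter comes
    next; bare chatter only nudges the probability upward, capped at 0.3."""
    if f.known_exploited:
        return 0.9
    if f.public_poc:
        return 0.6 if f.chatter_mentions >= 5 else 0.4
    return min(0.05 + 0.02 * f.chatter_mentions, 0.3)


def cvss_only_rank(findings):
    """Traditional ordering: impact only (CVSS x asset criticality)."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -(f.cvss * f.asset_criticality))]


def intel_weighted_rank(findings):
    """Impact x probability: the same impact score scaled by the CTI-derived likelihood."""
    def score(f):
        return f.cvss * f.asset_criticality * likelihood_from_intel(f)
    return [f.vuln_id for f in sorted(findings, key=lambda f: -score(f))]


# Constructed sample: VULN-A has the highest CVSS but no intel signal at all,
# VULN-B is lower-scored but confirmed exploited in the wild.
SAMPLE = [
    Finding("VULN-A", cvss=9.8, asset_criticality=4),
    Finding("VULN-B", cvss=7.5, asset_criticality=4, known_exploited=True),
    Finding("VULN-C", cvss=5.3, asset_criticality=5, public_poc=True, chatter_mentions=7),
    Finding("VULN-D", cvss=9.1, asset_criticality=1, chatter_mentions=3),
]

if __name__ == "__main__":
    print("CVSS only:      ", cvss_only_rank(SAMPLE))
    print("Intel weighted: ", intel_weighted_rank(SAMPLE))
```

The CVSS-only view patches VULN-A first; once the likelihood factor is applied, VULN-B and VULN-C move ahead of it, which is the reordering the paragraph above argues for.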

A valuable proposition

While the evolving CTI model is making threat intelligence implementation a bit more complex, as it includes collaboration with different functions, it makes the threat intelligence itself far more valuable and impactful than ever before. The future of cyber threat intelligence is getting a lot more exciting!

Cybercriminals Selling Access to Compromised Networks: 3 Surprising Research Findings

Post Syndicated from Paul Prudhomme original https://blog.rapid7.com/2021/08/24/cybercriminals-selling-access-to-compromised-networks-3-surprising-research-findings/

Cybercriminals are innovative, always finding ways to adapt to new circumstances and opportunities. The proof of this can be seen in the rise of a certain variety of activity on the dark web: the sale of access to compromised networks.

This type of dark web activity has existed for decades, but it matured and began to truly thrive amid the COVID-19 global pandemic. The worldwide shift to a remote workforce gave cybercriminals more attack surface to exploit, which fueled sales on underground criminal websites, where buyers and sellers transfer network access to compromised enterprises and organizations to turn a profit.

Having witnessed this sharp rise in breach sales in the cybercriminal ecosystem, IntSights, a Rapid7 company, decided to analyze why and how criminals sell their network access, with an eye toward understanding how to prevent these network compromise events from happening in the first place.

We have compiled our network compromise research, as well as our prevention and mitigation best practices, in the brand-new white paper “Selling Breaches: The Transfer of Enterprise Network Access on Criminal Forums.”

During the process of researching and analyzing, we came across three surprising findings we thought worth highlighting. For a deeper dive, we recommend reading the full white paper, but let’s take a quick look at these discoveries here.

1. The massive gap between average and median breach sales prices

As part of our research, we took a close look at the pricing characteristics of breach sales in the criminal-to-criminal marketplace. Unsurprisingly, pricing varied considerably from one sale to another. A number of factors can influence pricing, including everything from the level of access provided to the value of the victim as a source of criminal revenue.

That said, we found an unexpectedly significant discrepancy between the average price and the median price across the 40 sales we analyzed. The average price came out to approximately $9,640 USD, while the median price was $3,000 USD.

In part, this gap can be attributed to a few unusually high prices among the most expensive offerings. The lowest price in our dataset was $240 USD for access to a healthcare organization in Colombia, but healthcare pricing tends to trend lower than other industries, with a median price of $700 in this sample. On the other end of the spectrum, the highest price was for a telecommunications service provider that came in at about $95,000 USD worth of Bitcoin.

Because of this discrepancy, IntSights researchers view the average price of $9,640 USD as a better indicator of the higher end of the price range, while the median price is more representative of typical pricing for these sales — $3,000 USD was also the single most common price. Nonetheless, it was fascinating to discover this difference and dig into the reasons behind it.

2. The numerical dominance of tech and telecoms victims

While the sales of network access are a cross-industry phenomenon, technology and telecommunications companies are the most common victims. Not only are they frequent targets, but their compromised access also commands some of the highest prices on the market.

In our sample, tech and telecoms represented 10 of the 46 victims, or 22% of those affected by industry. Out of the 10 most expensive offerings we analyzed, four were for tech and telecommunications organizations, and there were only two that had prices under $10,000 USD. A telecommunications service provider located in an unspecified Asian country also had the single most expensive offering in this sample at approximately $95,000 USD.

After investigating the reasoning behind this numerical dominance, IntSights researchers believe that the high value and high number of tech and telecommunications companies as breach victims stem from their usefulness in enabling further attacks on other targets. For example, a cybercriminal who gains access to a mobile service provider could conduct SIM swapping attacks on digital banking customers who use two-factor authentication via SMS.

These prices were surprisingly high compared to other industries, but for good reason: the access may cost more upfront but prove more lucrative in the long run.

3. The low proportion of retail and hospitality victims

As previously mentioned, we broke down the sales of network access based on the industries affected, and to our surprise, only 6.5% of victims were in retail and hospitality. This seemed odd, considering the popularity of the industry as a target for cybercrime. Think of all the headlines in the news about large retail companies falling victim to a breach that exposed millions of customer credentials.

We explored the reasoning behind this low proportion of victims in the space and came to a few conclusions. For example, we theorized that the main customers for these network access sales are ransomware operators, not payment card data collectors. Payment card data collection is likely a more optimal way to monetize access to a retail or hospitality business, whereas putting ransomware on a retail and hospitality network would actually “kill the goose that lays the golden eggs.”

We also found that the second-most expensive offering in this sample was for access to an organization supporting retail and hospitality businesses. The victim was a third party managing customer loyalty and rewards programs, and the seller highlighted how a buyer could monetize this indirect access to its retail and hospitality customer base. This victim may have been more valuable because, among other things, loyalty and rewards programs are softer targets with weaker security than credit cards and bank accounts; thus, they’re easier to defraud.

Learn more about compromised network access sales

Curious to learn more about the how and why of cybercriminals selling compromised network access? Read our white paper, Selling Breaches: The Transfer of Enterprise Network Access on Criminal Forums, for the full story behind this research and how it can inform your security efforts.