Better Together: XDR, SOAR, Vulnerability Management, and External Threat Intelligence

Post Syndicated from Matthew Gardiner original https://blog.rapid7.com/2021/11/15/better-together-xdr-soar-vulnerability-management-and-external-threat-intelligence/

One of the biggest challenges with both incident response and vulnerability management is not just the raw number of incidents and vulnerabilities organizations need to triage and manage, but the fact that it’s often difficult to separate the critical incidents and vulnerabilities from the minor ones. If all incidents and vulnerabilities are treated as equal, teams will tend to underprioritize the critical ones and overprioritize those that are less significant. In fact, ZDNet reports that only 5.5% of all vulnerabilities are ever exploited in the wild, meaning that fixing all vulnerabilities with equal priority is a significant misallocation of resources, as 95% of them will likely never be exploited.

Unjamming incident response and vulnerability management

My experience with organizations over the years shows a similar issue with security incidents. Clearly not all incidents are created equal in terms of risk and potential impact, so if your organization is treating them equally, this also is a sign of misprioritization. And what organization has a surplus of incident response cycles to waste? Without some informed triaging and prioritization, the remediation of both incidents and vulnerabilities can get jammed up, and the security team can be blamed for “crying wolf” by raising the security alarm too often without strong evidence.

How do you better prioritize security incidents and vulnerabilities? Fundamentally, it comes down to simultaneously having the right data and intelligence from both inside your IT environment and the world outside. What if you could know with high certainty what you have, what is currently going on inside your IT environment, and whether and how threat actors’ current tools, tactics, techniques, and procedures are active and relevant to you? If this information and analysis were available at the right time, it would go a long way toward helping prioritize responses to both detected incidents and discovered vulnerabilities.

Integrating XDR, SOAR, vulnerability management, and external threat intelligence

The key building blocks of this approach require the combination of extended detection and response (XDR) for continuous visibility and threat detection; vulnerability management for vulnerability detection and management; SOAR for security management, integration, and automation; and external threat intelligence to inject information about what threat actors are actually doing and how this relates back to the organization. The intersection of these four security systems and sources of intelligence is where the magic happens.

Separately, XDR, SOAR, vulnerability management, and external threat intelligence are valuable in their own right. But when used closely together, they deliver greater security insights that help guide incident response and vulnerability management. Together, they help security teams focus their limited resources on the risks that matter most.

What Rapid7 is doing about it

Rapid7 is on the forefront of bringing this integrated approach to market. It starts — but does not end — with possessing all the underlying technology and expertise necessary to bring this approach to life through our products in XDR, SOAR, vulnerability management, and external threat intelligence. New and particularly important to this story is how Rapid7’s external threat intelligence offering, brought forward by the recent acquisition of IntSights, is integrated and directly available to assist with incident and vulnerability management prioritization and automation.

The newly released InsightConnect for IntSights Plugin enables, among other capabilities, the enrichment of indicators — IP addresses, domains, URLs, file hashes — with what is known about them in the outside world, such as whether they are part of attackers’ infrastructure, their registration details, when they were first seen, any associations with threat actor groups, severity, and other key aspects. This information, when linked to alerts and vulnerabilities, can help drive the response prioritizations that are incredibly important to improving incident response and vulnerability management effectiveness and efficiency.

This is just the start of integrating IntSights threat intelligence into Rapid7’s broader set of security offerings. Stay tuned for additional integration news as Rapid7 brings best-of-breed solutions further, combining our vulnerability management, detection and response, and threat intelligence products and services to solve more real-world security challenges.

4 Simple Steps for an Effective Threat Intelligence Program

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/10/15/4-simple-steps-for-an-effective-threat-intelligence-program/

Threat intelligence is a critical part of an organization’s cybersecurity strategy, but given how quickly the state of cybersecurity evolves, is the traditional model still relevant?

Whether you’re a cybersecurity expert or someone who’s looking to build a threat intelligence program from the ground up in 2021, this simple framework transforms the traditional model, so it can apply to the current landscape. It relies on the technologies available today and can be implemented in four simple steps.

A quick look at the threat intelligence framework

The framework we’ll be referencing here is called the Intelligence Cycle, which breaks down into four phases:

[Figure: the four phases of the Intelligence Cycle]

This is the traditional framework you can use to implement a threat intelligence program in your organization. Let’s take a deeper look at each step, update them for the modern day, and outline how you can follow them in 2021.

To do this, we’ll leverage a use case of credential leakage as an example, which is a very important use case today. According to Verizon’s 2021 Data Breach Investigations Report, credentials remain one of the most sought-after data types, and it’s this type of data that gets compromised the fastest. As such, credential leakage is an area organizations of all sizes should be aware of and familiar with, making it an optimal choice for illustrating how to build an effective threat intelligence program.

1. Set a direction

The first step in this process is to set the direction of your program, meaning you need to outline what you’re looking for and what questions you want to ask and answer. To help with this, you can create Prioritized Intelligence Requirements, or PIRs, and a desired outcome.

For both your PIRs and desired outcome, you should aim to be as explicit as possible. In the case of credential leakage, for example, let’s set our PIR as: “I want to identify any usernames and passwords belonging to my employees that have been exposed to an unauthorized entity.”

We’ve selected these credentials for this example, because they are risky for the organization. Depending on your needs, you may identify different credentials with higher risk, but this is the type we’re focusing on for this use case.

With this very specific PIR outlined, we can now determine a desired outcome, which would be something like: “I want to force password reset for any of these passwords that are being used in the corporate environment before threat actors can use them.”

This is crucial, and later, we’ll see how the desired outcome impacts how we build this threat intelligence program.

2. Map out what data to collect

Once you’ve set your PIRs and desired outcome, you need to map out the sources of intelligence that will serve the direction.

For this use case, let’s identify how threat actors gain credentials. A few of the most common sources include:

  • Endpoints (usually harvested by botnets)
  • Third-party breaches
  • Code repositories
  • Posts on a forum/pastebin
  • Dark web black markets that buy/sell credentials

In the past, you might have turned to individual vendors who could help you with each of these areas. For example, you may have worked with an organization that specializes in endpoint security and another that could tackle incident response management for third-party breaches. But today, you’re better off finding a vendor who can support all the sources you need and provide complete coverage for all areas of risk, especially for something like credential leakage.

Regardless, by mapping out these sources, you can outline the areas you need to focus on for analysis.

3. Select your approach to analysis

Next up is analysis. You can take two approaches:

  1. Automated analysis: You can leverage AI or sophisticated algorithms that will classify relevant data into alerts of credential leakage, from which the emails and passwords can be extracted.
  2. Manual analysis: You can manually analyze the information by gathering all the data and having the analysts on your team review the data and decide what’s relevant to your organization.

The biggest advantage of manual analysis is flexibility. You can put more human resources, intelligence, and insight into the process to surface only what is relevant. But there are also disadvantages — for example, this process is much slower than automated analysis.

In the first phase of our program, we specified that we want to force password resets before threat actors leverage them for a cyberattack. This means that speed is extremely crucial in this use case. Now, you can see how the desired outcome is helping us make a decision about the type of approach we should take for analysis.

Automated analysis also requires significantly fewer resources. You don’t need a bunch of analysts to sort through the raw data and surface what is relevant. The classification and alerting of credential leakage is fully automated here. Plus, if threats are being automatically classified, they can likely be automatically remediated.

Let’s take a look at this in practice: Say your algorithm finds an email and password mentioned on a forum. The AI can classify the incident and extract the relevant information (e.g., the email/username and password) in a machine-readable format. Then, a response can be automatically applied, like force resetting the password for the identified user.

As you can see, there are advantages and disadvantages for each approach. When you assess them against our desired outcome, it’s clear that we should go with an automated approach for our credential leakage use case.

4. Disseminate analysis to take action

Finally, we come to the final phase: dissemination. Traditionally, when it comes to the intelligence cycle and the dissemination of threat intelligence, we talk about sending alerts and reports to the relevant stakeholders to review, so they can take action and respond accordingly.

But, as our example in the previous section shows, the future (and current state) of this process is fully automated remediation. With this in mind, we shouldn’t just discuss how we distribute alerts and information in the organization — we should also think about how we can take the intelligence and distribute it to security devices to automatically prevent the upcoming attack.

For leaked credentials, this could mean sending the intelligence to Active Directory to automatically force a password reset without human intervention. This is a great example of how shifting to an automated solution can dramatically reduce the time to remediation.

Once again, let’s go back to our PIR and desired outcome: We want to force the password reset before the threat actor uses the password. Speed is key here, so we should definitely automate the remediation. As such, we need a solution that takes the intelligence from the sources we’ve mapped out, automatically produces an alert with the information extracted, and then automatically remediates the threat to reduce risk as fast as possible.

This is how detection and response should look in 2021.
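The four steps above, carried through on the credential leakage use case as an added example (this is illustrative code written for this page, not Rapid7's or IntSights' implementation). The corporate domain, the findings, and the directory of current password fingerprints are constructed; `reset_fn` is a hypothetical stand-in for the directory's reset call.

```python
import hashlib
import re
from dataclasses import dataclass

# Step 1, direction: the PIR is "credentials belonging to my employees", so only this domain counts.
CORP_DOMAIN = "example.com"


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so alerts and logs never carry the plaintext password."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


# Constructed directory (hypothetical): username -> fingerprint of the password currently in use.
# A real directory does not expose this; it stands in for an "is this password live?" check.
DIRECTORY = {
    "alice": fingerprint("Winter2021!"),   # the leaked password is the live one
    "bob": fingerprint("Spring2022?"),     # the leaked password is an old one
}

# Step 2, collection: constructed raw items from the sources mapped out above.
RAW_FINDINGS = [
    {"source": "forum", "text": "fresh combo list:\nalice@example.com:Winter2021!\nbob@example.com:hunter2"},
    {"source": "code_repo", "text": "DB_USER=svc_build\nDB_PASS=Tr0ub4dor&3"},
    {"source": "breach", "text": "dave@example.com:oldpass99\nmallory@other.org:pw"},
    {"source": "forum", "text": "selling 10k accounts, DM me"},
]

# email, its domain, a separator, then the password (stops at whitespace)
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))[:;,|\s]+(\S+)")


@dataclass(frozen=True)
class Alert:
    source: str
    username: str
    email: str
    password_fp: str


def classify(finding, domain=CORP_DOMAIN):
    """Step 3, automated analysis: one raw item becomes zero or more machine-readable alerts."""
    alerts = []
    for m in CRED_RE.finditer(finding["text"]):
        email, email_domain, password = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if email_domain != domain:
            continue  # outside the PIR: not one of our employees
        alerts.append(Alert(finding["source"], email.split("@")[0], email, fingerprint(password)))
    return alerts


def remediate(alerts, directory=DIRECTORY, reset_fn=None):
    """Step 4, dissemination straight to the identity system rather than to a human-read report.
    Only a password that is actually in use is reset, so a planted fake leak cannot lock
    everyone out; stale leaks are still recorded because the user may reuse them elsewhere."""
    actions, handled = [], set()
    for a in alerts:
        if a.username in handled:
            continue  # one decision per account per run, even if leaked in several places
        handled.add(a.username)
        current = directory.get(a.username)
        if current is None:
            actions.append(("no_such_account", a.username, a.source))
        elif current != a.password_fp:
            actions.append(("stale_credential", a.username, a.source))
        else:
            if reset_fn is not None:
                reset_fn(a.username)
            actions.append(("force_password_reset", a.username, a.source))
    return actions


def run_pipeline(findings=RAW_FINDINGS):
    alerts = [a for f in findings for a in classify(f)]
    return alerts, remediate(alerts)


if __name__ == "__main__":
    for action in run_pipeline()[1]:
        print(action)
```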

A simplified and modernized approach to threat intelligence

In summary, this revamped Intelligence Cycle represents how to build an effective threat intelligence program today.

Start by identifying your PIRs and desired outcome. Then, decide on a collection plan by outlining all sources that will drive the relevant intelligence. Next, for the vast majority of use cases, it’s important to have an automated analysis algorithm in place to classify alerts quickly and precisely. And finally, you should transition from manual dissemination to automated remediation, which can dramatically reduce time to remediation — something that’s more critical than ever due to the current state of cybersecurity.

By following these steps, you can build an effective threat intelligence program, and with this foundation in place, you can fine-tune it until you have a seamless process that saves your organization time and reduces risk across the board.

Curious to learn more? Read about Rapid7’s approach to automatic detection and response here.

SANS 2021 Threat Hunting Survey: How Organizations’ Security Postures Have Evolved in the New Normal

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/09/17/sans-2021-threat-hunting-survey-how-organizations-security-postures-have-evolved-in-the-new-normal/

It’s that time of year once again: The SANS Institute — the most trusted resource for cybersecurity research — has conducted its sixth annual Threat Hunting Survey, sponsored by Rapid7. The goal of this survey is to better understand the current threat hunting landscape and the benefits provided to an organization’s security posture as a result of threat hunting.

This year’s survey, “A SANS 2021 Survey: Threat Hunting in Uncertain Times,” has a unique focus, one that’s taken into consideration the impact of COVID-19 and how it’s affected organizations’ threat hunting. The findings indicate that the global pandemic has had a relatively mixed impact on the organizations surveyed, with many respondents unsure of what type of impact it’s had — and will have — on their threat hunting efforts.

Here’s a preview of the survey’s findings and its takeaways for organizations navigating today’s cybersecurity landscape.

Fewer organizations are performing threat hunting in 2021

According to the survey results, 12.6% fewer organizations are performing threat hunting in 2021 when compared to those surveyed in 2020. This is concerning, as threat hunting is an ever-evolving field, and organizations that don’t dedicate resources to it won’t be able to keep pace with the changes in tactics and techniques needed to find threat actors.

But what caused this dip? It seems to be a combination of organizations reducing their external spend with third parties and their overall internal staff in response to COVID-19. That said, this reduction cannot be fully accounted for by the pandemic.

Despite this decrease, there is good news: 93.1% of respondents indicated they have dedicated threat hunting staff, and the majority of respondents plan to increase spending on staffing and tools for threat hunting in the near future. Over the year to come, we’ll likely see an extended detection and response (XDR) approach leveraging tools like InsightIDR playing a key role in these efforts.

The threat hunting toolbox is evolving

The tools organizations are using to conduct threat hunting are evolving — but have they advanced enough to keep up with the modern cybersecurity landscape?

The output of threat hunting depends on three factors: visibility, skills, and threat intelligence. To achieve this output, threat hunters need the right tools. After asking respondents about their organizations’ tool chests, SANS found that over 75% of respondents are using a tool set that includes EDRs, SIEMs, and IDS/IPS.

It should come as no surprise that these tools are at the top — these are essential to establishing visibility. What is interesting, however, is the second-place spot taken by customizable tools, followed by threat intelligence platforms. This indicates there’s room for improvement for solutions vendors regarding threat hunting — and users are looking for deep insights. Tools like Rapid7’s cloud SIEM solution that cut through the noise and surface the threats that really matter are key in today’s complex IT environments.

Overall security posture has improved — but there’s room to grow

The improvements seen in organizations’ overall security posture as a result of threat hunting continue to show steady numbers. According to the study, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. In addition, 72.3% of respondents claimed threat hunting had a positive impact on their organization over time.

These are brilliant results to see, and they reinforce the positive impact threat hunting can have, even in the face of today’s extraordinary challenges.

That said, while there are clear benefits to threat hunting, there are some barriers to success for organizations, namely:

  • Over half (51.3%) of all respondents indicated the primary barrier for them as threat hunters is a lack of skilled staff and training.
  • This was closely followed (43%) by an even split of challenges between the limitations of tools or technologies and a lack of defined processes.

Organizations can start addressing these challenges in a variety of ways, including adopting best-in-class detection and response tooling and owning documentation, education, and maintenance at scale. These are manageable barriers that will come down with time, and despite a global pandemic, the overall outlook is good, as the general trend toward more threat hunting appears to hold in this year’s survey.

Hopefully, these numbers continue to increase next year, and more organizations will reap the benefits of threat hunting.

To take a deeper dive into the survey’s findings, download the full report: A SANS 2021 Survey: Threat Hunting in Uncertain Times.

Learn more about how Rapid7’s Incident Detection and Response solutions can help you protect your organization and boost your ability to swiftly thwart attackers.

SANS Experts: 4 Emerging Enterprise Attack Techniques

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/09/02/sans-experts-4-emerging-enterprise-attack-techniques/

In a recent report, a panel of SANS Institute experts broke down key takeaways and emerging attack techniques from this year’s RSA Security Conference. The long and short of it? This next wave of malicious methodologies isn’t on the horizon — it’s here.

When it comes to supply-chain and ransomware attacks, bad actors seem to have migrated to new ground over the last 2 years. The SANS Institute report found that government, healthcare, and retail (thanks in large part to online spending at the height of the pandemic) were the sectors showing the largest spike from the first quarter of 2020 to this year, in terms of finding themselves in attackers’ crosshairs. As larger incidents increase in frequency, let’s take a look at 4 specific attack formats trending toward the norm and how you can stay ahead of them.

1. Cracks in the facade of software integrity

Developers are under greater pressure to prioritize security (i.e., shift left) within the Continuous Integration/Continuous Delivery (CI/CD) lifecycle. This would seem to be at stark odds with the number of applications built on open-source software (OSS). And, if a security organization is part of a supply chain, how many pieces of OSS are being used at one time along that chain? The potential is huge for an exponential jump in the number of vulnerabilities in that group of interdependent organizations.

There are ways to mitigate these seemingly unstoppable threats. Measures like file integrity monitoring (FIM) surface changes to critical files on your network, alerting you to suspicious activity while also providing context as to the affected users and/or assets. Threat hunting can also help to expose vulnerabilities.

Used with a cloud-native, extended-detection-and-response (XDR) approach, Rapid7’s proactive threat-hunting capabilities leverage multiple security and telemetry sources to act on fine-grained insights and empower teams to quickly take down threats.

2. Do you have a token to get into that session?

Commonly, applications make use of tokens to identify a person wishing to access secure data, like banking information. A user’s mobile app will exchange the token with a server somewhere to verify that, indeed, this is the actual user requesting the information and not an attacker. Improper session handling happens when the protocols according to which these applications are working don’t properly secure identifying tokens.

The issue of improper user authentication was exacerbated by the onslaught of the pandemic, as companies raced to secure — or not — enterprise software for a quickly scaled-up remote workforce. To resolve this issue, individual users can simply make it a best practice to always hit that little “log off/out” button once they’re finished. Businesses can also do this by setting tokens to automatically expire after a predetermined length of time.

At the enterprise level, security organizations can use a comprehensive application-testing strategy to monitor for weak session handling and nefarious attacker actions like:

  • Guessing a valid session token after only short-term monitoring
  • Using static tokens to target users, even if they’re not logged in
  • Leveraging a token to delete user data without knowing the username/password
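The two defensive controls named above, unguessable tokens and automatic expiry plus server-side logout, in one small session store, as an added example (written for this page, not code from Rapid7 or the SANS report). The TTL and idle-timeout values are assumed policy numbers; the injectable clock exists so expiry can be exercised without sleeping.

```python
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_TTL = 8 * 3600   # hard cap on a session's life, in seconds (assumed policy value)
IDLE_TIMEOUT = 15 * 60    # end the session after this much inactivity (assumed policy value)


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side session table: the client only ever holds an opaque random token."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, user):
        # 256 bits from the OS CSPRNG; a counter, timestamp or user id would let an
        # observer predict the next token after watching only a few of them
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token):
        """Return the user bound to a live token, or None. Dead tokens are purged on sight."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.issued_at > ABSOLUTE_TTL or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s.last_seen = now  # the idle window slides; the absolute cap does not
        return s.user

    def revoke(self, token):
        """The 'log off' button: invalidate server-side, so a copied token is useless afterwards."""
        return self._sessions.pop(token, None) is not None

    def revoke_user(self, user):
        """Drop every session of one user, e.g. after a forced password reset."""
        dead = [t for t, s in self._sessions.items() if s.user == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice")
    print(store.validate(tok), store.revoke(tok), store.validate(tok))
```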

3. Turning the machines against us

No, that’s not a Terminator reference. If someone has built out a machine-learning (ML) algorithm correctly, it should do nothing but assist an organization in accomplishing its business goals. When it comes to security, this means being able to recognize traffic patterns that are relatively unknown and classifying them according to threat level.

However, attackers are increasingly able to corrupt ML algorithms and trick them into labeling malicious traffic as safe. Another sophisticated method is for attackers to purchase their own ML products and use them as training grounds to produce and deploy malware. InsightIDR from Rapid7 leverages user-behavior analytics (UBA) to stay ahead of malicious actions against ML algorithms.

Understanding how your ML product functions is key; it should build a baseline of normal user behavior across the network, then match new actions against data gleaned from a combination of machine learning and statistical algorithms. In this way, UBA exposes threats without relying on prior identification in the wild.
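The baseline-then-compare behaviour described above, reduced to a small per-user model, as an added example (illustrative code for this page, not InsightIDR's UBA). The login history, the three features (daily volume, hours, source country) and the weights and threshold are all constructed and assumed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed login history for the learning window: (user, day, hour_utc, country).
HISTORY = [
    ("alice", 1, 8, "US"), ("alice", 1, 9, "US"),
    ("alice", 2, 8, "US"), ("alice", 2, 10, "US"), ("alice", 2, 9, "US"),
    ("alice", 3, 9, "US"), ("alice", 3, 8, "US"),
    ("alice", 4, 8, "US"), ("alice", 4, 9, "US"), ("alice", 4, 10, "US"),
    ("alice", 5, 9, "US"), ("alice", 5, 8, "US"),
    ("bob", 1, 22, "DE"), ("bob", 2, 23, "DE"), ("bob", 3, 22, "DE"),
    ("bob", 4, 21, "DE"), ("bob", 5, 22, "DE"),
]

ALERT_THRESHOLD = 4  # assumed; tune against your own false-positive budget


def build_baseline(events):
    """Per-user profile of what 'normal' looked like during the learning window."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours, countries = defaultdict(set), defaultdict(set)
    for user, day, hour, country in events:
        per_day[user][day] += 1
        hours[user].add(hour)
        countries[user].add(country)
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        baseline[user] = {
            "mean_daily": mean(counts),
            # floor the deviation so a very regular history does not make z-scores explode
            "std_daily": max(pstdev(counts), 1.0),
            "hours": hours[user],
            "countries": countries[user],
        }
    return baseline


def score_event(baseline, user, logins_today, hour, country):
    """Score one new login against the user's baseline; returns (score, reasons)."""
    prof = baseline.get(user)
    if prof is None:
        return 5, ["no baseline for user"]  # unknown users cannot be judged normal
    score, reasons = 0, []
    z = (logins_today - prof["mean_daily"]) / prof["std_daily"]
    if z > 3:
        score += 3
        reasons.append(f"volume z={z:.1f}")
    if country not in prof["countries"]:
        score += 4
        reasons.append(f"new country {country}")
    # hour check does not wrap around midnight; good enough for this illustration
    if not any(abs(hour - h) <= 1 for h in prof["hours"]):
        score += 2
        reasons.append(f"off-hours {hour:02d}:00")
    return score, reasons


def is_anomalous(baseline, user, logins_today, hour, country):
    return score_event(baseline, user, logins_today, hour, country)[0] >= ALERT_THRESHOLD


if __name__ == "__main__":
    b = build_baseline(HISTORY)
    print(score_event(b, "alice", 7, 3, "RO"))
    print(score_event(b, "alice", 2, 9, "US"))
```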

4. Ramping up ransomware

Let’s face it: Attackers all over the world are essentially creating repositories and educational platforms on how to evolve and deploy ransomware. It takes sophistication, but ransomware packages are now available more widely to the non-tech set to, for lack of a more apt phrase, plug and play.

As attack methodologies ramp up in frequency and size, it’s not just data at risk anymore. Bad actors are threatening companies with wide public exposure and potentially a catastrophic loss to reputation. But there are opportunities to learn offensive strategies, as well as how attacker techniques can become signals for detection.

Target shifts

If the data in the SANS report tells us anything, it’s that attackers and their evolving methodologies — like those mentioned above — are constantly searching not just for bigger targets and paydays, but also easier paths to their goals.

Targeted industry shifts in year-over-year data show that the company or sector you’re in clearly makes no difference. Perhaps the biggest factor in bad actors’ strategies is the degree of ease with which they get what they want — and some industries still fall woefully behind when it comes to security and attack readiness.

Learn more about the latest threat trends

Read the full SANS report

[R]Evolution of the Cyber Threat Intelligence Practice

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/08/25/r-evolution-of-the-cyber-threat-intelligence-practice/

The cyber threat intelligence (CTI) space is one of the most rapidly evolving areas in cybersecurity. Not only are technology and products being constantly updated and evolved, but also methodologies and concepts. One of the key changes happening in the last few years is the transition from threat intelligence as a separate pillar — which disseminates threat reports to the security organization — to threat intelligence as a central hub that feeds all the functions in the security organization with knowledge and information on the most prioritized threats. This change requires a shift in both mindset and methodology.

Traditionally, CTI has been considered a standalone practice within the security organization. Whether the security organization has dedicated personnel or not, it has been a separate practice that produces reports about various threats to the organization — essentially, looking at the threat landscape and making the same threat data accessible to all the functions in the security organization.

Traditional CTI model

[Figure] A traditional model of the CISO and the different functions in their security organization

The latest developments in threat intelligence methodologies are disrupting this concept. Effectively, threat intelligence is no longer a separate pillar, but something that should be ingested and considered in every security device, process, and decision-making event. Thus, the mission of the threat intelligence practitioner is no longer to simply create “threat reports,” but also to make sure that every part of the security organization effectively leverages threat intelligence as part of its day-to-day mission of detection, response, and overall risk management.

The evolution of threat intelligence is supported by the following primary trends in the cybersecurity space:

  1. Automation — Due to a lack of trained human resources, organizations are implementing more automation into their security operations. Supported by adoption of SOAR technologies, machine-to-machine communication is becoming much easier and more mainstream. Automation allows for pulling data from your CTI tools and constantly feeding it into various security devices and security processes, without human intervention. This essentially supports seamless and near-real-time integration of CTI into various security devices, as well as automated decision-making processes.
  2. Expanded access to threat intelligence — Threat intelligence vendors are investing a lot more in solutions that democratize threat intelligence and make it easy for various security practitioners to consume — for example, native applications for Security Information and Event Management (SIEM) to correlate threat data against internal logs, or browser extensions that inject threat context and risk analysis into the browser. Previously, you had lots of threat data that needed manual labor to review and take action; today, you have actionable insights that are seamlessly integrated into your security devices.

Updated CTI model

[Figure] Today’s new model of the CISO and the role of threat intelligence in supporting the different functions in their organization

The new mission of the CTI practitioner

The new mission of the CTI practitioner is to tailor threat intelligence to every function in the security organization and make it an integral part of the function’s operations. This new approach requires them to not only update their mission, but also to gain new soft skills that allow them to collaborate with other functions in the security organization.

The CTI practitioner’s newly expanded mindset and skill set would include:

  1. Developing close relationships with various stakeholders — It’s not enough to send threat reports if the internal client doesn’t know how to consume them. What looks simple for a CTI specialist is not necessarily simple to other security practitioners. Thus, in order to achieve the CTI mission, it’s important to develop close relationships with various stakeholders so that the CTI specialist can better understand their pain points and requirements, as well as tailor the best solution for them to consume. This activity serves as a platform to raise their awareness of CTI’s value, thereby helping them come up with and commit to new processes that include CTI as part of their day-to-day.
  2. Having solid knowledge of the company strategy and operations — The key to a successful CTI program is relevancy; without relevancy, you’re left with lots of unactionable threat data. Relevancy is twice as important when you want to incorporate CTI into various functions within the organization. Relevant CTI can only be achieved when the company business, organizational chart, and strategy are clear. This clarity enables the CTI practitioner to realize what intelligence is relevant to each function and tailor it to the needs of each function.
  3. Deep understanding of the company tech stack — The CTI role doesn’t require only business understanding, but also deep technical understanding of the IT infrastructure and architecture. This knowledge will allow the CTI specialist to tailor the intelligence to the risks imposed on the company tech stack, and it will support building a plan to correlate internal logs against external threat intelligence.

Following are a few examples of processes the threat intelligence team needs to implement in order to tailor threat intelligence to other security functions and make it an integral part of their operations:

  1. Third-party breach monitoring — With the understanding that the weakest link might be your third party, timely detection of third-party breaches is increasingly important. CTI monitoring supports early detection of those cases and is followed by the IR team minimizing the risk. An example of this is monitoring ransomware gangs’ leak sites for any data belonging to your company that has been leaked from any third party.
  2. SOC incident triage — One of the main missions of the Security Operations Center (SOC) is to identify cyber incidents and make a quick decision on mitigation steps. This can be tremendously improved through threat intelligence information to triage the indicators (e.g., domains and IP addresses) of each event. Threat intelligence is the key to an effective and efficient triage of these events. This can be easily achieved through a threat intelligence browser extension that triages the IOCs while browsing in the SIEM.
  3. Vulnerability prioritization process — The traditional vulnerability prioritization process relies on the CVSS score and the criticality of the vulnerable assets. This focuses the prioritization efforts on the impact of an exploitation of the vulnerabilities and gives very little weight to the probability that these vulnerabilities will be exploited. Hacker chatter from the Dark Web and security researchers’ publications can help provide a good understanding of the probability that a certain vulnerability will actually be leveraged by a threat actor to launch a cyberattack. This probability factor is an essential missing piece in the vulnerability prioritization process.
  4. Trends analysis — The CTI practitioner has access to a variety of sources, allowing them to monitor trends in the cybersecurity domain, their specific industry, or in the data held in the company. This should be provided to leadership (not only security leadership) in order to allow smart, agile decision-making on existing risks.
  5. Threat intel and cybersecurity knowledge sharing — As with “traditional” intelligence, knowledge sharing can be a major force multiplier in cyber intelligence, too. Threat intel teams should aim to create as much external cooperation with other security teams — especially from the industry they work in — as they can. This will allow the team and the security organization to better understand the risks posed to the industry and, accordingly, their company. This information will also allow the CISO better visibility into the threat landscape that’s relevant to the company.
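Items 2 and 3 above (and the indicator enrichment described in the first post on this page) come down to the same move: join external intelligence to an internal event or finding and let it drive priority. As an added example (illustrative code for this page, not IntSights' or InsightConnect's), the constructed feed below enriches an alert's indicators for SOC triage and folds an exploitation-probability estimate into a CVSS-by-criticality score; the indicator data, the weights and the probability values are all assumed, not calibrated.

```python
# Constructed external threat-intel lookup keyed by indicator (hypothetical data;
# the addresses are documentation ranges, the actor name is a placeholder).
INTEL = {
    "203.0.113.7": {"attacker_infra": True, "actor": "placeholder-actor-1", "severity": "high"},
    "198.51.100.20": {"attacker_infra": False, "actor": None, "severity": "low"},
    "update-check.example.net": {"attacker_infra": True, "actor": None, "severity": "medium"},
}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


def enrich(indicators, intel=INTEL):
    """Look each indicator up in the external feed; None means nothing is known about it."""
    return {i: intel.get(i) for i in indicators}


def triage_alert(alert, intel=INTEL):
    """SOC triage: score an alert from what the outside world knows about its indicators."""
    score, reasons = 0, []
    for ind, info in enrich(alert["indicators"], intel).items():
        if info is None:
            continue  # unknown is not the same as benign; it simply adds no weight
        if info["attacker_infra"]:
            score += 3
            reasons.append(f"{ind}: known attacker infrastructure")
        if info["actor"]:
            score += 2
            reasons.append(f"{ind}: associated with {info['actor']}")
        score += SEVERITY_WEIGHT[info["severity"]]
    return score, reasons


def exploitation_probability(signal):
    """Rough probability that a vulnerability will actually be used, from CTI signals.
    The values are assumed weights chosen for illustration."""
    if signal.get("exploited_in_wild"):
        return 0.9
    if signal.get("public_exploit"):
        return 0.5
    mentions = signal.get("chatter_mentions", 0)
    if mentions:
        return 0.2 + 0.05 * min(mentions, 5)
    return 0.05  # base rate; the first post cites ~5.5% of vulnerabilities ever being exploited


def prioritize_vuln(vuln, asset, signal):
    """Impact (CVSS scaled by asset criticality 1..5) times probability of exploitation."""
    impact = vuln["cvss"] / 10 * asset["criticality"]
    return round(impact * exploitation_probability(signal), 3)


def rank_vulns(items):
    """items: list of (vuln_id, vuln, asset, signal); returns ids, highest priority first."""
    scored = [(prioritize_vuln(v, a, s), vid) for vid, v, a, s in items]
    return [vid for _, vid in sorted(scored, reverse=True)]


# Constructed findings: a high CVSS with no intel on a minor asset versus a lower CVSS
# that is being exploited in the wild on a critical asset.
ITEMS = [
    ("VULN-A", {"cvss": 9.8}, {"criticality": 2}, {}),
    ("VULN-B", {"cvss": 7.5}, {"criticality": 5}, {"exploited_in_wild": True}),
    ("VULN-C", {"cvss": 8.1}, {"criticality": 4}, {"chatter_mentions": 3}),
]

if __name__ == "__main__":
    print(triage_alert({"indicators": ["203.0.113.7", "10.0.0.5"]}))
    print(rank_vulns(ITEMS))
```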

A valuable proposition

While the evolving CTI model is making threat intelligence implementation a bit more complex, as it includes collaboration with different functions, it makes the threat intelligence itself far more valuable and impactful than ever before. The future of cyber threat intelligence is getting a lot more exciting!