Tag Archives: Threat Intel

For Health Insurance Companies, Web Apps Can Be an Open Wound

Post Syndicated from Paul Prudhomme original https://blog.rapid7.com/2022/02/23/for-health-insurance-companies-web-apps-can-be-an-open-wound/

For Health Insurance Companies, Web Apps Can Be an Open Wound

At IntSights, a Rapid7 company, our goal is to ensure organizations everywhere understand the threats facing them in today’s cyber landscape. With this in mind, we took a focused look at the insurance industry — a highly targeted vertical due to the amount of valuable data these organizations hold. We’ve collected our findings in the “2022 Insurance Industry Cyber Threat Landscape Report,” which you can read in full right now.

As part of this research, we reviewed threats specific to each vertical in the insurance industry. Healthcare insurance providers, in particular, have large targets on their backs. Criminals often aim to breach healthcare providers to gain access to various personal health information (PHI), which can include everything from sensitive patient health information to healthcare insurance policy details. Once this data falls into the wrong hands, it can be used to conduct fraud and exploit patients in a variety of ways.

This being the case, health insurance providers need to lock down their security perimeter as much as possible, and there’s one broader problem affecting the industry we want to highlight here: web app security. Security bugs or misconfigurations of public-facing customer web applications can often be overlooked, and they are major areas of concern because they serve as entry points for bad actors.

Let’s explore why these vulnerabilities are dangerous, how they happen in the first place, and what healthcare insurance providers can do to mitigate these threats and protect their policyholders.

Web apps as an entry point

Public-facing web applications are commonly used in the insurance industry to gather information about an individual or an organization. This data is often leveraged to generate a quote estimate for the type of insurance policy the person or company is looking for. While this can be a helpful way to personalize the customer experience and attract more customers to your business by showcasing competitive rates, it can also inadvertently expose inputted information if the app is misconfigured.

Take, for example, a vulnerability discovered in home and pet insurance provider Lemonade’s website. By simply clicking on public search results, a person could access and edit customers’ accounts without providing any credentials. From there, a bad actor could steal personally identifiable data and exploit it with barely any hassle at all.

The shocking part of this incident is that Lemonade spokespeople claimed this website flaw was “by design.” During the setup of the website, the team responsible likely didn’t realize anyone could log in, access a customer’s account, and even download a copy of that individual’s insurance policy. Since then, the indexed search results have stopped working, but it just goes to show how a simple oversight like that can be an open door for bad actors, who usually have to search much harder to find and exploit a vulnerability.

This is why health insurance companies should pay extra attention to how their public-facing apps, websites, and portals are configured. With the treasure trove of PHI they store — including everything from COVID-19 vaccination records to insurance policy details that list patient Social Security numbers, birthdates, and even Medicare or Medicaid coverage — healthcare organizations are prime targets for hackers eager to conduct insurance fraud, and a misconfiguration could give them easy access to this data.

How do misconfigurations happen?

Misconfigurations can happen at any level of an application stack, from the application server to the network services and beyond. As such, bad actors will try to exploit any misconfigurations in your stack by looking for unpatched flaws, unused pages, unprotected files or directories, and even dummy accounts that can get them into a system and open up access to data from within. This can lead to a complete system compromise and should be taken seriously.

But how do misconfigurations happen in the first place? Here are a few of the most common security misconfigurations in web apps:

  • Exposing too much information: If an attacker discovers what type of software you’re using for a public-facing web application, it will be much easier for them to search for and find vulnerabilities. There are some clever ways they go about learning this information; for example, they may be able to tell from an error message what type of back end you’re using. Anything that reveals stack traces or exposes information about what systems you’re using needs to be taken care of.
  • Default settings: When deploying new software, it usually comes out of the box with all functionality activated. However, every extra functionality is just another point of entry that you need to lock down. Never leave all default settings on, and make sure to change default accounts and passwords for everything, from admin consoles to hardware.
  • A lack of permissions: When your user permissions or account security settings are not strict, attackers may be able to access an account and run commands in the operating system. In the Lemonade example, for instance, anyone that found the account pages through search could log into the accounts without inputting user credentials.
  • Outdated software: Updating and patching software regularly is required to shore up any security vulnerabilities. This is even more critical for public-facing applications, as bad actors will often run down a list of known vulnerabilities to exploit a system. If the software isn’t up to date, it could leave a wide-open hole in your defenses.

How to resolve and prevent configuration issues in web apps

For healthcare security and health IT teams looking to find, fix, and prevent configuration issues in web apps, here are a few ways you can start:

  • Establish secure installation processes. A repeatable hardening process will help you deploy new software faster and easier in the future. This process, once outlined, should then be configured identically across your environments and automated to minimize effort.
  • Do not install unused features and frameworks. When first setting up your application, don’t deploy with the default settings. Review every feature, functionality, and framework, and remove any you do not want or plan to use. This will help you launch with a minimal platform that will be easier to harden.
  • Implement strict permissions. Ensure that different credentials are used in each environment, from development to production. Default user accounts and passwords should always be changed as soon as possible, and you will want to implement strict requirements for credentials.
  • Review and update configurations regularly. You might think you’re done once you’ve deployed your app, but you should always come back to review and update configurations on a consistent basis. Scan for errors, apply patches, and verify the effectiveness of your configurations and settings in all environments for maximum protection.
  • Generate a software bill of materials (SBOM) and cross-reference it against vulnerabilities often. It’s important to know every component comprised within a piece of software. You can easily generate an SBOM with a variety of open-source and commercially available third-party applications, and once you have it in hand, regularly cross-reference the components in it against known vulnerability lists.

Cyber threat intelligence can also help, as it can inform your health IT team about any threats facing your web app security. For example, threat intelligence can reveal what bad actors hope to acquire from your web apps and the methods they may try to use to obtain it. When you gather key information like this, you can tailor your defenses appropriately.

By leveraging robust cyber threat intelligence solutions and performing rigorous testing and scrutiny of public-facing web applications and other infrastructure, health insurance organizations and their healthcare security teams can better protect their environments and avoid inadvertently exposing customer data.

To learn more about the threats facing the insurance industry today — and some recommendations to protect against them — read the full research report here: “2022 Insurance Industry Cyber Threat Landscape Report.”

Additional reading:

The Big Target on Cyber Insurers’ Backs

Post Syndicated from Paul Prudhomme original https://blog.rapid7.com/2022/02/08/the-big-target-on-cyber-insurers-backs/

The Big Target on Cyber Insurers' Backs

Here at IntSights, a Rapid7 company, our goal is to equip organizations around the world with an understanding of the threats facing them in today’s cyber threat landscape. Most recently, we took a focused look at the insurance industry — a highly targeted vertical due to the amount of personally identifiable information (PII) these organizations hold. We’ve collected our findings in the “2022 Insurance Industry Cyber Threat Landscape Report,” which you can read in full right now.

While conducting this research, one key takeaway caught my eye: the big target on cyber insurers’ backs. Some of these organizations provide cyber insurance coverage for businesses, so in the event of a breach that imposes significant costs on a targeted business, that business is not 100% financially liable.

According to our cyber threat intelligence research, cyber insurance providers are even more appealing targets for bad actors in an industry already full of appealing targets. That begged the question: Why are cyber insurers so highly targeted? And what can they do to protect themselves in the face of these threats?

Cyber insurance providers are data goldmines

Typically, bad actors are angling to breach insurance companies to access PII or to collect policyholder details that they can use for insurance fraud. However, when hackers target cyber insurers, they’re seeking even more specific types of data, such as cyber insurance policy details and information outlining the security standards cyber insurance clients follow.

Why is this the case? A ransomware operation could, for example, leverage this information to build a list of potential targets covered under a cyber insurance policy. Some cyber insurance providers will pay an insured victim’s ransom, and if this is stated in the policy, these clients will bump up on the list of high-value targets, because the bad actors may assume they’re more likely to pay a ransom.

Knowledge of the security standards cyber insurers require their customers to fulfill is also dangerous in the wrong hands. It can help attackers craft their techniques to evade victims’ security measures. For example, they may completely avoid strongly defended points of entry and instead target areas of the perimeter with weaker protections. While not a guaranteed path to success, it gives bad actors more information to work with, and that’s never a good thing.

These are very real — and unique — threats facing the cyber insurance segment, and we’ve seen a few breaches like this play out already. In 2021, CNA Financial, a leading US insurance company that provides cyber insurance policies, suffered a cyberattack and reportedly paid a ransom of $40 million USD to ransomware operators.

Other cyber insurance companies that experienced breaches include Tokio Marine Insurance Singapore in August 2021 and global cyber insurer AXA in May 2021. The AXA breach happened shortly after it announced it would stop reimbursing new French customers for ransom payments after ransomware attacks. This was in response to claims by French officials that cyber insurance coverage of ransom payments encouraged more ransomware attacks and higher ransom demands. The attackers may have aimed to punish AXA for this decision, just going to show that the French officials may have been correct in their claim.

How cyber insurers can better protect their data

To defend themselves and their clients against ransomware attacks and data breaches, cyber insurers can follow a few simple steps:

  • Avoid publicly identifying specific customers by name for any reason. For example, it’s common practice to list the names of your biggest brands or enterprise clients on your website. However, this may make your business more appealing to hackers. They may view your organization as a gateway to gain access to your clients — if they can break through your security perimeter, they may get an even larger payload of data from the clients that can foot more expensive ransoms.
  • Refrain from listing any details about the cyber insurance policies you provide. If you publish information about how much your policy compensates the insured in the event of a ransomware attack or security breach, bad actors can use this data to calculate an optimal ransom amount that’s high enough to maximize profit but low enough for victims to accept. As such, your policy details will need extra protection, including encryption and network segmentation.
  • Scrutinize public-facing web applications and other infrastructure, like automated quote tools. Misconfiguration of these applications and bugs can inadvertently expose customer data. Hackers will often target these types of online portals and tools to learn more about a cyber insurer’s policies, and in some cases, they can even gain access to the information they store, which can then be exploited.
  • Finally, employ rigorous cyber threat intelligence. A key component of any risk management and cybersecurity strategy, threat intelligence can help cyber insurance providers understand the types of data that bad actors hope to steal from them, the methods they may use to obtain it, and even the ransomware operators targeting them. These insights can help your team shore up security against impending threats and remediate malicious actions faster in the event of a breach.

By following these recommendations, cyber insurance providers around the world can better protect their data as well as the sensitive information of their partners, clients, and customers. Because of all the valuable data these organizations house, the target on their backs won’t go away, so the best defensive strategy is a proactive one. Comprehensive cyber threat intelligence can play a critical role there.

Take a deep dive into the threats facing the insurance industry today by reading the full research report here: “2022 Insurance Industry Cyber Threat Landscape Report.”

Additional reading:

What’s New in Threat Intelligence: 2021 Year in Review

Post Syndicated from Stacy Moran original https://blog.rapid7.com/2022/01/07/whats-new-in-threat-intelligence-2021-year-in-review/

What's New in Threat Intelligence: 2021 Year in Review

This post was originally published on the IntSights blog.

Last year marked a huge milestone with the acquisition of IntSights by Rapid7. The IntSights team is very excited to join a company committed to simplifying and improving security outcomes for its customers. Rapid7’s focus is a great complement to the IntSights core mission to “democratize threat intelligence” for all. We look forward to continuing in this mission as part of the Rapid7 family, as our external threat intelligence solutions are incorporated within the Insight platform.

Threat Intelligence solutions compete in an increasingly crowded marketplace. Our solution stands out from others by removing the inherent complexity of threat intelligence while helping organizations of any size or maturity minimize their external risk while significantly reducing their workload. Over the course of 2021, we continued to deliver on this core promise by adding additional value to our products through:

  • Expanding detection coverage and sources across the clear, deep, and dark web
  • Helping customers speed their response processes through an expanded investigation toolset
  • Continuously improving the user experience, ensuring our solutions deliver immediate value out of the box

“IntSights’ competitive advantage lies in its simplicity.” – Dave Estlick, CISO, Chipotle

2021 IntSights External Threat Protection Suite highlights

Expanded threat coverage

Over the course of 2021, we increased our Threat Command detections coverage in several key areas to offer customers additional protection and value. These expanded capabilities include:

  • Phishing websites: Detection and alert coverage for additional Phishing feeds including AlienVault, OpenPhish, Phishing Domain Database, PhishStats, and PhishTank
  • Public repositories: Expanded coverage for leaked secrets in both GitHub and GitLab
  • Leaked databases: Alerts on leaked databases that contain organization-specific PII data (such as phone number, physical address, date of birth)
  • Black markets coverage: Expanded detections of customer products offered for sale in dark web black markets and ability for customers to view decision parameters to understand why specific threats were elevated to alerts
  • BOT data for sale: Option to use the new “Bot price” condition to trigger alerts based on bot prices and easily initiate bot purchase requests from the Threats page

“IntSights gives us the ability to see a more granular view of our threats in a very easy-to-use fashion.” – Zac Hinkel, Global Cyber Threat Manager, Hogan Lovells

Proactive phishing detection

In 2021, we offered a new solution called Phishing Watch that offers advanced and preemptive phishing detection capabilities that help customers identify attacks before phishing websites emerge. Phishing Watch employs a lightweight snippet installed on customer-facing websites that proactively detects the copying or redirection of legitimate/official websites to an illegitimate (and potentially phishing) website. Customers receive proactive notice of any phishing scams before they are employed, including the details required to enable automatic takedown of the phishing website and eradicate any threats in the early stages.

Expanded research and investigation capabilities

This year, we also greatly enhanced the investigation capabilities and content within our Threat Intelligence Platform (TIP) to accelerate customers’ ability to research and triage threats. The enhancements enable customers to easily understand the intent associated with indicators and prioritize those that pose the greatest risk. Features include:

  • Improved user interface that helps customers quickly investigate IOC and common cyber attack details
  • Expanded and accelerated investigation functionality including attack context, mapping tools, notes, and export functionality
  • Ability to easily share information on specific indicators with teams to enable better coordination and more proactive security posturing
  • Ability to analyze and understand the correlation of a CVE to cyber terms, view which feed reported the malware or actor, and see the first and last report date for better visibility and context on reported threats
What's New in Threat Intelligence: 2021 Year in Review
Users can view and search CVEs in the Investigation Map.

IntSights Extend (browser extension)

Introduced earlier this year, IntSights Extend actively parses, enriches, and highlights cyber threat intelligence data from any web-based application, such as a technical blog detailing the latest breach or a raw intelligence feed. It actively scrapes domains, URLs, IP addresses, file hashes, email addresses, and CVEs to deliver contextualized risk-prioritized alerts at the click of a mouse. Additionally, layering real-time enriched threat intelligence over any web-based application allows security practitioners to perform end-to-end investigation and analysis. They can immediately detect if threat indicators are active within their environment and block them directly from the browser. Customers can also easily pivot to the IntSights platform for further analysis, investigation, and action.

Threat library

Dedicated research analysts work behind the scenes to input up-to-the-minute intelligence. The research team includes detailed information on known threat actors, malware, campaigns, and associated MITRE TIDs to help security analysts spot trends and gain contextual details regarding threats targeting geographic regions, including threat actor engagement and reconnaissance. Security analysts can take immediate action on threats by adding IOCs associated with specific topics to their security devices, without ever leaving the library. The IOCs can also be tagged with malware, threat actor names, campaigns, and/or attack type to accelerate triage across existing security infrastructure.

What's New in Threat Intelligence: 2021 Year in Review

Vulnerability Risk Analyzer (VRA) customers can click on specific CVEs to view further details on the Vulnerabilities page. This helps customers prioritize vulnerabilities used in specific campaigns that affect their organization so they can focus on immediate updates and patching for the most relevant CVEs.

MITRE ATT&CK mapping

More advanced search capabilities to speed investigation plus details on MITRE ATT&CK framework tactics, techniques, and procedures (TTPs) are now mapped to Threat Library topics, bringing all relevant information related to a threat into one simplified view. Beyond the Threat Library, platform users can view and filter alerts by specific MITRE framework tactics and techniques for more context about threats in the customer environment.

IntelliFind

IntelliFind, our comprehensive dark web search tool, enables customers to directly search outside their digital footprint to immediately discover threat actor chatter and potential attacks targeting their organization or industry on the black market, hacking forums, paste sites, and other dark web sources across the attack surface. We offer the largest and most extensive database of these otherwise inaccessible sites.

Workflow improvements and technology integrations

Multi-tenant threat management

MSSPs and large enterprises with subsidiaries can now view and manage the threat data associated with all accounts, as well as navigate between customers, from a single dashboard, streamlining account management and saving money, time, and resources.

  • Threat Command: Those managing multi-tenant accounts can access each account’s Threat Command alerts, remediations, and associated policy options from the tenant view. The expanded functionality also makes it easier for tenants and subsidiaries to consume and act on threat intelligence to improve their digital risk protection and cybersecurity posture. Alerts for multiple accounts can be displayed and managed simultaneously, as well as aggregated by date and category. Multi-tenant account owners can also engage with our expert threat analysts in real time to dig deeper into specific alerts and proactively reduce response time.
  • TIP: MSSPs can see each tenant’s threat feeds and aggregated and prioritized IOCs from the TIP, as well as set IOC severity for all managed accounts.
  • IntelliFind: Using this exclusive dark web search tool, MSSPs gain access to advanced investigation capabilities and can view and manage queries and trigger alerts for multiple tenants via a single login.

The new MSSP capabilities allow us to view and manage all of our tenants from a single dashboard. We can switch between our customers’ tailored intelligence platforms with the click of a button. Also, we can easily generate reports to share with our customers, documenting the value they receive from Rapid7 threat intelligence.”Royi Biller, CEO, MT Cyber (MSSP)

Rapid7 InsightConnect Plugin for IntSights Threat Intelligence

Mutual customers of IntSights and Rapid7 InsightConnect (and InsightIDR or InsightVM) can now leverage contextualized threat alerts, indicators, and vulnerabilities within their Rapid7 SOAR solution, InsightConnect, helping them prioritize incident response and vulnerability management activities. This integration helps organizations gain a 360-degree view of the external threat landscape, align internal security enforcement, and expedite critical areas of security operations. The first ICON Plugin workflow (for Rapid7 InsightIDR) is now available in the Rapid7 Extensions Library. This workflow enriches IDR alerts by performing a lookup on all domains, hashes, URLs, and IPs in the Threat Intelligence Investigation module. In addition, IntSights can now directly trigger an incident response workflow in InsightConnect based on generated alerts, enabling more efficient and effective responses to threats that the IntSights platform detects.

The IntSights bidirectional app for Splunk enables customers to bring actionable threat intelligence into their Splunk solution for a holistic view of threats targeting their environment. Building on existing functionality that facilitated the import of prioritized IOCs from the IntSights platform, the app introduced earlier this year enables customers to:

  • Identify attacks in progress on their network by correlating indicators in their environment with IntSights high-severity IOCs
  • Import Threat Command alerts and prioritized vulnerabilities from Vulnerability Risk Analyzer into the Splunk environment to continue triaging external threats directly from the Splunk dashboard
  • Instantly analyze and prioritize credible threats in the IntSights environment. When an alert, IOC, or CVE is found in the customer’s Splunk environment, it is flagged simultaneously in Splunk and IntSights so that users can take action in either platform.
What's New in Threat Intelligence: 2021 Year in Review

Our native bidirectional application for IBM QRadar allows customers to leverage the robust enrichment and investigation capabilities of the IntSights TIP in their QRadar environments. Mutual customers can:

  • Detect IOCs found in the network
  • View top malware and threat actors targeting the organization
  • Conduct comprehensive, end-to-end investigations directly within the Qradar environment

Looking ahead

Looking ahead to 2022, some of the key themes and areas of investment that Rapid7’s Threat Intelligence customers will experience include:

  • Delivering more visibility for faster decision-making with a new Strategic Intelligence module and custom reporting capabilities
  • Key integrations with Rapid7 products including the InsightIDR XDR/SIEM solution, the InsightConnect SOAR platform, and the InsightVM vulnerability management solution
  • New pricing and packaging model that scales with customer needs across the maturity spectrum
  • Continued investment in expanding intelligence sources and detections for reduced noise and better protection
  • Driving growth through a more optimized Threat Intelligence experience for MSSP partners

A big thank you to all of our customers and partners for working with us this year. We look forward to delivering even more value to our Threat Intelligence customers as part of the Rapid7 family, as well as sharing more about these investments and additional updates with you in 2022.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/

Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations

It’s been a long few days as organizations’ security teams have worked to map, quantify, and mitigate the immense risk presented by the Log4Shell vulnerability within Log4j. As can be imagined, cybercriminals are working overtime as well, as they seek out ways to exploit this vulnerability.

Need clarity on detecting and mitigating Log4Shell?

Sign up for our webinar on Thursday, December 16, 2021

The Rapid7 Threat Intelligence team is tracking the attacker’s-eye view and the related chatter on the clear, deep, and dark web within our Threat Intelligence platform. Here are 4 observations based on what we’ve seen at the onset of the identification of CVE-2021-44228.

1. We see a spike in hacker chatter and security researchers’ publications about Log4j.

Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations

Increased hacker chatter is a key indicator of an emerging threat that security teams must account for. Clearly the spike here is no surprise – however, it is important to monitor and understand the types and scope of the chatter in order to get a clear picture of what’s on the horizon.

2. Hackers – specifically from the Russian, Chinese, and Turkish communities – show interest in the vulnerability and are actively sharing scanners and exploits.

Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations

The following two screenshots show that bad actors have already developed and shared proof of concepts exploiting the vulnerability in Log4j. They also show the extent to which this vulnerability impacts user communities such as PC gamers, social media users, Apple/iCloud customers, and more.

Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations
Log4Shell discussion on a Russian cybercrime forum
Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations
Log4j discussion on a Turkish cybercrime forum

3. Code with a proof of concept for the exploit has been published on GitHub.

Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations

The underground cybercrime community functions like any other business model, but what sets it apart is the spirit with which bad actors share their work for mass consumption. The example above is completely open and free for anyone to access and utilize.

4. Various scanners were published on GitHub to identify vulnerable systems.

Scanners are the cybercriminal’s tool of choice for finding specific vulnerabilities in networks communicating via the internet. Using a scanner, any company — regardless of size — can be a target.

Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations
Log4j Scanner Discussion on Reddit
Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations
Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations
A fully automated, accurate, and extensive scanner for finding vulnerable Log4j hosts

While others look inside, we look outside

The bottom line is that threat actors are showing great interest in Log4j within underground communities, and they are leveraging these communities to share information and experience regarding exploiting this vulnerability. That emphasizes the need to quickly patch this vulnerability, before multiple cybercriminals put their hands on an exploit and start to utilize it on a large scale.

Read more about the Log4Shell vulnerability within Log4j, and what your team can do in response.

Better Together: XDR, SOAR, Vulnerability Management, and External Threat Intelligence

Post Syndicated from Matthew Gardiner original https://blog.rapid7.com/2021/11/15/better-together-xdr-soar-vulnerability-management-and-external-threat-intelligence/

Better Together: XDR, SOAR, Vulnerability Management, and External Threat Intelligence

One of the biggest challenges with both incident response and vulnerability management is not just the raw number of incidents and vulnerabilities organizations need to triage and manage, but the fact that it’s often difficult to separate the critical incidents and vulnerabilities from the minor ones. If all incidents and vulnerabilities are treated as equal, teams will tend to underprioritize the critical ones and overprioritize those that are less significant. In fact, ZDNet reports that only 5.5% of all vulnerabilities are ever exploited in the wild. Meaning that fixing all vulnerabilities with equal priority is a significant misallocation of resources, as 95% of them will likely never be exploited.

Unjamming incident response and vulnerability management

My experience with organizations over the years shows a similar issue with security incidents. Clearly not all incidents are created equal in terms of risk and potential impact, so if your organization is treating them equally, this also is a sign of misprioritization. And what organization has a surplus of incident response cycles to waste? Without some informed triaging and prioritization, the remediation of both incidents and vulnerabilities can get jammed up, and the security team can be blamed for “crying wolf” by raising the security alarm too often without strong evidence.

How to better prioritize security incidents and vulnerabilities? Fundamentally, it comes down to simultaneously having the right data and intelligence from both inside your IT environment and the world outside. What if you could know with high certainty what you have, what is currently going on inside your IT environment, and how and whether the threat actors’ current tools, tactics, techniques, and procedures are currently active and relevant to you? If this information and analysis was available at the right time, it would go a long way to helping prioritize responses to both detected incidents and discovered vulnerabilities.

Integrating XDR, SOAR, vulnerability management, and external threat intelligence

The key building blocks of this approach require the combination of extended detection and response (XDR) for continuous visibility and threat detection; vulnerability management for vulnerability detection and management; SOAR for security management, integration, and automation; and external threat intelligence to inject information about what threat actors are actually doing and how this relates back to the organization. The intersection of these four security systems and sources of intelligence is where the magic happens.

Separately, XDR, SOAR, vulnerability management, and external threat intelligence are valuable in their own right. But when used closely together, they deliver greater security insights that help guide incident response and vulnerability management. Together, they help security teams focus their limited resources on the risks that matter most.

What Rapid7 is doing about it

Rapid7 is on the forefront of bringing this integrated approach to market. It starts — but does not end — with possessing all the underlying technology and expertise necessary to bring this approach to life through our products in XDR, SOAR, vulnerability management, and external threat intelligence. New and particularly important to this story is how Rapid7’s external threat intelligence offering, brought forward by the recent acquisition of IntSights, is integrated and directly available to assist with incident and vulnerability management prioritization and automation.

The newly released InsightConnect for IntSights Plugin enables, among other capabilities, the enrichment of indicators — IP addresses, domains, URLs, file hashes — with what is known about them in the outside world, such as whether they are part of attackers’ infrastructure, their registration details, when they were first seen, any associations with threat actor groups, severity, and other key aspects. This information, when linked to alerts and vulnerabilities, can help drive the response prioritizations that are incredibly important to improving incident response and vulnerability management effectiveness and efficiency.

This is just the start of integrating IntSights threat intelligence into Rapid7’s broader set of security offerings. Stay tuned for additional integration news as Rapid7 brings best-of-breed solutions further, combining our vulnerability management, detection and response, and threat intelligence products and services to solve more real-world security challenges.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

4 Simple Steps for an Effective Threat Intelligence Program

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/10/15/4-simple-steps-for-an-effective-threat-intelligence-program/

4 Simple Steps for an Effective Threat Intelligence Program

Threat intelligence is a critical part of an organization’s cybersecurity strategy, but given how quickly the state of cybersecurity evolves, is the traditional model still relevant?

Whether you’re a cybersecurity expert or someone who’s looking to build a threat intelligence program from the ground up in 2021, this simple framework transforms the traditional model, so it can apply to the current landscape. It relies on the technologies available today and can be implemented in four simple steps.

A quick look at the threat intelligence framework

The framework we’ll be referencing here is called the Intelligence Cycle, which breaks down into four phases:

4 Simple Steps for an Effective Threat Intelligence Program

This is the traditional framework you can use to implement a threat intelligence program in your organization. Let’s take a deeper look at each step, update them for the modern day, and outline how you can follow them in 2021.

To do this, we’ll leverage a use case of credential leakage as an example, which is a very important use case today. According to Verizon’s 2021 Data Breach Investigations Report, credentials remain one of the most sought-after data types, and it’s this type of data that gets compromised the fastest. As such, credential leakage is an area organizations of all sizes should be aware of and familiar with, making it an optimal choice for illustrating how to build an effective threat intelligence program.

1. Set a direction

The first step in this process is to set the direction of your program, meaning you need to outline what you’re looking for and what questions you want to ask and answer. To help with this, you can create Prioritized Intelligence Requirements, or PIRs, and a desired outcome.

For both your PIRs and desired outcome, you should aim to be as explicit as possible. In the case of credential leakage, for example, let’s set our PIR as: “I want to identify any usernames and passwords belonging to my employees that have been exposed to an unauthorized entity.”

We’ve selected these credentials for this example, because they are risky for the organization. Depending on your needs, you may identify different credentials with higher risk, but this is the type we’re focusing on for this use case.

With this very specific PIR outlined, we can now determine a desired outcome, which would be something like: “I want to force password reset for any of these passwords that are being used in the corporate environment before threat actors can use them.”

This is crucial, and later, we’ll see how the desired outcome impacts how we build this threat intelligence program.

2. Map out what data to collect

Once you’ve set your PIRs and desired outcome, you need to map out the sources of intelligence that will serve the direction.

For this use case, let’s identify how threat actors gain credentials. A few of the most common sources include:

  • Endpoints (usually harvested by botnets)
  • Third-party breaches
  • Code repositories
  • Posts on a forum/pastebin
  • Dark web black markets that buy/sell credentials

In the past, you might have turned to individual vendors who could help you with each of these areas. For example, you may have worked with an organization that specializes in endpoint security and another that could tackle incident response management for third-party breaches. But today, you’re better off finding a vendor who can support all the sources you need and provide complete coverage for all areas of risk, especially for something like credential leakage.

Regardless, by mapping out these sources, you can outline the areas you need to focus on for analysis.

3. Select your approach to analysis

Next up is analysis. You can take two approaches:

  1. Automated analysis: You can leverage AI or sophisticated algorithms that will classify relevant data into alerts of credential leakage, where the emails and passwords can be extracted and pulled out.
  2. Manual analysis: You can manually analyze the information by gathering all the data and having the analysts on your team review the data and decide what’s relevant to your organization.

The biggest advantage of manual analysis is flexibility. You can put more human resources, intelligence, and insight into the process to surface only what is relevant. But there are also disadvantages — for example, this process is much slower than automated analysis.

In the first phase of our program, we specified that we want to force password resets before threat actors leverage them for a cyberattack. This means that speed is extremely crucial in this use case. Now, you can see how the desired outcome is helping us make a decision about the type of approach we should take for analysis.

Automated analysis also requires significantly fewer resources. You don’t need a bunch of analysts to sort through the raw data and surface what is relevant. The classification and alerting of credential leakage is fully automated here. Plus, if threats are being automatically classified, they can likely be automatically remediated.

Let’s take a look at this in practice: Say your algorithm finds an email and password mentioned on a forum. The AI can classify the incident and extract the relevant information (e.g., the email/username and password) in a machine-readable format. Then, a response can be automatically applied, like force resetting the password for the identified user.

As you can see, there are advantages and disadvantages for each approach. When you assess them against our desired outcome, it’s clear that we should go with an automated approach for our credential leakage use case.

4. Disseminate analysis to take action

Finally, we come to the final phase: dissemination. Traditionally, when it comes to the intelligence cycle and the dissemination of threat intelligence, we talk about sending alerts and reports to the relevant stakeholders to review, so they can take action and respond accordingly.

But, as our example in the previous section shows, the future (and current state) of this process is fully automated remediation. With this in mind, we shouldn’t just discuss how we distribute alerts and information in the organization — we should also think about how we can take the intelligence and distribute it to security devices to automatically prevent the upcoming attack.

For leaked credentials, this could mean sending the intelligence to the active directory to automatically force password reset without human intervention. This is a great example of how shifting to an automated solution can dramatically reduce the time to remediation.

Once again, let’s go back to our PIR and desired outcome: We want to force the password reset before the threat actor uses the password. Speed is key here, so we should definitely automate the remediation. As such, we need a solution that takes the intelligence from the sources we’ve mapped out, automatically produces an alert with the information extracted, and then automatically remediates the threat to reduce risk as fast as possible.

This is how detection and response should look in 2021.

A simplified and modernized approach to threat intelligence

In summary, this revamped Intelligence Cycle resembles how to build an effective threat intelligence program today.

Start by identifying your PIRs and desired outcome. Then, decide on a collection plan by outlining all sources that will drive the relevant intelligence. Next, for the vast majority of use cases, it’s important to have an automated analysis algorithm in place to classify alerts quickly and precisely. And finally, you should transition from manual dissemination to automated remediation, which can dramatically reduce time to remediation — something that’s more critical than ever due to the current state of cybersecurity.

By following these steps, you can build an effective threat intelligence program, and with this foundation in place, you can fine-tune it until you have a seamless process that saves your organization time and reduces risk across the board.

Curious to learn more? Read about Rapid7’s approach to automatic detection and response here.

SANS 2021 Threat Hunting Survey: How Organizations’ Security Postures Have Evolved in the New Normal

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/09/17/sans-2021-threat-hunting-survey-how-organizations-security-postures-have-evolved-in-the-new-normal/

SANS 2021 Threat Hunting Survey: How Organizations' Security Postures Have Evolved in the New Normal

It’s that time of year once again: The SANS Institute — the most trusted resource for cybersecurity research — has conducted its sixth annual Threat Hunting Survey, sponsored by Rapid7. The goal of this survey is to better understand the current threat hunting landscape and the benefits provided to an organization’s security posture as a result of threat hunting.

This year’s survey, “A SANS 2021 Survey: Threat Hunting in Uncertain Times,” has a unique focus, one that’s taken into consideration the impact of COVID-19 and how it’s affected organizations’ threat hunting. The findings indicate that the global pandemic has had a relatively mixed impact on the organizations surveyed, with many respondents unsure of what type of impact it’s had — and will have — on their threat hunting efforts.

Here’s a preview of the survey’s findings and its takeaways for organizations navigating today’s cybersecurity landscape.

Fewer organizations are performing threat hunting in 2021

According to the survey results, 12.6% fewer organizations are performing threat hunting in 2021 when compared to those surveyed in 2020. This is concerning, as threat hunting is an ever-evolving field, and organizations that don’t dedicate resources to it won’t be able to keep pace with the changes in tactics and techniques needed to find threat actors.

But what caused this dip? It seems to be a combination of organizations reducing their external spend with third parties and their overall internal staff in response to COVID-19. That said, this reduction cannot be fully accounted for by the pandemic.

Despite this decrease, there is good news: 93.1% of respondents indicated they have dedicated threat hunting staff, and the majority of respondents plan to increase spending on staffing and tools for threat hunting in the near future. Over the year to come, we’ll likely see an extended detection and response (XDR) approach leveraging tools like InsightIDR playing a key role in these efforts.

The threat hunting toolbox is evolving

The tools organizations are using to conduct threat hunting are evolving — but have they advanced enough to keep up with the modern cybersecurity landscape?

The output of threat hunting depends on three factors: visibility, skills, and threat intelligence. To achieve this output, threat hunters need the right tools. After asking respondents about their organizations’ tool chests, SANS found that over 75% of respondents are using a tool set that includes EDRs, SIEMs, and IDS/IPS.

It should come as no surprise that these tools are at the top — these are essential to establishing visibility. What is interesting, however, is the second-place spot taken by customizable tools, followed by threat intelligence platforms. This indicates there’s room for improvement for solutions vendors regarding threat hunting — and users are looking for deep insights. Tools like Rapid7’s cloud SIEM solution that cut through the noise and surface the threats that really matter are key in today’s complex IT environments.

Overall security posture has improved — but there’s room to grow

The improvements seen in organizations’ overall security posture as a result of threat hunting continue to show steady numbers. According to the study, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. In addition, 72.3% of respondents claimed threat hunting had a positive improvement on their organization over time.

These are brilliant results to see, and they reinforce the positive impact threat hunting can have, even in the face of today’s extraordinary challenges.

That said, while there are clear benefits to threat hunting, there are some barriers to success for organizations, namely:

  • Over half (51.3%) of all respondents indicated the primary barrier for them as threat hunters is a lack of skilled staff and training.
  • This was closely followed (43%) by an even split of challenges between the limitations of tools or technologies and a lack of defined processes.

Organizations can start addressing these challenges in a variety of ways, including adopting best-in-class detection and response tooling and owning documentation, education, and maintenance at scale. These are manageable barriers that will come down with time, and despite a global pandemic, the overall outlook is good, as the general trend to more threat hunting appears to sustain with this year’s survey.

Hopefully, these numbers continue to increase next year, and more organizations will reap the benefits of threat hunting.

To take a deeper dive into the survey’s findings, download the full report: A SANS 2021 Survey: Threat Hunting in Uncertain Times.

Learn more about how Rapid7’s Incident Detection and Response solutions can help you protect your organization and boost your ability to swiftly thwart attackers.

SANS Experts: 4 Emerging Enterprise Attack Techniques

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/09/02/sans-experts-4-emerging-enterprise-attack-techniques/

SANS Experts: 4 Emerging Enterprise Attack Techniques

In a recent report, a panel of SANS Institute experts broke down key takeaways and emerging attack techniques from this year’s RSA Security Conference. The long and short of it? This next wave of malicious methodologies isn’t on the horizon — it’s here.

When it comes to supply-chain and ransomware attacks, bad actors seem to have migrated to new ground over the last 2 years. The SANS Institute report found that government, healthcare, and retail (thanks in large part to online spending at the height of the pandemic) were the sectors showing the largest spike from the first quarter of 2020 to this year, in terms of finding themselves in attackers’ crosshairs. As larger incidents increase in frequency, let’s take a look at 4 specific attack formats trending toward the norm and how you can stay ahead of them.

1. Cracks in the facade of software integrity

Developers are under greater pressure to prioritize security (i.e., shift left) within the Continuous Integration/Continuous Delivery (CI/CD) lifecycle. This would seem to be at stark odds with the number of applications built on open-source software (OSS). And, if a security organization is part of a supply chain, how many pieces of OSS are being used at one time along that chain? The potential is huge for an exponential jump in the number of vulnerabilities in that group of interdependent organizations.

There are ways to mitigate these seemingly unstoppable threats. Measures like file integrity monitoring (FIM) surface changes to critical files on your network, alerting you to suspicious activity while also providing context as to the affected users and/or assets. Threat hunting can also help to expose vulnerabilities.

Used with a cloud-native, extended-detection-and-response (XDR) approach, Rapid7’s proactive threat-hunting capabilities leverage multiple security and telemetry sources to act on fine-grained insights and empower teams to quickly take down threats.

2. Do you have a token to get into that session?

Commonly, applications make use of tokens to identify a person wishing to access secure data, like banking information. A user’s mobile app will exchange the token with a server somewhere to verify that, indeed, this is the actual user requesting the information and not an attacker. Improper session handling happens when the protocols according to which these applications are working don’t properly secure identifying tokens.

The issue of improper user authentication was exacerbated by the onslaught of the pandemic, as companies raced to secure — or not — enterprise software for a quickly scaled-up remote workforce. To resolve this issue, individual users can simply make it a best practice to always hit that little “log off/out” button once they’re finished. Businesses can also do this by setting tokens to automatically expire after a predetermined length of time.  

At the enterprise level, security organizations can use a comprehensive application-testing strategy to monitor for weak session handling and nefarious attacker actions like:

  • Guessing a valid session token after only short-term monitoring
  • Using static tokens to target users, even if they’re not logged in
  • Leveraging a token to delete user data without knowing the username/password

3. Turning the machines against us

No, that’s not a Terminator reference. If someone has built out a machine-learning (ML) algorithm correctly, it should do nothing but assist an organization in accomplishing its business goals. When it comes to security, this means being able to recognize traffic patterns that are relatively unknown and classifying them according to threat level.

However, attackers are increasingly able to corrupt ML algorithms and trick them into labeling malicious traffic as safe. Another sophisticated method is for attackers to purchase their own ML products and use them as training grounds to produce and deploy malware. InsightIDR from Rapid7 leverages user-behavior analytics (UBA) to stay ahead of malicious actions against ML algorithms.

Understanding how your ML product functions is key; it should build a baseline of normal user behavior across the network, then match new actions against data gleaned from a combination of machine learning and statistical algorithms. In this way, UBA exposes threats without relying on prior identification in the wild.

4. Ramping up ransomware

Let’s face it: Attackers all over the world are essentially creating repositories and educational platforms in how to evolve and deploy ransomware. It takes sophistication, but ransomware packages are now available more widely to the non-tech set to, for lack of a more apt phrase, plug and play.

As attack methodologies ramp up in frequency and size, it’s not just data at risk anymore. Bad actors are threatening companies with wide public exposure and potentially a catastrophic loss to reputation. But there are opportunities to learn offensive strategies, as well as how attacker techniques can become signals for detection.

Target shifts

If the data in the SANS report tells us anything, it’s that attackers and their evolving methodologies — like those mentioned above — are constantly searching not just for bigger targets and paydays, but also easier paths to their goals.

Targeted industry shifts in year-over-year data show that the company or sector you’re in clearly makes no difference. Perhaps the biggest factor in bad actors’ strategies is the degree of ease with which they get what they want — and some industries still fall woefully behind when it comes to security and attack readiness.

Learn more about the latest threat trends

Read the full SANS report

[R]Evolution of the Cyber Threat Intelligence Practice

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/08/25/r-evolution-of-the-cyber-threat-intelligence-practice/

[R]Evolution of the Cyber Threat Intelligence Practice

The cyber threat intelligence (CTI) space is one of the most rapidly evolving areas in cybersecurity. Not only are technology and products being constantly updated and evolved, but also methodologies and concepts. One of the key changes happening in the last few years is the transition from threat intelligence as a separate pillar — which disseminates threat reports to the security organization — to threat intelligence as a central hub that feeds all the functions in the security organization with knowledge and information on the most prioritized threats. This change requires a shift in both mindset and methodology.

Traditionally, CTI has been considered a standalone practice within the security organization. Whether the security organization has dedicated personnel or not, it has been a separate practice that produces reports about various threats to the organization — essentially, looking at the threat landscape and making the same threat data accessible to all the functions in the security organization.

Traditional CTI model

[R]Evolution of the Cyber Threat Intelligence Practice
A traditional model of the CISO and the different functions in their security organization

The latest developments in threat intelligence methodologies are disrupting this concept. Effectively, threat intelligence is no longer a separate pillar, but something that should be ingested and considered in every security device, process, and decision-making event. Thus, the mission of the threat intelligence practitioner is no longer to simply create “threat reports,” but also to make sure that every part of the security organization effectively leverages threat intelligence as part of its day-to-day mission of detection, response, and overall risk management.

The evolution of threat intelligence is supported by the following primary trends in the cybersecurity space:

  1. Automation — Due to a lack of trained human resources, organizations are implementing more automation into their security operations. Supported by adoption of SOAR technologies, machine-to-machine communication is becoming much easier and more mainstream. Automation allows for pulling data from your CTI tools and constantly feeding it into various security devices and security processes, without human intervention. Essentially, supporting seamless and near-real-time integration of CTI into various security devices, as well as automated decision-making processes.
  2. Expanded access to threat intelligence — Threat intelligence vendors are investing a lot more in solutions that democratize threat intelligence and make it easy for various security practitioners to consume — for example, native applications for Security Information and Event Management (SIEM) to correlate threat data against internal logs, or browser extensions that inject threat context and risk analysis into the browser. Previously, you had lots of threat data that needed manual labor to review and take action; today, you have actionable insights that are seamlessly integrated into your security devices.

Updated CTI model

[R]Evolution of the Cyber Threat Intelligence Practice
Today’s new model of the CISO and the role of threat intelligence in supporting the different functions in their organization

The new mission of the CTI practitioner

The new mission of the CTI practitioner is to tailor threat intelligence to every function in the security organization and make it an integral part of the function’s operations. This new approach requires them to not only update their mission, but also to gain new soft skills that allow them to collaborate with other functions in the security organization.

The CTI practitioner’s newly expanded mindset and skill set would include:

  1. Developing close relationships with various stakeholders — It’s not enough to send threat reports if the internal client doesn’t know how to consume them. What looks simple for a CTI specialist is not necessarily simple to other security practitioners. Thus, in order to achieve the CTI mission, it’s important to develop close relationships with various stakeholders so that the CTI specialist can better understand their pain points and requirements, as well as tailor the best solution for them to consume. This activity serves as a platform to raise their awareness of CTI’s value, thereby helping them come up with and commit to new processes that include CTI as part of their day-to-day.
  2. Having solid knowledge of the company strategy and operations — The key to a successful CTI program is relevancy; without relevancy, you’re left with lots of unactionable threat data. Relevancy is twice as important when you want to incorporate CTI into various functions within the organization. Relevant CTI can only be achieved when the company business, organizational chart, and strategy are clear. This clarity enables the CTI practitioner to realize what intelligence is relevant to each function and tailor it to the needs of each function.
  3. Deep understanding of the company tech stack — The CTI role doesn’t require only business understanding, but also deep technical understanding of the IT infrastructure and architecture. This knowledge will allow the CTI specialist to tailor the intelligence to the risks imposed on the company tech stack, and it will support building a plan to correlate internal logs against external threat intelligence.

Following are a few examples of processes the threat intelligence team needs to implement in order to tailor threat intelligence to other security functions and make it an integral part of their operations:

  1. Third-party breach monitoring — With the understanding that the weakest link might be your third party, there’s an increasing importance of timely detection of third-party breaches. CTI monitoring supports early detection of those cases and is followed by the IR team minimizing the risk. An example of this is monitoring ransomware gangs’ leak sites for any data belonging to your company that has been leaked from any third party.
  2. SOC incident triage — One of the main missions of the Security Operations Center (SOC) is to identify cyber incidents and make a quick decision on mitigation steps. This can be tremendously improved through threat intelligence information to triage the indicators (e.g., domains and IP addresses) of each event. Threat intelligence is the key to an effective and efficient triage of these events. This can be easily achieved through a threat intelligence browser extension that triages the IOCs while browsing in the SIEM.
  3. Vulnerability prioritization process — The traditional vulnerability prioritization process relies on the CVSS score and the criticality of the vulnerable assets. This focuses the prioritization efforts on the impact of an exploitation of the vulnerabilities and gives very little focus on the probability that these vulnerabilities will be exploited. Hacker chatter from the Dark Web and security researchers’ publications can help provide a good understanding of the probability that a certain vulnerability will actually be leveraged by a threat actor to launch a cyberattack. This probability factor is an essential missing piece in the vulnerability prioritization process.
  4. Trends analysis — The CTI practitioner has access to a variety of sources, allowing them to monitor trends in the cybersecurity domain, their specific industry, or in the data held in the company. This should be provided to leadership (not only security leadership) in order to allow smart, agile decision-making on existing risks.
  5. Threat intel and cybersecurity knowledge sharing — As with “traditional” intelligence, knowledge sharing can be a major force multiplier in cyber intelligence, too. Threat intel teams should aim to create as much external cooperation with other security teams — especially from the industry they work in — as they can. This will allow the team and the security organization to better understand the risks posed to the industry and, accordingly, their company. This information will also allow the CISO better visibility into the threat landscape that’s relevant to the company.

A valuable proposition

While the evolving CTI model is making threat intelligence implementation a bit more complex, as it includes collaboration with different functions, it makes the threat intelligence itself far more valuable and impactful than ever before. The future of cyber threat intelligence is getting a lot more exciting!