Rapid7 launches quarterly threat intelligence report

Rapid7 has released its first threat intelligence report, an analysis of threats faced by organisations in Q1 of 2017. Designed to provide a clear picture of the threat landscape and share key learnings on threat types by industry, the report also provides a glimpse into a day in the life of an incident responder.

Rapid7 believes that collaboration and information sharing are critical to solving today’s complex security challenges. With the passage of the Cybersecurity Information Sharing Act (CISA) in late 2015, the private and public sectors were empowered to safely share more information about cyber threats and work together to jointly defend against attacks. This threat intelligence report reaffirms Rapid7’s commitment to openly sharing security information and supporting the industry in raising and addressing issues that affect the cybersecurity community. The report follows the February announcement of Rapid7 as an affiliate member of the Cyber Threat Alliance (CTA), which describes itself as the industry’s first group of cybersecurity practitioners from organisations that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries.
 
“The CTA commends Rapid7 for producing this report. It provides very useful insights into how the threat landscape is evolving. It also demonstrates why proactive, robust information sharing is a critical element of mitigating cyber vulnerabilities in such a rapidly evolving threat landscape,” said Michael Daniel, president of the CTA. “The CTA information sharing platform fulfills this role by enabling the automated near-real time sharing of rich, contextual cyber threat information. Automated information sharing, paired with context, enables CTA Members like Rapid7 to more efficiently deploy proactive defenses and provide more effective incident response to their respective customers.”
 
The report draws on intelligence from Rapid7’s Insight platform, Rapid7 Managed Services, Rapid7 Incident Response engagements, and the Metasploit community. Rapid7 plans to issue its threat analysis findings on a quarterly basis. The analysis was led by Rapid7’s Rebekah Brown, threat intelligence lead, and Bob Rudis, chief data scientist, and provides actionable guidance to help incident response teams adapt more quickly to new and emerging threats.
 
“Often, threat intelligence and data science reports present an abundance of statistics that are inaccessible and difficult to apply. Our goal with this report, and the ones to follow, is to provide incident response teams and SOC analysts with distilled learnings and practical, actionable guidance from the complex wealth of data Rapid7 gathers continuously,” said Rudis.
 
Key takeaways from the Q1 2017 report include: 
 
#1. More is less. Less is more. 
Reducing alert fatigue should always be a goal, but there is more to it: a better signal-to-noise ratio means responders and analysts are more likely to see meaningful trends. By examining when alerts were generated, the Q1 analysis found that attackers still rely heavily on user interaction. For instance, on Monday holidays, alerts dipped significantly, which our analysts attributed to fewer employees being at work to interact with malicious emails, attachments and similar lures.
 
#2. You find what you are looking for. 
If you design indicators based only on currently available information, rather than seeking out additional intelligence or adding industry- and company-specific context, the result will be low-quality alerts. In other words: while most alerts are triggered by known malicious activity, the quality of those alerts depends entirely on the quality of the indicators behind them.
 
#3. Advanced Persistent Threat (APT) is dead, long live APT.
Advanced Persistent Threats, Sophisticated Adversaries, Nation State Actors ... there are many ways to describe the types of sophisticated, targeted attacks many organisations fear. Understanding an organisation’s threat profile can help determine whether or not these types of attackers should be accounted for in the threat landscape. For organisations in industries that align with nation state interests — government, manufacturing, aerospace — sophisticated attack activity is alive and kicking. For the most part, this analysis observed that organisations outside those industries were not significantly affected by highly targeted attacks.

#4. I feel the need, the need to Strut with speed. 
While a 30-day patching cycle was once generally effective, the Apache Struts vulnerability (CVE-2017-5638) presented a strong case to reevaluate this traditional thinking. Just days after the Apache Struts vulnerability was publicly disclosed, our analysts began to detect mass-exploitation attempts. Understanding the threat presented by new vulnerabilities, mapped to specific threat profiles, can help to determine when something needs to be prioritised.