Rapid7 believes that collaboration and information sharing are critical to solving today’s complex security challenges. With the passage of the Cybersecurity Information Sharing Act (CISA) in late 2015, the private and public sectors were empowered to safely share more information about cyber threats and to work together to defend against attacks. This threat intelligence report reaffirms Rapid7’s commitment to openly sharing security information and to supporting the industry in raising and addressing issues that affect the cybersecurity community. It follows the February announcement of Rapid7 as an affiliate member of the Cyber Threat Alliance (CTA), which describes itself as the industry’s first group of cybersecurity practitioners from organisations that work together in good faith to share threat information and improve global defences against advanced cyber adversaries.
“The CTA commends Rapid7 for producing this report. It provides very useful insights into how the threat landscape is evolving. It also demonstrates why proactive, robust information sharing is a critical element of mitigating cyber vulnerabilities in such a rapidly evolving threat landscape,” said Michael Daniel, president of the CTA. “The CTA information sharing platform fulfils this role by enabling the automated, near-real-time sharing of rich, contextual cyber threat information. Automated information sharing, paired with context, enables CTA members like Rapid7 to more efficiently deploy proactive defences and provide more effective incident response to their respective customers.”
“Often, threat intelligence and data science reports present an abundance of statistics that are inaccessible and difficult to apply. Our goal with this report, and the ones to follow, is to provide incident response teams and SOC analysts with distilled learnings and practical, actionable guidance from the complex wealth of data Rapid7 gathers continuously,” said Rudis.
Key takeaways from the Q1 2017 report include:
#1. More is less. Less is more.
Reducing alert fatigue should always be a goal, but there is more to it: a better signal-to-noise ratio means responders and analysts are more likely to see meaningful trends. By examining when alerts fired, the Q1 analysis found that attackers still rely heavily on user interaction. On Monday holidays, for instance, alert volume dipped significantly, which our analysts attributed to fewer employees being at work to open malicious emails and attachments.
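The day-of-week effect described above is easy to check against your own alert feed. The script below is an added example and is not code from the Rapid7 report: it buckets alert timestamps by calendar day, computes a median baseline per weekday, and flags any day whose volume falls far below its weekday's baseline. The alert feed and the two holiday dates it contains are constructed for the example, not real data.

```python
"""Bucket alert timestamps by day and flag days far below their weekday baseline.

A Monday that runs at a small fraction of the usual Monday volume is the
holiday signal the report describes: fewer people at keyboards, fewer
phishing-driven alerts.  All data here is constructed, not Rapid7's.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import median

START = date(2017, 1, 9)                 # a Monday; constructed window start
WEEKS = 8
HOLIDAYS = {date(2017, 1, 16), date(2017, 2, 20)}  # assumed Monday holidays


def constructed_alerts():
    """Return a constructed list of ISO-8601 alert timestamps (one per alert).

    Weekdays carry ~40 alerts, weekends 4, and the two assumed holidays 6,
    mimicking user-interaction-driven alert volume.  Deterministic so the
    example runs offline.
    """
    alerts = []
    for offset in range(WEEKS * 7):
        day = START + timedelta(days=offset)
        if day in HOLIDAYS:
            n = 6
        elif day.weekday() >= 5:            # Saturday/Sunday
            n = 4
        else:
            n = 40 + (offset % 5)           # mild weekday variation
        for i in range(n):
            ts = datetime(day.year, day.month, day.day, 8 + i % 10, i % 60)
            alerts.append(ts.isoformat())
    return alerts


def daily_counts(timestamps):
    """Map each calendar date to the number of alerts seen that day."""
    counts = Counter()
    for ts in timestamps:
        counts[datetime.fromisoformat(ts).date()] += 1
    return counts


def weekday_baselines(counts):
    """Median daily alert count per weekday (0=Monday .. 6=Sunday).

    The median is used rather than the mean so that a few holiday dips do
    not drag the baseline down with them.
    """
    by_weekday = defaultdict(list)
    for day, n in counts.items():
        by_weekday[day.weekday()].append(n)
    return {wd: median(vals) for wd, vals in by_weekday.items()}


def flag_low_days(counts, ratio=0.5):
    """Return dates whose volume is below `ratio` times their weekday baseline."""
    base = weekday_baselines(counts)
    return sorted(day for day, n in counts.items()
                  if n < ratio * base[day.weekday()])


if __name__ == "__main__":
    counts = daily_counts(constructed_alerts())
    for wd, b in sorted(weekday_baselines(counts).items()):
        print(f"weekday {wd}: baseline {b}")
    for day in flag_low_days(counts):
        print(f"{day} ({day.strftime('%A')}): {counts[day]} alerts, well below baseline")
```

Run against a real feed, replace `constructed_alerts()` with your own timestamps; the interesting follow-up is to join the flagged dates against a holiday calendar, since a low Monday that is not a holiday points at a collection outage rather than quiet users.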
#2. You find what you are looking for.
If you design indicators based only on the information currently at hand, rather than seeking out additional intelligence or adding industry- and company-specific context, the result will be low-quality alerts. In other words: while most alerts are triggered by known malicious activity, the quality of those alerts is entirely dependent on the quality of the indicators behind them.
#3. Advanced Persistent Threat (APT) is dead, long live APT.
Advanced Persistent Threats, Sophisticated Adversaries, Nation State Actors ... there are many ways to describe the types of sophisticated, targeted attacks many organisations fear. Understanding an organisation’s threat profile can help determine whether these types of attackers need to be accounted for in its threat landscape. For organisations in industries that align with nation-state interests, such as government, manufacturing and aerospace, sophisticated attack activity is alive and kicking. For the most part, this analysis observed that organisations outside those industries were not significantly affected by highly targeted attacks.
#4. I feel the need, the need to Strut with speed.
While a 30-day patching cycle was once generally effective, the Apache Struts vulnerability (CVE-2017-5638) presented a strong case for re-evaluating this traditional thinking. Just days after the vulnerability was publicly disclosed, our analysts began to detect mass-exploitation attempts. Understanding the threat presented by a new vulnerability, mapped to specific threat profiles, helps determine when a patch needs to be prioritised ahead of the normal cycle.