User interaction remains one of the biggest keys to the success of malicious activity. By examining when alerts were generated, Rapid7’s Q1 analysis found that attackers still rely heavily on social engineering and on the permissions users already hold.
In its inaugural quarterly threat report, the firm found, for instance, that on Monday holidays, alerts dipped significantly, which the analysts attributed to a lack of employees interacting with malicious emails, attachments and links.
“Reducing alert fatigue should always be a goal, but there’s more to it: A better signal-to-noise ratio means responders and analysts are more likely to see meaningful trends,” the firm noted.
The report leverages intelligence from Rapid7’s Insight platform, Rapid7 Managed Services, Rapid7 Incident Response engagements, and the Metasploit community.
“Often, threat intelligence and data science reports present an abundance of statistics that are inaccessible and difficult to apply. Our goal with this report, and the ones to follow, is to provide incident response teams and SOC analysts with distilled learnings and practical, actionable guidance from the complex wealth of data Rapid7 gathers continuously,” said Bob Rudis, chief data scientist at Rapid7.
Also, if companies design indicators based only on currently available information, rather than seeking out additional intelligence or adding industry- and company-specific context, the result will be low-quality alerts, the report postulates. In other words: while most alerts are triggered from known, malicious activity, the quality of these alerts is entirely dependent on the established indicators.
The analysis also noted that many organizations fear sophisticated, targeted attacks from APTs. But understanding an organization’s threat profile can help determine whether or not these types of attackers should be accounted for in the threat landscape. For organizations in industries that align with nation-state interests—government, manufacturing, aerospace—sophisticated attack activity is alive and kicking. For the most part, this analysis observed that organizations outside those industries were not significantly affected by highly targeted attacks.
Similarly, Rapid7 found that understanding the threat presented by new vulnerabilities, mapped to specific threat profiles, can help to determine when a given vulnerability needs to be prioritized.
“While a 30-day patching cycle was once generally effective, the Apache Struts vulnerability (CVE-2017-5638) presented a strong case to reevaluate this traditional thinking,” the report said. “Just days after the Apache Struts vulnerability was publicly disclosed, our analysts began to detect mass-exploitation attempts.”