Posts by Matt Hathaway

4 min InsightIDR

Underestimating Attackers Gives Them an Advantage

All too often, the media reaction to data breaches is to tout the incredible sophistication of the responsible parties, as if it is a shock that technological developments have made these events increasingly easy. There are some very key areas in which we need to stop underestimating the average attacker's abilities if we are going to slow down the growth of massive breaches and detect intruders more effectively. The term 'APT' distracts organizations from rational concerns. When people first star

5 min SIEM

Why Flexible Analytics Solutions Can Help Your Incident Response Team

I happen to despise buzzwords, so it has been challenging for me to use the term "big data security analytics" in a sentence, mostly because I find it to be a technical description of the solutions in this space, rather than an indicator of the value they provide. However, since we build products based on the security problems we identify, I want to explain how those technologies can be used to target some highly pervasive incident response challenges. Detection and investigation problems conti

5 min Breach Preparedness

Attackers Have Luck On Their Side - Prevention Is Not Enough

Some security professionals mistake the "assume breach" mentality to be a statement that people are giving up on trying to prevent cyber attacks. To the contrary, many of us believe that you need to do everything in your power to incapacitate intruders, yet it is impossible to stop 100% of malicious actors from finding entry. There is solid logic behind this, and I want to use some (pre-Disney) Star Wars examples to illustrate. I apologize to any true fans out there - I have only watched the tri

5 min Skills

You Need To Understand Lateral Movement To Detect More Attacks

Thanks to well-structured industry reports like the annual Verizon DBIR, Kaspersky "Carbanak APT" report, and annual "M-Trends" from FireEye, the realities of modern attacks are reaching a much broader audience. While a great many successful breaches were not the work of particularly sophisticated attackers, these reports make it very clear that the techniques once known only to espionage groups are now mainstream. Lateral movement technologies have crossed the chasm. I have written before ab

3 min Cloud Infrastructure

Incident Detection Needs to Account for Disruptive Technologies

Since InsightIDR was first designed, there has been a noteworthy consistency: it collects data from your legacy networking infrastructure, the mobile devices accessing your resources, and your cloud infrastructure. This is because we believe that you need to monitor users wherever they have access to the network to accurately detect misuse and abuse of company resources, be they malicious or negligent in origin. This doesn't mean tiptoeing around emp

4 min Honeypots

Leverage Attackers' Need To Explore For Detection

When you examine the sanitized forensic analyses, threat briefings, and aggregated annual reports, there are two basic facts that emerge: 1. There are a lot of different attacker groups with access to the same Internet as baby boomers and short-term contractors. 2. Most of them are proficient at user impersonation once on the network, allowing them to remain undetected for months. In this reality, our organizations need to do more than just build defenses and sit in waiting until known signature

3 min SIEM

Attackers Thrive on Chaos; Don't Be Blind to It

Many find it strange, but I really enjoy chaos. It is calming to see so many problems around in need of solutions. For completely different reasons, attackers love the chaos within our organizations. It leaves a lot of openings for gaining access and remaining undetected within the noise. Rapid7 has always focused on reducing the weaknesses introduced by chaos. Dr. Ian Malcolm taught us in Jurassic Park that you cannot control chaos. Instead, we strive to help you reduce and understand its impa

5 min Compliance

People and Process Are Keys to Compliance, Tech Simply Must Make Them Both More Efficient

Compliance is not always an exciting topic to write about; in fact, it's almost NEVER an exciting topic to write about, but that doesn't diminish its importance. For those of you in security who must adhere to a varietal (first of many references to adult beverages) of compliance policies, you know that it is often a painful, yet necessary, part of your jobs. Unfortunately, the log management and SIEM technologies we all deployed over the years have served compliance officers by making it possible

3 min Authentication

Insider Threat or Intruder: Effective Detection Doesn't Care

For various reasons, I have recently had a lot of conversations about insider threats. What is the best solution for them? How can they be detected? Does InsightIDR detect them? Rather than answering these questions with more questions, here is what I say: when you are detecting the malicious activity properly, the precise actor is unimportant. It is extremely important for the follow-up investigation and response that you know whether the person w

4 min SIEM

Enterprise Account Takeover: The Moment Intruders Become Insiders

Every time an attacker successfully breaches an organization, there is a flurry of articles and tweets attempting to explain exactly what happened so information security teams worldwide are able to either a) sleep at night because they have mitigated the vector or b) lose only one night of sleep mitigating it. Here's the problem: every breach is complex and involves a great deal more malicious actions than are published on your chosen 24-hour news website. The least detected action is the use o

5 min Cloud Infrastructure

Positive Secondary Effects: Incident Response Teams Benefit From Cloud Applications

We primarily hear the term "secondary effects" after natural disasters: "an earthquake causes a gas line to rupture and a fire ensues" or "a volcano erupts and the sulfur cloud shuts down all flights across the Atlantic", but there are a lot of positive secondary effects out there. If developed properly, cloud applications bring with them secondary effects of singular events to benefit the customer community. Since I work for a security company, I cannot write a blog post about cloud applicatio

3 min Phishing

Catching Stealthy Attackers: Detecting Log Deletion and Brand New Phishing Domains

It should come as no surprise by now that attackers are doing their best ninja impressions when trying to monetize the data on your network, whether it be credit card data, intellectual property, health records, or something else entirely. The longer their presence remains unknown, the more reconnaissance they can perform and valuable data they can access. Rapid7's InsightIDR team is constantly looking to detect behaviors that expose someone taking t

3 min SIEM

Alert Fatigue: Incident Response Teams Stop Listening to Monitoring Solutions

"Don't Be Noisy." It's that simple. This motto may be the only remaining principle of the concept that entered incubation in mid-2012 and eventually became InsightIDR. Of the pains that our customers shared with us up to that point, there was a very consistent challenge: monitoring products were too noisy. Whether they were talking about a firewall, a web proxy, SIEM, or a solution that doesn't fit into a simple category, these design partners told

2 min Authentication

Detecting Intruders Using Credentials: Lateral Movement Is Not Just for T3h 1337 h4x0|2

The largest challenge for organizations looking to detect and contain attackers is one of the hardest to overcome: disbelief. Disbelief that they will be targeted. Disbelief that someone will get past their perimeter. Disbelief that they will use stealth. Whether it is an expert group like APT1 or, more likely, just someone shelling out $50 to a phishing expert who sells his services on the open market, they will get in someday. Once they are in, most organizations are blind to the stealthy ac

4 min Incident Detection

Attackers Love When You Stop Watching Your Endpoints, Even For A Minute

One of the plagues of the incident detection space is the bias of functional fixedness. The accepted thought is that your monitoring is only effective for systems that are within the perimeter and communicating directly with the domain controller. And, the logic continues, when they are away from this trusted realm, your assets are protected only by the preventive software running on them. Given the continuous rise of remote workers (telecommuting rose 79 percent from 2005 to 2012), it's now tim