Just a handful of years ago, drive-by exploit kits were how attackers attempted to attack companies and individuals. Today, it’s through the delivery of malicious documents and malware that can quickly contort and disguise where it’s coming from. Attack vectors are constantly evolving—here within our managed detection and response (MDR) team at Rapid7, it’s our job to stay several steps ahead of them for our customers.
What started as a rule management system on top of our alerting system quickly evolved into what we now call Attacker Behavior Analytics (ABA). Born out of our own desire to be able to quickly and accurately detect behaviors indicative of real threats, we soon realized all of our customers (across both MDR and InsightIDR, our threat detection and response solution) could benefit from this future-ready approach to detection.
As part of the original team who developed detections for our MDR customers, I’m going to explain more about how we use ABA, how we continue to create detections for it, and how we use it in-house every day.
How We Build Attacker Behavior Analytics
As you know, many security alerts can turn up to be false positives. Additionally, new threats can go undetected if you’re not collecting the right data or running the right analytics to spot compromise. We needed a way to address this for our MDR clients, so we began by creating a rule management system based off the Logentries alerting system. Using sources like the Metasploit project, our penetration testers, Cyber Threat Intelligence, and our own threat intelligence teams, we wrote several hundred detections to help us find evil things occurring inside our client environments.
Most of the rules we developed are behavior-based, since today’s attacks are typically delivered by the drop of malware from a malicious document or covert actions that static, signature-based methods fail to detect. We developed an automated custom feed to find malicious documents used in ongoing campaigns—any matches are then retrieved and analyzed in our own sandbox. We use this analysis, as well as other open & closed source intelligence sources, pen tests, and tactics, techniques, and procedures (TTPs) we have observed performed by actors during incident response engagements.
By analyzing how malicious documents and malware interact with various systems, we better understand their underlying intent. Then, we correlated how the malware would show up in data collected by the Insight Agent, our cross-product endpoint agent. From here, we developed behavior-based detections to hunt future malicious behavior, even if steps have been taken to evade common prevention defenses.
This library of detections powered the majority of the reporting output for our MDR clients, and not long after, the feature was dubbed Attacker Behavior Analytics and added to our InsightIDR solution as well.
How We Contribute to Attacker Behavior Analytics
All of the research we do inside the MDR team directly benefits Rapid7 customers. Any time we investigate a new threat and develop an ABA detection, it’s added to the wheelhouse of malicious behaviors InsightIDR can spot and alert on for customers. Everything from malicious documents (or maldocs), to droppers, to second-stage payloads can be detected, added to our research sandbox, and if verified, added to ABA within InsightIDR. Visit our Attacker Behavior Analytics library for an overview of some of the detections that have been added to InsightIDR so far.
Since the MDR team is made up of information security practitioners actively on the front lines of combating threats, we are a valuable source of information when it comes to spotting malicious activity. With this direct link to our Products team, we can quickly integrate new detections as they’re created. Furthermore, when an alert fires, ABA loads it with context, along with how to respond, so customers can jump right into remediation.
How We Use Attacker Behavior Analytics
We eat our own dog food because we use ABA every day to detect issues for our MDR customers. While other vendors can take weeks to find new threats, our team can’t afford to wait or waste time investigating false-positives alerting on stale malware or intelligence. Since we’re looking for unique behaviors that are indicators of a compromise, and have a dedicated analyst team to investigate these behaviors right away, we can discern the moment something drops if it’s evil or not. If it is, we inform our clients with a detailed Findings Report that details our investigation, recommended next steps, and ways to harden for the future.
Most other technologies in the industry look for known-bad static indicators like hashes, IPs, and domain names. However, alerts matching on these indicators requires follow-up investigation to validate their maliciousness, meaning the attack is usually well underway by the time it’s spotted.
In our experience, we’ve found that Attacker Behavior Analytics fills a big gap in monitoring and detection that antivirus, firewall, and other broad monitoring solutions cannot meet. In fact, for our MDR clients, we’re often looking at multiple feeds, but it’s the ABA detections that have given us the best insights and helped us find the latest and most advanced behavioral threats. For InsightIDR users, an alert is generated in real-time when attacker behavior is detected so they, too, can take quick action.
InsightIDR is the technology that powers our global SOCs, yet you can get up and running in your environment in just hours. See the power of ABA for yourself. Explore a 30-day free trial of InsightIDR today.