A company is only as effective as the people behind it. Recently, I had the pleasure of sitting down with one of our incredibly talented threat intelligence analysts, Rebekah Brown, to learn more about her experience working on the front line of one of our newest and rapidly growing features, Attacker Behavior Analytics (or ABA), which is changing the world of incident detection and response.
1. Tell us about your role in threat intelligence at Rapid7.
My job is to coordinate threat intelligence across all of Rapid7’s products. Working alongside our in-house security operations center (SOC) for our managed detection and response (MDR) services team, my team and I are constantly investigating threats and suspicious behaviors. We not only want to know what attackers are out there, but what their intent is, what information they’re looking to steal, how they get in, and so on. We also look at attacks from a broader lens by understanding what else is going on in the world that might make an attacker more likely to target an industry or country in particular.
Before joining Rapid7, I worked in similar roles at Nike and in the U.S. Marine Corps, where I learned just how important it was to have a strategic view on security, and how monitoring for malicious behaviors, not just static indicators, can be a far more effective threat detection technique.
2. What is your role in creating Attacker Behavior Analytics?
Attacker Behavior Analytics was built to solve a critical need companies are facing today: to detect malicious behaviors at the earliest point in the attack chain—even if they’ve been altered to evade threat intelligence defenses.
Once our managed detection and response (MDR) team detects suspicious behavior (e.g. manipulation of a file, unusual login), they create a rule to detect future behaviors. As this behavior alerts, it gives the threat intelligence team an opportunity to better understand the behavior in order to identify if it is isolated to one victim or part of a larger campaign, if it is targeting a specific industry, and if other malicious activities were seen in conjunction with the behavior. Since we are on the front line of behavior detection, the intel we gather and rules we develop are presented to our InsightIDR team to become part of Attacker Behavior Analytics, which is then fed into a multitude of Rapid7 products to help customers detect and respond to attacks as early in the attack chain as possible.
Working alongside our SOC and Intel teams, we can pull together the who, what, where, when, and why of an attacker behavior so we can load ABA with context and create threat response recommendations. These offer step-by-step instructions so customers know what systems, files, and logs to look into to remove a threat and prevent it from coming back tomorrow … or ever.
3. What do you appreciate most about ABA?
What I love most about Attacker Behavior Analytics is that it’s a team effort. ABA is a product of the collaboration between our threat intel, MDR, Rapid7 Labs, IDR, and other Rapid7 teams, allowing us to fully understand attacker behaviors and arm our customers with the information they need to know.
It really does take a village to pull together all this information, and one of my favorite parts about working for Rapid7 is that we have the resources and expertise to do this. At the end of the day, everyone wants to help our customers better secure and protect their networks, and Attacker Behavior Analytics is one of those places where we can see this come to life. If you remember the show Voltron, when something urgent happened, all teams assembled and became one working entity. Here at Rapid7, we actually say “Voltron unite!” when we come together like this. At least I do, and everyone else just humors me.
4. In your experience working with customers, what do they love most about these threat detections?
The fact that ABA, alongside our InsightIDR product, is able to identify a lot of different activity is really important to customers. Because ABA helps customers rapidly determine which behaviors are malicious and whether they’re part of a larger campaign, it helps customers understand the bigger picture of what’s going on, such as an industry-wide attack or nation-state attack. Customers often tell me they appreciate how easy we make it to piece together activities.
ABA looks for one-off suspicious activity, as well as clusters of activity happening at the same time. This helps us define what we’re seeing, how widespread it is, where it’s coming from, what the goal of the attack is, and, ultimately, how we can stop it. Because these detections are based on behaviors—many of which happen in the early stages of the attack chain—customers are able to spot and stop attacks faster, which is incredibly valuable.
5. What are your top incident detection and response best practices for security teams?
There’s a saying that, “When everything is a priority, nothing is a priority.” That’s why my first piece of advice is that you should have a solid understanding of your own internal environment. Knowing what security vulnerabilities you have will help you to better interpret ABA, other types of detections, and threats you read about in the news. For example, if you determine that weak password use and phishing are the two main ways threats infiltrate your networks, then this will help you prioritize security awareness training over other things like state-sponsored malware or DDoS attacks that are far less relevant to you. There’s a constant alarm in the media that whenever something happens to one company, everyone needs to jump on it, but if you have self-awareness, you’ll be a better judge of what you should be spending your time on.
It’s also important to recognize that threats aren’t black and white. There is a spectrum of threats and the impact can vary from company to company. It’s tools like InsightVM, Rapid7’s vulnerability management solution, that can help better prioritize alerts based on what’s most important to the business, and if you use InsightIDR, you can see over time what is really happening on your network. If you see that 70% of issues are coming from spear phishing, for example, that’s an area you should really focus on from a technology, response, and user awareness perspective.
Thank you, Rebekah!
A big thanks goes out to Rebekah for spending some time with us diving into how ABA was created, why she was drawn to it (as well as why many customers are), and for offering some pro tips to our readers.
Do you have more questions for Rebekah? Leave a comment below. Do you love reading and want to continue learning about threat intelligence? Join her for our summer installment of the Threat Intelligence Book Club.