Last updated at Sat, 18 Nov 2023 19:52:07 GMT

This blog post is part of an ongoing series, MDR Vendor Must-Haves.

Let’s start with an analogy: Say you’re a fisherman out on a mission to catch tuna specifically. You throw out a net, and when you bring it in, you find it has scooped up a bunch of other fish, too. Either you have to sort through them, or a whole bunch of fish will be harmed.

Security tools are often built on static rule sets designed to look for specific events. Those rules can generate tons of false positives, flagging users or assets that are actually innocent but still require analysts to perform thorough investigations.

Threats and attackers come in all shapes and sizes, and each type of threat and attacker requires different methods for detection and response. Common threats that affect every business require up-to-date and well-managed threat intelligence to identify and remediate quickly. More complex, targeted attacks perpetrated by sophisticated attackers require equally adaptive detections, as their tools will be unknown to the threat intelligence industry.

So while rules are easy to write, they’re not the most accurate way to detect real threats today. This is where behavioral analytics comes in.

The best Managed Detection and Response (MDR) providers use a combination of threat intelligence, User Behavior Analytics (UBA), Attacker Behavior Analytics (ABA), and human threat hunts to provide detection for threats and attackers.

That’s because today’s attackers can easily contort malware and switch up their infrastructure, leaving security teams that chase attackers with static indicators and artifacts constantly feeling a step behind.

While IP addresses, processes, and domains change, there is an underlying set of stealthy attacker techniques that foreshadow every successful breach. Investigating these behaviors is key to finding a stealthy attacker, even if they alter their entry mechanism to evade prevention defenses.

According to Sam Adams, Rapid7’s vice president of product, “relying on math alone cannot solve this problem.” Adams continues, “Many vendors think that if they have a multitude of mathematical and machine learning techniques, that alone is enough to detect attackers. While you may occasionally catch one, it can easily lead to drowning in false positives, which makes it hard for teams to know which alerts are real and which are not.”

How Rapid7 MDR can help

Rapid7 MDR’s layered ABA and highly skilled SOC analysts clear the fog around attacker techniques. The information we see from Project Heisenberg, our honeypot network, and our hundreds of MDR customers is infused with context from our threat intelligence teams and ultimately formed into proactive detections that help us differentiate unusual admin activity from attacker activity.

For example, when Rapid7 MDR applies ABA to real-time endpoint data and combines that with UBA information and Network Traffic Analysis (NTA), we understand who logged on to a system, where they’re located, what the host connected to, and the specific actions taken. Furthermore, Rapid7 MDR is able to look earlier in the attack lifecycle to find scenarios where:

  • Log collection and endpoint event analysis are required from the most critical systems and applications (including systems and apps outside of the traditional network, such as cloud services) and from your existing security technology.
  • Efficient detection of malicious tools, tactics, and procedures (TTPs) requires visibility across the entire attack lifecycle.
  • Attackers hide behind routine actions on the machine, so process start/stop data must be correlated with other events to uncover malicious activity.
  • Attackers impersonate one of your employees.
  • Attackers are invisible on the endpoint and require analysis of network activity to uncover malicious connections at the perimeter or between endpoints on your network.

This is one of the reasons why Forrester analysts noted Rapid7’s “security professionals with extensive incident response and threat hunting experience” deliver MDR service through a “white-glove, behavioral detection-inspired approach” in The Forrester Wave™: Managed Detection and Response Q1 2021.

Why does this matter?

High-fidelity alerts grant context to take action

Alerts include context from our analysts and threat intel teams, so you can make better decisions, remediate the problem, mitigate risk, and contain the threat directly from your Findings Report.

Detections are based on behaviors, not signatures

By leveraging InsightIDR and top security experts, your team can feel confident that we’re able to detect attackers using high-fidelity endpoint data, identifying novel variations of attacker techniques rather than relying on fixed indicators.
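To make the difference between a static indicator and a behavior concrete, here is an added illustration (not Rapid7 code, and not how InsightIDR is implemented) that runs both styles of detection over a constructed set of process-start events like the start/stop data the list above refers to. The hash blocklist catches only the exact binary it already knows; the behavioral rule (an office application spawning a shell that spawns a further child, an assumed pattern chosen for illustration) catches the rebuilt tool as well, because the parent/child chain is what it keys on.

```python
"""Static-indicator vs. behavior-based detection over process events.

All events, hashes and image names below are constructed sample data.
"""

# Constructed process-start events: pid, parent pid, image name, file hash.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "sha256": "aaa1"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "sha256": "bbb2"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "sha256": "ccc3"},
    {"pid": 400, "ppid": 300, "image": "dropper.exe",    "sha256": "dead1"},  # hash is on the blocklist
    {"pid": 500, "ppid": 300, "image": "updater.exe",    "sha256": "dead2"},  # same tool, recompiled
]

# Static indicator: a blocklist of file hashes seen in a previous attack.
KNOWN_BAD_HASHES = {"dead1"}

# Behavioral rule inputs (assumed example sets, not a vendor's rule).
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def static_detect(events):
    """Signature approach: flag processes whose hash matches a known-bad indicator."""
    return [e["pid"] for e in events if e["sha256"] in KNOWN_BAD_HASHES]


def behavior_detect(events):
    """Behavioral approach: flag any process whose parent is a shell and whose
    grandparent is an office application, regardless of the binary's hash."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        grandparent = by_pid.get(parent["ppid"]) if parent else None
        if (parent and grandparent
                and parent["image"] in SHELLS
                and grandparent["image"] in OFFICE_APPS):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print("static  :", static_detect(EVENTS))    # only the known hash
    print("behavior:", behavior_detect(EVENTS))  # both children of the shell
```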

Found once, applied everywhere

Your security team gets the benefit of the learnings from Rapid7 customer detections. For example, when our SOC team finds new attack methodologies—either by way of our SOC, threat intelligence team, or Rapid7 research—those TTPs are updated in InsightIDR investigations.

By including ABA as a threat detection methodology, Rapid7’s threat intelligence team can quickly develop new rules for emerging attacker behavior and push detections out within minutes of discovering a new technique or trend.

UBA is adept at identifying breaches in the “lateral movement” phase of the attack chain. ABA allows us to detect attacker activities in all other phases of the attack lifecycle.

Constantly evolving ABA detections

Whenever possible, the alert will detail known, recent adversary groups that used a similar technique in a confirmed attack. As a key advantage of our cloud deployment model, detections are pushed automatically to our entire customer population after a thorough prototyping, testing, and validation process. All new indicators are also applied to one month of historic data, so your environment is protected immediately.

Indicators of attack are now surfaced on the InsightIDR visual timeline, along with unusual behaviors. This combination makes it even easier for the Rapid7 MDR SOC (or your team) to perform investigations and have confidence in the results of the Findings reports.