Executive Summary

Rapid7’s Managed Detection and Response (MDR) service generated 112 alerts to identify malicious activity in Company Name’s environment in February. MDR did not identify malicious activity which required incident response during this period.

Total Logs collected

3,518,304,611

Alerts Generated

112

Incident Reports

0

Collected Log Data

The following table identifies the data sources from which InsightIDR collected logs last month, the log set in InsightIDR log search where the logs are stored, and the number of log files collected per data source. The MDR team uses this data when investigating an incident.

You can also view your logs in InsightIDR by clicking Log Search from the left menu.

Alerts

The MDR Security Operations Center performed in-depth validation of 112 alerts by priority. The MDR team applied user behavior analytics to retrace the user and activity behind each alert. As part of this analysis, the MDR team reviewed domains and URLs accessed by users, processes executed by users, historical logon activity, and system roles associated with the alerts.

For more information about alert priorities and closed alert dispositions, go to the Key Terms and Definitions tab.

List of Closed Alerts

This table lists the alerts that were closed during the month of February. The table is generated by matching signatures to logs and events from the Company Name’s environment.

Incidents

MDR did not respond to any security incidents during the month of February.

Collected Endpoint Data

Threat Hunts Performed

During the month of February, MDR’s threat hunters performed 2 hunts in Company Name’s environment. Details of these threat hunts can be found in the table below. If evidence of compromise was identified as a result of these threat hunt(s), our incident response process would have been initiated (see the ‘Incidents’ section of this report).

Newly Created Rules and Suppressions

In February, Rapid7s MDR’s Threat Intelligence and Detection Engineering (TIDE) team created 376 new detection rules. The TIDE team also implemented 1 suppressions, tuning the rules listed under “Rules with new Suppressions.” Each month, TIDE actively researches new detections to increase coverage, and implements suppressions to raise the fidelity of existing detections which helps cover the Company Name’s environment.

Newly Created Rules

Rules With New Suppressions

• Suspicious Process - Execution From Root Of Users

Endpoints

The Insight Agent is deployed on 1,650 of the 1,700 endpoints that your organization asked the MDR team to monitor. We encourage you to deploy the Insight Agent on the remaining endpoints so we can provide forensic analysis, hunt activities, alert recommendations for all 1,700 planned endpoints.

You have a total of 1,700 endpoint licenses. If the endpoint data provided in this report is inconsistent with planned deployment targets, contact your Customer Advisor.

Endpoint Agents

97

Endpoint Agents

1,650

Endpoint Agents

1,700

Endpoint Agents

1,700

Users

This section provides the total number of administrators identified in your environment.

Administrators

20

Non-Expiring Passwords

Non-expiring passwords are at high risk of credential theft and reuse. Malicious actors could reuse these passwords on third-party sites. Rapid7 recommends limiting the use of non-expiring passwords. Implementing user password rotation reduces the risk of unauthorized access from harvested credentials.

Non Expiring

14

Service Accounts

0

Users with Non-Expiring Passwords

IDR Identified Administrators

The following users were observed performing administrator-level actions in your environment. Rapid7 recommends reconciling this list with the approved administrators for your organization.

Applications

This section provides visibility into various categories of software observed being executed in the Company Name’s environment. Rapid7 recommends reviewing the following applications to determine if they are authorized and approved according to the Company Name’s acceptable use policy.

Potentially Unwanted Programs (PUPs)

PUPs are often non-malicious in nature, but may be admin tools, browser toolbars and other types of software that may serve no business need.

Rapid7 did not identify any potentially unwanted programs in the Company Name’s environment.

Remote Access Solutions

Remote access solutions can be used by threat actors to gain remote access to a system.

Rapid7 identified remote access software ‘(Zoho Assist, Citrix Receiver, OpenVPN, VNC, TeamViewer, AnyDesk, SplashTop, Chrome Remote Desktop)’ installed on several systems in the Company Name’s environment. Rapid7 recommends reviewing the software’s presence on each system to determine whether it has a business need and if the system owner is authorized to use the application.

Cloud Storage Solutions

Rapid7 identified cloud storage solutions ‘(Microsoft OneDrive, Box.com, Egnyte, Google Drive, iCloud)’ installed on several systems in the Company Name’s environment.

Users may upload sensitive or proprietary data to non-approved cloud storage solutions, Rapid7 recommends ensuring that users follow corporate cloud storage usage policies by uninstalling unwanted software or blocking unapproved cloud storage network traffic.

Imposter Domain Names

Rapid7 identified multiple registered domains potentially designed to be imposters of the Company Name’s registered domains. Rapid7 recommends reviewing and blocking the identified domains, if they serve no business need.

Managed Detection and Response Overview

When you use Rapid7 MDR services, your logs are collected and matched against curated rules. Each time an event matches certain rule criteria, an alert is sent to our MDR team, and they respond with an investigation. The following sections describe how Rapid7s MDR team defines the priority, status, and disposition of alerts, and provide an overview of our incident reports.

Alert Priority

Rapid7 will prioritize alerts based on a combination of the likelihood of malicious activity and the potential impact of the detected activity.

Incident Severity

Rapid7 determines the severity of an incident based on a number of factors, including:

• Intent: Whether the threat appears to be targeted or opportunistic/automated, and the likely objectives of the attack
• Scope: The number and criticality of systems and users impacted
• Ongoing Activity: Whether the incident appears to have been fully contained

Closed Alert Dispositions

Once an alert has been investigated, it is marked as Closed, and is assigned one of the following dispositions:

Data Source Descriptions

Incident Reports

An incident report is created when our MDR team responds to a confirmed malicious incident in your environment. This is a detailed report providing an overview of the incident, findings details, analysis, root cause, and recommended corrective actions to prevent the likelihood of recurrence and/or improve your ability to detect and respond to similar incidents in the future.

Threat Hunting

The MDR service relies on multiple methods of compromise detection within client environments. In addition to real-time alerting MDR frequently performs targeted threat intelligence-driven hunting by querying forensically-relevant data available to Rapid7 Threat Hunters. If a hunt yields a positive identification of compromise, or potential for compromise, customers will be notified immediately, provided with remediation and mitigation recommendations and a full incident report within 24 hours of the conclusion of the investigation.

Endpoints

% Endpoints Covered - This represents both the overall percentage of endpoints in your organization that have Insight Agents deployed and the percentage of endpoints the MDR team is able to monitor. It is calculated using the total number of endpoints that your organization asked us to monitor, or “Planned Endpoints” in this report, and the actual number of monitored endpoints, which are referred to as “Monitored Endpoints” in this report. The number of Total Endpoint Licenses is not included as part of this percentage.

Monitored Endpoints - The number of endpoints with an Insight Agent installed, and as a result, the number of endpoints the MDR team is able to monitor.

Planned Endpoints - The total number of endpoints the MDR team expected to monitor based on information your organization provided to the MDR team. If the number of planned endpoints is greater than the number of monitored endpoints, this means that there are still endpoints that the MDR team was asked to monitor without an Insight Agent installed. The Insight Agent must be installed on all endpoints that you want the MDR team to monitor.

Total Endpoint Licenses - This is the total number of licenses purchased by your organization, and specified in your contract. This may be higher than your Planned Endpoints based on your organization’s growth estimates and contingency plans.