Quarterly Threat Report: 2018 Q1

Dangerous user behavior, memcached servers, and defining the “new normal” of background attack scanning

Executive Summary

Rapid7 Threat Report: 2018 Q1

Spring is here! The sun is shining, the birds are chirping, and attackers are coming up with more convincing ways to steal user credentials. While fairer weather does not lull attackers into slowing their pace, it does mean that you can at least sit in the sunshine and read our findings from the past quarter before continuing the mission of defending your network against an often persistent, sometimes creative, and always-on-the-job adversary. This quarter's report covers three main areas of concern for the modern IT defender:

User Identity:
Credential theft, reuse, and subsequent suspicious logins are—today—the most commonly reported significant incident we’re seeing across both small (<1,000 endpoints) and large organizations (≥1,000 endpoints).

DDoS:
The DDoS landscape just got a lot more interesting with the debut of a new technique using misconfigured—and plentiful—memcached servers. The memcached attack on GitHub was a harbinger of things to come for DDoS mitigation practices.

SMB and SMI:
Finally, we look at the rising volume of SMB and Cisco SMI probes and attacks. SMB probing continues to define the “new normal” level of background malicious activity around Windows networking, while SMI probing begins to give shape to this relatively new attack vector targeting core router infrastructure.

Register for the webcast (May 17, 2 p.m. ET/11 a.m. PT): Hear directly from the researchers on what these trends mean for the rest of 2018.

Incident Frequency by Organization Size



In Q1 we saw that the most common phishing campaigns were aimed at stealing credentials and masqueraded as DocuSign, Office365, and Dropbox, although there were other attempts to masquerade as Amazon Prime, Apple, and other sites or services.

– Rapid7 Quarterly Threat Report: 2018 Q1

The top four significant incident types in this quarter were suspicious logins, phishing, malware on system, and cryptocurrency mining.

– Rapid7 Quarterly Threat Report: 2018 Q1

SMB scans continue to hit high-water marks when defining the new normal levels of background attack scanning.

– Rapid7 Quarterly Threat Report: 2018 Q1

Webcast: May 17, 2 p.m. ET / 11 a.m. PT

Register for our webcast to hear directly from Rebekah Brown and Bob Rudis on what they think are the biggest takeaways from 2018 Q1 when it comes to the threat landscape.
Attacker Behavior Analytics

Our findings don't stop here. Learn how Rapid7 researchers take the threat trends they see in the wild and turn them into Attacker Behavior Analytics to feed threat detection in InsightIDR.