In this week's Whiteboard Wednesday, Bob Rudis, chief data scientist at Rapid7, dives into the findings of our inaugural, quarterly Threat Report. Learn more about key takeaways from Q1, and for even more data, download the Threat Report in its entirety here.
Welcome to this week's Whiteboard Wednesday. My name is Bob Rudis, and I'm Rapid7's chief data scientist. Now, as the Beatles' SecOps manager once said, "I get by with a little help from my friends"—and the Rapid7 managed detection and response team (also known as the MDR team), or so she would have said if the Beatles had a SecOps manager. In the alternate universe, the steampunk dystopian Beatles likely had or still have one, but I digress. What does the Rapid7 MDR team do? We help organizations detect and deter attackers by augmenting your company's security operations center with capabilities from our own legion of experts, who are armed with the advanced tools provided by our InsightIDR platform, which aids in both identifying and investigating malicious activity in your network.
Rebekah Brown, threat intel lead for the MDR team, and I combed through the details of our Q1 2017 MDR incidents across 10 industry groups to create Rapid7's inaugural threat report. Rather than produce a report that goes into painful detail about a single attack vector or event, we wanted to show you what a day in the life of a SecOps responder team or manager looks like, so that you can see how your work compares to others in and across industries. We did that by looking, from many angles, at InsightIDR events that triggered full-on confirmed incidents.
Let's dive into some of the findings. First, we can confirm that you are indeed special, just like your parents said you were. The threat landscape, defined in this case by the attacks seen by individual organizations, differs substantially by industry, with finance, retail, and professional services firms (as defined by the North American Industry Classification System) each seeing a larger and uniquely different diversity of attacks than other industries. This is important, as your organization should be reviewing your own events and incidents on a regular basis and identifying your own threat profile, which will enable you to craft better detections and defenses against attackers.
Another key finding is that most attacks rely on users being active during the workday. This fact correlates well with a large portion of attack types centering around both exploiting the human, which is phishing attacks, and using the secrets or access gained there to find internal targets, which is called lateral movement. If you perform the same working-hours analysis on your own incidents, you will likely see a similar pattern. If you do, this should be a good reminder that security awareness programs, combined with efforts to enable your workforce to become co-defenders of your critical assets, are as important as or more important than the technical controls you employ.
Lastly, pay attention to the news. Our MDR team saw active malicious exploitation of the recent Apache Struts vulnerability across our customer base the day after the proof-of-concept code was posted. You can no longer just rely on a 30-day patching cycle to keep you safe. There are many more insights in the full report available at community.rapid7.com. If you have any questions, you can reach out to Rebekah Brown or me at firstname.lastname@example.org. That's it for this week's Whiteboard Wednesday. See you next time.
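The talk recommends two analyses you can repeat on your own confirmed incidents: how diverse the attack types are per industry (or per business unit), and what share of incidents land inside the victim's working hours, overall and for the human-centric types (phishing, lateral movement). The script below is an added example written for this page, not code from the talk, the report, or InsightIDR. The incident records, the industry labels, the attack-type names and the 09:00-17:59 Monday-to-Friday definition of working hours are all constructed assumptions; swap in your own incident export (with timestamps that carry the victim organization's local UTC offset) and the functions run unchanged.

```python
"""Profile your own incidents: attack-type diversity per industry and a
working-hours analysis. Added example for this page; the records below are
constructed sample data, not Rapid7 MDR or InsightIDR data."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample incidents: (industry, attack_type, ISO-8601 timestamp).
# Each timestamp carries the victim org's UTC offset so that .hour and
# .weekday() below reflect the victim's local wall clock, not UTC.
SAMPLE_INCIDENTS = [
    ("finance",    "phishing",            "2017-02-06T09:14:00-05:00"),  # Mon
    ("finance",    "phishing",            "2017-02-07T14:02:00-05:00"),  # Tue
    ("finance",    "lateral_movement",    "2017-02-07T16:45:00-05:00"),  # Tue
    ("finance",    "credential_stuffing", "2017-02-11T03:20:00-05:00"),  # Sat
    ("retail",     "phishing",            "2017-02-08T10:30:00-08:00"),  # Wed
    ("retail",     "malware_beacon",      "2017-02-08T22:10:00-08:00"),  # Wed night
    ("retail",     "lateral_movement",    "2017-02-09T11:05:00-08:00"),  # Thu
    ("healthcare", "phishing",            "2017-02-10T08:55:00-06:00"),  # Fri, pre-9
    ("healthcare", "phishing",            "2017-02-10T13:40:00-06:00"),  # Fri
    ("healthcare", "lateral_movement",    "2017-02-12T15:00:00-06:00"),  # Sun
]

# Assumed definition of the workday; tune to your organization.
BUSINESS_HOURS = range(9, 18)   # 09:00 through 17:59 local time
WORKDAYS = range(0, 5)          # Monday=0 .. Friday=4
HUMAN_CENTRIC = {"phishing", "lateral_movement"}


def parse_incidents(rows):
    """Turn (industry, attack_type, iso_timestamp) rows into aware datetimes."""
    return [(ind, atype, datetime.fromisoformat(ts)) for ind, atype, ts in rows]


def shannon_diversity(counts):
    """Shannon entropy (bits) of an attack-type distribution; 0 means one type only."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def diversity_by_industry(incidents):
    """Per industry: (number of distinct attack types, Shannon diversity in bits)."""
    by_industry = defaultdict(Counter)
    for industry, attack_type, _ in incidents:
        by_industry[industry][attack_type] += 1
    return {ind: (len(c), round(shannon_diversity(c), 3)) for ind, c in by_industry.items()}


def in_working_hours(ts):
    """True if the (local, aware) timestamp falls on a workday during business hours."""
    return ts.weekday() in WORKDAYS and ts.hour in BUSINESS_HOURS


def working_hours_share(incidents, attack_types=None):
    """Fraction of incidents inside working hours, optionally limited to given types."""
    selected = [ts for _, atype, ts in incidents
                if attack_types is None or atype in attack_types]
    if not selected:
        return 0.0
    return sum(in_working_hours(ts) for ts in selected) / len(selected)


def hour_histogram(incidents):
    """Incident counts per local hour of day, index 0..23."""
    hist = Counter(ts.hour for _, _, ts in incidents)
    return [hist.get(h, 0) for h in range(24)]


if __name__ == "__main__":
    incidents = parse_incidents(SAMPLE_INCIDENTS)
    for industry, (n_types, bits) in sorted(diversity_by_industry(incidents).items()):
        print(f"{industry:<11} distinct attack types={n_types}  diversity={bits} bits")
    print(f"working-hours share, all incidents:   {working_hours_share(incidents):.2f}")
    print(f"working-hours share, human-centric:   "
          f"{working_hours_share(incidents, HUMAN_CENTRIC):.2f}")
    print("incidents per local hour:", hour_histogram(incidents))
```

Two points worth carrying over to real data: keep the victim's UTC offset on every timestamp, because a working-hours analysis done in UTC will smear a multi-region customer base across the clock and hide the pattern; and compare the diversity figure across your own business units before comparing it to anyone else's, since the number of distinct types is bounded by how finely your detection rules label incidents.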