Rapid7 Research

Quarterly Threat Report:
Q1 2019

Michelle Martinez, Senior Threat Intelligence Analyst, Rapid7
Kwan Lin, Senior Data Scientist, Rapid7
Bob Rudis, Chief Data Scientist, Rapid7
May 28, 2019

DEFINITION

What is a threat?

When there is an adversary with the intent, capability, and opportunity, a threat exists. When two or more of these elements are present (e.g., intent and capability, but no opportunity), we call it an impending threat, because there is just one missing piece before it becomes a true threat. When there is just one element present (e.g., an opportunity in the form of a software vulnerability), we call it a potential threat. There is the potential for it to turn into a true threat, although there are additional components that need to come to fruition before it has a real impact to most organizations.
 

Introduction

The first quarter of 2019 has come, gone, and yielded yet another rich accumulation of data that enables us to derive systematic analysis of the threat landscape. In this issue of the Rapid7 Quarterly Threat Report, we take a closer look at the threat events across a number of dimensions, including industry segments and organization size. We also take an expansive view of inbound activity across the entire internet, and dive deeper into a number of common services across the internet. Furthermore, we’ve aligned our findings to the MITRE ATT&CK framework, essentially combining data with a structure used to better understand attacker methods.

Some highlights for this quarter include:

  • Remote entry still remains a top threat, especially among large organizations.
  • A detailed examination of the top credentials attempted against our Heisenberg nodes during Q1, and the frequency at which various emulated services are prodded on those nodes.
  • A closer look at the MITRE ATT&CK framework, including an assessment of the stages at which different attacker tactics are detected across various industries.

Threat Event Overview

Our Managed Detection and Response (MDR) services team collects quite a few details about threat incidents, including indicators that reveal particular threats. We can gather those indicators into broader groupings, which provide a more generalized perspective of the threat landscape. For instance, we can take indicators on accounts attempting access to critical organization assets, lateral movements, and suspicious authentications and collect those under the “Threat Movement” banner. Similarly, we can collect indications of multiple country authentications, authentications to critical assets from new sources, or attempted ingress from disabled accounts under “Remote Entry.” 

Through a series of transformations, aggregations, and separations, we can derive a systemic view of the most common groupings of threat events on a monthly basis. When we take such an approach, we can see that remote entry—despite its variations in forms and specifics—is consistently one of the most persistent threat types month to month.

Figure 1: 2019 Q1 Top 5 Threat Events Per Month Across All Organizations |

Key takeaway: Be wary of remote entry, whether it’s from attempted access from different countries, attempted access from purported third-party sources that your organization might have some sort of working relationship with, or any other variant that might suggest an attempted incursion from external origins.[1]  

[1] Check out Rapid7’s Under the Hoodie report, which takes a deeper dive into penetration testing engagements, including a focused view on external penetration testing engagements where our trained specialists attempt to gain entry to organization systems remotely. (And stay tuned for the 2019 report, coming soon!)

Small vs. Large Organizations

We also have a sense of organization scale, which enables us to discern patterns around how particular threat events affect large or small organizations differently. In this current analysis, we define large organizations as groups that have more than 1,000 assets under active monitoring, and small organizations as those with fewer.

To determine the prevalence of particular threat groups by organization size, we first separate the organizations by size, then derive a percentage view of the varying threat categories within the differently sized organizations. This provides us with a sense of what types of threat categories are more common for large and small organizations.

In this view, we see that remote entry was still the most prevalent threat category for large organizations throughout Q1 2019. However, the same cannot be said for small organizations; instead, the most prevalent threat category for small organizations was threat movement.

Figure 2: Q1 Incident Threat Event Frequency (percentages represent distributions of detected threat incident groupings within organization size) |

Key takeaway: Especially for smaller organizations, it's important to be wary of malicious actors attempting to make lateral movements through a network, possibly in an effort to gain access to restricted assets.

Industries at a Glance

Similar to how we can take the organizations we monitor and separate them into large or small groups, we can also enrich our data points further to enable us to separate threat events by industry, facilitating a segmented view where we can get a sense of the dangers that different industries should be particularly wary of. The taxonomy we rely upon to classify organizations by industry is based upon the North American Industry Classification Standard (NAICS), which we deem to be appropriate given that the majority of our observed groups are based within North America.

When we arrange industries in order of frequency of aggregate threat events, we find that the industries that encountered the most threat events during the quarter were professional services, manufacturing, healthcare, and finance. While the most commonly targeted industries do fluctuate from period to period,[2] there is often a steady regularity to the most prominent industries. Often, the industries that are prominent in this analysis have access to gold mines for malicious actors, such as databases flush with personally identifiable information (PII) and repositories of financial records and access credentials, among other types of riches.

Along another dimension, we also arrange the types of threat events in descending order based on aggregate frequency across all industries. Such a combination of industry details and threat event details provides insight into the prevalence of different threat events for different industries. Just as we can often discern a regularity to the industry arrangement, we also observe some regularity (with slight variations) in the threat event frequency arrangement. We are left with a sense of the types of threats that are most common, and furthermore, we are informed of the prevalence of different threats within different industries. This enriches our understanding of the different types of threats that particular industries should be particularly wary of.

If we scan for notable outliers in the analysis, for instance, we find a comparatively high prevalence of harvested credentials in the construction industry, especially when compared against the relative orders of magnitude of this particular threat across other industries. In this case, “harvested credentials” refers to cases where multiple accounts attempt to authenticate to a single, possibly unusual location. Without intelligent systems like InsightIDR in place, keeping track of these types of events can be tricky and prone to alert fatigue. Yet, catching these types of events early can go a long way in preventing successful lateral movement, plus slow down or completely stop attackers cold.

Figure 3: 2019 Q1 Threat Event Distribution by Industry (click to view full size image) |

Key takeaway: Different industries encounter different threat events at different orders of magnitude. While our analysis is necessarily limited to the data we have direct access to, the patterns we have discerned can inform precautionary measures that can be pursued to optimally minimize potential threats that vary in prevalence for different industries.

[2] In the entirety of 2018, we found that the four most commonly targeted industries were information services, retail, healthcare, and professional services.

Phishing

People are some of the greatest and most potent assets for all organizations. Unfortunately, people are also appealing targets for malicious actors with nefarious aims to compromise organizations’ systems. Often, malicious actors attempt to gain a foothold within organizations’ hardened systems by pilfering credentials; these attempts often manifest as fake login pages that mimic actual login pages of legitimate services.

Through our analysis, we were able to broadly identify sets of phishing pages that were presented to various organizations across different industries. Fake login pages that mimicked Microsoft services—including Exchange, OneDrive, Office 365, and others—were detected with great regularity for almost all industries. Microsoft services most likely stand out in prominence due to their nigh ubiquity across most organizations.

Figure 4: 2019 Q1 Phishing Fake Login Pages |

Key takeaway: It’s important to be aware that the tools we rely on most often to do our jobs are regularly used as the cloaks to hide potential threats. The pages that we routinely bring up on our browsers and input our credentials into to gain access to needed services might not always be what we think they are. It’s worth exercising an extra moment of caution each time we type in usernames and passwords to ensure that the text in the browser’s address bar is correct and does not point to a phony path.

While phishing attacks to pilfer credentials occur across many organizations, we found that credential stuffing attempts using painfully obvious username and password combinations also happen quite frequently across different protocols.

The Rapid7 Project Heisenberg honeypot cloud network, a globally distributed system that sits and watches for inbound connections, is configured to emulate a range of services, including HTTP, telnet, Microsoft SQL, and SSH, among others.

Heisenberg routinely receives credentialed access attempts, which presumably originate from malicious actors simply scanning across the internet, knocking on doors, jostling doorknobs, and attempting key blanks in the hopes that something will give and grant them access. While this might seem silly, it’s a pattern we have seen with remarkable regularity. The conclusion we can draw from this behavior is that malicious actors continue to try this because it does bear fruit and render rewards. It might seem outrageous that usernames like “admin” or “root” with passwords like “password” or “123456” could work, but their high rate of occurrence in these credential access attempts suggests they have worked in the past and, unfortunately, will likely continue to work in the near future.

Figure 5: 2019 Q1 Top Credentials Attempted |

Heisenberg does see a regular tempo of connection attempts to ports that typically host services that require some form of credentialing to gain access. For example, on TCP port 23, which is typically utilized for telnet services, we observed a steady count of distinct originating sources in the double- and triple-digits range on a daily basis for each node of Heisenberg.

Figure 6: 2019 Q1 Five-Day Moving Average of Normalized Sources Targeting Telnet (Port 23) |

Not to be outdone, SSH also sees its fair share of credential stuffing (and, to a much lesser extent, vulnerability exploit) attacks. There is a disturbing trend in the volume of attacks coming at each honeypot node, with a normalized average of nearly 300 replay attempts per source IPv4 and a total of (now) over 2 million attempts per day.

Figure 7: 2019 Q1 SSH Daily Volume-per-Heisenberg Node |

Key takeaway: Malicious actors routinely sweep across the internet looking for common ports and protocols, and attempt embarrassingly naive credential combinations with great regularity. To avoid falling victim to these brutish access attempts, it would be prudent to impede external access and to certainly utilize less-than-obvious credential combinations. Try not to expose cleartext authentication endpoints, if at all possible, and use passphrase-enabled certificate-based access for all SSH connections.

Curated Findings

Our specialists on the MDR team maintain sets of ABA custom indicators in addition to the programmatic defaults included in InsightIDR. The findings this quarter reveal some common top indicators that have been prevalent in past quarters as well, such as suspicious authentication, attacker, and malicious documents (Figure 8).

We did notice that, proportionately, suspicious authentication was far more prevalent in Q1 2019 than the previous quarter: While suspicious authentication represented only 43.8% of custom indicator incidents, it rose to represent 76.1% of custom indicators this quarter. Based on the data so far, we cannot make assertions about any particular cause; this rise might simply represent expected data variation. However, the fact that suspicious authentication consistently occupies the top position among our curated indicators leads us to believe that suspicious authentication will continue to remain one of the main threats likely to be encountered in the wild. This means that it’s a good idea to avoid credential reuse among different accounts.

Figure 8: 2019 Q1 Custom Indicator Groups |

Similar to the standard threat event distributions by industry, we are also able to segment the view of occurrences of custom indicators by industry. Our analysis indicates that most industries are amply exposed to a broad range of threats that might trigger different custom indicators, albeit to varying degrees.

Figure 9: 2019 Q1 Custom Rules—Incidents by Industry |

Key takeaway: The custom indicators our security specialists implemented (ABA), in addition to the standard set of indicators included across the InsightIDR solution, reveal a spread of threats across most industries under observation. The detections achieved by the custom indicators suggest that while standardized platform detection rules are great, the application of expertise can further enhance security for a range of organizations and industries.

Tools of the Trade

This quarter, we also took a closer look at the types of exploits, malware, trojans, and worms found on the endpoints our MDR analysts monitored. The No. 1 finding in terms of relative frequency was Emotet, which is a PowerShell dropper delivered typically in Word documents delivered through phishing emails. The next three—Ursnif, IsErik, and Gozi—are also PowerShell droppers delivered via phishing emails. 

Figure 10: 2019 Q1 Exploits, Malware, Trojans, and Worms |

Key takeaway: Be vigilant when opening emails and clicking on attached documents. If you don’t know the sender, definitely do not open the document.

Pitter-Patter from the Internet

Heisenberg lies in wait for inbound connections, and without fail, it regularly observes a steady stream of connection attempts across various ports and protocols. We keep a closer watch on particular ports used for popular services—such as 80 and 443 for HTTP and HTTPS, respectively—or those that have been entry points for particularly bad things in the past (such as 5555 for Android Debug Bridge (ADB) exploits for the Satori worm, or 11211 for amplified distributed denial-of-service attacks).

Figure 11: 2019 Q1 Daily Normalized Sources by Port |

We keep an especially close eye on port 445, usually utilized for Microsoft Server Message Block (SMB), and keenly monitor for signs of EternalBlue exploit attempts. Unfortunately, since EternalBlue arrived on the scene in mid-2017, we have seen an unwavering consistency to EternalBlue sources attempting connections to Heisenberg. Within the past few months, we have witnessed a sizable increase in the number of daily sources attempting connections, even when we normalize the count based on the number of Heisenberg nodes deployed to control for the possibility that the numbers might be inflated based on our infrastructure modifications and enhancements. Sadly, despite normalization, the prevailing results tell us that Heisenberg is not the reason why EternalBlue numbers look higher; EternalBlue was simply more common this past quarter. The conclusion we are left with is that EternalBlue is here to stay, and its prevalence has ascended to a new plateau.

Figure 12: 2019 Q1 5-Day Moving Average of Normalized EternalBlue Sources |

Key takeaways: The internet has become increasingly weaponized in recent years, and tools normally contained strictly in the domain of nation-state arsenals have proliferated to presumably non-state actors, resulting in a network security posture that is unfortunately fraught with greater peril. That being said, these are known dangers with well-defined remedies.[3] The threat posed in certain instances can be ameliorated with prudent and well-defined measures.

 

[13Microsoft released a patch that addresses the danger posed by Eternal Blue: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 (Last accessed May 20, 2019)

MITRE ATT&CK Framework

The MITRE Organization maintains the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) Framework as a curated body of knowledge to provide awareness of the methods threat actors utilize, and to enable cybersecurity practitioners to operate with greater awareness. ATT&CK is a rich taxonomy of knowledge that we are in the process of mapping our general and custom InsightIDR detections to in order to help share and communicate threats to both our customers and community.

The MITRE ATT&CK matrix organizes sequences of tactics (short-term, tactical adversary goals during an attack), along with underlying techniques (the means by which adversaries achieve tactical goals). We primarily focus on the “Enterprise” matrix here and in day-to-day operations, since that’s where the majority of the threat actors operate in our corpus. The tactics columns are ordered by “kill chain” phase, and it is possible for a technique to be associated with more than one phase. This is a view of the entire “Enterprise” matrix:

Figure 13: MITRE Enterprise Matrix (click to view full-size image) |

Ideally, would-be attackers are stopped well before the Exfiltration or Impact stages, but organizations need to balance where they make investments in tools, resources, and processes (e.g., it may be more cost-effective and ultimately more successful for a given organization to invest in detections and mitigations at the “Lateral Movement” tactic phase than in “Privilege Escalation”).

Over the coming months, we’ll be sharing different ways of looking at incidents through various ATT&CK lenses. This quarter, we’re looking at two different views: First, we’ll look at the overall ATT&CK Enterprise matrix for Q1, 2019 (Figure 14), focusing on the prevalence of the “core” technique detection that enabled incident containment and closure. Then, we’ll dive into a preliminary look at discrete ATT&CK technique detection distributions by industry.

Q1 2019 Managed Detection and Response ATT&CK Map

ATT&CK-savvy readers will likely notice that the “Exfiltration” column is missing, which only means there were no technique detections for that phase. This new incident analytics view enables us to assert the following: that tactics for initial access often leverage some external remote service technique, that credential access tactics frequently rely on user interface spoofing, and that the impact of incursions often involves some form of data encryption.

Figure 14: 2019 Q1 MDR Incidents Mapped to the MITRE ATT&CK Framework |

While you should strive to record ATT&CK events throughout the lifecycle of an incident, you can ease your way into ATT&CK adoption by recording what you can, when you can, then use this new context to review historical incidents and make any needed changes in your security operations tooling or playbooks.

Q1 2019 Industry ATT&CK Event Distributions

While we do not have all detections mapped to ATT&CK tactics and techniques, we do have a sufficient body of them mapped. Take a look at Figure 15, which shows the prevalence of InsightIDR detections by tactic phase.

Figure 15: InsightIDR Detections Discover Over 90% of Attacker Actions by 'Credential Access' |

Over 90% of all InsightIDR detections occur at or before “Credential Access,” well before any significant attacker impact. There isn’t a great deal of external baseline/benchmarking data available for us to say “This is great!” or “This is normal,” but we can assert with confidence that the earlier attackers are stopped, the better.

An overall view is great (at least for us as we handle incidents and work on improving InsightIDR), but we also wanted to see what this looked like per industry, since each organization and industry are their own types of special snowflakes. For this report, we’re showing how the total cumulative detections per industry compare to the above full view:

Figure 16: Managed Detection and Response ATT&CK Detections by Industry |

The thick, gray line in the background of Figure 16 tracks with the overall detections in Figure 15, and each line corresponds to an industry. The diversity of cumulative detection distribution per industry is not unexpected. Different attackers have different targets and apply different techniques to achieve their goals. Furthermore, each individual organization employs different security controls that feed into InsightIDR, and some may be more effective than others at enabling detections in a given phase.

We used “totals” this time, since we’re still working on the complete ATT&CK mappings. Future views will include more detailed mean/median measures, as well as temporal views to enable your organization to compare and contrast your results with those in our corpus. If there are aggregate ATT&CK views you’d like to see produced to enable more robust benchmarking, just drop an email to research@rapid7.com with your request and we’ll see if we can work them into future reports.

Key takeaways: By aligning our sometimes esoteric definitions and terminology around threat actor actions to an industry standard, we are better able to broadly communicate messages about the threat landscape to our customers and general cybersecurity community. Furthermore, you now have new tools that use this common taxonomy to help benchmark and improve your incident response program.

Conclusion

We’ve bounded well into a new year, and while some of the data sets and analytical methods we’ve used are tried and familiar, regular readers may have noticed some fresher methods. The attempts at something different afford new perspectives, which optimally enable better understanding of threats and inform more effective measures at mitigating those dangers. Now, we leave you, our dear readers, with a few suggestions derived from our analysis on how you could possibly improve your security posture:

  1. Achtung! Watch out for remote entry attempts. It’s been prominent month to month and across organizations large and small.
  2. The threat event distribution view in Figure 3 can be used to identify potential outlier threats. While there are some threats that in relative terms are not particularly common across the board, they do sometimes appear prominently within a particular vertical for specific industries.
  3. Some of the most popular web applications used in business are also unsurprisingly the most frequently spoofed. Before you or your employees let muscle memory take over and punch in usernames and passwords, make it a habit to take a brief pause and check that web page and URL for any oddities.
  4. We’ve hammered on this point quite a bit across different mediums, but we’ll say it again: EternalBlue is part of the regular rhythm of the internet and poses a non-trivial threat. Make sure your SMB servers are appropriately remediated.
  5. Utilize our mapping of detected threats to the MITRE ATT&CK tactics and techniques matrix. It standardizes our conception of threats to a popularly utilized framework for understanding dangers. Think of it as a Rosetta Stone for communicating findings to broad security audiences.

Appendix

APPENDIX A: METHODOLOGY

We gathered up closed and confirmed incidents from across a representative sample of our Managed Detection and Response (MDR) customers using our InsightIDR solution for the first quarter of 2019. Where possible, we’ve provided full incident counts or percentages; when more discrete information needed to be provided by industry, we normalized the values by number of customers per industry. While we wanted to share as much information as possible, the precise number of organizations, industries, and organizations-per-industry is information no reputable vendor would publicly disclose.

Additionally, we also used coded incident data provided by our MDR incident responders. Each coded incident contains one or more alerts from the raw event data, along with an incident narrative. We refer to these as “significant
investigations,” and they help capture the stories that the discrete alerts tell.

As noted in situ, for this report we also incorporated data from both Project Sonar and Project Heisenberg. Raw Sonar scan data and limited Heisenberg data is available at no cost via httpd://opendata.rapid7.com/, and you can contact research@rapid7.com for questions regarding those data sources or any other findings/data used in this report. Known benign traffic was filtered out of all honeypot data using feeds provided by GreyNoise Intelligence (https://greynoise.io/#rapid7). The following table provides a full breakdown of the InsightIDR threat events and the threat event groups they belong in (as seen in Figure 1). Appendix B has the full, expanded listing of InsightIDR threat events.

IDR Threat Categories:
Dangerous User Behavior
Account Visits Suspicious Link
Password Set To Never Expire
Network Access For Threat
Threat Probing
Asset Connects To Network Honeypot
Watched Impersonation
Threat Movement
Account Authenticated To Critical Asset
Lateral Movement Domain Credentials
Lateral Movement Local Credentials
Suspicious Authentication
Remote Entry
Wireless Multiple Country Authentications
Multiple Country Authentications
Ingress From Non Expiring Account
Ingress From ServiceAccount
Service Account Authenticated From New Source
Account Authenticated To Critical Asset From New Source
New Local User Primary Asset
Ingress From Disabled Account
Failed Access Attempt
Authentication Attempt From Disabled Account
Brute Force Against Domain Account
Brute Force Against Local Account
Brute Force From Unknown Source
Malicious Behavior On Asset Level
Remote File Execution
Log Deletion Local Account
Harvested Credentials
Log Deletion
Virus Alert
Network Access For Threat
Suspicious Behavior On Asset Level
Malicious Hash On Asset
Malicious Behavior Network Level
Advanced Malware Alert
Protocol Poison
Administrator Impersonation
Account Adjustment
Account Privilege Escalated
Account Enabled
Account Password Reset
Account Locked
DomainAdmin Added

APPENDIX B: INSIGHTIDR THREAT EVENTS

For a full list of threat events and their descriptions, view this document.

About Rapid7

Rapid7 (Nasdaq: RPD) is advancing security with visibility, analytics, and automation delivered through our Insight cloud. Our solutions simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks. Customers around the globe rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organizations.