In this week’s Whiteboard Wednesday, Kwan Lin, Senior Data Scientist at Rapid7, takes us through the major findings and patterns in the threat landscape of 2018 Q1, as detailed in our Quarterly Threat Report. These insights are derived from threat intelligence gathered through the Rapid7 Insight platform, Managed Services, Incident Response engagements, Project Sonar, Heisenberg Cloud, and the Metasploit community. Walk away with our researchers’ takeaways and action items, so you can stay safer for the rest of 2018.
Ready to dive deeper into our team’s findings? Read the full report, Quarterly Threat Report: 2018 Q1. Wondering about the technology behind the intelligence? Start your free 30-day InsightIDR trial today.
Welcome to this week’s Whiteboard Wednesday. My name is Kwan Lin, Senior Data Scientist at Rapid7. Today, I’d like to speak with you about Rapid7’s first quarter Threat Report for 2018.Show more Show less
In this threat report, we’ll take a wide-angle view of data collected by the Rapid7 Heisenberg honeypot cloud network and by our security practitioners in the Managed Detection and Response teams.
There were a number of trends that really stood out this time around.
Each quarter, we take a look at threat event distributions by industry. We noticed that some historically popular targets - such as the financial, professional, and administrative industries - gave way to healthcare as the most frequently targeted industry. The increasing popularity of targeting healthcare is a trend we’ve noticed since 2015. There’s certainly a lot about healthcare that makes it an appealing target: it’s an industry that’s inherently dependent on difficult-to-secure IT infrastructures and the industry as a whole retains a huge volume of sensitive financial and personally identifiable data. Many of the most common attack vectors include remote access, suspicious logins, and account leaks.
We also took a look at incident frequency types by organization size. As in prior quarters, threat movement and remote entry attempts remain some of the most prominent threat types. For remote entry in particular, we noticed that it decreased for larger organizations and increased for smaller organizations. In general, this might be a reflection of the fact that larger organizations tend to have more established security functions that focus on addressing exposed systems. There were certainly plenty of vulnerabilities identified this past quarter that allowed remote access, including exposed systems susceptible to the GoScanSSH malware family.
During the quarter, we also observed numerous cases of usage of legitimate credentials by illegitimate actors to access services often relied-upon by business operations. While these credentials can be obtained by adversaries through guessing or brute-force attempts, we did also notice that many common phishing campaigns were aimed squarely at stealing credentials for such common services as DocuSign, Office365, and Dropbox, amongst others.
Another approach we took with examining the available data was to examine patterns around adversarial actions that triggered multiple alerts. When we broke down these actions into weekly patterns, two weeks in particular stood out, neither of which involved any high profile attacks or vulnerabilities, but rather reflected higher than normal conventional incidents, such as phishing and suspicious login activity. These patterns are consistent with an assertion we have maintained in prior threat reports: traditional malicious activity is ever present and should not be neglected as potential hazards.
We also took a closer look at amplified distributed denial of service attacks. Amplification attacks work by misdirecting service replies to a spoofed address, which results in a flooding of a target system with unsolicited replies. Attackers through amplification can magnify a single protocol exchange by an order than can be tens of thousands of times more significant, as was the case with the use of memcached as an amplification DDoS protocol. We compared the bandwidth amplification factor - a measure of the ratio of bytes in a service response to bytes sent by attackers - across a range of common amplification susceptible protocols. We also utilized our Heisenberg honeypot network to monitor for inbound traffic directed at ports related to common amplification susceptible protocols, and found a number of spikes over the quarter - as if attackers were taking stock of hosts that were vulnerable to being co-opted to participate in an attack.
Additionally, during the quarter, Cisco released a security advisory about vulnerabilities present in the Smart Install (or SMI) feature available in its software on select devices, which allows for unauthenticated arbitrary remote code execution. Immediately following the release of the advisory, we observed a significant uptick in malicious activity that appears to be seeking to exploit vulnerable Cisco SMI-enabled devices. There have been a regular series of spikes in activity targeting Cisco SMI-enabled devices ever since.
I’ll leave you now with some general recommendations on how to better safeguard your environment based on some of our findings from this past quarter. First, if you’re in the healthcare industry, do take care be extra vigilant. Our findings indicate that you have become an especially popular target for malicious actors. Second, given that threat movement and remote entry attempts were so common, it’s worth checking yourself for exposed systems. Close obvious vulnerabilities that allow for easy incursions. Third, be especially wary of credential leaks. Since there is such a concerted effort to collect credentials through phishing, it might be prudent to remind your teams about the dangers of phishing. Fourth, since our findings indicate that so many threat vectors are through conventional attacks rather than headline-grabbing exploits, continue to watch for the mundane dangers. Fifth, given the heightened threat posted by DDoS amplification attacks, organizations that are particularly concerned about application or network availability should consider bolstering DDoS defenses and perform business continuity tests to prepare for DDoS attack scenarios. Sixth, organizations that utilize Cisco devices equipped with the SMI functionality should check firewall rules for possible SMI exposure on the public Internet. SMI should really only be exposed internally to a very limited audience.
We hope that the information we have shared through the Quarter 1 Threat Report for 2018 has provided you with a better sense of the state of security—or rather, anti-security —as of the last few months. Visit rapid7.com to grab a copy of the full report, which includes many more details than what we’ve discussed here today. If you have any questions, feel free to reach out to us at firstname.lastname@example.org. Thank you for your time, and have a great and safe day.