Whiteboard Wednesday:

2019 Q1 Threat Report

June 12, 2019

Kwan Lin, Senior Data Scientist, covers some major findings from the Rapid7 2019 Q1 Threat Report, including our data-driven conclusions about the threat landscape and common threats that require some degree of user interaction. Learn more about our research and other actionable security tips in this week’s Whiteboard Wednesday.

Video Transcript

Hi, my name is Kwan Lin, Senior Data Scientist at Rapid7 and one of the authors of the recently released 2019 Quarter 1 Threat Report.

In this week’s Whiteboard Wednesday, I’d like to briefly cover some of the key components of the report.

Our analysis is based on data we’ve collected from engagements run by our Managed Detection and Response team (or MDR), which provides security services to a broad range of organizations, and our Heisenberg system, a globally distributed honeypot cloud network with nodes across various service providers that monitors for inbound activity. The broad scale and variety of data enables us to perform varied analysis and to draw data-driven conclusions about the threat landscape.

One of the things we do with the data is aggregate threat events discovered across different organizations, and group them into classes of threats, which we further break down by month.

What we see is that the remote entry group - which includes specific threat events like attempted ingress using disabled accounts or multiple country authentications - is consistently one of the most common threats month to month.

When we transform the data to look at large organizations and small organizations separately - where we define “large” as organizations with 1,000 or more monitored assets - remote entry again remains the most common threat type for large organizations during the quarter as a whole.

The story is somewhat different for small organizations, where threat movement is the most prevalent threat type, though remote entry is not far behind.

We also look at threats that require some degree of user interaction. People are great assets to organizations, but they also represent one of the most prevalent threat vectors. The organizations we support routinely encounter fake login pages targeted at employees. These fake login pages are designed to mimic legitimate login pages - such as for email or content management systems - and are intended to capture credentials.

Our MDR team also maintains a set of custom threat indicators, which show that suspicious authentication remains one of the most common threat event types. In fact, we found that suspicious authentication was a more prominent threat this quarter than in the previous Threat Report. This reinforces the importance of sound practices around credentials.

We also tried something very different in this iteration of the Threat Report: we mapped Rapid7’s set of threat indicators to the MITRE organization’s ATT&CK framework. The ATT&CK framework represents a widely-curated body of knowledge on threats and represents a common taxonomy to help security professionals understand and communicate about threats. The tactics and techniques roughly align with sequentially-ordered attacker behaviors. For instance, based on the framework, initial access typically precedes defense evasion or lateral movement.

Using the ATT&CK framework, we found that of the set of detections our MDR team made, 90% of them were made by the Credential Access phase of the framework. We further found that the phase along the chain where detections are made does vary dramatically by industry.


We’ll wrap here with a few tips derived from the full report.

First, be wary of remote entry and take the necessary precautions to minimize its risk. The evidence suggests that remote entry is extremely common and is not a non-issue.

Second, take a look at the broad threat landscape analysis we perform to identify possible threats that are prominent within your industry. Even though you may not have experienced particular threats, your peers within your industry might have, which might indicate threats that you too should be especially wary of. The analysis we provide might be useful to help you identify potential gaps in your security posture.

Third, instill within your organization a healthy fear of potentially fake login pages. Encourage your staff to take an extra moment to double check that the page they’re about to punch usernames and passwords into is actually the page they intend to access.

Fourth, try to think about security and detection within the MITRE ATT&CK framework, which provides a widely-adopted structure to understanding attacker behaviors and threats. With that mindset, take a look at our ATT&CK sequence analysis to understand where attackers are detected, and make an assessment of how well suited your security setup is to detecting threats along the ATT&CK framework.

If you’re interested in learning more about the 2019 Quarter 1 Threat Report, head on over to our website at Rapid7.com to grab the full report.

If you have any questions, feel free to contact us by email at research@rapid7.com.

We hope you find this issue of the Threat Report handy. Have a great day.
