Whiteboard Wednesday:

Q4 Threat Report and 2017 Trends

March 21, 2018

In this week’s Whiteboard Wednesday, Kwan Lin, senior data scientist on the research team at Rapid7, presents notable findings from the threat landscape of Q4 of 2017, and persistent trends from throughout the year. Learn more about how data collected from our InsightIDR solution, Managed Detection and Response services, and research arm revealed key trends in incident frequency, threats facing the real estate and construction industries, and EternalBlue exploits.

Want to dive deeper into the takeaways from our threat research? Check out our Quarterly Threat Report: Q4 and 2017 Wrap-Up.

Video Transcript

Welcome to this week's Whiteboard Wednesday. My name is Kwan Lin, Senior Data Scientist at Rapid7. Today, I'd like to speak with you about Rapid7's final Threat Report for 2017. We launched our first Threat Report at the start of 2017 with the intention of analyzing data collected in InsightIDR and our managed detection and response teams. Our goal was to develop an understanding of threats, trends, and patterns surrounding attackers. 2017 was certainly a busy year for cybersecurity threats involving some notable ransom worms, IoT botnets, and nation-state tools that become widely distributed. We've learned quite a few lessons by stepping back and taking a look at the expansive threat landscape, lessons that we would like to share with you.

Show more Show less

First, the evidence we've collected can manifest a very regular, predictable, temporal pattern for when threats arise. Specifically, most of the threat alerts we picked up on occurred between Mondays and Fridays. The frequency ebbed and flowed with regular work hours. The timing of the threats suggests that many of the exploits employed rely on the presence of active employees. Phishing emails require someone on the other end to open them. Spoof login websites require users to attempt logins for credentials to be harvested. The temporal pattern of the threats also suggests the adversaries are leveraging the landscape for camouflage. Malicious behavior is more difficult to detect when it blends in to the regular rhythm of the workday. Furthermore, we can speculate that many adversaries operate on a regular work week schedule probably because many of them do in fact operate as businesses. Don't be surprised if adversaries have regular staff meetings and maintain customer support functions.

Second, we notices that remote entry prevailed as one of the most common attack types throughout much of the year. Remote entry was prominent issue for both small and large organizations, though with a higher occurrence rate for small organizations.

Third, we noticed a significant increase in intrusion attempts on the real estate and construction industries over the course of 2017. This is likely due to the broadening of focus beyond financial institutions to other sectors that have significant financial transactions and manage sizable volumes of information that can be exploited and commoditized. The real estate industry, and thus indirectly the construction industry, have experienced significant waves of activity. That activity translates into numerous exchanges of financial and personal information in sectors that are not regulated in the same manners as the financial sector. All of these factors in confluence, makes real estate and construction appealing targets.

Fourth, we took a deeper dive into EternalBlue. Since the shadow brokers released the eternal series of exploits in April of 2017, which specifically targeted the SMB protocol, we have noticed a significant increase in the overall level of scamming activity directed at SMB ports and Rapid7’s Project Heisenberg honeypot network. We are in a position to follow the bread crumbs to identify the countries and sections of the internet from which EternalBlue exploit attempts originated. There were some notable concentrations for EternalBlue exploit origins, which we further detail in the full report.

We've learned a lot from 2017, but how can this information help you? Here are some tips based on our findings. One, watch the clock. There are certain times when threats are more likely to occur. If you're faced with research, resource, and retention constraints consider adjusting your security staffing and operations appropriately to match expected incident frequency patterns, but don't lose sight of potential outliers.

Two, takes steps to secure remote systems. Some things you might consider doing might include, monitoring credential breaches, bolstering controls around service accounts, and taking a look at Rapid7's publicly accessible Project Sonar database to identify vulnerable systems or ports.

Three, be aware that just because your organization might not be a traditional banking or financial services organization, it doesn't mean that you're not an enticing target. Consider the set of valuable your organization and your industry as a whole handles, and take the appropriate measures to keep that data safe.

Four, pay attention to the origination points for particular types of activity. Compare that to the findings in our threat report. It might give you a leg up on potential dangers.

We hope that the information we have shared through the final threat report for 2017 proves to be interesting and insightful. Visit Rapid7.com to gain access to the full report, which contains significantly more details than what we've discussed today. If you have any questions, feel free to reach out to us at research@rapid7.com. That's it for this week's Whiteboard Wednesday. Have a marvelous day.

Rapid7 Quarterly Threat Report: Q4 and 2017 Wrap-Up

Want to learn more about the threat landscape in the fourth quarter of 2017 and trends throughout the year? Download the report, hear from the researchers themselves, and more.

Learn More

Fundamentals: Threat Hunting and Detection

New to threat hunting and detection? Learn about the defensive methods available to help you detect and mitigate threats in your environment quickly.

Read More