Whiteboard Wednesday:

Quarterly Threat Report: Q4 and 2018 Wrap-Up

March 20, 2019

In this week’s Whiteboard Wednesday, Kwan Lin, Senior Data Scientist, covers some of the major topics from our Q4 Threat Report. These topics include industry-specific deceptive fake login pages, the most common username and password attempts by malicious actors, and the increase in the targeting of the Android Debug Bridge for crypto-mining. Learn how the patterns and trends our researchers detected can help steer the direction of your security program in 2019.

Video Transcript

My name is Kwan Lin, Senior Data Scientist at Rapid7, and one of the authors of the recently released 2018 Quarter 4 Threat Report. In this week's Whiteboard Wednesday, I'd like to review some of the findings found in the full report.



One of the wonderful things about data is we can arrive at different perspectives depending on how we segment and transform datasets. For this particular release of the threat report, we looked at data for both the quarter as well as a full year.


We begin first with a macroscopic view of threat events across industries. Across a year-long time horizon, it appears that the volume and variety of threat events encountered by different industries rises dramatically. The conclusion we can draw from this is that, with enough time, almost all industries can expect to encounter any range of threats. It doesn't seem as if there are any structural barriers that would preclude particular industries from being targeted by specific methods.


We also took a closer look at the types of fake pages that different industries routinely encounter. These fake pages look terrifyingly like legitimate services such as DocuSign or OneDrive and exist to deceive employees into providing credentials.


Our broad tail analysis reveals that malicious actors have preferences for the types of fake pages that are presented to different industries. These malicious actors engage in particular activities repeatedly because they worked. Based on their experiences, they know which sorts of fake pages are more effective at phishing specific industries than others.


In yet another avenue of analysis, we examined the most common set of username and password credentials attempted on different protocols in our Heisenberg honeypot cloud network. We find that for services such as Secure Shell, Microsoft SQL, Remote Desktop Protocol, and Telnet, amongst others, credential combinations that included usernames like "root" or "admin" and passwords like "password" and "12345" were extremely common.


These results might seem comical, but they're no laughing matter. The reason why malicious actors attempt these sorts of credentials is because they've learned that these simplistic credentials are fruitful. Enough publicly exposed surfaces utilize easily guessable or default credentials.


Over the course of the year, we noticed a variety of trends for different attack techniques. One technique in particular appeared pretty dramatically during the year and targets the Android Debug Bridge, often with the intent of turning IPTV boxes and other Android devices into crypto-miners. What this revelation suggests to us is that malicious actors are still continually innovating, and we shouldn't be surprised if we encounter newer, more creative attacks in the future.


We also noticed the persistence of older attack techniques. For instance, we monitored a continued and fairly steady rise in usage of EternalBlue attacks. From this, we can conclude that just because certain attack methods are older, it doesn't mean they're outmoded and unused.


Now let's take a few moments to go over some recommendations derived from this research that might help you improve the security posture of your organization.


First, take a moment to look at the threat event distribution charts in our report. Get a sense of what attack methods are most common for particular industries. This can help you determine how best to allocate your limited security resources to maximize the robustness of your security posture.


Second, just because your industry has not encountered particular threat events much before, it doesn't mean you're safe from the uncommon threats. With a long enough time horizon, anything can happen, so you really should remain cautious.


Third, consider the relative frequency of different fake login pages that are targeted at different industries. Use this as a basis to minimize the risks that your people fall for fake login pages.


Fourth, double-check that the credentials on your systems, particularly your publicly exposed systems, are not guessable and are not default. Better yet, consider introducing additional security measures such as two-factor authentication.


Fifth, while you should be wary of newer attack methods, don't neglect older attack methods that are still very popular and just as effective as when they first appeared on the scene.


Now that was quite a bit of detail in a brief amount of time, but I hope you found it informative and useful. If you're interested in learning more about the threat patterns we observed in the fourth quarter and in 2018 at large, head on over to our website at rapid7.com to grab the full report.


If you have any questions, you can contact us by email at research@rapid7.com.


Thanks for your time and we look forward to sharing another threat report with you soon.
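The honeypot finding above (attackers repeatedly trying usernames like "root" and "admin") and the fourth recommendation (audit exposed systems for guessable credentials) suggest a simple defender-side check: watch your own SSH authentication logs for the same pattern. The following Python script is an added example and is not code from the Rapid7 report or the video. It parses a handful of constructed sshd log lines (the hostnames and IP addresses are made up, taken from documentation ranges), counts failed password attempts per username and per source, flags attempts against the usernames the report names as most common, and flags sources that exceed a small per-source threshold. The `COMMON_USERNAMES` set and the `threshold` value are assumptions you would tune to your own environment.

```python
import re
from collections import Counter

# Usernames the transcript names as the most commonly attempted in the honeypot data.
# Extend this set with whatever your own logs show being hammered (assumption).
COMMON_USERNAMES = {"root", "admin"}

# Constructed sample sshd lines in standard syslog format; not real log data.
SAMPLE_LOG = """\
Mar 20 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 20 10:01:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 20 10:01:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar 20 10:02:10 host sshd[1210]: Failed password for invalid user deploy from 198.51.100.7 port 40110 ssh2
Mar 20 10:02:11 host sshd[1211]: Accepted publickey for alice from 192.0.2.9 port 39000 ssh2
Mar 20 10:03:00 host sshd[1212]: Failed password for root from 198.51.100.7 port 40111 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (username, source_ip) tuples, one per failed password attempt.

    Successful logins and lines that do not match the sshd failure format are ignored.
    """
    attempts = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            attempts.append((match.group("user"), match.group("ip")))
    return attempts


def summarize(attempts, threshold=3):
    """Aggregate failed attempts and flag the patterns the report describes.

    Returns a dict with per-username counts, per-source counts, the subset of
    usernames that fall in COMMON_USERNAMES, and sources at or above `threshold`
    failed attempts (a deliberately low, assumed value for illustration).
    """
    by_user = Counter(user for user, _ in attempts)
    by_ip = Counter(ip for _, ip in attempts)
    common_username_hits = {u: n for u, n in by_user.items() if u in COMMON_USERNAMES}
    noisy_sources = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {
        "by_user": by_user,
        "by_ip": by_ip,
        "common_username_hits": common_username_hits,
        "noisy_sources": noisy_sources,
    }


if __name__ == "__main__":
    report = summarize(parse_failed_logins(SAMPLE_LOG))
    print("Failed attempts by username:", dict(report["by_user"]))
    print("Failed attempts by source:  ", dict(report["by_ip"]))
    print("Hits on commonly attacked usernames:", report["common_username_hits"])
    print("Sources over threshold:", report["noisy_sources"])
```

Run against a real `/var/log/auth.log` (or the output of `journalctl -u ssh`) by reading the file contents into `parse_failed_logins` instead of `SAMPLE_LOG`. A steady stream of failures against "root" or "admin" on an internet-facing host is exactly the behaviour the honeypot data shows, and a nonzero hit on an account that actually exists on the box is a prompt to confirm that the account has a non-default password or, better, that password authentication is disabled in favour of keys and two-factor authentication.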
