In this week's Whiteboard Wednesday, Bob Rudis, chief data scientist at Rapid7, discusses the latest Rapid7 Quarterly Threat Report, including what he believes to be the biggest lessons we learned in Q2 2017.
For a deeper dive into the findings, download the report in its entirety. For questions or more information, reach out to firstname.lastname@example.org.
Welcome to this week's Whiteboard Wednesday. My name is Bob Rudis and I'm Rapid7's chief data scientist. Today we're gazing back into the threat landscape of the second quarter of 2017, but through the lens of Rapid7's Quarterly Threat Report. Now, we use that threat word quite a bit in InfoSec land. Our definition of a threat is when there is an adversary present with the intent, capability, and opportunity to do harm. It's extremely important to understand the threats facing your organization, both by looking at what events your incident response team has handled in the past and then trying to gain an understanding of the different types of threat actors that are out there, and what threat actions they may be likely to launch against you.
Now, we break down our Threat Report into lessons learned, and this time around we focused on three big ones. Let's take a look. First up is a big reminder to never underestimate a vulnerability. When Microsoft released an SMB patch back in March and the Shadow Brokers dump appeared in April, many defenders looked at the exploits and dismissed the potential impact, since it appeared that the impact was only to outdated systems with patches readily available. Boy, were they wrong. Attackers took advantage of these vulnerabilities in spades, which led us to the WannaCry ransomworm and the Petya/NotPetya destructo worm. In fact, there are many well-known large organizations who are still suffering from the devastation wrought by Petya.
As you can see, our global honeypot network has seen a large increase in daily malicious SMB probes and attacks ever since WannaCry, so you should be working with your IT teams to ensure no systems are exposing SMB to the Internet. We found some further interesting probes and attacks on other related protocols, but you're going to have to dig into that report to check those out. Now, lesson number two actually flowed from lesson number one. During and after the large-scale attacks in Q2, we provided updated tools and guidance to Rapid7 customers on how to find systems that were vulnerable to WannaCry, SambaCry, and Petya/NotPetya. We then set our sights on seeing just how widespread the attack surface for these vulnerabilities was on the big, bad Internet.
We used Project Sonar to do weekly protocol-level checks for exposed Samba and Windows SMB systems on the Internet, and we found over four million of them spread all across the globe. We have made these data sets available on our research partner's site, Scans.io, so you can check to see if IPs in your company's allocated ranges are exposing these endpoints. The widespread opportunistic attacks that plagued us all this past quarter underscore just how imperative it is that you understand what ports and protocols you're exposing on your organization's perimeter, your cloud environment, and your mobile devices. The third and final lesson was that while there were headline-grabbing exploits garnering the attention of the public, the day-to-day exploit attempts did not stop.
The same working-week and working-hours patterns still emerged across our managed detection and response customer base with a broad diversity of threat actions, most of which have nothing to do with the ransom and destructo worms. Now, it's easy to get sidetracked by focusing on the big blasts and miss these more mundane events. In fact, we detected a noticeable increase in the mean incident frequency across many industries in June, a possible indicator that attackers are hoping that defenders are busy digging for worms while they fish for gold. One new item in our threat report is the top five threat events per month across the industries. As you can see in the report, the threat landscape changes dramatically from month to month.
If you're not capturing this level of detail in your own organization, now is a good time to start. We provided the categories we used to track threat events in InsightIDR as part of the appendix in the Threat Report, so that you can use that to compare your notes from your own data with our report. You can use any methodology or taxonomy that works for you, but the important part is that you do track these events and analyze them in a similar way, plus compare notes with information sharing groups to see if there's a pattern in your sector or cross-sectors. We provided another industry-level threat landscape matrix to help you gauge your own environment against what our managed detection and response team saw, but you should definitely be sharing your own view with trusted partners to get as diverse a picture as possible. You can grab a copy of both the Q2 and Q1 reports at rapid7.com and hit us up with any questions at email@example.com. That's it for this week's Whiteboard Wednesday. See you next time.
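The check suggested in the transcript, matching a published scan export against your own allocated address ranges to find hosts that are exposing SMB, as an added example that is not part of the original post or Rapid7's tooling. It assumes a simple `ip,port` CSV export; the scan rows and the organisation prefixes below are constructed for the example (RFC 5737 documentation ranges), and real Scans.io datasets are large and may use different column names, so the parser would need to be adapted to the actual file layout.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of a simple "ip,port" scan export.
# These rows are made up for this example; they are not Project Sonar data.
SAMPLE_SCAN_CSV = """\
ip,port
203.0.113.7,445
203.0.113.9,139
198.51.100.22,445
192.0.2.200,445
203.0.113.7,139
203.0.113.40,80
"""

# Hypothetical organisation prefixes (documentation ranges, RFC 5737).
ORG_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Ports that indicate an SMB service reachable from the Internet.
SMB_PORTS = {445: "SMB (direct host)", 139: "NetBIOS session / SMB"}


def parse_scan(csv_text):
    """Parse an ip,port CSV export into (IPv4Address|IPv6Address, int) tuples."""
    lines = [l for l in csv_text.strip().splitlines() if l.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    rows = []
    for line in lines[1:]:
        fields = dict(zip(header, (f.strip() for f in line.split(","))))
        rows.append((ipaddress.ip_address(fields["ip"]), int(fields["port"])))
    return rows


def exposed_in_ranges(rows, ranges, ports=SMB_PORTS):
    """Return {ip: [ports]} for scan hits on the watched ports inside our prefixes.

    Address-family mismatches are handled by ipaddress: an IPv6 address is
    never "in" an IPv4 network, so mixed exports are safe to feed in.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    hits = defaultdict(set)
    for ip, port in rows:
        if port not in ports:
            continue
        if any(ip in net for net in nets):
            hits[str(ip)].add(port)
    return {ip: sorted(p) for ip, p in hits.items()}


def summarize(hits, ports=SMB_PORTS):
    """Count exposed hosts per watched port, for a quick perimeter report."""
    counts = {port: 0 for port in ports}
    for open_ports in hits.values():
        for port in open_ports:
            counts[port] += 1
    return counts


if __name__ == "__main__":
    found = exposed_in_ranges(parse_scan(SAMPLE_SCAN_CSV), ORG_RANGES)
    for ip, open_ports in sorted(found.items()):
        print(ip, ", ".join(f"{p} ({SMB_PORTS[p]})" for p in open_ports))
    for port, n in summarize(found).items():
        print(f"tcp/{port}: {n} host(s) exposed")
```

The host outside the organisation's prefixes (192.0.2.200) and the non-SMB port (tcp/80) are ignored; every remaining hit is a host the IT team should be firewalling or decommissioning, since an SMB listener on the perimeter is exactly what the post-WannaCry probes seen by the honeypots are hunting for.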