Welcome to this week's Whiteboard Wednesday. My name is Kwan Lin, senior data scientist at Rapid7. Today, I'd like to speak with you about Rapid7's Threat Report for the third quarter of 2017.
Throughout the period, Rapid7's InsightIDR solution, managed detection and response (MDR) team, and lab's research arm, collected quite a few bits of data on security incidents. Security practitioners had a lot to contend with this quarter, but out of the chaos of malicious malware and ruinous ransomware, amongst other pernicious predations, comes insight diligently derived from systematic scrutiny of diverse data.
First, let's see a bird's-eye view of the threat landscape. We saw that as in previous quarters, the vast majority of incidents rely on exploiting people. These incidents might be mundane and not quite exciting enough for the headlines, but are nonetheless persistent and worthy of attention.
As before, we saw a clear temporal pattern to these incidents, which correlates well to the premise that they hedge on hacking humans. The vast majority of incidents tend to occur along a regular Monday through Friday workday pattern. Consider this a reminder that technical solutions on their own are not sufficient. Your staff need to remain vigilant to social engineering and other threats specifically targeting employees.
When we examine threat distributions by type, as well as industry, we notice an increase in the variety of incidents affecting different industries. In particular, industries like real estate and warehousing might have experienced a wider assortment of threat incident types than they may have in the past.
Now, let's dive into some of the lessons we've learned, that might be of benefit to you. First, as trite as this might sound, old familiar tools are still some of the most dangerous tools. We took a closer look at one tool in particular, PsExec. Many administrators are familiar with PsExec, an older tool from Microsoft that empowers admins to remotely manage networks.
In this quarter, as in the past, it has proven to be a double-edged sword. Malicious actors often utilize PsExec in an offensive manner. The tricky thing about it is there's very little consistency with the patterns around its legitimate uses, making it tough to establish a baseline that would enable us to easily identify suspicious activity. We looked at the data across numerous organizations, on a week-by-week basis, and didn't see any clear patterns.
Given how dangerous it can be, what can you do about it? Optimally, you might want to stop using PsExec and switch to something a bit more secure. Alternatively, if that's not an option, you might just have to take a closer look at the details within your own organization. Consider things like when it's being used, and is it running outside of normally scheduled operations? Or who's using it? Maybe it’s suspicious that someone from HR or finance is trying to use it.
Second, conventional malware is still a very persistent danger, and you shouldn't let your guard down or be distracted by newer threats. We systematically passed numerous malware samples, collected over the quarter, through VirusTotal, one of many services that runs a broad array of anti-malware scanning engines. Each scan returns a detection ratio, which we can think of as a proxy indicator of the nature, longevity, and detectability of any suspected piece of malware.
When we examine VirusTotal patterns by industry, we noticed that each industry had its own detection ratio pattern, suggesting that different industries might be prone to encountering different sets of malware. Some industries run into mostly older, familiar malware, while others have comparatively more encounters with newer, more sophisticated malware. Practically speaking, that might mean that different defenses are warranted for different industries.
Have a look at the VirusTotal patterns we found for a range of industries, and see how your organization aligns with your particular industry. This arrogant view might help inform you in tuning your malware defenses.
Third, pay attention to remote entry attempts. There seem to be a greater degree of consistency, month-to-month, in terms of the types of threats that were prevalent across organizations and industries. Some of the most common threats involved remote entry attempts, especially targeting highly privileged service accounts. Take some time to review service account permissioning, credentials, and monitoring.
What we have suggested in this quarter, through our report, is hardly revolutionary but it is a reminder that old threats and vulnerabilities are still very relevant, and still deserving of your concern.
For more details of what we talked about today, check out the full report at rapid7.com. If you have any questions, feel free to reach out to us at research@rapid7.com.
That's it for this week's Whiteboard Wednesday, and we'll talk to you next week.
