If you are serious about detecting advanced attackers using compromised credentials on your network, there is one fact that you must come to terms with: you need to somehow collect data from your endpoints. There is no way around this fact. It is not only because the most likely way that these attackers will initially access your network is via an endpoint. Yes, that is true, but there are also behaviors, both simple and stealthy, that can only be detected if you have access to data on the systems themselves. Let me explain with the help of Matt Damon.
Monitor the endpoints or miss the activity
A year and a half ago, the InsightIDR team and I published a technical paper that walks through a series of scenarios in which centralized logs show either no trace of lateral movement taking place or an indecipherable amount of information about what actually took place. To quickly summarize our findings laid out in this paper: if you are looking to evade detection, it is very easy to do so by stealing passwords and hashes from endpoints and using them to access other endpoints in an organization. Attackers can typically move from one system to another as fast or slow as they wish because no user behavior analytics solution will see them unless they've configured their endpoints to forward event logs to their SIEM or installed a more flexible software agent to do it.
You must have endpoint data to stand a chance of detecting the early indicators of an intruder, but more likely, you need it to detect an attack at all. If you are not monitoring the endpoints in your organization, the odds that you would identify anomalous activity before the attacker reaches a critical server are extremely small. Think of it like Jason Bourne in the Bourne trilogy. The only times they were close to catching him were when he:
- Passed through a customs checkpoint - this is like detecting an attacker first reaching your network
- Approached his final target - this is the same as trying to spot data exfiltration from your critical server containing PCI data or intellectual property of some kind
If you are monitoring your endpoints, it is like having a view into every possible car that Bourne could steal while moving about the country between those two points. If you want to increase your chances of detecting attackers earlier and at more stages of their attack, you need to have a method of detecting them as they move from endpoint to endpoint. I described a few examples in an earlier blog, but we are always adding new indicators for this detection.
InsightIDR makes it easy with both proven Nexpose and newer Rapid7 technology
Partnerships and integrations are great for getting more value from a tight security budget, but when we recognized just how mandatory it is that InsightIDR monitor endpoints, we took advantage of existing Rapid7 resources: we re-purposed our proven Nexpose scan technology to offer negligible-bandwidth agent-less endpoint monitoring to every InsightIDR customer. Think of it as a Nexpose scan without the burden of looking for tens of thousands of vulnerabilities. The scan is extremely targeted at the data that helps us identify the indicators of lateral movement, as if you could just have every car in the country look for Jason Bourne's face and report back, rather than having to search through millions of hours of video feeds.
If you want to also watch the endpoints as they venture outside your perimeter, you understand a core reason why we developed our continuous agent. Then, as you use more Rapid7 products, you will realize benefits from the same agent [but that's a topic for another blog]. So if you start talking to a user behavior analytics vendor that promises to detect compromised accounts and advanced attacks, ask them how they collect the endpoint data to do so. If their response is to simply push all of the data into your SIEM and they will take care of it, prepare yourself for another high-maintenance process of custom scripts or configuration settings on all endpoints to forward the right data to that central place. Plus, the SIEMs may charge you a lot of money for endpoint data, which Rapid7 doesn't. Why give customers a reason not to send important data to their detection solution?
If you want to learn more about InsightIDR and use it to detect attacks on your organization, watch this on-demand demo. We won't rely on someone else to collect the data you need.