New detections have been introduced regularly since we first started developing our Incident Detection and Response (IDR) solutions four years ago. In fact, as of today, we have a collection of more than 50 of these running across customer data. But what does that mean? And what are the very latest detections to help your security program? Vendors have fancy names for what is under the covers of their tools: “machine learning,” “advanced analytics,” “autonomous sentient artificial intelligence” – ok, I made up the last one, but I bet you could see a vendor using that in their next press release. Our InsightIDR solution uses a variety of analytics, machine learning, and deception technology, but our customers don't necessarily worry about what we call it, at the end of the day they want one thing: detections of nefarious behavior.
No matter what you call it, the primary reason that InsightIDR's detections are so effective is that we rely on Rapid7's team of attack-minded experts to actually help develop the detection techniques that span the attack chain. Sure, some detections require extensive baselining of all user behavior, some require deception technology, and some require advanced log correlation. And while you can't detect everything, you must continually prioritize the most effective attacker techniques for various stages of the chain and apply a bit of the scientific method to detect them.
In that spirit, we recently introduced three new detections to InsightIDR that demonstrate how different the technology for each real world attacker technique may be when you're looking for indicators at each stage of the attack chain. And, since it fits well into National Cybersecurity Awareness month, I'd like to raise awareness about realistic attacker techniques to demonstrate why these new detections are more than just average IOCs_._ We want to make it uncomfortable for attackers exploring your network, forcing them from a casual jog through the forest to being afraid to take the wrong step like they've been dropped into a forest in The Hunger Games.
NetBIOS Name Service Poisoning – know when someone is tricking your Windows machines into sharing credentials.
You probably didn't see it, since few people did, but Terminator 3 brought a new terminator model, T-X, with a significant improvement over the terrifying T-1000: the ability to impersonate both a human and a weapon. While both the T-800 model and T-1000 were terrifying, they clearly had their limitations. When T-800 imitated a [ridiculously fit] human being, it made detecting threats more difficult than looking for shiny metal, but the T-1000 was able to pretend to be any person, including those of authority and yet, in Arnold's own words, it couldn't form “complex machines.” This is what made the next T-X model even more terrifying and hard to detect: it could pose as a human and form complex machines.
Similarly, there are many SIEM implementations capable of detecting brute force attempts to impersonate humans by stealing their accounts and a bevy of new user behavior analytics vendors claiming they can spot the T-1000 impersonating an authority figure to access more critical systems, but neither is able to spot a very common complex machine: protocol poisoning. Today, it is very easy for both simulated and real attackers, once on the network, to listen and respond to requests to resolve host names broadcast over the local network segment with tools like Responder. In his retelling of his Hacking Team hack, Phineas Fisher called it “The most useful tool for attacking windows networks when you have access to the internal network, but no domain user.”
Despite attackers pretending to be these trusted systems within the organization, the vast majority of Rapid7 penetration test clients fail to detect this behavior, even with massive detection investments. This is why the Rapid7 InsightIDR team strove to make it absurdly easy to detect. Since InsightIDR already has a presence on the network, the Insight agents are instructed to issue queries for non-existent host names over NBT-NS (as the most vulnerable systems would) and any received responses will expose the spoofer. It's a little like asking what's wrong with “Wolfie” when the real mom would clearly know the dog is named “Max” [and yes, I know that was the T-1000 – I barely remember T3].
EMET – install it. Right now. Then, actually monitor what it sees.
In one of Hollywood's best movies about barroom brawls, Road House, the hero Dalton rented a comfortable room from an unassuming man named “Emmett.” Emmett was not only a source of comic relief when his house was set ablaze, but he turned out to be valuable asset when the real town proprietors decided to take their town back. We'll never know whether Dalton should have confided in Emmett more about his challenges at the Double Deuce, but thanks to the magic of hindsight, it seems like he would have at least been a valuable source of information.
One of the biggest failings of the security industry is the fact that Microsoft's free Exploit Mitigation Experience Toolkit (EMET – not pronounced the same, I think) is not currently installed on every Windows machine in existence. We can examine the reasons why in another blog someday, but if your organization actually does have the EMET agent installed broadly, your biggest question is probably whether anything is getting actively blocked by EMET. If you want to find out, you can spend a lot of time managing the Windows Event Collector and building correlation rules or you can simply deploy InsightIDR and receive these alerts alongside all of the notable behaviors and alerts across the attack chain for each user and asset. This valuable source of information can quickly show you someone is on the network attempting to exploit systems, and even when though they were effectively mitigated, this means you can take action much earlier in the attack chain.
Honey files – because exfiltration is likely to precede the file opening.
If you learned everything you know about wealthy people from movies, as I did, you obviously know that cat burglars discreetly come into your house, slink around various monitoring systems, and carefully look through all of your valuables until the right one is identified, just like Clint Eastwood's character in Absolute Power. In this scenario, it may feel like the most effective type of detection is a silent alarm which triggers when each jewelry box is opened, but that could lead to a noise of false alarms [sounds like legacy SIEM]. This is how most people have been forced to detect attacks with file integrity management solutions - by filtering through the thousands of file changes that occur every day and hoping to catch the real problem. It's akin to the false alarms with the jewelry boxes where the alarm is more likely because of a pet bumping the jewelry box or another family member perusing.
In the cyber-attack world, cat burglars rarely waste their time opening each and every file on a system until they find the right one. “Smash and grab” is the wrong phrase for it, but they quickly zip entire folders in short order, exfiltrate them to a safe drop server, and move on to the next system because they know their backdoor connection could get severed at any time. This is why the InsightIDR team made it so easy for you to use another form of deception on top of the honey pots, honey users, and honey credentials. If you haven't managed to stop the attack by the time it reaches the “Mission Target” stage, having some useless files there and alerting even if they're copied guarantees you know when someone has reached the valuables. It's like planting a necklace of large, cubic zirconia in a fancy jewelry box and only sounding that silent alarm when the box is swept into the cat burglar's oversized sack of stolen goodies.