To provide insight into the methods devised by Rapid7, we'll need to revisit the detection methods implemented across InfoSec products and services and how we apply data differently. Rapid7 gathers volumes of threat intelligence on a daily basis - from new penetration testing tools, tactics, and procedures in Metasploit, vulnerability detections in Nexpose, and user behavior anomalies in InsightIDR. By continuously generating, refining and applying threat intelligence, we enable more robust detection strategies to identify adversaries wherever they may hide.

Slicing Through the Noise

There are many possible combinations of detection strategies deployed in enterprise environments, with varying levels of efficacy. At a minimum, most organizations have deployed Anti-Virus (AV) software and firewalls, and mature organizations may have web proxies, email scanners, and intrusion detection systems (IDS). These "traditional" detection technologies are suitable for blocking "known-bad" activity, but they provide little insight into the origin, purpose, and intent of detections. Additionally, many of these techniques falter against uncommon threats due to a lack of applicable rulesets or detection context.

Consider an AV detection for Mimikatz, a well-known credential dumper: Mimikatz may be detected by AV; however, standard AV detection alerts do not provide the background information required to accurately understand or prioritize the threat. The critical context in this scenario is that the presence of Mimikatz typically indicates an active, human attacker rather than an automated commodity malware infection. Additionally, a Mimikatz detection indicates that an attacker has already circumvented perimeter defenses, has the administrator rights required to dump credentials, and is moving laterally through your environment.

Without a thorough understanding or explanation of the samples your detection technologies identify as malicious, you do not have the information required to understand the severity of detections. Responders who are not armed with appropriate context cannot differentiate or prioritize low, medium, and high severity events, and they often resort to chasing commodity malware and low severity alerts.

Adding Context – Intelligence Implementation

Many organizations integrate 'threat feeds' into their existing technology to compensate for the lack of context and to increase detections for less common threats. Threat feeds come in many forms, from open source community-driven lists to paid private feeds. The effectiveness of these feeds strongly depends on a number of factors:

  • Intel type (hash, IP, domain, contextual, strategic)
  • Implementation
  • Indicator age
  • Intelligence source

When consuming intelligence feeds, context remains the critical element – feeds containing only hashes, domains, and IPs are the least effective form of threat intelligence due to the ease with which an attacker can modify infrastructure and tools. It is important to understand why a particular indicator has been associated with attacker activity, how old the intelligence is (as domains, IPs, and tools are often rotated by attackers), and how widely the intelligence has been disseminated (does the attacker know that we know?).

We routinely work in environments wherein the customers have enabled every open source threat intel feed and every IDS rule available in their detection products, and they chase thousands of false positives daily. Effective threat intelligence application requires diligence, review, and active research into the origin, age, and type of indicators coming in through threat feeds.

Contextual intelligence feeds provide customers not only with indicators of compromise but also a thorough explanation of the attacker's use of infrastructure, tools, and particular methodologies. Feeds containing contextual information are far more effective for successful threat detection. For example:

MALWARE DETECTED: FUZZY KOALA BACKDOOR

The 'Fuzzy Koala Backdoor' is a fully-functional remote access utility that communicates to legitimate, compromised servers over DNS using a custom binary protocol. This backdoor provides file upload, file download, command execution, and VNC-type capabilities. The 'Fuzzy Koala Backdoor' is typically delivered via spearphishing emails containing Office documents with malicious macros, and is sent via the 'EvilSpam' mail utility.

Files Created:
%systemdrive%\programdata\iexplore.exe
%systemdrive%\programdata\[a-z]{6}%UUID%.dll

Persistence:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell=explorer.exe,%systemdrive%\programdata\iexplore.exe

Network Indicators:
Domains:
SuperCoolEngineeringConference.com

With that context, a successful detection team can:

  • Look for other anomalous DNS traffic matching the attacker's protocol to catch additional domains
  • Look for unusual emails containing documents with macros
    • Including header data provided by the attacker's mail client
  • Identify systems on which Office applications spawned child processes
  • Identify file-based and registry-based indicators of compromise
  • Monitor for traffic to the legitimate compromised domain

Similarly, a successful incident detection and response team will build additional strategies to identify underlying attacker techniques and cycle out stale static indicators to minimize false positives.
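As an added illustration (not Rapid7 code), the sketch below turns the sample report into detection logic that pairs technique-based rules with static indicators and ages out the domain once it goes stale. The event schema, the 90-day window, the first-seen date, and the GUID format assumed for %UUID% are all assumptions made for the example.

```python
import re
from datetime import date

# Static indicator from the sample report; its first-seen date is constructed.
STATIC_DOMAINS = {"supercoolengineeringconference.com": date(2024, 1, 10)}
MAX_AGE_DAYS = 90  # assumed retention window before a static indicator is stale
# %UUID% is assumed to be a standard 8-4-4-4-12 hex GUID.
FILE_RE = re.compile(
    r"^[a-z]:\\programdata\\(iexplore\.exe|[a-z]{6}"
    r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.dll)$", re.I)
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def classify(event, today):
    """Return the detection names that fire for one event dict."""
    hits, kind = [], event["type"]
    if kind == "file_create" and FILE_RE.match(event["path"]):
        hits.append("ioc:file_path")
    elif kind == "reg_set":
        shells = [s.strip().lower() for s in event["data"].split(",")]
        # Technique rule: anything besides explorer.exe in the Winlogon Shell.
        if (event["key"].lower().endswith(WINLOGON)
                and event["name"].lower() == "shell" and shells != ["explorer.exe"]):
            hits.append("technique:winlogon_shell")
    elif kind == "process":
        # Technique rule: an Office application spawning a non-Office child.
        if event["parent"].lower() in OFFICE and event["image"].lower() not in OFFICE:
            hits.append("technique:office_child_process")
    elif kind == "dns":
        seen = STATIC_DOMAINS.get(event["query"].lower().rstrip("."))
        if seen is not None:
            stale = (today - seen).days > MAX_AGE_DAYS
            hits.append("ioc:domain_stale" if stale else "ioc:domain")
    return hits

# Constructed sample telemetry in a hypothetical normalized schema.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\ProgramData\qwertyd3b07384-d9a0-4c1e-8f2a-1b2c3d4e5f60.dll"},
    {"type": "reg_set", "name": "Shell",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "data": r"explorer.exe,C:\programdata\iexplore.exe"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "WINWORD.EXE"},
    {"type": "dns", "query": "SuperCoolEngineeringConference.com."},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["type"], classify(ev, date(2024, 2, 1)))
```

The technique rules keep firing if the attacker renames the binary or rotates the domain, while a hit on the aged-out domain is labelled stale so responders can weigh it accordingly.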

Traditional detection mechanisms, including contextual intelligence feeds, provide security teams the ability to identify and respond to threats in the wild. In our next blog post we'll discuss approaches for finding previously-unseen malware and attacker activity using hunting and anomaly detection.