As our threat intelligence lead here at Rapid7, my job is to coordinate threat intel across all of our products to help customers answer questions and take action. What an attacker is doing, what information they are trying to steal, how they may attempt to get it, and why an attacker might be targeting a specific industry or country—these are all important questions we try to answer. We analyze the different behaviors our security operations center (SOC) identifies on customer networks, combine that with adversary research, and communicate that intelligence so our customers can effectively deflect attacks. This is all part of our Attacker Behavior Analytics (ABA) intelligence.
In this post, I’ll explain our process for creating ABA, including how we identify and validate behaviors, and how this feeds into our technology.
How Attacker Behaviors Are Detected
Our in-house SOC, run by our Managed Detection and Response (MDR) team, has its eyes and ears out for anything and everything that could be malicious. For example, they constantly monitor clients’ endpoint logs so that the moment they see something strange, they can pull back relevant forensic artifacts, including the malware, to understand exactly what the adversary is doing. Because our teams do this day in and day out, they’re able to pick up on patterns, such as specific techniques adversaries use, manipulations of certain files, or social engineering tricks aimed at getting users to click on links and enter passwords.
When these behaviors are spotted, rules are created so that when the behavior (such as the download of a Word document from a specific site) is detected again across customers, the threat intelligence team gets notified. We then dig in and investigate how widespread the behavior is across an organization, industry, and the world, and how similar the activities are to each other.
The key is to understand the end goal of the attack. Is it to exfiltrate credit card information? Move laterally through the network, compromise systems, and add them to a botnet? Steal information around sensitive technologies? Once we know more about the goal, we can strategically pivot to gather more information. We want to understand not only what behaviors are malicious, but what the behavior means and the type of threat activity it can lead to. The answers to these questions can inform where in the logs to look for these behaviors, what customers need to know in order to respond, and much more.
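The two paragraphs above describe the loop of turning an observed behavior into a rule, re-detecting it across customers, and then measuring how widespread it is by organization and industry. The following is an added illustration of that loop in Python; it is not Rapid7 code and does not reflect how InsightIDR implements rules. The log format, the watched domain `docs-share.example`, the customer and industry names, and the escalation threshold are all constructed for the example.

```python
"""Toy behavior rule: flag Office-document downloads from a watched site,
then summarize how widespread the behavior is across customers/industries.

Added example; not Rapid7's or InsightIDR's rule engine.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy/endpoint log lines (fictitious customers and hosts).
# Fields: timestamp customer industry host user url
SAMPLE_LOGS = """\
2019-04-01T10:02:11Z acme-corp retail WS-0143 jdoe http://docs-share.example/invoice_0419.docx
2019-04-01T10:05:40Z acme-corp retail WS-0210 asmith http://docs-share.example/invoice_0419.docx
2019-04-01T11:17:03Z bank-one finance LT-0007 rlee http://docs-share.example/statement.doc
2019-04-01T11:20:55Z bank-one finance LT-0007 rlee https://intranet.bank-one.local/policy.docx
2019-04-01T12:41:19Z hospital-x healthcare WS-0911 mkim http://cdn.example.org/brochure.pdf
2019-04-02T08:03:27Z acme-corp retail WS-0143 jdoe http://docs-share.example/invoice_0419.docx
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<customer>\S+) (?P<industry>\S+) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<url>\S+)$"
)

# Extensions treated as "Office documents" for this toy rule (assumption).
OFFICE_EXTS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rule_office_download_from_site(event, watched_domain="docs-share.example"):
    """The behavior from the text: an Office document fetched from a specific site."""
    url = urlparse(event["url"])
    return url.hostname == watched_domain and url.path.lower().endswith(OFFICE_EXTS)


def find_matches(log_text, rule):
    """Run one rule over raw log text; skip blank or malformed lines."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e is not None and rule(e)]


def prevalence(matches):
    """How widespread is the behavior: events, distinct customers, industries, hosts."""
    by_industry = defaultdict(set)
    for m in matches:
        by_industry[m["industry"]].add(m["customer"])
    return {
        "events": len(matches),
        "customers": sorted({m["customer"] for m in matches}),
        "industries": {k: sorted(v) for k, v in sorted(by_industry.items())},
        "hosts": sorted({(m["customer"], m["host"]) for m in matches}),
    }


def should_notify_intel(summary, min_customers=2):
    """Escalate to the intel team once the same behavior recurs across customers
    (threshold is an assumption for the example)."""
    return len(summary["customers"]) >= min_customers


if __name__ == "__main__":
    hits = find_matches(SAMPLE_LOGS, rule_office_download_from_site)
    summary = prevalence(hits)
    print(summary)
    print("notify intel team:", should_notify_intel(summary))
```

Two points the code makes explicit: the rule matches on the parsed hostname and file extension rather than a raw substring, so an internal SharePoint `.docx` or a PDF from another CDN does not fire, and the prevalence summary is keyed by customer and industry so the "is this one organization or a whole vertical?" question from the text can be answered from the same hits.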
This started off as a service we offered only to our MDR customers, but we quickly realized every company could benefit from it. That gave birth to Attacker Behavior Analytics (ABA), which is now built into InsightIDR. Customers don’t just receive alerts highlighting certain behaviors—they also receive all the information we know about that behavior. This includes validation and response recommendations, so they know where to find the activity and which files or accounts to pull back to prevent the adversary from getting any further. We want our customers to be able to respond the same way our SOC analysts would, which is why we load each ABA detection with an action plan.
Widespread Intel Feeds Attacker Behavior Analytics
One of the many great things about Rapid7 is how collaborative our teams are. This is especially true when it comes to our ABA intelligence. ABA is a cohesive effort between our SOC team, Intelligence team, and Incident Response (IR) team. Specifically, here is how we break it down:
- SOC analysts focus on the what: What is going on, what am I seeing?
- Intelligence team focuses on the why: Is the attack targeting retail, finance, or everyone? Is it after specific data? Is it part of an adversary campaign we know of?
- IR team focuses on the response: What do we do to not only stop this attack, but any future ones so it doesn’t come back tomorrow?
Much like how our teams come together to create ABA, so too do our intel feeds, which contain indicators of compromise that we use to enrich our understanding of a behavior. Alongside multiple open source feeds, we utilize intel from the Cyber Threat Alliance, Project Heisenberg (which is a collection of low-interaction honeypots deployed around the world), as well as research from our MDR team and our Rapid7 Research teams.
When conducting our analysis, we determine which feeds and teams can provide information on the relevant behaviors and threats. If we need more information about an exploitable vulnerability, for example, we know to talk to our Metasploit team. If we need more information about a phishing email, we can look to InsightPhish or a variety of open source feeds that focus on phishing activity. If we need more information on incidents that are impacting networking devices, such as VPNFilter, we’ll pull data from the Cyber Threat Alliance. More often than not, we check every source and then zero in on the sources we know can give us in-depth intel on the subject we are looking into.
Formulating a Response
As we touched on earlier, not only do we detect and validate attacker behaviors that are known to be associated with malicious activity, but we also add actionable context to each alert a customer receives so that they can see the full picture. This includes:
- A description of the log activity or other behaviors they’ll see that indicate an issue
- A description of the larger threat (if applicable) and the behavior it is associated with so they understand the scope
- A remediation recommendation that explains what the customer needs to do, where, and when so that they can respond faster
A detection is only as good as its response, which is why as our own MDR SOC team deals with these threats in customer environments, we develop a response plan for the rest of our customers so they can respond as fast as we can, no matter how small or large their security team.
The Greater Vision
Attacker Behavior Analytics is more than just detection—it’s about incident validation, prioritization, and response. Because of that, the intel we gather for ABA can be spread across our other solutions here at Rapid7. In fact, we are the only company in InfoSec with an offering that provides insights into every area of security. Being able to spot attacks at the behavior level is still a relatively new approach in the security industry, and I am excited to work at a company with so many resources at our fingertips. This allows us to invest in understanding attacker behaviors, building rapid responses, and rolling out that intel to all of our customers.
What’s especially fascinating about studying attacker behaviors is that it allows us to detect an attack and formulate a response before it reaches its objective. Many behaviors observed early in an intrusion are indicators of what is likely to follow, and by monitoring for those, we can catch and remediate issues at the very beginning of the attack chain.