In case you missed the big news, our 2018 Q3 Threat Report is out! We’re in the midst of both crypto-winter and real-life winter, which is perhaps why we’re seeing attackers burrow deep. More than ever, defenders need a unified approach to detect and respond to threats.
In this post, we’ll review three actionable findings based on data from our Project Heisenberg honeypot network, Project Sonar, and our 250+ managed detection and response (MDR) customers who use our underlying InsightIDR technology to unify security data and identify compromise in real time.
1. Which attack types most often lead to breaches?
There are three attack techniques that lead up to nearly every breach today:
This coincides with the top detections spotted across our MDR customer base, which highlights the need to have detection coverage that spans across user accounts, endpoints, and cloud services such as Office 365 or IaaS.
First on the chart is PowerShell, which we can bucket under malware. At best, the detected PowerShell is a weird misconfiguration or IT time-saver; at worst, the adversary is able to command and control a compromised asset via PowerShell commands. While this stealthier technique is designed to evade antivirus and prevention defenses, we can detect these attacker “micro-behaviors” with the endpoint telemetry we collect and analyze within InsightIDR. Detecting malicious use of native scripting utilities is impossible without an endpoint detection and response agent, which InsightIDR provides.
Next up is suspicious URL activity. This is closely linked to phishing, as it’s indicative of end users clicking on malicious links delivered via email, chat, or another vector. Of course, every organization is concerned about phishing—for our recommended strategy, reference, “Phishing Attacks Duping Your Users? Here’s a Better Anti-Phishing Strategy.”
InsightIDR adds detection value to organizations by applying user behavior analytics (UBA) to authentications across Active Directory and your internal network, along with cloud services, to flag anomalous user behavior and accounts being attacked (e.g., Office 365 brute-forcing from Nigeria). On top of that, DNS, web proxy, and firewall traffic is ingested and made fully searchable, and then matched against third-party threat intelligence (e.g., Google Safe Browsing and PhishTank), our machine learning, and intelligence shared within our InsightIDR customer community.
This directly ties into the top detection from InsightIDR: malicious login attempts. This can range from run-of-the-mill brute-forcing or trying exposed credentials from a leaked data breach to a more sophisticated attacker who has obtained credentials and is now on your internal network impersonating a legitimate employee.
This is where UBA is critical—you need to know about anomalous ingress and lateral movement, but don’t need an alert every time Stacy goes on vacation in Cancún or when Bob in Marketing has a cluster of failed logins. InsightIDR uses a combination of threat intelligence, UBA, and smart visualizations to help customers quickly identify anomalous logins and account takeovers.
For most companies, it’s not a simple process to detect attacks across these three techniques. While PowerShell detection requires being able to detect activity on the endpoint, URL access and login attempts require tracking and analyzing user behavior data. Today, UBA has converged with SIEM technology to help security teams baseline typical user activity (e.g., what processes they execute and where and how users log in) and find risky behavior and compromised accounts. It’s a critical part of a holistic detection strategy, and where we first invested in detection and response, so be wary of “modular, bolt-on analytics” claims that can produce more noise than value.
Since the data sources that reveal each attack type are different, companies are pushed toward fragmented detection solutions for phishing, endpoints, and user behavior—and wait, do you also need “next-gen, AI-powered” versions for all of these?!
InsightIDR is the only SIEM on the market with the capability to detect malware, phishing, and stolen credentials right out of the box. More importantly, because of continuous learning from our customers, the Metasploit community, our research, and fantastic in-house suite of services that spans pen testing to incident response, we have a resilient architecture built to detect the attacks of tomorrow, today.
2. Emotet: A malware nightmare
The second major theme we saw in Q3 was the persistence of Emotet, a popular malware campaign typically delivered via malicious spam or spear phishing (we’ve included some examples we encountered below). Over half of the malware we investigated throughout the quarter were variants of Emotet, targeting industries including construction, finance, healthcare, manufacturing, real estate, and utilities.
Given the range of impacted industries, it’s important to be on the lookout for Emotet. To see exactly how Emotet is impacting your industry, what it does once inside an organization, and our recommendations, see the full breakdown in the Q3 Threat Report. Guidance around email validation systems, file attachment blocking, and least-privilege access policies are among the tips provided.
If you use InsightIDR, you can subscribe to the Emotet threat feeds within the Threats community. Shoutout to all of the dedicated contributors who continue to share their curated threat intelligence!
3. Protocol poisoning flaring up as a threat vector
A particularly interesting development is protocol poisoning, which is the use of software such as Responder that is designed to confuse nodes on a local network, causing them to route data through it to capture credentials, hashes, and/or general data. Essentially, if attackers have already compromised a machine, they can run a program to steal more credentials and gain deeper access.
Protocol poisoning made our “Top 5 Threat Events Per Month” list twice in Q3 (see below). This can indicate not only an attacker foothold, but also specific intent to hunt for credentials and start lateral movement.
Responder, which attacks Windows networks when you have internal network access but no domain user, is a top tool in every pen tester’s toolbox. Therefore, like the rest of our detections, we’re focused on making sure it:
- Is easy to identify and monitor: For Responder, our Insight agent will issue queries or nonexistent host names over NBT-NS to reveal tools abusing trusted traffic .
- Provides context: Along with the alert, notable user and asset behavior is automatically surfaced on a visual timeline.
- Takes action: In InsightIDR, you can now disable a user account, kill a malicious process, or quarantine an asset right from within the console.
This all goes toward our mission of helping security teams reduce the complexity around detecting, investigating, and containing threats.
Test, test, and test
The last thing of note here is that as you prepare for these threats, you also need to test the detections and responses you have in place. Simulating protocol poisoning and malicious PowerShell commands to ensure working visibility is one part, but just as important is an organized, cohesive response in the event of a serious incident from both within the security team and the broader organization.
To Q4 and beyond!
The diverse behaviors our security operations centers (SOCs) detected and investigated in Q3 truly highlights the need for holistic detection, a strategy that can identify a wide range of attacks while providing important context. You can find all of our identified indicators in Appendix C of the Q3 Threat Report, which you can directly port into your SIEM to match against your data. If you don’t have centralized, working, or affordable log management today, you’re flying blind against the most prevalent attacks today.
To prepare your defenses, view our full report for free.