It’s hard to believe it’s already the end of September, and with it comes Rapid7’s Q2 2020 Quarterly Threat Report. As in previous quarters, our Rapid7 research team produced this report by analyzing the data from our internet telemetry-gathering systems Project Sonar and Project Heisenberg, as well as the threat reports generated by the Rapid7 Managed Detection and Response (MDR) team. Our goal is to use this data to highlight risks and threats so that organizations can make informed decisions on where to place their investments.
Here is a quick digest of things to look out for:
New features and data
Between authoring threat reports, the Rapid7 research team spends time refining our data collection and analysis tools and capabilities in an effort to enhance the insights we can derive for this report. In preparation for Q2, we added two notable data collection capabilities and one new feature to the report:
- We now see multiple events per threat, which allows us to better portray attacker tactics and techniques.
- We have increased context-gathering capabilities and now support the STIX 2.0 standard, which allows us to better name threats and describe impact.
- We have added two authors and a new section, “Focus on Response,” to pull back the curtain on incident response activities.
Visibility is the foundation on which security programs are built
The analysis of our honeypot data focused on two key campaigns. The first targets SQL servers, attempts to exploit EternalBlue, and installs cryptominers. The second consists of Mirai-like network connections, originating from over 8,000 sources and directed at two IP addresses, that fetch second-stage malware downloaders.
Both examples illustrate the need for visibility. In the first case, knowing your external footprint allows you to deploy the appropriate defenses. In the second case, Network Traffic Analysis (NTA) is a critical component in monitoring for known threats in your environment.
Attackers are increasingly using the masquerading technique
With our added visibility into the multiple steps involved with successful breaches, we see the masquerading technique used in most attacks reported by the MDR team. Attackers are using various methods to subvert security controls, threat prevention technology, and traditional detection methods. Organizations that invest in stopping these types of threats typically do so by investing in additional detection methodologies like process behavior analysis and user behavior analysis.
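To make the detection side of this concrete, here is an added example (not code from the report or from Rapid7) of the kind of process-behavior check that catches masquerading: it flags a well-known system binary name running from an unexpected directory, a renamed binary whose compiled-in OriginalFileName disagrees with its on-disk name, and a core process with an unexpected parent. The expected paths, parents and the event format are assumptions; the sample events are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed on-disk locations for commonly impersonated Windows binaries.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Assumed parent processes that normally launch these core binaries.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
}


@dataclass
class ProcessEvent:
    image_path: str          # full path of the started process
    parent_name: str         # image name of the parent process
    original_file_name: str  # OriginalFileName from the PE version resource (as EDR/Sysmon report it)


def masquerade_findings(ev: ProcessEvent) -> list[str]:
    """Return a list of masquerading indicators for one process-start event."""
    path = PureWindowsPath(ev.image_path.lower())
    name = path.name
    findings = []
    # Rule 1: a known system binary name executing outside its expected directory.
    if name in EXPECTED_DIRS and str(path.parent) not in EXPECTED_DIRS[name]:
        findings.append(f"{name} executed from unexpected path {path.parent}")
    # Rule 2: on-disk name differs from the compiled-in name (renamed utility).
    if ev.original_file_name and ev.original_file_name.lower() != name:
        findings.append(f"{name} has OriginalFileName {ev.original_file_name}")
    # Rule 3: a core system process started by a parent that should not launch it.
    if name in EXPECTED_PARENTS and ev.parent_name.lower() not in EXPECTED_PARENTS[name]:
        findings.append(f"{name} launched by unexpected parent {ev.parent_name}")
    return findings


# Constructed sample telemetry, not real data: one benign start and two suspicious ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "services.exe", "svchost.exe"),
    ProcessEvent(r"C:\Users\Public\svchost.exe", "cmd.exe", "svchost.exe"),
    ProcessEvent(r"C:\ProgramData\update.exe", "explorer.exe", "PowerShell.EXE"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image_path, "->", masquerade_findings(ev) or "ok")
```

Each rule alone is noisy on its own in a real fleet; the value comes from combining them with other process-behavior context, which is what the report describes organizations investing in.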
Incident investigations are not for the faint of heart
This quarter, we’ve added two authors to the roster: Robert Knapp and Bryce Abdo. Robert is a principal on the Rapid7 incident response team, and Bryce is a lead on our detections team. Both have provided us with summaries of incidents they investigated during the quarter.
The first incident targeted an email server, while the other two involved ransomware. Their accounts of these investigations highlight the importance of authoring and rehearsing incident scenario plans, auditing evidence sources, and ensuring you have the expertise to guide you through the technical response.
These are just a few of the highlights from the report, and we invite you to read the full copy and enjoy the pretty pictures here. As always, we hope that you can use this information to help you advance security within your own organizations. If there are suggestions of data that we can include in the future, please leave a comment below or tweet at us, @Rapid7.