SOLUTION GUIDE

Catching Modern Threats: InsightIDR Detection Methodologies

How a multi-layered approach enables teams to detect malicious activity across the attack chain for known and unknown threats.


TABLE OF CONTENTS

Introduction: Threat Detection in Modern Security Programs 3

The Importance of Known and Unknown 3

Legacy SIEM ROI Is Lost in the Modern Threat Landscape 4

Modern Threat Detection Requires a Two-Pronged Approach 4

InsightIDR for Modern Threat Detection 5

Detecting Malicious Activity with the Insight Agent 6

Behavior-based Detections 7

Threat Intelligence-based Detections 9

About InsightIDR 11

About Rapid7 11


Introduction: Threat Detection in Modern Security Programs

The main goal of any security program is to prevent a breach from negatively impacting your business. In practical terms, this means:

• Preventing breaches using defensive measures to minimize the attack surface, and using technology to prevent threats that bypass these measures from causing damage. This could include technology, user education, physical measures, and administrative policies.

• Using technology and people to detect threats that bypass your defensive measures and are not stopped by preventative technology before they impact business.

• Using a combination of people and technology to respond to valid threats before they impact business.

In order to effectively protect an organization against loss, security analysts must be able to quickly detect threats. The impact of these threats can be measured in two ways:

• For common threats (which typically fall into the known threat category), impact could be measured in man-hours to recover.

• For targeted threats (which typically fall into the unknown threat category), impact could be measured in reputation lost, financial loss, or cost of reparations.

The faster and earlier these threats can be detected in the attack chain, the less risk there is to the business. We’re now at a time where it’s imperative that modern security programs have a solution to detect both known and unknown threats in the environment. This whitepaper outlines how the detections in InsightIDR, Rapid7’s cloud SIEM, enable users to identify and respond to advanced threats.

The Importance of Known and Unknown

Most SIEM tools are able to detect static, known threats by using threat intelligence and threat rules built from data on previously seen attacks, and then comparing that intelligence against logs to identify when threat signatures are present. To implement this methodology successfully, these tools must have quality threat intelligence with identifiable signatures to build rules against.

However, as companies better secure their servers and critical infrastructure, attackers are turning to endpoints—and the people using them—as the top point of entry to a network. Nearly all data breaches involve a compromised endpoint as a stage in the attack. This type of compromise can’t be detected by using signature or rule-based detections alone.

Today’s malware allows attackers to gain persistent access to internal networks, take over computing resources to monetize them for cryptomining, or escalate their privileges and move laterally to reach more sensitive hosts and extract their data.

A robust threat detection program should combine:

• Security event threat detection technology to aggregate data from events across the network;

• Endpoint threat detection technology to provide detailed information about possibly malicious activity on the endpoint; and

• Human readable alerts and contextual information to allow security professionals to quickly analyze alerts and take action.


Modern Threat Detection Requires a Two-Pronged Approach

Rules-based detections targeting attacks that are well understood, that tend to follow a certain pattern, and that are more predictable are still an important component of a strong SOC program. Brute-force attacks and spear phishing, for example, are typically very recognizable and should be stopped early in the attack chain before things get critical.

However, as we discussed earlier, the modern network has evolved. And so, too, has the threat landscape. There are less predictable attacks for which rule-based detections are not enough. Things like insider threats and custom malware, for example, are more complex to detect and may evade traditional SIEMs. Recognizing these threats in the system requires a mix of anomaly detection (behavioral analytics) and human analysis to evaluate and take action on.

There is not one single tactic alone that can protect against everything, and the best solution for comprehensive attack coverage is a marriage of rule-based detections, anomalous detections with investigative support, and empowering people and processes to act fast.

Legacy SIEM ROI Is Lost in the Modern Threat Landscape

Security is much more than compliance and log management. However, many teams still rely on legacy, log-heavy tools to check the compliance box, missing potentially critical threats along the way.

These traditional SIEMs can consume a large number of resources to tune and maintain the deployment, configure data ingestion, manage logs, create rules, run analytics against the data, and apply threat intelligence (not to mention managing and maintaining on-premises hardware). More often than not, security teams are left chasing down alerts between different tools, losing cycles while potential attackers penetrate further into their network. What’s worse is that, since legacy SIEMs are often focused on perimeter traffic and miss important contextual information from modern network sources (e.g. endpoints and users), alerts can often be false positives. Teams are left drowning in data and missing the real threats that are lurking elsewhere in their network.


InsightIDR for Modern Threat Detection

InsightIDR is the only cloud SIEM that comes with direct endpoint visibility, extensive threat rules, network traffic detections, and behavioral analytics out of the box. Its cloud-based solution connects with your internal data sources, network activity, and data directly from user endpoints, reducing the time and effort needed to set up and maintain collecting, updating, and managing data sets (meaning your team will be able to detect attacks in days after purchase, not weeks or months).

Rapid7 InsightIDR is a modern cloud SIEM that leverages both User and Attacker Behavior Analytics to detect intruder activity, cutting down on false positives and days’ worth of work for your security professionals. InsightIDR goes beyond traditional SIEM monitoring, uniting data from endpoints, network traffic, logs, and cloud services in a single tool to hunt all of the most common attack vectors behind breaches.

This combination gives you real-time visibility and detection for malware, fileless attacks, and the use of stolen credentials. In fact, over 90% of all InsightIDR detections occur at or before “Credential Access,” well before any significant attacker impact (Figure 1).

Figure 1: Cumulative percentage of InsightIDR detections (y-axis: Detection %, 0–100%) occurring at or before each stage of the attack chain. Source: Rapid7 Managed Detection and Response Q1 2019 InsightIDR Detections. Values as read from the chart:

• Initial Access: 36.8%

• Execution: 64.2%

• Persistence: 64.7%

• Defense Evasion: 66.5%

• Credential Access: 90.0%

• Discovery: 91.6%

• Lateral Movement: 92.2%

• Effects: 96.7%

• Collection: 96.9%

• Command and Control: 98.6%

• Impact: 100.0%

By alerting on stealthy intruder behavior as early as possible in the attack chain, InsightIDR provides the comprehensive information and automation capabilities needed to take swift action on threats—before they get out of hand.


Detecting Malicious Activity with the Insight Agent

In order to have complete coverage of and visibility into the endpoint, InsightIDR integrates with your existing network and security stack to collect data from and query endpoints through the Insight Agent and endpoint scan. Without an agent to collect and analyze critical data on the endpoint, customers are unable to detect advanced threats and cannot query the asset, either for incident investigation or for response.

The Rapid7 Insight Agent provides critical, real-time visibility across your Windows, Mac, and Linux assets—no matter where they are in the world. You can detect modern malware that evades today’s anti-virus tech, gain visibility into your assets, and even take action through the agent to contain a found threat.

The Insight Agent is able to provide context to anomalous behaviors by analyzing:

• Running processes

• Security events

• System event codes

• Registry data

• Intruder traps

• Asset and user data

• File audit logs

• File and package data


Detecting Malicious Activity with the Insight Sensor

While the Insight Agents are responsible for collecting data on your assets, they do not account for network traffic, which is the data moving between your assets. To provide the network traffic visibility that’s needed to detect attackers, Rapid7’s Insight Network Sensor allows you to monitor, capture, and assess the end-to-end network traffic moving throughout your physical and virtual environment.

Network traffic monitoring is an increasingly significant security gap for organizations today. As a security practitioner looking to minimize your attack surface, you need to know the types of network data traversing your network and how much of that data is moving: two critical areas that could indicate malicious activity in your environment.

InsightIDR can use network sensor data to generate investigations and alerts based on the network traffic traversing your environment, one of which is a new investigation data source based on IPv4 flow data. InsightIDR also leverages DNS and DHCP information that the network sensor extracts from network packets to produce other actionable alerts.

After the data becomes available in InsightIDR, the processed network traffic can be further leveraged as a foundation for log searching, data analysis, building custom reports and dashboards, top external clients making inbound connections, and other data points.

The Insight Sensor is able to provide visibility while adding several benefits beyond network traffic detection:

• Passive monitoring

• Works on any network

• Efficient data collection

• Sensitive environment coverage

• One data set for multiple use cases

• Rapid time to value


Behavior-based Detections

Detecting threats using behavior-based analytics is a core differentiator for Rapid7’s InsightIDR technology. The detection that InsightIDR provides across the attack chain stems from a combination of User and Attacker Behavior Analytics, endpoint data, and deception technology. Effective implementation of user- and deviation-based detection methodologies requires deep visibility into endpoints, network metadata, authentication/authorization events, and logs.

“With InsightIDR ... we deployed agents on our servers and are forwarding syslogs from our network devices to the cloud collectors. It has given us visibility that we have never had before such as ingress and egress authentication attempts, Office 365 authentications, and even potentially compromised accounts...[such as] email addresses that may have been obtained and distributed for phishing.” (Gartner Peer Insights: Security Admin, Retail)

Figure 2: Rapid7 MDR Aligns to MITRE ATT&CK Framework (panels: User Behavior Analytics (UBA); Attacker Behavior Analytics (ABA))


User Behavior Analytics (UBA)

User Behavior Analytics (UBA) enables your team to more easily determine whether a potential threat is an outside attacker impersonating an employee, or an actual employee who presents some kind of risk, whether through negligence or malice.

UBA connects activity on the network to a specific user as opposed to an IP address or asset. It is then compared against a normal baseline of event activity for that user. Once collected and analyzed, it can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.

Your team is able to leverage these UBA indicators to dynamically prioritize and rank alert criticality based on the presence or absence of notable behaviors associated with the alert by:

• Detecting unknown threats based on single occurrences, or groups of notable events based on specific user behaviors or deviations from known-good baselines.

• Detecting insider threats based on groups of notable events describing the sequence of events typically associated with information theft by an authorized party.

• Associating user behaviors based on notable events with alerts and investigations to improve the validation and investigation analyst workflows.

• Providing the data needed to associate technical evidence with human understandable behavior for threat reporting.

InsightIDR provides your team with a technological advantage by utilizing our proprietary attribution engine with models that are purpose-built to detect behaviors indicative of true threats, while sorting out users who may be doing unusual tasks but are not actually compromised or performing malicious actions. Many traditional SIEM solutions claim to utilize UBA detections, but SIEM engines aren’t built for real-time attribution, unlike Rapid7’s InsightIDR technology. This is because users and assets constantly move around in a modern network architecture, leading to an engine that cannot accurately map events to entities.
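The following Python script is an added illustration of the two-pronged approach and the UBA workflow described above; it is not InsightIDR code and does not model Rapid7's attribution engine. Over a constructed set of authentication records it matches source IPs against a constructed threat-intel list (known threats) and compares each login against a per-user baseline of assets, sources and login hours (unknown threats), attaching notable behaviors and a score to each event. All log lines, names and weights are made up for the example.

```python
"""Two-pronged detection over authentication events: threat-intel matching for
known indicators plus per-user baseline deviation for unknown threats.
Added example with constructed data; not InsightIDR's own code."""
from collections import defaultdict
from datetime import datetime

# Constructed threat-intel feed: source IPs previously seen in attacks.
KNOWN_BAD_SOURCES = {"203.0.113.77"}

# Constructed auth records: a baseline period, then the window under review.
BASELINE_LOGS = """\
2019-03-04T09:12:03Z user=alice asset=ws-alice src=10.0.1.20 result=success
2019-03-04T17:40:11Z user=alice asset=ws-alice src=10.0.1.20 result=success
2019-03-05T08:55:42Z user=alice asset=ws-alice src=10.0.1.20 result=success
2019-03-05T10:02:19Z user=alice asset=fileserver src=10.0.1.20 result=success
2019-03-04T09:30:00Z user=bob asset=ws-bob src=10.0.1.31 result=success
2019-03-05T09:31:07Z user=bob asset=ws-bob src=10.0.1.31 result=success
"""
REVIEW_LOGS = """\
2019-03-06T09:05:00Z user=bob asset=ws-bob src=10.0.1.31 result=success
2019-03-06T02:14:09Z user=alice asset=ws-alice src=10.0.1.20 result=success
2019-03-06T02:15:30Z user=alice asset=dc01 src=10.0.1.20 result=success
2019-03-06T02:16:02Z user=alice asset=hr-db src=10.0.1.20 result=success
2019-03-06T11:00:00Z user=bob asset=ws-bob src=203.0.113.77 result=success
"""

def parse(lines):
    """Parse 'timestamp key=value ...' records into dicts with a datetime."""
    events = []
    for line in lines.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def build_baseline(events):
    """Per-user known-good profile: assets, source IPs and login hours seen."""
    base = defaultdict(lambda: {"assets": set(), "srcs": set(), "hours": set()})
    for ev in events:
        if ev["result"] != "success":
            continue
        p = base[ev["user"]]
        p["assets"].add(ev["asset"])
        p["srcs"].add(ev["src"])
        p["hours"].add(ev["time"].hour)
    return base

def score_events(events, baseline, threshold=3):
    """Attach notable behaviors to each event; return those scoring >= threshold."""
    alerts = []
    new_assets = defaultdict(list)  # user -> first-seen assets in this window
    for ev in sorted(events, key=lambda e: e["time"]):
        p = baseline.get(ev["user"])
        notable = []
        if ev["src"] in KNOWN_BAD_SOURCES:        # known threat: intel match
            notable.append(("known_bad_source", 5))
        if p is None:                              # no baseline to compare against
            notable.append(("unknown_user", 3))
        else:                                      # unknown threat: deviations
            if ev["asset"] not in p["assets"]:
                notable.append(("first_seen_asset", 2))
                new_assets[ev["user"]].append(ev["asset"])
            if ev["src"] not in p["srcs"]:
                notable.append(("first_seen_source", 2))
            if ev["time"].hour not in p["hours"]:
                notable.append(("off_hours_login", 1))
            if len(new_assets[ev["user"]]) >= 2:   # looks like lateral movement
                notable.append(("multiple_new_assets", 2))
        score = sum(w for _, w in notable)
        if score >= threshold:
            alerts.append({"user": ev["user"], "asset": ev["asset"], "src": ev["src"],
                           "time": ev["time"].isoformat(), "score": score,
                           "reasons": [name for name, _ in notable]})
    return alerts

def run():
    """Build the baseline from the first window and score the second."""
    return score_events(parse(REVIEW_LOGS), build_baseline(parse(BASELINE_LOGS)))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Alice's 02:14 login on her own workstation scores below the threshold on its own, but the two first-seen assets that follow it at the same off-hours time are escalated together, while Bob's login from the listed source is flagged by the intel match even though his asset is normal.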

Attacker Behavior Analytics (ABA)

Attacker Behavior Analytics (ABA) applies Rapid7’s existing experience, research, and practical understanding of attacker behaviors to generate investigative leads based on known attacker tools, tactics, and procedures (TTPs). These include:

• Malware, malware droppers, maldocs, and fileless malware (opportunistic and targeted)

• Cryptojacking (stealing CPU cycles to mine cryptocurrency)

• Pentesting and attack tools

• Suspicious persistence

• Anomalous data exfiltration

• New attacker behavior

ABA detection methods are constantly updated based on our team’s investigations; Rapid7’s research and threat intelligence analysts extract key behaviors from threats identified in our customer environments. After performing research on related attacks and behaviors, we craft new ABA detections and implement them in the InsightIDR product to simplify and accelerate detection and reduce your time to remediation. These sources include:

• Rapid7 MDR customers

• The Metasploit Community

• Project Heisenberg (our honeypot network)

• Project Sonar (our internet-side scanning project)

• Incident Response engagements

• InsightIDR customers sharing intel

• Rapid7’s Threat Intelligence team and community (e.g. Cyber Threat Alliance)


Other key advantages include:

• Found once, applied everywhere: Your security team gets the benefit of the learnings from Rapid7 customer detections. For example, when our SOC team finds new attack methodologies—either by way of our SOC, threat intelligence team, or Rapid7 research—those TTPs are updated in InsightIDR investigations.

• Detections based on behaviors, not signatures: Through InsightIDR, your team is armed with high-fidelity endpoint data to identify novel variations of new attacker techniques.

• High-fidelity alerts grant context to take action: Alerts include context from our analysts and threat intel teams, so you can make better decisions, remediate the problem, mitigate risk, and contain the alert from directly inside your Findings Report.

• Constantly evolving ABA detections: Whenever possible, the alert will detail known, recent adversary groups using a similar technique in a confirmed attack.

As a key advantage of our cloud deployment model, our detections are updated automatically to our entire user population of customers after a thorough prototyping, testing, and validation process. All new indicators are applied to one month’s historic data so your environment is instantly protected.

Threat Intelligence-based Detections

Rapid7 leverages proprietary threat intelligence derived from research, previous investigations and monitoring findings, as well as third-party sources. Rapid7’s Threat Intelligence team is responsible for maintaining this intelligence and working alongside our SOC analysts to constantly apply threat detection and incident response learnings across all MDR customer environments. Rapid7’s Threat Intelligence team brings expertise and data sources from the public sector, private sector, and open sources to fuel threat detection and incident response.

• Strategic threat intelligence is provided per industry sector and is aimed at decision-makers to help shape strategies to prevent threats from materializing.

• Tactical threat intelligence is applied in our attacker behavior analysis methodologies and leverages complex rules to generate investigative leads across multiple event sources and over time.

• Operational threat intelligence is provided by way of proactive threat reports and indicates the likelihood of an impending attack. Our reports include mitigation recommendations to increase resilience against specific threats to your organization.

• Technical threat intelligence in the form of indicators of compromise is applied across our customer base. The Rapid7 Threat Intelligence team actively maintains the quality of the technical threat intelligence to ensure fidelity, context, and timeliness for our MDR threat analysts.

Network Traffic Analysis (NTA)

With the lightweight Insight Network Sensor, customers can continuously monitor network traffic at any location or site across their network. This data helps minimize the attack surface and detect intrusions (or other potential security events) on the network. Network traffic detections are generated from two data sets. Together, these network analytics help analysts ensure continuous visibility everywhere, recognize compromise quickly, and trace attackers across systems and applications.

• IDS, DNS, & DHCP Network Traffic: The Rapid7 MDR team has carefully filtered IDS events to capture only the most critical and actionable detections for teams to focus on, helping cut down on noise and increase analysts’ confidence in taking action. This means that when malware, botnets, or other compromises are detected, teams won’t have to go through tedious cycles to determine their validity.

• Network Flow data: Rapid7 also leverages a proprietary Deep Packet Inspection (DPI) engine to capture all raw network traffic flows, extracting rich metadata. Rapid7’s proprietary DPI engine captures and analyzes traffic in readable, interpretable detail, without the complexity and overhead of full packet capture. This passive analysis approach drastically reduces data volume and does not impact performance, while retaining the critical data ideal for investigations, deeper forensic activities, and custom rule creation. With this rich flow data, teams have deep detail with which to track attacker entry and movement across the network so they can accelerate investigations and better inform response actions.


Rapid7 Research and Threat Intelligence Sources

We’re committed to openly sharing security information that not only helps the entire cybersecurity community to learn, grow, and address issues in the security world, but also to improve our products and detections. Figure 3 shows the common sources that lead to Rapid7’s security expertise and intelligence advantage:

Figure 3: Rapid7 research and threat intelligence sources (diagram labels: Rapid7 Customers; Incident Response Engagements; Managed Services SOC; Scheduled & Ad Hoc Hunts In Your Environment; Threat Hunters; Intelligence Sharing; Affiliate Member Board & Committee Seats; Metasploit Community, +200k Contributors, +3k Exploits; Project Sonar, Global Internet Scanning; Project Heisenberg, 300+ Global Honeypots; Vulnerability Disclosure, +700k Vulnerabilities)

Rapid7 Customers

Our detections are enhanced from learnings across our millions of Insight Agents deployed on customer endpoints, MDR customers, and Incident Response engagements.

Intelligence Sharing

Rapid7 is part of the Cyber Threat Alliance (CTA), a community of security research organizations with a mission to improve cybersecurity cooperation and so improve defenses against cyber adversaries. Rapid7 is an Affiliate member of the CTA with Board and Committee seats.

Metasploit Community

Metasploit is the world's most-used penetration testing software, used to uncover weaknesses in defenses, with over 3,000 exploits and over 200,000 active contributors.

Project Heisenberg Cloud

A collection of over 200 low-interaction, global honeypots distributed both geographically and across IP space. The honeypots offer the front end of various services to learn what other scanners are up to (usually no good), and to conduct "passive scanning" to help enhance our understanding of attacker methods.

Project Sonar

A security research project by Rapid7 that conducts internet-wide scans across different services and protocols to gain insight into global exposure to common vulnerabilities.

Pen Test Engagements

Rapid7 service engagements allow us to leverage the real-world experience of our engineers and investigators, gathered over thousands of pen tests.

Vulnerability Disclosure

Rapid7 publishes our data for free to encourage scientists, engineers, and anyone else interested in the nature and form of the internet to make their own discoveries.


About InsightIDR

Rapid7 InsightIDR leverages attacker analytics to detect intruder activity earlier in the attack chain, cutting down false positives and days’ worth of work for security professionals. It hunts for actions indicative of compromised credentials, spots lateral movement across assets, detects malware, and sets traps for intruders.

About Rapid7

Organizations around the globe trust Rapid7 technology, services, and research to help them securely advance. The visibility, analytics, and automation delivered through our Insight cloud simplifies the complex and helps security teams reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks. Learn more at www.rapid7.com.