Rapid7 Launches Quarterly Threat Intelligence Report
“The CTA commends
The report leverages intelligence from Rapid7’s Insight platform, Rapid7 Managed Services, Rapid7 Incident Response engagements, and the Metasploit community.
“Often, threat intelligence and data science reports present an abundance of statistics that are inaccessible and difficult to apply. Our goal with this report, and the ones to follow, is to provide incident response teams and SOC analysts with distilled learnings and practical, actionable guidance from the complex wealth of data
Key takeaways from the Q1 2017 report include:
#1. More is less. Less is more.
Reducing alert fatigue should always be a goal, but there’s more to it: A better signal-to-noise ratio means responders and analysts are more likely to see meaningful trends. By observing the timing of alerts generated, this Q1 analysis observed that attackers still heavily rely on user interaction. For instance, on Monday holidays, alerts dipped significantly, which our analysts attributed to a lack of employees interacting with malicious emails, attachments, etc.
#2. You find what you are looking for.
If you design indicators based only on currently available information, rather than seeking out additional intelligence or adding industry- and company-specific context, the result will be low-quality alerts. In other words: while most alerts are triggered from known, malicious activity, the quality of these alerts is entirely dependent on the established indicators.
#3. Advanced Persistent Threat (APT) is dead, long live APT.
Advanced Persistent Threats, Sophisticated Adversaries, Nation State Actors ... there are many ways to describe the types of sophisticated, targeted attacks many organizations fear. Understanding an organization’s threat profile can help determine whether or not these types of attackers should be accounted for in the threat landscape. For organizations in industries that align with nation state interests — government, manufacturing, aerospace — sophisticated attack activity is alive and kicking. For the most part, this analysis observed that organizations outside those industries were not significantly affected by highly targeted attacks.
#4. I feel the need, the need to Strut with speed.
While a 30-day patching cycle was once generally effective, the Apache Struts vulnerability (
For the full report, please visit: https://www.rapid7.com/info/threat-report
To hear about this inaugural report, join authors
Threat intelligence analysis fuels
In addition to reporting out to the community, Rapid7’s threat intelligence findings are leveraged to inform and help guide the Company’s products and services. Strengthening Rapid7’s understanding of the attacker mindset, the team’s analysis is used to evaluate threats, understand the behavioral markers associated with those threats, and adapt solutions to defend against them.
“Our goal is to build solutions that can quickly implement the learnings of our intelligence findings to get ahead of attacks before they’re reported in the wild,” said Brown. “For example, once we understand the behavior of a threat group, we use Metasploit to simulate that behavior and build detections for our incident detection and response products and services — and that’s hopefully before a real-world attack has occurred.”
The newly expanded Rapid7 Insight analytics platform allows for the fast application of threat learnings across its offering, including incident detection and response, vulnerability management, operations, and application security solutions. The cloud-based platform gives customers the ability to collect the necessary data and leverage the appropriate analytics to detect, prioritize, and stop threats. Specifically, InsightIDR customers can subscribe to curated threat analysis and alerts through the Company’s complimentary MDR Threat Intel service for live, advanced detection.
Rachel E. Adam Rapid7, Senior PR Manager firstname.lastname@example.org (857) 415-4443