Threat Intelligence
4/20/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

APT Attack Activity Occurs at 'Low, Consistent Hum,' Rapid7 Finds

Organizations in industries aligned to nation-state interests are main targets of nation-state attack threats, new quarterly threat report shows.

The quarterly threat intelligence reports that many security vendors publish on a regular basis usually tend to highlight threats that are either emerging or becoming more prevalent or dangerous in some way.

Reports, like one from Rapid7 this week that highlight security issues trending the opposite way, are somewhat less common but likely useful to organizations for that very reason.

Rapid7 first quarterly threat intelligence report is based on its analysis of a representative sample of security incidents handled for customers of the company's managed detection and response service. One of the key findings from that analysis was that advanced persistent threat (APT)-centric threats were less common than the hype around such attacks would suggest. Rapid7's analysis showed that advanced persistent threats, many of which are state-sponsored, were a non-issue for a majority of organizations in the first quarter of this year.

The organizations most impacted by APT activity belonged to industries that aligned with nation-state interests such as government, manufacturing, and aerospace. APT attacks that Rapid7 found were targeted and rare, generally took longer to contain, and required more post-incident handling than other attacks. But not all organizations are targets, which is why security administrators need to have a good handle on their threat profile and pay attention to developments that might cause that profile to change.

"Over the past year we saw targeted, sophisticated attacks at the same steady cadence," says Rebekah Brown, threat intelligence lead at Rapid7. But the attacks represented only a very small percentage of the overall threats that Rapid7 saw in its customers' environments, she says.

"We do see ebbs and flows of activity related to specific attacker groups, but the overall activity level is a low, consistent hum," she says.

Another discovery that Rapid7 made from its analysis of Q1 incident data among its customers was a lower than expected number of security alerts that required human intervention.

A great deal has been made about the need for organizations to put measures in place for filtering out the noise caused by the massive volume of log and event data generated by security controls and network infrastructure components. Security analysts have long stressed the importance of having correlation rules that weed out false positives from log and event data while surfacing alerts on issues that really merit a closer look.

"Our assessment is that the numbers are lower because customers are being more selective on what they alert on, and therefore are seeing fewer false positives," Brown says. Another possibility is that organizations are learning from the alerts and finding ways to mitigate or prevent activities that caused the alerts, she says.

It is also always possible that threats are becoming more evasive in response to actions taken by organization. "However, if that was the case, we would not have expected to see a consistent level of alerts across the quarter," Brown says. "There would likely have been a sharp decline as attackers shifted tactics."

Rapid7's examination of the events that triggered alerts showed that most alerts were tied to known bad activity, such as malware or multiple concurrent logins from different regions around the world. The quality of the alerts depended on the kind of data that was available to the alerting system. Inputs that were based on what Rapid7 described as low-fidelity indicators tended to generate more noise than actionable information.

One key takeaway from Rapid7 research is that alert fatigue is very real, says Bob Rudis, chief data scientist at Rapid7. "[It] causes organizations to miss real events because they’re trying to consume a firehose of alerts without proper tools, processes or staffing," he says.

Enterprises need to align their threat models and include known incident, event, and breach parameters when designing rules for alerts that are actionable, Rudis says.

Related stories:                               

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.