Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/20/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

APT Attack Activity Occurs at 'Low, Consistent Hum,' Rapid7 Finds

Organizations in industries aligned to nation-state interests are main targets of nation-state attack threats, new quarterly threat report shows.

The quarterly threat intelligence reports that many security vendors publish on a regular basis usually tend to highlight threats that are either emerging or becoming more prevalent or dangerous in some way.

Reports, like one from Rapid7 this week that highlight security issues trending the opposite way, are somewhat less common but likely useful to organizations for that very reason.

Rapid7 first quarterly threat intelligence report is based on its analysis of a representative sample of security incidents handled for customers of the company's managed detection and response service. One of the key findings from that analysis was that advanced persistent threat (APT)-centric threats were less common than the hype around such attacks would suggest. Rapid7's analysis showed that advanced persistent threats, many of which are state-sponsored, were a non-issue for a majority of organizations in the first quarter of this year.

The organizations most impacted by APT activity belonged to industries that aligned with nation-state interests such as government, manufacturing, and aerospace. APT attacks that Rapid7 found were targeted and rare, generally took longer to contain, and required more post-incident handling than other attacks. But not all organizations are targets, which is why security administrators need to have a good handle on their threat profile and pay attention to developments that might cause that profile to change.

"Over the past year we saw targeted, sophisticated attacks at the same steady cadence," says Rebekah Brown, threat intelligence lead at Rapid7. But the attacks represented only a very small percentage of the overall threats that Rapid7 saw in its customers' environments, she says.

"We do see ebbs and flows of activity related to specific attacker groups, but the overall activity level is a low, consistent hum," she says.

Another discovery that Rapid7 made from its analysis of Q1 incident data among its customers was a lower than expected number of security alerts that required human intervention.

A great deal has been made about the need for organizations to put measures in place for filtering out the noise caused by the massive volume of log and event data generated by security controls and network infrastructure components. Security analysts have long stressed the importance of having correlation rules that weed out false positives from log and event data while surfacing alerts on issues that really merit a closer look.

"Our assessment is that the numbers are lower because customers are being more selective on what they alert on, and therefore are seeing fewer false positives," Brown says. Another possibility is that organizations are learning from the alerts and finding ways to mitigate or prevent activities that caused the alerts, she says.

It is also always possible that threats are becoming more evasive in response to actions taken by organization. "However, if that was the case, we would not have expected to see a consistent level of alerts across the quarter," Brown says. "There would likely have been a sharp decline as attackers shifted tactics."

Rapid7's examination of the events that triggered alerts showed that most alerts were tied to known bad activity, such as malware or multiple concurrent logins from different regions around the world. The quality of the alerts depended on the kind of data that was available to the alerting system. Inputs that were based on what Rapid7 described as low-fidelity indicators tended to generate more noise than actionable information.

One key takeaway from Rapid7 research is that alert fatigue is very real, says Bob Rudis, chief data scientist at Rapid7. "[It] causes organizations to miss real events because they’re trying to consume a firehose of alerts without proper tools, processes or staffing," he says.

Enterprises need to align their threat models and include known incident, event, and breach parameters when designing rules for alerts that are actionable, Rudis says.

Related stories:                               

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13991
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
CVE-2020-15160
PUBLISHED: 2020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
CVE-2020-15162
PUBLISHED: 2020-09-24
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15843
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
CVE-2020-17365
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...