Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/20/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

APT Attack Activity Occurs at 'Low, Consistent Hum,' Rapid7 Finds

Organizations in industries aligned to nation-state interests are main targets of nation-state attack threats, new quarterly threat report shows.

The quarterly threat intelligence reports that many security vendors publish on a regular basis usually tend to highlight threats that are either emerging or becoming more prevalent or dangerous in some way.

Reports, like one from Rapid7 this week that highlight security issues trending the opposite way, are somewhat less common but likely useful to organizations for that very reason.

Rapid7 first quarterly threat intelligence report is based on its analysis of a representative sample of security incidents handled for customers of the company's managed detection and response service. One of the key findings from that analysis was that advanced persistent threat (APT)-centric threats were less common than the hype around such attacks would suggest. Rapid7's analysis showed that advanced persistent threats, many of which are state-sponsored, were a non-issue for a majority of organizations in the first quarter of this year.

The organizations most impacted by APT activity belonged to industries that aligned with nation-state interests such as government, manufacturing, and aerospace. APT attacks that Rapid7 found were targeted and rare, generally took longer to contain, and required more post-incident handling than other attacks. But not all organizations are targets, which is why security administrators need to have a good handle on their threat profile and pay attention to developments that might cause that profile to change.

"Over the past year we saw targeted, sophisticated attacks at the same steady cadence," says Rebekah Brown, threat intelligence lead at Rapid7. But the attacks represented only a very small percentage of the overall threats that Rapid7 saw in its customers' environments, she says.

"We do see ebbs and flows of activity related to specific attacker groups, but the overall activity level is a low, consistent hum," she says.

Another discovery that Rapid7 made from its analysis of Q1 incident data among its customers was a lower than expected number of security alerts that required human intervention.

A great deal has been made about the need for organizations to put measures in place for filtering out the noise caused by the massive volume of log and event data generated by security controls and network infrastructure components. Security analysts have long stressed the importance of having correlation rules that weed out false positives from log and event data while surfacing alerts on issues that really merit a closer look.

"Our assessment is that the numbers are lower because customers are being more selective on what they alert on, and therefore are seeing fewer false positives," Brown says. Another possibility is that organizations are learning from the alerts and finding ways to mitigate or prevent activities that caused the alerts, she says.

It is also always possible that threats are becoming more evasive in response to actions taken by organization. "However, if that was the case, we would not have expected to see a consistent level of alerts across the quarter," Brown says. "There would likely have been a sharp decline as attackers shifted tactics."

Rapid7's examination of the events that triggered alerts showed that most alerts were tied to known bad activity, such as malware or multiple concurrent logins from different regions around the world. The quality of the alerts depended on the kind of data that was available to the alerting system. Inputs that were based on what Rapid7 described as low-fidelity indicators tended to generate more noise than actionable information.

One key takeaway from Rapid7 research is that alert fatigue is very real, says Bob Rudis, chief data scientist at Rapid7. "[It] causes organizations to miss real events because they’re trying to consume a firehose of alerts without proper tools, processes or staffing," he says.

Enterprises need to align their threat models and include known incident, event, and breach parameters when designing rules for alerts that are actionable, Rudis says.

Related stories:                               

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...