Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/20/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

APT Attack Activity Occurs at 'Low, Consistent Hum,' Rapid7 Finds

Organizations in industries aligned to nation-state interests are main targets of nation-state attack threats, new quarterly threat report shows.

The quarterly threat intelligence reports that many security vendors publish on a regular basis usually tend to highlight threats that are either emerging or becoming more prevalent or dangerous in some way.

Reports, like one from Rapid7 this week that highlight security issues trending the opposite way, are somewhat less common but likely useful to organizations for that very reason.

Rapid7 first quarterly threat intelligence report is based on its analysis of a representative sample of security incidents handled for customers of the company's managed detection and response service. One of the key findings from that analysis was that advanced persistent threat (APT)-centric threats were less common than the hype around such attacks would suggest. Rapid7's analysis showed that advanced persistent threats, many of which are state-sponsored, were a non-issue for a majority of organizations in the first quarter of this year.

The organizations most impacted by APT activity belonged to industries that aligned with nation-state interests such as government, manufacturing, and aerospace. APT attacks that Rapid7 found were targeted and rare, generally took longer to contain, and required more post-incident handling than other attacks. But not all organizations are targets, which is why security administrators need to have a good handle on their threat profile and pay attention to developments that might cause that profile to change.

"Over the past year we saw targeted, sophisticated attacks at the same steady cadence," says Rebekah Brown, threat intelligence lead at Rapid7. But the attacks represented only a very small percentage of the overall threats that Rapid7 saw in its customers' environments, she says.

"We do see ebbs and flows of activity related to specific attacker groups, but the overall activity level is a low, consistent hum," she says.

Another discovery that Rapid7 made from its analysis of Q1 incident data among its customers was a lower than expected number of security alerts that required human intervention.

A great deal has been made about the need for organizations to put measures in place for filtering out the noise caused by the massive volume of log and event data generated by security controls and network infrastructure components. Security analysts have long stressed the importance of having correlation rules that weed out false positives from log and event data while surfacing alerts on issues that really merit a closer look.

"Our assessment is that the numbers are lower because customers are being more selective on what they alert on, and therefore are seeing fewer false positives," Brown says. Another possibility is that organizations are learning from the alerts and finding ways to mitigate or prevent activities that caused the alerts, she says.

It is also always possible that threats are becoming more evasive in response to actions taken by organization. "However, if that was the case, we would not have expected to see a consistent level of alerts across the quarter," Brown says. "There would likely have been a sharp decline as attackers shifted tactics."

Rapid7's examination of the events that triggered alerts showed that most alerts were tied to known bad activity, such as malware or multiple concurrent logins from different regions around the world. The quality of the alerts depended on the kind of data that was available to the alerting system. Inputs that were based on what Rapid7 described as low-fidelity indicators tended to generate more noise than actionable information.

One key takeaway from Rapid7 research is that alert fatigue is very real, says Bob Rudis, chief data scientist at Rapid7. "[It] causes organizations to miss real events because they’re trying to consume a firehose of alerts without proper tools, processes or staffing," he says.

Enterprises need to align their threat models and include known incident, event, and breach parameters when designing rules for alerts that are actionable, Rudis says.

Related stories:                               

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
A Lawyer's Guide to Cyber Insurance: 4 Basic Tips
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  7/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13951
PUBLISHED: 2019-07-18
The set_ipv4() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv4 address in zone data.
CVE-2019-13952
PUBLISHED: 2019-07-18
The set_ipv6() function in zscan_rfc1035.rl in gdnsd 3.2.0 has a stack-based buffer overflow via a long and malformed IPv6 address in zone data.
CVE-2019-10100
PUBLISHED: 2019-07-18
The Sleuth Kit 4.6.0 and earlier is affected by: Integer Overflow. The impact is: Opening crafted disk image triggers crash in tsk/fs/hfs_dent.c:237. The component is: Overflow in fls tool used on HFS image. Bug is in tsk/fs/hfs.c file in function hfs_cat_traverse() in lines: 952, 1062. The attack v...
CVE-2019-10102
PUBLISHED: 2019-07-18
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt (https://github.com/saltstack/salt/blob/devel...
CVE-2019-10102
PUBLISHED: 2019-07-18
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically ...