
SOLUTION GUIDE

Catching Modern
Threats: InsightIDR
Detection Methodologies
How a multi-layered approach enables teams to detect malicious
activity across the attack chain for known and unknown threats.
TABLE OF CONTENTS

Introduction: Threat Detection in Modern Security Programs 3
The Importance of Known and Unknown 3
Legacy SIEM ROI Is Lost in the Modern Threat Landscape 4
Modern Threat Detection Requires a Two-Pronged Approach 4
InsightIDR for Modern Threat Detection 5
Detecting Malicious Activity with the Insight Agent 6
Behavior-based Detections 7
Threat Intelligence-based Detections 9
About InsightIDR 11
About Rapid7 11

InsightIDR Detection Methodologies 2


Introduction: Threat Detection
in Modern Security Programs
The main goal of any security program is to prevent a breach from negatively impacting your business. In practical terms, this means:

• Preventing breaches using defensive measures to minimize the attack surface, and using technology to prevent threats that bypass these measures from causing damage. This could include technology, user education, physical measures, and administrative policies.
• Using technology and people to detect threats that bypass your defensive measures and are not stopped by preventative technology before they impact business.
• Using a combination of people and technology to respond to valid threats before they impact business.

In order to effectively protect an organization against loss, security analysts must be able to quickly detect threats. The impact of these threats can be measured in two ways:

• For common threats (which typically fall into the known threat category), impact could be measured in man hours to recover.
• For targeted threats (which typically fall into the unknown threat category), impact could be measured in reputation lost, financial loss, or cost of reparations.

The faster and earlier these threats can be detected in the attack chain, the less risk there is to the business. We’re now at a time where it’s imperative that modern security programs have a solution to detect both known and unknown threats in the environment. This whitepaper outlines how the detections in InsightIDR, Rapid7’s cloud SIEM, enable users to identify and respond to advanced threats.

The Importance of Known and Unknown
Most SIEM tools are able to detect static, known threats by using threat intelligence and threat rules that leverage data from previously seen attacks, and then comparing it against logs to identify when threat signatures are present. In order to be successful in implementing this methodology, these tools must have quality threat intelligence with identifiable signatures to build rules against.

However, as companies better secure their servers and critical infrastructure, attackers are turning to endpoints—and the people using them—as the top point of entry to a network. Nearly all data breaches involve a compromised endpoint as a stage in the attack. This type of compromise can’t be detected by using signature or rule-based detections alone.

Today’s malware allows attackers to gain persistent access to internal networks, take over computing resources to monetize them for cryptomining, or escalate their privileges to move laterally and reach more sensitive hosts and data.

A robust threat detection program should combine:

• Security event threat detection technology to aggregate data from events across the network;
• Endpoint threat detection technology to provide detailed information about possibly malicious activity; and
• Human readable alerts and contextual information to allow security professionals to quickly analyze alerts and take action.



Legacy SIEM ROI Is Lost in
the Modern Threat Landscape
Security is much more than compliance and log management. However, many teams still rely on legacy, log-heavy tools to
check the compliance box, missing potentially critical threats along the way.

These traditional SIEMs can consume a number of resources to tune and maintain deployment, configure data ingestion,
manage logs, create rules, run analytics against the data, and apply threat intelligence (not to mention managing and
maintaining on-premises hardware). More often than not, security teams are left chasing down alerts between different tools,
losing cycles while potential attackers are further penetrating their network. What’s worse is that, since legacy SIEMs are
often focused on perimeter traffic and miss important contextual information from modern network sources (e.g., endpoints
and users), alerts can often be false positives. Teams are left drowning in data and missing the real threats that are lurking
elsewhere in their network.

Modern Threat Detection Requires a Two-Pronged Approach
Rules-based detections targeting attacks that are well understood, that tend to follow a certain pattern, and that are more
predictable, are still an important component of a strong SOC program. Brute-force attacks and spear phishing for example,
are typically very recognizable and should be stopped early in the attack chain before things get critical.

However, as we discussed earlier, the modern network has evolved. And so, too, has the threat landscape. There are also less
predictable attacks, for which rule-based detections are not enough. Insider threats and custom malware, for
example, are more complex to detect and may evade traditional SIEMs. Recognizing these threats in the system requires
a mix of anomaly detection (behavioral analytics) and human analysis to evaluate them and take action.

There is not one single tactic alone that can protect against everything, and the best solution for comprehensive attack
coverage is a marriage of rule-based detections, anomalous detections with investigative support, and empowering people
and processes to act fast.



InsightIDR for Modern
Threat Detection
InsightIDR is the only cloud SIEM that comes with direct endpoint visibility, extensive threat rules, network traffic detections, and
behavioral analytics out of the box. Its cloud-based solution connects with your internal data sources, network activity, and data
directly from user endpoints, reducing the time and effort needed to set up and maintain collecting, updating, and managing
data sets (meaning your team will be able to detect attacks in days after purchase, not weeks or months).

Rapid7 InsightIDR is a modern cloud SIEM that leverages both User and Attacker Behavior Analytics to detect intruder activity,
cutting down on false-positives and days’ worth of work for your security professionals. InsightIDR goes beyond traditional
SIEM monitoring, uniting data from endpoints, network traffic, logs, and cloud services in a single tool to hunt all of the most
common attack vectors behind breaches.

This combination gives you real-time visibility and detection for malware, fileless attacks, and the use of stolen credentials.
In fact, over 90% of all InsightIDR detections occur at or before “Credential Access,” well before any significant attacker impact
(Figure 1).

Figure 1: InsightIDR detection percentage by attack-chain stage (Initial Access, Execution, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement, Effects, Collection, Command and Control, Impact). Source: Rapid7 Managed Detection and Response Q1 2019 InsightIDR Detections.

By alerting on stealthy intruder behavior as early as possible in the attack chain, InsightIDR provides the comprehensive
information and automation capabilities needed to take swift action on threats—before they get out of hand.



Detecting Malicious Activity with the Insight Agent
In order to have complete coverage and visibility into the endpoint, the InsightIDR technology integrates with your existing network and security stack to collect and query endpoints through the Insight Agent and endpoint scan. Without an agent to collect and analyze critical data on the endpoint, customers are unable to detect advanced threats and cannot query the asset, either for incident investigation or response.

The Rapid7 Insight Agent provides critical, real-time visibility across your Windows, Mac, and Linux assets—no matter where they are in the world. You can detect modern malware that evades today’s anti-virus tech, gain visibility into your assets, and even take action through the agent to contain a found threat.

The Insight Agent is able to provide context to anomalous behaviors by analyzing:

• Running processes
• Security events
• System event codes
• Registry data
• Intruder traps
• Asset and user data
• File audit logs
• File and package data



Detecting Malicious Activity with the Insight Sensor
While the Insight Agents are responsible for collecting data on your assets, they do not account for network traffic, which is the data moving between your assets. To provide the network traffic visibility that’s needed to detect attackers, Rapid7’s Insight Network Sensor allows you to monitor, capture, and assess the end-to-end network traffic moving throughout your physical and virtual environment.

Network traffic monitoring is an increasingly significant security gap for organizations today. As a security practitioner looking to minimize your attack surface, you need to know the types of network data traversing your network and how much of that data is moving: two critical areas that could indicate malicious activity in your environment.

InsightIDR can use network sensor data to generate investigations and alerts based on the network traffic traversing your environment, one of which is a new investigation data source based on IPv4 flow data. InsightIDR also leverages DNS and DHCP information that the network sensor extracts from network packets to produce other actionable alerts.

After the data becomes available in InsightIDR, the processed network traffic can be further leveraged as a foundation for log searching, data analysis, building custom reports and dashboards, top external clients making inbound connections, and other data points.

The Insight Sensor is able to provide visibility while adding several benefits beyond network traffic detection:

• Passive monitoring
• Works on any network
• Efficient data collection
• Sensitive environment coverage
• One data set for multiple use cases
• Rapid time to value



Behavior-based Detections
Detecting threats using behavioral-based analytics is a core differentiator for Rapid7’s InsightIDR technology. The detection
that InsightIDR provides across the attack chain stems from a combination of User and Attacker Behavior Analytics, endpoint
data, and deception technology. Effective implementation of user- and deviation-based detection methodologies requires deep
visibility into endpoints, network metadata, authentication/authorization events, and logs.

Figure 2: Rapid7 MDR Aligns to MITRE ATT&CK Framework (panels: User Behavior Analytics (UBA); Attacker Behavior Analytics (ABA))

“With InsightIDR ... we deployed agents on our servers and are forwarding syslogs from our network devices to the cloud collectors. It has given us visibility that we have never had before such as ingress and egress authentication attempts, Office 365 authentications, and even potentially compromised accounts...[such as] email addresses that may have been obtained and distributed for phishing.”
Gartner Peer Insights: Security Admin, Retail



User Behavior Analytics (UBA)

User Behavior Analytics (UBA) enables your team to more easily determine whether a potential threat is an outside attacker impersonating an employee, or an actual employee who presents some kind of risk, whether through negligence or malice.

UBA connects activity on the network to a specific user as opposed to an IP address or asset. That activity is then compared against a normal baseline of event activity for that user. Once collected and analyzed, it can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.

Your team is able to leverage these UBA indicators to dynamically prioritize and rank alert criticality based on the presence or absence of notable behaviors associated with the alert by:

• Detecting unknown threats based on single occurrences, or groups of notable events based on specific user behaviors or deviations from known-good baselines.
• Detecting insider threats based on groups of notable events describing the sequence of events typically associated with information theft by an authorized party.
• Associating user behaviors based on notable events with alerts and investigations to improve the validation and investigation analyst workflows.
• Providing the data needed to associate technical evidence with human understandable behavior for threat reporting.

InsightIDR provides your team with a technological advantage by utilizing our proprietary attribution engine with models that are purpose-built to detect behaviors indicative of true threats, while sorting out users who may be doing unusual tasks but are not actually compromised or performing malicious actions. Many traditional SIEM solutions claim to utilize UBA detections, but SIEM engines aren’t built for real-time attribution, unlike Rapid7’s InsightIDR technology. This matters because users and assets constantly move around in a modern network architecture, so an engine without real-time attribution cannot accurately map events to entities.

Attacker Behavior Analytics (ABA)

Attacker Behavior Analytics (ABA) applies Rapid7’s existing experience, research, and practical understanding of attacker behaviors to generate investigative leads based on known attacker tools, tactics, and procedures (TTP). These include:

• Malware, malware droppers, maldocs, and fileless malware (opportunistic and targeted)
• Cryptojacking (stealing CPU cycles to mine cryptocurrency)
• Pentesting and attack tools
• Suspicious persistence
• Anomalous data exfiltration
• New attacker behavior

ABA detection methods are constantly updated based on our team’s investigations, combined with Rapid7’s research and threat intelligence analysts, to extract key behaviors from threats identified in our customer environments. After performing research on related attacks and behaviors, we craft new ABA detections and implement them into the InsightIDR product to simplify and accelerate detection and reduce your time to remediation. These sources include:

• Rapid7 MDR customers
• The Metasploit Community
• Project Heisenberg (our honeypot network)
• Project Sonar (our internet-wide scanning project)
• Incident Response engagements
• InsightIDR customers sharing intel
• Rapid7’s Threat Intelligence team and community (e.g., Cyber Threat Alliance)
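The attribute-then-baseline idea described for UBA above, with IP-to-asset resolution from the kind of DHCP lease data the network sensor extracts, as an added illustration in Python. This is not Rapid7 code and does not reflect InsightIDR's attribution engine; the lease and authentication records are constructed, and the `new_asset` and `asset_of_other_user` labels are assumed names for the two deviations it flags.

```python
"""Illustration of UBA-style attribution and baseline deviation (not Rapid7 code)."""
from bisect import bisect_right
from collections import defaultdict

# Constructed DHCP lease records (timestamp, ip, hostname): which asset held an IP
# from a given time. The last lease reassigns 10.0.1.20 to a different laptop.
DHCP_LEASES = [
    ("2019-03-01T08:00:00", "10.0.1.20", "laptop-asmith"),
    ("2019-03-01T08:05:00", "10.0.1.21", "laptop-bjones"),
    ("2019-03-03T09:00:00", "10.0.1.20", "laptop-cwu"),
]

# Constructed authentication events (timestamp, source ip, user, result).
AUTH_EVENTS = [
    ("2019-03-01T08:10:00", "10.0.1.20", "asmith", "success"),
    ("2019-03-02T08:12:00", "10.0.1.20", "asmith", "success"),
    ("2019-03-01T08:15:00", "10.0.1.21", "bjones", "success"),
    ("2019-03-03T09:30:00", "10.0.1.20", "asmith", "success"),  # asmith from a new asset
    ("2019-03-03T09:31:00", "10.0.1.21", "asmith", "success"),  # asmith from bjones' laptop
    ("2019-03-03T09:32:00", "10.0.1.21", "bjones", "failure"),  # failures are never baselined
]


def asset_for(ip, ts, leases=DHCP_LEASES):
    """Resolve an IP to the asset holding its lease at time ts (ISO-8601 strings sort lexically)."""
    history = sorted((t, host) for t, lease_ip, host in leases if lease_ip == ip)
    i = bisect_right([t for t, _ in history], ts)
    return history[i - 1][1] if i else None


def attribute(events, leases=DHCP_LEASES):
    """Attach the asset to each auth event so activity is tied to user and asset, not a bare IP."""
    return [(ts, user, asset_for(ip, ts, leases), result) for ts, ip, user, result in events]


def build_baseline(attributed, before):
    """Per-user set of assets seen in successful logins before the cut-off: the known-good profile."""
    baseline = defaultdict(set)
    for ts, user, asset, result in attributed:
        if ts < before and result == "success" and asset:
            baseline[user].add(asset)
    return baseline


def notable_events(attributed, baseline, since):
    """Flag successful logins after `since` that fall outside the user's own baseline."""
    # Asset -> its baseline user (a shared asset keeps the last user seen; fine for illustration).
    owners = {a: u for u, assets in baseline.items() for a in assets}
    notables = []
    for ts, user, asset, result in attributed:
        if ts < since or result != "success" or asset is None:
            continue
        if asset in baseline.get(user, set()):
            continue
        kind = "new_asset"
        if owners.get(asset) not in (None, user):
            kind = "asset_of_other_user"  # credential use on another user's asset: lateral movement lead
        notables.append((ts, user, asset, kind))
    return notables


def rank_users(notables):
    """Rank users by how many notable behaviours they accumulated (most first, then by name)."""
    counts = defaultdict(int)
    for _, user, _, _ in notables:
        counts[user] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    attributed = attribute(AUTH_EVENTS)
    base = build_baseline(attributed, before="2019-03-03")
    flagged = notable_events(attributed, base, since="2019-03-03")
    for item in flagged:
        print(item)
    print(rank_users(flagged))
```

With the constructed data, the same user name produces two notables on 2019-03-03, and the second one, a login from an asset that only another user's baseline contains, is the kind of lead the text describes for compromised credentials and lateral movement.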



Other key advantages include:

• Found once, applied everywhere: Your security team gets the benefit of the learnings from Rapid7 customer detections. For example, when our SOC team finds new attack methodologies—either by way of our SOC, threat intelligence team, or Rapid7 research—those TTPs are updated in InsightIDR investigations.
• Detections based on behaviors, not signatures: Through InsightIDR, your team is armed with high-fidelity endpoint data to identify novel variations of new attacker techniques.
• High-fidelity alerts grant context to take action: Alerts include context from our analysts and threat intel teams, so you can make better decisions, remediate the problem, mitigate risk, and contain the alert from directly inside your Findings Report.
• Constantly evolving ABA detections: Whenever possible, the alert will detail known, recent adversary groups using a similar technique in a confirmed attack.

As a key advantage of our cloud deployment model, our detections are updated automatically to our entire user population of
customers after a thorough prototyping, testing, and validation process. All new indicators are applied to one month’s historic
data so your environment is instantly protected.

Network Traffic Analysis (NTA)


With the lightweight Insight Network Sensor, customers can continuously monitor network traffic at any location or site across
their network. This data helps minimize the attack surface and detect intrusions (or other potential security events) on the
network. Network traffic detections are generated by two data sets. Together, these network analytics help analysts ensure
continuous visibility everywhere, recognize compromise quickly, and trace the attackers across systems and applications.

• IDS, DNS, & DHCP Network Traffic: The Rapid7 MDR team has carefully filtered IDS events to capture only the most critical and actionable detections for teams to focus on, helping cut down on noise and increase analysts’ confidence in taking action. This means when malware, botnets, or other compromises are detected, teams won’t have to go through tedious cycles to determine their validity.
• Network Flow data: Rapid7 also leverages a proprietary Deep Packet Inspection (DPI) engine to capture all raw network traffic flows, extracting rich metadata. Rapid7’s proprietary DPI engine captures and analyzes traffic in readable, interpretable details, without the complexity and overhead of full packet capture. This passive analysis approach drastically reduces data volume and does not impact performance, while retaining the critical data ideal for investigations, deeper forensic activities, and custom rule creation. With this rich flow data, teams have deep detail with which to track attacker entry and movement across the network so they can accelerate investigations and better inform response action.

Threat Intelligence-based Detections


Rapid7 leverages proprietary threat intelligence derived from research, previous investigations and monitoring findings, as well
as third-party sources. Rapid7’s Threat Intelligence team is responsible for maintaining this intelligence and working alongside
our SOC analysts to constantly apply threat detection and incident response learnings across all MDR customer environments.
Rapid7’s Threat Intelligence team brings expertise and data sources from the public sector, private sector, and open sources to
fuel threat detection and incident response.

• Strategic threat intelligence is provided per industry sector and is aimed at decision-makers to help shape strategies to prevent threats from materializing.
• Tactical threat intelligence is applied in our attacker behavior analysis methodologies and leverages complex rules to generate investigative leads across multiple event sources and over time.
• Operational threat intelligence is provided by way of proactive threat reports and indicates the likelihood of an impending attack. Our reports include mitigation recommendations to increase resilience against specific threats to your organization.
• Technical threat intelligence, in the form of indicators of compromise, is applied across our customer base. The Rapid7 Threat Intelligence team actively maintains the quality of the technical threat intelligence to ensure fidelity, context, and timeliness for our MDR threat analysts.



Rapid7 Research and Threat Intelligence Sources

We’re committed to openly sharing security information that not only helps the entire cybersecurity community to learn, grow,
and address issues in the security world, but also to improve our products and detections. Figure 3 shows the common sources
that lead to Rapid7’s security expertise and intelligence advantage:

Figure 3: Rapid7 research and threat intelligence sources. Panels: Rapid7 Customers (Incident Response Engagements, Managed Services SOC); Vulnerability Disclosure (+700k Vulnerabilities); Intelligence Sharing (Affiliate Member, Board & Committee Seats); Threat Hunters (Scheduled & Ad Hoc Hunts In Your Environment); Metasploit Community (+200k Contributors, +3k Exploits); Project Heisenberg (300+ Global Honeypots); Project Sonar (Global Internet Scanning).

Rapid7 Customers
Our detections are enhanced from learnings across our millions of Insight Agents deployed on customer endpoints, MDR customers, and Incident Response engagements.

Intelligence Sharing
Rapid7 is part of the Cyber Threat Alliance (CTA), a community of security research organizations with a mission to improve cybersecurity cooperation to improve defenses against cyber adversaries. Rapid7 is an Affiliate member of the CTA with Board and Committee seats.

Metasploit Community
Metasploit is the world’s most-used penetration testing software used to uncover weaknesses in defenses with over 3,000 exploits and over 200,000 active contributors.

Project Heisenberg Cloud
A collection of over 200 low-interaction, global honeypots distributed both geographically and across IP space. The honeypots offer the front end of various services to learn what other scanners are up to (usually no good), and to conduct “passive scanning” to help enhance our understanding of attacker methods.

Project Sonar
A security research project by Rapid7 that conducts internet-wide scans across different services and protocols to gain insight into global exposure to common vulnerabilities.

Pen Test Engagements
Rapid7 service engagements allow us to leverage real-world experiences of our engineers and investigators gathered over thousands of pen tests.

Vulnerability Disclosure
Rapid7 publishes our data for free to encourage scientists, engineers, and anyone else interested in the nature and form of the internet to make their own discoveries.



About InsightIDR
Rapid7 InsightIDR leverages attacker analytics to detect intruder activity earlier in the attack chain, cutting down
false positives and days’ worth of work for security professionals. It hunts for actions indicative of compromised
credentials, spots lateral movement across assets, detects malware, and sets traps for intruders.

About Rapid7
Organizations around the globe trust Rapid7 technology, services, and research to help them securely advance.
The visibility, analytics, and automation delivered through our Insight cloud simplifies the complex and helps
security teams reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and
automate routine tasks. Learn more at www.rapid7.com.
