Catching Modern Threats: InsightIDR Detection Methodologies
How a multi-layered approach enables teams to detect malicious activity across the attack chain for known and unknown threats.
• Preventing breaches by using defensive measures to minimize the attack surface, and using technology to prevent threats that bypass these measures from causing damage. This could include technology, user education, physical measures, and administrative policies.
• Using technology and people to detect threats that bypass your defensive measures and are not stopped by preventative technology, before they impact the business.
• Using a combination of people and technology to respond to valid threats before they impact the business.
• For common threats (which typically fall into the known-threat category), impact could be measured in the man-hours needed to recover.
• For targeted threats (which typically fall into the unknown-threat category), impact could be measured in lost reputation, financial loss, or the cost of reparations.
The faster and earlier these threats can be detected in the attack chain, the less risk there is to the business. It is now imperative that modern security programs have a solution to detect both known and unknown threats in the environment. This whitepaper outlines how the detections in InsightIDR, Rapid7’s cloud SIEM, enable users to identify and respond to advanced threats.
These traditional SIEMs can consume considerable resources to tune and maintain the deployment, configure data ingestion, manage logs, create rules, run analytics against the data, and apply threat intelligence (not to mention managing and maintaining on-premises hardware). More often than not, security teams are left chasing down alerts across different tools, losing cycles while attackers penetrate further into their network. What’s worse, since legacy SIEMs are often focused on perimeter traffic and miss important contextual information from modern network sources (e.g. endpoints and users), their alerts are frequently false positives. Teams are left drowning in data and missing the real threats lurking elsewhere in their network.
However, as we discussed earlier, the modern network has evolved, and so has the threat landscape. There are less predictable attacks for which rule-based detections alone are not enough: insider threats and custom malware, for example, are more complex to detect and may evade traditional SIEMs. Recognizing these threats requires a mix of anomaly detection (behavioral analytics) and human analysis to evaluate the findings and take action on them.
There is not one single tactic alone that can protect against everything, and the best solution for comprehensive attack
coverage is a marriage of rule-based detections, anomalous detections with investigative support, and empowering people
and processes to act fast.
Rapid7 InsightIDR is a modern cloud SIEM that leverages both User and Attacker Behavior Analytics to detect intruder activity, cutting down on false positives and on days’ worth of work for your security professionals. InsightIDR goes beyond traditional SIEM monitoring, uniting data from endpoints, network traffic, logs, and cloud services in a single tool to hunt the most common attack vectors behind breaches.
This combination gives you real-time visibility and detection for malware, fileless attacks, and the use of stolen credentials.
In fact, over 90% of all InsightIDR detections occur at or before “Credential Access,” well before any significant attacker impact
(Figure 1).
Figure 1: InsightIDR detections by attack-chain stage (y-axis: Detection %, 0–100%; bar values 100.0%, 64.7%, 66.5%, 64.2%, 36.8%; stage labels not recovered from the page). Source: Rapid7 Managed Detection and Response Q1 2019 InsightIDR Detections.
By alerting on stealthy intruder behavior as early as possible in the attack chain, InsightIDR provides the comprehensive
information and automation capabilities needed to take swift action on threats—before they get out of hand.
Intruder traps
“With InsightIDR ... we deployed agents on our servers and are forwarding syslogs from our network devices to the cloud collectors. It has given us visibility that we have never had before such as ingress and egress authentication attempts, Office 365 authentications, and even potentially compromised accounts...[such as] email addresses that may have been obtained and distributed for phishing.”
Gartner Peer Insights: Security Admin, Retail
User Behavior Analytics (UBA) enables your team to more easily determine whether a potential threat is an outside attacker impersonating an employee, or an actual employee who presents some kind of risk, whether through negligence or malice.
UBA connects activity on the network to a specific user, as opposed to an IP address or asset. That activity is then compared against a normal baseline of event activity for that user. Once collected and analyzed, it can be used to detect the use of compromised credentials, lateral movement, and other malicious behavior.
Your team is able to leverage these UBA indicators to dynamically prioritize and rank alert criticality based on the presence or absence of notable behaviors associated with the alert, by:
• Detecting unknown threats based on single occurrences, or groups of notable events, based on specific user behaviors or deviations from known-good baselines.
• Detecting insider threats based on groups of notable events describing the sequence of events typically associated with information theft by an authorized party.
Attacker Behavior Analytics (ABA) applies Rapid7’s existing experience, research, and practical understanding of attacker behaviors to generate investigative leads based on known attacker tools, tactics, and procedures (TTPs). These include:
• Malware, malware droppers, maldocs, and fileless malware (opportunistic and targeted)
• Cryptojacking (stealing CPU cycles to mine cryptocurrency)
• Pentesting and attack tools
• Suspicious persistence
• Anomalous data exfiltration
• New attacker behavior
ABA detection methods are constantly updated based on our team’s investigations, combined with the work of Rapid7’s research and threat intelligence analysts, to extract key behaviors from threats identified in our customer environments. After performing research on related attacks and behaviors, we craft new ABA detections and implement them in the InsightIDR product to simplify and accelerate detection and reduce your time to remediation. Key characteristics of these detections include:
• Found once, applied everywhere: Your security team gets the benefit of the learnings from Rapid7 customer detections. For example, when our SOC team finds new attack methodologies (either by way of our SOC, threat intelligence team, or Rapid7 research), those TTPs are updated in InsightIDR investigations.
• Detections based on behaviors, not signatures: Through InsightIDR, your team is armed with high-fidelity endpoint data to identify novel variations of new attacker techniques.
• High-fidelity alerts grant context to take action: Alerts include context from our analysts and threat intel teams, so you can make better decisions, remediate the problem, mitigate risk, and contain the alert directly from inside your Findings Report.
• Constantly evolving ABA detections: Whenever possible, the alert will detail known, recent adversary groups using a similar technique in a confirmed attack.
As a key advantage of our cloud deployment model, detections are pushed automatically to our entire customer base after a thorough prototyping, testing, and validation process. All new indicators are also applied to one month of historic data, so your environment is instantly protected.
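To make the UBA baseline, the ABA TTP matching, and the one-month historic replay described above concrete, here is an added Python example written for this edit; it is not code from the original whitepaper and not InsightIDR’s implementation. It learns a per-user baseline (assets and active hour range) from constructed sample events, flags deviations from that baseline (new asset, off-hours logon, a hop to a second asset within 15 minutes) as UBA notable behaviors, applies two illustrative ABA-style TTP rules (a known credential-theft tool on the command line and a write to a Run key), combines the notables into a ranked per-user criticality score, and finally replays a “new” detection over a 30-day window of stored events. The sample events, the attacker-tool list, the weights, the 15-minute and 30-day windows are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real InsightIDR data).
# Each event: (ISO-8601 timestamp, user, asset, event type, detail string).
EVENTS = [
    # Baseline period: jsmith normally logs on 08:00-18:00 from WS-101.
    ("2019-03-04T08:12:00", "jsmith", "WS-101", "logon", ""),
    ("2019-03-05T08:03:00", "jsmith", "WS-101", "logon", ""),
    ("2019-03-05T10:00:00", "jsmith", "WS-101", "process", "outlook.exe"),
    ("2019-03-06T09:30:00", "jsmith", "WS-101", "logon", ""),
    ("2019-03-08T17:50:00", "jsmith", "WS-101", "logon", ""),
    # Baseline period: svc-backup logs on to the file server nightly at 02:00.
    ("2019-03-04T02:00:00", "svc-backup", "FS-01", "logon", ""),
    ("2019-03-05T02:00:00", "svc-backup", "FS-01", "logon", ""),
    # Detection period: svc-backup behaves as usual; jsmith's credentials show
    # up at 03:00 on a new asset, a credential-theft tool runs, a Run key is
    # written, and the account then hops to the file server.
    ("2019-03-20T02:00:00", "svc-backup", "FS-01", "logon", ""),
    ("2019-03-20T03:02:00", "jsmith", "WS-244", "logon", ""),
    ("2019-03-20T03:05:00", "jsmith", "WS-244", "process",
     "mimikatz.exe sekurlsa::logonpasswords"),
    ("2019-03-20T03:07:00", "jsmith", "WS-244", "registry",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("2019-03-20T03:09:00", "jsmith", "FS-01", "logon", ""),
]
BASELINE_END = datetime(2019, 3, 15)  # events before this train the baseline

# Assumed TTP patterns standing in for ABA detections (not Rapid7's detection
# library) and assumed weights for turning notable behaviors into criticality.
ATTACKER_TOOLS = {"mimikatz.exe", "psexec.exe", "procdump.exe"}
WEIGHTS = {"new_asset": 2, "off_hours": 1, "lateral_movement": 3,
           "attacker_tool": 5, "suspicious_persistence": 3}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def build_baseline(events, cutoff=BASELINE_END):
    """UBA: key activity by user (not IP or asset) and learn, per user, the
    assets they log on from and the hour range in which they are active."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, asset, kind, _ in events:
        when = parse_ts(ts)
        if kind == "logon" and when < cutoff:
            hosts[user].add(asset)
            hours[user].add(when.hour)
    return {u: {"hosts": hosts[u], "hours": (min(hours[u]), max(hours[u]))}
            for u in hosts}

def aba_notables(event):
    """ABA: notable behaviors matched against known attacker TTPs, regardless
    of which user performed them."""
    _, _, _, kind, detail = event
    found, low = [], detail.lower()
    if kind == "process":
        image = low.split()[0] if low else ""
        if image in ATTACKER_TOOLS or "sekurlsa::" in low:
            found.append("attacker_tool")
    if kind == "registry" and "\\currentversion\\run" in low:
        found.append("suspicious_persistence")
    return found

def uba_notables(event, baseline, last_logon):
    """UBA: deviations from the user's own baseline. last_logon holds each
    user's previous (time, asset); a different asset within 15 minutes of the
    previous logon is flagged as lateral movement."""
    ts, user, asset, kind, _ = event
    if kind != "logon":
        return []
    when, base, found = parse_ts(ts), baseline.get(user), []
    if base is None or asset not in base["hosts"]:
        found.append("new_asset")
    if base is None or not base["hours"][0] <= when.hour <= base["hours"][1]:
        found.append("off_hours")
    prev = last_logon.get(user)
    if prev and prev[1] != asset and when - prev[0] <= timedelta(minutes=15):
        found.append("lateral_movement")
    last_logon[user] = (when, asset)
    return found

def rank_alerts(events, baseline, start=BASELINE_END):
    """Combine UBA and ABA notables per user and rank by criticality; an
    account with no notable behavior produces no alert at all."""
    score, seen, last_logon = defaultdict(int), defaultdict(set), {}
    for event in sorted(events, key=lambda e: e[0]):
        if parse_ts(event[0]) < start:
            continue
        for name in uba_notables(event, baseline, last_logon) + aba_notables(event):
            score[event[1]] += WEIGHTS[name]
            seen[event[1]].add(name)
    return sorted(((u, score[u], sorted(seen[u])) for u in score),
                  key=lambda r: -r[1])

def retro_hunt(events, rule, now_ts, lookback_days=30):
    """Replay a newly added detection over stored history, the way the text
    says new indicators are applied to one month of historic data."""
    now = parse_ts(now_ts)
    start = now - timedelta(days=lookback_days)
    return [e for e in events if start <= parse_ts(e[0]) <= now and rule(e)]

if __name__ == "__main__":
    base = build_baseline(EVENTS)
    for user, crit, notables in rank_alerts(EVENTS, base):
        print(f"{user}: criticality {crit}, notables {notables}")
    new_rule = lambda e: "attacker_tool" in aba_notables(e)
    print("retro-hunt hits:", len(retro_hunt(EVENTS, new_rule, "2019-03-25T00:00:00")))
```

Run as a script, only jsmith surfaces (criticality 17, with all five notable behaviors), while svc-backup’s 02:00 logon to FS-01 matches its own baseline and produces nothing; this is the point of keying on the user rather than the asset, since the same FS-01 logon is normal for one account and a lateral-movement indicator for the other. The retro hunt shows the window semantics: a rule added on 2019-03-25 still catches the 2019-03-20 tool execution, whereas the same rule evaluated on 2019-05-01 with a 30-day lookback finds nothing. A production UBA would use far richer features (source geography, peer groups, data volumes) and a statistical rather than min/max notion of “normal”.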
• IDS, DNS, & DHCP network traffic: The Rapid7 MDR team has carefully filtered IDS events to capture only the most critical and actionable detections for teams to focus on, helping cut down on noise and increase analysts’ confidence in taking action. This means that when malware, botnets, or other compromises are detected, teams won’t have to go through tedious cycles to determine their validity.
• Network flow data: A proprietary DPI engine captures and analyzes traffic into readable, interpretable details, without the complexity and overhead of full packet capture. This passive analysis approach drastically reduces data volume and does not impact performance, while retaining the critical data ideal for investigations, deeper forensic activities, and custom rule creation. With this rich flow data, teams have deep detail with which to track attacker entry and movement across the
• Strategic threat intelligence is provided per industry sector and is aimed at decision-makers, to help shape strategies that prevent threats from materializing.
• Tactical threat intelligence is applied in our attacker behavior analysis methodologies and leverages complex rules to generate investigative leads across multiple event sources and over time.
• Operational threat intelligence is provided by way of proactive threat reports and indicates the likelihood of an impending attack. Our reports include mitigation recommendations to increase resilience against specific threats to your organization.
• Technical threat intelligence, in the form of indicators of compromise, is applied across our customer base. The Rapid7 Threat Intelligence team actively maintains the quality of this technical threat intelligence to ensure fidelity, context, and timeliness for our MDR threat analysts.
We’re committed to openly sharing security information, which not only helps the entire cybersecurity community learn, grow, and address issues in the security world, but also improves our products and detections. Figure 3 shows the common sources that lead to Rapid7’s security expertise and intelligence advantage:
Figure 3
About Rapid7
Organizations around the globe trust Rapid7 technology, services, and research to help them securely advance. The visibility, analytics, and automation delivered through our Insight cloud simplify the complex and help security teams reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks. Learn more at www.rapid7.com.