Rapid7 Threat Report Q3 2017
After a springtime of ransomworms and destructive malware, the summer of 2017 saw a continued spread of ransomware (including server ransomware), new aws in major protocols like SMB were found, and many large/global organizations su ered through signi cant data loss events. It’s de nitely been an eventful quarter, which brings us back to our original goal with these quarterly reports: to paint a less chaotic picture of the threat landscape that defenders and organizations experienced during the previous quarter. We
do this by presenting both broad and more targeted industry-level views of threat events across multiple markets and providing insights into important events and patterns identi ed by our threat analysts and researchers.
You’ll also nd key takeaways that are applicable across organizations of every size, shape, locale, and industry, as well as a full description of what went into making this report. Our mission is for this report to serve as an informative and useful guidebook as you continue to develop your own detection and response programs.
We also love feedback! If you found a particular section useful, have questions about any of the data or visualizations, or desperately wish we’d included something we didn’t, reach out to us at firstname.lastname@example.org.
WHAT ISA THREAT?
We throw the term “threat” around a lot, and so it’s important to define exactly what it is we mean. When there is an adversary with the intent, capability, and opportunity, a threat exists.
When two or more of these elements are present (e.g. intent and capability, but no opportunity), we call it an impending threat, because there is just one missing piece before it becomes a true threat.
When there is just one element present (e.g. an opportunity in the form of a software vulnerability), we call it a potential threat. There is the potential
for it to turn into a true threat, although there are additional components that need to come to fruition before it has a real impact to most organizations.
2017Q3 BIRD’S EYE VIEW
This quarter, the adage “the more things change, the more they stay the same” was tting, as demonstrated in the two core charts we used to track events and attacker behavior. The weekly Monday through Friday workday pattern of incident distribution continued to be prevalent (as seen in Figure 1), with no signi cant events impacting the core cross-organization, cross-industry patterns, even though there were many notable, or well-publicized, events over the quarter.
Similarly, the industry “heavy hitters” ( nancial, professional, and retail) were still batting at professional levels across a wide spectrum of threat events (Figure 2 on the following page).
Keen observers will notice, however, that the diversity of threat events has grown across many industries. Real estate, transportation and warehousing, and wholesale trade in particular experienced increases in the variety of attacker methodology observed. A major reason we provide both of these views is to enable defenders to compare what they’ve experienced in their organizations against those in similar industries. Did you have to respond to the same threat event volumes or variety as your peers in Q3? If not, it’s important to take time to consider what made your experiences di erent and how that may impact your overall threat pro le.
We’d also be remiss if we didn’t revisit the view from Heisenberg Cloud (Rapid7’s internet-scale network of honeypot agents). In our 2017 Q2 Threat Report, we posited that there was a “new normal” developing for SMB (Server Message Block, TCP port 445) and also identi ed a spike in RDP (Remote Desktop Protocol, TCP port 3389) tra c. What do they look like this quarter?
Figure 3 (on the following page) shows that opportunistic SMB probes (“background radiation”) from unique sources are steadily increasing while RDP has moved back to previous levels. We cannot stress enough the need to remove services like SMB from direct internet connections. You can always check your ranges against Rapid7’s free, published scan data over at scans.io.
Keen observers will notice, however, that the diversity of threat events has grown across many industries.
LESSONS LEARNED: PSEXEC, MALWARE DETECTION RATIOS, AND THE TOP THREATS PER INDUSTRY
One thing has become clear over the past few quarters (and years): Attackers don’t always need to create their own specialized tools to compromise or move around in the networks they target. Sometimes they do (*cough* Shadow Brokers leaks), but more often than not attackers are using tools that are already in the environments that they target. The third quarter of 2017 was no exception.
PsExec is a Microsoft SysInternals Tool used to help administrators manage their networks. It executes commands on remote systems, and can be used interactively to help administrators troubleshoot or update those remote systems. PsExec solved the problem of remote administration for legitimate system admins, but if you look at any threat report that has come out recently or any list of IOCs (Indicators of Compromise) related to these attacks, you would probably think that PsExec is a tool used exclusively by adversaries (or pen testers). Often, the only way to tell the di erence between legitimate use of a tool and malicious use is to know your environment. Unfortunately, with PsExec, this is not as easy as it sounds.
Figure 4 shows weekly distributions of the number of PsExec events by type (Interactive or via Service Account) from July 24–September 25. Each day is represented by a violin plot with a superimposed box plot which, when combined, show the shape of the events that day.
Figure 4: PsExec Service vs Interactive Use
Weekly distribution of interactive & service account-originated PsExec calls across monitored organizations.
One thing has become clear over the past few quarters (and years): attackers don’t always need to create their own specialized tools to compromise or move around in the networks they target.
In an ideal world, this chart would be blank. Since PsExec’s rst release in the mid-1990s, there have been many other tools provided by Microsoft and third parties to help system administrators manage their networks without introducing all of the vectors for attackers that PsExec does.
In an optimal but achievable world, the shapes would look almost exactly the same every day, meaning each type of PsExec event happens with the same frequency in each organization every day. That realistically optimal scenario would mean each organization is running PsExec in a controlled, measured, de ned way. Still not truly ideal, but not terrible. It would mean that when there is adversarial use of this tool it would stand out. It would operate in a di erent way (interactive rather than from a service account, for example), or would occur outside of the normal days that the sysadmin is using PsExec for patching.
What you see in these views are signi cantly di erent shapes every single day. That means the organizations represented here had vastly di erent PsExec execution pro les. This is seen more clearly in Weeks 36–39 on the Service Account panel. Each week a few organizations (highlighted in orange) had substantially more PsExec events than they did in previous weeks. This could mean attackers ran rampant across workstations and servers, but it could also mean that new administrative processes were put in place that substantially increased the number of PsExec calls.
In information security, we talk about how important it is to know what normal looks like, so that we can detect adversary behavior, even when it attempts to mimic what is normal. What we see with PsExec is that normal looks like ¿x_x ڑ. This could explain why attackers are able to use this tool so often, in so many di erent attacks, and are successful in many of them.
What Should You Do?
The best option would be to use a more secure, more controlled tool for system administration. If that isn’t an option for you, then the best bet would be to try to make your processes more “normal” so that adversary activity stands out more.
Other things to look for to help determine whether or not PsExec usage is legitimate or not include:
• Where is PsExec being run from? If a system administrator is using it then it may be okay. If a user in HR is using it to execute commands on a research and engineering system then something strange is probably going on.
• What is being done? If you only use PsExec to update systems and you are seeing it in interactive mode then it may be malicious.
• Is something amiss? Renamed or relocated versions of PsExec are not typical behavior in most organizations and usually mean someone is trying to evade detection (whether it’s a malicious actor or a curmudgeonly sysadmin who doesn’t want to give up PsExec even when policy says they must).
PsExec as an IOC
When it comes to information sharing and operationalization of threat intelligence, it is very important to understand the information that you are acting on. If PsExec was included in a list of IOCs (which it often is), then it may generate a lot of false positives if you have determined that it is normal activity for your network. Always validate and understand the information before you start to alert on it. We are expecting the trend of adversaries using this (and other) legitimate and semi-legitimate tools to continue, and that means any indicators related to these tools will continue to show up in threat reporting.
Total Recall: Malware Detection
Despite the attack vectors used in recent headline-grabbing breaches, adversaries continue to rely on a familiar pattern of compromising humans to eventually be in a position to install malware that gains them a foothold in an organization’s network (as seen in Figure 2). This foothold spawns internal network reconnaissance and lateral movement activities that all too frequently end in access and ex ltration of data. Malicious Microsoft O ce documents, pernicious PDFs, fouled fonts, and deleterious doppleganger downloads are just some of the vehicles that deliver their payloads. It’s up to the combined malware defenses of an organization to detect, quarantine, and alert upon nding evidence of these programs.
Detection capabilities vary due to the di erent ways these anti-malware systems are updated, con gured, and perform analysis. Because suspicious events happen all the time, defenders often nd themselves in possession of something that seems sketchy and requires further analysis. Many responders turn to VirusTotal (VT) as a way to check a potential malware sample against a wide array of anti-malware scanning engines to see how many currently detect them, and many organizations have automation in place to perform this task at-scale and without the need to consume the most valuable security resource they have: an incident responder’s time.
The results of these submissions are a list of which engines classi ed a sample as malicious (or not). The ratio of malicious ags to total engines online is what’s known as the “detection ratio.” Higher ratio could indicate that a malware found has been around long; or, it could just mean that it is easier to detect. Conversely, lower ratios may mean that a sample is fairly new or that a sample is more di cult for some scanners to identify as malicious.
Figure 5 shows the distribution of detection ratio scores for all the malware samples across all Rapid7 Managed Detection & Response (MDR) customers in the third quarter of 2017. Larger bumps—like many on the left-hand side of the chart—indicate more malware samples detected with that ratio. Again, we’ve broken the information down by industry so defenders can compare their data to what
is seen here. It’s not too di cult to discern that not all industries are alike (we seem to keep saying that quite a bit!). There are many possible reasons for this, ranging from some organizations (and, hence, industries) facing more sophisticated/targeted/customized attacks to some anti-malware systems not being con gured or used as e ectively as possible.
What Should You Do?
There are other services like VT and most have similar detections metrics you can use to compare. So what does your detection ratio look like? Are you tracking similar distributions internally (i.e. comparing various user group or business unit distributions)? Where do your distributions tend to cluster? Does that pro le change from day to day, week to week, and month to month? What do those changes mean in terms of your threat pro le and, if you’ve caught more false positives in the mix, does that trigger a review of anti-malware defense choices and con gurations? If you don’t have such a process in place, you’re now armed with what the landscape looks like in your industry to begin performing these comparisons.
Threats per Industry: Are You Being Served?
As noted in the previous report, we took our discrete threat events from InsightIDR (Rapid7’s incident detection and response solution) and collapsed them into smaller threat categories (see Appendix A for more information on the methodology we used to compile the report, including a breakdown of these categories). These categories give us new ways to look at the threat events, and we were fairly surprised when we took a look at this quarter’s top 5 threat events per month (across all organizations/ industries). If you recall—or quickly ip to page
Figure 5: VirusTotal Detection Ratio Distribution
VirusTotal detection ratios capture how many discrete malware-analysis tools identify a submitted sample as malicious or not. Higher ratio could indicate malware that has been around for a while or that is just easy to detect. Lower ratios may mean that a sample is fairly new or also more difficult for some scanners to identify as malicious.
8 of the 2017 Q2 report—each column was signi cantly di erent, indicating a fairly diverse set of threat actions across organizations. That was de nitely not the case this quarter, as can be seen in Figure 6.
The exact same items in the “remote entry” group claimed the #1 and #5 spots each month. We will need to complete a few more future reports before we can say that this is unusual, but at the very least it is an incredible curiosity, especially if we look at this with the lter from our previous discussion on PsExec.
What Should You Do?
Service accounts need to be protected as well as—if not better than—standard user or administrative accounts. Weak controls around service accounts can eventually place attackers in a powerful position to further compromise network resources. The PsExec section demonstrated that it’s critical to restrict what these accounts can do, and to pro le what are benign/allowed actions in
order to establish a “normal” baseline for detecting anomalies or malicious use. The vast majority of the events and incidents came from Microsoft Windows environments, and Microsoft has a helpful resource that shows how to secure critical and service accounts in your organization.
PREDICTIONS AND EVOLVING DEFENSES
Prediction #1: Increased Use of Built-In Tools
Given the trends established in Q2 and Q3 of this year, we expect attackers to continue to leverage built-in Windows management tools to achieve lateral movement within networks once a foothold is gained. One-o incursions on isolated systems will become increasingly rare, and responders will nd themselves hunting down infected neighbors with greater frequency.
What to Do
IT departments should make an e ort to gain more control over the use of powerful admin-level tools like PsExec and begin to pro le and establish baselines for legitimate use to make it easier to identify potentially malicious behavior. Oh, and remember there’s an impending change to another powerful tool: PowerShell. Microsoft is in the process of renaming the binary for PSCore to “pwsh.” This could generate some false positives until all tools recognize the change.
Prediction #2: Targeting Service Accounts
Attackers will tend to compromise service accounts—those accounts used by business processes with unusually high access privileges and weak credential management—when given half a chance. Those features make these accounts treasured prizes, but there are a few, basic steps you can follow to ensure they remain out of reach.
What to Do
Take time over the next few months to create a project plan to review service account provisioning, credential handling, permissions, and monitoring. Start identifying groups of users and business processes to track in general, but develop these pro les and compare malware detection ratios on user, group, and business processes bases. This will provide a better understanding of the ebb and ow of activity in your organization and make it easier to tailor defenses more appropriately.
Here’s hoping for a quiet fourth quarter. It’s been quite a year for incident responders, and we look forward to delivering our Q4 threat landscape breakdown in the early weeks of 2018 to give you something to curl up with in front of a warm re.
APPENDIX A: METHODOLOGY
We gathered up closed and con rmed incidents from across a representative sample of our Managed Detection and Response (MDR) customers using our InsightIDR platform for the second quarter of 2017. Where possible, we’ve provided full incident counts or percentages; when more discrete information needed to be provided by industry we normalized the values by number of customers per industry. While we wanted to share as much information as possible, the precise number of organizations, industries, and organizations-per-industry is information no reputable vendor would publicly disclose.
As noted in situ, for this report we also incorporated data from both Project Sonar and Heisenberg Cloud. Raw Sonar scan data is available at https://scans.io, and you can contact email@example.com for questions regarding Heisenberg Cloud honeypot data or any other ndings or data used in this report.
The following table provides a full breakdown of the InsightIDR threat events and the threat event groups they belong in (as seen in Figure 6). Appendix B has the full, expanded listing of InsightIDR threat events.
IDR Threat Categories:
Dangerous User Behavior
Account Visits Suspicious Link Password Set To Never Expire Network Access For Threat
Asset Connects To Network Honeypot Watched Impersonation
Account Authenticated To Critical Asset Lateral Movement Domain Credentials Lateral Movement Local Credentials Suspicious Authentication
Wireless Multiple Country Authentications Multiple Country Authentications Ingress From Non Expiring Account Ingress From ServiceAccount
Service Account Authenticated From New Source
Account Authenticated To Critical Asset From New Source
New Local User Primary Asset Ingress From Disabled Account
Failed Access Attempt
Authentication Attempt From Disabled Account Brute Force Against Domain Account Brute Force Against Local Account Brute Force From Unknown Source
Malicious Behavior On Asset Level
Remote File Execution VirusAlert Log Deletion Local Account Harvested Credentials Log Deletion Virus Alert Network Access For Threat
Suspicious Behavior On Asset Level Malicious Hash On Asset
Malicious Behavior Network Level
Advanced Malware Alert Protocol Poison Administrator Impersonation
Account Privilege Escalated Account Enabled Account Password Reset Account Locked DomainAdmin Added
APPENDIX B: INSIGHTIDR THREAT EVENTS
Account Authenticated To Critical Asset
A new user authenticates to a restricted asset.
Account Authenticated To Critical Asset From New Source
A permitted user authenticates to a restricted asset from a new source asset.
Account Authenticates With New Asset
A permitted user is authenticating to an application from a new source asset.
An account was created on a agged asset.
A previously disabled user account is re-enabled by an administrator.
A user's credentials may have been leaked to the public domain.
Account Password Reset
A user resets the password for an account.
Account Privilege Escalated
An administrator assigns higher level of privileges to the account.
Account Received Suspicious Link
A user receives an email containing a link agged by the community or threat feeds.
Account Visits Suspicious Link
A user accesses a link URL identi ed as a threat from the Threats section or from other intel sources.
Advanced Malware Alert
An advanced malware system generates an alert.
Asset Connects To Network Honeypot
There was an attempt to connect to a network honeypot.
Authentication Attempt From Disabled Account
A disabled user attempts to access an asset.
Brute Force Against Domain Account
A domain account has failed to authenticate to the same asset excessively.
Brute Force Against Local Account
A local account has failed to authenticate to the same asset excessively.
Brute Force From Unknown Source
An unknown source has failed to authenticate to the same asset excessively.
Domain Admin Added
A user has been added to a privileged LDAP group.
First Ingress Authentication From Country
A user logs onto the network for the rst time from a di erent country.
First Time Admin Action
An administrator action was used for the rst time in this domain.
Multiple accounts are attempting to authenticate to a single, unusual location.
Ingress From Disabled Account
A disabled user logs onto the network or a monitored cloud service.
Ingress From Non Expiring Account
An account with a password that never expires accesses the network from an external location.
Ingress From Service Account
A service account accesses the network from an external location.
Lateral Movement Domain Credentials
A domain account attempts to access several new assets in a short period of time.
Lateral Movement Local Credentials
A local account attempts to access several assets in a short period of time.
A user deletes event logs on an asset.
Log Deletion Local Account
A local account deletes event logs on an asset.
Malicious Hash On Asset
A agged process hash starts running on an asset for the rst time.
Multiple Country Authentications
A user accesses the network from several di erent countries within a short period of time.
Multiple Organization Authentications
A user accesses the network from multiple external organizations too quickly.
Network Access For Threat
A user accesses a domain or IP address tagged in the Threats section.
New Local User Primary Asset
A new local user account was added to the primary asset of a domain user.
New Mobile Device
A user accesses the network from a new mobile device.
Password Set To Never Expire
A password of an account has been set to never expire.
Poisoning of a network protocol, such as via Responder, is detected.
Remote File Execution
Remote le execution has been detected.
Service Account Authenticated From New Source
A service account authenticates from a new source asset.
Spoofed Domain Visited
A user makes a DNS query to a newly registered internet domain.
A suspicious authentication was detected.
A virus alert was triggered from an asset.
A user authenticates to a watched user's account.
Wireless Multiple Country Authentications
A user logs onto the network using a mobile device from too many countries in a short period of time.
With Rapid7, technology professionals gain the clarity, command, and con dence to safely drive innovation and protect against risk. We make it simple to collect operational data across systems, eliminating blind spots and unlocking the information required to securely develop, operate, and manage today’s sophisticated applications and services. Our analytics and science transform your data into key insights so you can quickly predict, deter, detect, and remediate attacks and obstacles to productivity. Armed with Rapid7, technology professionals nally gain the insights needed to safely move their business forward. To learn more about Rapid7, visit www.rapid7.com.
Email us at firstname.lastname@example.org