What three categories do attackers exploit to get on your corporate network? Vulnerabilities, misconfigurations, and credentials. Whether the attack starts by stealing cloud service credentials, or exploiting a vulnerability on a misconfigured, internet-facing asset, compromising an internal asset is a great milestone for an intruder.
Once an endpoint is compromised, the attacker can:
For this reason, when investing in the technology that supports Rapid7’s Managed Detection and Response (MDR) service, we prioritized the native collection of endpoint data over layering advanced analytics onto network data (e.g., NetFlow, full packet capture).
In this post, we’d like to share the benefits of this approach. Let’s walk through a simple malware attack that allows the intruder to communicate with the endpoint over encrypted channels.
“Bob in marketing has been an avid fan of Bitcoin since buying some at $18,000. As the price plummets, he grows increasingly uneasy, looking for a side hustle to supplement his losing investment. On his work asset, he downloads a “cryptocurrency miner,” which allows his computer to contribute computational power in exchange for payment in a digital asset. Unbeknownst to him, this is no miner, but a Trojan that provides an attacker remote access to the now compromised endpoint…”
While this scenario is tongue-in-cheek, opportunistic compromise is very real, given the recent wave of malicious browser extensions, more Adobe Flash 0-Days, and supply chain attacks on trusted, beloved software like CCleaner.
From a network analysis perspective, our hypothetical heroes have only a few opportunities to catch the attack:
If Bob works remotely or is frequently on the road, detection increasingly relies on faithful usage of VPN services. This is because network monitoring usually takes the form of appliances that connect into on-premises network infrastructure.
With our MDR service, it’s a different story. By collecting and analyzing the right types of endpoint data, our team has multiple ways to catch the attack. Our Insight Agent securely streams endpoint data to our Insight platform to run computationally demanding analytics. Close attention to running processes (especially parent-child relationships) and anomalous behavior on the asset opens up not only better detection, but faster, more thorough incident investigations.
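As an added illustration of the parent-child and process-to-network context described above (not Rapid7 code, and not the Insight Agent's real event schema), the following script runs two simple rules over constructed process and connection events from the "miner" scenario and reconstructs the process lineage an analyst would want during investigation. Event field names, paths and the rule thresholds are assumptions made for the example.

```python
"""Toy parent-child process analysis over constructed endpoint telemetry.
Hypothetical event shape (not the Insight Agent's real schema): process events
carry pid, ppid and image path; network events carry pid and destination port."""

# Constructed sample telemetry modelled on the "miner" scenario in the post.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\bob\Downloads\miner_setup.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
]
NETWORK_EVENTS = [
    {"pid": 300, "dst_port": 443},  # TLS session opened by the downloaded binary
    {"pid": 200, "dst_port": 443},  # ordinary browser traffic on the same port
]

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")  # assumed user-writable roots

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def user_writable(image):
    return any(marker in image.lower() for marker in USER_WRITABLE)

def lineage(pid, by_pid):
    """Ancestry from the root down to pid, as image basenames (investigation context)."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def analyse(process_events, network_events):
    """Return (pid, reason) findings from parent-child and process-to-network context."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: a shell or script host whose parent lives in a user-writable directory.
        if parent and basename(e["image"]) in SHELLS and user_writable(parent["image"]):
            findings.append((e["pid"], "shell spawned by binary in user-writable path"))
    # Rule 2: encrypted traffic a network sensor cannot inspect, attributed by the
    # endpoint to a binary in a user-writable directory (the browser on 443 is not flagged).
    for n in network_events:
        proc = by_pid.get(n["pid"])
        if proc and n["dst_port"] == 443 and user_writable(proc["image"]):
            findings.append((n["pid"], "TLS connection from binary in user-writable path"))
    return findings
```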
Here’s how different types of endpoint data reveal both opportunistic and targeted attacks:
While our MDR team monitors for all of the above, we don’t start and end with the endpoint. Our veteran analysts use Rapid7 InsightIDR, our SIEM solution that comprehensively integrates with your security and network stack.
Managed detection and response services that only instrument the endpoint will not only miss attacks, but they’ll lack context on “who does what” in the company. Unlike your internal team, third-party analysts don’t know who’s regularly on the road, or who requires anomalous privileges for their job. For example, I have to expose myself to interesting extensions when delivering webcasts with third-party providers. I would not be happy if my asset was “contained” mid-demo…
For that reason, we pair your team with an assigned Customer Advisor, who will promptly notify you of findings—but only for the true items that require investigation. Our job is to tell you exactly what happened, and that includes:
While some of the above can be answered with network data, thoughtful endpoint data collection captures authentication, file system, process execution, and forensic artifacts critical across the entire incident response lifecycle.