APT Attack Activity Occurs at 'Low, Consistent Hum,' Rapid7 Finds
Organizations in industries aligned to nation-state interests are main targets of nation-state attack threats, new quarterly threat report shows.
April 20, 2017
The quarterly threat intelligence reports that many security vendors publish on a regular basis usually tend to highlight threats that are either emerging or becoming more prevalent or dangerous in some way.
Reports, like one from Rapid7 this week that highlight security issues trending the opposite way, are somewhat less common but likely useful to organizations for that very reason.
Rapid7 first quarterly threat intelligence report is based on its analysis of a representative sample of security incidents handled for customers of the company's managed detection and response service. One of the key findings from that analysis was that advanced persistent threat (APT)-centric threats were less common than the hype around such attacks would suggest. Rapid7's analysis showed that advanced persistent threats, many of which are state-sponsored, were a non-issue for a majority of organizations in the first quarter of this year.
The organizations most impacted by APT activity belonged to industries that aligned with nation-state interests such as government, manufacturing, and aerospace. APT attacks that Rapid7 found were targeted and rare, generally took longer to contain, and required more post-incident handling than other attacks. But not all organizations are targets, which is why security administrators need to have a good handle on their threat profile and pay attention to developments that might cause that profile to change.
"Over the past year we saw targeted, sophisticated attacks at the same steady cadence," says Rebekah Brown, threat intelligence lead at Rapid7. But the attacks represented only a very small percentage of the overall threats that Rapid7 saw in its customers' environments, she says.
"We do see ebbs and flows of activity related to specific attacker groups, but the overall activity level is a low, consistent hum," she says.
Another discovery that Rapid7 made from its analysis of Q1 incident data among its customers was a lower than expected number of security alerts that required human intervention.
A great deal has been made about the need for organizations to put measures in place for filtering out the noise caused by the massive volume of log and event data generated by security controls and network infrastructure components. Security analysts have long stressed the importance of having correlation rules that weed out false positives from log and event data while surfacing alerts on issues that really merit a closer look.
"Our assessment is that the numbers are lower because customers are being more selective on what they alert on, and therefore are seeing fewer false positives," Brown says. Another possibility is that organizations are learning from the alerts and finding ways to mitigate or prevent activities that caused the alerts, she says.
It is also always possible that threats are becoming more evasive in response to actions taken by organization. "However, if that was the case, we would not have expected to see a consistent level of alerts across the quarter," Brown says. "There would likely have been a sharp decline as attackers shifted tactics."
Rapid7's examination of the events that triggered alerts showed that most alerts were tied to known bad activity, such as malware or multiple concurrent logins from different regions around the world. The quality of the alerts depended on the kind of data that was available to the alerting system. Inputs that were based on what Rapid7 described as low-fidelity indicators tended to generate more noise than actionable information.
One key takeaway from Rapid7 research is that alert fatigue is very real, says Bob Rudis, chief data scientist at Rapid7. "[It] causes organizations to miss real events because they’re trying to consume a firehose of alerts without proper tools, processes or staffing," he says.
Enterprises need to align their threat models and include known incident, event, and breach parameters when designing rules for alerts that are actionable, Rudis says.
Related stories:
About the Author
You May Also Like