Argus - Fotolia

Human interaction still key to cyber attacks, study reveals

An analysis of threats faced by organisations in the first quarter of 2017 reveals that cyber attackers still rely heavily on user interaction

Security alerts at weekends and on public holidays dip significantly, which researchers at security firm Rapid7 attribute to a lack of employees interacting with malicious emails, attachments, links and websites.

“One of the primary lessons we pulled out from our data is that, across the board, attackers still rely on user interaction to carry out their attacks,” the researcher wrote in the first Rapid7 quarterly threat intelligence report.

“This means that security measures a user can circumvent, wittingly or unwittingly, are not going to be completely successful at deterring attacks.” 

In February 2017, Rapid7 became an affiliate member of the Cyber Threat Alliance, a group of cyber security practitioners from organisations that have chosen to work together to share threat information for the purpose of improving defences against advanced cyber adversaries.

The publication of quarterly threat intelligence reports, the company said, reaffirms Rapid7’s commitment to openly sharing security information and supporting the industry in raising and addressing issues that affect the cyber security community.

The report is aimed at providing actionable guidance to assist incident response teams to adapt to new and emerging threats faster, and is based on intelligence from Rapid7’s Insight platform, Rapid7 Managed Services, Rapid7 Incident Response engagements, and the Metasploit community.

The second key finding of the report is that if organisations design indicators based only on currently available information, rather than seeking out additional intelligence or adding industry- and company-specific context, the result will be low-quality alerts. 

While most alerts are triggered from known, malicious activity, the quality of these alerts is entirely dependent on the established indicators, the report said.

The third key finding of the report is that for organisations in industries that align with nation state interests – such as government, manufacturing and aerospace – sophisticated attacks are a real threat. However, organisations outside those industries were not significantly affected by highly targeted attacks in the first quarter of 2017, the study found.

Understanding an organisation’s threat profile can help determine whether or not these types of attackers should be accounted for in the threat landscape, the report said.

Read more about threat intelligence

  • The cyber criminal network is truly global and collaborative, making use of popular messaging services, a study has revealed
  • Threat intelligence tools are a growing market and enterprises need to be able to see through the hype to get the best product for them.
  • Learn how threat intelligence services benefit enterprise security and how to subscribe to the right threat intelligence service.
  • Threat intelligence is quickly becoming an essential ingredient for protecting corporate systems and data.

The fourth key finding of the report is that while a 30-day patching cycle was once generally effective, the Apache Struts vulnerability (CVE-2017-5638) presented a strong case to re-evaluate this traditional thinking.

Just days after the Apache Struts vulnerability was publicly disclosed, Rapid7 analysts began to detect mass-exploitation attempts. Understanding the threat presented by new vulnerabilities, mapped to specific threat profiles, can help to determine when something needs to be prioritised, the report said.

“The Cyber Threat Alliance commends Rapid7 for producing this report. It provides very useful insights into how the threat landscape is evolving,” said Michael Daniel, president of the CTA.

“It also demonstrates why proactive, robust information sharing is a critical element of mitigating cyber vulnerabilities in such a rapidly evolving threat landscape,” he said.

Daniel, a former White House cyber security co-ordinator, said the CTA information sharing platform fulfills this role by enabling the automated near-real time sharing of rich, contextual cyber threat information.

“Automated information sharing, paired with context, enables CTA Members such as Rapid7 to more efficiently deploy proactive defenses and provide more effective incident response to their respective customers,” he said.

Read more on Hackers and cybercrime prevention