2018 Q1 Threat Report (Rapid7)
Description
This quarter’s report covers three main areas of concern for the modern IT defender:
- First, credential theft, reuse, and subsequent suspicious logins are—today—the most commonly reported significant incident we’re seeing across both small (<1,000 endpoints) and large organizations (≥1,000 endpoints).
- Second, the DDoS landscape just got a lot more interesting with the debut of a new technique using misconfigured—and plentiful—memcached servers.
- Finally, we take a look at the increasing levels of SMB and Cisco SMI attacker probes and attacks, where the former continues to define the “new normal” level of background malicious behavior around Windows networking, and the latter begins to bring shape to this relatively new attack vector targeting core router infrastructure.
What follows is a breakdown of trends we saw throughout 2018 Q1, including what we’re referring to as “significant investigations,” takeaways for the next quarter, and an overview of our methodologies and the resources at our disposal when crafting this report.
Files
| Name | Size | Checksum |
|---|---|---|
| rapid7-threat-report-2018-q1.pdf | 10.7 MB | md5:c74299a8708860be6105ef8e2942f095 |