Christiaan Beek
Senior Director of Threat Analytics at Rapid7
With the cybersphere erupting with new threats, vectors and AI-augmented attacks, keeping up with what's out there and what can pose harm to your operations can seem like a herculean task.
Luckily, detectives of the digital frontier exist to lend a helping hand. These threat intelligence experts keep their eyes on the analytics of attacks and shine a light on the dark web to uncover not only which threats are circulating, but also which threat is next on the horizon.
This lets companies spend their resources on managing threats rather than on working out what those threats are. Few people are better placed to lead this investigation than Christiaan Beek, Senior Director of Threat Analytics at Rapid7, a man who has dedicated more than 20 years to threat research and intelligence gathering.
With the threat landscape being so dynamic, Cyber Magazine spoke to Christiaan to find out more about his role in helping keep companies ahead of their adversaries and what threats might be lurking over the horizon.
How has your experience at a number of cyber companies shaped your approach to threat analytics at Rapid7?
I began in offensive security as a pentester and later became a forensic investigator. Both roles taught me how to break into systems and the challenges in hunting and defending against threats.
From there, I worked for several companies designing threat intelligence backends, developing new systems for gathering intelligence, and leading threat intelligence and vulnerability research. This is where I observed the struggles threat teams face in processing their data.
I realised the struggle to process data, along with the lack of tools and technology to investigate incidents properly, meant it was critical to provide customers with context into cyber incidents.
Therefore, when I joined Rapid7, and even before at McAfee, I focused on how we can turn all the telemetry and data we have into actionable insights. Only by providing context and actionable intelligence can organisations truly prioritise tasks and address critical security gaps.
With your background in incident response, how do you see the relationship between reactive and proactive security measures evolving?
The combination of offensive and defensive security measures is vital. It allows security teams to approach tasks differently, find hidden details, and quickly identify signs of a breach.
For example, when I was a forensic investigator, the biggest challenge for me was trying to find evidence of a cyber breach. However, my background in offensive security meant I understood how to break into systems, making it slightly easier to find evidence of a breach.
The relationship between reactive and proactive security measures will only get stronger in the future. We’ll see these measures combined with the telemetry data organisations gather, enabling security teams to better understand the techniques used by criminals and how they are applied.
How do you approach the challenge of gathering and analysing threat data from diverse sources? What insights does this reveal, and why is this comprehensive approach important?
At Rapid7, we use a mixture of open-source and internal-source data. However, my core principle when gathering and analysing threat data is to focus on curated intelligence.
Simply gathering as much data as possible is counterproductive because it pollutes your systems and signatures, overwhelming the security team with numerous alerts to manage. To ensure we have curated and actioned intelligence, we rate and verify our sources of intelligence.
For instance, when an IP address is flagged as malicious in a report, the threat actor typically abandons it, so continuously logging it as malicious is pointless. Therefore, at Rapid7, we implement a strategy where, after a certain period, we acknowledge past malicious activity but refrain from labelling it as malicious to avoid cluttering signatures.
SOC teams are already inundated with tasks, so our approach helps reduce the noise they encounter. Moreover, it assures them that any alert they receive has undergone verification and scrutiny.
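The indicator-aging strategy described above (keep the history, stop alerting once a report goes stale) can be sketched in code. This is an added illustration, not Rapid7's tooling; the 30-day window, the store layout, the feed reports and the log lines are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed aging window: the interview only says "after a certain period".
ACTIVE_WINDOW = timedelta(days=30)

@dataclass
class Indicator:
    value: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)

    def status(self, now):
        # Active while a verified source reported it recently; historical afterwards.
        return "active" if now - self.last_seen <= ACTIVE_WINDOW else "historical"

class IndicatorStore:
    """Keeps every report for context but only alerts on currently active indicators."""
    def __init__(self):
        self._by_value = {}

    def ingest(self, value, reported_at, source):
        ind = self._by_value.get(value)
        if ind is None:
            self._by_value[value] = Indicator(value, reported_at, reported_at, {source})
        else:
            ind.first_seen = min(ind.first_seen, reported_at)
            ind.last_seen = max(ind.last_seen, reported_at)
            ind.sources.add(source)

    def verdict(self, value, now):
        ind = self._by_value.get(value)
        if ind is None:
            return "clean"
        return "alert" if ind.status(now) == "active" else "context"

def triage(log_lines, store, now):
    """Map each key=value firewall-style log line to a verdict keyed by source IP."""
    results = {}
    for line in log_lines:
        src = dict(f.split("=", 1) for f in line.split())["src"]
        results[src] = store.verdict(src, now)
    return results

# Constructed sample feed reports and log lines (documentation IP ranges, not real IoCs).
NOW = datetime(2024, 6, 1)
store = IndicatorStore()
store.ingest("198.51.100.7", NOW - timedelta(days=3), "vendor-A")
store.ingest("203.0.113.9", NOW - timedelta(days=120), "vendor-B")  # stale report
LOGS = [
    "ts=2024-06-01T10:00:01Z src=198.51.100.7 dst=10.0.0.5 action=deny",
    "ts=2024-06-01T10:00:02Z src=203.0.113.9 dst=10.0.0.5 action=allow",
    "ts=2024-06-01T10:00:03Z src=192.0.2.44 dst=10.0.0.5 action=allow",
]
print(triage(LOGS, store, NOW))
```

The stale indicator still surfaces as "context" for an analyst looking at the host, but it no longer generates an alert of its own.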
In your role as Senior Director of Threat Analytics, what have you identified as one of the biggest current cyber threats?
The biggest issue remains ignorance. Whilst attacks can be complex, organisations often fail to adequately secure their networks. If they got the basics right, attackers would find it a lot harder to breach networks.
For example, in our latest Attack Intelligence Report, 41% of incidents occurred due to missing or unenforced multi-factor authentication (MFA) on internet-facing systems. By not doing MFA right, companies are just sitting ducks for cybercriminals.
Despite the necessity for advanced cybersecurity solutions, maintaining basic cyber hygiene is a straightforward and effective method to reduce the risk of an attack.
Cybercriminals tend to take the path of least resistance for quick profits. Implementing barriers correctly such as MFA slows them down and increases the cost of mounting an attack. Consequently, they are more likely to bypass organisations with robust defences.
Why is innovation in research techniques crucial for staying ahead of cyber threats?
Innovation is crucial for every cybersecurity company. It enables researchers to uncover new malware families and techniques used by attackers to evade security measures.
Attackers constantly innovate; therefore, a similar level of innovation is needed from researchers to stay ahead.
I love to innovate, and I always encourage my team to be curious and inventive. This approach is essential for demonstrating Rapid7’s commitment to identifying new trends and, more importantly, defending against them.
We analyse data collected by our labs team to identify emerging techniques observed in real-world attacks. Subsequently, we test our products against these techniques to identify and address any vulnerabilities, thereby enhancing protection for our customers.
How does trend analysis contribute to predictive security and can you elaborate on how this approach can add innovations to cybersecurity?
Trend analysis enables security teams to identify what cybercriminals are targeting and helps security companies uncover any existing gaps in their products.
At Rapid7, we’ve been tracking several APT groups known for their innovation and frequent use of new techniques. Upon identifying a new technique, we promptly engage our engineering team to verify our product's ability to defend against it. This ensures that our products can effectively safeguard our customers against the latest threats.
Based on your extensive experience, how has the nature of cyber threats evolved over the years, and what implications does this have for businesses?
The most significant change we've witnessed is in how payloads are deployed. Five years ago, malware resembled a Swiss army knife, offering a plethora of functionalities and tools. However, malware now is more fragmented.
Attackers now utilise 'living off the land' techniques/binaries, where the final payload typically incorporates only one or two functionalities. Malware is increasingly employed as a means to infiltrate a company's network, with a strong emphasis on remaining undetected thereafter.
This evolution has been driven by advancements in endpoint security. The fragmentation of malware now significantly complicates detection for organisations and researchers alike.
Why is collaboration within the cybersecurity community important, and how does it contribute to more effective threat intelligence?
Collaboration is crucial because no single security company has full visibility into the cyber world.
Rapid7 is a member of the Cyber Threat Alliance, where we regularly share our observations with other companies and exchange insights with them. Despite being competitors, it's essential that we collaborate to solve major issues together.
Moreover, collaboration between the private and public sectors has significantly strengthened over the years. The recent ransomware and dark web takedowns highlight the positive outcomes that can be achieved through closer collaboration. While at Rapid7, I’ve worked closely with Europol in supporting the takedown of certain ransomware networks.
How do you see the role of AI and machine learning in shaping the future of threat analytics?
AI is a promising technology, and we’re beginning to see maturity in machine learning. It’s being used to automate tasks and enhance technologies that detect and prevent attacks.
However, humans are still essential for training these models. Poor data leads to poor outputs and results. Therefore, companies must understand their AI objectives and employ experts capable of accurately defining AI models.
In the past, I’ve witnessed instances where people developed a malware detection model without understanding how the malware operates. Consequently, the model identified incorrect artefacts from the malware, resulting in numerous false positives.
Looking ahead, what trends do you anticipate will have the most significant impact on the field of threat analytics in the coming years?
The challenge in threat analytics lies in striking the right balance between gathering necessary data and addressing data privacy concerns.
We are increasingly engaging in conversations with customers about data privacy and protection. It’s a conversation we very much welcome, and one that the entire security industry should be having.
I’m also excited about the emergence of AI-specific CPU architectures. They will enable significant advancements in processing power, enhancing capabilities in data analytics and data virtualisation on the defensive side of security.
Cyber Magazine is a BizClik brand