All posts by Rapid7

Anarchy in the UK? Not Quite: A look at the cyber health of the FTSE 350

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/04/13/anarchy-in-the-uk-not-quite-a-look-at-the-cyber-health-of-the-ftse-350/


The attack surface of the United Kingdom’s 350 largest publicly traded companies has—drum roll, please—improved. But it could be better. Those are the high-level findings of the latest in Rapid7’s series of reports on the cybersecurity health of companies tied to some of the globe’s largest stock indices. This is the second time in more than two years that we have looked at the FTSE 350 to gauge how well the UK’s business arena as a whole is faring against cyber threats. It turns out they have improved in that time and are on par with the other big indices we have looked at, though in some specific areas there is definitely room for improvement.

We chose the FTSE 350 as a benchmark in determining the cyber health of UK businesses because they are by and large some of the largest companies in the country and are not as resource constrained as some other, smaller, companies might be. This gives us a pretty even playing field on which to analyze their health and extrapolate out to the overall health of the region. We’ve done this with several other indices (most recently the ASX 200) and find it works well to provide a snapshot of what’s going on in the region.

In this report, we looked first at the overall attack surface of the FTSE 350 companies, broken down by industry. We also looked at the overall health of their email and web server security. All three areas showed improvement, as well as points for concern.

Attack Surface

By and large, the attack surfaces of the companies that make up the FTSE 350 were quite limited and in line with those of other major indices around the world. But when you look at the individual industries that make up the FTSE 350, you start to see some red flags.

For instance, financial and technology companies have by far the largest vulnerability through high risk ports exposed to the internet. Technology companies averaged well over 1000 ports with internet exposure and financial companies averaged nearly 800. That is 4 and 5 times the next highest industry (respectively). When it comes to particularly high risk ports, the financial sector is the biggest offender with an average of 12 high risk ports. For comparison, the technology sector had three.

Email Security

Email security is one area where we’ve seen some laudable improvement over the last time we looked at the FTSE 350. For instance, use of Domain-based Message Authentication, Reporting & Conformance (DMARC) policy is up 29%. However, the implementation of Domain Name System Security Extensions (DNSSEC) is at just 4% of the 350 companies that make up the index. Sadly, this too is on par with other indices. They should all seek improvements (alright, we’ll get off our soapbox).

Web Server Security

Going after vulnerable web servers is a favorite vector for attackers. Looking at the web servers of FTSE 350 companies, we found that of the three most common types (NGINX, Apache, and IIS), not all had a high proportion of supported or fully patched versions. For instance, only some 40% of NGINX servers were supported or fully patched, whereas 89% of Apache and 80% of IIS servers were. That is a pretty big discrepancy. Thankfully, Apache and IIS are the dominant servers in this region, which limits the overall risk.

If you want to take a look at our report you can read it here. If you’d like to check out the report we conducted for Australia’s ASX 200 it is available here.

7 Rapid Questions: Lindsey Searle

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/04/11/7-rapid-questions-lindsey-searle/


Welcome back to 7 Rapid Questions, our blog series where we ask passionate leaders at Rapid7 to give us an inside look at what it’s like to work on their team, and how they’re creating an impact every day.

In this installment, we talk to Lindsey Searle, Senior Manager, Customer Advisors on how her team helps solve customer challenges, and how candidates can stand out in the interview process.

What kind of challenges are you/your team responsible for solving for customers?

The security space is evolving every day as hackers continue to advance. Many customer teams find themselves overwhelmed and in need of more customized services to stay ahead, and that’s where we can help support.

Our team is the face of Rapid7 for Managed Services customers. We provide advisory services for clients of all shapes and sizes and at all levels of their security maturity journeys. The Customer Advisor team works closely with the Security Operations Center (SOC) to monitor customers’ in-scope environments and provide custom tailored guidance to enhance their security posture. Many of our customers consider us an extension of their in-house security team, and we strive to build close knit working relationships and trust with each and every one of them.

In addition to day to day monitoring, our Customer Advisors work with our clients to understand their security goals, make recommendations to achieve those goals, and are personally invested in seeing those initiatives through to completion.

What does your team look like (team size, types of teams etc.), what growth has there been?

The Customer Advisor organization at Rapid7 grew by 30% last year—we added 35 new people to the team in 2022, including Advisors at all levels, four new managers, and a Vice President.

Our team is composed of all levels of security professionals, from associate CAs at the start of their career to tenured Lead and Principal Advisors. We have CAs supporting all three branches of Managed Services, and our teams are blended across Managed Detection and Response (MDR), Managed Vulnerability Management (MVM), and Managed Application Security (MAS) to allow for cross functional collaboration and learning.

We are fortunately in a position where as our Managed Services business grows, our Customer Advisor team has continued to expand, as it is a standard part of the service offering.

What makes the culture at R7 different from other tech / cyber security companies?

I always find it difficult to describe the Rapid7 culture when I interview candidates because it’s something that you really have to see to understand and believe. The underlying fact is that all Rapid7 employees are passionate about security—we are here because we want to help our customers succeed, and we truly enjoy working together for that common goal.

At the same time, every single person is unapologetically unique and does not hesitate to bring their own perspective to the table. We have a great balance of external hires bringing in fresh ideas, as well as internal hires that provide a different approach to a situation when you’ve worked on the other side of the curtain.

What 3 biggest things have you learned in your time at Rapid7?

One: Take the time to thank people for helping you out! We do ‘guitar picks’ at Rapid7—it’s an internal website where you can give fellow moose a virtual kudos and recognition, whether it be for a great presentation they gave, or for filling in for you on an assignment, or for just being awesome. Everyone in the company can see it, and the recipient gets a notification that they’ve received one. Sending a pick takes minutes but can make someone’s day! Our Chief People Officer selects a guitar pick submission and sends it out to the whole company every morning. It’s a quick and meaningful way to thank those around us.

Two: Don’t be afraid to ask questions—we are all constantly learning and there is definitely someone out there who can help.

Three: There is a Slack emoji for just about every situation, and if it doesn’t exist—make one! In fact, our recent Slack migration took longer than expected due to the 10,000+ custom emojis that Rapid7 employees have created. One of our core values is ‘Bring You’ so this is just one example of how people are getting creative to express themselves in different ways and build camaraderie in a globally distributed organization.

How does Rapid7 set you up for success in your role?

I was incredibly impressed with the corporate onboarding provided by Rapid7 when I went through it myself in late 2021. You attend your onboarding sessions with all new hires starting at the company that week and already start to build a network within your first few hours here.

Rapid7 is big on encouraging Insight Coffees—an informal 30 minute meeting with another Rapid7 employee to get to know them on a personal and professional level. Those connections stick with you throughout your time here and only strengthen your ability to work together down the road.

Our company culture is built around helping each other and working together as a team, which puts you in a great spot to be successful in your role.

What can a candidate do to stand out in the interview process?

Honestly, just be yourself—Bring You is a core value at Rapid7 and something that truly sets us apart from other companies. Finding people who embrace our collaborative culture and partner well to share ideas is a major piece of the Rapid7 interview process. These soft skills weigh as heavily as prior work experience and technical competency. Your individuality will set you apart from other candidates—so let your true self shine!

What advice would you give someone thinking about coming to work here?

Bring energy and enthusiasm, and take the time to build meaningful relationships with the people you work with. It is much easier to wake up and log on for the day when you are looking forward to interacting with your team members and your customers. At Rapid7 we live by the core value of ‘Impact Together’—teamwork makes the dream work! We have a far greater chance at success when working together than we do when trying to climb the ladder individually.


Raptor Technologies Volunteer Management Client-Side Security Controls (FIXED)

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/04/11/raptor-technologies-volunteer-management-client-side-security-controls-fixed/


Prior to March 18, 2023, due to a reliance on client-side controls, authorized users of Raptor Technologies Volunteer Management SaaS products could effectively enumerate other authorized users, and could modify restricted and unrestricted fields in the accounts of other users associated with the same Raptor Technologies customer.

Product description

The Raptor Technologies Volunteer Management for Schools product is used by school districts to authenticate pre-approved volunteers and to print badges that the volunteers use for entry to the school.

Each volunteer has an account in the Raptor Technologies system. The account contains information about the volunteer, a photo that matches the volunteer’s photo ID, and details of which buildings and activities the volunteer is allowed access to. This account is set up and populated by school officials after a potential volunteer submits an online application for access.

Credit

This issue was discovered by Tony Porterfield, Principal Cloud Solutions Architect at Rapid7, while using the application as an end-user.  It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Exploitation

Prior to the fix deployed by Raptor Technologies on March 18, 2023, a lack of server-side authorization checks allowed an authenticated user to edit restricted fields in their own account and in other users’ accounts. Client-side controls were in place to prevent these edits, but there were gaps in the server-side checking that allowed crafted API requests to make these changes to user records.

There is a PersonID field in the profile update request payload, and it was possible to modify another user’s account by supplying a PersonID that did not match that of the authenticated user. The PersonID is observed to be a relatively short decimal number that may have been prone to enumeration. The Community feature provides a list of all users with access to the same schools who have agreed to have their contact information shared. The user list returned by the server contains the PersonID for each user listed, which would have allowed an adversary to make targeted changes to specific user accounts within the community.

An example of a user’s profile page is shown below. The areas highlighted in yellow contain identity and access information sourced from the application submitted by the user. Controls in the browser client prevent a user from editing these fields when updating the profile.

[Figure: example volunteer profile page; the highlighted areas are the identity and access fields that the browser client prevents the user from editing]

When the Save button is clicked, a POST to
apps.raptortech.com/Portal/Profile/Save
is initiated, with a payload of content type:
Content-Type: application/x-www-form-urlencoded

The payload includes all of the fields visible on the page (along with some that are not). The fields in this POST request’s payload are listed below, with personal information redacted.

Person.ImageName=<redacted>&
Person.PersonId=<redacted>&
Person.PersonaType=<redacted>&
Person.RequireDateOfBirth=True&
Person.RequireIdNumber=False&
Person.IdNumber_Short=<redacted>&
Scope=Client&
Person.IsOfficial=True&
Person.FirstName=<redacted>&
Person.MiddleName=<redacted>&
Person.LastName=<redacted>&
Person.DateOfBirth=<redacted>&
Person.IdType=<redacted>DLID&
Person.IdNumber=<redacted>&
MaidenName=&
Gender=Male&
Race=Unspecified&
ExpirationDate=<redacted>&
HoursResetDate=<redacted>&
ModifyBuildingsEnabled=False&
Email=<redacted>&
Buildings[0]=<redacted>&
Functions[0]=<redacted>&
AffiliationId=<redacted>&
ProfileId=<redacted>&
Person.RequireIdType=False&
Address.Id=<redacted>&
Address.IsRequired=False&
Address.IsInternationalCountry=False&
Address.IsRequiredAndIsNotInternationalCountry=False&
Address.Line1=<redacted>&
Address.Line2=&
Address.Line3=&
Address.City=<redacted>&
Address.State=<redacted>&
Address.ZipCode=<redacted>&
Address.Country=US&
PrimaryPhone=<redacted>&
SecondPhone=&
ThirdPhone=&
PreferredLanguage=0

Impact

Updating restricted fields: Fields that the client prevents the user from modifying could be changed in the body of the apps.raptortech.com/Portal/Profile/Save request, and the results persisted in the user’s profile. It was therefore possible to modify restricted fields related to the user’s identity by manipulating this request’s payload.

Updating other users’ information: The payload of the Portal/Profile/Save request includes a field for the Person.PersonID. It was possible to modify the profile of another user associated with the same Raptor Technologies customer by entering the other user’s Person.PersonID in the payload of the request.

Community feature discloses PersonIDs: The ‘Community’ feature presents a list of other members of the user’s community who have opted in to sharing their information. The browser interface only displays the users’ names and contact information. However, the list returned by the server for the apps.raptortech.com/Portal/Community/gvVolunteerContactInformation_Read endpoint includes each community member’s PersonID. Prior to the fix, this information disclosure could be combined with the lack of server-side authorization checks to make targeted changes to the accounts of other community members.

The fields included for each user in the response are listed below for reference:

{
    "$id": "2",
    "PersonId": <6 or 7 digits>,
    "ProfileId": <5 digits>,
    "FirstName": "<redacted>",
    "LastName": "<redacted>",
    "PrimaryPhone": "<redacted>",
    "SecondPhone": "",
    "Email": "<redacted>",
    "AllowToContact": true,
    "PreventFromBeingContacted": false,
    "PrimaryPhoneDisplay": "<redacted>",
    "SecondPhoneDisplay": ""
}
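As an added illustration of the two issues described above (the client-trusted PersonID in the Profile/Save payload, and the Community response carrying each member’s PersonId), here is a minimal model of the same two endpoints with the authorization performed where the browser cannot bypass it. This is not Raptor Technologies’ code: the endpoint and field names come from the disclosure, while the handler logic, the in-memory store, the restricted-field set and the sample payloads are constructed for the example.

```python
from urllib.parse import parse_qs

# Fields the browser client prevents the volunteer from editing; they come from
# the vetted application and may only be changed by school officials. This set
# is an assumption drawn from the highlighted fields in the post, not the product's list.
RESTRICTED_FIELDS = {
    "Person.PersonId", "Person.FirstName", "Person.MiddleName", "Person.LastName",
    "Person.DateOfBirth", "Person.IdType", "Person.IdNumber", "ExpirationDate",
    "Buildings[0]", "Functions[0]", "AffiliationId", "ProfileId",
}


def sample_profiles():
    """Constructed in-memory profile store keyed by PersonId (stands in for the database)."""
    return {
        "1000001": {"Person.PersonId": "1000001", "Person.FirstName": "Alice",
                    "Email": "alice@example.invalid", "Buildings[0]": "Elementary"},
        "1000002": {"Person.PersonId": "1000002", "Person.FirstName": "Bob",
                    "Email": "bob@example.invalid", "Buildings[0]": "Elementary"},
    }


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into flat key/value pairs."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def save_profile_vulnerable(session_person_id, body, profiles):
    """Pre-fix behaviour as the post describes it: the server trusts Person.PersonId
    from the payload and persists every submitted field, restricted or not."""
    form = parse_form(body)
    target = form.get("Person.PersonId", session_person_id)
    profiles[target].update(form)
    return {"status": "ok", "updated": target}


def save_profile_hardened(session_person_id, body, profiles):
    """Server-side check: the record written is the one bound to the authenticated
    session, and restricted fields are dropped regardless of what the client sent."""
    form = parse_form(body)
    # Refuse a mismatching identifier outright instead of silently correcting it;
    # the refusal is a useful signal for logging and detection.
    if form.get("Person.PersonId", session_person_id) != session_person_id:
        return {"status": "forbidden", "reason": "PersonId does not match session"}
    allowed = {k: v for k, v in form.items() if k not in RESTRICTED_FIELDS}
    ignored = sorted((set(form) & RESTRICTED_FIELDS) - {"Person.PersonId"})
    profiles[session_person_id].update(allowed)
    return {"status": "ok", "updated": session_person_id, "ignored": ignored}


# Community endpoint: only the fields the page actually renders leave the server.
COMMUNITY_PUBLIC_FIELDS = ("FirstName", "LastName", "PrimaryPhone", "SecondPhone", "Email")


def sample_community():
    """Constructed records in the shape of the response listed above."""
    return [
        {"PersonId": 1000001, "ProfileId": 50001, "FirstName": "Alice", "LastName": "A.",
         "PrimaryPhone": "555-0100", "SecondPhone": "", "Email": "alice@example.invalid",
         "AllowToContact": True, "PreventFromBeingContacted": False},
        {"PersonId": 1000002, "ProfileId": 50002, "FirstName": "Bob", "LastName": "B.",
         "PrimaryPhone": "555-0101", "SecondPhone": "", "Email": "bob@example.invalid",
         "AllowToContact": False, "PreventFromBeingContacted": False},
    ]


def community_list_hardened(records):
    """Return only opted-in members, stripped of internal identifiers (PersonId, ProfileId)."""
    return [{k: r[k] for k in COMMUNITY_PUBLIC_FIELDS}
            for r in records
            if r["AllowToContact"] and not r["PreventFromBeingContacted"]]


if __name__ == "__main__":
    tampered = "Person.PersonId=1000002&Person.FirstName=Mallory&Email=m@example.invalid"
    store = sample_profiles()
    print(save_profile_vulnerable("1000001", tampered, store), store["1000002"])
    store = sample_profiles()
    print(save_profile_hardened("1000001", tampered, store), store["1000002"])
    print(community_list_hardened(sample_community()))
```

Because the real form posts every field on the page (as the payload above shows), the hardened handler silently discards restricted fields for the user’s own record rather than failing the whole save, but a PersonId that does not match the session is refused outright, since a legitimate client never sends one.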

Remediation

On March 18, 2023, Raptor Technologies deployed an update to its Volunteer Management application to address this issue.

Since this is a SaaS / cloud-hosted solution, end users, implementers and integrators should not need to do anything to update or patch to address the issue.

Disclosure Timeline

January, 2023: Issues discovered by Tony Porterfield of Rapid7
Tue, Jan 10, 2023: First contact to the vendor, opened ticket #00711217
Mon, Jan 30, 2023: Case opened with CERT/CC, VRF#23-01-NGZBZ
Fri, Feb 17, 2023: CERT/CC VINCE case VU#679276 opened
Fri, Mar 3, 2023: Report acknowledged by the vendor, clarifications provided
Wed, Mar 8, 2023: Details discussed with the vendor, extended disclosure time by approximately 30 days
Sat, Mar 18, 2023: Fixes deployed
Tue, Apr 11, 2023: This disclosure

Rapid7 Announces Partner of the Year Awards 2023 Winners

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/03/30/rapid7-announces-partner-of-the-year-awards-2023-winners/


It’s with immense pleasure that we announce today the winners of the Rapid7 Partner of the Year Awards 2023. All our category winners have achieved exceptional growth—demonstrating their dedication to, and collaboration with, the Rapid7 Partner Program throughout the year.

“We are incredibly honoured to accept the Rapid7 Partner of the Year Award. This recognition is a testament to the hard work and dedication of our entire team, as well as the strong partnership we have built with Rapid7,” said Tim Sank, Co-Founder of Cythera. “This award is not only a validation of our collective efforts but also a motivation to continue delivering best-in-class security solutions to help protect businesses across the APAC region. We are proud to be a Rapid7 partner and we look forward to many more years of success together.”

We’re very proud to share our complete list of winners. Please join us in congratulating them all.

APAC

Rapid7 APAC Partner of the Year: Cythera Pty Ltd
APAC Highest Customer Retention of the Year: The Missing Link
APAC Cloud Security Partner of the Year: DGplex Pty Ltd
APAC Detection & Response Partner of the Year: Blue Apache Pty Ltd
APAC Emerging Partner of the Year: Cyber Risk
APAC Vulnerability Management Partner of the Year: Datacom Group Ltd
APAC Managed Services Partner of the Year: Triskele Labs

EMEA

Rapid7 EMEA Partner of the Year: Softcat PLC
EMEA Best Customer Retention: Saepio Solutions Ltd
EMEA Cloud Security Partner of the Year: AllCloud
EMEA Detection & Response Partner of the Year: Switchpoint
EMEA Distributor of the Year: Infinigate Deutschland GmbH
EMEA Emerging Partner of the Year: Communication Systems GmbH
EMEA Fastest Growth Partner of the Year: Bytes Technology Group
EMEA Vulnerability Management Partner of the Year: Davinsi Labs
EMEA MSSP Partner of the Year: Integrity360

North America

Rapid7 North America Partner of the Year: CDW Corporation
North America Best Customer Retention: Insight
North America Cloud Security Partner of the Year: SHI International Corp.
North America Detection & Response Partner of the Year: Cyber Watch Systems
North America Distribution Partner of the Year: Liquid PC
North America Emerging Partner of the Year: Alchemy Technology Group, LLC
North America Fastest Growth Partner of the Year: Bird Rock Systems, Inc
North America Vulnerability Management Partner of the Year: Optiv Security Inc.
North America MSSP Partner of the Year: Acrisure Cyber Services

More about our partner program

The Rapid7 PACT Program is built to inspire our partners to grow with us and achieve mutual success through accountability, consistency, and transparency. By participating in the program, partners can offer powerful, industry-leading solutions to our joint customers, resulting in mutual success for all.

If you’re interested in becoming a Rapid7 partner, you can learn more here.

Congratulations again to all our winners!

Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/


Emergent threats evolve quickly. We will update this blog with new information as it comes to light and we are able to verify it. Erick Galinkin, Ted Samuels, Zach Dayton, Caitlin Condon, Stephen Fewer, and Christiaan Beek all contributed to this blog.

On Wednesday, March 29, 2023, multiple security firms issued warnings about malicious activity coming from a legitimate, signed binary from communications technology company 3CX. The binary, 3CXDesktopApp, is popular video-conferencing software available for download on all major platforms. Several analyses have attributed the threat campaign to state-sponsored threat actors.

Rapid7’s threat research teams analyzed the 3CXDesktopApp Windows binary and confirmed that the 3CX MSI installer drops the following files: 3CXDesktopApp.exe, a benign file that loads the backdoored ffmpeg.dll, which reads an RC4-encrypted blob after the hexadecimal demarcation of fe ed fa ce in d3dcompiler.dll. The RC4-encrypted blob in d3dcompiler.dll is executable code that is reflectively loaded and retrieves .ico files with appended Base64-encoded strings from GitHub. The encoded strings appear to be command-and-control (C2) communications. There is a non-exhaustive list of indicators of compromise (IOCs) at the end of this blog.

Rapid7 reached out to GitHub’s security team the evening of March 29 about the GitHub repository being used as adversary infrastructure in this campaign. As of 9:40 PM ET, the malicious user has been suspended and the repository is no longer available.

Rapid7 Managed Detection and Response (MDR) has observed the backdoored 3CX installer and components in several customer environments as of March 29, 2023. Rapid7 MDR is in contact with customers that we believe may be impacted.

Mitigation Guidance

Official guidance from 3CX confirms that the Windows Electron client running update 7 is affected. However, security firm CrowdStrike indicated in a Reddit thread on March 29 that malicious activity has been observed on both Windows and Mac. Out of an abundance of caution, a conservative mitigation strategy would be to uninstall 3CXDesktopApp on all platforms and remove any artifacts left behind. Users should retroactively hunt for indicators of compromise and block known-bad domains. There is a non-exhaustive list of known-bad domains and malicious file hashes at the end of this blog.

3CX has a browser-based Progressive Web App (PWA) that does not require the user to download an executable file. Their CEO has suggested users leverage this PWA for the time being instead of downloadable clients.

Rapid7 customers

The following new rules have been added for Rapid7 InsightIDR and Managed Detection & Response (MDR) customers and will alert on known-bad hashes and file versions of the backdoored executable, as well as known-bad domains in WEB_PROXY and DNS logs:

  • Suspicious Web Request – 3CX Desktop Supply Chain Compromise
  • Suspicious DNS Request – 3CX Desktop Supply Chain Compromise
  • Suspicious Process – 3CX Desktop Supply Chain Compromise

InsightVM and Nexpose customers can use Query Builder or a Filtered Asset Search to find assets in their environment with 3CX installed using Software Name contains 3CX Desktop App.

A Velociraptor artifact is available here.

Indicators of compromise

A non-exhaustive list of known-bad domains is below. We advise blocking these immediately:

akamaicontainer[.]com
akamaitechcloudservices[.]com
azuredeploystore[.]com
azureonlinecloud[.]com
azureonlinestorage[.]com
convieneonline[.]com
dunamistrd[.]com
glcloudservice[.]com
journalide[.]org
msedgepackageinfo[.]com
msstorageazure[.]com
msstorageboxes[.]com
officeaddons[.]com
officestoragebox[.]com
pbxcloudeservices[.]com
pbxphonenetwork[.]com
pbxsources[.]com
qwepoi123098[.]com
sbmsa[.]wiki
sourceslabs[.]com
Soyoungjun[.]com
visualstudiofactory[.]com
zacharryblogs[.]com

More granular URLs our team has decrypted from C2 communications include:

hxxps[://]akamaitechcloudservices[.]com/v2/storage
hxxps[://]azuredeploystore[.]com/cloud/services
hxxps[://]azureonlinestorage[.]com/azure/storage
hxxps[://]glcloudservice[.]com/v1/console
hxxps[://]msedgepackageinfo[.]com/microsoft-edge
hxxps[://]msedgeupdate[.]net/Windows
hxxps[://]msstorageazure[.]com/window
hxxps[://]msstorageboxes[.]com/office
hxxps[://]officeaddons[.]com/technologies
hxxps[://]officestoragebox[.]com/api/session
hxxps[://]pbxcloudeservices[.]com/phonesystem
hxxps[://]pbxphonenetwork[.]com/voip
hxxps[://]pbxsources[.]com/exchange
hxxps[://]sourceslabs[.]com/downloads
hxxps[://]visualstudiofactory[.]com/workload
hxxps[://]www[.]3cx[.]com/blog/event-trainings/
hxxps[://]zacharryblogs[.]com/feed

File hashes:

Compromised MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868

3CXDesktopApp.exe: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
ffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
d3dcompiler_47.dll: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03

The following file hashes have been reported as related and malicious by the community but not independently verified by Rapid7 analysts:

dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
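As an added example (not Rapid7’s InsightIDR rules or the Velociraptor artifact), the following script shows the kind of matching those detections perform over DNS, web-proxy and software-inventory telemetry: it refangs a subset of the indicators listed above and runs them over constructed sample records. The log line format, the host names and the benign dummy digest are made up for the example; the domains, URLs and SHA-256 values are copied verbatim from this post.

```python
import re
from urllib.parse import urlparse

# Subset of the defanged indicators listed above, copied from the post.
DEFANGED_DOMAINS = [
    "akamaicontainer[.]com", "azuredeploystore[.]com", "msstorageazure[.]com",
    "msstorageboxes[.]com", "officestoragebox[.]com", "pbxsources[.]com",
]
DEFANGED_URLS = [
    "hxxps[://]officestoragebox[.]com/api/session",
    "hxxps[://]pbxsources[.]com/exchange",
]
KNOWN_BAD_HASHES = {  # SHA-256 values from the "File hashes" section above
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",  # compromised MSI
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",  # 3CXDesktopApp.exe
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896",  # ffmpeg.dll
    "11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03",  # d3dcompiler_47.dll
}


def refang(indicator):
    """Turn a defanged indicator (hxxps[://]host[.]tld) back into a matchable string."""
    return (indicator.replace("hxxps[://]", "https://")
                     .replace("hxxp[://]", "http://")
                     .replace("[.]", "."))


BAD_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
BAD_URLS = {refang(u).lower() for u in DEFANGED_URLS}


def domain_is_bad(name):
    """Exact or subdomain match, so a lookup under a listed domain is also caught."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BAD_DOMAINS)


def scan_dns(lines):
    """Return (host, queried name) for every DNS record that resolves a listed domain."""
    hits = []
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        query = re.search(r"query=(\S+)", line)
        if host and query and domain_is_bad(query.group(1)):
            hits.append((host.group(1), query.group(1)))
    return hits


def scan_proxy(lines):
    """Return (host, url) for proxy records hitting a listed URL or a listed domain."""
    hits = []
    for line in lines:
        host = re.search(r"host=(\S+)", line)
        url = re.search(r"url=(\S+)", line)
        if not (host and url):
            continue
        u = url.group(1)
        if u.lower() in BAD_URLS or domain_is_bad(urlparse(u).hostname or ""):
            hits.append((host.group(1), u))
    return hits


def scan_files(inventory):
    """Return (host, file name) for inventory entries whose digest is a known-bad hash."""
    return [(h, name) for h, name, digest in inventory if digest.lower() in KNOWN_BAD_HASHES]


# Constructed sample telemetry (format and hosts are invented for the example).
SAMPLE_DNS = [
    "2023-03-29T14:02:11Z host=WS-0142 query=msstorageazure.com type=A",
    "2023-03-29T14:02:15Z host=WS-0142 query=update.msstorageboxes.com type=A",
    "2023-03-29T14:03:00Z host=WS-0201 query=www.example.invalid type=A",
]
SAMPLE_PROXY = [
    "2023-03-29T14:05:40Z host=WS-0142 url=https://officestoragebox.com/api/session status=200",
    "2023-03-29T14:06:02Z host=WS-0377 url=https://www.example.invalid/ status=200",
]
SAMPLE_FILES = [  # (host, file name, sha256); the second digest is a dummy value
    ("WS-0142", "ffmpeg.dll", "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"),
    ("WS-0377", "ffmpeg.dll", "00" * 32),
]

if __name__ == "__main__":
    print("DNS hits:  ", scan_dns(SAMPLE_DNS))
    print("Proxy hits:", scan_proxy(SAMPLE_PROXY))
    print("File hits: ", scan_files(SAMPLE_FILES))
```

The suffix match in domain_is_bad is deliberate: blocking or alerting on the registered domain alone would miss lookups for hosts beneath it, while a plain substring match would also flag unrelated names that merely contain the string. The decrypted URL list above is matched only as full URLs here, because it includes the legitimate www.3cx.com domain, which must not end up on a domain blocklist.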

Executive Webinar: Confronting Security Fears to Control Cyber Risk, Part Three

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/03/29/executive-webinar-confronting-security-fears-to-control-cyber-risk-part-three/


In the final installment of our webinar “Confronting Security Fears to Control Cyber Risk,” Jason Hart, Rapid7’s Chief Technology Officer, EMEA, discusses how adopting a cyber target operating model can eliminate cybersecurity silos and increase the effectiveness of your cybersecurity program. If you haven’t already, watch parts one and two before delving into this final segment.

Part One: Cybersecurity Simplicity focused on how to encourage everyone associated with your organization to develop a cybersecurity mindset. To accomplish this, Hart recommends that CISOs decentralize cybersecurity to instill accountability and ownership across the entire business.

Part Two: Cybersecurity Elasticity focused on why organisations must develop the ability to adapt while being able to quickly revert to their original structure after times of great stress and impact.

In the presentation, Hart details how executives can create a Protection Level Agreement (PLA) between the security department and senior leadership team, ensuring everyone works to a common timeline and goals. Measuring success and identifying weaknesses in a PLA is also key. Cybersecurity tools that automate reporting on a wide variety of KPIs can help security teams communicate effectiveness to leadership.

Operationalising Cybersecurity

Part Three: Cybersecurity Tranquility offers practical and actionable advice on how to implement a target operating model that aligns with your business, reduces risks and enables a positive security culture.

In the presentation, Hart outlines a twelve step process to operationalise security:

  1. Understand what an operating model is and map out key dependencies for scope, risk, PLA, and KPIs.
  2. Document your current operating model.
  3. Undertake mapping of scope and categorize business functions by impact.
  4. Implement KPIs to track the effectiveness of your current operating model.
  5. Use data from KPIs aligned to business functions to show the effectiveness of the current operating model.
  6. Implement PLAs to align the business, process and technology to drive change.
  7. Present monthly PLAs to stakeholders and business functions to measure effectiveness from current operating model to target operating model.
  8. Enable automation of KPI data aligned to core foundations to feed into PLA.
  9. Identify process and accountability challenges using PLAs underpinned by KPI data.
  10. Use the PLA to explain and show the effectiveness of cybersecurity investment.
  11. Apply the same process to the next business function.
  12. Target operating model starts to form part of the business process.


Celebrating Women’s History Month at Rapid7

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/03/22/celebrating-womens-history-month-at-rapid7/


Each March, we reflect on the historical accomplishments and ongoing need to support women. This, of course, should be embraced all 12 months of the year, but Women’s History Month gives us a special opportunity to learn from, celebrate, and amplify the voices of women.

At Rapid7, we’re shining a light on women’s voices all month long with special events and panel discussions, while recommitting to the ongoing efforts that last all year long. Below you’ll find some highlights from our International Women’s Day panel, which focused on equity, inclusion, and advocacy in the workplace.

Rapid7 International Women’s Day Panel

This year’s panel focused on the difference between equity and equality. While historically the focus has been on creating equal opportunities, it’s argued that focusing instead on equitable policies is more effective, as it takes into account the advantages and disadvantages of each individual’s circumstance.

“If we want to drive equitable processes to create an EQUAL playing field, we need to recognize the advantages and disadvantages that are out there today, and address them,” said Laura Ellis, Rapid7 Vice President of Data Engineering and Platform Analytics.

Creating equitable processes requires a dedicated effort and requires us to lean into hard conversations to address common stigmas. If organizations are committed to creating equitable policies and practices, having a culture that supports safe spaces is essential in getting to the most impactful solutions.

“Safety comes easy for a lot of our dominant groups or leaders with a certain title—but we should be aware that it’s not always there for our non-dominant groups,” said Nancy Li, Rapid7 Director of Engineering. “Be open to trying different forums where people can speak. Your loudest voices aren’t always representative of the whole population.”

So, what are some practices that we can take into the workplace to help create more equitable workplaces? Here are a few additional takeaways from the discussion.

  1. Grow your teams with intention. If you are a hiring manager, or in a role where you influence hiring, slow down and partner with your Talent Acquisition team to ensure you’re seeking out a diverse candidate pool right from the start. Ask questions about where they are sourcing talent, what schools and universities they are historically partnering with, and see if there are opportunities to incorporate more diversity into the talent pipeline. It doesn’t stop once someone gets hired either—mentoring and providing support can help them gain the skills necessary to continue to advance their careers. Build out a multi-dimensional team, and be open to the ways that each member’s different experiences can help fuel the innovation and creativity of the team.
  2. Be an Upstander for One Another. Many women on the panel shared experiences of when another woman or a male ally stood up for them in the moment. What was shared was that once you feel the support of someone standing up for you by pointing out something that wasn’t right, it makes that person feel even more comfortable passing that support on and standing up for someone else. As stated by one group member, “After an upstander demonstrates how you should be treated—what a difference it makes in your confidence, and in your ability to be an upstander for someone else and pay that forward. Embrace it and then pass it on and use it to support someone else.”
  3. Recognize that progress is fragile—we cannot lose focus. While women have made significant advancements in the workplace, the COVID-19 pandemic illustrated just how fragile this progress can be, especially when many women still bear the brunt of caregiving. While panelists observed progress being made and the gender diversity of the teams around them, they also pointed out that post-pandemic, many women who left the workforce still have yet to return. In fact, the US Department of Labor reported that more than two years post-pandemic, women’s labor participation is still a full percentage point lower than what it was pre-pandemic. This means that roughly 1 million women are missing from the labor force. Flexible working policies provide a way to ensure that employees are able to balance their personal commitments and caregiving responsibilities with their work responsibilities. Offering this flexibility to both men and women in the workplace takes this one step further, as it was noted that even policies that are not exclusively for women have the ability to impact women elsewhere, as families are able to share responsibilities more equally.
  4. We all have imposter syndrome. Imposter syndrome isn’t something that is limited to a specific pay band or job level. We are consistently our own toughest critic, and can sometimes feel like there is “someone else” who should be taking advantage of an opportunity or stepping up to take on a leadership role. To combat imposter syndrome, the panel recommended looking around the room to determine where your skills can add value, and not being afraid to share that. It was also mentioned that many women are quick to brush off compliments when they are recognized for their work. However, it takes a lot for someone to go out of their way and pay you a compliment, so when that happens, lean into it and really listen to that positive feedback. Those moments can really make an impact on what you believe you are capable of, and make it easier to overcome that feeling of imposter syndrome. Finally, the group stressed the importance of leveraging the resources available to you through your employer, whether it’s access to therapy services or an employee assistance program. Sometimes the key to overcoming imposter syndrome is having someone help us reframe the situation, and shift our perspective. There’s no shame in speaking with someone who is trained to help us navigate all stages of life and career.
  5. Use your voice. Even if it shakes. When paving the path to a more equitable world, things aren’t going to be easy or comfortable the whole time. Continue to speak up and speak out – both for yourself, and for others.

This panel discussion took place on March 8th, and through the month our Women Impact Group will continue to partner with the business to host open and honest conversations and opportunities for reflection and education. This includes an allyship training session hosted by both our Women’s Impact Group and our PRIDE Impact Group, with guests from PFLAG.

In our internal communication channels, we’re spotlighting women in our organization who are making a considerable impact on our business and customers, shining an extra spotlight on the work and accomplishments of our own women at Rapid7. In a fireside chat, “Celebrating Women’s Voices”, leaders shared their own experiences in the workplace and the importance of sharing our journeys and building each other up. From parenting challenges to advocating for yourself and others, to moments of self doubt, these personal stories are shared to emphasize the importance of hard conversations and navigating challenges.

While we remain committed to uplifting the voices and representation of women in our industry throughout the year, we’re proud to have our Rapid Impact Groups driving these events in March that spark important conversations and provide real resources and opportunities for connection and community for our people.

Click here to learn more about our Rapid Impact Groups, and our ongoing commitment to diversity at Rapid7.

Practice Operations Manager Looks Back On First Five Months With Rapid7

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/03/20/practice-operations-manager-looks-back-on-first-three-months-with-rapid7/

Elianna Sfez is a Detection and Response Practice Operations Manager based in Rapid7’s Tel Aviv office. As she approaches her six-month anniversary with the company, we sat down to chat about her new hire journey, initial impressions and experiences in her new role, Rapid7 culture, and more.

Tell me about your role at Rapid7.

I am the Threat Intelligence Practice Operations Manager. My main goal is to help our teams work more efficiently on cross functional projects, whether that’s within our specific practices or between practice teams. Most of the projects I deal with are aimed at supporting the customer experience and improving the customer journey. In my role, I look at everything from R&D to Customer Success and Product and look for ways to deliver the best experience and journey for our customers. Typically, that means identifying bottlenecks and looking for ways to make things better.

What made you excited to join Rapid7?

In my career, I’ve worked with a mix of true startups, as well as companies that were transitioning from the startup phase to a more mature corporation by way of acquisition. This specific type of growth is really interesting to me—seeing the transformation happen as they move from a small startup to a larger company. With Rapid7, I was excited about the challenge of the role. With the maturity of the company and its acquisition of IntSights, I was really excited to be part of navigating that change for the team and building out this new role in Tel Aviv.

What are the major differences you see between working in a startup environment vs. a more global corporation?

There are a lot of differences moving from a startup to a larger corporation, mostly in the way you work and the pressure of the environment. In a startup, you have to be very reactive and respond to challenges at any time—even if it means being up at 3:00 am to troubleshoot issues. There’s a ‘whatever it takes’ mentality as you are trying to build something from the ground up. It’s important to get that momentum going and have the ability to wear a lot of different hats to solve challenges. The CTO is often right in the trenches with you, and everyone is working around the clock to keep the business moving forward.

As you get larger, you have to get better at being proactive and seeing that fire coming, and figuring out how to fix it before it becomes an issue. Cybersecurity is a field where this is really important because hackers are advancing every day. We’re challenging ourselves to anticipate what customers are going to need 6 months, a year, or two years from now, so we can continue to stay ahead. In a bigger company you have more resources and people who are able to be experts in their areas of focus. We have teams that we can rely on for their insights and expertise, and you aren’t on your own to solve problems. You have more of a support system to lean on and that also helps you grow and learn too.

How would you describe your onboarding experience?

My onboarding experience was interesting, mostly because I don’t have any team members locally in Israel. My manager is in the US and we’re truly a global team. Regardless, people were really welcoming and amazing each step of the way. It was nice to meet other new hires from around the world during the global onboarding sessions, and everyone in the local office was eager to learn more about what I do, and how they can help.

My manager created an onboarding project plan which was also really helpful. I got to see an overview of what my first week would look like, what my first month would look like, and felt confident knowing everything was set up already. There was a good mix of meetings on my calendar with people my manager wanted me to connect with, but I also had enough unscheduled time where I was encouraged to do my own outreach and determine who else I would want to connect with and learn from as well.

Having ownership in the process made it really exciting and gave me permission to ask questions and learn more about the business. My manager even asked me to think about three things I wanted to go and learn more about or become an expert in. That permission to grow and learn right from the start is really empowering in terms of creating your own career path.

What do you enjoy most about your role?

I enjoy the challenge of working with a global team to help build and improve on our customer experiences. I feel I am creating an impact, and that I have the support of the people around me. One thing I’ve found here is that even if someone doesn’t have an answer to your question, they are more than happy to help you find the right person or go find out and circle back with you. Everyone here has new ideas, and those ideas are really welcome. People are curious and ask the right questions to get to the root of a challenge, and there’s an appetite to keep trying new things to find solutions.

How would you describe R7 to someone outside the company?

Everyone has a shared goal of bringing more value to our customers. That alignment helps us all feel connected and committed to helping each other get to the best outcomes possible. It’s a big job and it takes a lot of work, but it also gives you an incredible opportunity to grow in a place where you are supported and encouraged to try new things.

How do the Rapid7 values influence workplace culture?

The company is really living its core values; it’s not just something that they promote externally. Everyone is expected to be transparent and open, and everyone is really supportive in helping you grow and do the best work possible.

When it comes to workplace flexibility, there’s a culture where everyone trusts one another to do what they need to do. As a mom, this means I’m able to leave early and pick up my son and then jump on after hours to wrap things up. I’m having my second child in April, and Rapid7 hired me while I was pregnant. All of my team members were so welcoming and wonderful about this. I’ve even recommended a friend to cover for my role while I’m on maternity leave.

I honestly can’t say enough good things about the culture of the company, the values they have, and the exciting and interesting work that’s being done. There’s an opportunity to do really incredible and impactful work, but also have that space to create balance in our lives without being judged or feeling guilty.

To learn more about opportunities available at Rapid7, visit: careers.rapid7.com.

Executive Webinar: Confronting Security Fears to Control Cyber Risk, Part Two

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/03/14/executive-webinar-confronting-security-fears-to-control-cyber-risk-part-two/

Part two of Confronting Security Fears to Control Cyber Risk was presented live on March 9th for EMEA and will be delivered on March 16th for APAC. The 40-minute session focuses on the importance of developing cybersecurity elasticity.

In the session, Jason Hart, Rapid7’s Chief Technology Officer, EMEA, will discuss how organisations can develop the ability to adapt while being able to quickly revert to their original structure after times of great stress and impact. To do so, organisations must first address some common cybersecurity challenges:

  • Alignment of ownership and accountability: Cybersecurity should be decentralised across the business–not just an IT security function
  • Scope on where to focus: Not all risks are equal and risk can compound based on business needs and transformation
  • Translation: The requirement to translate cybersecurity needs and requirements across the whole of an organisation

To accomplish these goals, Hart recommends focusing on:

  • Culture: Enable a culture that makes cybersecurity part of the business process and creates a culture of ownership and accountability
  • Measurement: Translating cybersecurity data to allow all organisational stakeholders and personas to understand the context and need
  • Direction: The creation of a North Star, i.e. a cybersecurity strategy, that is clearly communicated and that has clearly defined objectives and outcomes

For many organizations, that strategy comes in the form of a Protection Level Agreement (PLA).

Cybersecurity Elasticity

A PLA is an agreement between two or more parties, where one is the business (stakeholders), and the others are protection provider(s) (Product Management, IT, 3rd Party Development). Both parties should be equally involved in creating and implementing the PLA, ensuring that expectations are realistic, needs are met, and all parties are bought into the agreement.

In this session, Hart will detail how executives can create a PLA between the security department and senior leadership team, ensuring everyone works to a common timeline and goals. A well-designed PLA ensures teams are focused and efficient in responding to cybersecurity events. So, clearly defining who owns and is accountable for PLA responsibilities is essential.

Measuring success and identifying weaknesses in a PLA is also key. Cybersecurity tools that automate reporting on a wide variety of KPIs can help security teams communicate effectiveness to leadership.

To learn more, register here:

Confronting Security Fears to Control Cyber Risk: Part Two

Cybersecurity Simplicity

Earlier this month, Rapid7 presented part one of a webinar called “Confronting Security Fears to Control Cyber Risk”. The webinar, available on demand, focused on cybersecurity simplicity and why everyone associated with your organization must develop a cybersecurity mindset. To do so, CISOs must decentralize cybersecurity and instil accountability and ownership across a business. If you haven’t already seen it, you can watch it below:

Related assets:

Confronting Security Fears to Control Cyber Risks Presentation
Part 1 slides
Part 2 slides

Target Operating Model KPIs

Implementing Protection Level Agreements

EMEA Executive Round Table

Insight VM Free Trial

Executive Webinar: Confronting Security Fears to Control Cyber Risk

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/02/28/executive-webinar-confronting-security-fears-to-control-cyber-risk/

Last week, Rapid7 presented part one of a webinar called “Confronting Security Fears to Control Cyber Risk”. The webinar, which is available on demand, focused on cybersecurity simplicity and why everyone associated with your organization must develop a cybersecurity mindset. To do so, CISOs must decentralize cybersecurity and instil accountability and ownership across a business.

In the session, which you can view below, Jason Hart, Rapid7’s Chief Technology Officer, EMEA, shared his experiences to help executives enhance their cyber mission and vision statements to create a positive cybersecurity culture that permeates the business.

Cybersecurity effectiveness

Historically, cybersecurity was seen as a very technical discipline, and as a result, it was siloed as a department. Today, cybersecurity has become a responsibility of the entire organization, and as a result, mindsets within organizations need to change to reflect this shift.

Additionally, many organizations have good ideas and intentions when it comes to cybersecurity, but poor execution results in under-utilized security stacks. Stakeholders and other executives assume CISOs know what they are doing and trust them to get on with it. Meanwhile, CISOs, coming from a very technical background, need more business transformation experience and the ability to communicate their vision. This must change to encourage cybersecurity effectiveness.

“As an industry, we have an amazing ability to overcomplicate cybersecurity,” Hart said. “With this presentation, I want to enable organizations to execute an effective cyber security target operating model that reduces risk.”

Operating model for cybersecurity

Organizations need an operating model that works with their technology platform to decentralize cybersecurity. The operating model should translate the technical aspects of cybersecurity into something more digestible for stakeholders.

It is critical that the operating model takes a top-down approach. To be effective, accountability for security measures should be led by teams at the top. It doesn’t stop there, however. Roles and responsibilities must be defined across the entire organization – every single individual needs to be part of the cybersecurity process. A successful operating model for cybersecurity empowers everyone within the business to think about security. By involving every individual, organizations can increase their cybersecurity effectiveness and share accountability across the business.

Additionally, the operating model should include tools to measure outcomes and effectiveness, so organizations can understand which processes are working. This ensures technology is fully utilized to deliver the best possible outcomes and ROI. You can watch part one of our presentation below that discusses these points in greater detail:

Cybersecurity elasticity

Part two of Confronting Security Fears to Control Cyber Risk will be presented live on March 9th for EMEA and March 16th for APAC.

In this session, you’ll learn why modern organizations need to develop the ability to adapt while being able to quickly revert to their original structure after times of great stress and impact. Hart will also detail how executives can create a Protection Level Agreement (PLA) with the security department, ensuring everyone works to a common timeline and goals.

Confronting Security Fears to Control Cyber Risk: Part Two

Rapid7 CEO Corey E. Thomas Appointed To National Security Telecommunications Advisory Committee

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/02/16/rapid7-ceo-corey-e-thomas-appointed-to-national-security-telecommunications-advisory-committee/

President Biden has announced his intent to appoint a group of highly qualified and diverse industry leaders, including Rapid7 chairman & CEO Corey E. Thomas, to the President’s National Security Telecommunications Advisory Committee (NSTAC).

NSTAC’s mission is to provide the best possible technical information and policy advice to assist the President and other stakeholders responsible for critical national security and emergency preparedness (NS/EP) services. The committee advises the White House on the reliability, security, and preparedness of vital communications and information infrastructure. It is focused on five key themes:

  • Strengthening national security
  • Enhancing cybersecurity
  • Maintaining the global communications infrastructure
  • Assuring communications for disaster response
  • Addressing critical infrastructure interdependencies and dependencies

Thomas joins a talented group of telecommunications and security executives from companies such as AT&T, Microsoft, Cisco, Lockheed Martin, T-Mobile, and Verizon. These executives bring diverse perspectives backed by years of unique industry experience.

“It is an extreme honor and privilege to be named to the President’s National Security Telecommunications Advisory Committee,” said Thomas. “I look forward to the remarkable opportunity to provide cybersecurity guidance to the President’s administration and to work alongside and learn from this talented group of individuals, many of whom I’ve admired throughout my career.”

Rapid7 and USF: Building a diverse cybersecurity workforce is not optional

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/02/13/rapid7-and-usf-building-a-diverse-cybersecurity-workforce-is-not-optional/

By Raj Samani and Peter Kaes

Today marks an important day for Rapid7, for the state of Florida, and if we may be so bold, for the future of our industry. The announcement of a joint research lab between Rapid7 and the University of South Florida (USF) reaffirms our commitment to driving a deeper understanding of the challenges we face in protecting our shared digital space, while ushering in new talent to ensure that the cyber workforce of tomorrow is as diverse as the individuals who create the shared digital space we set out to protect.

With the Rapid7 Cybersecurity Foundation, we are proud to announce the opening of the Rapid7 Cyber Threat Intelligence Lab in Tampa, at USF. We intend for the lab to be an integral component in real-time threat tracking by leveraging our extensive network of sensors, and incorporating this intelligence not only into our products for our customers, but also making actionable indicators available to the wider community. This project also reaffirms our commitment to making cybersecurity more accessible to everyone through our support of research, disclosure, and open source, including projects such as Metasploit, Recog, and Velociraptor to name a few.

We believe that providing USF faculty and students this breadth of intelligence will not only support their journey in learning, but fundamentally provide a clearer path in determining areas to focus in their careers. We are hopeful that working side by side with Rapid7 analysts can help propel this journey, and enhance the meaningful research developed by the university.

As part of the commitment for this investment—and consistent with the guiding principles of the Rapid7 Cybersecurity Foundation—we intend to promote diversity within the cybersecurity workforce. In particular, we plan on opening doors to individuals from historically underrepresented groups within the cybersecurity workforce. With the objective to ensure that research projects are inclusive of those from all backgrounds, we are optimistic that not only will this introduce hands-on technical content to those who may not otherwise have such opportunities, but also, in the longer term, encourage greater diversity within the cybersecurity industry as a whole. We remain steadfast in our commitment to broadening the opportunities within cybersecurity to all those with a passion for creating a more secure and prosperous digital future.

We are deeply thankful to USF for their shared vision, and look forward to a partnership that benefits all students and faculty while producing actionable intelligence that can support the entire internet and the broader industry. Ultimately, the threatscape is such that we recognise no one organization can stop attackers on their own. This partnership remains part of our commitment to establish the relationships between private industry and partners that include academia.

Evasion Techniques Uncovered: An Analysis of APT Methods

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/02/09/evasion-techniques-uncovered-an-analysis-of-apt-methods/

By Christiaan Beek, with special thanks to Matt Green

DLL search order hijacking is a technique used by attackers to elevate privileges on the compromised system, evade restrictions, and/or establish persistence on the system. The Windows operating system uses a common method to look for required dynamic link libraries (DLLs) to load into a program. Attackers can hijack this search order to get their malicious payload executed.

DLL sideloading is similar to the above-mentioned technique; however, instead of manipulating the search order, attackers place their payload alongside the victim’s application or a trusted third-party application. Abusing trusted applications to load their payload may bypass restrictions and evade endpoint security detections, since the payload is loaded into a trusted process.

Attribution remains a topic of significant subjectivity, especially when attempting to connect an attack to a nation state. A common approach in determining the source has been to evaluate the techniques used by the perpetrator(s). DLL search order hijacking (T1574.001) and DLL sideloading (T1574.002) are common approaches used by nation-state-sponsored attackers.

PlugX

The PlugX malware family, which has been around for more than a decade, is famous for using both techniques to bypass endpoint security and inject itself into trusted third-party applications. PlugX is a remote access trojan with modular plugins. It is frequently updated with new functionalities and plugins.

[Image: Example of PlugX builder]

[Image: Example of modules in the code]

In recent years, MITRE ATT&CK, CISA, and others have associated the PlugX family with various Chinese actors. Builders of the PlugX malware have been leaked to the public and can be used by other actors having access to the builders.

In January 2023, we observed activity from a China-based group called Mustang Panda using PlugX in one of their campaigns. In this particular case, they used a virtual hard disk (VHD) file to hide the malicious files from antivirus detection. The VHD, which automatically mounted when opened, contained a single archive file (RAR) that extracted the typical three files associated with PlugX:

  1. Trusted binary (executable .exe)
  2. Hijacked driver (DLL file)
  3. Encrypted payload file (often a DAT file)

The trusted binary was variously an AV vendor file, an operating system file, or a third-party vendor file. These files are signed and therefore usually trusted by endpoint technology.

This approach is known as a Mark-of-the-Web (MOTW) bypass (T1553.005). In short, container files downloaded from the Internet are marked with the MOTW, but the files inside them do not inherit the mark once the container is extracted or mounted. Files that do carry the MOTW are not executed unless they are trusted.

While we observed Mustang Panda using a VHD file to hide malicious files, it is worth noting that ISO files may also be used, as they are also automatically mounted.

Hunting with Velociraptor

Because PlugX injects itself into a trusted process by abusing a trusted executable, this threat is often only detected when its outgoing Command & Control (C2) traffic is discovered, usually by accident or because someone flagged the IP address as malicious. One classic mistake I’ve observed over the years is that when companies see in their AV logs that malware has been removed, they often don’t look further into what type of malware it is, what its capabilities are, and whether it is nation-state or cybercrime related. Yet the appropriate incident response handling differs for each.

Many nation-state actors want long-term persistence in a network and have established ways of staying inside even if a few of their open doors are closed (think of added valid accounts, webshells, other backdoors, etc.). A dead C2 server can be a sign of this, as the actor may have used it only for initial entry to the network.

For example, we recently observed what appeared to be an incident where some suspicious password dumping tools were discovered. Although the security team removed the tools, they seemed to come back into the network.

After meeting with the team and reviewing some of the logs of the incidents, it was time to grab one of my favorite (and free) tools: Velociraptor. Velociraptor is Rapid7’s advanced open-source endpoint monitoring, digital forensic and cyber response platform. It enables users to effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.

Velociraptor offers a wealth of forensic and hunting options; the first step was to acquire live collections of data from the affected endpoints to investigate.

After investigating the initial memory dumps, remnants were discovered where a process was talking to an outside IP address. The process itself was using a DLL that was not located in a standard location on disk. After retrieving the folder from the victim’s machine and reversing the process, it became clear: PlugX was discovered.

There are several ways Velociraptor can be used to hunt for DLL search order hijacking or sideloading. In this particular case, we’ll discuss the approach for PlugX malware.

We could hunt for:

  • Process / Mutex
  • Lnk Files
  • Disk
  • Memory
  • Network traffic / C2 URL/IP-address

Using the YARA toolset, we created rules for malicious or suspicious binaries and memory patterns. Velociraptor can apply these rules to bulk data on disk, to process memory, or to raw memory using the ‘yara()’ and ‘proc_yara()’ VQL plugins.

Based on recent PlugX samples (end of 2022, beginning of 2023), we created the following rule (which can be downloaded from my GitHub page):

[Image: YARA rule for recent PlugX DLL samples]

Using this rule, which is based on code patterns from the DLL component used in PlugX, Velociraptor will hunt for and detect these DLL files. Once detected, you can look at the impacted systems, take a memory dump and process dumps, and investigate the system for suspicious activity. The directory where the DLL is stored will most likely also contain the payload and the trusted binary, all written to disk at the same time.

Recently my colleague Matt Green released a repository on Github called DetectRaptor to share publicly available Velociraptor detection content. It provides you with easy-to-consume detection content to hunt for suspicious activity. One of the libraries Matt is importing is from https://hijacklibs.net/, a list of files and locations that are indicators of DLL hijacking (including PlugX). If you look at the non-Microsoft entries in the ‘hijacklibs.csv’, several instances are related to PlugX incidents reported by multiple vendors.

After importing the content, Velociraptor can start hunting and detecting possible signs of DLL hijacking and, for example, PlugX.
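The location check behind a hijacklibs-style hunt, as an added example that is not part of the original post or of DetectRaptor: a listed DLL loaded from outside its expected directories is flagged, and flagged higher when it sits beside the image that loaded it. The CSV schema, the location tokens, the DLL names and the module records are all constructed for this example; the real hijacklibs.csv has more columns.

```python
import csv
import io
import ntpath

# Constructed, reduced-schema stand-in for hijacklibs.csv: the real list at
# https://hijacklibs.net/ has more columns, and the DLL names here are hypothetical.
HIJACKLIBS_CSV = """name,expected_locations
vendorhelper.dll,%SYSTEM32%;%SYSWOW64%
updatelib.dll,%PROGRAMFILES%\\Example Vendor
"""

# Hypothetical expansions for the location tokens used in the constructed list above.
LOCATION_TOKENS = {
    "%SYSTEM32%": r"C:\Windows\System32",
    "%SYSWOW64%": r"C:\Windows\SysWOW64",
    "%PROGRAMFILES%": r"C:\Program Files",
}

# Constructed records in the shape a Velociraptor hunt over pslist() and modules()
# returns: the running image and one DLL it has loaded.
MODULE_EVENTS = [
    # Listed DLL loaded from a user-writable folder, beside the image that loaded
    # it: the sideloading layout the post describes.
    {"pid": 4120, "exe": r"C:\Users\alice\AppData\Roaming\Updater\signed-tool.exe",
     "dll": r"C:\Users\alice\AppData\Roaming\Updater\vendorhelper.dll"},
    # Same DLL name from its expected location: benign.
    {"pid": 1488, "exe": r"C:\Windows\explorer.exe",
     "dll": r"C:\Windows\System32\vendorhelper.dll"},
    # Vendor DLL from the vendor's own install directory: benign.
    {"pid": 2210, "exe": r"C:\Program Files\Example Vendor\app.exe",
     "dll": r"C:\Program Files\Example Vendor\updatelib.dll"},
    # Listed DLL from an unexpected folder, but not beside the loading image.
    {"pid": 3307, "exe": r"C:\Windows\System32\rundll32.exe",
     "dll": r"C:\ProgramData\cache\updatelib.dll"},
]


def load_hijacklibs(text):
    """Parse the CSV into {dll name (lower-case): [expected directories, normalised]}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        dirs = []
        for loc in row["expected_locations"].split(";"):
            for token, path in LOCATION_TOKENS.items():
                loc = loc.replace(token, path)
            dirs.append(ntpath.normcase(loc))
        table[row["name"].lower()] = dirs
    return table


def _is_under(directory, parent):
    """True when `directory` is `parent` or lies below it (case-insensitive)."""
    directory, parent = ntpath.normcase(directory), ntpath.normcase(parent)
    return directory == parent or directory.startswith(parent + "\\")


def find_sideload_candidates(events, hijacklibs):
    """One finding per listed DLL that was loaded from outside its expected directories."""
    findings = []
    for event in events:
        name = ntpath.basename(event["dll"]).lower()
        expected = hijacklibs.get(name)
        if expected is None:
            continue
        dll_dir = ntpath.dirname(event["dll"])
        if any(_is_under(dll_dir, d) for d in expected):
            continue
        # Sideloading proper: the DLL sits in the same folder as the image that loaded
        # it, where the post says the payload and trusted binary are usually found too.
        co_located = ntpath.normcase(dll_dir) == ntpath.normcase(ntpath.dirname(event["exe"]))
        findings.append({
            "pid": event["pid"],
            "exe": event["exe"],
            "dll": event["dll"],
            "severity": "high" if co_located else "medium",
            "expected_locations": expected,
            "triage_dir": dll_dir,  # collect this folder (DLL, EXE, payload) for analysis
        })
    return findings


if __name__ == "__main__":
    for finding in find_sideload_candidates(MODULE_EVENTS, load_hijacklibs(HIJACKLIBS_CSV)):
        print(f"[{finding['severity']}] pid {finding['pid']}: {finding['dll']} "
              f"loaded by {finding['exe']}")
```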

Happy Hunting!

Rapid7 Recognized on Bloomberg Gender Equality Index, Continues Commitments to Support DEI

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/02/07/rapid7-recognized-on-bloomberg-gender-equality-index-continues-commitments-to-support-dei/


For the fifth year in a row, Rapid7 is pleased to share that we’ve been included in the Bloomberg Gender Equality Index. The Gender Equality Index (GEI) recognizes publicly traded companies for being transparent in their commitment to gender equality. This includes how they score in areas such as talent pipeline and leadership, equal pay and gender pay parity, inclusive culture, anti-harassment policies, and more. Inclusion in the GEI for 2023 recognizes our commitment to transparency while building a workplace that enables every person to have the career experience of a lifetime.

Diversity, Equity, and Inclusion at Rapid7

We know that diversity of backgrounds and mindsets helps us close gaps in experience and spark innovation. A deep commitment to Diversity, Equity, and Inclusion is core to the strength and success of our business. It empowers communities, makes our company healthier, and makes our customers more secure. It’s also, quite simply, the right thing to do.

Bring You is an initiative that builds on the focused efforts we started in 2018 to ensure that every employee—regardless of their ethnicity, gender, religion, or background—has the opportunity to thrive in their career and feel a sense of belonging within our community. More than just a set of goals, Bring You is using targeted investments to cultivate an increasingly diverse workforce as we continue to grow. While that overarching mission speaks to the essence of inclusion, Bring You highlights our focus on continuing to strengthen our gender and racial diversity in the organization in a measurable, impactful way.

In 2022, we celebrated the addition of three new employee resource groups, while bringing additional structure and resources to the existing three. The resource groups, referred to as our Rapid Impact Groups, are entirely driven by employees who serve as local leads, while being supported by the business. Today, these Rapid Impact Groups include:

  • Rapid7 Women: Supporting and advocating for women and female identifying individuals
  • Moose Mosaic: Supporting and advocating for our AAPI community
  • Moose Vets: Supporting and advocating for our veterans and former military community
  • Rapid7 Diversability and Neurodiversity: Aims to level the playing field by making the day-to-day experience of ALL employees equivalent in challenge level regardless of disability or neurodivergence
  • Rapid7 Pride: Supporting and advocating for our LGBTQIA+ community
  • Rapid7 Vibranium: Supporting and advocating for our Black and LatinX community

Click here to learn more about Diversity, Equity, and Inclusion at Rapid7, including our latest social good report.

Looking Ahead

One of our core values is: Never Done. We will continue to be transparent about progress and push forward to create more inclusive environments, build a workforce that reflects all communities present in the world, and create a culture committed to educating ourselves to better empathize and support one another.

In 2023, we will continue to challenge ourselves, leaning into additional programming, creating new ways for employees to build cultural competency and investing in more tools so we can continue to build teams that are dynamic, innovative, and more effective in driving positive customer outcomes.

We value visibility and being included in surveys such as the Bloomberg Gender Equality Index, as it allows us to measure the progress on our journey and be accountable, as a responsible leader in the Cybersecurity space.


A Customer Success Manager’s Journey to Cybersecurity

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/01/31/a-customer-success-managers-journey-to-cybersecurity/


Originally planning to pursue a career in sports journalism, Blake Walters joined Rapid7 ready to roll up his sleeves and learn about an entirely new field—cybersecurity. Walters always had an interest in computer engineering. However, he craved the ability to connect with people and build relationships instead of working deep within coding.

Walters is a learner by nature and is not afraid to take on new challenges or face new risks. Living by the mindset, “If I don’t know, I will work to figure it out,” he began his journey as a recruiter in the technology space. This gave him a great opportunity to learn more about how software is built, which eventually led him to Customer Success, where he could build relationships with customers and help others.

Walters had his first personal brush with cybersecurity when a client he was working with, a small hospital, got hit with WannaCry ransomware in 2017. He became even more curious about cybersecurity as he witnessed firsthand the impact it had on his client.


“You know what cybersecurity is and you know people get hacked all the time, but unless you are in it, you don’t realize the ins and outs of what that impact is,” he said. “There were 4-5 weeks where they couldn’t access hospital records, patient information, company files, ANYTHING. That’s a big challenge for a small hospital, or any company.”

From there, the stars aligned, and Walters was approached with an opportunity to join Rapid7. He noted that during his interview there was less emphasis on having a vast amount of cybersecurity knowledge. Instead, the focus was on his ability to build relationships and proactively use the resources provided by Rapid7 to build the industry knowledge needed to be successful in the role.

According to Walters, joining Rapid7 felt like he had finally found a place where he could do what he loved, while being supported in continuing to learn a new industry and grow his career.

“With cybersecurity, it doesn’t matter what you did yesterday. Hackers are changing all the time. If we aren’t also helping our customers evolve and improve their security over time, we are doing them a disservice,” he said. “That’s why Customer Success is so important. It doesn’t matter how good you’ve been in the past, it’s about how good you’re going to be moving forward. That is an exciting and motivating mindset to have.”

One of the biggest misconceptions about cybersecurity is that you need to have specific knowledge to break into the field. According to Walters, that was not his experience.  

“Everyone has a day 1. You don’t wake up with knowledge of cybersecurity products,” he said. “If you are trying to break into the field, just start reading. There is plenty of information out there. Learn the basics, and then as you’re looking at companies and jobs, start tailoring your understanding of what that company does.”

In an environment where things change so rapidly, it is integral to have an open mind and willingness to adapt. In regard to Rapid7 specifically, Walters believes diversity is key to the company’s success.

“Having different types of people and backgrounds in an organization has a huge impact. It keeps you out of groupthink and lets people collaborate for a common good,” he said. “At Rapid7, that stood out to me early in the interview process. Everyone is challenging one another to be better. That’s what I was looking for in a company regardless of what industry or business it was.”

Overall, Walters wants others out there thinking about entering the cybersecurity space to know that with some effort, you can make it happen, even without a technical background.

“Don’t be afraid to push yourself outside your comfort zone. I came into this with no cyber experience. It shows the ability of Rapid7 to take a risk on people who are willing to come in, devote themselves to learning and growth, put in the work, and make an impact,” he said. “It’s not about just finding a job, it’s about finding a home.”

To learn more about opportunities available at Rapid7, visit: careers.rapid7.com

Rapid7 Observes Use of Microsoft OneNote to Spread Redline Infostealer Malware

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/


Author: Thomas Elkins
Contributors: Andrew Iwamaye, Matt Green, James Dunne, and Hernan Diaz

Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.

Recently, we (Rapid7) observed malicious actors using OneNote files to deliver malicious code. We identified a specific technique that used OneNote files containing batch scripts, which upon execution started an instance of a renamed PowerShell process to decrypt and execute a base64 encoded binary. The base64 encoded binary subsequently decrypted a final payload, which we have identified to be either Redline Infostealer or AsyncRat.

This blog post walks through analysis of a OneNote file that delivered a Redline Infostealer payload.

Analysis of OneNote File

The attack vector began when a user was sent a OneNote file via a phishing email. Once the OneNote file was opened, the user was presented with the option to “Double Click to View File” as seen in Figure 1.

Figure 1 – OneNote file "Remittance" displaying the button “Double Click to View File”

We determined that the button “Double Click to View File” was moveable. Hidden underneath the button, we observed five shortcuts to a batch script, nudm1.bat. The hidden placement of the shortcuts ensured that the user double-clicked on one of the shortcuts when interacting with the “Double Click to View File” button.

Figure 2 – Copy of Batch script nudm1.bat revealed after moving “Double Click to View File” button

Once the user double clicked the button “Double Click to View File”, the batch script nudm1.bat executed in the background without the user’s knowledge.

Analysis of Batch Script

In a controlled environment, we analyzed the batch script nudm1.bat and observed variables storing values.

Figure 3 – Beginning contents of nudm1.bat

Near the middle of the script, we observed a large section of base64 encoded data, suggesting at some point, the data would be decoded by the batch script.

Figure 4 – Base64 encoded data contained within nudm1.bat

At the bottom of the batch script, we observed the declared variables being concatenated. To easily determine what the script was doing, we placed echo commands in front of the concatenations. The addition of the echo commands allowed for the batch script to deobfuscate itself for us upon execution.

Figure 5 – echo command placed in front of concatenated variables

We executed the batch file and piped the deobfuscated result to a text file. The text file contained a PowerShell script that was executed with a renamed PowerShell binary, nudm1.bat.exe.

Figure 6 – Output after using echo reveals PowerShell script

We determined the script performed the following:

  • Base64 decoded the data stored after :: within nudm1.bat, shown in Figure 4

  • AES Decrypted the base64 decoded data using the base64 Key 4O2hMB9pMchU0WZqwOxI/4wg3/QsmYElktiAnwD4Lqw= and base64 IV of TFfxPAVmUJXw1j++dcSfsQ==

  • Decompressed the decrypted contents using gunzip

  • Reflectively loaded the decrypted and decompressed contents into memory

Using CyberChef, we replicated the identified decryption method to obtain a decrypted executable file.

Figure 7 – AES decryption via Cyberchef reveals MZ header

We determined the decrypted file was a 32-bit .NET executable and analyzed the executable using dnSpy.

Analysis of .NET 32-bit Executable

In dnSpy we observed the original file name was tmpFBF7. We also observed that the file contained a resource named payload.exe.

Figure 8 – dnSpy reveals name of original program tmpFBF7 and a payload.exe resource

We navigated to the entry point of the file and observed base64 encoded strings. The base64 encoded strings were passed through a function SRwvjAcHapOsRJfNBFxi. The function SRwvjAcHapOsRJfNBFxi utilized AES decryption to decrypt the data passed to it as an argument.

Figure 9 – AES Decrypt Function SRwvjAcHapOsRJfNBFxi

As seen in Figure 9, the function SRwvjAcHapOsRJfNBFxi took in 3 arguments: input, key and iv.

We replicated the decryption process from the function SRwvjAcHapOsRJfNBFxi using CyberChef to decrypt the values of the base64 encoded strings. Figure 9 shows an example of the decryption process of the base64 encoded string vYhBhJfROLULmQk1P9jbiqyIcg6RWlONx2FLYpdRzZA= from line 30 of Figure 7 to reveal a decoded and decrypted string of CheckRemoteDebuggerPresent.

Figure 10 – Using Cyberchef to replicate decryption of function SRwvjAcHapOsRJfNBFxi

Repeating the decryption of the other base64 encoded strings revealed some anti-analysis and anti-AV checks performed by the executable:

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • AmsiScanBuffer

Other base64 encoded strings include:

  • EtwEventWrite
  • /c choice /c y /n /d y /t 1 & attrib -h -s

After passing the anti-analysis and anti-AV checks, the executable called upon the payload.exe resource in line 94 of the code. We determined that the payload.exe resource was saved into the variable @string.

Figure 11 – @string storing payload.exe

On line 113, the variable @string was passed into a new function, aBTlNnlczOuWxksGYYqb, as well as the AES decryption function SRwvjAcHapOsRJfNBFxi.

Figure 12 – @string being passed through function hDMeRrMMQVtybxerYkHW

The function aBTlNnlczOuWxksGYYqb decompressed content passed to it using Gunzip.

Figure 13 – Function aBTlNnlczOuWxksGYYqb decompresses content using Gzip

Using CyberChef, we decrypted and decompressed the payload.exe resource to obtain another 32-bit .NET executable, which we named payload2.bin. Using Yara, we scanned payload2.bin and determined it was related to the Redline Infostealer malware family.

Figure 14 – Yara Signature identifying payload2.bin as Redline Infostealer

We also analyzed payload2.bin in dnSpy.

Analysis of Redline Infostealer

We observed that the original file name of payload2.bin was Footstools and that a class labeled Arguments contained the variables IP and Key. The variable IP stored a base64 encoded value GTwMCik+IV89NmBYISBRLSU7PlMZEiYJKwVVUg==.

Figure 15 – Global variable IP set as Base64 encoded string

The variable Key stored a UTF8 value of Those.

Figure 16 – Global variable Key set with value Those

We identified that the variable IP was called into a function, WriteLine(), which passed the variables IP and Key into a String.Decrypt function as arguments.

Figure 17 – String.Decrypt being passed arguments IP and Key

The function String.Decrypt was a simple function that XOR’ed input data with the value of Key.

Figure 18 – StringDecrypt utilizing XOR decryption

Using Cyberchef, we replicated the String.Decrypt function for the ‘IP’ variable by XORing the base64 value shown in Figure 13 with the value of Key shown in Figure 16 to obtain the decrypted value for the IP variable, 172.245.45[.]213:3235.

Figure 19 – Using XOR in Cyberchef to reveal value of argument IP
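The String.Decrypt replication in Python rather than CyberChef, as an added example that is not part of the original post. It uses only the two values quoted above (the Base64 IP string and the key Those); one detail worth knowing when you rebuild the recipe is that the XOR output for this argument is itself Base64 text, so a second decode is needed before the host:port appears.

```python
import base64

# Values quoted in the post: Arguments.IP (Base64) and Arguments.Key ("Those").
REDLINE_IP_B64 = "GTwMCik+IV89NmBYISBRLSU7PlMZEiYJKwVVUg=="
REDLINE_KEY = "Those"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the core of Redline's String.Decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_layer(encoded: str, key: str) -> str:
    """Base64-decode the stored value and XOR it with the UTF-8 key.

    For the IP argument this yields Base64 text again, not the host:port, so a
    recipe that stops at this step still shows an opaque string.
    """
    return xor_with_key(base64.b64decode(encoded), key.encode("utf-8")).decode("ascii")


def decrypt_redline_string(encoded: str, key: str) -> str:
    """Full path: Base64 -> XOR with Key -> Base64 -> UTF-8, giving the post's result."""
    return base64.b64decode(xor_layer(encoded, key)).decode("utf-8")


def defang(value: str) -> str:
    """Write host:port the way the post reports it (last dot bracketed)."""
    host, sep, port = value.partition(":")
    head, _, last = host.rpartition(".")
    return f"{head}[.]{last}{sep}{port}"


if __name__ == "__main__":
    c2 = decrypt_redline_string(REDLINE_IP_B64, REDLINE_KEY)
    print("Arguments.IP decrypts to", defang(c2))  # 172.245.45[.]213:3235
```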

Redline Infostealer has the capability to steal credentials related to Cryptocurrency wallets, Discord data, as well as web browser data including cached cookies. Figure 19 shows functionality in Redline Infostealer that searches for known Cryptocurrency wallets.

Figure 20 – Redline Infostealer parsing for known Cryptocurrency wallet locations

Rapid7 Protection

Rapid7 has existing rules that detect the behavior observed within customers’ environments using our Insight Agent, including:

Suspicious Process – Renamed PowerShell

OneNote Embedded File Parser

Rapid7 has also developed a OneNote file parser and detection artifact for Velociraptor. This artifact can be used to detect or extract malicious payloads like the one discussed in this post.
https://docs.velociraptor.app/exchange/artifacts/pages/onenote/


IOCs

Filename – SHA1 HASH
Rem Adv.one – 61F9DBE256052D6315361119C7B7330880899D4C
Nudm1.bat – ADCE7CA8C1860E513FB70BCC384237DAE4BC9D26
tmpFBF7.tmp – F6F1C1AB9743E267AC5E998336AF917632D2F8ED
Footstools.exe – 6c404f19ec17609ad3ab375b613ea429e802f063
IP Address – 172.245.45[.]213

MITRE Attack Techniques

TA0002 – Execution

TA0005 – Defense Evasion

TA0006 – Credential Access

TA0007 – Discovery

TA0009 – Collection

TA0011 – Command and Control

Mitigations

  • Block .one attachments at the network perimeter or with an antiphishing solution if .one files are not business-critical
  • User awareness training
  • If possible, implement signatures to search for PowerShell scripts containing reverse strings such as gnirtS46esaBmorF
  • Watch out for OneNote as the parent process of cmd.exe executing a .bat file
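The three behavioural checks from the Protection and Mitigations sections run over constructed process-creation events, as an added example that is not Rapid7's rule content. The event shape (Image, OriginalFileName from the PE version resource, CommandLine, ParentImage) follows Sysmon Event ID 1; the paths, pids and command lines are made up for this example and only the file names nudm1.bat, nudm1.bat.exe and the reversed marker come from the post.

```python
import ntpath

# Constructed process-creation events in a Sysmon Event ID 1-like shape. The
# OriginalFileName comes from the PE version resource, which survives renaming.
EVENTS = [
    {"pid": 5100, "Image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "OriginalFileName": "OneNote.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE" Rem Adv.one'},
    {"pid": 5144, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\alice\AppData\Local\Temp\nudm1.bat"'},
    {"pid": 5160, "Image": r"C:\Users\alice\AppData\Local\Temp\nudm1.bat.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"nudm1.bat.exe -noprofile -windowstyle hidden -command $m='gnirtS46esaBmorF'"},
    # Ordinary administrative PowerShell: must not trip any rule.
    {"pid": 6012, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\ops\nightly-backup.ps1"},
]

# Reversed API name called out in the post's mitigations; matched case-insensitively.
REVERSED_MARKER = "gnirtS46esaBmorF".lower()


def _base(path):
    return ntpath.basename(path).lower()


def renamed_powershell(ev):
    """The image name differs from the PE's OriginalFileName, which says PowerShell."""
    return (ev["OriginalFileName"].lower() == "powershell.exe"
            and _base(ev["Image"]) != "powershell.exe")


def onenote_runs_batch(ev):
    """OneNote spawning cmd.exe to run a .bat: the first hop in the observed chain."""
    return (_base(ev["ParentImage"]) == "onenote.exe"
            and _base(ev["Image"]) == "cmd.exe"
            and ".bat" in ev["CommandLine"].lower())


def reversed_string_marker(ev):
    """Command line carries the reversed FromBase64String marker."""
    return REVERSED_MARKER in ev["CommandLine"].lower()


RULES = {
    "Suspicious Process - Renamed PowerShell": renamed_powershell,
    "OneNote Parent of cmd.exe Running .bat": onenote_runs_batch,
    "PowerShell Reversed Base64 Marker": reversed_string_marker,
}


def evaluate(events):
    """Return (rule name, pid) pairs for every event that trips a rule, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: pid {pid}")
```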

The High Cost of Human Error In OT Systems

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/01/26/the-high-cost-of-human-error-in-ot-systems/


In baseball, a mistake made by a player that could have easily been avoided is sometimes called an “unforced error.” An unforced error is not an official error (that is, it is not reflected in statistics); however, it can result in additional runs being scored, runners getting on base, and even games being lost. This applies in cyber security, as well. Threat actors use all sorts of nefarious tactics to target your networks, but they usually can’t succeed without some mistakes from your team.

Rapid7’s partner SCADAfence recently commissioned a survey of 3500 OT professionals. Among the findings, nearly 80% of respondents believe that human error presents the greatest risk for compromise to operational technology (OT) control systems. The survey also found that 83% of respondents believe that there is a significant shortfall in the number of skilled workers. This could contribute to the problem, since under-qualified or improperly trained security workers are more likely to make preventable errors.

Still, many organizations continue to ignore the extremely high potential costs of human error.

Real World Consequences

Last year, SCADAfence argued that an explosion at the Freeport LNG natural gas plant, which a Russian group claimed responsibility for, was actually caused by human error. The timing of the explosion, less than two months after a major maintenance upgrade, and several other factors appear to indicate that improper procedures and a lapse in adherence to company policies were the cause. This was later confirmed by the U.S. Pipeline and Hazardous Materials Safety Administration (PHMSA).

Another example is the Oldsmar Water Facility Attack in 2021. According to reports, human error was a large factor in the attack—in which hackers gained unauthorized access to the water facility’s industrial control system (ICS) network and increased sodium hydroxide content in drinking water to poisonous levels. The Oldsmar facility was using Windows 7, even though Microsoft had stopped supporting it a year earlier. All of Oldsmar’s employees shared the same password to access TeamViewer, a remote access software. And, the facility was connected directly to the internet without any type of firewall protection installed. All of these easily preventable factors contributed to the attacker’s ability to gain access to the facility.

Human error in OT systems can take different forms. As stated above, weak, outdated or duplicated passwords have led to any number of cyber security breaches. Firewalls, which are relied on to provide a first line of OT cyber security defense, are frequently misconfigured or improperly deployed by IT staff members. Finally, phishing attacks, a form of social engineering used by malicious actors to gain information from unwitting victims which is then used to access secure systems, are a major starting point for attacks on critical infrastructure.

Rapid7’s Advice

The number one way to prevent human error from leading to costly cyber attacks is training. OT and IT staff should be regularly trained on company security policies and should understand the importance of always following protocol. Also, teams need to work closely together to ensure that proper protections are in place across the network.

There are a number of best practices that have been shown to reduce the frequency and severity of cyber attacks in OT and ICS networks. Organizations should:

  • Require secure passwords that are changed on a regular schedule. Never allow team members to share passwords or access IDs to systems. Each employee who requires access to a system or device should have a unique user name and account.
  • Reduce privileged access.
  • Keep your network updated with important patches and upgrades.
  • Make sure the tools your teams rely on are reliable, effective, and up to date.
  • Stay on top of news and information about newly discovered vulnerabilities, and potential threats relevant to your organization.

Finally, if your team lacks bandwidth or necessary skills, consider using managed services to gain insights and relevant threat information about your network.

This article was written in partnership with SCADAfence.

Rapid7 Now Available Through Carahsoft’s NASPO ValuePoint

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/01/24/rapid7-now-available-through-carahsofts-naspo-valuepoint/


We are happy to announce that Rapid7’s solutions have been added to the NASPO ValuePoint Cloud Solutions contract held by Carahsoft Technology Corp. The addition of this contract enables Carahsoft and its reseller partners to provide Rapid7’s Insight platform to participating States, Local Governments, and Educational (SLED) institutions.

“Rapid7’s Insight platform goes beyond threat detection by enabling organizations to quickly respond to attacks with intelligent automation,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft.

“We are thrilled to work with Rapid7 and our reseller partners to deliver these advanced cloud risk management and threat detection solutions to NASPO members to further protect IT environments across the SLED space.”

NASPO ValuePoint is a cooperative purchasing program facilitating public procurement solicitations and agreements using a lead-state model. The program provides the highest standard of excellence in public cooperative contracting. By leveraging the leadership and expertise of all states and the purchasing power of their public entities, NASPO ValuePoint delivers the highest valued, reliable and competitively sourced contracts, offering public entities outstanding prices.

“In partnership with Carahsoft and their reseller partners, we look forward to providing broader availability of the Insight platform to help security teams better protect their organizations from an increasingly complex and volatile threat landscape,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7.

The Rapid7 Insight platform is available through Carahsoft’s NASPO ValuePoint Master Agreement #AR2472. For more information, visit https://www.carahsoft.com/rapid7/contracts.

Rapid7 Added to Carahsoft GSA Schedule Contract

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/01/24/rapid7-added-to-carahsoft-gsa-schedule-contract/


We are happy to announce that Rapid7 has been added to Carahsoft’s GSA Schedule contract, making our suite of comprehensive security solutions widely available to Federal, State, and Local agencies through Carahsoft and its reseller partners.

“With the ever-evolving threat landscape, it is important that the public sector has the resources to defend against sophisticated cyber attacks and vulnerabilities,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft.

“The addition of Rapid7’s cloud risk management and threat detection solutions to our GSA Schedule gives Government customers and our reseller partners expansive access to the tools necessary to protect their critical infrastructure.”

With the GSA contract award, Rapid7 is able to significantly expand its availability to Federal, State, Local, and Government markets. In addition to GSA, Rapid7 was recently added to the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) Approved Products List.

“As the attack surface continues to increase in size and complexity, it’s imperative that all organizations have access to the tools and services they need to monitor risk across their environments,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7.

“This contract award is a massive step forward for Rapid7 as we work to further serve the public sector.”

Rapid7 is available through Carahsoft’s GSA Schedule No. 47QSWA18D008F. For more information on Rapid7’s products and services, contact the Rapid7 team at Carahsoft at [email protected].

Cloud Security and Compliance Best Practices: Highlights From The CSA Cloud Controls Matrix

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/12/22/cloud-security-and-compliance-best-practices-highlights-from-the-csa-cloud-controls-matrix/


In a recent blog post, we highlighted the release of an InsightCloudSec compliance pack that helps organizations establish and adhere to AWS Foundational Security Best Practices. While that’s a great pack for those who have standardized on AWS and are looking for a trusted set of controls to harden their environment, we know that’s not always the case.

In fact, depending on what report you read, the percentage of organizations that have adopted multiple cloud platforms has soared and continues to rise exponentially. According to Gartner, by 2026 more than 90% of enterprises will extend their capabilities to multi-cloud environments, up from 76% in 2020.

It can be a time- and labor-intensive process to establish and enforce compliance standards across single cloud environments, but this becomes especially challenging in multi-cloud environments. First, the number of required checks and guardrails is multiplied, and second, because each platform is unique, proper hygiene and security measures aren’t consistent across the various clouds. The general approaches and philosophies are fairly similar, but the way controls are implemented and the way policies are written can be significantly different.

For this post, we’ll dive into one of the most commonly-used cloud security standards for large, multi-cloud environments: the CSA Cloud Controls Matrix (CCM).

What is the CSA Cloud Controls Matrix?

In the unlikely event you’re unfamiliar, Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA brings together a community of cloud security experts, industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.

The Cloud Controls Matrix is a comprehensive cybersecurity control framework for cloud computing developed and maintained by CSA. It is widely used as a systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de facto standard for cloud security assurance and compliance.

Five CSA CCM Principles and Why They’re Important

The CCM consists of many controls and best practices, which means we can’t cover them all in a single blog post. That said, we’ve outlined 5 major principles that logically group the various controls and why they’re important to implement in your cloud environment. Of course, the CCM provides a comprehensive set of specific and actionable directions that, when adopted, simplify the process of adhering to these principles—and many others.

Ensure consistent and proper management of audit logs
Audit logs record the occurrence of an event along with supporting metadata about the event, including the time at which it occurred, the responsible user or service, and the impacted entity or entities. By reviewing audit logs, security teams can investigate breaches and ensure compliance with regulatory requirements. Within CCM, there are a variety of controls focused on ensuring that you’ve got a process in place to collect, retain and analyze logs as well as limiting access and the ability to edit or delete such logs to only those who need it.

Ensure consistent data encryption and proper key management
Ensuring that data is properly encrypted, both at rest and in transit, is a critical step to protect your organization and customer data from unauthorized access. There are a variety of controls within the CCM that are centered around ensuring that data encryption is used consistently and that encryption keys are maintained properly—including regular rotation of keys as applicable.

Effectively manage IAM permissions and abide by Least Privilege Access (LPA)
In modern cloud environments, every user and resource is assigned a unique identity and a set of access permissions and privileges. This can be a challenge to keep track of, especially at scale, which can result in improper access, either from internal users or external malicious actors. To combat this, the CCM provides guidance around establishing processes and mechanisms to manage, track and enforce permissions across the organization. Further, the framework suggests employing the Least Privilege Access (LPA) principle to ensure users only have access to the systems and data that they absolutely need.

Establish and follow a process for managing vulnerabilities
There are a number of controls focused on establishing, implementing and evaluating processes, procedures and technical measures for detecting and remediating vulnerabilities. The CCM has dedicated controls for application vulnerabilities, external library vulnerabilities and host-level vulnerabilities. It is important to regularly scan your cloud environments for known vulnerabilities, and evaluate the processes and methodologies you use to do so, as well.

Define a process to proactively roll back changes to a previous state of good
In traditional, on-premises environments, patching and fixing existing resources is the proper course of action when an error or security concern is discovered. Conversely, when things go awry in cloud environments, remediation steps typically involve reverting to a previous state of good. To this end, the CCM guides organizations to proactively establish and implement a process that allows them to easily roll back changes to a previously known good state, whether manually or via automation.

How InsightCloudSec Helps Implement and Enforce CCM

InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on common industry frameworks or customized to specific business needs. This is accomplished through the use of compliance packs.

A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework or industry best practices. The platform comes out-of-the-box with 30+ compliance packs, and also offers the ability to build custom compliance packs that are completely tailored to your business’ specific needs.

Whenever a non-compliant resource is created, or when a change is made to an existing resource’s configuration or permissions, InsightCloudSec will detect it within minutes. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue—either via deletion or by adjusting the configuration and/or permissions—without any human intervention.
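To make the "compliance pack plus rollback" workflow concrete, here is an added example that is not InsightCloudSec's own format or code: a small set of checks expressed as predicates over resource snapshots, a drift diff between a known-good baseline and the live state, and a remediation plan that restores or deletes only the resources that currently fail a check. It also serves the rollback principle described earlier, including the awkward case where the baseline itself fails a check and automation should stop and ask. Resource types, field names, and both snapshots are constructed for the example.

```python
from typing import Any, Callable, Dict, List, Tuple

Resource = Dict[str, Any]
State = Dict[str, Resource]  # resource id -> configuration snapshot
Check = Tuple[str, str, Callable[[Resource], bool]]  # (check id, resource type, passes?)

# A small compliance pack. Field names are constructed for this example and are not
# any cloud provider's or product's schema.
CHECKS: List[Check] = [
    ("storage-no-public-access", "storage_bucket", lambda r: r.get("public_access") is False),
    ("storage-encrypted-at-rest", "storage_bucket", lambda r: r.get("encryption_at_rest") is True),
    ("storage-access-logging", "storage_bucket", lambda r: r.get("access_logging") is True),
    ("db-backup-retention", "database", lambda r: r.get("backup_retention_days", 0) >= 7),
    ("db-not-public", "database", lambda r: r.get("publicly_accessible") is False),
]


def evaluate(state: State, checks: List[Check] = CHECKS) -> List[Tuple[str, str]]:
    """Return (resource id, check id) for every failing check, in a stable order."""
    return [(rid, cid) for rid, res in sorted(state.items())
            for cid, rtype, passes in checks
            if res.get("type") == rtype and not passes(res)]


def diff_state(baseline: State, current: State) -> Dict[str, Any]:
    """Drift between the known-good baseline and the live state."""
    changed: Dict[str, Dict[str, Tuple[Any, Any]]] = {}
    for rid in baseline.keys() & current.keys():
        fields = {k: (baseline[rid].get(k), current[rid].get(k))
                  for k in baseline[rid].keys() | current[rid].keys()
                  if baseline[rid].get(k) != current[rid].get(k)}
        if fields:
            changed[rid] = fields
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}


def rollback_plan(baseline: State, current: State, checks: List[Check] = CHECKS) -> List[Dict[str, Any]]:
    """Actions that return every non-compliant resource to the baseline or remove it.
    Drift that is still compliant is left alone: the target is a known-good state,
    not a frozen one."""
    failing = {rid for rid, _ in evaluate(current, checks)}
    baseline_failing = {rid for rid, _ in evaluate(baseline, checks)}
    drift = diff_state(baseline, current)
    plan: List[Dict[str, Any]] = []
    for rid in sorted(failing):
        if rid not in baseline:
            plan.append({"resource": rid, "action": "delete",
                         "reason": "not in baseline and non-compliant"})
        elif rid in baseline_failing:
            # Rolling back would restore a configuration that also fails; a person decides.
            plan.append({"resource": rid, "action": "manual-review",
                         "reason": "baseline configuration is itself non-compliant"})
        else:
            restore = {k: old for k, (old, _new) in drift["changed"].get(rid, {}).items()}
            plan.append({"resource": rid, "action": "restore", "fields": restore})
    for rid in drift["removed"]:
        plan.append({"resource": rid, "action": "recreate", "config": baseline[rid]})
    return plan


def apply_plan(current: State, plan: List[Dict[str, Any]]) -> State:
    """Apply the automatable actions; manual-review items are left untouched."""
    new_state = {rid: dict(cfg) for rid, cfg in current.items()}
    for step in plan:
        if step["action"] == "delete":
            new_state.pop(step["resource"], None)
        elif step["action"] == "restore":
            new_state[step["resource"]].update(step["fields"])
        elif step["action"] == "recreate":
            new_state[step["resource"]] = dict(step["config"])
    return new_state


# Constructed snapshots. The baseline was captured before the encryption check existed,
# so one bucket in it already fails that check.
BASELINE: State = {
    "bucket/finance-reports": {"type": "storage_bucket", "public_access": False,
                               "encryption_at_rest": True, "access_logging": True},
    "bucket/old-exports": {"type": "storage_bucket", "public_access": False,
                           "encryption_at_rest": False, "access_logging": True},
    "db/customers": {"type": "database", "backup_retention_days": 14, "publicly_accessible": False},
}
CURRENT: State = {
    "bucket/finance-reports": {"type": "storage_bucket", "public_access": True,  # drift: made public
                               "encryption_at_rest": True, "access_logging": True},
    "bucket/old-exports": dict(BASELINE["bucket/old-exports"]),
    "db/customers": {"type": "database", "backup_retention_days": 1, "publicly_accessible": False},
    "bucket/scratch": {"type": "storage_bucket", "public_access": True,  # new and non-compliant
                       "encryption_at_rest": False, "access_logging": False},
}


if __name__ == "__main__":
    for step in rollback_plan(BASELINE, CURRENT):
        print(step)
    print("remaining:", evaluate(apply_plan(CURRENT, rollback_plan(BASELINE, CURRENT))))
```

After the plan is applied the only remaining finding is the bucket whose baseline was never compliant, which is exactly the case where automated rollback would have been the wrong move and a human needs to choose a new known-good configuration.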

If you’re interested in learning more about how InsightCloudSec can help implement and enforce security and compliance standards across your organization, be sure to check out a free demo!

James Alaniz and Ryan Blanchard contributed to this article.