All posts by Tom Caiazza

NEW RESEARCH: Artificial intelligence and Machine Learning Can Be Used to Stop DAST Attacks Before they Start

Post Syndicated from Tom Caiazza original

NEW RESEARCH: Artificial intelligence and Machine Learning Can Be Used to Stop DAST Attacks Before they Start

Within cloud security, one of the most prevalent tools is dynamic application security testing, or DAST. DAST is a critical component of a robust application security framework, identifying vulnerabilities in your cloud applications either pre or post deployment that can be remediated for a stronger security posture.

But what if the very tools you use to identify vulnerabilities in your own applications can be used by attackers to find those same vulnerabilities? Sadly, that’s the case with DASTs. The very same brute-force DAST techniques that alert security teams to vulnerabilities can be used by nefarious outfits for that exact purpose.

There is good news, however. A new research paper written by Rapid7’s Pojan Shahrivar and Dr. Stuart Millar and published by the Institute of Electrical and Electronics Engineers (IEEE) shows how artificial intelligence (AI) and machine learning (ML) can be used to thwart unwanted brute-force DAST attacks before they even begin. The paper Detecting Web Application DAST Attacks with Machine Learning was presented yesterday to the specialist AI/ML in Cybersecurity workshop at the 6th annual IEEE Dependable and Secure Computing conference, hosted this year at the University of Southern Florida (USF) in Tampa.

The team designed and evaluated AI and ML techniques to detect brute-force DAST attacks during the reconnaissance phase, effectively preventing 94% of DAST attacks and eliminating the entire kill-chain at the source. This presents security professionals with an automated way to stop DAST brute-force attacks before they even start. Essentially, AI and ML are being used to keep attackers from even casing the joint in advance of an attack.

This novel work is the first application of AI in cloud security to automatically detect brute-force DAST reconnaissance with a view to an attack. It shows the potential this technology has in preventing attacks from getting off the ground, plus it enables significant time savings for security administrators and lets them complete other high-value investigative work.

Here’s how it is done: Using a real-world dataset of millions of events from enterprise-grade apps, a random forest model is trained using tumbling windows of time to generate aggregated event features from source IPs. In this way the characteristics of a DAST attack related to, for example, the number of unique URLs visited per IP or payloads per session, is learned by the model. This avoids the conventional threshold approach, which is brittle and causes excessive false positives.

This is not the first time Millar and team have made major advances in the use of AI and ML to improve the effectiveness of cloud application security. Late last year, Millar published new research at AISec in Los Angeles, the leading venue for AI/ML cybersecurity innovations, into the use of AI/ML to triage vulnerability remediation, reducing false positives by 96%. The team was also delighted to win AISec’s highly coveted Best Paper Award, ahead of the likes of Apple and Microsoft.

A complimentary pre-print version of the paper Detecting Web Application DAST Attacks with Machine Learning is available on the Rapid7 website by clicking here.

Rapid7’s Mid-Year Threat Review

Post Syndicated from Tom Caiazza original

Rapid7’s Mid-Year Threat Review

It will come as little surprise to most people that cyber threats in 2023 have been rather prolific. From widely exploited vulnerabilities to high-profile ransomware and extortion campaigns, the first half of the year has seen more than its fair share of large-scale incidents.

Rapid7’s 2023 Mid-Year Threat Review aggregates data and analysis from our vulnerability intelligence, managed services, and threat analytics teams to provide a mid-year snapshot of the attack landscape and give organizations actionable guidance on protecting themselves from common threats.

From January to June 2023, our team tracked:

  • 1,500+ ransomware incidents
  • 79 attacks attributed to state-sponsored threat actors
  • More than a dozen new vulnerabilities that were exploited en masse
  • A significant uptick (69%) in incident response case volume

Exploitation of public-facing applications has been a popular initial access strategy so far this year, including for advanced persistent threat actors (APTs) and state-sponsored adversaries. APTs exploited both zero-day and known vulnerabilities in routers, security appliances, printer management software, Voice over Internet Protocol (VoIP) technologies, and more. Cyber espionage, cyber warfare, and financial gain were the main motives attributed to state-sponsored threat campaigns.

Our mid-year data also shows that basic security hygiene is still a challenge for many businesses — 39% of incidents our managed services teams responded to stemmed from either lax or lacking multi-factor authentication. As always, our mid-year report provides actionable guidance to help businesses improve their security posture, including tactics to mitigate the risk of data exfiltration.
For more findings and risk management strategies, read the full report here. An infographic of key takeaways is also available here.

The Japanese Technology and Media Attack Landscape

Post Syndicated from Tom Caiazza original

The Japanese Technology and Media Attack Landscape

Recently, we released a major report analyzing the threat landscape of Japan, the globe’s third largest economy. In that report we looked at the ways in which threat actors infiltrate Japanese companies (spoiler alert: it is often through foreign subsidiaries and affiliates) and some of the most pervasive threats those companies face such as ransomware and state-sponsored threat actors.

We also took a look at some of the hardest hit industries and it should come as no surprise that some of the most commonly attacked companies are in industries where Japan currently excels on a global scale. Think manufacturing and automotive, technology & media, and financial services.

In a series of blog posts we’re going to briefly discuss the findings for one of those industries, but rest assured, more information can be found in our one-page rundowns and the report itself.

When it comes to technology and media companies, personally identifiable information, or PII, is the name of the game. Often the companies themselves aren’t the actual targets, but the information they have on their customers very much are. For instance, the breach of one IT vendor yielded access information to their own customers’ customers. Some 10 other companies were made vulnerable and attackers were able to walk away with customer data for those companies. Similarly, an overseas subsidiary of a Japanese company was breached allowing for 62 other organizations to be compromised.

The gaming industry is also not immune to cyber attacks though, like the manufacturing industry, ransomware, not credential stealing, was the main goal. In July of 2022, a major gaming company was compromised through an overseas partner by the ransomware group, BlackCat.
For more detail on the threat landscape of the technology and media industries in Japan check out our report, or the handy one-page brief specifically looking at these industries.

The Japanese Financial Services Attack Landscape

Post Syndicated from Tom Caiazza original

The Japanese Financial Services Attack Landscape

Recently, we released a major report analyzing the threat landscape of Japan, the globe’s third largest economy. In that report we looked at the ways in which threat actors infiltrate Japanese companies (spoiler alert: it is often through foreign subsidiaries and affiliates) and some of the most pervasive threats those companies face such as ransomware and state-sponsored threat actors.

We also took a look at some of the hardest hit industries and it should come as no surprise that some of the most commonly attacked companies are in industries where Japan currently excels on a global scale. Think manufacturing and automotive, technology & media, and financial services.

In these blog posts we’re going to briefly discuss the findings for one of those industries, but rest assured, more information can be found in our one-page rundowns and the report itself.

Financial services companies are prime targets for attackers around the world but Japan’s robust and global financial industry makes it particularly attractive for cyber criminals and a major risk for millions of people. Attacks on financial services companies often come from two directions, seeking the personally identifiable information, or PII, of customers, and that of employees themselves.

When it comes to customer data, phishing was the most common way attackers sought to access it with 31% of all attacks coming in this form since 2021. Of note, English was the most frequently used language in these phishing attacks. The use of English rather than Japanese, a language that relatively few foreigners speak, highlights the degree to which language barriers impact the targeting of Japan.

Cryptocurrency exchanges were also major targets as cyber attackers, specifically those that are state-sponsored (more on that in the report) seek out crypto due to its ability to operate outside of traditional financial institutions.
For more detail on the threat landscape of the financial services industry in Japan check out our report, or the handy one-page brief specifically looking at this industry.

The Japanese Automotive Industry Attack Landscape

Post Syndicated from Tom Caiazza original

The Japanese Automotive Industry Attack Landscape

Recently, we released a major report analyzing the threat landscape of Japan, the globe’s third largest economy. In that report we looked at the ways in which threat actors infiltrate Japanese companies (spoiler alert: it is often through foreign subsidiaries and affiliates) and some of the most pervasive threats those companies face such as ransomware and state-sponsored threat actors.

We also took a look at some of the hardest hit industries and it should come as no surprise that some of the most commonly attacked companies are in industries where Japan currently excels on a global scale. Think manufacturing and automotive, technology & media, and financial services.

In these blog posts we’re going to briefly discuss the findings for one of those industries, but rest assured, more information can be found in our one-page rundowns and the report itself.

The Japanese automotive industry is massive in scale. Japanese car brands are ubiquitous the world over making them a major target for cyber criminals. The global nature of their business means many foreign entities affiliated with Japanese companies can be sources of infiltration by attackers. Product security is a major concern and car maker IP is valuable. Often these attacks come in the form of ransomware and they often impact the supply chain of automakers as foreign subsidiaries and partners are ripe targets. Vulnerabilities in product features such as keyless entry and diagnostic tools also make for lucrative bounties for ransomware groups.

But those are not the only data sets that attackers seek. Auto companies may have a great deal of personally identifiable information about their customers. This information can include customer addresses, names, email, and even VIN numbers. They can lead to increased identity theft by threat actors and even fraudulent financial actions.

Customers aren’t the only victims of identity theft as PII of employees at automotive industry companies is also prevalent. Business email attacks are common as these employees are high-valued targets. Phishing attacks can lead to fraudulent financial transactions framed as legitimate business practices.

For more detail on the threat landscape of the automotive industry in Japan check out our report, or the handy one-page brief specifically looking at this industry.

Rapid7 Solutions for Partners

Post Syndicated from Tom Caiazza original

Rapid7 Solutions for Partners

Central to our mission at Rapid7 is building long-term relationships with partners who deliver valuable security solutions to customers. As customers increasingly seek managed services to meet their security needs, we’ve eagerly expanded our partner ecosystem to support a rapidly growing body of Managed Security Service Provider (MSSP) partners.

As a unified security operations (SecOps) technology platform, Rapid7 makes it easy for MSSPs to build services around an array of solutions, including detection and response, vulnerability management, cloud security, external threat intelligence, and more.

Rapid7’s Insight platform is designed with an obsessive focus on the practitioner experience. This includes the following special considerations for the MSSP security operations center (SOC) analyst.


Multi-tenancy and customer data separation is foundational to the MSSP product experience. We understand there are strict regulatory requirements necessitating data separation across all end-customers. Ensuring partners leverage multi-tenancy across all core components of their portfolio is critical to optimal service delivery for end-customers.

Single Pane of Glass (Introducing Multi-Customer Investigations)

Whereas other vendors may require partners to individually manage investigations and security posture for each customer independently, we realize this is not an optimal experience for a partner who may have tens, hundreds, or even thousands of end-customers. Our solution offers a single pane of glass for aggregated data visibility across all customers in one place.

One example of this is our multi-customer investigations experience which we launched in April. With this capability, MSSPs are empowered to conduct investigations at scale across their customer bases. After a few months, feedback on this experience has been overwhelmingly positive. Early users of the capability say this has yielded up to a 20 percent decrease in time spent investigating workflows.

And this is just the beginning. The multi-customer investigations functionality represents just the first step in a larger cross-portfolio product strategy to unlock operational efficiencies for MSSPs – no matter where they are in their security journey.

Easy deployment

Whether a partner is more of a managed service provider (MSP) with emerging security workflows or a mature MSSP with an established way of working, we’ve heard a consistent message: Partners need fast time-to-value for end-customers. That’s why we’ve made it easy for MSSPs to rapidly deploy new customers across all solution offerings. We understand security solutions are most valuable when partners deliver value quickly, and that starts with speedy deployment across the Insight platform.

A dedicated support experience

When partners encounter issues, it’s critical they are resolved quickly. It’s equally important to easily generate cases, track tickets, and escalate as needed. That’s why we introduced an exclusive support experience. Partners can easily navigate to this new experience via a dedicated tile in the Rapid7 partner portal. From there, creating a case is easy and intuitive. Support staff has also been trained to handle partner-specific use cases—such as multi-customer investigations—to ensure issues are resolved efficiently.

One platform to support many service offerings

Our mission is to be the ideal SecOps platform of choice for partners. This means it needs to be easy to navigate the different solutions available for partners. Many partners have started their journeys with Rapid7 detection and response capabilities and, as their needs have grown, evolved into delivering a comprehensive security suite that includes forensic analysis, vulnerability management, cloud security, and threat intelligence solutions. API support also enables partners to integrate Rapid7 with their own technology stacks.

Today, partners leverage Rapid7’s detection, assessment, and response capabilities to service hundreds of end-customers with an eye towards scaling rapidly. We look forward to continually growing this program alongside our partners and their meaningful feedback. Learn more about becoming a partner.

The Japanese Threat Landscape: A Report on Cyber Threats in the Third Largest Economy on Earth

Post Syndicated from Tom Caiazza original

The Japanese Threat Landscape: A Report on Cyber Threats in the Third Largest Economy on Earth

The Japanese economy is massive, global, and varied. It is also a major target for cyber threat actors. As a hub for automotive, manufacturing, technology, and financial services, Japanese companies and organizations face significant cyber risk. There is nonetheless relatively little English-language coverage of Japan’s cyber threat landscape.  

In a new report released today by Rapid7, Principal Security Analyst, Paul Prudhomme, analyzes the threat landscape of the third-largest economy in the world and enumerates threats across Japan’s main industries as well as some of the largest cyber concerns affecting those companies, such as ransomware and cyber espionage.

Perhaps the most important takeaway from the report on Japanese cyber threats is that the biggest risk to Japanese companies may not even be the companies themselves. Overseas subsidiaries and affiliates offer softer targets for threat actors targeting global Japanese brands. In many of the most recent, large-scale, attacks on Japanese companies, attackers chose to compromise overseas subsidiaries or otherwise affiliated companies in other countries as a way into the networks of Japanese targets.

The report posits two potential explanations for why attackers chose to use the overseas affiliates and subsidiaries of Japanese companies as access vectors. One possible factor is the security culture in those countries and the subsidiaries themselves. Overseas affiliates may have less optimal security oversight than their Japanese counterparts. This discrepancy could be due to acquisition of overseas firms introducing existing security vulnerabilities into the parent company, or the development of separate hierarchies that are not in lock step with the security culture at a parent company. Regulatory environments vary, and business and technology habits could be different as well. There are a multitude of ways even the most secure Japanese company could be let down by their overseas affiliates.

Another reason why attackers aim to infiltrate Japanese companies through their overseas partners could be due to language barriers. There are many Japanese speakers in the world, though most are concentrated within Japan itself. Considered a challenging language to master, attackers often seek to operate within companies with a lower language threshold to clear and when access to the main target is still available through outside companies, the path of least language resistance could be ruling the day.


Rapid7’s research has found that ransomware is a particular threat for Japanese companies due to the large number of manufacturing and other technical companies based there. The nature of some of the data that many manufacturing organizations possess may make it harder to sell on criminal markets, making ransomware a more lucrative way to extract funds from a breached manufacturer. In fact, ransomware incidents have increased every six months between the back half of 2020—where just 21 incidents were reported—to the first six months of 2022 when 114 incidents were reported. Manufacturing is the hardest hit with one-third of ransomware attacks being focused on this one industry in the first half of 2022.

State-sponsored Threats

Japanese companies are also high-value targets for state-sponsored threat actors, with several of its neighbors posing significant threats. In fact, of the four most well-known state sponsors of cyber attacks (Russia, China, Iran, and North Korea), three of them are Japan’s neighbors and thus have reasons to target it.

Chinese cyber-espionage groups pose a significant threat to the IP of Japanese manufacturing and technology companies. As a regional competitor in these spaces, IP is a valuable resource and thus a valuable target. Chinese attackers also seem to be attempting to breach Japanese companies through their overseas affiliates and subsidiaries.

North Korean cyber criminal outfits, in contrast, prefer to steal Japanese cryptocurrency, as it is a funding source that is outside of traditional financial institutions. Cryptocurrency exchanges are not the only targets. In late 2021, a North Korean group impersonated a Japanese venture capital firm to steal cryptocurrency from individuals.

Targeted Industries

Japanese companies are major global players in the automotive, manufacturing, technology, and financial services industries. Those industries are thus among the top targets. As mentioned before, manufacturers, particularly automotive, can be subject to IP theft. Targeted data sets in the financial services industry include customer credentials and payment card details, personally identifiable information, and cryptocurrency. Technology companies are valuable targets in part because compromises of them can enable access to their customers, even including Japanese government and defense organizations.

If you’d like more information about these targeted industries check out the full report or one of our one-page briefs looking at the main points of the automotive, financial services, and technology industries.

Ultimately, Japan has a huge attack surface and is an incredibly important economy on the global stage. Its companies have global reach and are often market leaders outside of Japan. This puts Japanese companies at high risk for attacks. For more detail on what we’ve discussed in this blog (and way more detailed information about the attack surface of Japan) download the report here.

Three Takeaways from the Gartner® Market Guide for Managed Detection and Response Services

Post Syndicated from Tom Caiazza original

Three Takeaways from the Gartner® Market Guide for Managed Detection and Response Services

Not all MDR services are created equal, and in order for organizations to find the right partner for their managed detection and response needs, Gartner® has published a Market Guide report offering key insights for businesses of all sizes. At Rapid7, we are proud to offer this complimentary report and share our three key takeaways from it.

MDR services have skyrocketed over the past few years. In the report, Gartner says: “MDR is a high-growth, established market (see Market Share: Managed Security Services, Worldwide, 2021 where MDR is a distinct segment, the MDR market grew 48.9% from 2020 to 2021).”

Because of the high growth in the market, many managed security services use the term MDR. However, organizations looking for a true Managed Detection and Response partner, should look to the Gartner definition to identify the right vendor.

Gartner puts it this way: “MDR services provide customers with remotely delivered, humanled, turnkey, modern SOC functions; ultimately delivering threat disruption and containment.”

But choosing a strong MDR partner goes far beyond these high-level requirements. Below are our key takeaways from the report. Without further ado, let’s dive right in.

Takeaway 1: Beware Providers Mimicking MDR

The key to MDR lies as much in the human-centric nature of the service as the power of the technology behind it. Managed Detection and Response is just that… managed. It requires a human with expertise not only in understanding the detection and remediation of threats and breaches, but how these correlate to your business and its goals. Sadly, not all services claiming to be MDR lead with this human expertise.

Gartner shares: “Misnamed technology-centric offerings and vendor-delivered service wrappers (VDSW), that fail to deliver human-driven managed detection and response (MDR) services, are causing challenges for buyers looking to identify and select an outcome-driven provider.”

Human-analyzed context is critically important to the success of an MDR program and an organization’s outcomes in their security programs. Unfortunately, some providers are not living up to their own marketing materials. For instance, Gartner found that some “deliver a far less human-driven experience, depending on the technology for the bulk of the delivery. Although still valuable, these offerings are often promoted as being more engaged than they actually are and would be better described as managed EDR (MEDR).”

Takeaway 2: Context is King

This could be considered a corollary to the previous takeaway, but we acknowledge how important it is for an MDR provider to understand your organization’s unique environment, the context of threats, and how those threats have potential to impact your business. It is not enough to simply detect and remediate threats; an MDR SOC should understand which threats and types of threats will have the biggest impact on your company or organization.

The human-led nature of successful MDR programs means that a company can rest assured that their MDR SOC is able to provide insights that are actually useful to boost their customer’s outcomes.

Gartner has this to say on the subject: “MDR buyers must focus on the ability to provide context-driven insights that will directly impact their business objectives, as wide-scale collection of telemetry and automated analysis are insufficient when facing uncommon threats.”

We feel this has a direct relationship with the expertise of the MDR provider and the quality of the technology they are providing. Too much information without the context necessary to triage and prioritize could overwhelm any security team. Too little information and threats go unchecked. Finding the right balance between the tech and expertise is critical.

Takeaway 3: Threats Know No Boundaries

Ok, that subhead may be a little hyperbolic, but it should surprise no one that threat actors aren’t clocking out at 5pm on a Friday and taking holidays off. Your MDR SOC can’t either. Gartner recommends “Use MDR services to obtain 24/7, remotely delivered, human-led security operations capabilities when there are no existing internal capabilities, or when the organization needs to accelerate or augment existing security operations capabilities.”

So, what exactly does that mean? Essentially, any MDR SOC you choose should provide round-the-clock security that knows no geographical limitations, and has a team of experts actively detecting, assessing, and providing remediation recommendations for threats whenever they arise.

Gartner says: “Turnkey threat detection, investigation and response (TDIR) capabilities are a core requirement for buyers of MDR services who demand remotely delivered services deployed quickly and predictably.”

A follow-the-sun approach that puts highly competent security experts at your fingertips 24/7, 365, and that melds the human-centric nature of deep cybersecurity and business analysis with a powerful threat-detecting technology solution would make for a compelling MDR service option.

Choosing an MDR partner requires some serious due diligence and understanding of your organization’s priorities. This Market Guide helps MDR buyers understand the state of the market and what to look for in an effective MDR provider. Our three takeaways are in no way comprehensive; download the full report to learn more.

Gartner, “Market Guide for Managed Detection and Response Services” Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies. 14 February 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

A Shifting Attack Landscape: Rapid7’s 2022 Vulnerability Intelligence Report

Post Syndicated from Tom Caiazza original

A Shifting Attack Landscape: Rapid7’s 2022 Vulnerability Intelligence Report

Each year, the research team at Rapid7 analyzes thousands of vulnerabilities in order to identify their root causes, broaden understanding of attacker behavior, and provide actionable intelligence that guides security professionals at critical moments. Our annual Vulnerability Intelligence Report examines notable vulnerabilities and high-impact attacks from 2022 to highlight trends that drive significant risk for organizations of all sizes.

Today, we’re excited to release Rapid7’s 2022 Vulnerability Intelligence Report—a deep dive into 50 of the most notable vulnerabilities our research team investigated throughout the year. The report offers insight into critical vulnerabilities, widespread threats, prominent attack surface area, and changing exploitation trends.  

The threat landscape today is radically different than it was even a few years ago. Over the past three years, we’ve seen zero-day exploits and widespread attacks chart a meteoric rise that’s strained security teams to their breaking point and beyond. While 2022 saw a modest decline in zero-day and widespread exploitation from 2021’s record highs, the multi-year trend of rising attack speed and scale remains strikingly consistent overall.

Report findings include:

  • Widespread exploitation of new vulnerabilities decreased 15% year over year in 2022, but mass exploitation events were still the norm. Our 2022 vulnerability intelligence dataset tracks 28 net-new widespread threats, many of which were used to deploy webshells, cryptocurrency miners, botnet malware, and/or ransomware on target systems.
  • Zero-day exploitation remained a significant challenge for security teams, with 43% of widespread threats arising from a zero-day exploit.
  • Attackers are still developing and deploying exploits faster than ever before. More than half of the vulnerabilities in our report dataset were exploited within seven days of public disclosure—a 12% increase from 2021 and an 87% increase over 2020.
  • Vulnerabilities mapped definitively to ransomware operations dropped 33% year over year—a troubling trend that speaks more to evolving attacker behavior and lower industry visibility than to any actual reprieve for security practitioners. This year’s report explores the growing complexity of the cybercrime ecosystem, the rise of initial access brokers, and industry-wide ransomware reporting trends.  

How to manage risk from critical vulnerabilities

In today’s threat landscape, security teams are frequently forced into reactive positions, lowering security program efficacy and sustainability. Strong foundational security program components, including vulnerability and asset management processes, are essential to building resilience in a persistently elevated threat climate.

  • Have emergency patching procedures and incident response playbooks in place so that in the event of a widespread threat or breach, your team has a well-understood mechanism to drive immediate action.
  • Have a defined, regular patch cycle that includes prioritization of actively exploited CVEs, as well as network edge technologies like VPNs and firewalls. These network edge devices continue to be popular attack vectors and should adhere to a zero-day patch cycle wherever possible, meaning that updates and/or downtime should be scheduled as soon as new critical advisories are released.
  • Keep up with operating system-level and cumulative updates. Falling behind on these regular updates can make it difficult to install out-of-band security patches at critical moments.
  • Limit and monitor internet exposure of critical infrastructure and services, including domain controllers and management or administrative interfaces. The exploitation of many of the CVEs in this year’s report could be slowed down or prevented by taking management interfaces off the public internet.

2022 Vulnerability Intelligence Report

Read the report to see our full list of high-priority CVEs and learn more about attack trends from 2022.


Year in Review: Rapid7 Vulnerability Management

Post Syndicated from Tom Caiazza original

Year in Review: Rapid7 Vulnerability Management

For Rapid7’s vulnerability management team, 2022 began with a lot of introspection on how we can add more value and keep meeting our customer needs in the best possible ways.

Over the course of 2022, we launched many new features and improvements — some highly anticipated, many customer-requested. Log4J was difficult, but we learned from it, particularly when it comes to Emergent Threat Response.

Additionally, we recently refreshed our coordinated vulnerability disclosure (CVD) policy and philosophy. We found that we couldn’t treat every vulnerability equally and there was a need to be more agile with our CVD approach. So, we came up with six classes of vulnerabilities (and a meta-classification of “more than one”) and some broad strokes of what we intend to accomplish with our CVD for each of them.

We reimagined many of our internal processes and teams to drive better customer outcomes. For instance, we are making a significant investment in re-architecting the InsightVM/Nexpose database to ensure VM programs scale with the customers evolving IT environment.

We will continue to prioritize what really matters, even if it means making some hard decisions, and further improve communication with our customers. Here’s a snapshot of 2022 in InsightVM.

Key Product Improvements

Agent-based policy assessment

A robust vulnerability management program should assess IT assets for misconfigurations along with vulnerabilities. That’s why we were thrilled to introduce Agent-Based Policy in InsightVM. Customers can now use Insight Agents to conduct configuration assessments of IT assets against widely used industry benchmarks from the Center for Internet Security (CIS) and the U.S. Defense Information Systems Agency (DISA) to help prevent breaches and ensure compliance.

Year in Review: Rapid7 Vulnerability Management

Remediation Project improvements

Remediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). Here are our favorite updates:

  • Remediator Export – a new solution-based CSV export option, Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution.
  • Better way to track project progress – The new metric that calculates progress for Remediation Projects will advance for each individual asset remediated within a “solution” group. This means customers no longer have to wait for all the affected assets to be remediated to see progress.
Year in Review: Rapid7 Vulnerability Management

Scan Assistant

Scan Assistant provides an innovative alternative to traditional credentialed scanning. Instead of account-based credentials, it uses digital certificates, which increases security and simplifies administration for authenticated scans.

  • Scan Assistant is now generally available for Linux
  • Automatic Scan Assistant credential generation – taking some more burden off the vulnerability management teams, customers can use the Shared Credentials management UI to automatically generate Scan Assistant credentials
  • Improved scalability – automated Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants.

Dashboards and reports

Customers like to use dashboards to visualize the impact of a specific vulnerability or vulnerabilities to their environment, and we made quite a few updates in that area:

  • New dashboard cards based on CVSS v3 severity – we expanded CVSS dashboard cards to include a version that sorts the vulnerabilities based on CVSS v3 scores (along with CVSS v2 scores).
  • Threat feed dashboard includes CISA’s KEV catalog – we extended the scope of vulnerabilities tracked to incorporate CISA’s KEV catalog in the InsightVM Threat Feed Dashboard to help customers prioritize faster.
  • 5 New Dashboard Cards – We launched a set of five new dashboard cards that utilize line charts to show trends in vulnerability severity and allow for easy comparison when reporting.
  • Distribute Reports via Email – Customers can now send InsightVM reports to their teammates through email.
Year in Review: Rapid7 Vulnerability Management

Agent improvements for virtual desktops

Pandemic fueled remote work and with it the use of virtual desktops. InsightVM can now identify agent-based assets that are Citrix VDI instances and correlate them to the user, enabling more accurate asset/instance tagging. This will create a smooth, streamlined experience for organizations that deploy and scan Citrix VDIs. Expect similar improvements for VMware Horizon VDIs in 2023.

Improved support

A new, opt-in feature eliminates the need for customers to attach logs to support cases and/or send logs manually, ensuring a faster, more intuitive support process.

Notable Emergent Threat Responses and Recurring Coverages

In 2022, we added support for enterprise systems like Windows Server 2022, AlmaLinux, VMware Horizon (server and client), and more to the recurring coverage list. Learn about the systems with recurring coverage.

Rapid7’s Emergent Threat Response (ETR) program is part of an ongoing process to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats. This year we flagged a number of critical vulnerabilities. To list a few:

That’s not all. We added over 21,000 new checks across close to 9000 CVEs to help customers understand their risk better and thus secure better.

Check out our past blogs – Q1, Q2, and Q3 – to get more information on product improvements and key vulnerability coverages.

Customer Stories and Resources

The past year, we had the privilege to share stories of how our customers are using Insight VM to secure their environment. Check out how your peers are leveraging InsightVM.Here’s what one customer had to say:

“That is one of the things we value most about InsightVM; it has the capacity to pinpoint actively-exploited vulnerabilities, so we can prioritize and direct our attention where it’s needed most.”

For customers looking to improve the utilization of the Vulnerability Management tool, check out this webcast series that covers the different phases of VM lifecycle – Discovery, Analyze, Communicate, and Remediate. Lastly, customers can always leverage Rapid7 Academy to participate in workshops and training to continue their learning journey.

Looking forward to 2023

We will maintain the customer-centricity in 2023 as we continue to deliver features and improvements in customers’ best interests. We will be holding a webinar on January 24 around configuration assessment in InsightVM agent-based policy. And, as always, be on the lookout for our annual vulnerability intelligence report coming soon to a Q1 near you (here’s last year’s)!

Year in Review: Rapid7 Cybersecurity Research

Post Syndicated from Tom Caiazza original

Year in Review: Rapid7 Cybersecurity Research

Welcome to 2023, a year that sounds so futuristic it is hard to believe it is real. But real it is, and make no mistake, threat actors are still out there, working hard to get into networks the world over. So, at the start of the new year, I am reminded of two particular phrases: Those who do not learn from their past are doomed to repeat it, and history doesn’t repeat itself, but it rhymes.

With those cautionary words in mind, let’s take a brief look back at a smattering of the research we conducted in 2022. Hopefully, you will find some overlooked lessons from the past to keep your organizations safe here <cue excessive reverb> in the future.

Some of Rapid7’s most important research is focused on the current state of cybersecurity and threat landscape. This research is designed to glean critical insights into threat actor tactics and how the security industry works to combat them. Below are four reports based on this type of research.

Vulnerability Intelligence Report

One of our most pored over reports, the Vulnerability Intelligence Report looks at threats that emerged in the previous year. This year, we identified many worrying (and some downright critical) trends in the vulnerability management space. For example, we found that widespread threats were up 130% from 202o and roughly half of them were zero-day exploits. Additionally, the time to known exploitation of vulnerabilities shrunk to under a week. It’s a sobering report, without a doubt.

Cloud Misconfigurations Report

Securing cloud instances has become a major part of keeping organizations safe from risk. That’s not exactly an earth-shattering statement. We all know how important cloud security is. However, our Cloud Misconfiguration Report found that even some of the world’s largest (and resource rich) organizations neglect to put some basic, common sense protections in place. So, clearly, there is still work to be done.

Pain Points: Ransomware Data Disclosure Trends

Ransomware has been on the rise for several years and continues to evolve as quickly as cybersecurity professionals find ways to combat it. One way it has evolved over the last few years is with the rise in double extortion. In this type of attack, threat actors exfiltrate an organization’s data before encrypting it. Then, they threaten to leak or sell that data unless a ransom is paid.

In this first of its kind report, we looked at data disclosures associated with double extortion campaigns and extracted some interesting trends including the industries most affected by these attacks, who is conducting them, and when they occur.

Good Passwords for Bad Bots

Passwords, we’ve all got them, but that doesn’t mean we are great at using them to their full potential. We cross referenced well-known password repositories with our own honeypots for SSH and RDP credentials to determine how well organizations use secure credentialing. The results were grim. This report details the results of our research and offers some tips on how to improve passwords (password managers to the front!).

All Cybersecurity is Local

Global trends are important, but keeping it local can help us understand the intricacies of security in our own neck of the woods. In this report, we took a deep dive into one geographical region to provide critical insights that improve security.

The ASX Attack Surface

We took a look at the ASX200, the stock market index of companies listed on the Australian Stock Exchange. We found that though there is always room for improvement, by and large, the ASX200 companies are on equal security footing as some of their larger counterparts around the globe. And to further dispel any lingering FUD, they’ve measurably improved since the last time we looked at this sector in 2021, so go on ya, Aussie infosec pros!

The Future of Cybersecurity

At Rapid7, we don’t just look at the current state of the cybersecurity industry, we actively strive to improve it. Often, that means deep research into the future of cybersecurity tools and practices. This year was no exception. We’re quite proud of these reports and the potential they have to make us all a little bit safer.

Optimising Vulnerability Triage in DAST with Deep Learning

This may sound like the title to a formal academic paper (and vaguely British) and that’s because it is. Rapid7 was honored to have a research paper on machine learning techniques to improve false positives in DAST solutions accepted by a journal published by the Association for Computing Machinery.

Our researchers created a machine learning technique that can reduce false positives in DAST solutions by 96% allowing security professionals more time to focus on triaging actual threats and remediating them, rather than heading on wild goose chases caused by false positives.

Delivering Enterprise IoT Solutions Securely: The Domino’s Pizza Story

Companies large and small struggle with securing their IoT infrastructure from attackers. So, when the opportunity came to observe (and dissect) one company that seems to be doing it right, we jumped at the chance. In this report we partnered with Domino’s Pizza to look at their IoT operation and they were gracious enough to allow our expert pentesters and code auditors to tear it apart and see how they do it. It’s an excellent read for anyone looking to see some of the best practices in IoT security in use today.

2023 Here We Come

These are just a few of the great research papers we released last year. It has long been our mission to not only provide the best security platform and services available, but to help the entire cybersecurity community close the security achievement gap.

Our research departments take that mission very seriously and you can bet that we will be entering 2023 with a big ol’ list of research papers looking at the latest in cybersecurity innovation and best practices. We are grateful that you joined us on our journey last year and hope that you’ll be along for the ride again this year.

The 2022 Naughty and Nice List

Post Syndicated from Tom Caiazza original

The 2022 Naughty and Nice List

It’s the holiday season when children all over the world cross their fingers in the hope that they don’t end up on a certain red-clad big man’s naughty list. Turns out, we at Rapid7 have a similar tradition, only we’re the ones making the list and there’s a whole lotta naughty going on (not like that, get your heads out of the gutter).

We’ve asked a few of our experts to share what in cybersecurity deserves to be on the naughty list, and what needs to be on the nice list. Some of these represent personal gripes, others are industry-wide, and still others are specific to certain aspects of what we do all day.

Obviously, we all lived through the many levels of Shell this year so we are taking that as the quintessential 2022 naughty entry. These are a few others that you may or may not have been tracking, but are worth thinking about as we put this year to bed.

Here, without further fan fare, is our non-exhaustive, thoroughly delightful, slightly deranged, 2022 Cybersecurity Naughty and Nice List. Enjoy.

The Naughty List

Virtual Private Nopes: I try, really hard, to take a charitable read on people’s motivations. So, normally, it takes a lot to get on my bad side. That said: I nominate the entire consumer VPN industry for this year’s Naughty List. This is based on a paper published by the University of Maryland titled, Investigating Influencer VPN Ads on YouTube, by Omer Akgul, Richard Roberts, Moses Namara, Dave Levin, and Michelle L. Mazurek.

Not to spoil the surprise, but the study shows that many consumer VPN influencer ads contain potentially misleading claims, including overpromises and exaggerations that could negatively influence viewers’ understanding of Internet safety. It also found that the ads’ presentation of information on complicated subjects of cryptography, networking, and cybersecurity in general is likely counterproductive and may make viewers resistant to learning true facts about these topics.

Naughty, naughty indeed. You can hear more about this on Security Nation, or if you’re feeling particularly ironic, on YouTube. – Tod Beardsley, Director of Research

When IoT Products Attack: There is a never ending flood of cheap white labeled IoT goods available for consumers to purchase online. Many of these devices have little or no security. Worse, most of these products don’t even have vendors backing them when vulnerabilities are found. As a result, many of the issues will never be fixed.

As this pile of garbage continues to grow, it seems we are just forced to wait and anticipate another Mirai-style botnet (or worse) to emerge and create havoc. – Deral Heiland, Principal Security Researcher, IoT

Ambulance Chasing in the Wake of the Uber breach: It is critical for cybersecurity vendors to react to cybersecurity events as quickly as possible and often in as close to real-time as we can get. From a marketing standpoint, this can be an opportunity to impart a timely, relevant message that showcases a security product in a positive light.

There’s nothing inherently wrong with that, but when vendors use it as an opportunity to tsk-tsk those who didn’t use their product they come off as unhelpful at best, and dangerously boastful at worst.

The Uber breach that hit headlines earlier this year is a good example of this where some of the most vocal vendors were also shown to be unable to stop the breach. Everyone should be proud of their products and their capabilities, but let’s stick to being helpful to the community rather than resorting to ambulance chasing and Monday morning quarterbacking. – Ryan Blanchard, Product Marketing Manager, InsightCloudSec

The Nice List

U.S. Government Agencies Pass New Cybersecurity Legislation: During 2022, the U.S. took some significant steps—in the form of regulation and legislation—to ensure proper disclosure of major cybersecurity incidents.

In March, President Biden signed new cybersecurity legislation mandating critical infrastructure operators report hacks to the Department of Homeland Security within 72 hours and within 24 hours of ransomware payments.

Additionally, the SEC voted to propose two new cybersecurity rules for publicly-traded companies. The first mandates reporting of material cybersecurity incidents in an 8-K form within four business days of the incident. The second requires companies disclose their policies for managing cybersecurity risks, including updates on previously reported material cybersecurity incidents.

In July, the House of Representatives passed two cybersecurity bills. The first requires the Federal Trade Commission to report cross-border complaints involving ransomware and other cybersecurity incidents. The second directs the Department of Energy to establish an energy cybersecurity university leadership program. – Ryan Blanchard, Product Marketing Manager, InsightCloudSec

Consumer Protections for IoT Devices: In October, the White House hosted a meeting with IoT industry leaders to start the process of developing an IoT Labeling system for consumers to help them identify products that meet a standard level of security.

Although this project will take time to complete, and the use of the labels will be voluntary for vendors, I do expect many vendors will embrace this labeling solution to help promote their products above their competitors. This project will be a major step forward for consumers, which will help them to make sound security decisions on what products to deploy in their homes. – Deral Heiland, Principal Security Researcher, IoT

Adventures in TOTP Token Extraction: I let backups for my phone lapse … for the entire pandemic. Oops. So, when my phone gave up the ghost, I lost the primary authentication device for 2FA (in addition to countless photos of my wife and I playing board games during lockdown). Oh no!

I was using a cloud-based TOTP token manager and was still authenticated and logged in on my desktop. So, “no problem,” says I, “I can just use the web UI to export these tokens to the new phone!” Well, not so fast—it turns out that it is super hard to grab these tokens and port them around. Which is infuriating.

Thankfully, Guillaume Boudreau published a completely hacky method to extract those TOTP tokens, which is totally nuts and also totally works. Yay! – Tod Beardsley, Director of Research, Rapid7

In Conclusion, We’ve Concluded

So, there you have it. A bit of naughty, a touch of nice, something about TOTP tokens, this blog post has it all. Thank you from the entire Rapid7 team for being with us throughout this wild year!

Webinar: 2023 Cybersecurity Industry Predictions

Post Syndicated from Tom Caiazza original

Webinar: 2023 Cybersecurity Industry Predictions

With 2022 rapidly coming to a close, this is the time of year where it makes sense to take a step back and look at the year in cybersecurity, and make a few critical predictions for what the industry could face in the year ahead.

In order to give the security community some insight into where we’ve been and where we are going, Rapid7 has put together a webinar featuring some of Rapid7’s leading thinkers on the subject — and an important voice from a valued customer — to discuss some of the lessons learned and give their take on what 2023 will look like.

Featured in the webinar are Jason Hart, Rapid7’s Chief Technology Officer for EMEA; Simon Goldsmith, InfoSec Director at OVO Energy, the United Kingdom’s third largest energy retailer; Raj Samani, Senior Vice President and Chief Scientist at Rapid7; and Rapid7’s Vice President of Sales for APAC, Rob Dooley.

2022 – “A Challenging Year”

It may seem like the pace of critical vulnerabilities has only increased in 2022, and to our panel, it feels that way because it has. Whereas in years past, the cybersecurity industry would deal with a major vulnerability once a quarter or so (Heartbleed came to mind for some on our panel), this year it seemed like those vulnerabilities were coming to the fore nearly every week. Many of those vulnerabilities appeared to be actively exploited, raising the urgency for security teams to address them as quickly as possible.

This puts the onus on security teams to not only sift through the noise to find the signal (a spot where automation can be key), it also requires expert analysis all at a pace that the industry really hasn’t seen before.

For some, the fast pace of these vulnerabilities were an opportunity to test the mettle of their security operations. Even if their organizations weren’t a victim of those attacks, they can serve as “a lesson learned” putting their incident response plans through their paces. This gives them the confidence to perform well during an actual attack and evangelizes the need for strong vulnerability management across their entire organization, not just within their security teams.

Prediction 1: Information Sharing and the Ever-Expanding Attack Landscape

To give some context for this first prediction, it is important to express that zero-day attacks are on the rise, the time to exploitation is getting shorter, and the social media giants — often a critical component of security community vulnerability information sharing — are becoming less and less reliable.

But the desire for the community to publish and share information about vulnerabilities is still strong. This form of asymmetry between threat actors and the security community has long existed and there is still the inherent risk of transparency on one side benefiting those who seek opacity on the other. Information sharing between the community will be as critical as ever, especially as the reliable avenues for sharing that information dwindle in the coming months.

The way to combat this is by operationalizing cybersecurity — moving away from the binary approach of “patch or don’t patch” — and instead incorporating stronger context through a better understanding of past attack trends in order to prioritize actions and cover your organization from the actual risks.

Another key component is instituting better security hygiene across the organization. What Simon Goldsmith called “controlling the controllables.” This also includes tech stack modernization and the other infrastructural improvements organizations can take to put them in a better position to repel and ultimately respond to an ever more present threat across their networks.

Prediction 2: Cybersecurity Budgets and the Security Talent Shortage

At the same time that threat actors are making it harder on security teams across nearly every industry, the stakes are getting higher for those that are caught up in a breach. Governments are levying hefty fines for organizations that suffer data breaches and there is a real shortage of well-rounded security talent in the newest generation of security professionals.

In some cases this is due to an increase in specialization, but to harken back to the previous prediction, there is some level of “controlling the controllables” at play wherein organizations need to better nurture security talent. There are perennial components to the talent churn and shortfalls (i.e., reduced budgets, a lack of buy-in across the organization, etc.). However, there are more ways in which organizations can bolster their security teams.  

Focusing on diversity and inclusion within your security team is one way to improve not only the morale of your security team, but the efficacy that comes from having wide-ranging viewpoints and expertise present on a team all working together.

Another way to strengthen your team is to help them get out of the cybersecurity bubble. Finding ways to work across teams will not only increase the amount of expertise thrown at a particular problem, but will open avenues for innovation that may not have been considered by a completely siloed infosec team. This means opening up communication with engineering or development teams, and often bringing in a managed services partner to help boost the number of smart voices singing together.

Finally, move beyond the search for the mythical unicorn and acknowledge that experience and expertise count just as much or more than having the right certifications on paper. This should mean fostering career development for more junior team members, engaging current teammates in ways that make the work they do more of a passion and less of a grind, and also ensuring that your team’s culture is an asset working to bring everyone together.

Prediction 3: Operationalizing Security

The gap between technical stakeholders and the business leaders within organizations is getting wider, and will continue to do so, if changes aren’t made to the ways in which the two sides of the house understand each other.

Part of this disconnect comes from the question of “whether or not we’re safe.” In cybersecurity, there are no absolutes; despite compliance with all best practices, there will always be some level of risk. And security operations can often fall into the trap of asking for more funding to better identify more risk, identifying that risk, and then asking for more money to address it. This is not a sustainable approach to closing the understanding gap.

Stakeholders outside of the SOC should understand the ways in which security teams reduce risk through clear metrics and KPIs that demonstrate just how much improvement is being made in infosec, thus justifying the investment. This operationalization of security — the demonstration of improvements — is critical.

Another component of this disconnect lies in which parts of the organization are responsible for different security actions and ensuring they are working together clearly, cohesively, and most importantly, predictably. Protection Level Agreements can go a long way in ensuring that vulnerabilities are handled within a certain amount of time. This requires security teams to provide the relevant information about the vulnerability and how to remediate it to other stakeholders within a predictable window after the vulnerability is identified, so that team can take the steps necessary to remediate it.

Conclusion: Uniting Cybersecurity

It may seem that this blog post (and its sister webinar) offer up doom, gloom, and tons of FUD. And while that’s not entirely untrue, there is a silver lining. The commonality between all three of these predictions is the concept of uniting cybersecurity. Security is integrated within every component of an organization and each group should understand what goals the security operation is striving for, how they will get there, how they themselves are accountable for moving that goal forward, and how that success will ultimately be measured. The cybersecurity community has an opportunity, and maybe even a mandate, to help bring these changes to their organizations as it will be one of the most critical components of a safer, cybersecurity operation.  

All of these points (and so many more) are eloquently made on the webinar available here.

New Research: Optimizing DAST Vulnerability Triage with Deep Learning

Post Syndicated from Tom Caiazza original

New Research: Optimizing DAST Vulnerability Triage with Deep Learning

On November 11th 2022, Rapid7 will for the first time publish and present state-of-the-art machine learning (ML) research at AISec, the leading venue for AI/ML cybersecurity innovations. Led by Dr. Stuart Millar, Senior Data Scientist, Rapid7’s multi-disciplinary ML group has designed a novel deep learning model to automatically prioritize application security vulnerabilities and reduce false positive friction. Partnering with The Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast, this is the first deep learning system to optimize DAST vulnerability triage in application security. CSIT is the UK’s Innovation and Knowledge Centre for cybersecurity, recognised by GCHQ and EPSRC as a Centre of Excellence for cybersecurity research.

Security teams struggle tremendously with prioritizing risk and managing a high level of false positive alerts, while the rise of the cloud post-Covid means web application security is more crucial than ever. Web attacks continue to be the most common type of compromise; however, high levels of false positives generated by vulnerability scanners have become an industry-wide challenge. To combat this, Rapid7’s innovative ML architecture optimizes vulnerability triage by utilizing the structure of traffic exchanges between a DAST scanner and a given web application. Leveraging convolutional neural networks and natural language processing, we designed a deep learning system that encapsulates internal representations of request and response HTTP traffic before fusing them together to make a prediction of a verified vulnerability or a false positive. This system learns from historical triage carried out by our industry-leading SMEs in Rapid7’s Managed Services division.

Given the skillset, time, and cognitive effort required to review high volumes of DAST results by hand, the addition of this deep learning capability to a scanner creates a hybrid system that enables application security analysts to rank scan results, deprioritise false positives, and concentrate on likely real vulnerabilities. With the system able to make hundreds of predictions per second, productivity is improved and remediation time reduced, resulting in stronger customer security postures. A rigorous evaluation of this machine learning architecture across multiple customers shows that 96% of false positives on average can automatically be detected and filtered out.

Rapid7’s deep learning model uses convolutional neural networks and natural language processing to represent the structure of client-server web traffic. Neither the model nor the scanner require source code access — with this hybrid approach first finding potential vulnerabilities using a scan engine, followed by the model predicting those findings as real vulnerabilities or false positives. The resultant solution enables the augmentation of triage decisions by deprioritizing false positives. These time savings are essential to reduce exposure and harden security postures — considering the average time to detect a web breach can be several months, the sooner a vulnerability can be discovered, verified and remediated, the smaller the window of opportunity for an attacker.

Now recognized as state-of-the-art research after expert peer review, Rapid7 will introduce the work at AISec on Nov 11th 2022 at the Omni Los Angeles Hotel at California Plaza. Watch this space for further developments, and download a copy of the pre-print publication here.

The 2022 SANS Top New Attacks and Threats Report Is In, and It’s Required Reading

Post Syndicated from Tom Caiazza original

The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading

The latest Top New Attacks and Threat Report from the cybersecurity experts at SANS is here — and the findings around cyberthreats, attacks, and best practices to defend against them are as critical for security teams as they’ve ever been.

If you’re unfamiliar with the SysAdmin, Audit, Network, and Security Institute, or SANS, they’re among the leading cybersecurity research organizations in the world, and their annual Top New Attacks and Threat Report is required reading for every security professional operating today.

What’s new for 2022

This year’s report is a little different from previous years. Rather than focusing on threat statistics from the year before (i.e., 2021 data for the 2022 report), SANS opted to focus on data from the first quarter of 2022, providing a more recent snapshot of the state of play in the threat landscape. The reason for this is probably something you could have guessed: the pandemic.

Typically, the TNAT report (we love coming up with acronyms!) is built out of a highly anticipated presentation from SANS experts at the annual RSA conference. Since the pandemic delayed the start of the RSA event this year, the folks at SANS thought it better to focus on more up-to-the-minute data for their report.

What they found is interesting — if a little concerning.

Smaller breaches, bigger risks?

In the first quarter of 2022, the average breach size was down one-third from the overall breach size in 2021 (even adjusted for seasonal shifts in breach sizes). What’s more, there are signs of a trend in breach size decline, as 2021’s overall breach size average was 5% lower than that of 2020. SANS believes this is indicative of attackers focusing on smaller targets than in previous years, particularly in the healthcare sector and in state and local government agencies.

A lower average breach size is good news, no doubt, but what it says about the intentions of attackers should have many on edge. Going after smaller — but potentially more vulnerable — organizations means those groups are less likely to have the resources to repel those attackers that larger groups would, and they pose dangers as partner organizations.

The SANS experts suggest shoring up supplier compliance by following two well-established security frameworks: the Supply Chain Risk Management Reporting Framework provided by the American Institute of Certified Public Accountants (AICPA), and the National Institute of Standards and Technology’s (NIST’s) updated SP 800-161 Supply Chain Risk Framework.

The SANS report also provided telling and important data around the ways in which attackers enter your environment (phishing was the root of 51% of all breaches), as well as the success rate of multi-factor authentication — 99% — in combating phishing attacks.

The RSA panel discussion (and the subsequent report we’re sharing) also look into specific trends and best practices from some of SANS’s experts. In years past, they’ve looked at some key takeaways from the SolarWinds breach, ransomware, and machine learning vulnerabilities. This year, they’ve turned their attention to multi-factor authentication, stalkerware, and the evolution of “living off the land” attacks as they pertain to cloud infrastructure. Each of these sections is worth reading in its own right and can provide some thought-provoking resources as your security team continues to grapple with what comes next in the cloud and attacker spaces.

One space where the SANS experts chose to focus has particular importance to those seeking to mitigate ransomware: attacks on backups. Backups have long been considered your best defense against ransomware attacks because they allow your organization to securely resume use of your data should your environment become compromised (and your data be locked down). However, as backup infrastructure moves into the cloud, SANS experts believe unique attacks against these backups will become more common, because backup solutions are often quite complex and are vulnerable to specific types of threats, such as living-off-the-land attacks.

The annual SANS report is a reliable and instrumental resource for security teams which is why we are proud to be a sponsor of it (and offer it to the security community). You can dive into the full report here.

Additional reading:


Get the latest stories, expertise, and news about security today.

To Maze and Beyond: How the Ransomware Double Extortion Space Has Evolved

Post Syndicated from Tom Caiazza original

To Maze and Beyond: How the Ransomware Double Extortion Space Has Evolved

We’re here with the final installment in our Pain Points: Ransomware Data Disclosure Trends report blog series, and today we’re looking at a unique aspect of the report that clarifies not just what ransomware actors choose to disclose, but who discloses what, and how the ransomware landscape has changed over the last two years.

Firstly, we should tell you that our research centered around the concept of double extortion. Unlike traditional ransomware attacks, where bad actors take over a victim’s network and hold the data hostage for ransom, double extortion takes it a step further and extorts the victim for more money with the threat (and, in some cases, execution) of the release of sensitive data. So not only does a victim experience a ransomware attack, they also experience a data breach, and the additional risk of that data becoming publicly available if they do not pay.

According to our research, there have been a handful of major players in the double extortion field starting in April 2020, when our data begins, and February 2022. Double extortion itself was in many ways pioneered by the Maze ransomware group, so it should not surprise anyone that we will focus on them first.

The rise and fall of Maze and the splintering of ransomware double extortion

Maze’s influence on the current state of ransomware should not be understated. Prior to the group’s pioneering of double extortion, many ransomware actors intended to sell the data they encrypted to other criminal entities. Maze, however, popularized another revenue stream for these bad actors, leaning on the victims themselves for more money. Using coercive pressure, Maze did an end run around one of the most important safeguards organizations can take against ransomware: having safely secured and regularly updated backups of their important data.

Throughout most of 2020 Maze was the leader of the double extortion tactic among ransomware groups, accounting for 30% of the 94 reported cases of double extortion between April and December of 2020. This is even more remarkable given the fact that Maze itself was shut down in November of 2020.

Other top ransomware groups also accounted for large percentages of data disclosures. For instance, in that same year, REvil/Sodinokibi accounted for 19%, Conti accounted for 14%, and NetWalker 12%. To give some indication of just how big Maze’s influence was and offer explanation for what happened after they were shut down, Maze and REvil/Sodinokibi accounted for nearly half of all double extortion attacks that year.

However, once Maze was out of the way, double extortion still continued, just with far more players taking smaller pieces of the pie. Conti and REvil/Sodinokibi were still major players in 2021, but their combined market share barely ticked up, making up just 35% of the market even without Maze dominating the space. Conti accounted for 19%, and REvil/Sodinokibi dropped to 16%.

But other smaller players saw increases in 2021. CL0P’s market share rose to 9%, making it the third most active group. Darkside and RansomEXX both went from 2% in 2020 to 6% in 2021. There were 16 other groups who came onto the scene, but none of them took more than 5% market share. Essentially, with Maze out of the way, the ransomware market splintered with even the big groups from the year before being unable to step in and fill Maze’s shoes.

What they steal depends on who they are

Even ransomware groups have their own preferred types of data to steal, release, and hold hostage. REvil/Sodinokibi focused heavily on releasing customer and patient data (present in 55% of their disclosures), finance and accounting data (present in 55% of their disclosures), employee PII and HR data (present in 52% of their disclosures), and sales and marketing data (present in 48% of their disclosures).

CL0P on the other hand was far more focused on Employee PII & HR data with that type of information present in 70% of their disclosures, more than double any other type of data. Conti overwhelmingly focused on Finance and Accounting data (present in 81% of their disclosures) whereas Customer & Patient Data was just 42% and Employee PII & HR data at just 27%.

Ultimately, these organizations have their own unique interests in the type of data they choose to steal and release during the double extortion layer of their ransomware attacks. They can act as calling cards for the different groups that help illuminate the inner workings of the ransomware ecosystem.

Thank you for joining us on this unprecedented dive into the world of double extortion as told through the data disclosures themselves. To dive even deeper into the data, download the full report.

Additional reading:


Get the latest stories, expertise, and news about security today.

Deploy tCell More Easily With the New AWS AMI Agent

Post Syndicated from Tom Caiazza original

Deploy tCell More Easily With the New AWS AMI Agent

Rapid7’s tCell is a powerful tool that allows you to monitor risk and protect web applications and APIs in real time. Great! It’s a fundamental part of our push to make web application security as strong and comprehensive as it needs to be in an age when web application attacks account for roughly 70% of cybersecurity incidents.

But with that power comes complexity, and we know that not every customer has the same resources available both in-house or externally to leverage tCell in all its glory right out of the box. With our newest agent addition, we’re hoping to make that experience a little bit easier.

AWS AMI Agent for tCell

We’ve introduced the AWS AMI Agent for tCell, which makes it easier to deploy tCell into your software development life cycle (SDLC) without the need to manually configure tCell. If you aren’t as familiar with deploying web apps and need help getting tCell up and running, you can now deploy tCell with ease and get runtime protection on your apps within minutes.

If you use Amazon Web Services (AWS), you can now quickly launch a tCell agent with NGINX as a reverse proxy. This is placed in front of your existing web app without having to make development or code changes. To make things even easier, the new AWS AMI Agent even comes pre-equipped with a helper utility (with the NGINX agent pre-installed) that allows you to configure your tCell agent in a single command.

Shift left seamlessly

So why is this such an important new deployment method for tCell customers? Simply put, it’s a way to better utilize and understand tCell before making a case to your team of developers. To get the most out of tCell, it’s best to get buy-in from your developers, as deployment efforts traditionally can require bringing the dev team into the fold in a significant way.

With the AWS AMI Agent, your security team can utilize tCell right away, with limited technical knowledge, and use those learnings (and security improvements) to make the case that a full deployment of the tCell agent is in your dev team’s best interest. We’ve seen this barrier with some existing customers and with the overall shift-left approach within the web application community at large.

This new deployment offering is a way for your security team to get comfortable with the benefits (and there are many) of securing your web applications with tCell. They will better understand how to secure AWS-hosted web apps and how the two products work together seamlessly.

If you’d like to give it a spin, we recommend heading over to the docs to find out more.

The AWS AMI Agent is available to all existing tCell customers right now.

Additional reading:


Get the latest stories, expertise, and news about security today.

It’s the Summer of AppSec: Q2 Improvements to Our Industry-Leading DAST and WAAP

Post Syndicated from Tom Caiazza original

It’s the Summer of AppSec: Q2 Improvements to Our Industry-Leading DAST and WAAP

Summer is in full swing, and that means soaring temperatures, backyard grill-outs, and the latest roundup of Q2 application security improvements from Rapid7. Yes, we know you’ve been waiting for this moment with more anticipation than Season 4 of Stranger Things. So let’s start running up that hill, not beat around the bush (see what we did there?), and dive right in.

OWASP Top 10 for application security

Way, way back in September of 2021 (it feels like it was yesterday), the Open Web Application Security Project (OWASP) released its top 10 list of critical web application security risks. Naturally, we were all over it, as OWASP is one of the most trusted voices in cybersecurity, and their Top 10 lists are excellent places to start understanding where and how threat actors could be coming for your applications. We released a ton of material to help our customers better understand and implement the recommendations from OWASP.

This quarter, we were able to take those protections another big step forward by providing an OWASP 2021 Attack Template and Report for InsightAppSec. With this new feature, your security team can work closely with development teams to discover and remediate vulnerabilities in ways that jive with security best practice. It also helps to focus your AppSec program around the updated categories provided by OWASP (which we highly suggest you do).

The new attack template includes all the relevant attacks included in the updated OWASP Top 10 list which means you can focus on the most important vulnerabilities to remediate, rather than be overwhelmed by too many vulnerabilities and not focusing on the right ones. Once the vulns are discovered, InsightAppSec helps your development team to remediate the issues in several different ways, including a new OWASP Top 10 report and the ability to let developers confirm vulnerabilities and fixes with Attack Replay.

Scan engine and attack enhancements

Product support for OWASP 2021 wasn’t the only improvement we made to our industry-leading DAST this quarter. In fact, we’ve been quite busy adding additional attack coverage and making scan engine improvements to increase coverage and accuracy for our customers. Here are just a few.

Spring4Shell attacks and protections with InsightAppSec and tCell

We instituted a pair of improvements to InsightAppSec and tCell meant to identify and block the now-infamous Spring4Shell vulnerability. We now have included a default RCE attack module specifically to test for the Spring4Shell vulnerability with InsightAppSec. That feature is available to all InsightAppSec customers right now, and we highly recommend using it to prevent this major vulnerability from impacting your applications.

Additionally, for those customers leveraging tCell to protect their apps, we’ve added new detections and the ability to block Spring4Shell attacks against your web applications. In addition, we’ve added Spring4Shell coverage for our Runtime SCA capability. Check out more here on both of these new enhancements.

New out-of-band attack module

We’ve added a new out-of-band SQL injection module similar to Log4Shell, except it leverages the DNS protocol, which is typically less restricted and used by the adversary. It’s included in the “All Attacks” attack template and can be added to any customer attack template.

Improved scanning for session detection

We have made improvements to our scan engine on InsightAppSec to better detect unwanted logouts. When configuring authentication, the step-by-step instructions will guide you through configuring this process for your web applications.

Making it easier for our customers

This wouldn’t be a quarterly feature update if we didn’t mention ways we are making InsightAppSec and tCell even easier and more efficient for our customers. In the last few months, we have moved the “Manage Columns” function into “Vulnerabilities” in InsightAppSec to make it even more customizable. You can now also hide columns, drag and drop them where you would like, and change the order in ways that meet your needs.

We’ve also released an AWS AMI of the tCell nginx agent to make it easier for current customers to deploy tCell. This is perfect for those who are familiar with AWS and want to get up and running with tCell fast. Customers who also want a basic understanding of how tCell works and want to share tCell’s value with their dev teams will find this new AWS AMI to provide insight fast.

Summer may be a time to take it easy and enjoy the sunshine, but we’re going to be just as hard at work making improvements to InsightAppSec and tCell over the next three months as we were in the last three. With a break for a hot dog and some fireworks in there somewhere. Stay tuned for more from us and have a great summer.

Additional reading:


Get the latest stories, expertise, and news about security today.

For Finserv Ransomware Attacks, Obtaining Customer Data Is the Focus

Post Syndicated from Tom Caiazza original

For Finserv Ransomware Attacks, Obtaining Customer Data Is the Focus

Welcome back to the third installment of Rapid7’s Pain Points: Ransomware Data Disclosure Trends blog series, where we’re distilling the key highlights of our ransomware data disclosure research paper one industry at a time. This week, we’ll be focusing on the financial services industry, one of the most most highly regulated — and frequently attacked — industries we looked at.

Rapid7’s threat intelligence platform (TIP) scans the clear, deep, and dark web for data on threats, and operationalizes that data automatically with our Threat Command product. We used that data to conduct unique research into the types of data threat actors disclose about their victims. The data points in this research come from the threat actors themselves, making it a rare glimpse into their actions, motivations, and preferences.

Last week, we discussed how the healthcare and pharmaceutical industries are particularly impacted by double extortion in ransomware. We found that threat actors target and release specific types of data to coerce victims into paying the ransom. In this case, it was internal financial information (71%), which was somewhat surprising, considering financial information is not the focus of these two industries. Less surprising, but certainly not less impactful, were the disclosure of customer or patient information (58%) and the unusually strong emphasis on intellectual property in the pharmaceuticals sector of this vertical (43%).

Customer data is the prime target for finserv ransomware

But when we looked at financial services, something interesting did stand out: Customer data was found in the overwhelming majority of data disclosures (82%), not necessarily the company’s internal financial information. It seems threat actors were more interested in leveraging the public’s implied trust in financial services companies to keep their personal financial information private than they were in exposing the company’s own financial information.

Since much of the damage done by ransomware attacks — or really any cybersecurity incident — lies in the erosion of trust in that institution, it appears threat actors are seeking to hasten that erosion with their initial data disclosures. The financial services industry is one of the most highly regulated industries in the market entirely because it holds the financial health of millions of people in their hands. Breaches at these institutions tend to have outsized impacts.

Employee info is also at risk

The next most commonly disclosed form of data in the financial services industry was personally identifiable information (PII) and HR data. This is personal data of those who work in the financial industry and can include identifying information like Social Security numbers and the like. Some 59% of disclosures from this sector included this kind of information.

This appears to indicate that threat actors want to undermine the company’s ability to keep their own employees’ data safe, and that can be corroborated by another data point: In some 29% of cases, data disclosure pointed to reconnaissance for future IT attacks as the motive. Threat actors want financial services companies and their employees to know that they are and will always be a major target. Other criminals can use information from these disclosures, such as credentials and network maps, to facilitate future attacks.

As with the healthcare and pharmaceutical sectors, our data showed some interesting and unique motivations from threat actors, as well as confirmed some suspicions we already had about why they choose the data they choose to disclose. Next time, we’ll be taking a look at some of the threat actors themselves and the ways they’ve impacted the overall ransomware “market” over the last two years.

Additional reading:


Get the latest stories, expertise, and news about security today.

For Ransomware Double-Extorters, It’s All About the Benjamins — and Data From Healthcare and Pharma

Post Syndicated from Tom Caiazza original

For Ransomware Double-Extorters, It's All About the Benjamins — and Data From Healthcare and Pharma

Welcome to the second installment in our series looking at the latest ransomware research from Rapid7. Two weeks ago, we launched “Pain Points: Ransomware Data Disclosure Trends”, our first-of-its-kind look into the practice of double extortion, what kinds of data get disclosed, and how the ransomware “market” has shifted in the two years since double extortion became a particularly nasty evolution to the practice.

Today, we’re going to talk a little more about the healthcare and pharmaceutical industry data and analysis from the report, highlighting how these two industries differ from some of the other hardest-hit industries and how they relate to each other (or don’t in some cases).

But first, let’s recap what “Pain Points” is actually analyzing. Rapid7’s threat intelligence platform (TIP) scans the clear, deep, and dark web for data on threats and operationalizes that data automatically with our Threat Command product. This means we have at our disposal large amounts of data pertaining to ransomware double extortion that we were able to analyze to determine some interesting trends like never before. Check out the full paper for more detail, and view some well redacted real-world examples of data breaches while you’re at it.

For healthcare and pharma, the risks are heightened

When it comes to the healthcare and pharmaceutical industries, there are some notable similarities that set them apart from other verticals. For instance, internal finance and accounting files showed up most often in initial ransomware data disclosures for healthcare and pharma than for any other industry (71%), including financial services (where you would think financial information would be the most common).

After that, customer and patient data showed up more than 58% of the time — still very high, indicating that ransomware attackers value these data from these industries in particular. This is likely due to the relative amount of damage (legal and regulatory) these kinds of disclosures could have on such a highly regulated field (particularly healthcare).

For Ransomware Double-Extorters, It's All About the Benjamins — and Data From Healthcare and Pharma

All eyes on IP and patient data

Where the healthcare and pharmaceutical differed were in the prevalence of intellectual property (IP) disclosures. The healthcare industry focuses mostly on patients, so it makes sense that one of their biggest data disclosure areas would be personal information. But the pharma industry focuses much more on research and development than it does on the personal information of people. In pharma-related disclosures, IP made up 43% of all disclosures. Again, the predilection on the part of ransomware attackers to “hit ’em where it hurts the most” is on full display here.

Finally, different ransomware groups favor different types of data disclosures, as our data indicated. When it comes to the data most often disclosed from healthcare and pharma victims, REvil and Cl0p were the only who did it (10% and 20% respectively). For customer and patient data, REvil took the top spot with 55% of disclosures, with Darkside behind them at 50%. Conti and Cl0p followed with 42% and 40%, respectively.

So there you have it: When it comes to the healthcare and pharmaceutical industries, financial data, customer data, and intellectual property are the most frequently used data to impose double extortion on ransomware victims.

Ready to dive further into the data? Check out the full report.

Additional reading:


Get the latest stories, expertise, and news about security today.