Tag Archives: Vector Command

Threats don’t wait, neither should you: Mastering Emergent Threat Response Validation

Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2025/05/23/mastering-emergent-threat-response-validation/

Cybersecurity is a team sport


In cybersecurity, no one fights alone. Defending against modern threats requires seamless collaboration, real-time intelligence, and precision execution—just like a well-coordinated sports team. That’s why Rapid7 Labs and our Vector Command team work together to stay ahead of adversaries, ensuring security teams have the insights and capabilities needed to respond effectively. While Rapid7 Labs uncovers emerging threats and delivers cutting-edge research, Vector Command puts that intelligence to work—validating response strategies, optimizing defenses, and ensuring organizations are ready when it matters most. Because in cybersecurity, the best defense is a well-prepared team.

What is an Emergent Threat Response?

Rapid7’s Emergent Threat Response (ETR) program from Rapid7 Labs delivers fast, expert analysis and first-rate security content for the highest-priority security threats to help both Rapid7 customers and the greater security community understand their exposure and act quickly to defend their networks against rising threats.

The Rapid7 Command Platform displays any emergent threats on our homepage, at the top of the screen, easily visible once you have logged in. Our expert researchers include a blog post to accompany each emergent threat.

We also notify all Managed Service customers after discovering new Common Vulnerabilities and Exposures (CVEs). This notification includes known information about the CVE, steps to protect your environment and updates on Rapid7’s response.

Figure 1: An example of how the Emergent Threat message is displayed on our Command Platform home page
Figure 2: A close-up view of the actual Emergent Threat message with supporting blog post.

Why is ETR critical?

Emergent threat response validation is critical because cyber threats evolve at a relentless pace, often outpacing traditional security measures. Without continuous testing and refinement, even the most advanced security tools can fall short when faced with real-world attacks. By proactively validating threat response strategies, organizations can identify gaps, fine-tune automation, and ensure that security teams are ready to act with speed and precision. This not only minimizes downtime and damage but also strengthens overall resilience, enabling businesses to stay ahead of adversaries rather than scrambling to react after an incident has already occurred. In today’s threat landscape, preparedness isn’t optional—it’s the difference between containment and catastrophe.

Figure 3: Emergent Threat Alert message.

How can Vector Command help?

This is the value of an always-on, managed red team service. We continuously test your defenses against the latest ETRs, to see if we can breach your network before threat actors do. If we’re successful, we’ll show you how—and provide actionable remediation guidance.

We’d love to highlight the many organizations that have benefited from this capability with Vector Command; however, we respect their privacy.

One example we can share: a global professional services firm adopted Vector Command for this exact use case. As a frequent target of advanced persistent threats, their security team recognized the value of proactive testing of their resilience.

DORA compliance was also a key driver for this client, given their customer footprint in the EU and the associated reporting requirement. DORA compliance reports demonstrate how financial entities meet regulatory expectations around ICT risk management, incident handling, and third-party oversight—ensuring operational resilience.

With Vector Command, we deliver ongoing external network penetration testing. For some customers, this alone is enough to demonstrate to auditors that they are actively validating their defenses in alignment with DORA.

CTEM and Validation

The leading industry analyst, Gartner®, has said, “security operations managers should go beyond vulnerability management and build a continuous threat exposure management program to more effectively scope and remediate exposures”.

Threat exposure management involves identifying, assessing, and mitigating exposures within an organization’s digital environment. CTEM has emerged as a dynamic program designed to help teams manage their expanding attack surface and maintain a consistent, actionable security posture.

The fourth phase of CTEM is the validation phase, and this is where always-on red teaming, like Vector Command, becomes essential.

Rapid7 also supports the second, third and fifth phases of CTEM through our Exposure Command and Exposure Command Advanced, both launched in August 2024.

Figure 4: Continuous Threat Exposure Management | Source: Gartner 796532_C

Take command of your attack surface

This is the fourth post in our deep dive blog series exploring key capabilities of Vector Command. We hope you’ve found it valuable—and if you have feedback or questions, we’d love to hear from you.

Rapid7 brings together world-class expertise – from our Labs researchers and red teamers to the superstars who work across our multiple SOCs.

If you missed our most recent virtual Take Command 2025 summit, the session “Outpacing the adversary: Red teaming in a complex threat landscape” is still available on demand. You’ll hear firsthand from industry expert Will Hunt and Rapid7 principal security consultant Aaron Herndon.

We’ve also created a self-guided product tour for Vector Command—available anytime for a hands-on look at the platform.

Vector Command: Request Demo ▶︎

Ready to see how continuous red team managed services can ensure your potential attack pathways are remediated before they can ever be exploited?


GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner, “How to Grow Vulnerability Management Into Exposure Management”, November 2024 (For Gartner subscribers only)

Pentales: Red Team vs. N-Day (and How We Won)

Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2025/04/04/pentales-red-team-vs-n-day-and-how-we-won/


During a recent Vector Command operation, I had the chance to sit down with one of our red teamers to hear firsthand how they identified and exploited an N-Day vulnerability in a customer’s environment. It’s a clear example of how continuous red teaming can uncover and validate real-world risks before attackers do.

While the organization involved remains anonymous, the events described are real. This story reflects how our always-on testing approach closely mirrors the creativity and persistence of actual threat actors.

Initial Recon: Spotting an N-Day in the Wild

Vector Command engagements begin with one core question: If someone wanted to break in, where would they start? That’s the mindset our red team brings to every operation.

A red team is a group of security professionals who simulate real-world adversaries. Their goal isn’t to check boxes or run automated scans, but to think and act like attackers—uncovering weaknesses that traditional assessments often miss. They combine technical skill with creativity, adapting to the environment they’re targeting and exploring how far a real compromise could go.

In this case, as part of Vector Command’s continuous reconnaissance, the red team identified a subdomain hosting a vulnerable web application. Because the vulnerability had already been publicly disclosed, the exposure was classified as an N-Day. While the issue was known in the broader security community, it hadn’t yet been patched in this environment.

Using a publicly available proof-of-concept exploit, the team compromised the application and underlying host. From there, they found credentials stored in the file system, granting access to services deeper within the internal network.

From Exploit to Expansion: Breaching the Perimeter and Moving Laterally

As part of our recon, we zeroed in on a subdomain running a web app that was just begging to be poked. It was tied to a recently disclosed N-Day vulnerability—publicly known, actively discussed, and in this case, still unpatched.

We ran a proof-of-concept exploit and landed a shell. From there, we had access to the underlying host, and it didn’t take long to find something useful: credentials stashed away on the file system. Those creds gave us our next step into the internal network.

With the perimeter breached, we started exploring. There was little in the way of segmentation, which made internal discovery a breeze. We quickly found an internal SMTP server and realized we could send emails that appeared completely legit—from the inside, to the inside.

We used that to spin up a phishing campaign. The bait? A cloned version of the company’s actual login portal, hosted on the compromised subdomain. From the user’s perspective, everything looked familiar. The URL checked out. The branding was perfect. And people clicked.

We captured multiple sets of credentials, including an admin account. From there, we confirmed a misconfiguration on a critical internal system. That allowed us to escalate privileges and prepare for full domain takeover.

Classic attack chain: exploit, phish, pivot, escalate. All real. All tested safely under Vector Command.

From Attack Chain to Action Plan

You may be forgiven for thinking an organization would not be happy with this. However, it is exactly the opposite, and our Vector Command customer was delighted that we found and exploited this vulnerability. We proved the value of our continuous red teaming, mimicking what a real external threat actor would do to breach a network.

The subdomain we compromised was prioritized for remediation and now has security controls in place. We then re-tested the customer’s environment to ensure their patches actually worked and that this particular security gap was closed.

From PoCs to Happy SOCs

In our previous blogs, we’ve explored the human side of continuous red teaming—through opportunistic phishing stories, external network assessments, and a deep dive into the TTPs behind post-compromise simulations.

Security Operations Centers (SOCs) are often relieved—not rattled—when we uncover these risks. It gives them proof, insight, and time to act.

As part of Vector Command, this engagement was fully documented—summarized for executive stakeholders and detailed for security practitioners. Reports live in the Vector Command portal, accessible whenever teams need to revisit findings or track remediation progress.

Customers also have the opportunity to debrief directly with the red teamer behind the operation. Whether it’s to dig deeper into the attack chain or walk through lessons learned, we’re here to help strengthen defenses—because at the end of the day, we’re all working toward the same goal.

If you or your security team want to explore how continuous red teaming can support your program, let’s talk.

Ready for Your Own Red Team Reality Check?

If you’re curious what an attacker might find in your environment, Vector Command can help you find out before someone else does.

Learn More about Rapid7’s Vector Command Service ▶︎


Unpacking a post-compromise breach simulation with Vector Command

Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2025/03/27/unpacking-a-post-compromise-breach-simulation-with-vector-command/

The reality of modern cyber threats


In today’s evolving cyber landscape, breaches are not a matter of if, but when. Attackers continue to refine their techniques, using stealthy post-compromise tactics to maintain persistence, escalate privileges, and move laterally across networks. The key to staying ahead is not just preventing attacks, but building resilience to withstand and respond to them effectively.

This concept of resilience aligns with Continuous Threat Exposure Management (CTEM), a proactive approach to security validation. According to Gartner, CTEM consists of five pillars:

  1. Scope your organization’s attack surface;
  2. Discover your attack surface;
  3. Prioritize your vulnerabilities;
  4. Validate security controls; and finally
  5. Mobilize people and processes to operationalize the CTEM findings.

Vector Command plays a critical role in the fourth pillar, continuously testing security defenses through post-compromise breach simulations that replicate real-world adversary tactics.

How Vector Command tests resilience

This blog is the third in our Vector Command series, where we explore the tactics, techniques, and procedures (TTPs) leveraged by Rapid7’s expert red team. Today, we’re focusing on post-compromise breach simulations—a critical capability in assessing an organization’s ability to detect and respond to a persistent adversary.

Figure 1: Post Compromise Breach Simulation Attack

TTP mapping to the MITRE ATT&CK framework

Once an attacker gains access—whether through phishing or external exploitation—the real damage begins. As part of our post-compromise breach simulation, Vector Command emulates the tactics and techniques adversaries use once they’re inside, leveraging the MITRE ATT&CK® framework as a guide.

Our red team stages command and control payloads and executes a series of proven attacker behaviors to test your resilience across the most common post-compromise scenarios:

  • Configure host persistence – Attackers work to maintain their foothold across reboots and user sessions by modifying startup tasks, hijacking processes, or introducing malicious code. We simulate these tactics to test your defenses against long-term compromise.
  • Attempt host privilege escalation – Gaining initial access is just the beginning. Adversaries often exploit misconfigurations or unpatched vulnerabilities to escalate privileges from standard user accounts to full admin control—enabling deeper access into your environment.
  • Query Active Directory for hosts accessible with compromised credentials – With valid credentials in hand—often obtained through phishing—we test whether an attacker could identify and access other systems or sensitive services using tools that mimic common enumeration techniques.
  • Attempt lateral movement on the network – We simulate how attackers move through your environment by pivoting between systems using native tools and compromised credentials. This reveals how far a real threat actor could go—and how quickly they’d reach your most critical assets.
  • Attempt domain privilege escalation using common misconfigurations – During breach simulations, our red team frequently tests for domain privilege escalation using misconfigurations that are surprisingly common in real-world environments. These include:
      • Local administrator accounts
      • Users with admin-like access
      • Standard users with elevated access to specific systems or sensitive functions

These misconfigurations often intersect with persistence techniques, as attackers take advantage of elevated contexts to maintain long-term access.

Want to see how exposed your organization might be? Surface Command can help identify admin users without multi-factor authentication (MFA), offering a quick view into high-risk accounts and helping fulfill the “Discover” step of Exposure Management. (See our Surface Command Admin users without MFA use case.)

  • Initial access payloads and internal breach playbooks – Every simulation is guided by detailed internal breach playbooks. These help test your incident response readiness and ensure alignment with known attacker workflows, including phishing payload delivery and post-access exploitation.

Each of these steps represents a real-world risk. By simulating them in a controlled environment, Vector Command helps organizations identify blind spots, validate security controls, and improve detection and response capabilities.

Beyond simulation: Actionable reporting & remediation with Vector Command

Security testing is only as valuable as the insights it delivers. With Vector Command, organizations receive tailored reports designed for both executive leadership and security practitioners:

  • Executive-Level Report: A high-level summary of key findings, business risks, and prioritized remediation steps, written in plain language for strategic decision-making.
  • Technical Report: A detailed breakdown of attack simulations, including timestamps, screenshots, and step-by-step execution logs for the security team to analyze and act on.

These insights are not just reports—they are action plans to help teams fortify their defenses against real adversary behaviors.

Take command of your attack surface

Cyber resilience is about understanding your adversary’s tactics before they use them against you. Vector Command delivers an always-on red teaming service that helps organizations stay ahead of attackers by continuously validating defenses and improving response strategies.

Want to learn more? Join us at our upcoming Take Command virtual summit, where we’ll explore how red teaming is evolving to outpace modern threats.

Register here.

Explaining External Network Assessment with Vector Command

Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2025/03/12/explaining-external-network-assessment-with-vector-command/


Learn how external network assessment works within Vector Command, Rapid7’s continuous red team managed service.

Understanding threat exposure management

Let’s start by providing some context around where Vector Command fits into a security program and, more specifically, Continuous Threat Exposure Management (CTEM). Threat exposure management involves identifying, assessing, and mitigating exposures within an organization’s digital environment. CTEM has emerged as a dynamic program designed to address this expanding footprint and help organizations achieve a consistent and actionable security posture.

According to Gartner, some of the different technologies that can support a wider CTEM program can be organized into three distinct pillars:


“Your ‘always on’ red team”

Vector Command sits within the validation pillar, your ‘always on’ red team – validating results from technologies or services as well as validating that the controls in place are working as anticipated.

Explaining an external network assessment

An “external network assessment” refers to evaluating the security posture of an organization’s publicly accessible network perimeter. This essentially simulates a hacker’s perspective to identify vulnerabilities on systems and services directly reachable from the internet. This will include web servers, email servers, and exposed ports, to assess potential risks and weaknesses that could be exploited by malicious actors.

Goals of an external network assessment:

  • Discover potential entry points for attackers.
  • Identify misconfigurations and weak security practices on exposed systems.
  • Evaluate the overall security posture of the external network perimeter.

Rapid7’s Vector Command red team testing approach

Our Vector Command red team experts conduct comprehensive security assessments using a multi-faceted approach:

Initial discovery and assessment

We begin by leveraging EASM-discovered assets and IVM scan results to map your approved attack surface. Our experts validate IVM findings and conduct service discovery to ensure complete coverage.

Vulnerability identification

Our team searches for common web misconfigurations through directory testing, reviews exposed administrative functions, and checks for unauthenticated access to sensitive areas. We also conduct limited, non-intrusive password testing against services like email, IAM, and VPNs using information gathered during EASM scanning.

Continuous monitoring and testing

As an always-on managed service, we:

  • Perform vulnerability scans using InsightVM
  • Validate potentially exploitable findings before publishing them to your portal
  • Monitor Rapid7’s Emergent Threat Response channels for new critical vulnerabilities
  • Evaluate and test public Proof of Concept exploits when applicable
  • Execute payloads to demonstrate successful breaches
  • Assess credentials obtained through phishing campaigns
  • Continuously retest your environment to ensure ongoing security

Throughout this process, we build comprehensive documentation of your attack landscape to inform future security assessments.

Take command of your attack surface

Rapid7 strengthens your organization’s security strategy through Vector Command, delivering comprehensive CTEM alongside our other exposure management solutions.

With Vector Command, customers can now have a team of experts continuously assess their external attack surface. This includes identifying any security gaps, and receiving remediation guidance on an ongoing basis.

Our series of Vector Command blog posts will continue and next up we will cover the TTP Post-Compromise Breach Simulation.

If you would like to hear more about the world of red teaming from one of our experts behind Vector Command, Rapid7 is running a virtual session at our 2025 Take Command Summit; find out more about it here.

Vector Command Opportunistic Phishing Blog

Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2025/02/07/vector-command-opportunistic-phishing-blog/

Gone Phishing with Vector Command


During one of our customer engagements, our red team will continuously attack your network to see if we can exploit a vulnerability. One of the tactics, techniques and procedures (TTPs) we use is “Opportunistic Phishing”. First, let’s share a quick reminder about what Vector Command is.

Vector Command is Rapid7’s new continuous red teaming managed service, designed to assess your external attack surface and identify gaps in the security defenses on an ongoing basis. Vector Command continues the expansion of our Exposure Management solutions for our customers. While external attack surface management (EASM) tools offer visibility, they often fall short in validation, generating lengthy lists of potential exposures for security teams to sift through. Traditional penetration testing can help validate vulnerabilities, but its point-in-time nature risks leaving critical exposures undetected for extended periods. With Vector Command, our red team will continuously look for exploitable vulnerabilities.

Rapid7’s Vector Command Landing page

Hacking the Human

Social engineering attacks are based on the exploitation of someone’s personality and can be referred to as “hacking the human”.

Security professionals often comment that the employee can be the weakest link in a company’s security posture. Everything from end-of-day tiredness, to our more relaxed nature during a quick lunch break, and even our predisposed trusting tendencies towards those causes we care deeply about, can be exploited by threat actors. This is the “social” aspect in “Social Engineering”. Humans can be manipulated through psychological means into making mistakes and giving away login credentials or other sensitive information.

Opportunistic Phishing – The Human Touch

Opportunistic Phishing, also known as “untargeted attacks”, may have no warning signs and is often deployed spontaneously, without a specific target. Rapid7’s red team will use this technique to see what information they can get from a customer engagement.

Let’s take the hypothetical example of a former IT contractor who was employed by a company. The off-boarding policy has not yet been completed. The IT contractor had elevated access to one business application containing personally identifiable information (PII). Our red team, once they identify this former contracted employee, could use their access rights to gain entry to sensitive PII and services on the corporate network.

When an opportunistic attempt is executed by a threat actor, it is most commonly conducted via malware or phishing over email.

In this specific technique, an attacker will send out fraudulent messages, taking care to design the emails to look like they come from the actual organization, often using similar logos, fonts, and signatures. Inside the body of the message will be a URL, typically with a misspelled domain name or extra subdomain. If the recipient is not savvy enough to tell the fake web address from the real one and clicks on the link, this is when the malware is downloaded to the device as an executable file and activated. The payload often includes keylogging software, used to collect keystrokes, including your passwords, which now gives the threat actor access to your company network.
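The two URL tricks named above, a misspelled domain and an extra subdomain, can be checked for mechanically on the receiving side. The following is an added defensive example, not Rapid7’s code: the `TRUSTED_DOMAINS` allow-list, the function names and the sample message are constructed for illustration, and the "last two labels" rule is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organization really uses in its mail (constructed values).
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive 'last two labels' rule. Assumption: it is wrong for suffixes such
    as co.uk, where a Public Suffix List lookup is needed instead."""
    return ".".join(host.split(".")[-2:])


def classify_host(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, trusted domain it relates to or None)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return ("trusted", reg)
    labels = host.split(".")
    for t in sorted(trusted):
        brand = t.split(".")[0]
        # Extra subdomain: the trusted name is only a prefix or label of
        # somebody else's domain, e.g. example.com.account-verify.net.
        if host.startswith(t + ".") or ("." + t + ".") in host or brand in labels[:-2]:
            return ("extra-subdomain", t)
    # Misspelling: the registrable domain is a few edits from a trusted one.
    nearest = min(sorted(trusted), key=lambda t: edit_distance(reg, t))
    if edit_distance(reg, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


def scan_message(body, trusted=TRUSTED_DOMAINS):
    """Classify every http(s) URL found in a message body."""
    findings = []
    for match in URL_RE.findall(body):
        url = match.rstrip(".,;:!?")  # drop sentence punctuation glued to the URL
        try:
            # .hostname ignores any userinfo part, so "trusted.com@other.net"
            # is judged by the host that is actually contacted.
            host = urlsplit(url).hostname
        except ValueError:
            host = None
        if not host:
            findings.append((url, None, "unparseable", None))
            continue
        verdict, related = classify_host(host, trusted)
        findings.append((url, host, verdict, related))
    return findings


# Constructed sample message, not taken from a real campaign.
SAMPLE_BODY = """Dear Customer,
Your password expires today. Act now: https://portal.examp1e.com/reset
Mirror site: http://example.com.account-verify.net/login
Policy reminder: https://intranet.example.com/policy.
Unrelated link: https://docs.python.org/3/
"""

if __name__ == "__main__":
    for url, host, verdict, related in scan_message(SAMPLE_BODY):
        print(f"{verdict:16} {host}  (related to: {related})")
```

Links classed as `lookalike` or `extra-subdomain` are the ones worth quarantining or rewriting at the mail gateway; `unknown` only means the domain is not on the allow-list.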

By deploying this tactic, Rapid7’s red team thinks, acts and behaves like a threat actor, but without the malicious consequences for your organization. Using opportunistic phishing, we will find and identify where your security gaps are, with respect to technology (through different configuration types for campaigns) and people, helping you to act and respond. Our advanced Vector Command reporting even gives a detailed outline of the situation, including remediation recommendations for your IT and Security teams.

A sample report for a Phishing campaign completed by our Vector Command red team

What should you be on the lookout for?

Let’s explore some typical phishing examples that frequently target organizations.

  • Invoices for companies that you do not have a supplier agreement with.
  • Shipping notifications from large retailers, both online and the high street.
  • Password reset requests for your email, or other online account e.g. Amazon, or PayPal.
  • Tax refund emails either at the time of needing to submit your tax return (when it is time sensitive) or months away from when it needs to be completed (anomalous behavior).
  • Can you spot poor grammar, or spelling errors in the subject, or within the body of the email, that would indicate it is not from a reputable source?
  • Does the email have a sense of urgency – “Act now”?
  • Generic greetings like “Dear Customer” as opposed to a more personalized one.
  • Surveys from third-parties or workplace experience coordinators that are out-of-place.
  • Suspicious login alerts from common applications sourcing from an untrusted sender.
  • Employee benefit emails either at the time of needing to submit your elections (when it is time sensitive) or months away from when it needs to be completed (anomalous behavior).
  • Shared documents and calendar invitations from third-parties you do not commonly interact with.
  • Browser extensions, software updates, and installation requests via email or phone.
  • Verify unexpected phone calls through internal communication applications such as Teams, or Slack.

Take Command of your Attack Surface

Stay tuned as we continue to share insights of other TTPs employed by Rapid7’s expert red team to test your cyber resilience.

We have created a self-guided product tour for Vector Command which you can check out at your leisure.


Rapid7 Introduces Vector Command, a New Managed Service for Continuous Red Teaming

Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2024/09/17/rapid7-introduces-vector-command-a-new-managed-service-for-continuous-red-teaming/


Rapid7 is delighted to announce the launch of Vector Command, a continuous red teaming managed service designed to assess your external attack surface and identify gaps in the security defenses on an ongoing basis. Following the launch of Surface Command and Exposure Command in August, Vector Command will continue our expansion of Exposure Management protection for our customers.

In today’s digital landscape, organizations are more exposed to cyber threats than ever before. Cloud resources, SaaS solutions, and ever-growing shadow IT create vast external attack surfaces, making businesses increasingly vulnerable. Meanwhile attackers are constantly on the prowl, conducting reconnaissance to exploit weaknesses. Security teams lack visibility into their internet-facing exposures, leaving them vulnerable to potential breaches.

While external attack surface management (EASM) tools offer visibility, they often fall short in validation, resulting in lengthy lists of potential exposures for security teams to sift through. Traditional penetration testing can help validate vulnerabilities, but its point-in-time nature risks leaving critical exposures undetected for extended periods.

Introducing Vector Command

Vector Command is designed to address these challenges head-on, providing a continuous, proactive approach to securing your external attack surface by combining Rapid7’s trusted technology for external attack surface assessments with our world-class red team expertise. By providing an attacker’s perspective, Vector Command empowers security teams to visualize internet-facing assets, validate critical exposures, and take decisive action to mitigate risks.

Vector Command benefits include:

  • Increased visibility of the external attack surface with persistent, proactive reconnaissance of both known and unknown internet-facing assets
  • Improved prioritization with ongoing, expert-led red team operations to continuously validate your most critical external exposures
  • Same-day reporting of successful exploits with expert-vetted attack paths for multi-vector attack chains and a curated list of “attractive assets” that are likely to be exploited
  • Monthly expert consultation to confidently drive remediation efforts and resiliency planning

Rapid7 advantage: trusted technology and red team expertise

At the heart of Vector Command are our red team operators, among the best in the industry, bringing years of experience in simulating real-world attacks and identifying vulnerabilities that automated tools might miss. This, combined with our recently launched Command Platform’s external attack surface assessment capability, provides a unique and powerful solution to ensure that you are not just receiving a list of potential vulnerabilities, but actionable insights based on real-world attack scenarios.

External attack surface assessment: Powered by Rapid7’s Command Platform, Vector Command will leverage the external attack surface capability to perform ongoing, active reconnaissance and discovery of your external attack surface to help you:

  • Find the unknown and ensure continuous understanding of where shadow IT or unknown business assets may exist like exposed web services, remote admin services, and more
  • Zero-in on potential remote access risks, and risky or unencrypted services

Red team expertise: Our expert operators leverage the latest tactics, techniques, and procedures (TTPs) to safely exploit the external exposures and test your security controls with red team exercises like:

  • Opportunistic phishing – Our experts will design and conduct phishing campaigns using the latest TTPs with focus on demonstrating the impact of credential capture and payload execution.
  • External network assessment – Ongoing assessment of vulnerabilities exposed in the external network, focused on obtaining access to your organization and its sensitive systems.
  • Post-compromise breach simulation – Upon breach, our experts will safely emulate the latest tactics to obtain command and control over the compromised system. Post-exploitation activities emulate adversary behavior to assess privilege escalation, lateral movement, and persistence.
  • Emergent threat validation – Assess your network perimeter’s susceptibility to the latest Rapid7 emergent threat vulnerabilities to validate patching and security configurations.

Take command of your attack surface defenses

In an era where cyber threats are constantly evolving, Vector Command empowers you to stay one step ahead of attackers. By providing continuous visibility, validation, and expert guidance, we help you transform your cybersecurity posture from reactive to proactive.

Don’t wait for a breach to expose weaknesses in your defenses. With Vector Command, you can command your attack surface with confidence, knowing that you have Rapid7’s trusted technology and Red Team expertise on your side.

Learn More