Posts by Christian Kirsch

3 min Endpoint Security

IDC: 70% of Successful Breaches Originate on the Endpoint

Most organizations focus on their server infrastructure when thinking about security – a fact we often see in our Nexpose [https://www.rapid7.com/products/nexpose/] user base, where many companies only scan their servers. However, IDC finds that 70% of successful breaches originate on the endpoint. This does not necessarily imply insider threats; rather, it is a sign that phishing is prevalent, cheap, and surprisingly effective at compromising machines. Given this compelling data, I strongly urge

1 min Incident Response

SANS Review of Rapid7 UserInsight (now InsightUBA) for User Behavior Analytics and Incident Response

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution. User behavior analytics (UBA) is a new space that is still un

2 min

UserInsight Ranks Users by Risky Behavior

UserInsight now ranks risky users through behavioral analytics. UserInsight, the User and Entity Behavior Analytics (UEBA) solution [https://www.rapid7.com/products/userinsight/user-behavior-analytics-user-activity-monitoring.jsp], spots user behavior such as unusual admin activity, authentications to new assets, and new user locations, and highlights users that exhibit several such behaviors. The User Risk Ranking augments UserInsight's low-noise incident alerts and enables administrators to g

5 min Phishing

10 Phishing Countermeasures to Protect Your Organization

The Internet is full of articles on how to tell if an email is phishing, but there seems to be a lack of concise checklists on how to prepare an organization against phishing attacks [https://www.rapid7.com/fundamentals/phishing-attacks/], so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bulletproof, so layering your defenses is important – and having an incident response plan in case someone does get th

3 min Cloud Infrastructure

Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business

You may fear that cloud services jeopardize your organization's security. Yet your business relies on cloud services to increase its productivity. Introducing a policy to forbid these cloud services may not be a viable option. The better option is to get visibility into your shadow IT and to enable your business to use it securely to increase productivity and keep up with the market.

Step one: Find out which cloud services your organization is using

First, you'll want to figure out what is act

3 min User Behavior Analytics

Detecting Compromised Amazon Web Services (AWS) Accounts

As you move more of your critical assets to Amazon Web Services (AWS), you'll need to ensure that only authorized users have access. Three out of four breaches use compromised credentials, yet many companies struggle to detect their use. UserInsight enables organizations to detect compromised credentials, from the endpoint to the cloud. Through its AWS integration, Rapid7 UserInsight monitors all administrator access to Amazon Web Services, so you can detect compromised credentials before they t

2 min Incident Detection

UserInsight Integrates with LogRhythm SIEM to Accelerate Incident Detection and Response

Rapid7 UserInsight finds the attacks you're missing by detecting and investigating indications of compromised users from the endpoint to the cloud. UserInsight [http://www.rapid7.com/products/user-insight/] now integrates with LogRhythm, one of the leading Gartner-rated SIEMs in the industry. If you have already integrated all of your data sources with LogRhythm, you can now configure UserInsight to consume its data through LogRhythm, significantly simplifying your UserInsight deployment. UserInsight

2 min Authentication

Protect Your Service Accounts: Detecting Service Accounts Authenticating from a New Host

IT professionals set up service accounts to enable automated processes, such as backup services and network scans. In UserInsight, we can give you quick visibility into service accounts by detecting which accounts do not have password expiration enabled. Many UserInsight subscribers love this simple feature, which is available the instant they have integrated their LDAP directory with UserInsight. In addition, UserInsight has several new ways to detect compromised service accounts. To do their

2 min SIEM

Get HP ArcSight Alerts on Compromised Credentials, Phishing Attacks and Suspicious Behavior

If you're using HP ArcSight ESM as your SIEM, you can now add user-based incident detection and response to your bag of tricks. Rapid7 is releasing a new integration between Rapid7 UserInsight [http://www.rapid7.com/products/user-insight/] and HP ArcSight ESM [http://www8.hp.com/us/en/software-solutions/arcsight-esm-enterprise-security-management/], which enables you to detect, investigate and respond to security threats targeting a company's users more quickly and effectively. HP ArcSight is

2 min Vulnerability Disclosure

UserInsight Gets the All-Clear for ShellShock and Helps Detect Attackers on Your Network

If you're in security, you've likely already heard about the ShellShock vulnerability [http://www.rapid7.com/resources/bashbug.jsp] (aka Bash Bug, CVE-2014-6271 and CVE-2014-7169). We have reviewed how ShellShock is being exploited, and the disclosed vectors are not applicable to our UserInsight deployment, yet we're following the security community's lead around patching all of our systems. In case other systems on your network have been compromised, you should be extra vigilant about suspicio

2 min Metasploit

Feedback on Rapid7's Tech Preview Process and Metasploit Pro 4.10

By guest blogger Sean Duffy, IS Team Lead, TriNet

Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community.

Preparation and Logistics

I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero comp

4 min Metasploit

Hunting for Credentials: How Metasploit Pro Beat Me on the Command Line

By guest blogger Robert Jones, Information Security Manager, City of Corpus Christi

I had the opportunity to participate in a tech preview of Metasploit Pro's new credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority of my time pentesting, but instead I oftentimes find myself using Metasploit to educate users by showing them how I can compromise their machines. It is incredibly compelli

2 min Metasploit

Metasploit Pro's New Credentials Features Save Us Time in Workflows

By guest blogger Dustin Heywood, Manager, Security Assurance, ATB Financial

Recently I was invited to participate in Metasploit Pro's Tech Preview Program, where customers are given early access to new product releases. I've taken part in this program before and I have always loved the experience. For those of you who haven't been involved in a Rapid7 Tech Preview program: It starts out with a call with the customer engagement manager and the product management team, who gave me an overview

2 min Metasploit

Hacker's Dome: An Online Capture-the-Flag (CTF) Competition on May 17

Many folks ask me how you can get started as a penetration tester. Short of a real-life penetration test, capture-the-flag (CTF) competitions are probably the most effective way for you to hone your offensive security skills. What's best: they're a ton of fun, even for experienced pentesters. The folks over at CTF365.com [http://www.ctf365.com/] have put together a one-off CTF called Hacker's Dome, which will start on May 17th and run for 48 hours, so save the date. Hacker's Dome - First Bloo

4 min Metasploit

Security Advisory: OpenSSL Heartbleed Vulnerability (CVE-2014-0160) in Metasploit (Updated 4/11/14 2:20pm EDT)

Metasploit 4.9.0 and earlier vulnerable to Heartbleed; update 4.9.1 addresses critical cases

The Metasploit editions Metasploit Pro, Metasploit Express, and Metasploit Community in versions 4.9.0 or earlier are vulnerable to the OpenSSL Heartbleed Vulnerability (CVE-2014-0160). Please update to version 4.9.1 to remediate critical vulnerabilities. See below for remediation instructions. Metasploit Framework itself is not affected, but it has dependencies on other components that may need to be u