Posts by Christian Kirsch

3 min Incident Detection

More Efficient Incident Detection and Investigation Saves $400,000 per Year, Says IDC

IDC just published an infographic on how credentials are abused by cyber criminals. These are interesting and important statistics:

* 80% of companies will suffer at least one successful attack causing serious harm that requires remediation
* 33% will not be able to prevent over half of the attacks

These stats explain why many security experts are advising companies to shift their security spending to detection mechanisms instead of relying too heavily on prevention. Measuring incident c

3 min Incident Detection

UserInsight Speeds Investigations with New Interactive Incident Timeline

Rapid7 UserInsight features a new interactive incident timeline, which enables you to quickly understand the context of an incident, determine what happened, and prioritize the appropriate response. With the new capabilities, incident responders can identify indicators of compromise and map a possible attack by correlating events such as authentications, IPS alerts, and vulnerabilities across users, assets and IP addresses. UserInsight is the only user behavior analytics solution [https://www.ra

3 min Antivirus

UserInsight's New User Statistics Provide Great Visibility for Incident Responders

Nate Silver made statistics sexy, and we're riding that wave. But seriously, breaking down some of the more noisy alerts on the network by users and showing you spikes can really help you detect and investigate unusual activity. That's why we've built a new UserInsight feature that shows you anti-virus alerts, vulnerabilities, firewall activity, IDS/IPS alerts, and authentications by users that show the most activity and enable you to dig in deeper by filtering by user. You can get to the new st

4 min Phishing

Phishing: How UserInsight Helps You Get Off The Hook Using Security Analytics

Phishing is one of the primary ways attackers steal credentials. For example, they can set up a fake Outlook Web Access page to harvest Windows domain credentials that enable them to access the network via VPN, to read emails, or to send highly credible phishing emails from an internal address by replying to existing email threads. UserInsight has some great features to help you assess and mitigate the risk of getting compromised through a phishing attack:

* Understand your risk through phishi

2 min Incident Detection

UserInsight Integrates with LogRhythm SIEM to Accelerate Incident Detection and Response

Rapid7 UserInsight finds the attacks you're missing by detecting and investigating indications of compromised users from the endpoint to the cloud. UserInsight [http://www.rapid7.com/products/user-insight/] now integrates with LogRhythm, one of the leading Gartner-rated SIEMs in the industry. If you have already integrated all of your data sources with LogRhythm, you can now configure UserInsight to consume its data through LogRhythm, significantly simplifying your UserInsight deployment. UserInsight

2 min Authentication

Protect Your Service Accounts: Detecting Service Accounts Authenticating from a New Host

IT professionals set up service accounts to enable automated processes, such as backup services and network scans. In UserInsight, we can give you quick visibility into service accounts by detecting which accounts do not have password expiration enabled. Many UserInsight subscribers love this simple feature, which is available the instant they have integrated their LDAP directory with UserInsight. In addition, UserInsight has several new ways to detect compromised service accounts. To do their

2 min SIEM

Get HP ArcSight Alerts on Compromised Credentials, Phishing Attacks and Suspicious Behavior

If you're using HP ArcSight ESM as your SIEM, you can now add user-based incident detection and response to your bag of tricks. Rapid7 is releasing a new integration between Rapid7 UserInsight [http://www.rapid7.com/products/user-insight/] and HP ArcSight ESM [http://www8.hp.com/us/en/software-solutions/arcsight-esm-enterprise-security-management/], which enables you to detect, investigate and respond to security threats targeting a company's users more quickly and effectively. HP ArcSight is

2 min Vulnerability Disclosure

UserInsight Gets the All-Clear for ShellShock and Helps Detect Attackers on Your Network

If you're in security, you've likely already heard about the ShellShock vulnerability [http://www.rapid7.com/resources/bashbug.jsp] (aka Bash Bug, CVE-2014-6271, and CVE-2014-7169). We have reviewed how ShellShock is being exploited, and the disclosed vectors are not applicable to our UserInsight deployment, yet we're following the security community's lead around patching all of our systems. In case other systems on your network have been compromised, you should be extra vigilant about suspicio

2 min Metasploit

Switching Sides: Goodbye Metasploit, Hello UserInsight

Like a double agent who's been turned, I switched from the offensive to the defensive side this week. After four years of working on Metasploit simulating attackers, I'll now be hunting them with UserInsight, Rapid7's new incident detection and response solution [http://www.rapid7.com/products/user-insight/] that helps organizations detect intruders on their network. Working on Metasploit for the past four years definitely taught me a lot about attacker methodologies and the attacker mindset. I

2 min Metasploit

Feedback on Rapid7's Tech Preview Process and Metasploit Pro 4.10

By guest blogger Sean Duffy, IS Team Lead, TriNet

Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community.

Preparation and Logistics

I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero compla

4 min Metasploit

Hunting for Credentials: How Metasploit Pro Beat Me on the Command Line

By guest blogger Robert Jones, Information Security Manager, City of Corpus Christi

I had the opportunity to participate in a tech preview of Metasploit Pro's new credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority of my time pentesting, but instead I often find myself using Metasploit to educate users by showing them how I can compromise their machines. It is incredibly compelling

2 min Metasploit

Metasploit Pro's New Credentials Features Save Us Time in Workflows

By guest blogger Dustin Heywood, Manager, Security Assurance, ATB Financial

Recently I was invited to participate in Metasploit Pro's Tech Preview Program, where customers are given early access to new product releases. I've taken part in this program before and I have always loved the experience. For those of you who haven't been involved in a Rapid7 Tech Preview program: It starts out with a call with the customer engagement manager and the product management team, who gave me an overview o

10 min Metasploit

New Metasploit 4.10: Credentials Are the New Exploits

We've given credentials a new boost with Metasploit 4.10. It's now easier to manage, reuse and report on credentials as part of a penetration test.

Pentesters are shifting from exploits to credentials

There was one common theme that we heard from a lot of penetration testers we talked to over the past few months: You're using more and more credentials on penetration tests. We even surveyed the Metasploit user base to make sure we didn't ask a biased sample: 59% of you said that you use credenti

3 min Metasploit

Security Advisory: OpenSSL Vulnerabilities CVE-2014-0224 and CVE-2014-0221 in Metasploit (Updated 6/6/14, 2pm EST)

Metasploit 4.9.2 and earlier vulnerable to OpenSSL vulnerabilities

The OpenSSL team today published a security advisory [http://www.openssl.org/news/secadv_20140605.txt] containing several critical vulnerabilities. The Metasploit editions Metasploit Pro, Metasploit Express, Metasploit Community and Metasploit Framework in versions 4.9.2 or earlier are vulnerable to these OpenSSL vulnerabilities, most notably CVE-2014-0224 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224] and CVE-2014

3 min Antivirus

Is AV dead? Why Symantec's executive is only half right about the state of anti-virus software

This week, a Symantec executive proclaimed that anti-virus is dead [http://www.slate.com/blogs/future_tense/2014/05/06/symantec_s_vp_for_information_security_brian_dye_says_that_antivirus_is.html]. Given the company's position in the AV market, it may be the most discussed comment coming from Symantec for some time; though in and of itself, I'm not sure the statement would elicit much of an argument from most security professionals. Oh, except for the other AV vendors of course. For our own p