A lot of companies talk about how they "eat their own dogfood". For those of you unfamiliar with the colloquialism, it means that they use their own products to validate both value and quality. This is a much easier thing to do in high technology than at, well, a dog food manufacturer. I feel that I may have breezed over the fact when I mentioned in a previous UserInsight blog that we test out the noise of an alert by enabling it at Rapid7 (among other ways) before pushing it to our customer base, but Rapid7's products are widely used internally. This is why it doesn't feel strange having our VP of Security, Josh, come to our customer gatherings: he made the conscious choice to be a customer of the entire product portfolio when he accepted his current role.

One of the most unfortunate realities of building products for the security market is that you can rarely give concrete examples of your solutions working. Case studies, references, and the standard sales tools are excellent, but they are often stripped of the gory details to avoid revealing any security gaps that the organizations may have. This is why I was so excited by a very short email chain to which I was privy because of the UserInsight "dogfooding" at Rapid7 and a few of us getting invaluable access to daily incident response activities.

ckirsch just published a blog on the many ways that we can help your organization with phishing attacks, and this situation was only a very simple one, but I think we would all like to see these "quick wins" (employee names are changed to protect the truly innocent and well-behaved):

  • 11:45AM: We (IR and UserInsight teams) received the above email alert
  • 11:52AM: A proactive member of IT replied to the chain with a simple "I let her know not to click the link, she didn't"
  • 11:53AM: Josh replies to all: "Love it."
  • Approximately noon: Everyone enjoys lunch.

The scariest thing about this phishing attack is that Rapid7 has multiple spam filters and other protective measures in place to prevent these emails from reaching us, the employees, but a few always manage to get through. This alert was raised when UserInsight spotted a suspicious link on our Exchange server that matched one of the threat feeds we consume. This means every filter and control at the perimeter was already bypassed.

If you want to get some of these quick wins on your Incident Response team, please contact us to schedule a UserInsight demo.