Every modern organization understands the importance of cybersecurity, but the ever-evolving, increasingly complex threat landscape makes it hard to keep up with where to focus your efforts. A tool that effectively defended your assets last year can quickly become obsolete without new data on attacker behaviors and strategies.
Rapid7’s vulnerability scanner, InsightVM, is backed by multiple large-scale research projects that keep it on the leading edge of vulnerability risk management. The following ongoing projects bolster the security capabilities of InsightVM and, if you’ll let us toot our own horn, the greater cybersecurity community.
Metasploit is the most widely used penetration testing tool in the world. That puts Rapid7, the maintainer of Metasploit for over a decade, in a unique position to leverage its wealth of data. Metasploit Framework is open source and has over 200,000 global users and contributors.
The knowledge gained from this collaboration is key to the way InsightVM prioritizes risk in users’ environments. The Real Risk score in InsightVM takes into consideration the latest information from Metasploit Framework, which includes attacker tactics and the availability of exploit kits. In addition to the data from the Metasploit Framework, the Real Risk score also factors in CVSS, vulnerability age, the skill level required to exploit the vulnerability, and criticality tags that you can add based on your unique business priorities.
The Metasploit Framework community also helps us quickly discover and pounce on new vulnerabilities, vastly expanding our coverage of zero-days.
Launched in 2013, Project Sonar is a security research project by Rapid7 that conducts internet-wide scans across different services and protocols to gain insight into global exposure to common vulnerabilities and attacks. It covers SSL, DNS, and HTTP enumeration, as well as the scanning of all sorts of other TCP and UDP services. The vast scale of this project is unparalleled by similar research efforts.
As with our other research, Rapid7 integrates Project Sonar information into InsightVM. Attack Surface Monitoring with Project Sonar in InsightVM allows organizations to identify their internet-facing assets, known and unknown, and to bring those assets into the fold of their vulnerability management programs.
This is especially useful when assets are unknown. For example, say a department in your organization spins up a web server without going through the proper channels. Or maybe you’re unaware of assets that you inherited through mergers and acquisitions. With Project Sonar, your organization can identify those assets and then assess them within InsightVM.
Project Heisenberg began in 2014 with the goal of understanding what attackers, researchers, and organizations were doing in cloud environments. It does this by deploying low-interaction honeypots—or computers that do not solicit services—globally to record telemetry about connections and incoming attacks. The Project Heisenberg global honeypot network currently spans five continents and includes over 150 honeypots.
The data from Project Heisenberg is used to inform InsightVM users when their assets are accepting credentials that are commonly used by attackers. Consider an opportunistic attacker who stumbles upon one of Project Heisenberg’s honeypots, looking for low-hanging fruit. Instead of being surgical about their process, the attacker runs all of their exploits and tries all their credential pairs. The credential pairs are collected by Project Heisenberg, and can then be checked against customers’ assets in InsightVM. Customers are notified if their assets are accepting credential pairs that are being used in the wild, which means those credentials need to be changed.
Industry reports and threat intelligence feeds
While we use the results of our research to enhance our Rapid7 products, we also make the information available in several public reports. We believe that security is the responsibility of all technology users and that collaboration is the only way to achieve long-term change, so we openly share our findings. This is especially true given our unique position of having a pulse on the whole internet.
The three reports every security pro should know? The Industry Cyber-Exposure Report, the National Exposure Index Report, and the Rapid7 Threat Report. These reports go beyond the scope of just Rapid7 customers.
The National Exposure Index and the Industry Cyber-Exposure Reports provide a better understanding of the nature of internet exposure and how exposure levels look around the globe. They are ongoing investigations into the risk of passive eavesdropping and active attack on the internet. The National Exposure Index Report looks at basically the whole world, while the Industry Cyber-Exposure Reports cover exposure in specific industries and verticals in specific regions; so far, we have ICERs for the United States, the United Kingdom, Australia, and Japan.
The Rapid7 Threat Report is released quarterly. This report uses intelligence gathered from our products, our managed services, and the research projects mentioned above. Information from all our sources is gathered together to provide you with a clear picture of the threats that you face within your unique industry and how those threats change throughout the year.
In addition to being the driving force behind these data-rich reports, Rapid7’s research is also used to populate the complimentary Threat Feed in InsightVM. This feed shows which vulnerabilities are being actively targeted in the wild and, therefore, are the most critical to remediate.
Today's security landscape is dynamic and volatile, and new threats seem to regularly emerge. While this makes our jobs as security professionals more challenging, it also offers opportunities to collaborate and share learnings to become more secure as a community. We take pride in our dedication to ongoing security research, so it's a win-win when our research finally meets our roadmap.