In 2019, the number of new vulnerabilities published was more than double what we saw in 2016. 2020 is on track to break that record for a fourth year in a row, and more than ever, defenders and business leaders require the right tools and knowledge to make informed, time-critical decisions about the best strategies to reduce risk across their environments. Yet it’s also increasingly difficult to separate signal from noise in service of effective vulnerability risk management.
Red teams and offensive security researchers face a complementary set of challenges: How can we communicate effectively to clients and readers that the newest hotness—the niche attack targets and genuinely cool (but perhaps not high attack value) research—doesn’t supersede the importance of attending to older, less exciting types of risk?
Not all vulnerabilities are created equal
Earlier this year, Rapid7’s offensive security team wrote about a closed beta program for AttackerKB, a new resource that highlights diverse perspectives on which vulnerabilities make the most appealing targets for attackers. Over the last few months, beta users have shared their personal experiences, in-depth technical analyses, expert opinions, and mitigation advice, with particular attention to the qualities that make emergent vulnerabilities high-value for attackers and high-impact for defenders.
Knowledge is most powerful when it’s shared, so today we’re making AttackerKB available to the broader security community as an open beta. Rapid7’s internal research and development teams have commented in the past on the lack of a community-driven venue for discussing, analyzing, and prioritizing threats. Instead of continuing to lament that gap, we simply decided to fill it. We’re excited to collaborate with folks from every part of this industry to boost signal, stomp out noise, and highlight the hot takes and measured technical assessments that, together, do the necessary (and sometimes messy!) work of moving this industry forward.
AttackerKB is still in development, so expect frequent change and lots of discussion. We value extensibility and bake it into our work wherever possible. To this end, AttackerKB includes an open API (read-only for now) to enable users to experiment with vulnerability assessment data and tooling implementation themselves.
AttackerKB’s beta contributors voiced a fundamental truth we’ve heard (and felt) many times before: The process of monitoring and triaging new vulnerabilities is so time-consuming and effort-intensive that it often detracts from defenders’ ability to mitigate risk quickly and decisively. When security practitioners raise the alarm to stakeholders, they must be confident in their understanding of a threat and its potential business impact. Similarly, penetration testers expressed their frustration at the lack of a centralized place to chronicle the insights and the data they’ve amassed over years of client engagements. That experience is hard-won, and they want to know that telling those stories makes a difference.
At Rapid7, we invest in vulnerability and offensive research to continue building upon the deep expertise that security practitioners need and expect from us—expertise we employ to serve both our customers and the communities to which we are proud to belong. We believe in the power of sharing in all its many forms, from collaboration with open-source contributors on Metasploit Framework to the research we publish on vulnerability trends, threats, and exposure. AttackerKB joins Rapid7’s other open research and development projects in giving back to and trading insights with security practitioners around the world.
Community is a verb, and many heads are better than a few. Perhaps more than ever, we must come together to build knowledge and effect change where it’s most needed, irrespective of the depth of our pockets or the size of our board rooms. We are exceedingly proud to be in a position to create something new with smart people who care about advancing security for everyone.