Rapid7 Blog

Christian Kirsch  

IDC says 70% of successful breaches originate on the endpoint

This is part 2 of a blog post series on a new IDC infographic covering new data on compromised credentials and incident detection. Check out part 1 now if you missed it.

Most organizations focus on their server infrastructure when thinking about security – a fact we often see in our Nexpose user base, where many companies only scan their servers. However, IDC finds that 70% of successful breaches originate on the endpoint. This does not necessarily imply insider threats; it is rather a sign that phishing is prevalent, cheap, and surprisingly effective at compromising machines. Given this compelling data, I strongly urge security professionals responsible for vulnerability management to consider scanning their endpoints to spot and remediate vulnerabilities in browsers, office packages and other typical endpoint software, reducing the risk of endpoint compromise. At the risk of over-emphasizing the point: the recent JP Morgan breach, which exposed half of U.S. households and millions of small businesses, started with a compromised endpoint.

Incident detection must therefore also take endpoints into account. With Rapid7 InsightIDR, we detect endpoint compromises using an agentless scanning technology that is built on the fast, efficient, and proven technology of Rapid7 Nexpose, which has years of experience in this area. In addition, InsightIDR helps protect against phishing emails and detects post-compromise lateral movement on the network, giving you many chances to detect and respond to attackers as soon as they get access to your network.

User credentials are the weakest link

The number one attack vector for breaches remains credentials. These are often obtained through the following means:

- Social engineering the help desk
- Trying default passwords
- Guessing passwords
- Installing keylogging malware
- Phishing users
- Accessing orphaned accounts

Protecting against these attack vectors is hard, but there are several ways to test if your environment is vulnerable. For example, Rapid7 Nexpose includes vulnerability checks that test for known default credentials, giving you visibility into your weaknesses and enabling you to protect yourself. Rapid7 Metasploit has great new functionality for testing for weak and reused credentials as part of a penetration test. This can highlight issues where passwords are shared across account types and trust zones. It also exposes common security issues such as the use of one local domain administrator account password across the entire organization, which helps our penetration testers own an entire network in a heartbeat using pass-the-hash attacks.

While prevention is necessary, no network is flawless, so detecting attackers using compromised credentials is quickly becoming a critical part of any security program. Compromised credentials are leveraged in three out of four breaches, but they are hard to detect because attackers look like a bona fide user to most monitoring solutions. Rapid7 InsightIDR was built specifically to detect stealthy use of compromised credentials across your domain, local accounts, and in the cloud. It integrates with leading SIEMs and threat intelligence solutions such as Splunk, HP ArcSight ESM and FireEye TAP.

IDC's recommendations on how to protect your organization

IDC is making six recommendations to help protect against these risks:

1. Re-allocate budget from prevention to detection: Nobody suggests that you should end your prevention efforts. Prevention continues to be necessary, but you now must also assume that you will be breached and expand your focus on detection and response.

2. Monitor user behavior: Users are at the heart of your operation. They produce value for your organization and are the origin of your productivity. This makes them a huge target for attackers, who know that they have the keys to the kingdom. Security analytics solutions such as Rapid7 InsightIDR can help you detect and investigate malicious user behavior, whether it's because of an insider threat or an attacker masquerading as an internal user. What's best: if you already have a SIEM, deploying this technology becomes even faster.

3. Get visibility into unmanaged cloud applications: Whether your organization is an avid user of cloud services or not, your users probably are. Rapid7 InsightIDR customers are always surprised to discover how many of their users turn out to have cloud applications installed, even when it's against company policy. In organizations using enterprise-grade cloud services such as Salesforce.com or Amazon Web Services, InsightIDR's direct integration with key cloud providers also helps you detect and correlate logon activities that don't originate from your network, dramatically improving detection capabilities and security visibility.

4. Monitor endpoints (including mobile devices!): Monitoring endpoints is critical to detect local account compromises and other malicious activity, and the same is true for mobile devices. Rapid7 InsightIDR can detect compromises of mobile devices even in BYOD environments by integrating with key choke points, such as mail servers.

5. Eliminate default passwords: Our penetration testers frequently get access to a network because someone forgot to change a default credential. While this is an easy mistake to make, this lack of basic security hygiene can have dire consequences. Rapid7 Nexpose can help you identify default passwords on all of your hosts so you can swap them out.

6. Harden endpoints: Hardening your endpoints encompasses several things. Scan your endpoints for client-side vulnerabilities that could be leveraged in phishing attacks and remediate them. You should also look at deploying exploitation prevention toolkits, which are available for free for Windows and other platforms, and ensure that your mass-malware endpoint solution is installed, active, and up to date. Rapid7 ControlsInsight is a great beacon to help you track how effective your endpoint and server controls are today and where you can get the biggest bang for your buck. It also helps you track progress in improving controls and show your management the positive impact you have on your organization's security posture.

If you'd like to check out some of the Rapid7 solutions we discussed in this blog post, please fill in our contact us form. You can also download Nexpose and Metasploit directly, or request a free, guided InsightIDR demo on the Rapid7 website.

SANS Review of Rapid7 UserInsight (now InsightUBA) for User Behavior Analytics and Incident Response

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution. Learn more about InsightIDR here.

User behavior analytics (UBA) is a new space that is still unfamiliar to most security professionals. In this review, Jerry Shenk, Senior Analyst at the SANS Institute, does a thorough analysis of UserInsight, Rapid7's user behavior analytics and incident response solution.

Compromised credentials are a leading cause in 3 out of 4 breaches, yet most organizations don't yet have a way to detect them. This is a topic UserInsight and other behavior analytics solutions address head-on by detecting compromised domain credentials. However, a common attacker methodology is to use a pass-the-hash attack on local credentials to move laterally across the network. This is why UserInsight gives unique visibility into the endpoints through an agentless scanning technology, enabling security professionals to detect compromised local credentials as well.

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

Here's what Jerry Shenk, Senior Analyst at the SANS Institute, thought about UserInsight:

“No security tool is capable of doing it all, but UserInsight does fill a big blind spot in many organizations by prioritizing the discovery of user-credential misuse. UserInsight shows good promise of becoming a valuable part of a network's security management portfolio. […] We found UserInsight to be useful for identifying compromised user accounts, providing alerts and enhancing visibility into the traffic and endpoint-related indicators of compromise.”

Through the Metasploit Project, its penetration testing services, and HD Moore's Rapid7 Labs, Rapid7 has a unique insight into how attackers compromise organizations. One of the first steps attackers will take is to scan a network, for example by using nmap, to identify their attack surface. They may also try out short or commonly used passwords on several logins, so-called brute force or dictionary attacks. UserInsight can deploy honeypots on the network and honey users in the directory service to detect both network scans and password brute forcing. Shenk tried out honeypots, and here's what he had to say:

“Honeypots have a reputation for being notoriously complicated and difficult to set up. By contrast, the UserInsight honeypot couldn't be simpler.”

Learn how easy it is to get started with honeypots and honey users in UserInsight here. Get the full SANS Review of UserInsight on the Rapid7 website.

Related resources: What is User Behavior Analytics?

When Hunting is the Right Choice for Your Security Team - and when it's not

The concept of hunting for threats is being hyped by media and vendors – creating a marketing smokescreen of confusion around what hunting is, how it works, and what value looks like when hunting is done effectively. Your security team's ability to hunt is primarily affected by the maturity of your security program, your threat profile, and your resources.

Hunting is searching for malice on your network

The security lifecycle can be described in a number of ways; I think a good way of describing the cybersecurity framework might be “PREVENT-DETECT-CORRECT.” Hunting powers all three stages by digging through mountains of data to detect and identify irregularities, in an effort to inform more effective correction and prevention. If we were to define hunting:

“The act of using what you know about the network and what you know about attackers to identify anomalies indicating malice without any specific indicator or signature.”

We want to make bad actors work harder to get in (informing prevention), get caught quickly (better instrument detection), and make it expensive for them to find their way back into the organization (correct or instrument the soft spots in the business where attackers now risk getting caught and held accountable).

Detecting known IOCs (indicators of compromise) isn't really hunting

Many vendors claim they offer a hunting solution when what they're actually doing is basic signature detection. Here's an example: a vendor adds a newly published indicator of compromise, such as a file hash, from some random threat intelligence feed to a tool that searches for this indicator across the network. The act of identifying when a new IOC hits is not hunting; it is an alert. As alert validation takes place those indicators are tuned, and the signal-to-noise ratio tells the analyst whether the indicator is finding malice or whether they are wasting their time on a bad IOC.

Hunting allows an analyst to identify evidence of malicious activity without existing threat intelligence signatures. By gathering large amounts of specific metadata throughout a network, analysts can perform techniques such as frequency analysis to determine the rarity of an artifact. These techniques may equip teams that are ready and able. For those that are not yet ready to hunt, we recommend partnering with experts to make this form of intelligence useful. Stated simply, lots of alerts do not mean lots of value… it often means lots of time (and money) wasted.

Hunting is only part of threat prevention and detection

While this blog post is not a getting started guide, there is a bit of “getting ready to do” before you start hunting.

We will assume you have all the minimum data sets ready for hunting to begin from the network (firewall, proxy, VPN and other sources … WITH XFF-headers enabled), server (Windows, Linux/UNIX, big iron, etc – auth, event, security, configuration, etc), service (DNS, HTTP, SMTP, etc), and security (network and application scanning, malware, file integrity, endpoint configuration, IDS/IDP, honey traps, tarpits, etc) logs flowing somewhere easily queried.

We will assume your program has all of the patching, hardening, scanning, vulnerability discovery, network segmentation, access control audits including employee add/remove/changes, strong authentication and other standard control sets.

Before pursuing commodity intelligence offerings, there are some strategic conversations to be had:

- What are your key business challenges and concerns?
- Where are the soft targets in your organization?
- How will success be defined in your hunting program?
- Do you have buy-in from business partner teams (IT server/endpoint/browser/line of business application/email/chat) confirming that investigations and corrective guidance will be implemented?

For those doing this already, sorry for reinforcing the obvious. If these questions give you pause, we should probably talk.

Hiring experienced threat analysts for hunting is harder than you think

It's extremely hard to hire quality threat analysts who are good hunters, and they come at a hefty price tag. Threat detection is growing faster than the market can supply specialists, because it typically takes years of training and experience in threat detection and response activities for an analyst to develop the skills required to sniff out unknown threats. Even if they can afford the expense, many companies won't be able to offer analysts the environment and career path they are looking for. One way to get hunting expertise for your team without having to build a highly specialized team is to work with a security services provider who offers hunting as part of their threat analysis and incident response packages. Rapid7's Analytic Response Services are a great example of this type of service. You'll also get a cost advantage because the technology and staffing required to stand up a 24/7 SOC will be spread over many clients.

Hunting primarily makes sense for high value target organizations and security vendors

Because having an in-house hunting team is costly, it makes sense in specific situations:

- High value target organizations seeing attacks that nobody has ever seen before.
- Mature security organizations who want to augment immature detection methods.
- Security monitoring vendors who are researching and adding unknown attacks to their detection methods.

At Rapid7, our team of highly skilled incident responders hunts both on our own internal network and on those of the customers that hire us. This helps us augment gaps in existing monitoring tools and build new detection methods for Rapid7 UserInsight, our user behavior analytics solution.

Invest in security initiatives that fit your capabilities and resources

When you build out your security program, look for technology that is a good fit for your team's resource constraints and skill level. I see a lot of technologies in the market that require highly mature security teams that only exist in the largest enterprises and government agencies. Employing these in your organization will fail if your tools don't match your maturity, resources, and skills. Our Program Assessment and Development Services can help assess where you are, build a road map of the steps that fit your threat profile and resources, and help you sell the plan to the executives and the board.

With Rapid7 UserInsight, we've focused on building a tool for companies that don't have large-scale teams for incident response but need great detection and investigation capabilities to detect and investigate stealthy attacks such as phishing, credential theft, and lateral movement. And once your team's maturity grows, you can also use hunting techniques with UserInsight's investigations feature. If you're interested in learning more, check out the videos on the UserInsight page. Also related: what is user behavior analytics?
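As an added illustration of the frequency analysis the post describes (example code written for this page, not code from the post or from Rapid7), the following Python stacks process observations from a constructed endpoint inventory and surfaces artifacts that appear on few hosts, unsigned ones first, and names that occur with more than one hash. The hostnames and hash prefixes are made-up placeholders.

```python
from collections import defaultdict

# Constructed sample inventory as an agentless endpoint scan might report it:
# (hostname, process name, SHA-256 prefix, Authenticode-signed?).
# Hostnames and hashes are made-up placeholders, not real indicators.
OBSERVATIONS = [
    ("ws-001", "svchost.exe", "aaaa0001", True),
    ("ws-001", "explorer.exe", "cccc0003", True),
    ("ws-001", "chrome.exe", "bbbb0002", True),
    ("ws-002", "svchost.exe", "aaaa0001", True),
    ("ws-002", "explorer.exe", "cccc0003", True),
    ("ws-002", "chrome.exe", "bbbb0002", True),
    ("ws-002", "tool.exe", "eeee0005", True),
    ("ws-003", "svchost.exe", "aaaa0001", True),
    ("ws-003", "explorer.exe", "cccc0003", True),
    ("ws-003", "chrome.exe", "bbbb0002", True),
    ("ws-004", "svchost.exe", "aaaa0001", True),
    ("ws-004", "explorer.exe", "cccc0003", True),
    ("ws-004", "chrome.exe", "bbbb0002", True),
    ("ws-004", "update.exe", "dddd0004", False),
    ("ws-005", "svchost.exe", "aaaa0001", True),
    ("ws-005", "explorer.exe", "cccc0003", True),
    ("ws-005", "chrome.exe", "bbbb0002", True),
    ("ws-006", "svchost.exe", "ffff0006", False),  # common name, unexpected hash
    ("ws-006", "explorer.exe", "cccc0003", True),
]


def stack(observations):
    """Count distinct hosts per artifact. The key is (name, hash), so a
    replaced or masquerading binary cannot hide behind a common file name."""
    hosts = defaultdict(set)
    signed = {}
    for host, name, digest, is_signed in observations:
        hosts[(name, digest)].add(host)
        signed[(name, digest)] = is_signed
    return hosts, signed


def rare_artifacts(observations, max_prevalence=0.2):
    """Return artifacts seen on at most max_prevalence of all hosts,
    unsigned ones first, then rarest first (least frequency of occurrence)."""
    hosts, signed = stack(observations)
    fleet_size = len({host for host, *_ in observations})
    results = []
    for (name, digest), seen in hosts.items():
        prevalence = len(seen) / fleet_size
        if prevalence <= max_prevalence:
            results.append({
                "name": name,
                "sha256": digest,
                "signed": signed[(name, digest)],
                "hosts": sorted(seen),
                "prevalence": round(prevalence, 3),
            })
    results.sort(key=lambda r: (r["signed"], r["prevalence"], r["name"]))
    return results


def name_hash_conflicts(observations):
    """Process names that occur with more than one hash across the fleet,
    with the host count per hash; the rare hash behind a well-known name
    is a classic hunting lead."""
    hosts, _ = stack(observations)
    by_name = defaultdict(dict)
    for (name, digest), seen in hosts.items():
        by_name[name][digest] = len(seen)
    return {name: counts for name, counts in by_name.items() if len(counts) > 1}


if __name__ == "__main__":
    for item in rare_artifacts(OBSERVATIONS):
        print(item)
    print(name_hash_conflicts(OBSERVATIONS))
```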

From Windows to Office 365: Detecting Intruder Behavior in Microsoft Infrastructures

Microsoft infrastructures have traditionally been on-premise. This is about to change as Microsoft is getting incredible traction with Office 365 deployments. As the corporate infrastructure is changing, many security professionals are concerned about the security and transparency of their new strategic cloud services and need to change their incident detection and response programs. This blog post is a quick introduction to this topic. If you're interested in more info, check out our webcast Increasing Security and Transparency for Office 365.

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

Office 365 is now the most widely used cloud service

The following graph shows the rapid acceptance of Office 365 as a service, which now makes it the most-used cloud service in corporations, ahead of Box.com and Salesforce.com, according to a recent Okta study. It's important to remember that Office 365 is more than just email and spreadsheets - it brings a lot of the mainstream IT services to the cloud, including file storage, user management, and collaboration.

Lateral movement must also take cloud services into account

This raises new questions around how intruders are attacking and moving laterally through your environment. For example, lateral movement should no longer be limited to domain and local user accounts but must take cloud services into account. These credentials don't have to be stolen from Windows endpoints but can also be obtained by phishing a user to log onto a fake Outlook 365 website (or Outlook Web Access, if you prefer an on-premise version) to obtain domain credentials and log onto the cloud services to access sensitive data.

Leveraging Microsoft's new Office 365 Activity Feed API for incident detection

Microsoft has recently made its new Office 365 Activity Feed API available for preview (MSDN documentation). In other words, Office 365 customers can now access this API to get a sneak peek of the functionality and benefit from it before it's publicly available. Earlier this year, Rapid7 announced its status as Microsoft Early Access Partner and Rapid7 UserInsight's integration with the new API. Now that it's available, UserInsight customers get transparency and security across their entire infrastructure, from the Windows endpoint to Office 365.

Incident detection and investigation with UserInsight

Rapid7 UserInsight helps detect attacks through behavior analytics, investigate incidents faster with user context, and expose risky behavior from endpoint to cloud. The User and Entity Behavior Analytics solution complements your SIEM to identify stealthy attack methods, such as compromised credentials and lateral movement, with high confidence to eliminate alert fatigue. UserInsight accelerates investigations up to 20x through an investigations interface that enables your entire team to collaborate. Unlike other monitoring solutions that only look at network logs, UserInsight monitors endpoints, cloud services, and mobile devices and sets traps for intruders. Rapid7's unique understanding of attacker methodologies is the key to evolving highly accurate detection techniques.

How UserInsight leverages Microsoft's new Office 365 API

Integration with the new Microsoft API allows Rapid7 to automatically collect data from Office 365, SharePoint, Azure Active Directory, and OneDrive and add it to its comprehensive view of network and user behavior, giving organizations the ability to detect attacks across network, cloud, and mobile environments. UserInsight builds a baseline understanding of a user's behavior in order to identify changes that would indicate suspicious activity and help security professionals detect an attack. Because UserInsight uniquely collects, correlates and analyzes data across all users and assets, including cloud applications, it can identify suspicious behavior other solutions can't. Examples of potential threats detected within Office 365 include:

- Advanced attacks: UserInsight automatically correlates user activity across network, cloud and mobile environments. UserInsight can detect advanced attacks such as lateral movement from the endpoint to the cloud, including Office 365.
- Privileged user monitoring: Privileged users are often the ultimate target for intruders. UserInsight monitors Office 365 administrator accounts and alerts the security team of suspicious activity.
- Geographically impossible access: The key to protecting the environment is to be able to unify the network, mobile, and cloud environments. For example, a customer would receive an alert if an employee's cell phone synchronizes email via Office 365 from Brazil within an hour of the same user connecting to the corporate VPN from Paris -- clearly one of the connections cannot be legitimate.
- Account use after termination: UserInsight detects when a suspended or terminated employee accesses their Office 365 account, helping to stop the theft of intellectual property and other business-critical information.
- Access to Office 365 from an anonymization service: UserInsight correlates a constantly-updated list of proxy sites and TOR nodes with an organization's Office 365 activity, detecting attackers that are trying to mask their identity and location.

Once suspicious behavior is detected, security teams and incident responders can investigate the users and assets involved in the context of various activity from the endpoint to the cloud, now including Microsoft Office 365 activity, and determine the magnitude and impact of the attack. Due to UserInsight's visual investigation capabilities, customers can combine asset and user data on a timeline to rapidly investigate and contain the incident.

UserInsight covers more than just Microsoft infrastructures

No network is a pure Microsoft environment, so UserInsight covers a whole lot more than just Microsoft technologies. The solution monitors Mac and Linux endpoints, integrates with infrastructure such as DNS and firewalls, and with security components such as SIEMs and sandboxes. Beyond Office 365, UserInsight integrates with many strategic cloud services.

Where to learn more about monitoring Office 365 with UserInsight

If you'd like to learn more about monitoring your Microsoft infrastructure, including Office 365, check out our webcast Increasing Security and Transparency for Office 365. If you are already a Rapid7 UserInsight customer and would like to integrate your Office 365 environment, check out our documentation "Preparing UserInsight to monitor Office 365".
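The geographically impossible access check described above, as an added example (written for this page, not UserInsight code): it joins VPN and Office 365 logons per user, computes the great-circle distance between consecutive logons, and flags any pair whose implied travel speed is not plausible. The logon events, coordinates, the 1000 km/h ceiling and the 50 km jitter floor are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore GeoIP jitter within one metro area


@dataclass(frozen=True)
class Logon:
    user: str
    source: str      # e.g. "vpn" or "o365-activesync"
    when: datetime   # timezone-aware
    lat: float
    lon: float


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed events: alice's phone syncs Office 365 mail from Sao Paulo
# 45 minutes after she connected to the corporate VPN from Paris; bob's
# Paris-to-London pair three hours apart is ordinary travel.
SAMPLE_LOGONS = [
    Logon("alice", "vpn", utc(2015, 10, 5, 9, 0), 48.8566, 2.3522),
    Logon("alice", "o365-activesync", utc(2015, 10, 5, 9, 45), -23.5505, -46.6333),
    Logon("bob", "vpn", utc(2015, 10, 5, 9, 0), 48.8566, 2.3522),
    Logon("bob", "o365-web", utc(2015, 10, 5, 12, 0), 51.5074, -0.1278),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Correlate logons from every source per user and flag consecutive pairs
    whose implied travel speed exceeds max_kmh. Returns one finding per pair."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event.user].append(event)
    findings = []
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e.when)
        for earlier, later in zip(logons, logons[1:]):
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if km < min_km:
                continue
            hours = (later.when - earlier.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({
                    "user": user,
                    "first": earlier,
                    "second": later,
                    "km": round(km, 1),
                    "kmh": round(kmh, 1),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGONS):
        print(f"{f['user']}: {f['first'].source} -> {f['second'].source}, "
              f"{f['km']} km, implied {f['kmh']} km/h")
```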

UserInsight Ranks Users by Risky Behavior

UserInsight now ranks risky users through behavioral analytics. UserInsight, the User and Entity Behavior Analytics (UEBA) solution, spots user behavior such as unusual admin activity, authentications to new assets, and new user locations and highlights users that exhibit several such behaviors. The User Risk Ranking augments UserInsight's low-noise incident alerts and enables administrators to get richer context around user behavior.

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

How User Risk Ranking Works

On the UserInsight dashboard, you now see three new boxes:

- Top 5 Risky Users: This provides you with a mini-version of the user risk ranking overview page. After you have covered the incident alerts for the day, it may be worth scanning this list for unusual behaviors that may indicate higher user risk, including risky user behavior, user compromise, or insider threats.
- Total User Risk (Last 30 Days): This graph indicates the total behavioral risk for your organization. When you're on the dashboard, you'll see at a glance if your user risk has gone up suddenly. If so, it may be worth looking into what is affecting your risk posture.
- Recent Notable Behaviors: This is a running list of the latest behaviors UserInsight has observed across the entire user population.

The User Risk Ranking Page

On the UserInsight dashboard, click on the bar chart labeled “Total User Risk (Last 30 Days)”, or follow this link (requires UserInsight account). You'll see the list of risky users below the bar chart. On the left, you'll see the filter section that indicates which behaviors contributed to putting users on the risky user list. In parentheses, you'll see which behaviors contributed how much to the risk ranking. You can fine-tune the list by disabling some of the filters.

Click through any user to get more information. You'll see a line graph at the top of the page indicating when the behaviors took place and a vertical timeline below, indicating behaviors and incidents. You can use the same filters on the right of the page to hide any behaviors. To check out other users, simply pick a risky user on the left menu.

You don't have UserInsight yet? Read about how UserInsight helps you detect and investigate incidents and check out our short demo videos.

Get Off the Hook: Ten Phishing Countermeasures to Protect Your Organization

The Internet is full of articles for how to tell if an email is phishing but there seems to be a lack of concise checklists how to prepare an organization against phishing attacks, so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bullet proof, so layering your defenses is important – and having an incident response plan in case someone does get through. Here are my recommendations on how to defend against phishing attacks: 1. Filter emails for phishing threats It's important that you filter your emails for malicious URLs and attachments to prevent phishing emails making it to your users in the first place. Sandboxing can detect a lot of the malware in emails, but make sure that you have a follow up plan in place if you're deploying this technology in detection rather than blocking mode – otherwise the malware is still live on your systems. Use security analytics to filter out malicious URLs. Rapid7 UserInsight uses threat feeds to detect known malicious URLs and security analytics to alert on unknown ones. It also integrates with sandboxing solutions, such as FireEye NX Series and PaloAlto WildFire, to enable quick and easy incident investigation of malware alerts. 2. Update client-side operating systems, software, and plug-ins Some phishing emails include URLs to exploit vulnerabilities in the browsers and its plug-ins, such as Flash and Java; others send file attachments that try to exploit applications like Adobe Acrobat or Microsoft Office. That's why it's important to patch vulnerabilities on your endpoints as well. Many organizations already have a vulnerability management program in place but only scan servers. Make sure you extend coverage to your endpoints and patch operating systems, software, and plug-ins. This not only protects you from phishing emails but also drive-by attacks. Rapid7 Nexpose can help you manage vulnerabilities on your endpoints, and much more. 
3. Harden Your Clients

Lock down your clients as much as possible. This includes things like not making your users local administrators and deploying mitigation tools like Microsoft EMET (check out this Whiteboard Wednesday on EMET on how to deploy this free tool). Rapid7 Nexpose Ultimate includes Controls Effectiveness Testing, which helps you scan your clients and guides you through the steps to harden them against phishing and other attacks.

4. Block Internet-bound SMB and Kerberos traffic

One of our penetration testing team's favorites is the SMB authentication attack. In this scenario, the attacker sets up an SMB service on the Internet and sends a phishing email with a URL or Word document that references an image through file:// rather than http://. This tricks the computer into authenticating to the SMB service with the user's domain credentials, providing the attacker with a user name and password hash. The hash can then be cracked or used in pass-the-hash attacks. To defend against SMB and Kerberos attacks, block TCP ports 88, 135, 139, 445 and UDP ports 88, 137, 138 for non-RFC 1918 destination addresses, both on the perimeter and on the host-based firewalls. You'll also want a process in place to detect compromised credentials, for example Rapid7 UserInsight, which leads us to the next item on our checklist.

5. Detect malware on endpoints

Many phishing attacks involve malware that steals your data or passwords. You should have technology in place to detect malware on the endpoint. Regular anti-virus is great for catching commodity malware, which is likely the bulk of what you will see used against you. There are also many new endpoint detection vendors out there with great alternative technologies. Rapid7 UserInsight uses its agentless endpoint monitor to collect process hashes from all machines on your network and highlights known malicious processes based on the output of 57 anti-virus scanners; it also looks for rare or unique unsigned processes that may indicate malware.

6. Detect compromised credentials and lateral movement

Even with all of these protections in place, your users may still fall prey to credential harvesting attacks. A common phishing attack leads users to a fake Outlook Web Access page and asks them to enter their domain credentials to log on, but there are many variations. Once the attackers have the passwords, they can impersonate users. Rapid7 UserInsight can detect compromised credentials, both on your network and in cloud services such as Office 365, Salesforce.com and Box.com. It detects lateral movement to other users, assets, or to the cloud, so you'll be able to trace intruders even if they break out of the context of the originally compromised user.

7. Implement 2-factor authentication

Add 2-factor authentication (2FA) to any externally-facing system to stop attackers from using stolen passwords. While Rapid7 doesn't offer a solution in this space, check out our partners Okta and Duo Security. All systems protected with Okta (see the Rapid7/Okta Integration Brief) or Duo Security can be monitored with Rapid7 UserInsight to help detect any attempts to use compromised credentials.

8. Enable SPF and DKIM

Two standards help determine whether an email actually came from the sender domain it claims, which is how email spoofing is detected. The first is the Sender Policy Framework (SPF), which adds a list to your DNS records of all servers that are authorized to send mail on your behalf. The second is DomainKeys Identified Mail (DKIM), which lets an email server digitally sign all outgoing mail, proving that an email came from a specific domain and was not altered in transit. Together, they raise the recipient's confidence in the authenticity of the sender and the email content. To improve security hygiene, check that your systems have both SPF and DKIM enabled on your outgoing email. For incoming email, check whether the sender domain has SPF set up and the email came from an authorized server, and that DKIM-signed emails have not been tampered with. While these protections are not bulletproof against targeted attacks that register look-alike domains, they can help filter out a lot of mass phishing.

9. Train your employees on security awareness

While even educated users won't catch everything, they are worth investing in. Train your users on how to detect phishing emails and send them simulated phishing campaigns to test their knowledge. Use the carrot, not the stick: offer prizes for those who detect phishing emails to create a positive security-aware culture, and extend the bounty from simulated to real phishing emails. Whenever you see new phishing emails targeting your company, alert your employees about them using sample screenshots of the emails with the phishy features highlighted. Encourage your users to use secure browsers; I put Google Chrome (64-bit version) at the top of my list for security and usability. Here at Rapid7, we offer Security Awareness Trainings; you can also send phishing simulations with Rapid7 Metasploit Pro that track click-throughs so you can report on user awareness.

10. Have an incident response plan

Even if you put all of these protections in place, some phishing emails will get through, especially if they are targeted against your organization and tailored to the individual. The question is not whether these emails will get through but how well you are prepared to respond to intruders on the network. Rapid7 UserInsight enables you to detect compromised users and investigate intruders that entered the network through a phishing attack. This helps you shorten your time-to-detection and time-to-contain, reducing the impact of a phishing attack on your organization. In addition, Rapid7 offers incident response services and can help you develop an incident response program.

While these areas cover the most important counter-phishing measures, I'd love to hear if you've implemented anything else that you found to be effective; just post your experience in the comments section. If you're looking at defending against phishing attacks, you may also enjoy my related webcast "You've Been Phished: Detecting and Investigating Phishing Attacks". Register now to save a seat and ask questions during the live session.
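The egress rule from item 4, expressed as a policy check that can also be run over connection records to spot endpoints that tried to reach Internet-facing SMB or Kerberos services. This is an added example, not Rapid7 code; the flow records are constructed, and the destination ranges 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges rather than real hosts.

```python
"""Outbound SMB/Kerberos policy check for item 4 of the checklist.

Added example, not Rapid7 code. The flow records below are constructed; the
destination ranges 198.51.100.0/24 and 203.0.113.0/24 are documentation
ranges, not real hosts.
"""
import ipaddress
from typing import List, Tuple

# Ports named in the checklist: TCP 88, 135, 139, 445 and UDP 88, 137, 138.
BLOCKED_PORTS = {"tcp": {88, 135, 139, 445}, "udp": {88, 137, 138}}

# RFC 1918 ranges: domain members legitimately need SMB/Kerberos to these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for IPv4 private addresses; anything else (including IPv6) counts as external."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def should_block(proto: str, dst_ip: str, dst_port: int) -> bool:
    """The rule: a listed port towards a non-RFC 1918 destination is blocked (and worth an alert)."""
    return dst_port in BLOCKED_PORTS.get(proto.lower(), set()) and not is_rfc1918(dst_ip)


def find_violations(flow_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Sweep 'src dst proto port' flow records and return the ones the policy would block.

    A hit from a workstation is a useful detection signal: a file:// lure that fires
    produces exactly this kind of connection attempt.
    """
    hits = []
    for line in flow_lines:
        line = line.split("#", 1)[0].strip()   # tolerate trailing comments in the sample data
        if not line:
            continue
        src, dst, proto, port = line.split()
        if should_block(proto, dst, int(port)):
            hits.append((src, dst, proto.lower(), int(port)))
    return hits


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "10.1.2.3 10.1.0.5 tcp 445",        # file server on the LAN: allowed
    "10.1.2.3 198.51.100.7 tcp 445",    # SMB to the Internet: block
    "10.1.2.4 203.0.113.9 udp 137",     # NetBIOS name service to the Internet: block
    "10.1.2.4 203.0.113.9 tcp 443",     # HTTPS: outside this rule's scope
    "10.1.2.5 172.31.4.4 tcp 88",       # Kerberos to an internal domain controller: allowed
]

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_FLOWS):
        print("blocked/alert:", hit)
```

The same predicate serves both halves of the checklist item: it is the rule you would encode in the perimeter and host firewalls, and, applied to firewall or NetFlow logs, it doubles as a detection for endpoints that attempted the connection.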
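Item 8 asks you to check, for incoming mail, whether the sending server is authorized by the sender domain's SPF record. The evaluator below shows how that check works for the common SPF mechanisms (ip4, ip6, include, all). It is an added example, not Rapid7 code or a full RFC 7208 implementation: the DNS TXT records are a constructed in-memory table so it runs offline, and the a, mx, ptr and exists mechanisms, which need live DNS, are not handled. DKIM verification is a separate signature check not shown here.

```python
"""Minimal SPF evaluation for a sending IP, using a constructed DNS table.

Added example, not Rapid7 code. example.com / example.net are reserved documentation
domains and the records below are made up.
"""
import ipaddress
from typing import Dict

# Constructed TXT records standing in for DNS lookups.
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, txt: Dict[str, str] = DNS_TXT, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip against domain.

    Handles ip4, ip6, include and all. Mechanisms that need DNS (a, mx, ptr, exists) are
    skipped, i.e. treated as not matching.
    """
    if depth > 10:                        # RFC 7208 limits include recursion to 10 lookups
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:         # explicit qualifier, e.g. "-all" or "~all"
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the included domain's evaluation is "pass"
            matched = check_spf(arg, sender_ip, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "203.0.113.5"):
        print(ip, "->", check_spf("example.com", ip))
```

A "fail" from the domain's own record is the signal a mail gateway acts on; "softfail" and "neutral" are commonly used as scoring inputs rather than hard rejects, and "none" means the sender domain has not published SPF at all, which the post notes you should also check for your own domains.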

Hammertoss Demonstrates Need for Applying Attacker Knowledge to Behavior Analytics


A recent report on a new type of malware dubbed “Hammertoss” highlights the importance of applying knowledge of attacker methodologies to behavior analytics. As an industry, we get very fixated on the latest intruder tools. The risk here is that we can't see the forest for the trees. To effectively detect intruders, we must look at the entire attack chain and the methods attackers will always use to complete their mission. Hammertoss is an example of a backdoor that is reportedly deployed at a late stage of an attack, using a variety of tactical methods. You can only be effective in this game if you have broad detection for the methods intruders will use regardless of tools, using approaches including traditional threat intelligence, intruder analytics, and endpoint detection.

While interesting on many levels, Hammertoss caught my eye because it tries to mimic regular user behavior to avoid detection, albeit in a fairly crude way:

- It can be configured to operate during normal working hours to blend into regular network traffic
- It gets commands from and exfiltrates to mainstream cloud services, such as Twitter and GitHub

Attackers changing their methods means behavior analytics is working

Attackers make economic decisions: they don't change their methods unless those methods start becoming ineffective. The fact that Hammertoss built in ways to avoid anomaly-based behavior detection shows that these methods have caused attackers some pain. However, the evasion techniques are very basic steps to avoid the simplest User and Entity Behavior Analytics (UEBA) solutions, because those rely only on baselining work hours and cloud usage without context.

Behavior analytics must take attacker methodologies into account

When Rapid7 started out researching behavior analytics solutions, we quickly realized that “pure math” could not solve the problem. Looking for outliers such as unusual login times quickly leads to an unsurpassable mountain of false positive alerts. The fact is: people do unpredictable things for legitimate reasons. I may have a report due that forces me to work late or on weekends. One approach we continually find effective in detecting bad actors is to take behavior analytics and pair it with our knowledge of attacker methodologies. We take this knowledge from many sources: the Metasploit project, Rapid7 Labs' primary research, and our offensive security and incident response services teams.

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

Detection must occur throughout the attack chain

It's also interesting to note that the Hammertoss malware is reportedly used late in the attack chain. It is a backdoor that enables attackers who have gained access to a network to maintain persistence over the long term. The communication methods are low, slow, and obfuscated to avoid detection. Rapid7 recommends detecting attacks throughout the kill chain by detecting phishing, use of compromised credentials, lateral movement and other attacker activity, which is where Rapid7 UserInsight focuses its detection. That said, UserInsight can detect and investigate incidents related to Hammertoss in the following ways:

- Detecting malicious Hammertoss processes running on the network through agentless endpoint monitoring
- Honey pot alerts as Hammertoss runs reconnaissance operations on the network
- Spotting lateral movement on the network, which Hammertoss issues through PowerShell commands
- Investigation of data exfiltration as Hammertoss uploads data to cloud services

If you're interested in learning more about how Rapid7 can help you detect intruders on your network and give them the boot, talk to us about the UserInsight intruder analytics solution and Rapid7's incident response services.

Related Resources: What is User Behavior Analytics?

Image courtesy of RiverArt.net: Journey across Russia: swimming against the tides

UserInsight Integrates with Microsoft's New Office 365 API to Detect Intruders


If you are at the RSA Conference this week, you may have seen Microsoft's keynote announcing the new Office 365 Activity Feed API this morning. In case you missed it, Microsoft summarized the announcement in today's blog post. The new Management Activity API is a RESTful API that provides an unprecedented level of visibility into all user and admin transactions within Office 365.

Rapid7 got early access to this technology through the Microsoft Technology Adoption Program and is one of the first companies to integrate with Microsoft's new Office 365 Management Activity API. As a result, Rapid7 UserInsight already fully integrates with Microsoft Office 365, enabling incident response professionals to detect and investigate incidents from endpoint to cloud, providing security and transparency for cloud services such as Office 365.

Unlike monitoring solutions that look exclusively at network data for malicious traffic, UserInsight monitors endpoints, networks, cloud services, and mobile devices, setting traps for intruders, detecting attacks automatically and enabling fast investigation to mitigate the risks posed by compromised accounts. Integration with the new Microsoft API allows Rapid7 to automatically collect data from Office 365, SharePoint, Azure Active Directory, and OneDrive and add it to its comprehensive view of network and user behavior, giving organizations the ability to detect attacks across network, cloud, and mobile environments.

Lateral Movement Extends Beyond the Perimeter and Into the Cloud

Research shows that the use of stolen credentials is still the most common threat action. What's most concerning is that intrusions often go undetected for more than six months because attackers move laterally across company systems, collecting more and more credentials to gain persistence. A common misconception is that lateral movement ends with the perimeter. However, with modern enterprise systems extending to cloud services, defenders need to think more broadly and include cloud services. Once they have compromised the credentials, attackers no longer have to be connected to the corporate network to access documents or email services.

Organizations need to understand user behavior across multiple environments in order to discover and investigate security incidents quickly. The new Microsoft API is a big step forward in arming security professionals with the tools they need to protect their environments and detect malicious behavior as ecosystems expand to the cloud. It enables UserInsight customers to run analytics across their entire ecosystem, within the perimeter and in the cloud.

How UserInsight leverages Microsoft's new Office 365 API

UserInsight builds a baseline understanding of a user's behavior in order to identify changes that would indicate suspicious activity and help security professionals detect an attack. Because UserInsight uniquely collects, correlates and analyzes data across all users and assets, including cloud applications, it can identify suspicious behavior other solutions can't. Examples of potential threats detected within Office 365 include:

Advanced attacks: UserInsight automatically correlates user activity across network, cloud and mobile environments. UserInsight can detect advanced attacks such as lateral movement from the endpoint to the cloud, including Office 365.

Privileged user monitoring: Privileged users are often the ultimate target for intruders. UserInsight monitors Office 365 administrator accounts and alerts the security team of suspicious activity.

Geographically impossible access: The key to protecting the environment is to be able to unify the network, mobile, and cloud environments. For example, a customer would receive an alert if an employee's cell phone synchronizes email via Office 365 from Brazil within an hour of the same user connecting to the corporate VPN from Paris: clearly one of the connections cannot be legitimate.

Account use after termination: UserInsight detects when a suspended or terminated employee accesses their Office 365 account, helping to stop theft of intellectual property and other business-critical information.

Access to Office 365 from an anonymization service: UserInsight correlates a constantly updated list of proxy sites and Tor nodes with an organization's Office 365 activity, detecting attackers that are trying to mask their identity and location.

Once suspicious behavior is detected, security teams and incident responders can investigate the users and assets involved in the context of various activity from the endpoint to the cloud, now including Microsoft Office 365 activity, and determine the magnitude and impact of the attack. Due to UserInsight's visual investigation capabilities, customers can combine asset and user data on a timeline to rapidly investigate and contain the incident.

Learn more about UserInsight's new capability to detect intruders in Office 365

The integration is available immediately to Microsoft Office 365 customers who have signed up for the API preview. Rapid7 will showcase the solution this week at the RSA Conference in San Francisco. Visit Rapid7's booth, located at North Expo #N3335, to learn more or request a personal demo online.

UserInsight Detects Attacks Using Intruder Tools to Steal Credentials


Attackers will always gravitate to the cheapest and most effective way to get into a network. According to the latest Verizon Data Breach Investigations Report, compromised credentials have been the top attacker methodology for two years in a row now. Credentials enable attackers to move through the network undetected because most companies still have no way to detect them, so attackers enjoy excellent economics.

UserInsight has always focused on detecting compromised credentials, but most people don't realize we also detect credential theft early in the attack chain by detecting intruder tools. A great example of an intruder tool is Mimikatz, an interactive attack software that helps attackers extract credentials from the memory of machines they have compromised. Attackers then use the compromised credentials for lateral movement and to gain persistence on the network.

Detecting intruder tools on endpoints without the need for an agent

UserInsight's endpoint monitoring provides visibility into activity on endpoints without requiring the deployment of a software agent. The ability to detect intruder tools expands on UserInsight's capabilities to detect attacks across an organization's ecosystem, from the endpoint to the cloud.

Once attackers have stolen credentials from the endpoint, they move laterally across networks and cloud services, collecting more and more credentials to gain access to other machines. UserInsight already detects the use of compromised credentials and lateral movement from the endpoint to the cloud. Detecting intruder tools increases the number of places UserInsight spots intruders in the attack chain, making it harder for them to remain undetected.

UserInsight detects intruder tools in two ways. First, UserInsight checks all processes running on an endpoint against a list of 'known bad' executables. Second, if attackers use anti-virus evasion routines to obfuscate the malware, UserInsight will still flag it by highlighting rare and unique processes on the network.

Bringing the context of malware to compromised credentials, users, and assets

UserInsight has several other capabilities to investigate malware alerts. Through its integrations with third-party endpoint protection and advanced malware sandboxing solutions, such as FireEye NX Series and Palo Alto WildFire, UserInsight consumes malware alerts and puts them in the context of the user and of indicators of attack, such as compromised credentials and lateral movement, to accelerate investigations. In addition, UserInsight natively detects other known malware by comparing all running processes in an organization to a database of known malicious software. It also alerts on attacks using custom backdoors or obfuscated malware that uses anti-virus evasion techniques by detecting rare and unique processes on the network.

To learn how UserInsight detects intruders from the endpoint to the cloud, schedule a guided demo with one of our specialists.

UserInsight Detects Malicious Processes on Endpoints without Deploying an Agent


Compromised credentials and malware are the top two attacker methodologies according to the 2014 Verizon Data Breach Investigations Report. While UserInsight focuses primarily on detecting compromised credentials, a huge gap in most security programs, UserInsight now helps detect malware on endpoints in your entire organization, without having to deploy any software to the endpoints.

Protect your endpoints with the wisdom of 50 virus scanners and the footprint of none

UserInsight checks each process against a database of malware scanning results from over 50 virus scanners and alerts if the process is reported to be malicious. While individual anti-virus scanners will always have blind spots, installing several scanners on the endpoint is not an option because they would conflict with each other and grind performance to a halt. UserInsight leverages the wisdom of more than 50 virus scanners by checking processes against a database of previous scanning results, protecting UserInsight subscribers against malware as soon as malware vendors detect a new piece of malware.

UserInsight customers who have piloted this new functionality have already reported successes. They detected mass malware on their endpoints that had previously remained undetected by their existing virus scanners.

Individual virus scanners not only have blind spots but also false positives. This is why UserInsight enables organizations to set a threshold for how many virus scanners must flag a process as malicious before it is reported as an alert, helping reduce the false positive rate and alert fatigue.

Some types of malware run under the names of legitimate processes to avoid detection. UserInsight takes a hash of the process to help detect these kinds of malware as well.

The endpoint monitoring does not require the deployment or management of a software agent on the endpoints, which can be a burden for overworked IT organizations. UserInsight achieves this through credentialed scanning of endpoints, greatly reducing the overhead of monitoring endpoints. The new endpoint malware detection works with both Windows and Mac operating systems.

New endpoint malware detection builds on existing malware functionality

The new endpoint malware detection methods build on UserInsight's existing capability to detect malicious processes.

Rare and unique processes: While the new functionality extends the detection to known mass malware, UserInsight already gave customers visibility of malware that uses polymorphism or malware that was customized for a targeted attack. Custom or obfuscated malware stands out as an anomaly when compared to other processes that run in an organization. For example, an office application would be present on thousands of machines in an organization, while a piece of malware would only show up on one or two. In addition, legitimate processes are often digitally signed by an organization. UserInsight detects unsigned rare and unique processes in an organization to help incident responders detect these types of targeted attacks.

User context for advanced malware: Advanced malware solutions use sandboxes to scrutinize executables and files for malicious behavior. Because organizations are afraid of false positive alerts impacting the productivity of their users, most IT security teams deploy advanced malware solutions only in detection mode without blocking emails or web access. As a result, alerts must be closely monitored and investigated. However, it can be difficult to investigate an attack given only the IP address of a machine that caused an alert, especially in environments with dynamic IP addresses. UserInsight has existing integrations with FireEye NX Series and Palo Alto WildFire to help incident responders easily identify the user connected to an alert, and provides the full context of that user's activities to accelerate the investigation.

Adding alerts from endpoint protection platforms to investigations: Endpoint protection platforms are typically set up to quarantine malware, so they are rarely centrally monitored because no follow-up is required. UserInsight surfaces malware alerts from endpoint protection platforms to provide more context in incident investigations. For example, let's assume an intruder tries three times to phish a user: the first two attempts are blocked by the virus scanner, but the third attempt goes through. In an investigation, the endpoint protection platform would report the first two blocked attempts, providing useful context about the initial attack vector.

How to set up UserInsight to detect malware on endpoints

Using the malware endpoint detection with UserInsight is very easy. If you are already using the endpoint monitoring, you will see 'MALICIOUS PROCESS ON ASSET' alerts showing up in your incident alerts. If you don't have endpoint monitoring set up yet, here is how you do it:

1. Go to the Collectors page in UserInsight.
2. Click on 'Rapid7' in the event sources list on the left.
3. Click the sign on the collector for the location where you'd like to add endpoint scanning.
4. Select 'Rapid7 Endpoint Monitor' for Windows or 'Rapid7 Mac Endpoint Monitor' for Mac endpoints and ensure that you activate the dissolvable agent.

The new functionality to detect malicious processes is available immediately. If you'd like to test it out, please contact us to schedule a 1:1 demo or talk about evaluating UserInsight.
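The two endpoint detections described in this post and in the intruder-tools post above (a known-bad hash lookup with a threshold on how many scanners must agree, and flagging unsigned processes that are rare across the fleet) come down to a prevalence calculation over a process inventory. The block below is an added example of that logic, not UserInsight's implementation: the inventory, the hash values and the scanner verdict counts are all constructed placeholders, and a real deployment would fill them from endpoint scans and a multi-engine scanning service.

```python
"""Known-bad and rare-unsigned process detection over a constructed process inventory.

Added example, not UserInsight code. Hosts, hashes and scanner counts are made up.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    host: str
    name: str
    sha256: str      # placeholder token standing in for a real hash
    signed: bool     # whether the binary carries a valid code signature


# Constructed inventory: four workstations, one of them running a second, unsigned
# "svchost.exe" with a different hash, and two running an unsigned in-house updater.
INVENTORY: List[Proc] = [
    Proc("ws01", "outlook.exe", "h_outlook", True),
    Proc("ws02", "outlook.exe", "h_outlook", True),
    Proc("ws03", "outlook.exe", "h_outlook", True),
    Proc("ws04", "outlook.exe", "h_outlook", True),
    Proc("ws01", "svchost.exe", "h_svchost", True),
    Proc("ws02", "svchost.exe", "h_svchost", True),
    Proc("ws03", "svchost.exe", "h_svchost", True),
    Proc("ws04", "svchost.exe", "h_svchost", True),
    Proc("ws03", "svchost.exe", "h_fake_svchost", False),   # legitimate name, wrong hash
    Proc("ws02", "updater.exe", "h_updater", False),
    Proc("ws04", "updater.exe", "h_updater", False),
]

# Constructed multi-scanner verdicts: hash -> number of engines that call it malicious.
SCANNER_HITS: Dict[str, int] = {"h_fake_svchost": 41, "h_updater": 2}


def known_bad(inventory: List[Proc], scanner_hits: Dict[str, int],
              min_engines: int = 5) -> List[Tuple[str, str, str]]:
    """Processes whose hash at least min_engines scanners flag.

    The threshold is the false-positive control the post describes: a single engine's
    verdict (like the two hits on the in-house updater) is not enough on its own.
    """
    return sorted({(p.host, p.name, p.sha256) for p in inventory
                   if scanner_hits.get(p.sha256, 0) >= min_engines})


def rare_unsigned(inventory: List[Proc], max_hosts: int = 1) -> List[Tuple[str, str, str]]:
    """Unsigned hashes present on at most max_hosts distinct hosts across the fleet."""
    hosts_by_hash = defaultdict(set)
    for p in inventory:
        hosts_by_hash[p.sha256].add(p.host)
    return sorted({(p.host, p.name, p.sha256) for p in inventory
                   if not p.signed and len(hosts_by_hash[p.sha256]) <= max_hosts})


def name_collisions(inventory: List[Proc]) -> Dict[str, List[str]]:
    """Process names that run under more than one hash: hashing is what exposes the
    'malware named like a legitimate process' case the post mentions."""
    hashes_by_name = defaultdict(set)
    for p in inventory:
        hashes_by_name[p.name].add(p.sha256)
    return {n: sorted(h) for n, h in hashes_by_name.items() if len(h) > 1}


if __name__ == "__main__":
    print("known bad:", known_bad(INVENTORY, SCANNER_HITS))
    print("rare unsigned:", rare_unsigned(INVENTORY))
    print("name collisions:", name_collisions(INVENTORY))
```

Raising max_hosts trades coverage for noise in the same way the scanner threshold does: at max_hosts=2 the unsigned updater is flagged too, which is useful for a first triage pass and too noisy as a standing alert.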

Rapid7 UserInsight Brings User Context to Palo Alto WildFire Alerts


According to the Ponemon Institute's 2014 Industry Report, 74% of security professionals claim incident investigation solutions lack integration with existing security products. UserInsight, our intruder analytics solution, now integrates with Palo Alto WildFire to provide user context and investigative tools for its advanced malware alerts.

What does user context mean? For incident alerts, monitoring solutions often provide the IP addresses or assets affected. However, as users connect to the corporate LAN, WiFi, and VPN, they are assigned many different IP addresses throughout a regular work day, and IP addresses are regularly recycled for other users. This means that when investigating an advanced malware alert, security teams often struggle to determine which person in the organization to follow up with. When retracing a single day of network activity often takes four hours of concentrated, sometimes painful effort, cutting right to a user-centric viewport means a much happier security team.

Our investigation tools combine with WildFire malware detection to quickly visualize the attacker's steps on the network. This includes intruders switching user identities, password guessing attempts, and suspicious access to critical assets, cloud services, or applications.

If you have UserInsight and WildFire set up, head to the UserInsight Collector page. As WildFire is primarily a software add-on, click Firewall Sources and make sure Palo Alto Networks Firewall is configured. As long as you are forwarding everything from the firewall, we will automatically parse the WildFire data. You're done! In addition to the malware alerts provided by WildFire, UserInsight provides detection of compromised credentials, so you're armed with all-round incident detection.

This integration is available now. If you have Palo Alto WildFire and are interested in learning more, join us for a Guided Demo or contact us.
In case you're at the Palo Alto Ignite conference this week, please find us in the vendor area for a demo.
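The "user context" problem this post describes is a time-aware lookup: an alert carries an IP address and a timestamp, and the question is who held that address at that moment, given that addresses are recycled across the day. The block below is an added example of that lookup, not UserInsight code; the lease history and the alerts are constructed, and in practice the leases come from DHCP, VPN and wireless controller logs.

```python
"""Attribute IP-only alerts to users from a lease history.

Added example, not UserInsight code. Times, addresses and alerts are constructed.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple


class Lease(NamedTuple):
    ip: str
    user: str
    start: datetime
    end: Optional[datetime]    # None: still held at the end of the log


T0 = datetime(2015, 3, 10, 8, 0)   # constructed base time, 08:00


def at(hours: int, minutes: int = 0) -> datetime:
    """Offset from the constructed base time."""
    return T0 + timedelta(hours=hours, minutes=minutes)


# The same LAN address is recycled from alice to bob during the day; alice also shows up on VPN.
LEASES: List[Lease] = [
    Lease("10.1.2.3", "alice", at(0), at(3)),       # 08:00-11:00 on the LAN
    Lease("10.1.2.3", "bob", at(3, 30), None),      # 11:30 onwards
    Lease("10.20.0.8", "alice", at(4), at(6)),      # VPN pool, 12:00-14:00
]


def user_for(ip: str, when: datetime, leases: List[Lease] = LEASES) -> Optional[str]:
    """User holding ip at 'when'.

    Returns None when the address was unassigned, and also when more than one lease
    overlaps (bad log data), so that the analyst sees the ambiguity instead of a guess.
    """
    holders = {l.user for l in leases
               if l.ip == ip and l.start <= when and (l.end is None or when < l.end)}
    return holders.pop() if len(holders) == 1 else None


def attribute(alerts: List[Tuple[str, datetime, str]],
              leases: List[Lease] = LEASES) -> List[Tuple[Optional[str], str, datetime, str]]:
    """(ip, time, detail) -> (user or None, ip, time, detail)."""
    return [(user_for(ip, when, leases), ip, when, detail) for ip, when, detail in alerts]


# Constructed alerts as a sandbox appliance would report them: address and time only.
ALERTS = [
    ("10.1.2.3", at(2), "sandbox verdict: malicious PDF"),      # inside alice's lease
    ("10.1.2.3", at(5), "sandbox verdict: malicious EXE"),      # inside bob's lease
    ("10.1.2.3", at(3, 10), "sandbox verdict: malicious DOC"),  # gap between leases
]

if __name__ == "__main__":
    for row in attribute(ALERTS):
        print(row)
```

The half-open interval (start inclusive, end exclusive) matters at the boundaries: an alert stamped exactly at a lease's end belongs to the next holder, not the previous one, and the ten-minute gap in the sample shows why an unattributed alert should stay visible rather than be dropped.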

New Rapid7 Higher Education Program Supports Universities Around the World With Free Licenses, Trainings, and Certifications


40% of security positions will remain unfilled in 2014, according to a recent study by the Ponemon Institute. The inability to find skilled staff to grow security programs remains one of the key challenges for the industry. By contrast, criminal hacking teams seem to be fully staffed. We've all seen the outcome of this inequality in the high profile breaches of 2014.

Universities are doing the best they can to educate the next generation of security professionals. One big challenge they face is that their teaching lab budgets are not funded to replicate an enterprise network with all of its security solutions.

Rapid7 partners with universities to reduce the global shortage of skilled professionals

About half a year ago, a few folks here at Rapid7 reached out to some universities to see how we could help. We were encouraged and inspired by our conversations with faculty and got buy-in from the executives at Rapid7 to stand up a Higher Education Program. Now, we've got all the pieces in place to launch it.

As part of the program, eligible universities will receive the following benefits:

- Free licenses of Nexpose Enterprise and Metasploit Pro for teaching labs
- Free training and certifications for faculty
- Teaching materials for faculty to leverage
- Manuals on how to build a lab for vulnerability management and penetration testing
- Virtual machines for the labs
- Professional certifications for Rapid7 Nexpose Enterprise and Rapid7 Metasploit Pro at great rates for students
- Community-driven technical support

Program already piloted with dozens of universities around the world

We've already piloted this program with a number of universities, as far afield as Germany, Singapore, Australia, and Bosnia and Herzegovina. We thought we'd share their feedback with you:

“Students have been requesting more hands-on ‘real world' experiences for several semesters and the academic licenses helped provide them that experience which they felt was 'awesome'. One student has been hired by a security firm doing junior level penetration testing because of his exposure to Nexpose Enterprise and Metasploit Pro. It was the main difference that set him apart from other recent college graduates that also had similar experience in penetration testing.”
Gaelan Adams, University of Central Florida, USA

“Free Metasploit Pro and Nexpose Enterprise licenses enabled my students to have hands-on experience with the best and most current penetration testing software and see its full potential. They were able to discover and exploit various vulnerabilities with such ease that it was really an eye-opening experience. Now, they know that security is a serious issue and are familiar with tools that can help them.”
Sasa Mrdovic, Associate Professor, University of Sarajevo, Bosnia and Herzegovina

“My goal is to expose our students to the industry leading tools, like those published by Rapid7, so that they will be immediately marketable upon graduation.”
Dr. Shannon McMurtrey, Senior Instructor, Missouri State University, USA

“I believe that exposure to enterprise security tools is critical for the next generation of InfoSec Professionals.”
Jim Furstenberg, Cyber Security Professor, Ferris State University, USA

Eligible universities can sign up now

If you are a faculty member who teaches a cyber-security course that touches on vulnerability management or penetration testing, you can apply to be included in the program. Licenses may only be used for teaching purposes, not for the protection of the university network or commercial work. If you are a student, please let your faculty member know about the Rapid7 Higher Education Program.

Securing DevOps: Monitoring Development Access to Production Environments


A big factor in securing a DevOps environment is that engineers should not have access to the production environment. This is especially true if the production environment contains sensitive data, such as payment card data, protected health information, or personally identifiable information, because compromised engineering credentials could expose sensitive data and lead to a breach. While this requirement is a security best practice and has found its way into many compliance regulations, it can be hard to enforce the strict division of church and state when you are running a high velocity operation with many releases per day and frequent changes to code and systems.

Set up alerts for zone policy violations

One way to help manage this risk is to set up zone policies and monitor whether they are being violated. For example, you define a certain zone as the production zone and then create a network policy that the engineering team is not authorized to access this part of the network. Implementing this may be challenging in some environments, but it's actually very easy in UserInsight, Rapid7's user behavior analytics and incident response solution.

How to monitor for zone policy violations in UserInsight

Setting up a network zone policy in UserInsight is very easy. From the UserInsight dashboard, choose Settings in the top menu and then select Network Zones in the left menu. Click the Add Zone button and define the zone you'd like to monitor. Next, click on Network Policies in the left menu. Enter the name of the Active Directory group for your developers and define that they cannot access the production environment zone. If anyone violates this rule, you'll be alerted on the UserInsight dashboard and on the Incidents page, and you'll receive a notification by email. In this example, we see that user vgonzales violated this policy 100 times. Simply click on this incident alert or on the name to dig in deeper and get more context around this user.
If you'd like to get a personal, guided demo of UserInsight or set up a proof of concept in your environment, please provide your details on the demo request page.
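The zone policy the post configures through the UI reduces to three lookups per event: which zone the destination address falls in, which directory groups the user belongs to, and whether the policy denies that group that zone. The block below is an added example of that evaluation over constructed connection events, not UserInsight code; the zone ranges, the "Engineering" group name, the directory lookup and the events are all constructed, and a real implementation would resolve group membership from Active Directory or LDAP.

```python
"""Network-zone policy violations: a developer group that must not reach production.

Added example, not UserInsight code. Zones, groups and events are constructed.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Zones defined as address ranges (constructed).
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "production": [ipaddress.ip_network("10.50.0.0/16")],
    "staging": [ipaddress.ip_network("10.60.0.0/16")],
}

# Policy: members of these groups may not access these zones (constructed group name).
DENY: Dict[str, Set[str]] = {"Engineering": {"production"}}

# Constructed directory lookup (user -> groups); real code would query AD/LDAP.
GROUPS: Dict[str, Set[str]] = {
    "vgonzales": {"Engineering"},
    "dev2": {"Engineering"},
    "ops1": {"Operations"},
}


def zone_of(ip: str) -> Optional[str]:
    """Name of the zone containing ip, or None if it is outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in n for n in nets):
            return zone
    return None


def is_violation(user: str, dst_ip: str) -> bool:
    """True when any of the user's groups is denied the destination's zone."""
    zone = zone_of(dst_ip)
    if zone is None:
        return False
    return any(zone in DENY.get(group, set()) for group in GROUPS.get(user, set()))


def violations(events: List[Tuple[str, str, str]]) -> Counter:
    """events: (user, destination ip, detail). Returns violation counts per (user, zone),
    which is the figure the post's alert reports ('violated this policy 100 times')."""
    counts: Counter = Counter()
    for user, dst, _detail in events:
        if is_violation(user, dst):
            counts[(user, zone_of(dst))] += 1
    return counts


# Constructed authentication / connection events.
EVENTS = [
    ("vgonzales", "10.50.1.10", "ssh"),
    ("vgonzales", "10.50.1.11", "ssh"),
    ("vgonzales", "10.50.2.5", "https"),
    ("vgonzales", "10.60.2.2", "ssh"),     # staging: permitted for Engineering
    ("ops1", "10.50.1.10", "ssh"),         # Operations is not denied production
    ("dev2", "10.70.0.1", "https"),        # destination outside every zone
]

if __name__ == "__main__":
    for (user, zone), n in violations(EVENTS).items():
        print(f"{user} accessed {zone} {n} times against policy")
```

Destinations outside every defined zone are deliberately not violations; if the production network is not fully enumerated in ZONES, the gap shows up as silence, so the zone definitions deserve the same review as the policy itself.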

Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business


You may fear that cloud services jeopardize your organization's security. Yet your business relies on cloud services to increase its productivity. Introducing a policy to forbid these cloud services may not be a viable option. The better option is to get visibility into your shadow IT and to enable your business to use it securely, so you increase productivity and keep up with the market.

Step one: Find out which cloud services your organization is using

First, you'll want to figure out what is actually in use in your organization. Most IT departments we talk to underestimate how many cloud services are being used by a factor of 10. That's shocking. The easiest way to detect what services are commonly in use is by leveraging Rapid7 UserInsight, a solution for detecting and investigating security incidents from the endpoint to the cloud. For this step, UserInsight analyzes your web proxy, DNS, and firewall logs to outline exactly what services are in use and which users are subscribing to them. This is much easier than sifting through raw log files and identifying which cloud service may be behind a certain entry.

Step two: Have a conversation with employees using these services

Knowing who uses which services enables you to identify the users and have a conversation with them about why they use the service and what data is shared with it. UserInsight makes it easy to correlate web proxy, DNS, and firewall activity to a user because it keeps track of which user had which IP address on the corporate LAN, WiFi, and VPN. All of this information is just one click away.

Based on this information, you can:

- Move the users to a comparable but more secure service (e.g. from Dropbox to Box.com),
- Talk with users about why a certain service is not suitable for use on the corporate network (e.g. eDonkey), and
- Enable higher security on existing services by consolidating accounts under corporate ownership and enabling stronger monitoring.

Step three: Detect compromised accounts through geolocation of cloud and on-premise accounts

Compromised credentials are leveraged in three out of four breaches, yet many organizations have no way to detect how credentials are being used. UserInsight can detect credential compromise in on-premise systems and in the cloud. One way to do this is through geolocation. If a user's mobile device accesses email in New York and then a cloud service is accessed with the same user's credentials from Germany within a time span of 20 minutes, this indicates a security incident that should be investigated. Keep in mind that corporate VPN egress points and mobile carrier NAT can make a legitimate login appear to come from a distant city, so treat such an alert as a lead to investigate rather than proof of compromise.

UserInsight integrates with dozens of cloud services, including Salesforce.com, Box.com, and Google Apps, to geolocate authentications even if they happen outside of the corporate network. The solution correlates not only cloud-to-cloud authentications but also cloud-to-on-premise authentications, giving you much faster and higher quality detection of compromised credentials. With Amazon Web Services (AWS), UserInsight can even detect administrative changes, such as changed passwords, changes to groups, and removed user policies. Read more about UserInsight's ability to detect compromises of AWS accounts.

Step four: Investigate potential exfiltration to cloud services

If attackers compromise your corporate network, they often use cloud storage services to exfiltrate information, even if the company is not using that particular service itself. When investigating an incident that involves a compromised user, you can review that user's transmission volume to figure out if and how much data was exfiltrated this way. UserInsight makes this exceedingly easy, breaking volume down by user and showing it on a timeline.

If you would like to learn more about how UserInsight can help you get more visibility into your organization's cloud service usage, enabling productive conversations and better cloud security, sign up for a free, guided UserInsight demo on the Rapid7 website.
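The geolocation check in step three is easy to reproduce on your own logs once each authentication has been tagged with a location. The following is an added example, not UserInsight code: it takes already-geolocated login events from any source (VPN, mail, cloud), sorts them per user, and flags consecutive logins that would require moving faster than an airliner. The GeoIP lookup is assumed to have happened upstream, the speed and distance thresholds are assumptions, and the sample events are constructed.

```python
"""Impossible-travel detection across on-premise and cloud authentications.

Added example for Step three above; this is not UserInsight code. Events
are assumed to be already geolocated (GeoIP lookup done upstream). The
sample events and the two thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumed: faster than any commercial flight
MIN_DISTANCE_KM = 100.0  # assumed: below this, treat as GeoIP jitter, not travel


@dataclass(frozen=True)
class AuthEvent:
    user: str
    source: str      # where the login was seen: "vpn", "exchange", "salesforce", ...
    ts: datetime     # UTC
    lat: float
    lon: float
    city: str        # only used in the report


@dataclass(frozen=True)
class TravelAlert:
    user: str
    earlier: AuthEvent
    later: AuthEvent
    km: float
    minutes: float
    kmh: float


# Constructed sample: Maria's VPN login in New York is followed 18 minutes
# later by a Salesforce login from Beijing; John's Frankfurt login comes
# 9 hours after New York (a real flight); Ana only moves within New York.
SAMPLE_EVENTS = [
    AuthEvent("maria", "vpn", datetime(2014, 11, 3, 9, 0), 40.71, -74.01, "New York"),
    AuthEvent("maria", "salesforce", datetime(2014, 11, 3, 9, 18), 39.90, 116.40, "Beijing"),
    AuthEvent("john", "exchange", datetime(2014, 11, 3, 8, 0), 40.71, -74.01, "New York"),
    AuthEvent("john", "box", datetime(2014, 11, 3, 17, 0), 50.11, 8.68, "Frankfurt"),
    AuthEvent("ana", "vpn", datetime(2014, 11, 3, 10, 0), 40.71, -74.01, "New York"),
    AuthEvent("ana", "google", datetime(2014, 11, 3, 10, 5), 40.73, -73.99, "New York"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return one TravelAlert per consecutive login pair (per user, any source
    mixed together) whose implied ground speed exceeds max_speed_kmh."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for earlier, later in zip(evs, evs[1:]):
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if km < min_km:
                continue  # same metro area; GeoIP resolution is not street level
            hours = (later.ts - earlier.ts).total_seconds() / 3600.0
            # Identical timestamps far apart are still impossible: speed is unbounded.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_speed_kmh:
                alerts.append(TravelAlert(user, earlier, later, km, hours * 60.0, kmh))
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{a.user}: {a.earlier.source}@{a.earlier.city} -> {a.later.source}@{a.later.city} "
              f"{a.km:.0f} km in {a.minutes:.0f} min ({a.kmh:.0f} km/h)")
```

Running it reports only Maria (New York to Beijing in 18 minutes); John's New York to Frankfurt in nine hours is consistent with a flight, and Ana's two New York logins fall under the distance floor. The distance floor matters in practice because GeoIP places an address somewhere in a city, not at a desk, and the speed threshold, not a fixed time window, is what lets the same rule handle a 20-minute gap and a two-hour gap correctly.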

Detecting Compromised Amazon Web Services (AWS) Accounts

As you move more of your critical assets to Amazon Web Services (AWS), you'll need to ensure that only authorized users have access. Three out of four breaches use compromised credentials, yet many companies struggle to detect their use. UserInsight enables organizations to detect compromised credentials, from the endpoint to the cloud. Through its AWS integration, Rapid7 UserInsight monitors all administrator access to Amazon Web Services, so you can detect compromised credentials before they turn into a data breach.

Specifically, UserInsight helps you detect these security incidents:

Geolocating AWS authentications with other user authentications to detect compromised credentials

UserInsight tracks from where in the world your AWS administrators are logging in, even when they are outside the corporate network. You will be alerted when a user logs in from two locations in a short period of time, indicating a compromised account. This even works when only one of the authentications is to AWS. For example, it will tell you if Maria logs into Amazon Web Services from Beijing within only 20 minutes of logging onto the VPN from New York.

Alerting on AWS access by users whose corporate accounts have been disabled

Most companies have great processes for deprovisioning Windows accounts when a user leaves the organization, but cloud accounts are often overlooked. UserInsight alerts you if a user whose LDAP account has been disabled still logs into Amazon Web Services, even if the AWS account is accessed from outside your corporate network.

Visibility into users with administrative privileges, whether on-premise or in the cloud

Keeping track of which employees have administrative privileges can be a challenge. UserInsight keeps a running list of any user who has administrative privileges. If users log into AWS, they are automatically added to the administrators' list, giving you full visibility.

Full logging of all AWS administrative activity

UserInsight monitors all administrative access changes to your AWS account, including adding or removing a user from a group, creating or changing passwords, modifying or removing a user policy, and deleting access keys. You can correlate this activity on a graph and zoom into periods that show suspicious activity.

Detecting which employees use AWS accounts not provisioned by IT

Keeping track of shadow IT is tough. UserInsight gives you instant visibility into which users use which web service, including AWS accounts. This enables you to quickly and easily identify non-sanctioned accounts, helping you to consolidate AWS activities. This not only helps your security posture but also enables you to get volume pricing instead of paying list prices for smaller pockets across the organization.

Amazon Web Services is only one of more than a hundred cloud applications for which UserInsight detects compromises. If you'd like to hear more about how Rapid7 UserInsight can detect incidents from the endpoint to the cloud, visit us at Amazon re:Invent in Vegas, Booth #637 in Sands Expo Hall C, or request a free guided UserInsight demo on the Rapid7 website. Not ready? See how Rapid7 products and services help you detect attacks leveraging compromised credentials here.
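Three of the signals above (logins by users whose LDAP account is disabled, IAM administrative changes, and console logins by IAM users IT never provisioned) come straight out of AWS CloudTrail once you join it against your directory. The following is an added example, not UserInsight code, of that triage over a CloudTrail log file. The CloudTrail field names used (eventName, eventSource, userIdentity, responseElements, requestParameters) are the real ones; the trail records, the set of disabled LDAP accounts and the IAM-user-to-corporate-account mapping are constructed for the example.

```python
"""Triage of AWS CloudTrail records for IAM admin changes, console logins by
users whose corporate (LDAP) account is disabled, and console logins by IAM
users with no known corporate owner.

Added example, not UserInsight code. The trail, the disabled-account set and
the IAM-user -> corporate-account mapping below are constructed.
"""
import json
from dataclasses import dataclass

# IAM API calls that change who can do what; CloudTrail's eventName is the API name.
IAM_ADMIN_EVENTS = {
    "AddUserToGroup", "RemoveUserFromGroup",
    "CreateLoginProfile", "UpdateLoginProfile",
    "PutUserPolicy", "DeleteUserPolicy", "AttachUserPolicy", "DetachUserPolicy",
    "CreateAccessKey", "DeleteAccessKey",
}

# Constructed: corporate accounts already disabled in LDAP, and an assumed
# IAM-user-name -> corporate-account map (None marks an owned service account).
DISABLED_CORP_ACCOUNTS = {"jdoe"}
AWS_TO_CORP = {"maria": "maria", "john.doe": "jdoe", "ops-bot": None}

# Constructed trail; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder key id.
SAMPLE_TRAIL = r'''{"Records": [
 {"eventTime": "2014-11-03T14:02:11Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "john.doe"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2014-11-03T14:10:40Z", "eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup",
  "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "maria"},
  "requestParameters": {"groupName": "Administrators", "userName": "contractor1"}},
 {"eventTime": "2014-11-03T14:12:05Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey",
  "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "maria"},
  "requestParameters": {"userName": "ops-bot", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2014-11-03T15:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "maria"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2014-11-03T15:21:37Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "192.0.2.44", "userIdentity": {"type": "IAMUser", "userName": "tmp-admin"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2014-11-03T15:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "ops-bot"}}
]}'''


@dataclass(frozen=True)
class Finding:
    kind: str        # "disabled-account-login" | "unmapped-aws-user" | "iam-admin-change"
    aws_user: str
    event_name: str
    event_time: str
    source_ip: str
    detail: str


def load_records(trail_text):
    """A CloudTrail log file is a JSON object with a top-level "Records" list."""
    return json.loads(trail_text)["Records"]


def actor(record):
    """IAM user name of the caller; root and assumed-role sessions carry no userName."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("type", "unknown")


def triage(records, disabled_accounts, aws_to_corp):
    """Return (findings, admins): findings in trail order, plus every user seen
    logging into the console or changing IAM, i.e. the running admin list."""
    findings, admins = [], set()
    for rec in records:
        user, name = actor(rec), rec.get("eventName", "")
        ip, when = rec.get("sourceIPAddress", ""), rec.get("eventTime", "")
        if name == "ConsoleLogin":
            if (rec.get("responseElements") or {}).get("ConsoleLogin") != "Success":
                continue  # failed logins belong to a separate brute-force rule
            admins.add(user)
            if user not in aws_to_corp:
                findings.append(Finding("unmapped-aws-user", user, name, when, ip,
                                        "IAM user not provisioned through IT"))
            elif aws_to_corp[user] in disabled_accounts:
                findings.append(Finding("disabled-account-login", user, name, when, ip,
                                        f"corporate account {aws_to_corp[user]} is disabled in LDAP"))
        elif rec.get("eventSource") == "iam.amazonaws.com" and name in IAM_ADMIN_EVENTS:
            admins.add(user)
            params = rec.get("requestParameters") or {}
            findings.append(Finding("iam-admin-change", user, name, when, ip,
                                    json.dumps(params, sort_keys=True)))
    return findings, admins


if __name__ == "__main__":
    found, admin_users = triage(load_records(SAMPLE_TRAIL), DISABLED_CORP_ACCOUNTS, AWS_TO_CORP)
    for f in found:
        print(f"{f.event_time} {f.kind:22} {f.aws_user:10} {f.event_name:16} {f.source_ip:15} {f.detail}")
    print("admins seen:", sorted(admin_users))
```

On the sample trail this yields four findings: john.doe's successful console login against a disabled LDAP account, Maria's two IAM changes (adding contractor1 to Administrators and deleting ops-bot's access key) with their request parameters preserved for the investigation, and a console login by tmp-admin, an IAM user with no corporate owner on record. The read-only EC2 call by the service account produces nothing. The join to the directory is the part that matters: CloudTrail alone cannot know that jdoe left the company, and neither signal is visible from on-premise logs, since none of these logins touch the corporate network.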
