Rapid7 Blog

Naveen Bibinagar  


Gone Phishing: A Case Study on Conducting Internal Phishing Campaigns

To many, email is boring. It has been a long time since it was "cool," and it is probably the slowest form of communication in a fast-paced digital world. Nevertheless, 215 billion emails were exchanged per day in 2016, and that number is growing at 3% annually. Email is clearly not going away anytime soon, and neither are its implications for security. According to the 2017 Verizon Data Breach Investigations Report (DBIR): "43% of all data breaches happened through social attacks or through social engineering. And of those social engineering attacks, phishing constitutes 93%." Furthermore, nobody is immune to phishing, not even security companies. At this year's UNITED Summit, several others on Rapid7's IT and engineering teams and I will take our audience on a journey through the intricacies of conducting an internal phishing campaign. We will present a case study directly from the people who run internal phishing simulations at Rapid7, and we will talk about the practical challenges and solutions involved in building an effective campaign. Among the questions we will address: How can we avoid the spam filters of top email service providers like G Suite and Office 365? How much does the reputation of your sending domain matter for deliverability? What results did Rapid7's security engineers see when they ran internal phishing campaigns, and how did those results change over time? And perhaps most important of all: how can you use this knowledge to improve security across your own organization? Email might be boring, but working on better ways to understand and combat phishing is endlessly interesting. Come hear how Rapid7 solves security challenges both inside and outside its own walls, and if you have not yet signed up to join us at UNITED this year, register here. Want to know what other Rapid7 talks will headline at UNITED? Check out these teasers from threat intelligence lead Rebekah Brown, Metasploit's Brent Cook, and Research Director Tod Beardsley.

ControlsInsight: Server Controls - Single Critical role

NIST CM-7, Australian DSD Mitigation #24, SANS Critical Control 11-6 and PCI-DSS 2.2.1 all recommend that a server deployed in a production environment serve only one critical role. Adding a second critical role, such as file services, to a web server increases that server's attack surface. Web servers in production are generally exposed to the public internet and are therefore more likely to be attacked, and they need close maintenance to stay current on security patches. If an attacker compromises the web server, the file server role on the same host gives them a direct path to the sensitive data it stores, turning a single compromised service into a data-exposure incident. Isolating servers so that each serves only one critical role is therefore an information security best practice.

Demonstration by example:

On Windows Server 2008, Server Manager supports adding multiple roles to a single system. The roles that can be added to a Windows Server 2008 system are:
- Active Directory Certificate Services
- Active Directory Domain Services
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Application Server
- DHCP Server
- DNS Server
- Fax Server
- File Services
- Hyper-V
- Network Policy and Access Services
- Print and Document Services
- Web Server (IIS)
- Windows Deployment Services
- Windows Server Update Services

Of the above, ControlsInsight classifies the following as critical roles. If we detect that an asset has more than one critical role installed, we flag the asset as Risky:
- Directory Services (Active Directory/LDAP/Kerberos)
- Mail Services (Exchange/POP3/SMTP)
- File Server
- FTP Server
- Print Server/Spooler
- HTTP Server
- Database Server (MySQL/Microsoft SQL)

In the example below:
- Asset1, 10.4.26.26, has two critical roles installed: File Services and Web Server
- Asset2, 10.4.27.214, has a single critical role installed: File Services

[Screenshot: Asset1 showing two critical roles installed]
[Screenshot: Asset2 showing only one critical role installed]

ControlsInsight reports these findings on a per-asset basis.
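The same check can be run directly on a server to find hosts that would be flagged Risky before a scan does. The following PowerShell script is an added example written for this page; it is not ControlsInsight or Rapid7 code. It assumes the ServerManager module is available (Windows Server 2008 R2 or later; on Windows Server 2008 the same role list comes from "servermanagercmd.exe -query"), that the feature names in the table are the ones Get-WindowsFeature reports, and that the Windows service names used to infer Exchange, Microsoft SQL Server and MySQL are correct for the hosts in question, since mail and database servers are applications rather than Windows roles.

```powershell
# Added example (not ControlsInsight or Rapid7 code): flag a Windows Server that
# carries more than one of the critical roles listed in the post.
# Assumption: ServerManager module present (Windows Server 2008 R2 or later).
Import-Module ServerManager

# Windows feature names (as reported by Get-WindowsFeature) mapped to the
# ControlsInsight critical-role categories.
$script:criticalFeatures = @{
    'AD-Domain-Services' = 'Directory Services'
    'ADLDS'              = 'Directory Services'
    'File-Services'      = 'File Server'
    'Web-Server'         = 'HTTP Server'
    'Web-Ftp-Server'     = 'FTP Server'
    'Print-Services'     = 'Print Server/Spooler'
}

# Mail and database servers are applications, not Windows roles, so they are
# inferred from their Windows services. These service names are assumptions
# (Exchange Information Store, SQL Server default instance, MySQL).
$script:criticalServices = @{
    'MSExchangeIS' = 'Mail Services'
    'MSSQLSERVER'  = 'Database Server'
    'MySQL'        = 'Database Server'
}

function Get-CriticalRole {
    # Returns the distinct critical roles present on the local host.
    $roles = New-Object System.Collections.Generic.List[string]

    Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object {
        if ($script:criticalFeatures.ContainsKey($_.Name)) {
            $roles.Add($script:criticalFeatures[$_.Name])
        }
    }

    foreach ($svc in $script:criticalServices.Keys) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            $roles.Add($script:criticalServices[$svc])
        }
    }

    return $roles | Sort-Object -Unique
}

function Test-SingleCriticalRole {
    # Emits one record per host in the same shape ControlsInsight shows per asset:
    # more than one critical role means the host is Risky.
    $roles = @(Get-CriticalRole)
    New-Object PSObject -Property @{
        Asset         = $env:COMPUTERNAME
        CriticalRoles = ($roles -join ', ')
        RoleCount     = $roles.Count
        Risky         = ($roles.Count -gt 1)
    } | Select-Object Asset, CriticalRoles, RoleCount, Risky
}

Test-SingleCriticalRole
```

To audit a fleet rather than one box, save the script and run it remotely with Invoke-Command -ComputerName against each server; any record with Risky set to True is a host that ControlsInsight would flag for serving more than one critical role.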

ControlsInsight: A step-by-step approach to troubleshoot missing assets

ControlsInsight retrieves data from Nexpose, so it is important to make sure that the site is properly configured. In this blog post, we go step by step through a site configuration that lets ControlsInsight report on all Windows assets, and then work through a scenario to troubleshoot why an asset did not make it into ControlsInsight.

Step 1: Things we need
- The list of assets to be scanned, either by IP range or by hostname. ControlsInsight currently supports Windows desktop operating systems (Windows XP, Vista, Windows 7 and Windows 8); note the count of these assets for bookkeeping.
- Administrator credentials
- Scan template: Full Audit Scan Without Web Spider

Step 2: Nexpose site creation
Create a new site in Nexpose with the following details:
- Name: LA Systems
- Assets: 10.4.27.138, 10.4.31.174
- Scan Template: Full audit without web spider
- Scan Engine: keep the default, Local Scan Engine (if you have a combined engine and console license)
- Credentials: add the domain, username and password
It is also important to verify the credentials by entering an IP address and confirming that authentication succeeds.

Step 3: Kick off the scan
As shown in the screenshot, start the scan and wait for it to complete.

Step 4: ControlsInsight home page
- Navigate to ControlsInsight by clicking the "R7" link in the top right corner of Nexpose.
- Log in to ControlsInsight with either Nexpose global admin or ControlsInsight-only user credentials.
- Go to the "Management" page and make sure the "LA Systems" site is selected, as shown in the screenshot. It does not matter if other sites are also selected, but for simplicity only one site is selected in this example.
- Navigate to the Threats page by clicking the "Threats" link in the top left corner.
- Clicking the "Assets" tab shows that only one asset is listed.
Now, let's figure out why we cannot see the other asset.

Step 5: Troubleshooting the missing asset in ControlsInsight
In the previous step we found only one asset, 10.4.31.174, in ControlsInsight. The asset with IP 10.4.27.138 is missing from the asset table, as shown in the screenshot below.
Nexpose is currently the only data source for ControlsInsight, so let's go back to Nexpose and look at the details of the site and its assets. In Nexpose, click on the site "LA Systems". As the screenshot shows, asset 10.4.27.138 has only 4 vulnerabilities found, whereas 10.4.31.174 has many more. That is a first indication that something went wrong in the scan of 10.4.27.138.
Digging further, click on asset 10.4.27.138 to reach its asset detail page, and enable the fingerprint listing section by clicking the link in the top right corner, as shown in the screenshot. At the bottom of the page, the fingerprint listing shows that the highest certainty reached was 0.85. ControlsInsight only pulls in assets whose fingerprint certainty is 1.0. The asset detail for 10.4.31.174 shows a fingerprint certainty of 1.0, which is why that asset did make it into ControlsInsight.
In this case the low certainty is a credential problem: the scan of 10.4.27.138 did not authenticate, so Nexpose could not fingerprint it with full confidence. To fix it, add the right credentials for the asset through the "manage site" process, and this time verify the credentials against 10.4.27.138 itself before rescanning.
ControlsInsight depends on the data collected by Nexpose to assess control coverage and provide prioritized guidance. Validating the site configuration helps ensure that all assets are accurately assessed.
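The credential verification in Step 2 is the step that, when skipped, produces exactly the 0.85 certainty seen in Step 5. The following PowerShell function is an added example written for this page, not Nexpose or ControlsInsight code: run from the scan-engine host, it checks for each target whether TCP 445 is reachable and whether the scan account can map the ADMIN$ share, which separates network problems from credential problems before the scan is started. It assumes that credentialed Windows scanning authenticates over SMB with an administrative account (the post says only that the credentials must succeed, not which protocol Nexpose uses), and that the engine host runs PowerShell 3.0 or later so that New-PSDrive honours -Credential for the FileSystem provider. The account name in the usage comment is a placeholder.

```powershell
# Added example (not Nexpose or ControlsInsight code): pre-flight the scan
# credentials against each target from the scan-engine host.
# Assumptions: SMB (TCP 445) with an administrative account is what the
# credentialed scan needs; PowerShell 3.0 or later on the engine host.
function Test-ScanCredential {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )

    foreach ($target in $ComputerName) {
        # Step 1: is TCP 445 reachable at all? A closed port is a network or
        # firewall problem, not a credential problem.
        $portOpen = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($target, 445)
            $portOpen = $client.Connected
        } catch {
        } finally {
            $client.Close()
        }

        # Step 2: can this account map the administrative share? Without admin
        # access the scan falls back to unauthenticated fingerprinting, which
        # in the post left the certainty at 0.85 instead of 1.0.
        $adminShare = $false
        $reason = if ($portOpen) { '' } else { 'TCP 445 unreachable' }
        if ($portOpen) {
            try {
                New-PSDrive -Name ScanTest -PSProvider FileSystem `
                    -Root "\\$target\ADMIN`$" -Credential $Credential -ErrorAction Stop | Out-Null
                $adminShare = $true
                Remove-PSDrive -Name ScanTest
            } catch {
                $reason = $_.Exception.Message
            }
        }

        New-Object PSObject -Property @{
            Target     = $target
            Port445    = $portOpen
            AdminShare = $adminShare
            Reason     = $reason
        } | Select-Object Target, Port445, AdminShare, Reason
    }
}

# Usage (account name is a placeholder): prompt for the scan credentials,
# then test the two assets from the LA Systems site.
# $cred = Get-Credential 'LAB\nexpose-scan'
# Test-ScanCredential -ComputerName '10.4.27.138', '10.4.31.174' -Credential $cred
```

A target that shows Port445 True but AdminShare False is the case from Step 5: the host is reachable, but the account in the site's credential settings is wrong or lacks local administrator rights, and the scan will not reach certainty 1.0 until that is fixed.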

Customer triggered assessments

In Q4 2013, ControlsInsight will let customers reassess their sites based on changes made on the site-import screen. Currently, when customers need a new assessment based on newly selected or deselected sites, they have to run a scan in Nexpose. With this new feature, clicking "Save" after changing the selection triggers a new assessment in ControlsInsight.

Use case: a customer wants to generate a new assessment based on a new site selection.
By default, ControlsInsight imports all sites, so a customer with two sites, Site1 and Site2, sees both selected, as shown in the screenshot below. To assess just Site2, the customer deselects Site1 and clicks the "Save" button, as shown in the screenshot below. Clicking "Save" triggers an assessment, and the button is greyed out until the assessment completes. Once it is complete, the customer can go to the "Threats" page to see the new assessment.
Note: if the customer navigates to the "Threats" page while the "Save" button is still greyed out, the Threats page must be refreshed to show the new assessment.

Asset search: assets cannot hide anymore!

As ControlsInsight starts reporting on hundreds and thousands of assets, locating the few assets that IT admins recently worked on becomes tedious. To make life easier, ControlsInsight provides a search box in the top right corner that lets you search for assets. The search is universal: the search string is matched against every available field, including IP address, asset name, last logged-on user and operating system.

Search by IP
Assets can be found either by entering a full IP address with all four octets to get the exact asset, or by entering a partial IP to find all assets that contain the given sequence. For example, to find an exact match, enter the IP address 10.102.1.56 and click the search button, as shown below. To find every asset matching the first three octets, enter 10.4.28.

Search by asset name
ControlsInsight can also search for assets by NetBIOS name or hostname. The example below displays all assets whose name contains "NORTON".

Search by last logged-on user
Another useful way to find an asset is by the username that last logged into it. Suppose an IT administrator with the user ID "user" (a poor choice of username) recently logged into some assets and applied a few pieces of security guidance. The easiest way to find those assets is to search for the username "user", as shown below. Because the search is universal, any asset whose name contains the string "user" will also be shown.

Search by operating system
Yet another way to find assets is by operating system name. Say the IT administrator recently upgraded some assets to Windows 8 and wants to monitor the deployment of controls on them: enter "windows 8" in the search box and click search. The screenshot below shows the result.

Things to remember
- Searches are case-insensitive
- Regular expressions in search strings are not supported
- IPv6 searches are not supported
- IP search using CIDR notation is not supported
