Rapid7 Blog

Breach Preparedness  

Australian Privacy Amendment (Notifiable Data Breaches) Bill 2016

Mandatory notification of data breaches is becoming more commonplace across the globe. Many financial institutions are now required to comply with NY DFS, any organization processing the personal data of EU citizens should be in the midst of their GDPR preparations, and now Australia has announced that it will also be joining the party. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Senate in February 2017, and comes into effect as of February 22, 2018. As with other compliance regulations, fines can be applied to those who are found to be breaking the rules. In this case, a civil penalty of up to AUD 1,800,000 can be added to the hefty financial impact of a breach.

The bill applies to all Australian Privacy Principles (APP) entities, which includes many Australian Government agencies, and private sector organizations with an annual gross revenue of over AUD 3,000,000. It’s important to note that the bill also applies to organizations who hold tax file number information, certain credit providers and credit reporting bodies, and there are some other nuances depending on the type of business or services you provide. If you are unsure as to whether you are exempt from this bill, you can find out more here.

Documented timeframes for reporting an eligible data breach are not as prescriptive as the 72-hour reporting window under GDPR, but instead require non-exempt organizations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as is practicable. There is also a requirement to investigate suspected data breaches within 30 days, during which time you need to ascertain whether the breach occurred and assess whether it falls under the realm of eligibility for notification. Thirty days may seem like a decent amount of time to conduct such an investigation, but if you’ve spent any time doing incident response you’ll know that days and weeks can fly by pretty quickly. Time is a strange beast when the proverbial fan and excrement come together.

If you’re looking for advice on next steps, the OAIC (whose website I really cannot praise highly enough) have put together a wealth of easily digestible information that will help you on your compliance journey. In particular, I’d recommend you start by reading these two guides:

- Guide to securing personal information
- Guide to developing a data breach response plan

The latter is complementary to a much more in-depth document on handling personal information security breaches, which includes a section on preventing future breaches. When reviewing your current breach response measures you should use this advice as a benchmark. All too often, organizations heed this type of advice only after they’ve been subject to a critical incident, so take the opportunity now to learn from others who have lived through the pain of a breach.

Need a helping hand? Our experts are here to help you. Rapid7’s IR services team come with a plethora of pedigrees and have many thousands of hours of incident response experience. We’ve got a range of incident response services that can fit your needs, whether those needs are assistance developing an IR program, concern about a potentially compromised environment, a second opinion on your organization's breach-readiness, or immediate help with a potential breach. And if you’re worried about not having the staff or expertise in-house to monitor your environment for threats and attackers (and let’s face it—not everyone has the luxury of having a 24x7x365 security operations centre at their disposal!), don’t panic: we’ve got your back. Rapid7’s Managed Detection and Response (MDR) can be your eyes and ears, and we include a compromise assessment and two incident escalation investigations per year as part of the package. You can learn more from one of our MDR customers, Bill Heinzen of NISC, here.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 isn’t just about sending some emails out to customers or putting a notice on your website after the horse has bolted. Prompt investigation and response are key for limiting the impact of a potential breach, and can make a world of difference to those whose data you hold.

The Legal Perspective of a Data Breach

The following is a guest post by Christopher Hart, an attorney at Foley Hoag and a member of Foley Hoag’s cybersecurity incident response team. This is not meant to constitute legal advice; instead, Chris offers helpful guidance for building an incident preparation and breach response framework in your own organization.

A data breach is a business crisis that requires both a quick and a careful response. From my perspective as a lawyer, I want to provide the best advice and assistance I possibly can to help minimize the costs (and stress) that arise from a security incident. When I get a call from someone saying that they think they’ve had a breach, the first thing I’m often asked is, “What do I do?” My response is often something like, “Investigate.” The point is that normally, before the legal questions can be answered and the legal response can be crafted, as full a scope of the incident as possible first needs to be understood.

I typically think of data breaches as having three parts: planning, managing, and responding.

Planning is about policy-making and incident preparation. Sometimes, the calls that I get when there is a data breach involve conversations I’m having for the first time—that is, the client has not yet thought ahead of time about what would happen in a breach situation, and how she might need to respond. But sometimes, they come from clients with whom I have already worked to develop an incident response plan. In order to effectively plan for a breach, think about the following questions:

- What do you need to do to minimize the possibility of a breach?
- What would you need to do if and when a breach occurs?

Developing a response plan allows you to identify members of a crisis management team—your forensic consultant, your legal counsel, your public relations expert—and create a system to take stock of your data management. I can’t emphasize enough how important this stage is. Often, clients still think of data breaches as technical, IT issues. But the trend I am seeing now, and the advice I often give, is to think of data security as a risk management issue. That means not confining the question of data security to the tech staff, but having key players throughout the organization weigh in, from the boardroom on down. Thinking about data security as a form of managing risk is a powerful way of preparing for and mitigating against the worst case scenario.

Managing involves investigating the breach, patching it and restoring system security, notifying affected individuals, notifying law enforcement authorities as necessary and appropriate, and taking whatever other steps might be necessary to protect anyone affected. A good plan will lead to better management. When people call me (or anyone at my firm’s Cybersecurity Incident Response Team, a group of lawyers at Foley Hoag who specialize in data breach response) about data breaches, they are often calling me about how to manage this step. But this is only one part of a much broader and deeper picture of data breach response.

Responding can involve investigation and litigation. If you’ve acted reasonably and used best practices to minimize the possibility of a breach; and if you’ve quickly and reasonably complied with your legal obligations; and if you’ve done all you can to protect consumers, then not only have you minimized the damage from a breach—which is good for your company and for the individuals affected by a breach—but you’ve also minimized your risks in possible litigation. In any event, this category involves responding to inquiries and investigation demands from state and federal authorities, responding to complaints from individuals and third parties, and generally engaging in litigation until the disputes have been resolved. This can be a frustratingly time-consuming and expensive process.

This should give you a good overall picture of how I, or any lawyer, thinks about data security incidents. I hope it helps give you a framework for thinking about data security in your own organizations. Need assistance? Check out Rapid7's incident response services if you need assistance developing or implementing an incident response plan at your organization.

Deception Technology: Can It Detect Intruders Earlier in their Attack Chain?

Every infosec conference is chatting about the Attack Chain, a visual mapping of the steps an intruder must take to breach a network. If you can detect traces of an attack earlier, you not only have more time to respond, but can stop the unauthorized access to monetizable data and its exfiltration. Even as attackers and pen-testers continue to evolve their techniques, the Attack Chain continues to provide a great baseline framework to map out your security detection program.

Many of today's detection solutions only alert on breach of critical assets or anomalous data exfiltration. At this point, the attacker is already at Mission Target, and the damage is likely already done. Similarly, it's dangerous to over-invest in a particular step – many organizations are focused on detecting malware, but once an attacker has internal access to the network, they have multiple ways to move from Infiltration & Persistence to Mission Target without using malware at all.

This is where Deception Technology comes in. Justin Pagano, our information security lead, remarks in our latest Security Nation podcast, “Deception tech is a subset of detection that focuses on creating an illusion for attackers…for something they want, to make it easier for you to detect when they're going after it.” And that is the most powerful aspect of deception – it can uniquely detect behavior that is otherwise very hard to spot. Let's look at four techniques attackers use every day, and how deception can detect these stealthy behaviors.

1. Attacker has internal network access -> fires off a network scan (e.g. Nmap) to find next targets.

One of the rare times an attacker is at a disadvantage is when he/she first lands on the network. This is because the attacker must learn more about the network infrastructure and where to move next. As these methods of gaining information continue to shift, they become increasingly difficult for today's monitoring solutions to detect. This ranges from running a vulnerability or network scan to traffic collection and manipulation. Even comprehensive SIEM deployments struggle to detect early reconnaissance, as it's challenging to identify by log and traffic analysis alone. A countermeasure is to deploy one or multiple Honeypots across the network: a decoy machine/server with no legitimate function for normal users that lurks and reports if it's been scanned, even if only on a single port.

2. Attacker queries Active Directory to see the full list of users on the network. Tries only 1-2 commonly used passwords (e.g. Fall2016!) across all of those accounts – this is referred to as a vertical brute force.

How would you detect this today? In log files, this would appear as one or two failed authentications per account. There have been cases where an attacker tries a few combinations each week to stay under the radar. This particular attack vector can be detected by creating a dummy user in Active Directory, say, PatchAdmin. This tantalizing user should not have any business purpose or be associated with any employee. If you alert on any authentications to this account, it's a great way to detect that someone is up to no good.

3. Attacker has compromised an employee endpoint. Proceeds to dump credentials / hashes via Mimikatz or other tools. Uses pass-the-hash to continue laterally moving to other machines.

There are a few challenges here. Hash extraction and privilege escalation can be performed using Windows PowerShell, so no outside malware is required to be successful. That means the behavior can evade anti-virus and anti-malware defenses that rely on identifying “known-bad”. Further, most SIEM solutions don't have endpoint visibility, as it's challenging to set up log forwarding and can result in a lot of added data processing costs. Our Insight Agent [PDF] automatically injects a set of fake credentials onto each endpoint. If this credential is used anywhere else on the network, you'll receive an automatic alert. Of course, the fake credential doesn't grant access to any system, so it is safe to use.

4. Attacker has access to confidential materials and wants to move them off the network. Files in the folder get zipped and then copied elsewhere, often an external drop server or stolen cloud storage account.

There's a layer of complexity here as the attacker might be impersonating a legitimate employee or is a malicious insider themselves. While data exfiltration is late in the attack chain, it's important to detect critical files being copied or modified. Wade Woolwine, director of breach detection and response, notes, “Most of the time, we see command and control actions going over HTTP/HTTPS ports.” This makes exfiltration difficult to detect via firewalls or existing monitoring solutions. One way to tackle this is to create a dummy file (e.g. Q2-Financials.xls) and place it amongst high-value files. By monitoring all actions taken on this Honey File (opening, editing, copying), you can get file-level visibility without the effort of deploying a standalone File Integrity Monitoring solution.

Most importantly, this trap needs to feed into a larger, defense-in-depth detection strategy. It's not hard to identify unauthorized access of critical assets; the challenge is figuring out the users involved, where else the attacker went, and the entire scope of the attack.

InsightIDR, our incident detection and response solution, comes standard with this growing library of deception technology: Honeypots, Honey Users, Honey Credentials, and Honey Files. This is used in combination with our User Behavior Analytics and endpoint detection to find intruders earlier in the attack chain. To see our deception technology in action, check out the Solution Short below. Want more? Check out our latest webcast, “Demanding More from Your SIEM,” for a full demo of InsightIDR and to learn the top pain points in SIEM deployments today.
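Detection logic for the two Active Directory cases above (the vertical brute force in point 2, and any authentication to a Honey User such as PatchAdmin), as an added example that is not Rapid7's or InsightIDR's code. It runs over a constructed key=value rendering of Windows logon audit events (4625 = failed logon, 4624 = successful logon); the account names, IP addresses, window and threshold values are assumptions. Note that because the attacker pulled the full user list from AD, the honey user gets sprayed too, so the same events trip both rules.

```python
"""Spot a vertical brute force (one or two passwords tried across many
accounts) and any use of a Honey User in Windows logon audit events.

Added example, not InsightIDR code. Event lines are a constructed,
simplified key=value form of the 4624/4625 audit fields.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample: 13 accounts (12 real plus the honey user PatchAdmin)
# each get exactly one failed logon from 10.0.0.7 inside 13 seconds; a
# real user (carol) mistypes her password three times; later the honey
# account is successfully used from a different host.
SAMPLE_LOG = """\
2017-05-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:02 EventID=4625 TargetUserName=bob IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:03 EventID=4625 TargetUserName=dave IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:04 EventID=4625 TargetUserName=erin IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:05 EventID=4625 TargetUserName=frank IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:06 EventID=4625 TargetUserName=grace IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:07 EventID=4625 TargetUserName=heidi IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:08 EventID=4625 TargetUserName=ivan IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:09 EventID=4625 TargetUserName=judy IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:10 EventID=4625 TargetUserName=mallory IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:11 EventID=4625 TargetUserName=oscar IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:12 EventID=4625 TargetUserName=peggy IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:00:13 EventID=4625 TargetUserName=PatchAdmin IpAddress=10.0.0.7 LogonType=3
2017-05-01T09:05:00 EventID=4625 TargetUserName=carol IpAddress=10.0.0.50 LogonType=2
2017-05-01T09:05:20 EventID=4625 TargetUserName=carol IpAddress=10.0.0.50 LogonType=2
2017-05-01T09:05:45 EventID=4624 TargetUserName=carol IpAddress=10.0.0.50 LogonType=2
2017-05-01T09:30:00 EventID=4624 TargetUserName=patchadmin IpAddress=10.0.0.9 LogonType=3
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_event(line: str) -> Dict:
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "ts": datetime.fromisoformat(ts_text),
        "event_id": int(kv["EventID"]),
        "user": kv["TargetUserName"],
        "ip": kv["IpAddress"],
    }


def parse_log(text: str) -> List[Dict]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_honey_user_use(events: Iterable[Dict],
                          honey_users: Iterable[str] = ("PatchAdmin",)) -> List[Dict]:
    """Any logon attempt, failed or successful, against a honey account is an
    alert: the account has no business purpose, so nobody legitimate uses it.
    AD user names are case-insensitive, so compare lower-cased."""
    honey = {name.lower() for name in honey_users}
    return [e for e in events if e["user"].lower() in honey]


def detect_vertical_brute_force(events: Iterable[Dict],
                                window: timedelta = timedelta(minutes=10),
                                min_accounts: int = 10) -> Dict[str, Dict]:
    """Per source IP, slide a time window over failed logons and alert when the
    number of *distinct* target accounts reaches min_accounts. A per-account
    failure threshold never fires here, because each account sees only one or
    two attempts; counting distinct accounts per source is what exposes it."""
    failed_by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            failed_by_ip[e["ip"]].append(e)

    alerts: Dict[str, Dict] = {}
    for ip, evs in failed_by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        in_window: Counter = Counter()   # account -> failures inside window
        left = 0
        for e in evs:
            in_window[e["user"]] += 1
            # Drop events that fell out of the trailing window.
            while e["ts"] - evs[left]["ts"] > window:
                old = evs[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_accounts and \
                    len(in_window) > alerts.get(ip, {}).get("accounts", 0):
                alerts[ip] = {
                    "accounts": len(in_window),
                    "max_per_account": max(in_window.values()),
                    "first_seen": evs[left]["ts"],
                    "last_seen": e["ts"],
                }
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, a in detect_vertical_brute_force(evs).items():
        print(f"vertical brute force from {ip}: {a['accounts']} accounts, "
              f"at most {a['max_per_account']} attempt(s) each")
    for e in detect_honey_user_use(evs):
        print(f"honey user {e['user']} touched from {e['ip']} (event {e['event_id']})")
```

Carol's three failures from 10.0.0.50 never alert (one account, so the distinct-account count stays at 1), while 10.0.0.7 alerts with 13 accounts at a single attempt each, and both the spray's 4625 and the later 4624 against the honey account are reported.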

Underestimating Attackers Gives Them an Advantage

All too often, the media reaction to data breaches is to tout the incredible sophistication of responsible parties, as if it is a shock that technological developments have made these events increasingly easier. There are some very key areas in which we need to stop underestimating the average attacker's abilities if we are going to slow down the growth of massive breaches and detect intruders more effectively.

The term 'APT' distracts organizations from rational concerns

When people first started describing "Advanced Persistent Threats" nearly ten years ago, it was to describe a previously unseen level of sophistication in cyber attackers. This classification was used almost exclusively to describe nation state-sponsored groups with unlimited resources and an endgame that supported their country's national interests, be they intellectual property theft or long-term monitoring of communications. The point of using this description was to explain that your traditional defenses were insufficient because this grade of attacker is highly skilled and will continue to target your organization for as long as it takes to succeed.

The excellent analysis of the APT1 group from Mandiant (now FireEye) revealed a shining example of an APT in early 2013. This group likely has only a handful of equals for both capabilities and total resources among those willing to ignore moral code and laws, like the behind-the-keyboard equivalents of Thomas Crown [but likely not as charming].

The problem is that this term is now dropped into conversations to describe any threat that was not detected. Zero-day exploits can be purchased rather easily and anyone on the internet can obtain some hacker tools or converted IT-management applications, but whenever a previously unseen version of malware is used or an attacker steals credentials and moves through a network undetected, the breach is labeled as the work of an APT group. Many people take this as an opportunity to say "there's nothing they could have done", which is the frightening part.

No matter the result or intent, we need to recognize that there are thousands of malicious parties with internet access and the ability to compromise a poorly protected organization. These are not techniques available only to groups like APT1 or Thomas Crown; most pen-testers learn these tools when they are still practicing on their home networks.

Attackers use the latest technology and understand yours

One advantage attackers have is not needing to justify the use of new technologies. They quickly adopted cloud services and used them for everything from phishing attacks and hosting malware to exfiltrating large files to a Mega account. Although cyber criminals are performing cost-benefit analyses with their tools, they can adjust very rapidly when they find cheaper or more effective options. They aren't all the highly skilled super-thief who orchestrates and performs the entire job because they don't have to be. These attackers more closely resemble Danny Ocean, who has always "got a guy" for each task. Increasingly affordable computing power and worldwide connectivity have provided them access to pre-built toolkits complete with user guides and video walkthroughs. The ability to hire specialists allows them to adjust their plan based on the defenses of their chosen target organization.

Another way malicious parties continue to succeed is by studying the security solutions on the market and identifying gaps they can use to their advantage. I am not even speaking to the level of sophistication necessary to develop an EMET bypass, but rather the many stealthy activities like limited network scans and reusing local credentials once they have gotten through the perimeter, because of the low risk this will be spotted in the noisy network traffic. Similarly, they spend the majority of their time on endpoints because so many companies have a blind spot for detecting anything other than malware on their most frequently used systems, such as stealing credentials, manually running DLLs, or dumping information from memory. When these groups have "got a guy", you can be sure that the specialist knows that a high percentage of companies are only monitoring the perimeter.

We can no longer underestimate their creativity

One thing we have seen from the ongoing battle between malware developers and anti-malware solutions is that the developers are very good at finding low-effort ways to get around our defenses. Your anti-virus spots known malicious processes? The process they launch at startup creates a randomly named process each time. Your detection is successfully spotting bad signatures? They will tweak and re-compile the code before using it the next time. You are putting too much trust in your sandbox detection? They create sandbox evasion techniques to remain docile while in the sandbox. These are very simplistic examples, but they show the ingenuity and adaptive nature of attackers.

If you look beyond malware, as most organizations fail to do, you find more evidence of this creativity in some of the largest breaches. Both Target and Home Depot were initially compromised when attackers stole credentials from trusted third parties like HVAC maintenance firms. This has led companies to look a lot closer at the risk posed by the external organizations accessing their network, as it should, but if we focus too much attention on this potential weakness, we will once again be surprised when the attackers pivot their approach and get a different "guy" with a new edge case.

At Rapid7, we focus on never underestimating the attackers, and all of the user behavior analytics detection the InsightIDR team builds is aimed at learning from the legitimate behavior of your user population to distinguish concerning changes and common attacker behaviors. No one indicator is going to detect the attackers in every attempted compromise, so we continually develop new detection across the many different layers from your perimeter through your endpoints, servers, and cloud services. To learn more about InsightIDR and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit. You'll see how our approach is to never underestimate the attacker.

You Need To Understand Lateral Movement To Detect More Attacks

Thanks to well-structured industry reports like the annual Verizon DBIR, Kaspersky's "Carbanak APT" report, and the annual "M-Trends" from FireEye, the realities of modern attacks are reaching a much broader audience. While a great many successful breaches were not the work of particularly sophisticated attackers, these reports make it very clear that the techniques once only known to espionage groups are now mainstream.

Lateral movement technologies have crossed the chasm

I have written before about the need for businesses to adopt disruptive technologies and have a plan to monitor them, but this is about the other side of the "war". The hacker community is the early adopter group who uses disruptive technologies in research, penetration tests, red teaming, and unfortunately, due to a few "bad apples", to steal data. Every time a new technology is made available, and especially if it is widely distributed, our friends in this world start thinking about either exploiting it, using it for unintended purposes, or both. A lot of people fear this group and their unique perspective on technology, but we are hopeless to ever keep pace with attackers without these tinkerers and their good intentions.

We have been hearing for a few years that the initial network compromise is the hardest part because moving from system to system undetected is, by comparison, rather simple. Many ignored this claim as something only possible for the highest tier of hackers with nation-state funding and espionage in their veins, but we just cannot ignore it anymore. The reports are surfacing with one consistent theme: lateral movement tools are being used by too many of the criminals now to accept our inability to detect them.

Since the technology boom of the nineties, required reading in a lot of business schools is Geoffrey Moore's "Crossing the Chasm." Its purpose is to help marketers focus on the group of people most likely to become customers at each phase of the technology adoption lifecycle, but it has significance outside of just marketing groups. The "chasm" of significance is the stage at which so many Betamaxes and HD DVDs fail, i.e. progressing from technology lovers buying them to mainstream adoption. The vast majority of technologies fail to get the momentum necessary to cross this chasm. While the technology here is not a traditionally marketed product, "hacker tools", such as mimikatz, PowerShell, and Windows Credential Editor, have crossed it, and the momentum came from the consistency of those tools' undetected use in profitable breaches.

Under 200 days before detection is not really an improvement

Nowhere in the M-Trends reports has there been any celebration of the decreased number of days before breach detection from a median of 229 in 2013 to 205 in 2014 and 146 in 2015, but unfortunately some media coverage found solace in improving upon an unsettling anchor. Even if there were any indication we could keep this pace (which there isn't), we wouldn't get the median down to a few days until after 2020. This is why we need to pay more attention to the forensics teams and hacker community to understand the factors causing such a delay in detection. Obviously, some of the organizations getting breached will not have taken security seriously, but anyone looking to see that number drop precipitously needs to focus on incident detection and response.

I explained reasons detection is so important previously, but it is more than just that. We need to stop telling ourselves that breached organizations had no chance because it was the work of undetectable, super-advanced malware or some elite group of super-spies. Malware developers will continue to get more creative and disruptive technologies will continue to go mainstream, so we need to continually challenge ourselves to develop new means of detection.

Attackers are impersonating the people of authority

The first major challenge in detecting the modern attacks is that humans are more interactively involved. Spear phishing may initially compromise a low-privilege user on the network, but that is just a stepping stone. Privileged accounts are a target, but not only because of the systems to which they provide access: these accounts belong to your administrators, and administrators behave in very interesting ways. When we get locked out of our machines, a desktop administrator can reset our passwords, remotely access the machine, or perform some other administrative change. When we are working remotely and some VPN issue prevents us from accessing an internal document, these administrators could theoretically add our home IP to a whitelist or provide another remote means of access. There are countless activities and tools our administrators need to do their jobs that are doubly valuable to intruders:

- They provide access to all network systems with permitted remote access tools
- It is rare for others in the organization to question their behavior at the moment it occurs

This is what made the T-1000 so terrifying in "Terminator 2". It could replicate anyone we would trust, but it primarily impersonated prison guards and a police officer. Why did it do this? This behavior provided unquestioned access to the necessary tools and, when viewed in isolation, a great deal of its behavior (like carrying a weapon, chasing others, or commandeering cars) could be explained away by eyewitnesses. Sure, as we watch the movie and see the string of events it caused, it seems ridiculous to use this analogy, but amid the noise of a crime-ridden city of millions of people, the pattern would take a lot longer to understand than the killing spree of a Mr. Universe wearing a leather jacket and carrying a shotgun in the original "Terminator".

Traditional classification of activity as black/white is ineffective here

This impersonation and targeting of administrators and their tools is a major reason traditional monitoring solutions are so challenged today. If you blacklist and alert on every single administrative action that could be malicious, your team is going to be overwhelmed by alerts and become so numb to the onslaught that illegitimate behavior will be ignored because of previous time-wasting investigations. If you whitelist every administrator and every tool they use, attackers need only harvest a single administrator credential and use a whitelisted administrator tool, and they can easily remain on your network, exploring the systems and stealing valuable data for 146 days or, in the worst case FireEye shared, over eight years.

You need to blend the monitoring of all your users' and administrators' behavior with a recognition of how they leverage dual-purpose lateral movement tools to identify deviations from the norm. Combined with alerts for clearly malicious behavior, a series of traps for intruders to trip, and integrations with advanced malware detection, user behavior analytics can help your organization drastically improve your detection times now rather than in 2020.

To learn more about InsightIDR and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit.

Attackers Have Luck On Their Side - Prevention Is Not Enough

Some security professionals mistake the "assume breach" mentality for a statement that people are giving up on trying to prevent cyber attacks. To the contrary, many of us believe that you need to do everything in your power to incapacitate intruders, yet it is impossible to stop 100% of malicious actors from finding entry. There is solid logic behind this, and I want to use some (pre-Disney) Star Wars examples to illustrate. I apologize to any true fans out there - I have only watched the trilogy a couple of dozen times.

Data breaches were not as predictable as they appear in the news

The colloquial phrase states that "hindsight is 20/20", but there is a great deal of experimental evidence to explain our natural inclination to think an event was more predictable than it actually was. Post-mortem analyses of nuclear meltdowns and terrorist attacks frequently make the result look predictably obvious, because they judge it in a scenario in which only the relevant events are under examination and they neglect the massive impact of (both good and bad) luck. Data breaches are no different: we have reached a time when consumers view retailers as having been myopic for not watching their partner portal accounts more closely, or for not recognizing the important one percent of their alerts that corresponded to a sizable theft of data.

This is actually the same point that Family Guy made about the design flaw found within the first Death Star's schematics. Once it was successfully destroyed, it appeared to have been obvious that a single, tiny opening would be the fortress's undoing, but we are talking about a two-meter-wide weakness in a defended battle station the size of a moon. That equates to an extremely unpredictable occurrence, and its designer agrees. The most frightening aspect of this plot device is that it is even more optimistic than modern environments. Despite being very focused on accomplishing our company goals (acquiring revenue efficiently, responding to rapid changes in the market), the security professionals in our organizations need to eliminate every single weakness without disrupting business.

All they need to find is one way into your environment

If eliminating every single known vulnerability doesn't sound impossible enough for your organization, we can all be comforted by the fact that zero-day vulns are available on the miscreant equivalent of eBay. To make our efforts to protect our data from theft even more difficult, cyber attackers have shifted to using the impersonation of legitimate users as their favorite vector of attack. The JP Morgan Chase breach in 2014 was publicly disclosed to have occurred because a single public-facing server (out of thousands) did not require two-factor authentication to gain access. This is the disturbing part of hindsight bias: security-minded organizations with excellent plans and a history of solid execution are scrutinized for missing an edge case covering less than 0.01% of all entry points. Stories that never find their way into the press include the thousands of squashed cyber attacks targeted at businesses every day. The ability of these cyber guerrillas to remain undetected while trying every affordable exploit, quick phishing email, and external scan they can imagine significantly increases their likelihood of success. The Rebel Alliance did not have the luxury of testing the first (or second) Death Star's defenses before mounting the successful attack; the realities of modern environments, and their evolution from the traditional network infrastructure to include mobile and cloud, make it even less imaginable to reduce our attack surface to zero.

We need to protect every entry point while maintaining a business

Even the most security-conscious business needs to continually make IT trade-offs to keep succeeding in the market in which it competes. You may adopt the cloud to be more efficient; you probably allow employees to work through the evening by sending email from their phones; you likely need to share large files and sensitive information with your trusted business partners. Having a security policy, security reviews, and clear implementation plans that involve the security team is extremely important for securing your organization and can get you over 99% secured, but we all know it won't ever reach 100% secure. This risk asymptote is the bane of our existence and is not going away. If we are going to provide access to our workforce, partners, and customers, there will always be a way for others to fraudulently gain the same level of access.

If securing our ever-changing environments weren't a large enough challenge, we are blessed with the frequent flow of new vulnerabilities within the technology already in place. These discoveries are frequently made by researchers, attackers, and, once in a while, children. We don't have the benefit of a single architect having built our entire networked environment from the first plan and line of code, like the Empire did. We need to purchase hardware and software from others and integrate it all in a secure fashion, so attackers do not need to steal a single, highly confidential set of data tapes and examine them for a "design flaw". They can look to hundreds of ubiquitous technologies to find a design flaw to attack, be it a software vulnerability, a server using only one factor for authentication, or a hijackable root certificate installed to force ads into your browser. To tie this back to the Star Wars analogy, posing as storm troopers to infiltrate the Death Star or taking down the defenses at their source on a nearby moon are a lot more like a modern intruder getting onto your network. The criminals are crafty and learning through trial and error.

Assume some attackers will get in or they'll have free rein when they do

All of this is leading to the greater point: some intruders will get in. The only unknown is exactly how they will get into your network. It does not mean all is lost. Quite the contrary: once you accept this, you can ensure that your organization has a plan to detect the intruders who have successfully found an entry point. InsightIDR is designed to help you with the attackers who get inside. Just as Luke and Han were unable to remain undetected for long when they infiltrated the Death Star, you can set traps, monitor typical user behavior, and watch areas of restricted access more closely to find intruders and shut down their access before they steal anything of value. To learn more about InsightIDR and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit. We will show you how we can detect the crafty intruders who get inside.
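As an added illustration of the three detection ideas just mentioned (setting traps, baselining typical user behavior, and watching restricted areas more closely), here is a small Python sketch that runs those checks over a handful of constructed log lines. This is example code written for this post, not InsightIDR or any other Rapid7 code; the log format, the account and host names, the share names and the working-hours baseline are all hypothetical values made up for the example.

```python
"""Three intruder-detection checks over constructed log lines.

Example code, not InsightIDR or Rapid7 code. Log format, account names,
share names, hosts and the working-hours baseline are hypothetical.
"""
from datetime import datetime

# Constructed sample log. Each line: "<ISO timestamp> <user> <event> <target>".
SAMPLE_LOG = r"""
2017-03-01T09:02:11 alice login workstation-12
2017-03-01T09:15:40 alice file_read \\fs01\finance\q1.xlsx
2017-03-01T10:03:05 bob login workstation-07
2017-03-01T23:47:19 alice login workstation-44
2017-03-02T02:10:33 svc-backup-decoy login workstation-44
2017-03-02T02:12:01 bob file_read \\fs01\hr\payroll.csv
"""

# Trap: a decoy account that no legitimate person or process ever uses,
# so any activity under it is a high-confidence signal.
DECOY_ACCOUNTS = {"svc-backup-decoy"}

# Baseline of typical behavior: hour range (start inclusive, end exclusive)
# in which each user normally logs in. In practice this is learned from
# history; here it is a hypothetical constant.
USER_LOGIN_HOURS = {"alice": (8, 18), "bob": (8, 18)}

# Restricted areas: share prefix -> set of users entitled to read it.
RESTRICTED_SHARES = {
    r"\\fs01\hr": {"hr-admin"},
    r"\\fs01\finance": {"alice"},
}


def parse_line(line):
    """Split one log line into its four fields; the target may contain spaces."""
    ts, user, event, target = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "target": target}


def detect(log_text):
    """Return (rule, user, target) tuples in log order for each check that fires."""
    alerts = []
    for line in log_text.strip().splitlines():
        e = parse_line(line)

        # 1. Trap: the decoy account was touched at all.
        if e["user"] in DECOY_ACCOUNTS:
            alerts.append(("decoy_account_used", e["user"], e["target"]))

        # 2. Behavior baseline: a login outside the user's usual hours.
        if e["event"] == "login":
            hours = USER_LOGIN_HOURS.get(e["user"])
            if hours and not (hours[0] <= e["ts"].hour < hours[1]):
                alerts.append(("off_hours_login", e["user"], e["target"]))

        # 3. Restricted area: a read from a share by someone not entitled to it.
        if e["event"] == "file_read":
            for share, allowed in RESTRICTED_SHARES.items():
                if e["target"].startswith(share) and e["user"] not in allowed:
                    alerts.append(("restricted_share_access",
                                   e["user"], e["target"]))
    return alerts


if __name__ == "__main__":
    for rule, user, target in detect(SAMPLE_LOG):
        print(f"{rule}: user={user} target={target}")
```

Run as-is, the sketch raises three alerts from the six constructed lines: alice's late-night login to an unusual host, any use of the decoy account, and bob reading from the HR share he is not entitled to. The decoy check is the cheapest of the three to operate because it has no baseline to maintain and, by construction, no legitimate positives; the other two need real history to set their thresholds and entitlements.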