Rapid7 Blog


UNITED Summit: Day 2

After a jam-packed day one of Rapid7’s UNITED Summit, the UNITED running club started the day bright and early yet again. The rest of us opened UNITED day two with a fireside chat hosted by Jen Ellis, Rapid7 VP of Community and Public Affairs, and a slew of prominent security commentators: Lares founder Chris Nickerson, Mach37 Cyber’s managing director Mary Beth Borgwing, Veracode CTO Chris Wysopal, and Josh Corman of the Atlantic Council and I Am The Cavalry. We skipped last year's on-stage drinking but kept the lively debate, which started with automation and moved swiftly through machine learning, theories on the future of software and security policy, and time frames for integrating security into teams organization-wide.

There was little wholesale agreement (that’d make for a boring debate, after all!) but much overlap in the group’s opinions and predictions: Yes, automation is important, and automating what everyone can do frees us as a community to focus on what we, uniquely, can do; machine learning isn’t magic and requires focus on the right problems and the right incentives; there’s plenty of need, and hope, for input and engagement on policy, even and especially when getting it right is difficult; reducing complexity and making it possible for everyone in organizations to do the everyday work of security is key. The panel wrapped up with a lighthearted question: What’s your #1 prediction for the future of infosec? Click through for the respective answers from Chris Nickerson, Josh Corman, Chris Wysopal, and Mary Beth Borgwing.

There’s nothing like a fast-talking panel of smart people to get conference-goers geared up for a bunch of action-packed sessions, and that’s exactly what we had in store for UNITED attendees after the fireside chat concluded. Rapid7’s data science team talked about how Rapid7 builds and maintains internet-scale active and passive telemetry platforms (and what we learn from them) in the Research & Collaborate track. Folks listening to talks in the Assess & Remediate track got insight into how to talk to their boards about information security. Phish, Pwn, & Pivot attendees learned how to keep pen testers (and attackers!) out of their networks. And Rapid7’s transportation security director Craig Smith led a brilliant session on self-driving vehicles and their relationship to security.

The afternoon was no less bountiful in information and engagement opportunities: the Detect & Respond track revealed the hidden value in log management, we dug into how organizations around the world can prepare for GDPR, and Rapid7 Threat Intelligence Lead Rebekah Brown and the DoJ’s Leonard Bailey discussed information exchange with the government. Research Director Tod Beardsley closed out the Research & Collaborate track with a succinct-yet-cheerful statement: “You’ve got 0-day! Here’s how to deal with it.”

Before our phenomenal closing keynote, the Metasploit team awarded prizes for the first-ever UNITED CTF. Congrats to the persistent and talented winners!

As the end of 2017’s UNITED Summit drew near, Chief Marketing Officer Carol Meyers took the stage to deliver thanks to Rapid7’s partners, speakers, and—of course—our incredible customers and community attendees. She then introduced Dan Geer, CISO of In-Q-Tel, iconic security futurist and commentator, and undeniable facial hair inspiration (though there’s no defeating Rapid7’s Deral Heiland). Geer invoked a litany of philosophers, scientists, public servants, and writers as he drove home some beautifully and impactfully delivered points: The attack surface in the world is expanding, and it’s doing so faster than the security skill umbrella can match. What we do here, in this field and everything that touches it, isn’t so much a ‘profession’ as it is an occupation—or as some might have put it, a vocation.

Geer referenced lessons he’s learned in engineering and biostatistics, respectively: First, that getting the problem statement right is essential, and second, that correcting for data bias in an imperfect world will be, necessarily, imperfect. “My principal challenge,” he told the audience, “has been the balance between getting the problem statement right and choosing tolerable failure modes based on the data available...This hasn’t changed: You have to know what problem you’re trying to solve and which data you need to solve it.”

This theme kept resurfacing as Geer took the UNITED audience through some of security and technology’s fundamental tensions, particularly when building models and thinking about the future: causality vs. control, optimization vs. resiliency, automation vs. sentience. Our problem statement, he said, is not cybersecurity itself, but rather the side effects of the pursuit of it. If the future is data-rich and the technologies acting upon all that data are dual-use, how do we ensure the integrity of that data and of the supply chain that underpins it? What, as an industry, are our ‘tolerable failure modes’? Do we trust the data we have? Do we make and keep algorithms interrogatable? Do we keep humans in the loop as we move further and further toward automation? And is it a good thing when we do?

Big questions deserve deeply considered answers. Your engagement at UNITED and beyond is critical to helping us at Rapid7 and the industry as a whole understand and address our proverbial problem statements. Rapid7 thanks all of you at UNITED for your much-valued participation and your continued attention to the big questions and the big problems that drive us. As Dan said in closing: “There’s never enough time. I thank you for yours.”

You can find the full transcript of Geer's speech here. For a limited time, you can watch both UNITED’s fireside chat and Dan Geer’s closing keynote on-demand here. For more UNITED blog content, check out these posts.

UNITED Summit: Day 1

Day one of Rapid7’s UNITED Summit is almost over! We kicked off this morning with welcome remarks from CEO Corey Thomas (after a very, ahem, colorful performance by the Blue Man Group!), who spoke on the need to de-silo data and teams in the interest of driving innovation and solving big problems. He made a point of calling out the cybersecurity industry’s tendency to believe that security teams can be successful independently of IT—a shackle, as Corey put it, that holds us back, often unnecessarily. One of Corey’s most powerful attributes as a speaker is the way he constantly evokes forward motion; at UNITED, he asked key questions for the security industry as a whole and for Rapid7 as a company: How can we harness our collective imagination to create a sense of optimism in our field and beyond? Are the organizational models of the past really serving us today? What areas of expertise will ensure our continued relevance and success in a changing world? Looking ahead with clarity and focus is a talent our CEO has in spades. We’re thrilled to be able to share Corey’s vision so intimately with our customers and the community!

We chose a formidable speaker and technologist as UNITED’s opening keynote: Nicholas Negroponte spoke eloquently on everything from the breakdown of barriers between the natural and manmade worlds to the need for innovation and the inevitability of change. UNITED’s thematic notes resonated in the MIT Media Lab co-founder’s words—we in technology are both witness and driver to the crumbling walls of old models and distinctions, whether those borders lie between nation-states or between IT and security teams. As we look to package and deliver information in new ways (a car from a seed!), it’s urgent that we ask whether we’re developing new approaches to big problems. “When I wake up in the morning, I ask myself a question,” Negroponte told the UNITED audience. “‘Will normal market forces do what I’m doing today?’ If the answer is yes, I stop. They don’t need me.”

Rapid7 Chief Product Officer Lee Weiner and Customer Success SVP Stephanie Furfaro offered smart, actionable answers to the morning’s big questions on the future of technology with a powerhouse presentation on customer-centered innovation. UNITED attendees got a close-up look at how the vision for Rapid7’s Insight platform informs and enhances individual product improvements—from fresh container security assessment functionality in InsightVM to uniting UBA and SIEM capabilities with InsightIDR. Much like Corey Thomas recognizes the pressing need for collaboration between IT and security teams, Lee and Stephanie put strong emphasis on synergy between product and customer success teams. As Stephanie said right off the bat, “Our customers are heroes… We want to be there when you need us.”

A rousing round of applause for our three Rapid7 Customer Award winners marked the end of the morning presentations and the beginning of an afternoon that included talks on everything from automation and container security to the evolution of the CVE and cybersecurity for trade agreements. The Metasploit crew kicked off their exclusive UNITED CTF, Deral Heiland and Craig Smith led an IoT lab complete with hands-on demos, and a slew of different Rapid7 teams gave 1:1 expert consultations (at no cost!) for attendees. This afternoon we’ll host a series of industry roundtables so UNITED guests can share challenges and solutions with others in their industry.

Want to gear up for tomorrow? Plan your day with the full agenda, and if you’re extra motivated, get up early to join the UNITED running club for a 5K jogging tour of Boston! Not here in person? Follow the #R7UNITED hashtag on Twitter and take advantage of the UNITED live stream showing tomorrow’s fireside chat and Dan Geer’s closing keynote. Thanks to everyone who made the trip out to Boston to join us this week, and to those of you watching at home! You’re all our heroes.

GDPR or GDP-argh? Find out at UNITED!

Contained within this post is a secret look into the talk-planning life of Samantha Humphries, Rapid7's senior manager for international solutions, and Katie Ledoux, a senior security analyst. Let's watch what happens.

From: Caitlin Condon
Sent: 16 August 2017 15:26
To: Samantha Humphries; Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Sam! Katie! How would you two feel about writing a blog post on your UNITED session on GDPR and how it’s going to affect U.S.-based companies? It seems like some folks here think this is a Europe-only issue. Your session should debunk that myth. You game?

From: Samantha Humphries
Sent: 16 August 2017 16:26
To: Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Hey Katie, I started writing about how our session will help UNITED attendees understand what GDPR is, how they can prepare, and how our own governance team has addressed and overcome challenges...AND THEN I CHECKED OUT THE BLOODY AGENDA FOR UNITED. Have you seen the list of sessions that are running concurrently with ours?! Rajeev is talking about how bots are changing IT and security as we know it; Rebekah and the DoJ are speaking on cyber threat exchange with the government; and Leon’s session is on hacking with “flair”—I don’t even know what that means! Do you think he’ll have drones?! What if nobody comes to our session? I can’t even ask my mum to make up the numbers, because she lives here in the UK! Yours panickingly, Sam

From: Katie Ledoux
Sent: 16 August 2017 16:48
To: Samantha Humphries
Subject: Re: Blog post for your GDPR session at UNITED

Sam, calm down, I’m sure...WHOA, Leon told me he might have a light show to go with his ‘flair’ and I think he might be serious! We need costumes and vodka shots! Do you think we can have live animals on stage?

From: Samantha Humphries
Sent: 16 August 2017 17:33
To: Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Right, how about this? http://www.argos.co.uk/product/3144114 Everyone loves hearing from Compliance Stormtroopers—it is known! I’ll see if Kyle’s got budget for them. Will report back in a mo.

From: Samantha Humphries
Sent: 16 August 2017 19:33
To: Katie Ledoux
Subject: FW: Re: FW: Blog post for your GDPR session at UNITED

Sigh. The boss said no...but he didn’t say anything about the vodka shots.

From: Kyle Flaherty
Sent: 16 August 2017 18:06
To: Samantha Humphries
Subject: Re: FW: Blog post for your GDPR session at UNITED

Sam, you know we don’t shell out for stormtrooper costumes unless it’s for a keynote talk. You and Katie have an awesome session planned—you don’t need gimmicks to talk about why GDPR applies to ANY organization in the world that holds personal data about EU citizens, regardless of vertical, company size, or geographic location. Attendees will want to learn about how they can prepare and why GDPR is a good thing! Take a breath. /kff

DISCLAIMER: There is no commitment to provide vodka shots, live animals, or costumes at our GDPR or GDP-argh talk. You will get a full 568mls of GDPR goodness though, including some great insights into what GDPR is, how you need to be preparing, and how we’re thinking about GDPR internally at Rapid7. We should also mention that if you come dressed as a Stormtrooper, you get extra points. See you there! (Here's how to register if you've not done so already!)

UNITED Spotlight: Industry Roundtables

Rapid7’s annual UNITED Summit is fast approaching, on September 13th and 14th in Boston. As a past attendee (both as a customer and as a Moose), I can assure you that UNITED is a great opportunity to learn about emerging and ongoing cybersecurity and IT topics—from the Rapid7 team and from experts across many different industries. My favorite example of this is the Industry Roundtables, scheduled on Wednesday, September 13th. These roundtables will focus on the Retail, Finance, Software Technology & Communications, Government, Healthcare, Manufacturing, and Higher Education industries, so we hope there is something for everyone in attendance.

The best part about these roundtables is that they are an opportunity for you to connect with other people in your industry who likely share similar priorities and concerns. It’s a chance for you to share your experiences with your peers, get feedback from others on current or future initiatives, and make new connections within your industry. To ensure that we’ve created the right atmosphere for these roundtables, no media, industry analysts, or sales professionals are permitted to attend these sessions. Read more about the rules of engagement here.

Last year’s roundtables covered topics such as budgetary constraints and how to work around them, industry-specific regulations, the challenge of obtaining buy-in and support for security initiatives, and even interoffice politics. Some of the groups even stayed in touch after UNITED to keep the discussion going. Given that each industry has a unique set of cyber and IT challenges, these roundtables will offer you the opportunity to network with others who have similar environments.

If you haven’t already done so, register for UNITED, and be sure to join the Industry Roundtables while you’re there. Look for me in all of the Assess & Remediate track sessions. I look forward to seeing you soon in Boston!

Gone Phishing: A Case Study on Conducting Internal Phishing Campaigns

To many, emails are boring. It’s been a long time since they were ‘cool,’ and they’re probably the slowest form of communication in an evolving, fast-paced digital world. Nevertheless, there were 215 billion emails exchanged per day in 2016, and that number is growing at 3% annually. It's clear that emails aren’t going away anytime soon—and neither are their implications for security. According to the 2017 Verizon Data Breach Investigations Report (DBIR): “43% of all data breaches happened through social attacks or through social engineering. And of those social engineering attacks, phishing constitutes 93%.” Furthermore, nobody is immune to phishing—not even security companies.

At this year’s UNITED Summit, several others on Rapid7’s IT and engineering teams and I will take our audience on a journey to explore the intricacies of conducting an internal phishing campaign. We’ll present a case study directly from the people who run internal phishing simulations at Rapid7, and we’ll talk about practical challenges and solutions when building an effective campaign. Among the questions we’ll address: How can we avoid spam filters in top email service providers like G Suite and Office 365? How important is the reputation of your sending domain to ensuring deliverability? What results did Rapid7’s security engineers see when they conducted internal phishing campaigns, and how did they change over time? And perhaps most important of all—how can you use this knowledge to improve security across your own organization?

Email might be boring, but working on ways to better understand and combat phishing is endlessly interesting. Come hear about how Rapid7 solves security challenges both inside and outside its own walls—and if you haven’t yet signed up to join us at UNITED this year, register here. Want to know what other Rapid7 talks will headline at UNITED? Check out these teasers from threat intelligence lead Rebekah Brown, Metasploit's Brent Cook, and Research Director Tod Beardsley.

Survival of the fastest: evolving defenders with broad security automation

If you’ve read the news at all lately, you know that we're having some struggles with information security. Everything from elections to hospitals to Westeros is considered a target, and adversaries continue to learn and innovate—often faster than the defense can respond. It’s not that they have better tools or work harder than the defense, so what gives? If you're struggling with these issues and happen to be coming to Rapid7's annual UNITED Summit, swing by the Detection and Response track on Wednesday, September 13 and hear Justin Pagano and me talk about how we are working on solving these problems!

Turns out, the status quo is kind of the worst. Defenders are trying to work against the clock, to go back in time to deal with issues we thought were resolved decades ago...and on top of that, there aren’t nearly enough defenders out there (yet!). So what can we do against these types of odds? The key is automation—but not just any old kind of automation. Limited, siloed approaches to automation have helped put us where we are now. To move forward, we need broad security automation based on our understanding of the adversaries: how they operate, how they've targeted us in the past, and how they're likely to target us in the future. And that brings us to why I'm involved in this talk in the first place—the combination of broad security automation and threat intelligence!

We need to automate what we should, not just what we can. This won’t look the same for every organization, because organizations are protecting different types of information, defending against different types of adversaries, and working with different resources and constraints. What our talk will offer isn't a magical, one-size-fits-all solution, but instead a new approach to security automation. We will cover broad automation’s dependencies (e.g., scripting/programming skills, APIs, time, money, motivation, and prioritization), as well as what it takes to have worthwhile threat intelligence (sources, timely analysis, and expertise). We'll wrap it up with how to combine the two and develop a program that focuses on real threats, helps prioritize non-automated responses, and frees up the time needed to innovate and learn as defenders.

We hope to see you there! If you haven't registered yet, do so here.

Metasploit: The New Shiny

It's been a while since I've written a blog post about new stuff in Metasploit (and I'm not sure if the editors will let me top the innuendo of the last one). But I'm privileged to announce that I'm speaking about Metasploit twice next month: once at the FSec 17 Conference in Varaždin, Croatia, September 7-8, and a second time at UNITED 2017, Rapid7's annual security conference in Boston, September 11-14.

The talk should be a wild ride through some of the interesting new features that Metasploit has gained over the past year, as well as amazing stuff we have underway for the next major version of Metasploit. With a project so large and varied, it can be challenging to keep it fresh and relevant. Amazing new open-source security projects pop up almost as fast as CVE allocations. Metasploit is definitely seeing a generational shift, with new developers coming in and older ones moving to new projects. As a result, we have done a lot of work this year moving Metasploit Framework to the next level, while preserving the things people love about it the most. Our 2017 Roadmap was just the beginning—we have a lot of interesting work on the horizon that will change how you think about Metasploit.

I'm also helping with the Metasploitable3 CTF at the UNITED conference and helping run some Metasploit training. So if you have any questions about Metasploit, past, present, or future, this is your chance to get expert advice, either from me or from the five other Metasploit developers who will also be attending. It should be fun and educational, if not a little exhausting! Hope to see you there!

Haven't yet signed up to join us at UNITED this year? Register here, or read more about some of the talks and features of this year's summit.

You've Got 0-Day!

Hey all, it feels like it's been forever since I wrote a blog post that wasn't about some specific disaster currently consuming the Internet, so I just wanted to drop a note here about how I'll be speaking at UNITED 2017, Rapid7's annual security summit in Boston September 11-14. Specifically, I'll be closing out the Research and Collaborate track at UNITED on a topic near and dear to my heart: the vagaries of vulnerability disclosure.

Vuln disclosure is a funny business; when you're on the receiving side, it's at best some unwelcome news about some bug in your product that's putting your customers at risk. If you're on the giving side, it's pretty much an invitation for angry letters from CTOs and their attorneys. So why bother? Turns out, despite all the emotional pain associated with it, reasonable vulnerability disclosure is pretty much the most effective tool we have to make the internet-connected products and services we produce and use that much stronger in the face of an increasingly hostile public network. We need vuln disclosure conversations in order to get better at what we do, since it's literally impossible to write, assemble, package, and deliver software of any complexity completely vulnerability-free on the first try.

So, the goal of this talk is to share some stories about my experiences in vuln handling from both sides. As director of research here at Rapid7, I'm often the first point of contact for software and technology vendors when one of our researchers uncovers a vulnerability. On the flip side, I also get notifications about Rapid7 product bugs from security@rapid7.com, so I spend a fraction of my work life helping to get those bits of nastiness resolved. If you're looking for tips and advice on how to handle vulnerability disclosures—either as a discoverer, or as someone responsible for patching shipping software—then I hope my experiences will give you some insight into how this surprisingly emotion-driven business of disclosure works.

Haven't yet signed up to join us at UNITED this year? Register here.

Top Reasons for Graduate Students to Attend UNITED

The countdown is on to Rapid7's annual UNITED Summit in Boston on September 13-14. Rapid7 has partnered with top universities all over the globe to provide students with industry-leading security solutions as part of their coursework, equipping them with hands-on knowledge as they head into the workforce. This year, for the first time, Rapid7 is expanding its Higher Education Program and providing scholarships to allow select graduate students in cybersecurity Master's and PhD programs to attend UNITED. Read on for what students stand to gain from joining us at UNITED (or just skip down to the bottom and apply now!).

Top Reasons for Students to Attend UNITED

We can think of a lot more reasons to attend UNITED's inaugural year of student programming, but for the sake of time, we've narrowed this list down to the top three:

1. UNITED is a great place to network with other students, cybersecurity practitioners, and thought leaders. We'll have pen testers, incident responders, and other practitioners eager to share their knowledge (not to mention Metasploit developers!). Whether you're looking for a job or just aiming to hone your skills, networking and learning opportunities abound at UNITED. Local to Boston? We're always looking for great talent.

2. Rapid7 is fueled by research. Whether it's through our Heisenberg project, threat intelligence, Project Sonar, or one of the many other research and open source projects we support, we're constantly thinking about how we can inform and advance the community. At UNITED, you'll be able to attend workshops that explore the data and philosophies behind these projects. Brainstorm with our researchers or have a deep-dive discussion with our data scientists—there will be plenty of time to seek out people who are leading their fields in security research and beyond.

3. Want to meet and learn from the Metasploit team? UNITED is your perfect chance: In addition to talking shop with the people who make the world's de facto framework for penetration testing, Metasploit is hosting an exclusive CTF (Capture the Flag) competition at UNITED. Learn how to hack with the best, and win prizes doing it.

I want to attend! How do I get in on this?

For more information and to confirm eligibility, contact us here with your name, school, the degree program in which you're enrolled, and what you're hoping to gain from attending.

Want to learn more about our Higher Education Program?

We are committed to solving the information security talent gap and training the next generation of cybersecurity professionals. Learn more here.

Not a student but still want to attend UNITED? See the full agenda and register here!

Hack with Metasploit: Announcing the UNITED 2017 CTF

Got mad skillz? Want mad skillz? This year at Rapid7's annual UNITED Summit, we're hosting a first-of-its-kind Capture the Flag (CTF) competition. Whether you're a noob to hacking or a grizzled pro, you'll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337 abilities by competing for top prizes, or learn how to capture your first ever flag. Read on for details, and if you haven't already done so, register for UNITED!

Our UNITED competition isn't your average CTF. Why? Because this CTF is designed and hosted by the Metasploit team. That means two things: First, if you need a hand learning the ropes or help reverse-engineering an exceptionally tricky flag, you'll have access to the foremost experts in the offensive security field. Second, you'll be the first members of the public to test out the brand new Metasploitable3 Linux vulnerable machine. The Metasploit team has been waiting to debut a Linux version of Metasploitable, and we can't think of a better opportunity than UNITED to do it.

Details

The competition will kick off September 13, 2017 at 1:15 PM EDT at the inaugural workshop in UNITED's Phish, Pwn, and Pivot track: A Hands-on Introduction to Capture the Flag (CTF) Competitions Using Metasploitable (aptly named). Flag-capturing will end at 2:15 PM September 14, when we'll present awards and host discussion on advanced tactics for all the future CTFs you'll be able to dominate. New to CTF competitions? Be sure to attend the hands-on introduction. Already captured, like, a million flags in your career? You don't need to attend sessions to participate—just connect to the competition infrastructure and get to work! Metasploit experts will be available to all participants during the conference, both in and outside of the sessions.

OK, what can I win?

Prizes will be awarded to the top three competitors.

Top prize: Two complimentary passes to UNITED 2018, a HAK5 ESSENTIALS FIELD KIT, and a T-shirt.
Second place: A HAK5 WIFI PINEAPPLE (NANO Basic) and a T-shirt.
Third place: A HAK5 USB RUBBER DUCKY and a T-shirt.

What do I need to participate?

A desire to learn, perseverance, and a laptop with WiFi capabilities. You will need to generate an SSH key pair and connect to the competition infrastructure via SSH. To generate your keys, follow these tutorials:

Windows: https://www.ssh.com/ssh/putty/windows/puttygen
Ubuntu and OS X: https://www.ssh.com/ssh/keygen/

Never generated an SSH key pair before? We can help you when you arrive! If you are using Windows please download PuTTY and PuTTYgen in advance.

We look forward to seeing you at UNITED 2017 for what's basically guaranteed to be the coolest CTF in the history of flags and competitions. Haven't yet registered for UNITED? Fix that here—or contact your Rapid7 Account Executive or Customer Success Manager. You can explore more of UNITED 2017's lineup of speakers, trainings, and track sessions here.
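For Ubuntu and OS X participants, the key-pair step above can be done in one short script. The following is an added example, not part of the original post or of the CTF organisers' instructions: it creates a dedicated ed25519 key pair for the competition (so you never hand a shared box the key you use elsewhere) and writes an ssh_config stanza that offers only that key. The host name, user name and port in the stanza are placeholders; substitute whatever the Metasploit team gives you at the event.

```shell
#!/bin/sh
# Added example, not from the original post: create a throwaway ed25519 key
# pair for the UNITED CTF plus an ssh_config stanza that uses only that key.
# Host name, user name and port are placeholders; use what the organisers give you.
set -eu

# make_ctf_key DIR -> prints the public key path.
# Writes DIR/united_ctf (private), DIR/united_ctf.pub and DIR/config.
make_ctf_key() {
  mkdir -p "$1"
  keydir=$(cd "$1" && pwd)   # absolute path, so IdentityFile works from any cwd
  key="$keydir/united_ctf"
  chmod 700 "$keydir"
  # ed25519: short keys, fast, no key-size or parameter choice to get wrong.
  # -N '' means no passphrase: acceptable for a competition key you will
  # delete afterwards, not for a key that outlives the event.
  ssh-keygen -q -t ed25519 -N '' -C 'united-ctf-2017' -f "$key"
  chmod 600 "$key"
  chmod 644 "$key.pub"
  # IdentitiesOnly stops ssh from offering every key in your agent to the
  # CTF box: fewer "Too many authentication failures" errors, and your other
  # public keys are never presented to shared infrastructure.
  # ssh_config has no trailing comments, so the placeholder note is its own line.
  cat > "$keydir/config" <<EOF
Host united-ctf
# placeholders: replace with the address and user from the organisers
    HostName ctf.example.invalid
    User ctf
    Port 22
    IdentityFile $key
    IdentitiesOnly yes
EOF
  printf '%s\n' "$key.pub"
}

# ctf_key_fingerprint PUBKEY -> prints the SHA256 fingerprint. The public key
# (or its fingerprint) is what you give the organisers; the private half stays
# on your laptop.
ctf_key_fingerprint() {
  ssh-keygen -lf "$1" | awk '{print $2}'
}

# Usage:  sh make_ctf_key.sh ~/.ssh/united-ctf
#         ssh -F ~/.ssh/united-ctf/config united-ctf
if [ $# -gt 0 ]; then
  pub=$(make_ctf_key "$1")
  echo "public key:  $pub"
  echo "fingerprint: $(ctf_key_fingerprint "$pub")"
  echo "connect:     ssh -F $1/config united-ctf"
fi
```

Connecting with `ssh -F <dir>/config united-ctf` keeps the competition settings out of your main `~/.ssh/config`; when the CTF is over, delete the directory and the key is gone with it. Windows users get the same result from PuTTYgen (choose Ed25519, save both halves) and PuTTY's Auth settings, per the tutorial linked above.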

We want YOU...to speak at UNITED 2017!

Are you an IT or security professional who secretly dreams of speaking to a group of passionate people facing the same challenges and celebrating the same victories as you? Dream no more: For the next three weeks, we're accepting submissions for presentations at UNITED 2017 (September 13-14 in Boston). This is a golden opportunity to submit a talk on something you're excited about—or struggling with, or interested in exploring with other security practitioners and Rapid7 customers.

About UNITED

UNITED is Rapid7's annual summit for IT and security professionals. We pack dozens of targeted talks, hands-on trainings, and roundtable discussions into just two days to give you the insight necessary to move your security program forward. This is an unparalleled chance to learn from and brainstorm with peers and security leaders: UNITED is collaborative, intimate, and low-stress. No industry-wide cattle calls here—this is about exchanging ideas and building networks, not packing 10,000 bodies into a room full of competing branding.

What should I talk about?

We're glad you asked. UNITED presentations can be about anything related to your use of Rapid7's products, your practical IT and security knowledge, and your successes (or challenges!) in this space. Maybe you've got an important story to share about building and scaling your organization's security program, or the operational challenges of a highly regulated business environment, or an awesome customization you built in InsightVM that might help other Rapid7 customers. Don't be afraid to dig deep into details and share screenshots or step-by-step guides. We look for lessons learned, compelling use cases, and cool technical talks. The bottom line is this: If you have actionable knowledge to share, UNITED attendees want to hear about it, regardless of your organization's size or the maturity of your company's security program. Cybersecurity is an incredibly fast-paced, complex field, and UNITED is a chance to learn from each other's wins and losses.

Need more inspiration? Take a look at this year's conference tracks:

Monitor, Ask & Respond: approaches and technologies for monitoring operational performance, detecting suspicious activity, and responding to critical events.
Assess & Remediate: strategies and techniques to measure and manage your network and application security risk, from identifying vulns to prioritizing remediation and implementing changes.
Offensive Security: technical tips and tricks on taking a proactive approach to protecting your network, systems, and teams from attackers.
Research & Collaborate: insight into Rapid7's research projects, ways to apply them in your own enterprise, and discussion about the open communities that make our security intelligence world-class.

How to submit a presentation

Three easy steps: Fill out this form. Click “Submit.” Give yourself a high five.

UNITED track chairs will evaluate submissions and get back to you by early July. The deadline to submit a presentation is June 26, 2017. Don't wait!

Never spoken at a conference before? No worries. Our entire team works together to help speakers polish their presentations. You'll have access to:

Dedicated track chairs to help provide oversight and guidance on your topic
Complimentary 1:1 preparation sessions with our speaking coach, who's trained hundreds of speakers, from previous UNITED presenters to TED speakers
Help punching up visuals and tips on making your slides pop from Rapid7's rock star Creative Services team

If your presentation is selected, we'll cover your conference pass and two nights' hotel stay. We're also known to offer some pretty sweet speaker swag—but you'll have to wait to find out what it is this year! Questions? Reach out to us here. Want to see what conference attendees have spoken about in the past? You can explore last year's UNITED agenda here.

Sharing is caring

Don't miss out on a shot to share what you know with peers who can use that knowledge. Submit your presentation by June 26, 2017 and join an elite group of dedicated IT and security pros at UNITED. We can't wait to see you there!

RSA Conference 2017 Exhibits - Is Your Artificial Intelligence Only 1.0?


If you walked the RSA Conference floor(s) in San Francisco this year, you probably needed to sit down a few times in passing the 680 vendors - not because of the distance or construction as much as from the sensory overload and Rubik's cube challenge of matching vendors with the problems they address. Since Anton Chuvakin already stole my thunder by declaring there was no theme with such effective snark it made me jealous, I want to talk about the attention-grabbing claims intended to make solutions stand out in the Times Square-like atmosphere, but instead led to difficulty for any new attendees wanting to make sense of it all.

“Buy this technology! It is a silver bullet.”

I was mistakenly convinced that we, as a security industry, had finally moved away from the notion that one solution could solve every security problem. Blame it on fresh-faced marketing teams or true startup believers who've poured their heart into a solution and cannot stand the thought of missing payroll. Whatever the cause, the 42,000 attendees were assaulted with promises such as “…prevents all device compromise, stops all ongoing attacks…” and “stop all attacks – remove AV”. Layered defense doesn't sound sexy and it is often ridiculed as “expense-in-depth”, but it is still unfortunately a reality that no single security vendor can meet all of your needs across the triad of people, process, and technology.

The other half of the “so this technology is all I'll ever need?” inference is your sudden explosion of options if you want our future machine overlords to defeat the inferior human attackers. Yes, I'm talking about “artificial intelligence” - but it didn't stop there - one vendor had both AI and “swarm intelligence”. This is where marketing has started to go too far – at best, these solutions have some supervised machine learning algorithms and a data science team regularly using feedback to tune them [which is awesome, but not AI]; at worst, these solutions have unsupervised machine learning spewing out pointless anomalies in datasets unrelated to any realistic attacker behavior. While I loved the drone swarm responsible for the Super Bowl light show, humans were controlling those. If a single endpoint agent can discover a new malicious behavior and immediately communicate it back to the rest of the Borg-like swarm without any human assistance, they had better not quietly announce it for the first time at a conference hall.

“You want hunting, so we built automated, self-healing hunting agents!”

I noticed more vendors offering hunting services, even once as “hunting human attackers” [which caught my eye because of its clarity], and I'm not surprised given the significant barrier to small teams acquiring this advanced skill for detecting unknown threats. However, it's already been fused with the legitimate demand for more automation in the incident response workflow to bring us a bevy of “automated hunting” and “automating the hunt” technologies, which would be oxymorons if they weren't just pure contradictions of terms. “Automated hunting” sounds like the built-in indicators inherent to every detection solution I've seen, while “automating the hunt” can only be done by an advanced analyst who is scheduling hunts to occur and provide deltas for follow-up analysis, not by a piece of software looking for known indicators and unusual events. Sure, technology simplifies this process by revealing rare and unusual behavior, but detecting known IOCs is not hunting.

In a similar vein, I read about “self-healing endpoints” throughout downtown San Francisco and it brought up a lot more questions than answers. Are the deployed agents healing themselves when disabled? Will it heal my Windows 10 laptop after finding malware on it? Does it automatically restore any encrypted data from a ransomware attack? Can it administer virtual aspirin if it gets an artificial intelligence headache? Obviously, I could have visited a booth and asked these questions, but something tells me the answers would disappoint me.

“Re-imagined! ∞.0! Next-next-gen!”

After the Next-gen Firewall revolution, it seems like everybody is touting SIEM 2.0 and Next-gen AV, and it's understandable when the available technologies for software development and data processing make leaps forward to enable a redesign of decade-old architectures, but the pace has now quickened. I ran across “deception 2.0” just two years after I first saw TrapX at RSA Conference and only a few months after I heard “deception technology” coined as a term for the niche. At this pace, we'll be talking about Next-gen Deception and Swarm Intelligence 2.0 by Black Hat. As a general rule, if visitors to your booth have to ask “what is technology ‘x'?”, it's too soon to start defining your company's approach to it as 2.0.

As another reimagining of security, I'm enough of a geek to think virtual reality in a SOC sounds cool, but after seeing what it's like to “bring VR to IR”, I felt like it's adding to the skills an analyst needs to develop in addition to the list so long that specialization is key. Then, I remembered how often I see analysts resort to command line interfaces and the novelty wore off.

There are a lot of innovative approaches to the information security problems we face and I even saw some on display at RSA Conference. I just wish it weren't such an exhausting fight through the noise to find them.

Losing My Hair at RSA Conference – On Purpose and For a Great Cause!


I'm excited to be shaving my head at Shaves that Save at the RSA Conference US 2017—the second annual event where information security professionals go bald to raise money to fund a cure for childhood cancer and the St Baldrick's Foundation. I hope you can join us for a whole lot of fun—head shaving, a great DJ, a bar to benefit St Baldrick's, and an appearance by Stormtroopers and other Star Wars characters from the 501st Legion. And while we'll have a lot of fun, the bigger goal is to raise money for research that will help save kids' lives.

The event is on Wednesday, February 15th from 6-7:30 PM in the Viewing Room across from the South Expo hall. You don't need to register for the event, but you do need an RSA pass. (An expo pass is fine. Don't have one? You can register for an Expo Pass.)

We already have 12 shavees signed up from across the InfoSec industry! I'm honored to join Josh Corman (Atlantic Council), Diana Kelley (IBM), Pete Lindstrom (IDC), Ed Moyle (ISACA), Rich Mogull (Securosis), Chris Nickerson (LARES), Michael Nickle (CA), Nick Selby (Secure Ideas Incident Response Team) and others in InfoSec to stand in solidarity with kids who typically lose their hair while undergoing treatment for cancer, and to help fund critical research.

I've been supporting St Baldrick's for a number of years, and this is the third time I'm shaving my head. I was introduced to the foundation through a corporate partnership with NetApp, who is a large St Baldrick's supporter. Since then, I've gotten to know a number of kids and families impacted by cancer, and seen that they deserve better. I've met kids who ultimately lost their battle. I've seen kids who have taken chemo for over 1,000 days in treatment. Thankfully I've seen a bunch where the treatment has worked, but many live in fear of a recurrence or long-term side effects from chemotherapy. These kids just want to be kids, and I've learned so much from their amazing attitudes as they persevere through treatment.

Unfortunately for these kids, only 4% of US Federal funding for cancer research is solely dedicated to childhood cancer, and St. Baldrick's Foundation helps fill the funding gap as the largest non-government funder of childhood cancer research grants. St. Baldrick's research has helped more of them survive, and provides hope for a cure for others. No child should have to fight cancer or suffer the effects of treatment.

How can you help?

At the RSA Conference? Come cheer on the shavees! We have a number of people shaving their head for the first time, and your energy makes it even better!
Donate to the St Baldrick's Foundation (a U.S. non-profit 501(c)3 organization) to support critical research. You can donate from the event page.
Shave with us? We have space left for a few more people if you want to join us.
Promote #ShavesThatSave on social media to help get the word out about the event.

I'd like to thank all the volunteers making this event a success: Rapid7's Event Management Team for bringing the event to life, DJ Ka'nete for donating his services, MIS Training Institute, Entrust Datacard, the 501st Legion, Golden Gate Garrison, co-organizers Nick Selby and Davin Baker, and all the other volunteers and shavees.

Set Up for Success at BSidesLV's Proving Ground


One of the most nerve-wracking things a person can do is give a talk to a group of people. As a matter of fact, approximately 3 out of 4 people suffer from speech anxiety. This is further exacerbated in an industry and community like ours where many of us are introverts and/or suffer from "imposter syndrome". We think we aren't as smart or good at something as we actually are. We often feel like someone else has done a better job explaining a theory or area in information security than we ever could. We also often feel like we have nothing new or interesting to contribute, but that isn't true! The people who make up our community have a diverse skill set. Each of us has experiences and a pool of knowledge that are unique to us, even when they may seem similar to someone else's. We each have a unique voice, way of thinking, and ways of processing information.

This is why the Security BSides Las Vegas Proving Grounds track is so near and dear to me. For those who are unfamiliar with what we do, Proving Grounds gives a platform to folks who have never spoken at a national conference (DEF CON, RSA, DerbyCon) to give their first talk in a "safe" environment. We pair them with a mentor, someone established in the community who has experience presenting. They work together so the first-time speakers can take their submitted outline and abstract and turn it into a well thought-out talk. The mentors help with everything from how the presentation looks, to the flow of the information being shared, to presenting tips and tricks. The mentors are there the day of their partner's talk for moral support, and we also offer new presenters a chance to practice in the room they'll present in before the days of the con.

For the past four years, I have worked together with SecurityMoey as the co-director of this track. I leapt at the opportunity to work with him because I wished that there were something like this when I was preparing for my first talk. I'm an extremely nervous and anxious presenter—so much so that I usually spend the 10 minutes or so before my talk in the bathroom trying to calm down and pump myself up. I also had a problem when I first started to submit CFPs where I didn't know what information was relevant to the review board, what was too much or too little, or how to tailor a talk to an audience. I more or less winged it for a couple of years until I had watched enough talks and gotten enough peer feedback that I felt comfortable with how I wanted to present my information. It was a lot more work than it could have been, which is another benefit of the Proving Grounds track.

I can easily go on about how passionate I am about this program and how important mentoring is to our community. In fact, Moey and I presented on this at DerbyCon a few years ago. What it all boils down to is this: We have an awesome community, and we need to continue to grow by welcoming new people and ideas to our conferences.

Deadline for submission is February 15th, so submit soon! To submit your talk proposal, go here: https://bsideslv.org/openconf/openconf.php

Link to the talk Moey and I did at DerbyCon: http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me04-learning-through-mentorship-michael-ortega-magen-wu

UNITEDSummit 2016: An attendee's perspective


Editor's Note: This is a guest post from Mike Perez, Implementation Engineer for Cryptzone.

Since my initial introduction to Rapid7's UNITED Summit customer conference in 2015, I had been looking forward to the opportunity to attend again. The conference is a mixture of good fun, great food, and excellent content in my hometown of Boston at a vibrant venue (the Seaport Hotel). The event covers Rapid7's product line and how the offerings can help their customers. However, in my opinion, Rapid7 does a decent job of ensuring that the conference is not a straight product pitch but provides insight into relevant topics affecting the information security professional; topics such as crisis communications management, incident response strategies, and bug bounty participation considerations, to highlight a few from this year.

The event starts off with a chaotic free-for-all that's open to the general public: Rapid Fire, which might be described as part InfoSec buzzword bingo, part drinking game and part serious discussion. Deliberately controversial or hyper-pertinent infosec topics are chosen by a moderator and argued by the panelists pro or con, regardless of their actual viewpoints, with the loser (by audience applause) taking a drink. With Josh Corman, Dave Kennedy, Chris Wysopal and Chris Nickerson as panelists and Jen Ellis moderating, the 60 minutes went too quickly, with winning argument gems like “Bug Bounties are the equivalent of walking into a bar and offering $100 to anyone who can perform open heart surgery on me with a buck knife.”

The theme of the conference this year was Empowered, which was highlighted by the conference talks as well as by the opening and closing keynotes. General McChrystal was a great speaker with a message that he indicated was hard won after many setbacks in the field: Leadership can no longer be the old model of one individual taking information, analyzing and then providing direction. This model proved to be too slow during his campaigns and, according to the General, was taken advantage of by his adversaries. The new model needs to be more like a gardener: planting, weeding, caring, and feeding to allow subordinates sufficient autonomy to further the institutional goals. He indicated operations could not have a top-down structure anymore - but rather, a team of teams with distributed knowledge is needed.

The conference itself had three tracks - Threat Exposure Management (TEM), Incident Detection & Response (IDR) and Research. There's too much to cover in each track so I'll only be hitting some of the highlights from my perspective.

In the IDR track, I was drawn to “An Analytic Response to Advanced Threats & Malware (Threat Hunting)” by Tim Stiller. Threat Hunting is assuming that there has been or there is an ongoing intrusion or malicious activity, then looking for signs of the activity by searching for anomalies. Tim spoke about three components: User, Host, & Processes (“UHP”) and needing to know their normal states so that anomalies stand out. Example considerations for each respective domain are:

USERS - What users are on the network? What are “normal” login dates, times, locations, etc.?
HOSTS - What hosts are they accessing? How often are these hosts accessed?
PROCESSES - What processes are users running on those hosts? How often are these processes accessed?

Using the UHP model, Tim took us through an example event where a user was logging in from outside of the United States for the first time. While this event in and of itself would raise the profile of the event, the Incident Response team would look at the Hosts being accessed and what kind of Processes and the classification of data being accessed. In other words, UHP looks at the totality of the event and does not rely on one factor for the Incident Response reaction to an event.
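The UHP triage described above, as an added illustration that is not Tim Stiller's or Rapid7's code: a per-user baseline of normal countries, login hours, hosts and processes is compared against constructed login events, and the verdict depends on the combination of anomalies rather than on any single factor. The users, hosts, process names, data classifications, weights and thresholds are all constructed sample values.

```python
"""UHP-style (User, Host, Process) triage of login events.

Added example built from the talk summary above; not Rapid7's or the
speaker's code. Baseline, events, weights and thresholds are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Observed 'normal' state for one user, as a hunt team would record it."""
    countries: frozenset      # countries the user has logged in from before
    login_hours: range        # typical login window, 24-hour clock (constructed)
    hosts: frozenset          # hosts the user is known to access
    processes: frozenset      # processes the user is known to run


@dataclass(frozen=True)
class Event:
    """One login/activity record (constructed fields, not a real log format)."""
    user: str
    country: str
    hour: int
    host: str
    process: str
    data_class: str           # constructed labels: public / internal / restricted


# Constructed baseline for a single user.
BASELINES = {
    "alice": Baseline(
        countries=frozenset({"US"}),
        login_hours=range(8, 19),
        hosts=frozenset({"web-01", "wiki"}),
        processes=frozenset({"chrome.exe", "outlook.exe"}),
    ),
}


def triage(event: Event, baselines: dict) -> tuple[int, list[str]]:
    """Score one event against the user's baseline.

    Each UHP anomaly adds weight and a human-readable reason. No single
    factor escalates on its own: the verdict rests on the totality of the
    event, as the talk describes.
    """
    base = baselines.get(event.user)
    if base is None:
        # A user with no baseline is itself worth a look, but not an escalation.
        return 3, ["unknown user: no baseline recorded"]

    score, reasons = 0, []
    if event.country not in base.countries:                       # USER: location
        score += 1
        reasons.append(f"first login from {event.country}")
    if event.hour not in base.login_hours:                        # USER: time
        score += 1
        reasons.append(f"login at {event.hour:02d}:00 outside normal window")
    if event.host not in base.hosts:                              # HOST
        score += 1
        reasons.append(f"host {event.host} never accessed by {event.user}")
    if event.process not in base.processes:                       # PROCESS
        score += 1
        reasons.append(f"process {event.process} not in baseline")
    if event.data_class == "restricted":                          # data classification
        score += 2
        reasons.append("restricted data accessed")
    return score, reasons


def verdict(score: int) -> str:
    """Map a score to an analyst action (constructed thresholds)."""
    if score >= 4:
        return "escalate"   # several UHP factors line up: hand to IR
    if score >= 1:
        return "review"     # profile raised, e.g. a first foreign login alone
    return "normal"


def hunt(events: list, baselines: dict) -> list:
    """Run triage over a batch of events; returns (user, verdict, reasons)."""
    results = []
    for ev in events:
        score, reasons = triage(ev, baselines)
        results.append((ev.user, verdict(score), reasons))
    return results
```

Running `hunt` over a first-ever login from abroad that touches only baseline hosts and processes yields "review", while the same foreign login combined with an unfamiliar host, an unfamiliar process and restricted data yields "escalate".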
In the Research track, Katie Moussouris' “When Bug Bounties Attack!” was a cautionary but ultimately encouraging discussion of the considerations and preparations needed before participating in a bug bounty program. Katie discussed the three categories of preparedness for companies: Basic, Advanced and Expert. Some of the characteristics Katie indicated are exhibited by each stage of preparedness are below.

BASIC - Executive support at a minimum is needed, with a defined method to receive vulnerability reports, and an established internal bug database to track fixes to resolution. This group has the ability to receive vulnerability reports in a verifiable format (webpage or signed email). Incentives which might be appropriate at this level: swag, with a promise of no legal action for bug bounty submitters.

ADVANCED - This stage has an established policy and process for addressing vulnerabilities according to ISO 29147 and ISO 30111, with dedicated security tracking. Tailored, repeatable communications strategy for each audience, including partners, customers and media. At this level, organizations use root cause analysis to feed into their software development lifecycle. Incentives which might be appropriate at this level: the organization actually pays for serious vulnerabilities.

EXPERT - This group uses vulnerabilities and root cause analysis, ISO 27034, as well as the characteristics of the Advanced group. They have structured information sharing programs with coordinated distribution of remediation methods. For example, Microsoft has a partner network with antivirus members to notify them of patches and bug signatures. Real-time tracking telemetry of active development is evident. An understanding of their adversaries and the ability to create a disruptive market for them for bug purchases. At this level, to keep your developers, don't create perverse incentives by overpaying for bounties.

For the closing keynote, Chris Nickerson waxed philosophical about leadership, freedom of choice, and recognizing one's own influence and attitude on how one handles difficult situations. Regarding influencing one's own attitude towards an unpleasant situation, Chris gave the example of taking a walk through a torrential rainstorm with a friend who was getting increasingly agitated at getting soaked. Instead of lecturing his friend to lighten up, Chris simply asked him ‘Is it the rain that's hurting you and making you mad, or is it just you?'. On the topic of leadership, Chris emphasized that the purpose of the powerful is to give power to the powerless. This means that leaders should allow subordinates to take information, digest it and then have the freedom to choose the corresponding action, without being “bullied” into a decision by datasets or co-workers. Chris called it “decisions vs. freedom of choice”, where leaders should empower co-workers to make decisions counter to possibly bad data.

The above is just a small sliver of the presentations and topics offered at UNITED Summit. I've helped organize various conferences across the U.S. and can appreciate the hard work that goes into ensuring an event has great content, opportunities to network (“hallwaycon”) and runs smoothly. UNITED Summit does a great job in all of these aspects.

Mike Perez is an Implementation Engineer for Cryptzone, a global provider of dynamic, context-aware network, application and content security solutions, and is a board member of OWASP Boston. He has experience in organizing conferences in four different states and two countries and has taught ‘Offensive Countermeasures: The Art of Active Defense' at Black Hat Europe.

For more information on UNITED Summit, or to register for UNITED 2017, visit https://www.unitedsummit.org/.
