Rapid7 Blog

Phishing  

Gone Phishing: A Case Study on Conducting Internal Phishing Campaigns

To many, emails are boring. It’s been a long time since they were ‘cool,’ and they’re probably the slowest form of communication in an evolving fast-paced digital world. Nevertheless, there were 215 billion emails exchanged per day in 2016, and that number is growing at 3% annually. It's clear that emails aren’t going away anytime soon—and neither are their implications for security.

According to the 2017 Verizon data breach investigations report (DBIR): “43% of all data breaches happened through social attacks or through social engineering. And of those social engineering attacks, phishing constitutes 93%.” Furthermore, nobody is immune to phishing—not even security companies.

At this year’s UNITED Summit, I and several others on Rapid7’s IT and engineering teams will take our audience on a journey to explore the intricacies of conducting an internal phishing campaign. We’ll present a case study directly from the people who run internal phishing simulations at Rapid7, and we’ll talk about practical challenges and solutions when building an effective campaign. Among the questions we’ll address:

How can we avoid spam filters in top email service providers like GSuite and Office365?
How important is the reputation of your email to ensuring deliverability?
What results did Rapid7’s security engineers see when they conducted internal phishing campaigns, and how did they change over time?
And perhaps most important of all—how can you use this knowledge to improve security across your own organization?

Email might be boring, but working on ways to better understand and combat phishing is endlessly interesting. Come hear about how Rapid7 solves security challenges both inside and outside its own walls—and if you haven’t yet signed up to join us at UNITED this year, register here.

Want to know what other Rapid7 talks will headline at UNITED? Check out these teasers from threat intelligence lead Rebekah Brown, Metasploit's Brent Cook, and Research Director Tod Beardsley.

The Twelve Pains of Infosec

One of my favorite Christmas carols is the 12 Days of Christmas. Back in the 90's, a satire of the song came out in the form of the 12 Pains of Christmas, which had me rolling on the floor in laughter, and still does. Now that I am in information security, I decided it is time for a new satire. Maybe this will start a new tradition, and so I am presenting the 12 Pains of Infosec.

The first thing in infosec that's such a pain to me is your password policy

The second thing in infosec that's such a pain to me is default credentials, and your password policy

The third thing in infosec that's such a pain to me is falling for phishing, default credentials, and your password policy

The fourth thing in infosec that's such a pain to me is patch management, falling for phishing, default credentials, and your password policy

The fifth thing in infosec that's such a pain to me is Windows XP, patch management, falling for phishing, default credentials, and your password policy

The sixth thing in infosec that's such a pain to me is lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The seventh thing in infosec that's such a pain to me is no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The eighth thing in infosec that's such a pain to me is users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The ninth thing in infosec that's such a pain to me is lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The tenth thing in infosec that's such a pain to me is testing for compliance, lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The eleventh thing in infosec that's such a pain to me is no asset management, testing for compliance, lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The twelfth thing in infosec that's such a pain to me is trust in antivirus, no asset management, testing for compliance, lack of management support, users as local admins, no monitoring, lack of input filtering, Windows XP, patch management, falling for phishing, default credentials, and your password policy

The first thing in infosec that's such a pain to me is your password policy

When I go into organizations for penetration tests, one of the easiest ways to get in is through password guessing. Most organizations use a password policy of 8 characters, complexity turned on, and change every 90 days. So, what do the users do? They come up with a simple to remember password that will never repeat. Yes, I am talking about the infamous Winter16 or variations of season and year. If they aren't using that password, then chances are it is something just as simple. Instead, set a longer password requirement (12 characters or more) and blacklist common words, such as password, seasons, months, and company name.

The second thing in infosec that's such a pain to me is default credentials

The next most common finding I see is the failure to change default credentials. It is such a simple mistake, but one that can cost your organization a ton! This doesn't just go for web apps like JBoss and Tomcat, but also for embedded devices. Printers and other embedded devices are a great target since the default credentials aren't usually changed. They often hold credentials to other systems to help gain access or simply can be used as a pivot point to attack other systems.

The third thing in infosec that's such a pain to me is falling for phishing

Malicious actors go for the weakest link. Often this is the users. Sending a carefully crafted phishing email is almost 100% successful. In fact, even many security professionals fall victim to phishing emails. So, what can we do about it? Well, we must train our employees regularly to spot phishing attempts as well as encourage and reward them for alerting security to phishing attempts. Once reported, add the malicious URL to your blacklist, and redirect to a phishing education page. And for goodness sake, Security Department, please disable the links and remove any tags in the email before forwarding it off as "education".

The fourth thing in infosec that's such a pain to me is patch management

There are so many systems out there. It can be hard to patch them all, but having a good patch management process is essential. Ensuring our systems are up to date with the latest patches will help protect those systems from known attacks. It is not just operating system patches that need to be applied, but also patches for any software you have installed.

The fifth thing in infosec that's such a pain to me is Windows XP

Oh Windows XP, how I love and hate thee. Even though Windows XP support went the way of the dodo back in 2014, over 2.5 years later I still see it being used in corporate environments. While I called out Windows XP, it is not uncommon to see Windows 2000, Windows Server 2003, and other unsupported operating system software. While some of the issues with these operating systems have been mitigated, such as MS08-067, many places have not applied the patches or taken the mitigation tactics. That is not to mention the unknown security vulnerabilities that exist and will never be patched. Your best bet is to upgrade to a supported operating system. If you cannot for some reason (required software will not run on newer operating systems), segregate the network to prevent access to the unsupported systems.

The sixth thing in infosec that's such a pain to me is lack of input filtering

We all know and love the OWASP Top 10. Three of the Top 10 are included in this pain. Cross-Site Scripting (XSS), SQL Injection (SQLi), HTML Injection, Command Injection, and HTML Redirects are all vulnerabilities that can be solved fully, or at least partially in the case of XSS, with input filtering. Web applications that perform input filtering will remove bad characters, allow only good characters, and perform the input filtering not on the client side, but on the server side. Then, using output encoding/filtering, XSS is remediated as well.

The seventh thing in infosec that's such a pain to me is no monitoring

In 1974, Muhammad Ali said “His hands can't hit what his eyes can't see,” referring to his upcoming fight with George Foreman. This quote holds true in infosec as well. You cannot defend what you cannot see. If you are not performing monitoring in your network, and centralized monitoring so you can correlate the logs, you will miss attacks. As Dr. Eric Cole says, “Prevention is ideal, but detection is critical.” It is also critical to REVIEW the logs, meaning you will need good people that know what they are looking for, not just good monitoring software.

The eighth thing in infosec that's such a pain to me is users as local admins

For years we have been suggesting segregating user privileges, yet on almost every penetration test I perform I find this to be an issue. Limiting accounts to only what is needed to do the job is very hard, but essential to securing your environment. This means not giving local administrator privileges to all users, but also using separate accounts for managing the domain, limiting the number of privileged accounts, and monitoring the use of these accounts and group memberships.

The ninth thing in infosec that's such a pain to me is lack of management support

How often do I run into people who want to make a change or changes in their network, yet do not get the support needed from upper management? A LOT! Sometimes an eye-opening penetration test works wonders.

The tenth thing in infosec that's such a pain to me is testing for compliance

I get it, certain industries require specific guidelines to show adequate security is in place, but when you test only for compliance's sake, you are doing a disservice to your organization. When you attempt to limit the scope of the testing or firewall off the systems during the test, you are pulling a blinder over your eyes, and cannot hope to secure your data. Instead, use the need for testing to meet compliance as a way to get more management support and enact real change in the organization.

The eleventh thing in infosec that's such a pain to me is no asset management

You can't protect what you don't know about. In this regard, employ an asset management system. Know what devices you have and where they are located. Know what software you have, and what patch levels they are at. I can't tell you how many times I have exploited a system and my customer says “What is that? I don't think that is ours”, only to find out that it was their system; they just didn't have good asset management in place.

The twelfth thing in infosec that's such a pain to me is trust in antivirus

A few years ago, I read that antivirus software was only about 30% effective, leading to headlines about the death of antivirus, yet it still is around. Does that mean it is effective in stopping infections on your computer? No. I am often asked “What is the best antivirus I should get for my computer?” My answer is usually to grab a free antivirus like Microsoft Security Essentials, but be careful where you surf on the internet and what you click on. Antivirus will catch the known threats, so I believe it still has some merit, especially on home computers for relatives who do not know better, but the best protection is being careful. Turn on “click to play” for Flash and Java (if you can't remove Java). Be careful what you click on. Turn on an ad blocker. There is no single “silver bullet” in security that is going to save you. It is a layering of technologies and awareness that will.

I hope you enjoyed the song, and who knows, maybe someone will record a video singing it! (not me!) Whatever holiday you celebrate this season, have a great one. Here's to a more secure 2017 so I don't have to write a new song next year. Maybe “I'm dreaming of a secure IoT” would be appropriate.
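The first pain above recommends a longer minimum length plus a blacklist of predictable words (seasons, months, the company name, "password"). The following is an added example of such a check, not code from the post: the blacklist contents and the company name "acme" are constructed, and the leet-substitution table is an assumption about what users typically do to satisfy complexity rules.

```python
"""Password policy check that rejects the predictable patterns the post
describes: short passwords, season/month + year (Winter16), and passwords
built on blacklisted words such as "password" or the company name.
Added example, not code from the original post. The blacklist contents and
the company name "acme" are constructed for illustration."""
import re

MIN_LENGTH = 12

SEASONS = {"winter", "spring", "summer", "fall", "autumn"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}
COMPANY_NAMES = {"acme", "acmecorp"}          # hypothetical company name
BLACKLIST = SEASONS | MONTHS | COMMON_WORDS | COMPANY_NAMES

# Common letter-to-symbol substitutions, undone before the blacklist check
# so that P@ssw0rd is treated the same as password (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# A word immediately followed by a two- or four-digit year, e.g. Winter16 or Summer2016!
WORD_YEAR = re.compile(r"[a-z]+(19|20)?\d{2}[^a-z0-9]*")


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions for substring matching."""
    return password.lower().translate(LEET)


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    normalized = normalize(password)
    # Substring matching is deliberately aggressive: "Winter16!!" still contains "winter".
    hits = sorted(word for word in BLACKLIST if word in normalized)
    if hits:
        problems.append("contains blacklisted word(s): " + ", ".join(hits))
    if WORD_YEAR.fullmatch(password.lower()):
        problems.append("word followed by a year")
    return problems


if __name__ == "__main__":
    for candidate in ("Winter16", "P@ssw0rd2016", "correct-horse-battery-staple-42"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The year pattern is matched on the raw lower-cased password rather than the leet-normalized one, because the normalization would turn the "1" in "Winter16" into a letter and hide the year.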
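The sixth pain describes input filtering done server-side with an allow-list, followed by output encoding. The following is an added example of that pair, not code from the post; the username rule and the page template are constructed for illustration.

```python
"""Server-side input filtering (allow-list) plus output encoding, as the
sixth pain recommends: reject input that is not positively expected, and
encode whatever is echoed back so it cannot become HTML or script.
Added example, not code from the original post; the username rule and the
page fragment are constructed."""
import html
import re

# Allow-list: only characters we positively expect in a username.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value: str) -> bool:
    """Accept only usernames made entirely of allow-listed characters (server side)."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(display_name: str) -> str:
    """Output-encode untrusted text before placing it in an HTML body.
    html.escape turns < > & " ' into entities, so a payload such as
    <script>alert(1)</script> renders as inert text."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def handle_profile_update(form: dict) -> dict:
    """Simulated request handler: filter on the way in, encode on the way out."""
    username = form.get("username", "")
    if not validate_username(username):
        return {"status": 400, "body": "<p>invalid username</p>"}
    return {"status": 200, "body": render_greeting(username)}


if __name__ == "__main__":
    print(handle_profile_update({"username": "alice_01"}))
    print(handle_profile_update({"username": "<script>alert(1)</script>"}))
    print(render_greeting("<b>not bold</b>"))
```

Validation and encoding are kept as two separate functions because they defend different things: the allow-list stops bad data being stored, and the encoding protects the page even when data arrives from somewhere the allow-list never saw.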

Compromised Credentials Have a High ROI for Attackers

Given that detecting the use of compromised credentials is at the core of what user behavior analytics, and InsightIDR, focus on, I want to explain why compromised credentials are so valuable to attackers. To effectively understand any attacker tools and techniques, we have to put them into the context of their challenges and goals, the same way you would a business, or supply chain of businesses. Accordingly, I will use some common microeconomics terms to explain.

Phishing has a high expected return

While it may not be the only way to steal valid credentials, there have been various statistics published and they all show that roughly one out of every ten phishing emails will be successful. This could mean that your users open a malicious attachment, enter their corporate credentials into a phony site, or simply visit a website attempting to compromise them in some other way. This statistic is relatively broad, but you can be confident that a professional social engineer with a few days for reconnaissance can far exceed this success rate with targeted spear phishing.

Stolen passwords offer simple and inexpensive distribution

Once credentials are stolen from a user in your organization, those responsible for harvesting them have hundreds of ways to distribute them to potential buyers. Once a buyer is identified, most likely on an eBay rip-off focused on such criminal tools, the credentials can be distributed through any medium that accepts text. This means that individuals creative enough to avoid jail time and immoral enough to knowingly steal from others need only decide whether to insert the (username/password combination) text into a website, send it in an email, embed it in a PowerPoint slide deck, send it over IRC, post it in comments to a random article, tweet it from a short-lived Twitter account, or transmit it via any number of other ways. Comparatively, exploits and malware pose a much greater challenge around distribution because they run the risk of being discovered in transit and they are not the same simple text.

Compromised credentials lower the cost of production

Each phase of the attacker supply chain produces something different, but they all lead to the production of one type: monetizable information that belongs to someone else. For the attackers that are actively attempting to compromise systems in your organization, the approaches fall into two buckets:

- Take control of a company asset, either manually or through malware
- Use the credentials of a legitimate user to pose as someone that should have access to multiple company assets

A major reason stolen credentials have become the weapon of choice is their costs: it is inexpensive to purchase credentials, it is inexpensive to try using stolen credentials, and they have a low opportunity cost. Purchasing credentials is relatively straightforward: you can either buy them in bulk from someone who harvests them and puts them up for sale online or you can hire a black hat social engineer to harvest them for you. Using stolen credentials currently has a very low likelihood of being detected or traced back to the attacker, so while the attempted use might be complex, having a single access point makes it very easy and fast to test their validity. This makes it easy to discuss opportunity cost: while it is still very possible to take control of an organization's assets with exploits, a well-patched organization with a bevy of security controls in place means that you will likely need a very expensive zero-day exploit to reach the success rate and low likelihood of detection that come with compromised credentials. The cost of production for 0-days is massive because they require a great deal of both expertise and research to develop and their guarantee of success rapidly depreciates from the second they are used.

Improved malware defenses have had a secondary economic impact on compromised credentials

Starting with antivirus, then the detection of signatures in your network traffic, and more recently with sandboxing and the latest Endpoint Detection & Response (EDR) solutions, organizations have invested heavily in identifying and blocking malware before it is delivered, when it attempts to install itself, and when it starts performing malicious operations. While we will never see a 100% success rate, modern malware defenses have been very effective at achieving one goal: making it expensive to use malware alone to attack an organization. While this cost has increased, the cost of sourcing and using stolen credentials has stayed very low because they remain in the blind spot of these evolved detection solutions. Often, mass malware opens opportunities of chance in organizations that are not investing heavily in security, but more advanced, custom-built malware variants must be leveraged for a targeted attack, and even then, it is used with precision to only compromise systems that have been accessed (with stolen credentials) and deemed susceptible. The day-to-day system reconnaissance and lateral movement can be done with widely available tools, like Windows Credential Editor, and stolen passwords or hashes to evade detection.

So, given these factors, if you are comfortable breaking international laws, stealing from other people, and working with other criminals who may be capable of even more, it is poor business management not to use compromised credentials. This is exactly why we built InsightIDR: to help diminish the return on stolen accounts by detecting their use. If you want to see more details on how we raise the cost for attackers, you can register for a free, guided demo of InsightIDR. I think you'll quickly see how we'll raise the cost to attack your organization. Not ready quite yet? Check out our resource page to learn more about our products and solutions that help you detect attacks leveraging compromised credentials here.

Catching Stealthy Attackers: Detecting Log Deletion and Brand New Phishing Domains

It should come as no surprise by now that attackers are doing their best ninja impressions when trying to monetize the data on your network, whether it be credit card data, intellectual property, health records, or something else entirely. The longer their presence remains unknown, the more reconnaissance they can perform and valuable data they can access. Rapid7's InsightIDR team is constantly looking to detect behaviors that expose someone taking the slow, methodical approach to expanding their reach within your network. I previously blogged about some of the lateral movement, but here I want to cover two other examples: log deletion and rapid domain registrations, as always, with 90's movies.

Log Deletion

The concept is simple: if you never want something you did to reach the Incident Response team in an organization, delete the system's logs that contain this information. You probably think that you know all possible movies this could draw to my mind: "Hackers" or "Sneakers" might make sense, but I think of the Keanu Reeves classic "Speed" (in which Keanu and Dennis Hopper simply play themselves). Remember how Keanu got everyone off the bus? Once he realized that Dennis had tapped into the bus's video feed to watch passengers, Keanu's team automagically looped the video feed for something like 90 seconds. Well, log deletion is similar because it theoretically could keep an attacker's activity secret forever, unless InsightIDR is there to alert you when someone deletes event logs on any asset accessible by our endpoint monitor. Why doesn't this violate our "don't be noisy" motto? I have yet to hear a legitimate reason for deleting these logs, unless you consider "none of your business" or "penetration test" as legitimate reasons. You should be alerted every time this rare activity occurs.

Rapid Domain Registrations

This second technique is a bit more complex: in order to avoid triggering alerts you currently have in place around domain or URL blacklists, attackers use the ease of registering a new domain to their advantage. Basically, the attackers know that we are tracking the domains they use and adding to our blacklists on a daily basis (if not faster), so they just make up new ones to stay off the blacklists. For those die-hard Adam Sandler fans out there, this is similar to how the Fonz finally turned the tables against his evil protege: stop using the plays in the stolen playbook and make up a new one every time. Okay, it is the same in "Varsity Blues" and "Little Giants" (and, really, any sports movie): make up a new play whenever the game is of enough importance. Similarly, if really valuable data is being exfiltrated or a high value user is being spearphished, attackers simply register a new domain and only use it for that sole purpose to ensure it is unknown to blacklists. Anyway, how does InsightIDR help? Thanks to the awesome Rapid7 Research team and their contributions to Project Sonar, we are constantly on top of domain registrations and will alert you when data is sent to newly registered ones. Is this a silver bullet? Of course not, but in combination with blacklists and other alerts, it makes it that much more challenging for the attackers to hide their activities... and we'll keep raising that bar, whether it is based on the experience of our research team, penetration testers, or elsewhere. If you want to better detect and investigate stealthy attackers on your network, please start here and contact us as soon as possible.
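The log-deletion detection described above is, at its simplest, a rule over forwarded endpoint events. The following is an added example of that rule, not InsightIDR code: the key=value log format and the sample lines are constructed, while the event IDs are the standard Windows ones (1102 "The audit log was cleared" in the Security channel, 104 "The System log file was cleared" in the System channel).

```python
"""Alert on Windows event log clearing from forwarded endpoint events.
Added example, not InsightIDR code. The key=value line format and the sample
lines are constructed; the event IDs are the standard Windows ones
(Security/1102 = audit log cleared, System/104 = System log cleared)."""

# (channel, event_id) pairs that mean "someone cleared a log" and why that matters.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System event log cleared",
}

# Constructed sample of forwarded events; only two of them are log clears.
SAMPLE_LOG = """\
ts=2016-12-05T09:12:01Z host=WS01 channel=Security event_id=4624 user=CORP\\jdoe
ts=2016-12-05T09:13:47Z host=WS01 channel=Security event_id=1102 user=CORP\\jdoe
ts=2016-12-05T09:14:02Z host=FS02 channel=System event_id=7036 user=SYSTEM
ts=2016-12-05T09:15:30Z host=FS02 channel=System event_id=104 user=CORP\\svc-backup
ts=2016-12-05T09:16:11Z host=WS01 channel=Security event_id=4634 user=CORP\\jdoe
"""


def parse_line(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict (values contain no spaces)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_log_clears(log_text: str) -> list:
    """Return one alert per log-clear event, in the order the events arrived.
    The rule is unconditional on purpose: the post's point is that there is
    no routine reason to clear these logs, so every occurrence is worth a look."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        key = (event.get("channel"), int(event.get("event_id", 0)))
        if key in LOG_CLEAR_EVENTS:
            alerts.append({
                "ts": event["ts"],
                "host": event["host"],
                "user": event["user"],
                "reason": LOG_CLEAR_EVENTS[key],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clears(SAMPLE_LOG):
        print(alert)
```

The user field is the most useful part of the alert: a log clear by a service account during a change window and one by an interactive user on a workstation deserve very different follow-up, but both deserve a ticket.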

InsightIDR Detects Unknown Spear Phishing Attacks

Phishing continues to be one of the top attack vectors behind breaches, according to the latest Verizon Data Breach Investigations Report. Sending ten phishing emails to an organization yields a 90% chance that company credentials are compromised. Phishing is often the first step in the attack chain, opening an organization to stealthy credential-based attacks that allow intruders to exfiltrate confidential data. InsightIDR now detects targeted spear phishing attacks, even ones that have never been seen before. This extends InsightIDR's existing ability to detect compromises throughout the attack chain.

Targeted attacks often use phishing sites with domains that are spelling variations close to the target company's own domain (e.g. www.rapid7.com vs. www.rapld7.com). Embedded in the context of a seemingly legitimate business email, these are very difficult for busy end users to detect. A targeted spear phishing email can look as if it's coming from a trusted colleague, embedding a slightly misspelled link in the body that links to a malicious website. InsightIDR uses machine learning to identify these lookalike domains, and automatically alerts you if one of your users visits a suspicious, lookalike website. This also enables InsightIDR to detect phishing outside the scope of corporate e-mail, including social media (e.g. Facebook, Twitter) and chat programs (e.g. Skype, Slack).

In addition to the spear phish detection, InsightIDR detects phishing emails through:

- Threat intelligence: InsightIDR screens emails for phishing links identified by open source and commercial threat intelligence feeds. Incident responders can add their own threat intelligence and share it with the InsightIDR community to help their peers detect new attacks.
- Identifying newly created domains: Attackers often register phishing domains shortly before an attack because domains quickly become blacklisted in threat intelligence feeds. Through the Insight Platform integration with Rapid7's Project Sonar, we monitor the registration of all new domains on the Internet and alert on any network activity to newly generated domains.
- Faster phishing attack investigation: InsightIDR accelerates incident scoping by showing every user that received the link. From the same solution, you can investigate whether intruders have successfully gained a foothold and moved laterally across your network.

All of these phishing detections are available as standard features in your InsightIDR or InsightUBA subscription. For more on how InsightIDR helps you detect top attack vectors behind breaches earlier in the attack chain, check out our 20-minute on-demand demo video!
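Two of the signals described above, lookalike domains (rapid7.com vs. rapld7.com) and domains registered only days before use, can be checked with a small triage function. The following is an added example of such a function, not InsightIDR or Project Sonar code: the watch list, the registration-date table, the 7-day "newly registered" threshold and the confusable-character table are all constructed assumptions, and the approach here is character folding plus edit distance rather than the machine-learning model the post mentions.

```python
"""Triage of domains seen in outbound traffic: flag lookalikes of domains we
care about and domains registered only days ago.
Added example, not InsightIDR or Project Sonar code. The watch list, the
registration dates, the 7-day threshold and the confusable table are
constructed; the lookalike test is character folding plus edit distance,
not the post's machine-learning model."""
from datetime import date

WATCHED_DOMAINS = ["rapid7.com", "microsoft.com"]   # constructed watch list
NEW_DOMAIN_DAYS = 7                                  # assumed "newly registered" window
TODAY = date(2016, 12, 5)                            # constructed reference date

# Constructed stand-in for a registration-date feed (domain -> creation date).
REGISTRATION_DATES = {
    "rapid7.com": date(2010, 1, 1),   # constructed placeholder, not the real date
    "rapld7.com": date(2016, 12, 1),
}

# Characters and pairs that look alike in common fonts, each folded to one form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"),
               ("l", "i"), ("|", "i"), ("5", "s"), ("3", "e")]


def fold(domain: str) -> str:
    """Lower-case and collapse confusable characters so rnicrosoft -> microsoft."""
    folded = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_domain(domain: str, today: date = TODAY) -> list:
    """Return the reasons a domain deserves an alert; empty means nothing noteworthy."""
    domain = domain.lower()
    if domain in WATCHED_DOMAINS:
        return []                      # the real thing, not a lookalike
    reasons = []
    for watched in WATCHED_DOMAINS:
        if levenshtein(fold(domain), fold(watched)) <= 1:
            reasons.append(f"lookalike of {watched}")
    registered = REGISTRATION_DATES.get(domain)
    if registered is not None:
        age = (today - registered).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days ago")
    return reasons


if __name__ == "__main__":
    for seen in ("rapid7.com", "rapld7.com", "rnicrosoft.com", "example.org"):
        print(seen, "->", triage_domain(seen) or "no alert")
```

Folding before measuring distance is what catches the "rn" for "m" trick, which plain edit distance scores as two edits; the distance threshold then picks up single-character swaps such as "l" for "i". Both reasons are reported together so an analyst sees that a lookalike was also registered days ago, which is a much stronger signal than either alone.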

Sometimes the simplest security works the best

The FBI this week posted an alert that showed wire transfer scams bled $2.3 Billion from “business email compromise” from October 2013 through February 2016.  A couple of news outlets picked this up, including Brian Krebs. When I was the head of security at a multi-national corporation, this was an issue that came up regularly. There were instances of very aggressive behavior, such as someone calling the call center pretending to be the CEO of one of the countries and demanding a $1 million dollar transfer. That was a very bold and very obvious fraud that the call center was able to handle. However, very often these requests came though email, just like the FBI reported. When this happens, normally the scammer uses either a forged email domain very similar to the corporate one. If your user uses a browser without a fixed width font, they might get tricked into see the domain as legitimate, i.e.  rnicrosoft.com vs microsoft.com (look closely), or a use of a sub domain that looks very similar, i.e. yourcom.panyname.com. Then the header is simply forged. In simple mail clients, like Gmail, you have to take extra steps to see the actual sender domain. The emails are usually pretty short, lacking detail, such as : I need you to immediately produce a wire transfer for $13,000 and sent to the bank listed. I will follow up with you later. Regards, CEO NAME And you might have a pdf attachment with banking details. Oddly enough, the PDFs I encountered were never malicious. They had legitimate account details so the wire transfers could be received. Now you might think this is too simple and shouldn't work. But obviously, it does, to the tune of $2.3 billion. You might ask yourself why, and if you aren't, I'll ask it for you. Self, why does this work? Well consider that you might have a multibillion dollar corporation located in many countries. If you do business in certain countries, wire transfers are the norm. 
So wire transfers become part of a normal process for that company. And when someone asks for $13,000, or even as much as $75,000, for a company that posts $4.3 billion in revenue, they would not even blink an eye at this. Scammers do a little recon, ask for an amount that is small to the company, and it gets processed. Little risk, high reward. How would you protect against this? The simplest method is verification of the request. The FBI suggests that a telephone call be placed to verify the request, which is a good practice. They also suggest two factor authentication for email, and limit social media activities, as scammers will do reconnaissance and determine if CEOs are traveling. Krebs points out that some experts rely on technological controls such as DKIM and SPF. While these are things we recommend in our consultancy, they are complex for low maturity organizations and do require some effort and support. At the end of the day, they don't actually solve the problem, because we are socially engineering human beings. While all of these technology controls are good, we are dealing with humans. The best way to prevent this fraud from occurring is creating simple business processes that are enforced. In security terms, we would call this segregation of duties. The simplest security Simply put, segregation of duties says that no one person or one role should be allowed to execute a business process from start to finish. In the case of wire transfer fraud, for example, one person/role should not be able to create the wire transfer, approve it and execute it. Dividing these duties between two or more persons/roles means more eyes on the situation, and a potential to catch the fraud. A simple process map might look like: Ensure that Role A and Role B have proper documentation (evidence) for each step of the request and approval, and you now have a specific security control that easily integrates into a business process. 
The key to enforcement: making sure every single request follows the chain every single time. No exceptions. Now let me tell you about the one that almost made it. There was one instance I dealt with which was one mouse click away from being executed. An email (very similar to the example above) was sent to a director of finance, purportedly from the CEO. The director was busy that day, and filed the email away for processing later. By 4:55 pm or so, they realized they had not acted on the request. As it was almost end of day, and wire transfers are not processed by most banks after banking hours, she hurriedly forwarded the email to the wire transfer processor, marked with urgency, and made a call to ensure it was processed immediately. By the time it was picked up and put into the process, banks were closed. So they agreed it would execute first thing tomorrow morning. That evening, a series of emails went back and forth between the approver, who was a simple finance analyst who held very firm to the process, and the requester. Though it had urgency, and people were shouting that it was a request from the CEO, the process prevailed. All this time no one thought to actually verify the request, and this was not part of the process at that time. But because the approver was uncooperative with the request, it was escalated to the CFO, because the CEO was traveling, and he suspected it was fraudulent, and contacted me. We determined almost immediately it was fake, just by looking at email headers. There were other indicators too. I immediately praised everyone involved, and bought them gifts for sticking to the process. The director might have felt ashamed, but I went to her as well and explained that these scams are successful because they count on stress and distraction to occur. These are normal human behaviors, and they sometimes cause us to act erratically. But because we had a firm process that was adhered to, all we lost was time. 
There's actually much more to this story, but I'll save that for future posts. Regardless of your organization's size or structure, you too can put this in place. If you are unsure these processes exist, start asking around. Begin with your controllers or comptrollers, or anyone in finance. Ask if you have a process for wire transfers, and if so, what the process is. Get involved, and understand how your business does business. This will benefit you in many ways. Other things you can do:

- Join InfraGard, the FBI and civilian alliance, which will get you in-depth resources and information.
- Report fraud to the IC3, the Internet Crime Complaint Center.
- Ensure you have a separation of duties policy that is enforced.
- Periodically train / update awareness of these issues with the people involved.

All of these are free, requiring only a time investment, and will go a long way toward avoiding the kind of wire transfer fraud scam the FBI is warning about.
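The segregation-of-duties control described in this post, modelled as a small workflow that refuses any request where one person or role performs more than one stage, where a stage is skipped, or where a step has no documented evidence. This is an added example written for this page, not code from the original post; the request IDs, names and roles are constructed.

```python
"""Segregation of duties for wire transfers: no single person or role may
create, approve and execute a request, and every step carries evidence.
Added example written for this post; not code from the original article."""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    CREATE = "create"      # Role A raises the transfer request
    APPROVE = "approve"    # Role B approves it, recording the verification call
    EXECUTE = "execute"    # a third person/role releases it to the bank


# The chain every request must follow, in order. No stage may be skipped.
CHAIN = (Stage.CREATE, Stage.APPROVE, Stage.EXECUTE)


class SoDViolation(Exception):
    """Raised when a request tries to bypass the control."""


@dataclass
class Step:
    stage: Stage
    actor: str      # person who performed the step
    role: str       # their role at the time
    evidence: str   # reference to the supporting document or call log


@dataclass
class WireRequest:
    request_id: str
    amount: float
    beneficiary: str
    steps: list = field(default_factory=list)

    def advance(self, stage, actor, role, evidence):
        """Record one step of the chain, enforcing order, evidence and distinct actors."""
        if len(self.steps) == len(CHAIN):
            raise SoDViolation(f"{self.request_id}: already executed")
        expected = CHAIN[len(self.steps)]
        if stage is not expected:
            raise SoDViolation(
                f"{self.request_id}: expected '{expected.value}', got '{stage.value}'")
        if not evidence.strip():
            raise SoDViolation(f"{self.request_id}: '{stage.value}' needs documented evidence")
        # No one person and no one role may hold more than one stage of the chain.
        for prior in self.steps:
            if prior.actor == actor or prior.role == role:
                raise SoDViolation(
                    f"{self.request_id}: {actor} ({role}) already performed '{prior.stage.value}'")
        self.steps.append(Step(stage, actor, role, evidence))
        return self

    @property
    def executed(self):
        return len(self.steps) == len(CHAIN)

    def audit_trail(self):
        """Evidence for each step, in order, for the auditor."""
        return [(s.stage.value, s.actor, s.role, s.evidence) for s in self.steps]


def process_legitimate_request():
    """Constructed happy path: three different people in three different roles."""
    req = WireRequest("WT-0001", 13000.0, "Vendor Ltd")
    req.advance(Stage.CREATE, "director", "finance_director", "PO-4411 attached")
    req.advance(Stage.APPROVE, "analyst", "finance_analyst", "called requester on known number")
    req.advance(Stage.EXECUTE, "treasury", "wire_operator", "bank confirmation #77")
    return req


def attempt_bypass(kind):
    """Constructed attempts to short-circuit the chain; returns the violation message."""
    req = WireRequest("WT-0002", 75000.0, "Unknown Ltd")
    req.advance(Stage.CREATE, "director", "finance_director", "email from 'CEO'")
    try:
        if kind == "same_person":       # creator tries to approve their own request
            req.advance(Stage.APPROVE, "director", "finance_director", "urgent, CEO said so")
        elif kind == "skip_approval":   # straight to execution without approval
            req.advance(Stage.EXECUTE, "treasury", "wire_operator", "urgent")
        elif kind == "no_evidence":     # approval with nothing to back it up
            req.advance(Stage.APPROVE, "analyst", "finance_analyst", "   ")
    except SoDViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(process_legitimate_request().audit_trail())
    for kind in ("same_person", "skip_approval", "no_evidence"):
        print(kind, "->", attempt_bypass(kind))
```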

The Topology of Malicious Activity on IPv4

by Suchin Gururangan & Bob Rudis

At Rapid7, we are committed to engaging in research to help defenders understand, detect and defeat attackers. We conduct internet-scale research to gain insight into the volatile threat landscape and share data with the community via initiatives like Project Sonar [1] and Heisenberg [2]. As we crunch this data, we have a better idea of the global exposure to common vulnerabilities and can see emerging patterns in offensive attacks. We also use this data to add intelligence to our products and services. We're developing machine learning models that use this daily internet telemetry to identify phishing sites and to find and classify devices through their certificate and site configurations. We have recently focused our research on how these tools can work together to provide unique insight on the state of the internet. Looking at the internet as a whole can help researchers identify stable, macro-level trends in the individual attacks between IP addresses. In this post, we'll give you a window into these explorations.

IPv4 Topology

First, a quick primer on IPv4, the fourth version of the Internet Protocol. The topology of IPv4 is characterized by three levels of hierarchy, from smallest to largest: IP addresses, subnets, and autonomous systems (ASes). IP addresses on IPv4 are 32-bit sequences that identify hosts or network interfaces. Subnets are groups of IP addresses, and ASes are blocks of subnets managed by public institutions and private enterprises. IPv4 is divided into about 65,000 ASes, at least 30M subnets, and 2^32 IP addresses.

Malicious ASes

There has been a great deal of academic and industry focus on identifying malicious activity in and across autonomous systems [3, 4, 5, 6], and for good reasons. Well over 50% of "good" internet traffic comes from a small subset of large, well-defined, ocean-like ASes pushing content from Netflix, Google, Facebook, Apple and Amazon. Despite this centralization of "cloud" content, we'll show that the internet has become substantially more fragmented over time, enabling those with malicious intent to stake their claim in less friendly waters. In fact, our longitudinal data on phishing activity across IPv4 presented an interesting trend: a small subset of autonomous systems have regularly hosted a disproportionate amount of malicious activity. In particular, 200 ASes hosted 70% of phishing activity from 2007 to 2015 (data: cleanmx archives [7]). We wanted to understand what makes some autonomous systems more likely to host malicious activity.

IPv4 Fragmentation

We gathered historical data on the mapping between IP addresses and ASes from 2007 to 2015 to generate a longitudinal map of IPv4. This map clearly suggested IPv4 has been fragmenting. In fact, the total number of ASes has grown 60% in the past decade. During the same period, there has been a rise in the number of small ASes and a decline in the number of large ones. These results make sense given that IPv4 address space has been exhausted. This means that growth in IPv4 access requires the reallocation of existing address space into smaller and smaller independent blocks.

AS Fragmentation

Digging deeper into the Internet hierarchy, we analyzed the composition, size, and fragmentation of malicious ASes. ARIN, one of the primary registrars of ASes, categorizes subnets based on the number of IP addresses they contain. We found that the smallest subnets available made up on average 56±3.0 percent of a malicious AS. We inferred the size of an AS by calculating its maximum amount of addressable space. Malicious ASes were in the 80-90th percentile in size across IPv4. To compute fragmentation, subnets observed in ASes over time were organized into trees based on parent-child relationships (Figure 3). We then calculated the ratio of the number of root subnets, which have no parents, to the number of subsequent child subnets across the lifetime of the AS. We found that malicious ASes were 10-20% more fragmented than other ASes in IPv4. These results suggest that malicious ASes are large and deeply fragmented into small subnets. ARIN fee schedules [8] showed that smaller subnets are significantly less expensive to purchase, and the inexpensive nature of small subnets may allow malicious registrars to purchase many IP blocks for traffic redirection or to host proxy servers to better float under the radar.

Future Work

Further work is required to characterize the exact cost structure of buying subnets, registering IP blocks, and setting up infrastructure in malicious ASes. We'd also like to understand the network and system characteristics that cause attackers to choose to co-opt a specific autonomous system over another. For example, we used Sonar's historical forward DNS service and our phishing detection algorithms to characterize all domains that have mapped to these ASes in the past two years. Domains hosted in malicious ASes had features that suggested deliberate use of specific infrastructure. For example, 'wordpress' sites were over-represented in some malicious ASes (like AS4808), and GoDaddy was by far the most popular registrar for malicious sites across the board. We can also use our SSL certificate classifier to understand the distribution of devices hosted in ASes across IPv4, as seen in the chart below:

Each square above shows the probability distribution (a fancier, prettier histogram) of device counts of a particular type. Most ASes host fewer than 100 devices across a majority of categories. Are there skews in the presence of specific devices to propagate phishing attacks from these malicious ASes?

Conclusion

Our research presents the following results:

- A small subset of ASes continue to host a disproportionate amount of malicious activity.
- Smaller subnets and ASes are becoming more ubiquitous in IPv4.
- Malicious ASes are deeply fragmented.
- There is a concentrated use of specific infrastructure in malicious ASes.
- Attackers both co-opt existing devices and stand up their own infrastructure within ASes (a gut-check would suggest this is obvious, but having data to back it up also makes it science).

Further work is required to characterize the exact cost structure of buying subnets, registering IP blocks, and setting up infrastructure in malicious ASes, along with what network and system characteristics cause attackers to choose to co-opt one device in one autonomous system over another. This research represents an example of how Internet-scale data science can provide valuable insight on the threat landscape. We hope similar macro-level research is inspired by these explorations, and we will be bringing you more insights from Project Sonar & Heisenberg over the coming year.

References

1. Sonar intro
2. Heisenberg intro
3. G. C. M. Moura, R. Sadre and A. Pras, "Internet Bad Neighborhoods: The spam case," Network and Service Management (CNSM), 2011 7th International Conference on, Paris, 2011, pp. 1-8.
4. B. Stone-Gross, C. Kruegel, K. Almeroth, A. Moser and E. Kirda, "FIRE: FInding Rogue nEtworks," doi: 10.1109/ACSAC.2009.29
5. C. A. Shue, A. J. Kalafut and M. Gupta, "Abnormally Malicious Autonomous Systems and Their Internet Connectivity," doi: 10.1109/TNET.2011.2157699
6. A. J. Kalafut, C. A. Shue and M. Gupta, "Malicious Hubs: Detecting Abnormally Malicious Autonomous Systems," doi: 10.1109/INFCOM.2010.5462220
7. Cleanmx archive
8. ARIN Fee Schedule
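The AS size and fragmentation metrics from the AS Fragmentation section above, reproduced on a constructed set of prefixes: subnets observed for one AS are organised into parent-child trees, the AS size is the addressable space of its root subnets, and fragmentation is the ratio of root subnets to child subnets. This is an added example, not the authors' analysis code; the prefixes are constructed, and treating /24 as the smallest allocatable subnet is an assumption.

```python
"""AS size and fragmentation metrics as described in the AS Fragmentation section:
subnets observed for an AS are organised into parent-child trees, the AS size is
its maximum addressable space, and fragmentation compares root subnets (no parent)
to child subnets. Added example, not the authors' analysis code; the sample prefixes
are constructed and the /24 'smallest subnet' threshold is an assumption."""
from ipaddress import ip_network

SMALLEST_PREFIXLEN = 24   # assumed: /24 is the smallest block ARIN hands out

# Constructed snapshots of prefixes announced by one AS over time (not real data).
OBSERVED_PREFIXES = [
    "198.51.100.0/22",
    "198.51.100.0/24", "198.51.101.0/24", "198.51.102.0/24", "198.51.103.0/24",
    "203.0.113.0/24",
    "192.0.2.0/23", "192.0.2.0/24", "192.0.3.0/24",
    "198.51.100.0/24",   # seen again in a later snapshot; counted once
]


def build_forest(prefixes):
    """Map each distinct subnet to its parent: the most specific other observed
    subnet that contains it, or None if it is a root."""
    nets = sorted({ip_network(p) for p in prefixes},
                  key=lambda n: (n.prefixlen, int(n.network_address)))
    parent = {}
    for net in nets:
        enclosing = [p for p in nets if p.prefixlen < net.prefixlen and net.subnet_of(p)]
        parent[net] = max(enclosing, key=lambda p: p.prefixlen) if enclosing else None
    return parent


def as_metrics(prefixes):
    """Size, smallest-subnet share and root-to-child ratio for one AS."""
    parent = build_forest(prefixes)
    roots = [n for n, p in parent.items() if p is None]
    children = [n for n, p in parent.items() if p is not None]
    # Maximum addressable space: roots cover all their children, so sum only roots.
    addressable = sum(r.num_addresses for r in roots)
    smallest_share = sum(1 for n in parent if n.prefixlen == SMALLEST_PREFIXLEN) / len(parent)
    # Ratio of root subnets to subsequent child subnets, as defined in the post;
    # an AS with no children (no fragmentation) has no finite ratio.
    ratio = len(roots) / len(children) if children else float("inf")
    return {
        "subnets": len(parent),
        "roots": len(roots),
        "children": len(children),
        "addressable_space": addressable,
        "smallest_share": smallest_share,
        "root_to_child_ratio": ratio,
    }


def tree_depths(prefixes):
    """Depth of each subnet in its tree (roots are 0); deeper trees mean more fragmentation."""
    parent = build_forest(prefixes)

    def depth(n):
        return 0 if parent[n] is None else 1 + depth(parent[n])

    return {str(n): depth(n) for n in parent}


if __name__ == "__main__":
    for key, value in as_metrics(OBSERVED_PREFIXES).items():
        print(f"{key}: {value}")
    print(tree_depths(OBSERVED_PREFIXES))
```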

Top 3 Takeaways from the "How to Make your Workplace Cyber-Safe" Webcast

In the first of four Cyber Security Awareness Month webcasts, a panel of security experts, including Bob Lord, CISO in Residence at Rapid7, Ed Adams, President and CEO at Security Innovation, Chris Secrest, Information Security Manager at MetaBank, and Josh Feinblum, VP of Information Security at Rapid7, came together to discuss "How to Make your Workplace Cyber-Safe". They touched upon how to create a security-centric culture, combating common threats targeted at users, characteristics of an effective security awareness program, and best practices for managing passwords and devices. Read on to learn the top 3 takeaways from this webinar:

1. Security should be a reflex – A strong sign that an organization has successfully created a security-centric culture is if secure actions are reflexes for users across the organization. For example – has it become second nature for employees to know how to treat sensitive data, when it's okay to share information, and how to spot phishing attacks? If employees aren't sure about something, do they ask security or just click? If users are asking before acting, it's a pretty good indicator that a security-centric culture has successfully started to spread.

2. It takes 2-factor authentication – Every user can be a pathway in. Any given user may not be the most impactful entry point – but they can be the first step to lateral movement within an environment. Be skeptical of all user activity, and use 2-factor authentication to remove risky users from the equation. Don't let one mistake from a risky user impact your organization. A successful hack is substantially more difficult when 2-factor authentication is in play, and can make the act just challenging enough that the attacker may move on to an easier target.

3. Security is a team sport – Teach users at your organization to be more skeptical. Hiring more security professionals isn't enough to improve security – you need security-smart eyes and ears all over the organization. Plus, you'll benefit from less hostile, more understanding relationships between security and other business units. Build bridges, not walls! Integrate security into your culture, and groups around the organization will start to recognize the need to bring security into projects earlier. Don't just give users rules to blindly follow – teach them how attackers work and think, and empower users to make decisions when the security team is not around.

To listen to the full discussion: view the on-demand webcast now. Learn more and register for additional sessions in our Cyber Security Awareness Month Webcast Series.

Get Off the Hook: Ten Phishing Countermeasures to Protect Your Organization

The Internet is full of articles on how to tell if an email is phishing, but there seems to be a lack of concise checklists on how to prepare an organization against phishing attacks, so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bulletproof, so layering your defenses is important – and so is having an incident response plan in case someone does get through. Here are my recommendations on how to defend against phishing attacks:

1. Filter emails for phishing threats
It's important that you filter your emails for malicious URLs and attachments to prevent phishing emails from making it to your users in the first place. Sandboxing can detect a lot of the malware in emails, but make sure that you have a follow-up plan in place if you're deploying this technology in detection rather than blocking mode – otherwise the malware is still live on your systems. Use security analytics to filter out malicious URLs. Rapid7 UserInsight uses threat feeds to detect known malicious URLs and security analytics to alert on unknown ones. It also integrates with sandboxing solutions, such as FireEye NX Series and Palo Alto WildFire, to enable quick and easy incident investigation of malware alerts.

2. Update client-side operating systems, software, and plug-ins
Some phishing emails include URLs to exploit vulnerabilities in browsers and their plug-ins, such as Flash and Java; others send file attachments that try to exploit applications like Adobe Acrobat or Microsoft Office. That's why it's important to patch vulnerabilities on your endpoints as well. Many organizations already have a vulnerability management program in place but only scan servers. Make sure you extend coverage to your endpoints and patch operating systems, software, and plug-ins. This not only protects you from phishing emails but also from drive-by attacks. Rapid7 Nexpose can help you manage vulnerabilities on your endpoints, and much more.

3. Harden your clients
Lock down your clients as much as possible. This includes things like not making your users local administrators and deploying mitigation tools like Microsoft EMET (check out this Whiteboard Wednesday on EMET for how to deploy this free tool). Rapid7 Nexpose Ultimate includes Controls Effectiveness Testing, which helps you scan your clients and guides you through the steps to harden them against phishing and other attacks.

4. Block Internet-bound SMB and Kerberos traffic
One of our penetration testing team's favorites is the SMB authentication attack. In this scenario, the attacker sets up an SMB service on the Internet and sends a phishing email with a URL or Word document that references an image through file:// rather than http://. This tricks the computer into authenticating to the SMB service with the user's domain credentials, providing the attacker with a user name and password hash. The hash can then be cracked or used in pass-the-hash attacks. To defend against SMB and Kerberos attacks, block TCP ports 88, 135, 139 and 445 and UDP ports 88, 137 and 138 to non-RFC 1918 IP addresses, both on the perimeter and on host-based firewalls. You'll also want a process in place to detect compromised credentials, for example Rapid7 UserInsight, which leads us to the next item on our checklist.

5. Detect malware on endpoints
Many phishing attacks involve malware that steals your data or passwords. You should have technology in place to detect malware on the endpoint. Regular anti-virus is great for catching commodity malware, which is likely the bulk of what you will see used against you. There are also many new endpoint detection vendors out there that have great alternative technologies. Rapid7 UserInsight uses its agentless endpoint monitor to collect process hashes from all machines on your network to highlight known malicious processes based on the output of 57 anti-virus scanners; it also looks for rare/unique unsigned processes that may indicate malware.

6. Detect compromised credentials and lateral movement
Even with all of these protections in place, your users may still fall prey to credential harvesting attacks. A common phishing attack leads users to a fake Outlook Web Access page and asks them to enter their domain credentials to log on, but there are many variations. Once the attackers have the passwords, they can impersonate users. Rapid7 UserInsight can detect compromised credentials, both on your network and in cloud services, such as Office 365, Salesforce.com and Box.com. It detects lateral movement to other users, assets, or to the cloud, so you'll be able to trace intruders even if they break out of the context of the originally compromised user.

7. Implement 2-factor authentication
Add 2-factor authentication (2FA) to any externally facing system to stop attackers from using stolen passwords. While Rapid7 doesn't offer a solution in this space, check out our partners Okta and Duo Security. All systems protected with Okta (Rapid7/Okta Integration Brief) or Duo Security can be monitored with Rapid7 UserInsight to help detect any attempts to use compromised credentials.

8. Enable SPF and DKIM
There are two standards that help determine whether an email actually came from the sender domain it claims, in order to detect email spoofing. The first one is the Sender Policy Framework (SPF), which adds a list to your DNS records of all servers that are authorized to send mail on your behalf. The second standard is DomainKeys Identified Mail (DKIM), which is a way for an email server to digitally sign all outgoing mail, proving that an email came from a specific domain and was not altered in transit. Together, they raise the recipient's confidence in the authenticity of the sender and the email content. To help improve security hygiene, check that your systems have both SPF and DKIM enabled on your outgoing email. For incoming email, check whether the sender domain has SPF set up and the email came from an authorized server, and that DKIM-signed emails have not been tampered with. While these protections are not bulletproof against targeted attacks that register look-alike domains, they can help filter out a lot of mass phishing.

9. Train your employees on security awareness
While even educated users won't catch everything, they are worth investing in. Train your users on how to detect phishing emails and send them simulated phishing campaigns to test their knowledge. Use the carrot, not the stick: offer prizes for those that detect phishing emails to create a positive security-aware culture – and extend the bounty from simulated to real phishing emails. Whenever you see new phishing emails targeting your company, alert your employees about them using sample screenshots of the emails with phishy features highlighted. Encourage your users to use secure browsers – I put Google Chrome (64-bit version) at the top of my list for security and usability. Here at Rapid7, we offer Security Awareness Trainings; you can also send phishing simulations with Rapid7 Metasploit Pro that track click-throughs so you can report on user awareness.

10. Have an incident response plan
Even if you put all of these protections in place, some phishing emails will get through, especially if they are targeted against your organization and tailored to the individual. It's not a question of whether these emails will get through but of how well you are prepared to respond to intruders on the network. Rapid7 UserInsight enables you to detect compromised users and investigate intruders that entered the network through a phishing attack. This helps you shorten your time-to-detection and time-to-contain, reducing the impact of a phishing attack on your organization. In addition, Rapid7 offers incident response services and can help you develop an incident response program.

While these areas cover the most important counter-phishing measures, I'd love to hear if you've implemented anything else that you found to be effective – just post your experience in the comments section. If you're looking at defending against phishing attacks, you may also enjoy my related webcast "You've Been Phished: Detecting and Investigating Phishing Attacks" – register now to save a seat to ask questions during the live session.
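Item 8 says to check, for incoming mail, that the sender domain publishes SPF and that the message came from an authorized server. The added example below (not Rapid7 code) shows that receiving-side evaluation offline: it walks an SPF record's ip4/ip6/include/all mechanisms with their qualifiers and returns the SPF result for a given sending IP. The TXT records are constructed stand-ins for the DNS lookups a real receiver would perform; mechanisms that need live DNS (a, mx, ptr, exists, redirect) are reported as permerror rather than guessed.

```python
"""Offline evaluation of an SPF record for a given sending IP, to show what the
'authorized server' check in item 8 does on the receiving side. Added example,
not Rapid7 code; the TXT records below are constructed stand-ins for DNS lookups."""
import ipaddress

# Constructed TXT records keyed by domain (a real check resolves these via DNS).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "some unrelated TXT record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10   # RFC 7208 limits DNS-querying mechanisms per check


def check_spf(domain, sender_ip, records=TXT_RECORDS, depth=0):
    """Return the SPF result for mail from sender_ip claiming the given domain."""
    if depth > MAX_INCLUDES:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"           # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced record passes; a missing
            # or broken included record is a permanent error for the whole check
            inner = check_spf(arg, sender_ip, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            # a, mx, ptr, exists and redirect= need live DNS; out of scope offline
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # nothing matched and no 'all' term present


def should_accept(domain, sender_ip):
    """Receiving-side policy: reject on fail, quarantine on softfail, otherwise accept."""
    result = check_spf(domain, sender_ip)
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept"), result


if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(sender, should_accept("example.com", sender))
```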

[5 Min Demo] Investigate Security Incidents Faster with User Context

Investigating incidents is a tough challenge. It's like solving a 100-piece jigsaw puzzle with a million unarranged pieces on the table. We must first identify what's relevant, and only then start to piece the disparate information together into a coherent picture. This requires a combination of technical expertise and the fortitude to parse often tedious logs, putting strain on the security team.

Want to see how we've helped customers speed up incident investigation... by an order of magnitude? Watch this 5-minute demo video of a simulated attack and the resulting UserInsight investigation. It follows the tale of Nellie Gregory, Director of Engineering, as her credentials are stolen via phishing, followed by lateral movement, privilege escalation, and exfiltration via a cloud service. Click to see Nellie's bad day:

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

UserInsight not only accelerates incident investigation, but helps you:

- Detect stealthy attacks through behavior analytics: The top three attack vectors behind breaches are compromised credentials, malicious processes, and phishing [1]. UserInsight automatically detects all three.
- Investigate incidents faster with user context: Spend less time retracing user activity across IPs, assets, and services, or digging through disparate log files.
- Expose risky user behavior from endpoint to cloud: Gain visibility into your network ecosystem, including negligent internal behavior and insider threats.

If you'd like to learn how UserInsight integrates directly with your existing security systems, network infrastructure, and cloud services, join us for a free guided demo!

1. 2013, 2014, 2015 Verizon Data Breach Investigations Report (DBIR)

Top 3 Takeaways from the "Storming the Breach, Part 1: Initial Infection Vector" Webcast

In the recent Rapid7 webcast, "Storming the Breach, Part 1: Initial Infection Vector", Incident Response experts Wade Woolwine and Mike Scutt had a technical discussion on investigation methodologies for the 3 most common breach scenarios: spear phishing, browser exploitation, and web server compromise. Their discussion was packed with details and expert tips for investigating these scenarios, so it's definitely worth the watch, but in the meantime, here are the top 3 takeaways from their discussion:

1. Timelining is everything – During an investigation, building out a timeline is crucial. By building out the chain of attack that was used, you will start to get a better understanding of what may be happening in your environment. The best way to get a good footing is to start from a pivot point, whether that be something like the date an email was sent, in the case of spear phishing, or any piece of data or time stamp that can give a rough idea of when a browser exploitation occurred. If you don't have this initial pivot point, use some techniques to reduce noise and locate one, like finding malware and working your way back. Use whatever data you can find to piece together what happened right before, during, and after the malware was dropped.

2. Tools are your friend – There are many tools that can help during an investigation to make your job easier and faster, whether you're analyzing malware or in the mitigation stage. (Specific tools that help during an investigation are recommended throughout the on-demand webinar.) There are also tools and systems that you can have in place to help prevent and detect attacks on your network. IPS/IDS systems are vital for helping to protect endpoints. Further, make sure to sandbox critical applications known to be targets of attacks, such as email clients, Flash, Java, Adobe Acrobat, web browsers, etc., so that if they're infected by malware, it can't entrench itself in your system beyond that application.

3. Limit admin access – You can save yourself a lot of headaches, time, money, and more, by limiting user access. Do not allow all users to have admin privileges. There is no reason for the average user to have local admin on their box, and you can easily ensure that users contact a help desk if they need to install additional software. Make sure your users only have the privileges they need to accomplish their job on a day-to-day basis. Attackers are getting really smart and constantly finding new and interesting ways of hiding themselves, so make sure you're doing everything in your power to make your systems and users more difficult to attack.

View the on-demand webinar now to get the detailed picture of how experts begin to investigate a breach. Register for the follow-up to this technical discussion, "Storming the Breach, Part 2: Uncovering Attacker Tracks", by visiting the webcast fire pit at Rapid7's free Security Summer Camp.

Join us at Camp Rapid7: Free Security Learnings All Summer Long

This summer, Rapid7 is hosting a ton of free, educational security content at the Rapid7 Security Summer Camp. Camp Rapid7 is a place where security professionals of all ages (Girls AND Boys Allowed!) can gain knowledge and skill in incident detection and response, cloud security, phishing, threat exposure management, and more. A few of the exciting activities for visitors at Camp Rapid7:

- Take a load off at the Webcast Fire Pit and listen to the Counselors (Security Experts!) share on "Campfire Horror Stories: 5 Most Common Findings in Pen Tests", "Detecting the Bear in Camp: How to Find your True Vulnerabilities", "Storming the Breach: Uncovering Attacker Tracks" and more in live broadcasts throughout the summer!
- Scale Security Maturity Mountain for resources on how to ensure your security program is strong and measuring up
- Hit the beach and learn how to monitor for Phishing out on the water, and how to discover even more threats from the Incident Detection Lifeguard Hut
- Gaze into the skies to up your Cloud Security knowledge
- Stop by the CISO's Cabin to learn how to transform your organization's security program to be relevant, actionable, and sustainable

Start Exploring the Rapid7 Security Summer Camp Today!

Top 3 Takeaways from the "Getting One Step Ahead of the Attacker: How to Turn the Tables" Webcast

For too long, attackers have been one step (or leaps) ahead of security teams. They study existing security solutions in the market and identify gaps they can use to their advantage. They use attack methods that are low cost and high return, like stolen credentials and phishing, which work more often than not. They bank on security teams being too overwhelmed by security alerts to be able to sift through the noise to detect their presence. In this week's webcast, Matt Hathaway explored what security professionals need to do to get ahead of attackers, whether by increasing the cost of attacks, catching attackers in their favorite hiding spots, or knowing how to recognize tools and techniques all attackers use. Read on for the top 3 takeaways from "Getting One Step Ahead of the Attacker: How to Turn the Tables":

1) Attackers Have Gotten Creative – Defenders have progressed malware detection to the point where even newer and more innovative malware can get detected and blocked with a high success rate, which is great. However, success in this area pushes attackers to adopt more stealthy and creative tactics, often involving social engineering and user impersonation. Attackers study their targets, and will use spear phishing to get a foothold on an organization's network through its users. Once in, they can move from system to system by continuing to impersonate user activity. Attackers also understand things like how the average network is laid out, gaps they may be able to take advantage of, and where people generally have monitoring in place. Attackers don't even necessarily have to be too sophisticated to be successful; sometimes persistence will be enough.

2) Anomalous Activity is the Answer – Alliteration aside, it really is crucial for security professionals to be able to recognize what kind of user activity on their network is normal, and what is not. How many systems should and does each individual usually access? What data is typically transmitted internally and externally from different groups in your organization? Have a baseline, simple measurement of what constitutes normal access for the average user. The ability to access and review all the data for an individual, account, or system is also important for when something abnormal occurs and you need more context to determine whether the alert is valid. If you aren't monitoring for anomalous user behavior, it becomes harder and harder to detect an attack early enough to prevent data loss.

3) Don't Neglect Endpoints Nor The Cloud – The majority of user activity is happening on endpoints and in the cloud, and often this information isn't getting logged in a centralized place. The cloud provides a lot of convenience and productivity, but making things easier for users introduces more opportunities for attackers. If you don't know what cloud services your company is using or what people are doing in them, attackers have a way to get data out of an organization without even reaching the network. You must analyze behavior across cloud services and your endpoints so you don't miss any suspicious changes. Failure to monitor user behavior on endpoints and in the cloud creates major blind spots for security professionals. Sometimes an indication of attack will tend towards the obvious, for example a vulnerability getting exploited or a port scan. However, a great deal of attacker behavior will be much more nuanced and stealthy.

For the more in-depth discussion of how to spot attacker behavior and increase the cost of attacks to reduce risk: view the on-demand webcast now.

Dogfooding at Rapid7: How UserInsight Saved Us from Getting Phished

A lot of companies talk about how they "eat their own dogfood". For those of you unfamiliar with the colloquialism, it means that they use their own products to validate both value and quality. This is a much easier thing to do in high technology than at, well, a dog food manufacturer. I may have breezed over the fact when I mentioned in a previous UserInsight blog that we test out the noise of an alert by enabling it at Rapid7 (among other ways) before pushing it to our customer base, but Rapid7's products are widely used internally. This is why it doesn't feel strange having our VP of Security, Josh, come to our customer gatherings: he made the conscious choice to be a customer of the entire product portfolio when he accepted his current role.

One of the most unfortunate realities of building products for the security market is that you can rarely give concrete examples of your solutions working. Case studies, references, and the standard sales tools are excellent, but they are often stripped of the gory details to avoid revealing any security gaps that the organizations may have. This is why I was so excited by a very short email chain to which I was privy because of the UserInsight "dogfooding" at Rapid7 and a few of us getting invaluable access to daily incident response activities. ckirsch just published a blog on the many ways that we can help your organization with phishing attacks, and this situation was only a very simple one, but I think we would all like to see these "quick wins" (employee names are changed to protect the truly innocent and well-behaved):

11:45AM: We (IR and UserInsight teams) received the above email alert
11:52AM: A proactive member of IT replied to the chain with a simple "I let her know not to click the link, she didn't"
11:53AM: Josh replies to all: "Love it."
Approximately noon: Everyone enjoys lunch.

The scariest thing about this phishing attack is that Rapid7 has multiple spam filters and other protective measures in place to prevent these emails from reaching us, the employees, but a few always manage to get through. This alert was raised when UserInsight spotted a suspicious link on our Exchange server that matched one of the threat feeds we consume. This means every filter and control at the perimeter had already been bypassed. If you want to get some of these quick wins on your Incident Response team, please contact us to schedule a UserInsight demo.

Phishing: How UserInsight Helps You Get Off The Hook Using Security Analytics


Phishing is one of the primary ways attackers steal credentials. For example, they can set up a fake Outlook Web Access page to harvest Windows domain credentials that enable them to access the network via VPN, to read emails, or to send highly credible phishing emails from an internal address by replying to existing email threads. UserInsight has some great features to help you assess and mitigate the risk of getting compromised through a phishing attack:

- Understand your risk through phishing simulations: Through its integration with Metasploit Pro, UserInsight can understand each user's susceptibility to phishing attacks. To do this, send out a benign phishing campaign with Metasploit Pro, measure user click-through and submission of passwords on a fake page, and pull the results into UserInsight to have each user's risk and trending at your fingertips as you're investigating an incident. The screenshot on the right shows a user's susceptibility to phishing attacks over time.
- Detect known threats in email: UserInsight consumes various threat feeds and screens your users' inboxes for emails containing known malicious URLs. When it finds a match, it alerts the incident responder that a user is at risk. Together with the knowledge of how susceptible a user is from your previous phishing simulations, you can get a first gut feel about how likely it is that they clicked on the link.
- Highlight newly registered domains as a threat: Known threats will be flagged through threat feeds, but many attackers constantly register new domains to avoid getting flagged by blacklists. In other words, phishing URLs are usually either on a blacklist or a newly registered domain. Rapid7 gathers lists of newly registered domains through Project Sonar, a community effort led by Rapid7 to improve security through the active analysis of public networks. A user reaching out to a newly registered domain will be shown as an alert in UserInsight.
- See vulnerabilities by user: If you are using Nexpose to scan your network, UserInsight can display which vulnerabilities are present on the user's assets, both on their laptop and their mobile devices, to see how likely it was that a phishing email exploited a client-side vulnerability. This ability to instantly connect vulnerabilities with a user, not with an IP address, is a key advantage of UserInsight when investigating attacks. Otherwise, DHCP makes it very difficult to research which user had which IP address at what time.
- Gain quick visibility into malware alerts by user: UserInsight integrates with endpoint protection platforms to correlate malware alerts to users. If you suspect a phishing attack, you can quickly see if known malware has been detected on the endpoint to inform your incident response.
- View who else received a particular phishing email: You can quickly and easily search for other users who have received a particular malicious URL to determine which other users may have been affected.
- Contact users to follow up: UserInsight gives you the user name, department, office, and the name of the user's manager to quickly enable you to follow up with a user currently under attack to warn them or have them help you contain the attack, e.g. by undocking their laptop and switching off WiFi. It sounds simple, but speed is key!
- Detect scanning from an infected machine: Before moving from one machine to another, attackers typically run a ping or port scan on the network to detect what other machines they can get access to. UserInsight offers production honeypots that you can easily deploy as virtual machines on your network to detect attackers planning their next step. Once deployed, honeypots require zero maintenance and update themselves.
- Detect lateral movement: Phishing is often the first step of a larger attack. If an endpoint has been compromised with a payload, attackers will typically steal credentials and move laterally across the network, for example by taking the local domain administrator's password hash and using a pass-the-hash attack to gain control over other machines on the network. UserInsight will detect these types of attacks and gives you a clear picture of which other machines an attacker may have spread to. Local credentials will leave no trace in Active Directory logs, so getting endpoint logs is critical. UserInsight leverages Nexpose's proven endpoint scanning technology to collect this information without requiring an endpoint agent (or a Nexpose license). This screenshot shows which assets authenticated to a particular machine, where it authenticated to, and highlights suspicious authentications to certain machines (red circles).

Here are some other Rapid7 solutions that can help you combat phishing:

Nexpose Enterprise
- Scan endpoints to detect client-side vulnerabilities in your browser, plug-ins, and Office applications
- Integrate with UserInsight to display vulnerabilities by user to help with incident investigation

ControlsInsight
- Get visibility and detailed advice about how to harden your endpoints, and track your progress

Metasploit Pro
- Run phishing simulations to gauge user risk and test the effectiveness of security awareness trainings
- Deliver training to end-users during a "teachable moment", right after having fallen for a phishing email
- Integrate with UserInsight to take a user's phishing risk into account as part of an incident investigation
- Run client-side exploits to test whether your systems are sufficiently hardened

Many large breaches have started through phishing attacks. One of the most memorable examples is the RSA breach a few years ago, which disrupted not only the company itself but also its customers. With UserInsight, Rapid7 applied its knowledge of the attacker, gained through its leadership of the Metasploit project and its penetration testing expertise, to constantly add new types of detection. By detecting phishing attacks early, you can contain them and reduce damage.

If you are interested in finding out more about how to better detect and investigate incidents on your network, please contact us to schedule a UserInsight demo.
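Detection logic along the lines the post describes (a URL is either on a blacklist or a newly registered domain), as an added example that is not UserInsight's or Rapid7's code: it pulls the URLs out of a message body, checks each against a constructed threat feed and then against a constructed list of domain first-seen dates, and treats anything first seen within an assumed 30-day window as newly registered.

```python
"""Added example (not Rapid7's or UserInsight's code): triage the URLs in an
email body, flagging links that match a consumed threat feed or that point at
a newly registered domain. Feed, first-seen dates and email are constructed."""
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed stand-in for a threat feed of known phishing hosts (not real IoCs).
THREAT_FEED = {"owa-login-portal.example"}

# Constructed stand-in for a newly-registered-domain feed (registrable domain
# -> first-seen date), the kind of list the post says Project Sonar supplies.
DOMAIN_FIRST_SEEN = {
    "outlook-webaccess.example": date(2017, 9, 1),
    "example.com": date(2000, 1, 1),
}
NEW_DOMAIN_WINDOW = timedelta(days=30)  # assumed "newly registered" threshold
TODAY = date(2017, 9, 15)               # fixed so the run is reproducible
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels); a real
    implementation would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url, today=TODAY):
    """Return 'known-threat', 'new-domain' or 'unknown' for one URL."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if host in THREAT_FEED or domain in THREAT_FEED:
        return "known-threat"          # matched the consumed threat feed
    first_seen = DOMAIN_FIRST_SEEN.get(domain)
    if first_seen is not None and today - first_seen <= NEW_DOMAIN_WINDOW:
        return "new-domain"            # not blacklisted yet, but just registered
    return "unknown"

def triage_email(body, today=TODAY):
    """Map each URL in an email body to its verdict. Anything other than
    'unknown' is what would raise an alert for the incident responder."""
    return {url: classify_url(url, today) for url in URL_RE.findall(body)}

# Constructed sample phishing email body.
SAMPLE_EMAIL = ("Your mailbox is almost full. Sign in at "
                "https://owa-login-portal.example/owa/auth.aspx or "
                "https://mail.outlook-webaccess.example/login to keep receiving "
                "mail. Policy: https://www.example.com/policy")

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL).items():
        print(f"{verdict:13} {url}")
```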
