Rapid7 Blog


[Cloud Security Research] Cross-Cloud Adversary Analytics


Introducing Project Heisenberg Cloud

Project Heisenberg Cloud is a Rapid7 Labs research project with a singular purpose: understand what attackers, researchers and organizations are doing in, across and against cloud environments. This research is based on data collected from a new, Rapid7-developed honeypot framework called Heisenberg, along with internet reconnaissance data from Rapid7's Project Sonar.

Internet-scale reconnaissance with cloud-inspired automation

Heisenberg honeypots are a modern take on the seminal attacker detection tool. Each Heisenberg node is a lightweight, highly configurable agent that is centrally deployed using well-tested tools, such as terraform, and controlled from a central administration portal. Virtually any honeypot code can be deployed to Heisenberg agents, and all agents send back full packet captures for post-interaction analysis.

One of the main goals of Heisenberg is to understand attacker methodology. All interaction and packet capture data is synchronized to a central collector, and all real-time logs are fed directly into Rapid7's Logentries for live monitoring and historical data mining.

Insights into cloud configs and attacker methodology

Rapid7 and Microsoft deployed multiple Heisenberg honeypots in every "zone" of six major cloud providers: Amazon, Azure, Digital Ocean, Rackspace, Google and Softlayer. They examined the service diversity in each of these environments and the types of connections that attackers, researchers and organizations are initiating within, against and across these environments.

To paint a picture of the services offered in each cloud provider, the research teams used Sonar data collected during Rapid7's 2016 National Exposure study. Some highlights include:

- The six cloud providers in our study make up nearly 15% of available IPv4 addresses on the internet.
- 22% of Softlayer nodes expose database services (MySQL & SQL Server) directly to the internet.
- Web services are prolific, with 53-80 of nodes in each provider exposing some type of web service.
- Digital Ocean and Google nodes expose shell (Telnet & SSH) services at a much higher rate - 86% and 74%, respectively - than the other four cloud providers in this study.
- A wide range of attacks were detected, including ShellShock, SQL Injection, PHP webshell injection and credential attacks against SSH, Telnet and remote framebuffer (e.g. VNC, RDP & Citrix).
- Our honeypots caught "data mashup" businesses attempting to use the cloud to mask illegal content scraping activity.

Read More

For more detail on our initial findings with Heisenberg Cloud, see our report and the slides from our recent UNITED conference presentation.

Acknowledgements

We would like to thank Microsoft and Amazon for engaging with us through the initial stages of this research effort, and, as indicated above, we hope they and other cloud hosting providers will continue to do so as we move forward with the project.

Cyber security around the world - 8/5/14 - UK Information Security Breaches Survey


With so much happening in cyber security around the world lately, we're highlighting some of the interesting stories each week from across Europe, the Middle East, Africa and Asia Pacific. This week we're in the United Kingdom, where the 2014 Information Security Breaches Survey was launched at InfoSecurity Europe.

United Kingdom

The UK government has published the Information Security Breaches Survey every year since the early 90s with the aim of increasing awareness of security risks. It's an interesting read and provides quantifiable insight into the current state of security across UK businesses. This year's report found that over 80% of large organisations and 60% of small organisations had a security breach in the last year. What's more alarming is that breaches are costing twice as much as last year – the average cost of a breach to a large organisation is now £600k to £1.15m (US$1.0m to US$2.0m). This is predominantly driven by the costs of business disruption, incident response, and lost assets and intellectual property.

Given the high costs, it doesn't surprise anyone that security continues to be top of mind for UK businesses. Around 80% of senior management rank it as a high or very high priority, and almost the same percentage have briefed their board on security risks in the last year.

Echoing the findings in the Verizon 2014 Data Breach Investigations Report, detection is where it all falls apart. The majority of breaches take longer than a day to detect, while 14% of organisations took longer than a month to detect a breach, up from 9% last year. A bit of a worry is that 1 in 10 organisations discovered they had been breached by accident – you have to wonder if there are many more breaches that have yet to be discovered.

Other insights similar to the Verizon 2014 DBIR include the need to get the basics right:

“Continuing the worrying trend we saw in 2013, many organisations still don't take patching seriously leaving themselves vulnerable to attack.”

...and phishing as a dangerous attack vector:

“The volume of such attacks is very concerning – 9% of the affected organisations have to deal with phishing attacks several times a day and 5% of them receive hundreds of attacks a day.”

Finally, the report highlighted the changing IT environment: 5 in 6 UK businesses are now using some kind of cloud service, with the adoption of cloud storage growing the most since last year. Just over half of large organisations and three quarters of small organisations allow staff to bring their own device, with issuing a security policy being the most popular approach for mitigating the risk. While having a policy in place is important, it's essential to also have visibility of what your users are doing in order to enforce these policies. Rapid7 UserInsight was developed to give organisations visibility of user activity within the firewall, on mobile devices or in cloud services. A free trial of UserInsight is available.

Stolen passwords - the no. 1 attack vector


The latest Verizon DBIR 2014 report, published last week, clearly shows that the use of stolen credentials became the most common attack vector in 2013. In our upcoming webcast, Matt Hathaway and I will discuss how user-based attacks are becoming the no. 1 "threat action" (in Verizon's words) and how organizations can detect and investigate these attacks in a faster, more efficient way.

Combined with phishing as the 3rd most used attack vector in 2013, we see a clear trend: an increasing number of attackers break into the network by compromising users, either by stealing their credentials or by using social engineering methodologies.

When looking at specific attack types, such as the now infamous compromise of POS machines, the DBIR identifies the stolen password as the 2nd most common cause of POS compromises, accounting for 38% of these events (brute forcing into the POS device is still the no. 1 most common method of intrusion). The sad stats of the DBIR clearly show how all of us security professionals lag behind the attackers when comparing the time taken to compromise a POS machine with the time it actually took to detect the intrusion. While machine compromise and data exfiltration happen in a brief moment (87% of POS compromises occurred within seconds or minutes, and 88% of data exfiltration happened within minutes of the intrusion), in only 1% of the cases were the intrusions detected within days. In fact, detection takes weeks in 85% of these cases and, even worse, months in 13% of the cases. This is too late. Way too late.

UserInsight was developed to detect compromised users at each stage of an attack: the leveraging of user credentials to break into the network, attacker movement inside the network, and the access of critical assets, such as POS servers. A free, limited-features edition is available.
