Rapid7 Blog


You Need To Understand Lateral Movement To Detect More Attacks


Thanks to well-structured industry reports like the annual Verizon DBIR, the Kaspersky "Carbanak APT" report, and the annual "M-Trends" from FireEye, the realities of modern attacks are reaching a much broader audience. While a great many successful breaches were not the work of particularly sophisticated attackers, these reports make it very clear that the techniques once known only to espionage groups are now mainstream.

Lateral movement technologies have crossed the chasm

I have written before about the need for businesses to adopt disruptive technologies and have a plan to monitor them, but this is about the other side of the "war". The hacker community is the early adopter group that uses disruptive technologies in research, penetration tests, red teaming, and unfortunately, due to a few "bad apples", to steal data. Every time a new technology is made available, and especially if it is widely distributed, our friends in this world start thinking about either exploiting it, using it for unintended purposes, or both. A lot of people fear this group and their unique perspective on technology, but we are hopeless to ever keep pace with attackers without these tinkerers and their good intentions.

We have been hearing for a few years that the initial network compromise is the hardest part because moving from system to system undetected is, by comparison, rather simple. Many ignored this claim as something only possible for the highest tier of hackers with nation-state funding and espionage in their veins, but we just cannot ignore it anymore. The reports are surfacing with one consistent theme: lateral movement tools are being used by too many of the criminals now to accept our inability to detect them.

Since the technology boom of the nineties, required reading in a lot of business schools is Geoffrey Moore's "Crossing the Chasm." Its purpose is to help marketers focus on the group of people most likely to become customers at each phase of the technology adoption lifecycle, but it has significance outside of just marketing groups. The "chasm" of significance is the stage at which so many Betamaxes and HD DVDs fail, i.e. progressing from technology lovers buying them to mainstream adoption. The vast majority of technologies fail to get the momentum necessary to cross this chasm. While the technology here is not a traditionally marketed product, "hacker tools" such as mimikatz, PowerShell, and Windows Credential Editor have crossed it, and the momentum came from the consistency of those tools' undetected use in profitable breaches.

Under 200 days before detection is not really an improvement

Nowhere in the M-Trends reports has there been any celebration of the decreased number of days before breach detection, from a median of 229 in 2013 to 205 in 2014 and 146 in 2015, but unfortunately some media coverage found solace in improving upon an unsettling anchor. Even if there were any indication we could keep this pace (which there isn't), we wouldn't get the median down to a few days until after 2020. This is why we need to pay more attention to the forensics teams and hacker community to understand the factors causing such a delay in detection. Obviously, some of the organizations getting breached will not have taken security seriously, but anyone looking to see that number drop precipitously needs to focus on incident detection and response. I explained reasons detection is so important previously, but it is more than just that. We need to stop telling ourselves that breached organizations had no chance because it was the work of undetectable, super-advanced malware or some elite group of super-spies. Malware developers will continue to get more creative and disruptive technologies will continue to go mainstream, so we need to continually challenge ourselves to develop new means of detection.

Attackers are impersonating the people of authority

The first major challenge in detecting modern attacks is that humans are more interactively involved. Spear phishing may initially compromise a low-privilege user on the network, but that is just a stepping stone. Privileged accounts are a target, but not only because of the systems to which they provide access: these accounts belong to your administrators, and administrators behave in very interesting ways. When we get locked out of our machines, a desktop administrator can reset our passwords, remotely access the machine, or perform some other administrative change. When we are working remotely and some VPN issue prevents us from accessing an internal document, these administrators could theoretically add our home IP to a whitelist or provide another remote means of access. There are countless activities and tools our administrators need to do their jobs that are doubly valuable to intruders:

- They provide access to all network systems with permitted remote access tools.
- It is rare for others in the organization to question their behavior at the moment it occurs.

This is what made the T-1000 so terrifying in "Terminator 2". It could replicate anyone we would trust, but it primarily impersonated prison guards and a police officer. Why did it do this? This behavior provided unquestioned access to the necessary tools and, when viewed in isolation, a great deal of its behavior (like carrying a weapon, chasing others, or commandeering cars) could be explained away by eyewitnesses. Sure, as we watch the movie and see the string of events it caused, it seems ridiculous to use this analogy, but amid the noise of a crime-ridden city of millions of people, the pattern would take a lot longer to understand than the killing spree of a Mr. Universe wearing a leather jacket and carrying a shotgun in the original "Terminator".

Traditional classification of activity as black/white is ineffective here

This impersonation and targeting of administrators and their tools is a major reason traditional monitoring solutions are so challenged today. If you blacklist and alert on every single administrative action that could be malicious, your team is going to be overwhelmed by alerts and become so numb to the onslaught that illegitimate behavior will be ignored because of previous time-wasting investigations. If you whitelist every administrator and every tool they use, attackers need only harvest a single administrator credential and use a whitelisted administrator tool, and they can easily remain on your network, exploring the systems and stealing valuable data for 146 days or, in the worst case FireEye shared, over eight years. You need to blend the monitoring of all your users' and administrators' behavior with a recognition of how they leverage dual-purpose lateral movement tools to identify deviations from the norm. Combined with alerts for clearly malicious behavior, a series of traps for intruders to trip, and integrations with advanced malware detection, user behavior analytics can help your organization drastically improve your detection times now rather than in 2020. To learn more about InsightIDR and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit.

Leverage Attackers Need To Explore For Detection


When you examine the sanitized forensic analyses, threat briefings, and aggregated annual reports, there are two basic facts that emerge:

- There are a lot of different attacker groups with access to the same Internet as baby boomers and short-term contractors.
- Most of them are proficient at user impersonation once on the network, remaining undetected for months.

In this reality, our organizations need to do more than just build defenses and sit in waiting until known signatures are identified on our systems.

If we are outnumbered, we should embrace it

While we will never know exactly how many attackers there are, it is fair to assume there are more people, both sophisticated and not, trying to steal from your organization than are currently employed to defend its data. This view gives some security professionals a feeling of misery, but others are embracing it. Recognizing you are defending against a larger force can change the way you think and operate. It gives you the opportunity to align your team mentality to the Wolverines from "Red Dawn" (I only acknowledge the Swayze original), and we should all be looking for more chances to do that. What did the Wolverines do? They made life so difficult for the invaders that they were forced to go elsewhere.

In this scenario, you need to change the rules

Since attackers are not following any rule book, we should evaluate the process we use to defend our organizations. Unlike them, we do have rules (and laws) we need to follow, such as ensuring our organizations can effectively meet their own goals, but making our users' lives easier doesn't require us to make intruders' lives easy. If intruders are going to use legitimate tools and systems in a malicious manner, you cannot simply block the tools because that would hinder your organization's ability to conduct important business. Nowhere in the rules (or laws) does it state that your team has to serve your systems and credentials to all who ask in pristine condition. Your user population should not know every asset on the network, just the systems they need to accomplish their goals. You can be truthful with your employees and contractors while also omitting some truths and blatantly lying to outsiders.

When you cannot change legitimate user behavior, find ways to lure the illegitimate

There are some ways in which employees in our companies regularly behave that introduce unwanted risk. Actions like installing unsigned applications or clicking email links without thinking are behaviors we all want to stop in our legitimate users. We can block some of it, but intruders use this unintentional risky behavior to hide their intentional malicious behavior with stolen credentials and compromised systems. Detecting behavioral changes and unnecessary risk is core to what we do, but we can never get overconfident that we can spot 100% of it. We can also trick intruders into exposing themselves. Since they are deceptively using legitimate accounts and administrative tools to evade detection while exploring our networks, we can use their goals and needs against them. Their goal is to obtain valuable data from your network and sell it to others. To reach this goal undetected, they need to access more credentials and systems to gradually move to the important systems, so you can give them systems and credentials to steal. If only your security team knows of these decoys, only intruders and your unnecessarily curious insiders are going to interact with them.

Traps need to be a tool in your effort to see more

You need to set traps in your organization for both intruders and malicious insiders to trip. You can set all kinds of them, just like the laser beams, pressure plates, and heat sensors the characters in your favorite heist movies have to navigate to reach the valuables without triggering the alarms. Unless you're making the layout of your traps public knowledge, attackers will have to trip them before they can distinguish the decoys from the legitimate, just as spraying aerosol on laser beams would likely trigger them in the real world. Every InsightIDR customer has the option to deploy an unlimited number of honeypots, honey users, and honey credentials. These traps require so little maintenance that our customers often forget they have them deployed until a legitimate user starts poking around on the network where they shouldn't, or a system is improperly configured and starts broadcasting to every system in the company. We plan to continually add more in this area because, in combination with the identification of changes in user behavior analytics, these make it extremely difficult to hide on your network, so the intruders will go elsewhere. Learn more about honeypots, honey users, and honey credentials in our InsightIDR product. To learn more about these traps and other Rapid7 Incident Detection and Response solutions, check out our new solutions page, which includes our Incident Response Services.

Enterprise Account Takeover: The Moment Intruders Become Insiders


Every time an attacker successfully breaches an organization, there is a flurry of articles and tweets attempting to explain exactly what happened so information security teams worldwide are able to either a) sleep at night because they have mitigated the vector or b) lose only one night of sleep mitigating it. Here's the problem: every breach is complex and involves a great deal more malicious actions than are published on your chosen 24-hour news website. The least detected action is the use of compromised credentials, or account takeover. It is completely unpredictable when account takeover will take place in an attack; the most predictable aspect of this action is that it will occur in the vast majority.

Every breach has some group of articles explaining that it "used stolen passwords"

In the hundreds of articles that follow each data breach, a few of them always mention that "hackers used stolen passwords". The reason for this consistency is that compromised credentials can be used in so many different ways and are so often used in conjunction with malware or other hacker tools. To highlight some very recent examples, compromised credentials can be used to:

- Initially access a server lacking 2-factor authentication after having stolen them through a phishing campaign (JPMorgan Chase)
- Directly access a number of systems containing personal information of customers after spearphishing employees (ICANN and eBay)
- Access a vendor web application as a trusted third party to then move deeper into the network via exploits (Target and Home Depot)
- Laterally move from system to system via harvested password hashes before discovering an administrator account (Sony, all of the above)
- Use a harvested privileged account to access restricted systems for data to be exfiltrated (all of the above)

The major challenge in interpreting these reports is that everyone wants to boil down each attack to a single cause. Much like major catastrophes in other types of complex systems, it is rarely a single point of failure but rather a combination of vulnerable systems and compromised credentials. If you want to blame the initial point of entry as the cause of the breach in an organization taking the "defense in depth" approach, you are neglecting the many other layers that needed to be navigated to successfully move through the network, steal data, and get it to an external server. Many of these intruder actions look a great deal like a malicious insider when viewed in hindsight, but only because legitimate accounts are so heavily used.

Detecting account takeover is difficult because you need to identify subtle changes

At any stage of the attack, identifying the moment when a legitimate account has been taken over by intruders is both very challenging and integral to identifying an incident early in modern attacks. You must have monitoring in place that has established behavior baselines for the user population on your network. Without knowledge of the activity that is both typical and permitted, spotting the nuance in a user's gradual change in behavior is impossible. It is similar to the way the average person walking down the street in "The Matrix" trilogy would suddenly get taken over by an "agent". For anyone not actively monitoring the matrix, this takeover would go unnoticed, but the "operators" could see it happen and immediately notify the others.

If you want to detect account takeovers on your network prior to the attacker having explored a significant portion of it, you need to understand how users are behaving on your endpoints, because that's where the majority of all attacker actions are going to take place. Even if you are collecting the logs from all endpoints (which very few organizations are), if your solution is not attributing all legitimate activity to its responsible users, you can only baseline activity by IP address. This means that a lot of the less common activity for your organization will look more prevalent because of a few individuals who access multiple systems and work from multiple locations. Given only the data and IP addresses in a separate SIEM, most user behavior analytics solutions will identify a great many false positives because they lack the context necessary to truly understand what the humans were doing on your network.

The InsightIDR team is obsessively focused on finding ways to identify that moment when intruders start using compromised credentials to move around the network as stealthily as a technically savvy malicious insider. This is no longer a capability of only the most sophisticated attackers; it is disturbing to see that a moderately skilled individual with a grudge can take a single compromised system or account and move around a network with ease. It is impossible to differentiate every malicious action an account makes from the legitimate operations, so we enrich the data around the legitimate activity for search, alert only when we are fairly certain something is awry (rather than on every anomalous action), and help you backtrack through all notable behavior for a user once they are determined to be a part of an incident. If you want to see how Rapid7 solutions can help you detect attacks leveraging compromised credentials, check out this resource page and make sure to download our complimentary toolkit filled with relevant resources. You'll see just how much we obsess over detecting that moment.
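The following is an added example, not Rapid7 or InsightIDR code, written to illustrate two points from the posts above: the honey-user traps described under "Traps need to be a tool in your effort to see more", and the difference between baselining activity per user and baselining it only per IP address. Every account name, host, address and logon event below is constructed for the example.

```python
# Added example (not Rapid7 code): a toy detection pass over constructed logon
# events showing (1) honey-user trips and (2) why a per-user behaviour baseline
# catches account takeover that an IP-only baseline misses or mis-flags.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    day: int      # constructed day index; days < LEARN_DAYS form the baseline
    user: str     # account that authenticated
    src_ip: str   # address the logon came from
    target: str   # host the account authenticated to


LEARN_DAYS = 3
# Decoy account that exists in the directory but is used by nobody legitimate
# (constructed name); any use of it is an alert on its own.
HONEY_USERS = {"svc-backup-old"}

# Constructed sample telemetry. admin.jane is a desktop admin who works from
# her desk (10.0.5.20) and a VPN pool address (10.0.9.40) and touches many
# servers; bob only ever uses his own workstation from his own desk.
EVENTS = [
    Logon(0, "admin.jane", "10.0.5.20", "ws-bob"),
    Logon(0, "admin.jane", "10.0.5.20", "fileserver01"),
    Logon(1, "admin.jane", "10.0.9.40", "fileserver01"),
    Logon(1, "admin.jane", "10.0.9.40", "dc01"),
    Logon(2, "admin.jane", "10.0.9.40", "dc01"),
    Logon(0, "bob", "10.0.5.30", "ws-bob"),
    Logon(1, "bob", "10.0.5.30", "ws-bob"),
    Logon(2, "bob", "10.0.5.30", "ws-bob"),
    # Detection window (day >= LEARN_DAYS):
    # (a) bob's credentials used from the VPN pool to reach a file server
    Logon(3, "bob", "10.0.9.40", "fileserver01"),
    # (b) jane does her usual DC work from a different VPN pool address
    Logon(3, "admin.jane", "10.0.9.41", "dc01"),
    # (c) someone on bob's workstation tries the decoy account
    Logon(3, "svc-backup-old", "10.0.5.30", "fileserver01"),
]


def honey_account_hits(events):
    """Any use of a honey user is an alert: only the security team knows it."""
    return [e for e in events if e.user.lower() in HONEY_USERS]


def baseline(events, key):
    """Map key(event) -> set of targets seen during the learning period."""
    seen = defaultdict(set)
    for e in events:
        if e.day < LEARN_DAYS:
            seen[key(e)].add(e.target)
    return seen


def new_target_alerts(events, key):
    """Flag detection-window logons to a target never seen for that key."""
    seen = baseline(events, key)
    return [e for e in events
            if e.day >= LEARN_DAYS and e.target not in seen[key(e)]]


def by_user(events):
    """Baseline attributed to the responsible user (the post's recommendation)."""
    return new_target_alerts(events, key=lambda e: e.user)


def by_ip(events):
    """Baseline keyed only on source IP (what a log-only SIEM can do)."""
    return new_target_alerts(events, key=lambda e: e.src_ip)


if __name__ == "__main__":
    # Per-user: flags (a) and (c), stays quiet on (b).
    # Per-IP: misses (a) because jane's VPN address already reached
    # fileserver01, and falsely flags (b) because 10.0.9.41 is a new address.
    for label, alerts in (("honey", honey_account_hits(EVENTS)),
                          ("per-user", by_user(EVENTS)),
                          ("per-IP", by_ip(EVENTS))):
        print(label, [(a.user, a.src_ip, a.target) for a in alerts])
```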

Insider Threat or Intruder: Effective Detection Doesn't Care


For various reasons, I have recently had a lot of conversations about insider threats. What is the best solution for them? How can they be detected? Does InsightIDR detect them? Rather than answering these questions with more questions, here is what I say: when you are detecting the malicious activity properly, the precise actor is unimportant. It is extremely important for the follow-up investigation and response that you know whether the person with hostile intentions is a legitimate member of your organization or someone who manipulated his way through the perimeter via social engineering or other commonly used tactics, but detecting the indicator of compromise should only focus on the actor when determining if more intelligent analysis is needed to cover them all. Let me break down the similarities and differences of these two types of actors to explain my point a bit (with the help of a couple of my favorite 90s movies):

Intruders

Despite what we all learned from Trinity in "The Matrix", intruders are not going to ride a motorcycle into your organization's building and shoot everyone on a direct path to the central computer. I think that behavior might raise enough suspicion within your physical security team to send a brief note over to the incident response group. Typically, real-world attackers will use stolen credentials as a way into an organization, either through a combination of LinkedIn research and spearphishing or by buying compromised credentials from the type of black market website where such purchases are widely available. However, once Trinity was at the keyboard of the "master computer", she did use nmap to scan the network to determine her next move. This realistic reconnaissance of the network needs to be detected if you want to spot an attack in its infancy. An intruder's next move is to continue stealthily moving to different systems using whatever legitimate passwords (or hashes) she has obtained along the way. Eventually, some privileged stolen credentials will enable access to an important system where monetizable data resides.

Insider Threats

Now, "Office Space" has both the most depressing representation of the product manager role and the campiest example of malicious insiders of any movie in my mental catalog, but if Peter, Michael, and Samir were going to manipulate their organization's financial accounts today, they would not simply walk into the server room and run an executable from a 3.5" floppy disk. Even the newly promoted Peter would not have the ability to run an application on that well-guarded system. They would instead need to gain access to the accounts with privileges to access these kinds of critical systems. To find these accounts, they would start accessing other endpoints and servers on the network where the privileged users may have authenticated, just as an intruder would. This also assumes that your insider threat has a preexisting knowledge of (a) the actual systems with valuable data, (b) the users that would have access to them, and (c) the standard evasion tactics and the kinds of tools necessary to obtain and reuse credentials. In reality, the vast majority of insiders disgruntled enough to seek retribution or accept a bribe are going to be poking around in the dark with much less sophistication than an experienced attacker, i.e. broadly scanning the network, crawling every page on a wiki site, or locking themselves out of systems by misusing credentials.

As you can see, once inside the organization, intruders behave very much like a malicious insider. Outsiders will generally explore the network more to learn where the valuable data is, but the vast majority of malicious insiders also do not know where the valuable data resides. In both cases, the malicious actor du jour needs to use someone else's credentials in a manner that differs from the norm. Despite being physically located in vastly different places, the intruder and the insider are both accessing privileged accounts or critical systems from internal assets and accounts. If you are focused on spotting the point when a legitimate user starts to do things that are out of character and concerning, you will detect both. I highly suggest that you test the user behavior analytics in InsightIDR against both scenarios, as we have, and take a look for yourself. To get the process started, please visit our solution page. I'm confident that you will see how we will help you detect both types of malicious actors.

P.S. Please accept my apologies for failing to use any references to "Superman III" or "Real Genius".

Are You Enabling Corporate Espionage?


While I was flipping through some news stories the other day, a small headline appeared that piqued my interest. The headline reads: Former St. Louis Cardinals Exec Pleads Guilty To Cyber Espionage Charges

Cyber espionage… in baseball? That was too intriguing to pass up! It essentially describes this: employees from one club, the St. Louis Cardinals, left to join another club, the Houston Astros. During their previous tenure with the Cardinals, they had built databases of scouting and talent reports. When the employees joined the Astros, a very similar database got constructed. The Cardinals are now concerned that their intellectual property has been misappropriated. So they used a list of "master passwords" that were in use at the time their databases were built, and used those, or variants of those, to break into the Astros databases. The Department of Justice says that's a violation of the Computer Fraud and Abuse Act. The news article also posts an excerpt from the DOJ release:

In one instance, Correa was able to obtain an Astros employee's password because that employee had previously been employed by the Cardinals. When he left the Cardinals organization, the employee had to turn over his Cardinals-owned laptop to Correa – along with the laptop's password. Having that information, Correa was able to access the now-Astros employee's Ground Control and e-mail accounts using a variation of the password he used while with the Cardinals.

There are a few things going on as described in the release. Let's examine them.

- The employee obviously reused passwords, or close variants, and in this case carried them over from one organization to another. This very common human practice leads us to believe that security awareness training was not conducted well or not enforced.
- The databases were presumably web-enabled applications, from the descriptions. It does not appear that proper account control was used, such as restricted logins.
- From the DOJ release, at least four intrusions occurred before the Astros required all users to change their passwords to something more complex. Was monitoring being done, or was this a lucky break?
- However … when they reset the passwords, they emailed the default passwords out to the users … which were intercepted because the email accounts were under the control of the attacker. This is a very common security gaffe made by operational teams.
- Several more intrusions happened before the intruder was finally caught and identified.
- The intruder was finally charged with five counts of unauthorized access of a protected computer. Each conviction carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine. Sentencing is set for April 11.

Espionage is not just a cloak and dagger drama played out by three-letter agencies. It can happen in the unlikeliest of places, even baseball. It stands to reason that you and your organization are just as exposed. The question then is: are you enabling corporate espionage by not having real, enforceable security controls for your organization? To answer that question, you need to look at how you are managing security in your organization. Let's just look at the points mentioned above.

Security Awareness

Security awareness training is an important, but often overlooked and underfunded, tool that builds good security behaviors into your organization. Security awareness is recognized in several control frameworks as an essential element of your security program. NIST 800-53 (AT, SA & PM), HIPAA 164.308(a)(5), PCI 3.0 (12.6), ISO 27000-2013 (A.7.2.2) and CIS Critical Control 17 all refer to security awareness training. NIST 800-53 has security awareness guidance in control AT-2. The control states that the organization provides basic security awareness training to information system users as part of initial training, when required by information system changes, and on an organization-defined frequency thereafter. The common mistake with frequency is that organizations choose annual or bi-annual timeframes. If you want a behavior to become habitual, you need to reinforce it as often as possible. Awareness education also needs to be fresh. You don't have to spend a lot of money or resources on this. It can be in the form of reminders, newsletters, or stories around the water cooler like this one from current events to help describe desired behaviors.

Account Monitoring and Control

Proper account monitoring and controls, especially for web-exposed applications, are extremely important, as attackers will frequently impersonate legitimate users. NIST 800-53 (AC), HIPAA 164.308 and 164.312, PCI 3.0 (7.1 – 7.3 and 8.7 – 8.8), ISO 27000-2013 (A.9.xx) and CIS Critical Control 16 all reference account monitoring and control. The first step is to ensure accounts which cannot be associated with a business process and owner are disabled. Then sweep all old accounts and remove them. Attackers will take advantage of dormant accounts to get into a network. All user accounts should have expirations. Monitoring account activity is also required to spot suspicious activity. A SIEM can spot patterns of use that might trigger an alert (such as logging into a system after business hours), or a login from a restricted IP can be flagged. As Yogi Berra once said, "you can observe a lot by watching."

Default Password Handling

From a process perspective, default passwords should never be emailed. All default passwords should require some form of authentication of the user. This could be a call into support, or a visit to the desk. Attackers can gain control of a user's email account, and when passwords are set or reset, the attacker will have access to the account. Human-to-human interaction for default passwords, with a proper authentication step, is the safest way to distribute passwords.

The situation that happened to the Astros could have been prevented or discovered early, and the damage might have been reduced. Take a close look at your account control policies and practices, your web-enabled application security, and your fraudulent activity monitoring. When was the last time these controls were validated? Do they even exist? As for user awareness, when was the last time users were told about bad passwords and the dangers of re-use? This baseball story is one you can use to illustrate why re-use behavior is bad. I don't always agree with the famous quote by Eldridge Cleaver, but in this case it's very appropriate: "You are either part of the solution or part of the problem." And to quote the famous Yogi Berra, "It ain't over 'til it's over!"

12 Days of HaXmas: Rapid7 Gives to You... Free Professional Media Training (Pear Tree Not Included)


Ho ho ho, Merry HaXmas! For those of you new to this series, every year we mark the 12 days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year we're kicking the series off with something not altogether hackery, but it's a gift, see, so very appropriate for the season. For the past couple of years, I've provided free media training at various security conferences, often as part of an I Am The Cavalry track, and often with the assistance of a reporter. Big thank-yous and lots of adoration for SantaJen's helpers: Steve Ragan (my most frequent partner in crime), Paul Roberts, and Jim Finkle. In the spirit of giving that is synonymous with HaXmas, the purpose of this blog is to make that training freely available to anyone who's interested.

Why are we doing this? It's pretty simple really: I believe security professionals have important information to share, which can help individuals and organizations understand how they are at risk, and what they need to do to protect themselves. You could say that's a gift, and I reckon it's pretty valuable. The media can be a fantastic way of disseminating information broadly, and the good thing is that a lot of publications have dedicated security reporters these days. Unfortunately that doesn't mean it's all smooth sailing. The challenge comes in the details. Security pros are typically dealing with a pretty complex and nuanced subject matter. Media is driven by attention-grabbing headlines and a need to feed the attention spans and limited knowledge of readers. As a reporter, you have to cater to people with a range of familiarity, understanding, and interest in the subject matter, even if you write for a specialist security title. There can be a vast distance between the deep technical knowledge of a security pro and the will-my-editor-like-it need of reporters, and that provides much opportunity for misunderstanding, misreporting, or oversharing.

NB: One thing I want to flag here is that my media training isn't about an adversarial relationship between spokesperson and reporter; it's about optimizing the engagement for a better result all the way around. We don't train people on this because we believe reporters are evilly conspiring against us. In fact, part of the reason I try to train with a reporter is to help build a greater understanding of their world, including their motivations, pressures, and challenges. The training does talk about how to navigate certain reporter "techniques," but often these actions arise unintentionally, or for valid reasons (e.g. a reporter going quiet on a call to catch up with their notes). You won't always encounter these techniques anyway, but if you do (and regardless of why they are used), you are better off knowing how to handle them. So in a nutshell, the media training I deliver is designed to help security pros share the information they have in as impactful, non-FUDy, and helpful a way as possible. My goal is that we'll get better at making security relevant beyond our echo chamber, and in turn we'll help people understand it and protect themselves. Oh, and it probably doesn't hurt that getting good at briefing press helps our industry, and helps you as an individual build your career.

So what am I actually giving you? Having received several requests for my slides, I created a deck designed for people to “self-teach,” which you can download here. And yes, people have been known to pay me to media train their spokespeople, so this is free professional training, as promised in the title. The presentation is licensed for use under the Creative Commons BY 4.0 license, so you can feel free to share it. If you end up using it to build an amazing career as a media trainer, I'd appreciate a cut of your newfound riches.

[If you feel that this is not hackery enough to be considered an appropriate gift for HaXmas, you can think of it as me teaching you how to “hack the media for fame and profit,” which is the title I sometimes present under at cons.]

Want more? For those that want even more advice, Steve Ragan and Violet Blue have both written posts on interacting with media at conferences:

http://www.csoonline.com/article/2952395/security-awareness/a-primer-on-dealing-with-the-media-as-a-hacker-and-dealing-with-hackers-as-the-media.html
https://blog.rapid7.com/2015/07/22/the-black-hat-attendee-guide-guest-post-talking-to-the-media-press/

If you have specific questions, drop them into the comments section and I will try to answer them. If you have examples of putting the training into practice, I'd love to hear about it – let me know! Merry HaXmas! ~@infosecjen

Tis the season! For user outreach

As we prepare to move into the end-of-year holiday season, organizations tend to enter one of two modes: they are either winding down end-of-year activities in preparation to close their books, or they are sprinting to get things done before the end of the year. Sometimes it's a mixture of both. One common theme, no matter what mode you are in, is that your users will be distracted by the holidays. And if they are distracted, they are more prone to error, which means more vulnerable to attack and fraud. But you can use this to your advantage!

One of the best tools in your awareness toolbox is communication. Your users will listen to you, especially if you communicate messages they are open to hearing. Online fraud spikes during the next couple of months, so helping your users with their holiday shopping is an excellent way to get your message heard. Remember, imparting awareness is about changing behaviors, so giving your users tools to be aware of their online behaviors in their personal lives can naturally spill over into their corporate lives. It's a win-win!

The best thing about this technique is that it's free. There are many resources available from many outlets that you can use to send your message. Or you can create your own, tailored to your users and their needs. I prefer a mix of both, as you can tailor your message and also get some support from some significant resources. Here are a couple of articles that popped up recently in my Flipboard feed that have good content:

Don't Get Grinched By Cybercrime During The Holiday Season (AP Newswire)
The biggest security mistakes people make when buying things online (Business Insider)

If you are not aware (ha!), SANS publishes the free OUCH! newsletter on security awareness, and the November 2015 issue contains online shopping tips. The nice thing about OUCH! is that you can just redistribute it. Again, my preference is a combination of all these things.

Planning your message to hit the hot topics in your organization will have the best effect. For example, during a security awareness roadshow, I got asked the same question by a lot of people, one that I had not even thought would be an issue today: “Is it safe to use my credit card online?” Of course this depends on your interpretation of safe. However, it occurred to me that my users very likely did not understand what the fraud rules were around using credit/debit cards. So a quick search revealed the FTC rules around the Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA). Here's the resource page that explains the liability:

Lost or Stolen Credit, ATM and Debit Cards

The biggest takeaway is the difference between ATM/debit and credit cards. While the liabilities are limited similarly, ATM/debit is higher risk because it directly accesses funds, which are then unavailable until the dispute is resolved. This may not be news to you, but you would be surprised at the number of your users who don't understand this. Having you state it and then backing it up with FTC rules makes a very powerful message. Obviously this applies to the USA, so for your country the rules may be different.

Another strong message is showing how to avoid click fraud by not clicking on tracking numbers in fake UPS, FedEx, or USPS shipping emails. It's natural that people will have ordered something, or maybe a lot of things, online, and maybe they've ordered so much they might be wondering what package is arriving. All these outlets have web pages devoted to exposing the fraud:

FedEx
UPS
USPS

The tip here is to not click the link, but go to the shipper's website and enter the tracking number manually. Again, this may seem obvious to you, but to those who are not aware, it can be an epiphany.

Another thing I like to do is give users tools to make smart shopping choices. Very often non-technical people are buying computers for themselves or their kids who are in school. Creating a simple matrix on buying a PC (what to look for, what terms mean, etc.) and passing it out can be a huge help. And since this is the season of giving, I'm giving this to you! Attached to this post is a PowerPoint with my take on a typical outreach document that you can re-brand and distribute, tear apart, or whatever you like. I prefer to use the more visual elements, infographics, and a newsletter style, but I included some word summaries that you can draw from. Now you can help your users be safe when they want to buy that Sarlaac Toilet or Bacon Bandages! I also included the “How To Buy A Computer Guide” that you can use, modify, or whatever.

The best gift you can give yourself is to build on this idea. Use this holiday season to start your outreach and then keep it going as often as you can: weekly, monthly, quarterly, or whatever period you can manage. The trick is to keep those lines of communication open, and your users will be more open and willing to accept your messages over time.

How Does #cyberaware Broaden Our Community?

We all know, from experience or the Verizon DBIR, that stolen credentials are the most common attack vector. Users still present massive risk to our organizations, yet there's plenty of debate about the effectiveness of user training. Meanwhile, users are getting all the FUD of breaches in the news, and aren't yet armed to have constructive conversations about them. Now, this is not to say there aren't awesome security teams running security training programs out there – there most definitely are. But no matter how well-crafted the message, one small, very busy security team pushing out security information or training to users gives only one point of contact. That's just not enough for anything— let alone something as complex as security — to stick.

Thankfully the conversation is shifting from security being something for just the “technical folks” to worry about, to security as a shared responsibility in which everyone needs to – and can – be involved. After all, security doesn't impact only the security team. Security isn't important only inside the workplace. Why should conversations about security awareness be? For people to be truly aware, learn, and take responsibility, there must be conversation, overlap, and multiple points of contact.

That's why this October, for National Cyber Security Awareness Month, Rapid7 has taken security awareness outside the office. We have placed ads on the MBTA in Boston – where Rapid7 has its headquarters and Cambridge office. Commuters can visit rapid7.com/aware to test their knowledge of a few low-hanging fruit, get some quick tips, and educate themselves on why these things are important. We've also put together three NCSAM email templates ready for sharing with your company, family, and friends to encourage them to engage and brush up on security pointers. Lastly, visitors to the interactive site are invited to refer a colleague to test their security chops – increasing touch-points with the content and starting conversations across organizations.

While Rapid7's focus is and always will be on innovative security software and services, it is important – especially during NCSAM – to look at the big-picture impact on our community, which includes non-security roles. Let us know what you think! Do you want to see security awareness ads in your city? What other things should we, as an industry, do to get the general public's attention to help them think more about their own security practices?

Top 3 Takeaways from the "How to Make your Workplace Cyber-Safe" Webcast

In the first of four Cyber Security Awareness Month webcasts, a panel of security experts, including Bob Lord, CISO in Residence at Rapid7, Ed Adams, President and CEO at Security Innovation, Chris Secrest, Information Security Manager at MetaBank, and Josh Feinblum, VP of Information Security at Rapid7, came together to discuss "How to Make your Workplace Cyber-Safe". They touched upon how to create a security-centric culture, combating common threats targeted at users, characteristics of an effective security awareness program, and best practices for managing passwords and devices. Read on to learn the top 3 takeaways from this webinar:

1. Security should be a reflex – A strong sign that an organization has successfully created a security-centric culture is that secure actions are reflexes for users across the organization. For example, has it become second nature for employees to know how to treat sensitive data, when it's okay to share information, and how to spot phishing attacks? If employees aren't sure about something, do they ask security or just click? If users are asking before acting, it's a pretty good indicator that a security-centric culture has successfully started to spread.

2. It takes Two-Factor Authentication – Every user can be a pathway in. Any given user may not be the most impactful entry point, but they can be the first step to lateral movement within an environment. Be skeptical of all user activity, and use two-factor authentication to remove risky users from the equation. Don't let one mistake from a risky user impact your organization. A successful hack is substantially more difficult when two-factor authentication is in play, and it can make the act just challenging enough that the attacker may move on to an easier target.

3. Security is a Team Sport – Teach users at your organization to be more skeptical. Hiring more security professionals isn't enough to improve security – you need security-smart eyes and ears all over the organization. Plus, you'll benefit from less hostile, more understanding relationships between security and other business units. Build bridges, not walls! Integrate security into your culture, and groups around the organization will start to recognize the need to bring security into projects earlier. Don't just give users rules to blindly follow – teach them how attackers work and think, and empower users to make decisions when the security team is not around.

To listen to the full discussion: view the on-demand webcast now. Learn more and register for additional sessions in our Cyber Security Awareness Month Webcast Series.

Detecting Intruders Early Can Ruin Their Business Model

If you look at attackers as faceless, sophisticated digital ninjas, it instills fear, but doesn't really help to stop them. While there are many motivations for attacking an organization and stealing its data, the most frequent are based on money. This is why it sometimes helps to view them as you would any other business: as having costs and needing to generate revenue to survive.

Attacker groups are similar to high-tech startups

There is a thriving economy full of people who breach organizations, steal the information contained on their systems, and sell it. There are teams that cover the breadth of skills necessary and those who specialize in social engineering, exploit development, or drop servers, but the consistency across them all is that they will cease to exist if they cannot fund their efforts. Most threats to the vast majority of organizations today are not going to be funded by a foreign government; they need to successfully sell information to continue paying social engineers or buying credentials, servers, exploits, malware, and any other tools they need to steal from their next target. The most successful groups are continually building new tools, testing their effectiveness, and iterating on their process according to the results. They learn from any failed attempts to gain access to a network, move through the organization, and exfiltrate data they can sell. This process of trying, learning from the results, expanding what works and throwing away what doesn't is very similar to the Lean Startup methodology. A lot of businesses have developed their "secret sauce" through this process, and criminal groups are similarly finding their "secret sauce" of tools they use to steal and sell information without going to prison.

Financially motivated attackers increase their revenue through continued access

There is one area in which these groups have not been forced to iterate a great deal. In the last few years, the breaches yielding the most sales for their crew of attackers used a lot of very similar tools to, once inside, steadily explore the network undetected. "Smash and grab" attacks still happen, but to really maximize their return, attackers need to gain access to the network and progressively access more systems to find the valuable data they can sell to others, whether it is in the form of credit card data, personal information, health records, or intellectual property. They make no money from the initial compromise, so they are incentivized to stay inside undetected for as long as possible, and the results are on their side. Though it does take them time to make money from a breach, it takes an order of magnitude more time for most organizations to detect them.

If you have pets, as I do, this description might conjure images of a tick. I am not going to include a real image of these disgusting parasites because I want someone to read this post, but I see a great deal of similarities, and we can learn a little from our experience dealing with them. We cannot completely eliminate ticks, but they also don't really benefit, or cause significant harm, unless they remain on you or your animal undetected for a long period of time. For this reason, as ticks with a resistance to prevention-only tick treatments survived and multiplied [yay, natural selection!], a new chemical was added to slowly kill them from the bite, because it was no longer assumed you could just stop them all from latching. Even with these treatments, we still need to periodically check for ticks, because resistant ones emerge and finding them before they do damage is so important.

We need to significantly shorten the time to contain to cut off their revenue

Just as letting a tick live on your household pet for more than a day can lead to both a satisfied parasite and serious disease, letting intruders remain on your network for more than a few hours means money for the attacker and damage to your organization. Unfortunately, there is no "treatment" we can give our internal systems to kill attacker hard drives, but when we accept that some attackers will get onto our network eventually, we can focus on detecting them once inside and stopping them from stealing any valuable data. Finding and eliminating the parasitic intruders soon after the initial compromise has the same impact on their ability to survive as a business that effective prevention does. While there are many reasons startups fail, the consistency across the failures is the inability to function without revenue.

To learn more about Rapid7's Incident Detection and Response solutions, check out our new solutions page, which includes our Incident Response Services.

Top 3 Takeaways from the "Security Pro's Guide to Breach Preparedness and Response" Webcast

In this week's webcast, Wade Woolwine and Mike Scutt talked about how to prepare for an incident and be ready to respond effectively when one occurs. Breaches are happening all the time. They vary in size and scope, but will end up affecting every organization in one way or another. Incident preparedness leads to more efficient and streamlined incident response. Read on to learn the top takeaways from Wade and Mike's “Security Pro's Guide to Breach Preparedness and Response” webcast:

1. Know Thyself… and Thy Adversary – Understand your goals, your technology and people's capabilities, and the criticality of what you are protecting (assets, users, data). Have a very clear understanding of the likely threats against your environment. Know what tools and processes are already in place, where your gaps are, and take steps to fill those gaps. Be aware of your security architecture's deficiencies so that you know when you'll need specialized equipment. As soon as alarm bells start ringing during a breach, take measures to figure out what you're dealing with. How were you initially compromised? Where is your valuable data? How can the attacker(s) communicate in your environment? Make sure to have a comprehensive understanding of the tools the attacker has deployed, and their capabilities. Know how to get the data to understand where the intruder is in the attacker lifecycle and what actions to take before they can get critical data out of your environment. You should be prepared to prioritize threats, incidents, and remediation to apply the right resources at the right time and perform your investigation while getting the best possible evidence from it.

2. Practice, Practice, Practice – There are a lot of intersecting technologies, processes, and people involved in incident preparedness and response. This requires consistent coordination, communication, and practice so that when it comes time to respond, everyone knows how to perform their role, communicate, handle evidence, and how the incident will be managed. Even with a great deal of preparation, things won't be perfect. There will be a huge adrenaline rush, and people will be running around hoping to take action, possibly without even understanding the severity of what you're looking at yet. Stick to practiced routines during a real breach as much as possible to stay grounded. Know who to call to take care of each piece of the response. Make sure to stop every so often to double check that you're following procedure, and that it's fitting your needs. Don't be afraid to step back and recollect yourselves to ensure you're on the right track. The more practice your organization has through your incident preparedness, the easier it will be to fall back on a solid routine in a time of crisis to get through it effectively.

3. Post-Mortems are Paramount – One of the most important steps in incident preparedness and response is the last one: a wrap-up to determine lessons learned. Bring all the people involved together to figure out if everything was coordinated properly and executed according to plan. What went well? Were there any holes in your procedures or execution of plans? Were you able to pivot if things weren't going as expected? Figure out what can be done better in the future, and be ready to apply these learnings for the next incident response. Perform threat exercises incorporating your gained knowledge and adapt policies as needed in the meantime.

Watch the on-demand webcast now for the in-depth view of the 6 Steps to Prepare for Incident Response, and tips for what to do when you're thrown into response mode.

Top 3 Takeaways from the "Planning for Failure: How to Succeed at Detecting Intruders on your Network" Webcast

Last week, Rick Holland, Principal Analyst at Forrester Research, joined Christian Kirsch to discuss the concept of planning for failure in your security programs by being equipped to detect and investigate effectively when intruders get past your defenses. Read on to learn the top takeaways from their discussion on “Planning for Failure: How to Succeed at Detecting Intruders on your Network”:

Avoid Expense in Depth – Buying more and more stuff, and increasing the number of vendors and technologies you work with rather than expanding within your existing ones to find capabilities you aren't using, is ultimately hurtful. This tactic results in a Frankenstein's monster-like environment that makes it very difficult to coordinate a defense. It's important to have an actual strategy and some introspection to understand what is happening in your environment and why. All expense in depth ends up doing is creating internal friction and slowing organizations down. Examine your investments in people, processes, and technology to become more agile and create friction for adversaries.

Triage Based on High Value Assets – Figure out where you should be focusing security efforts by zeroing in on your high value assets. Do this by looking at what generates revenue, what generates fines, technical discovery using data loss prevention tools, and by identifying people and assets associated with risks. Have an inventory of accounts adversaries are most likely to target, and make sure to consider PCI, PII, and PHI data, as well as intellectual property.

It's all about balance – Couple the knowledge of internal priorities and high value asset protection with what attackers are likely targeting: credentials! Intruders use credentials to masquerade as users and dig deeper into your environment by escalating their privileges. This makes them really difficult to find, so emphasis must be placed on understanding user context. UserInsight makes it possible for security teams to do this by giving insight into Intruder Analytics – it allows for automatic detection of attacks, quick and simplified investigation, connecting solutions for benefits like adding user context to data from monitoring solutions, and setting traps for intruders. You can drill into user and intruder data without having to write any queries.

Check out the recording from the live session to see UserInsight in action and hear the in-depth discussion on planning for failure to protect your organization: view the on-demand webcast now.

Top 4 Takeaways from the "2015 Security New Year's Resolutions: Expert Panel" Webcast

In this week's webcast, our panel of security experts took the time to reflect on the past year and discuss their 2015 Security New Year's Resolutions. For this discussion Trey Ford, Global Security Strategist at Rapid7, and Josh Feinblum, VP of Information Security at Rapid7, were joined by Andrew Plato, President/CEO at Anitian, Chris Calvert, Senior Strategy Manager – Red Team and Cyber Threat Intelligence at TELUS, and Bob Jones, Information Security Manager at City of Corpus Christi, TX. The panelists spoke about lessons learned from the past year, best practices to implement going forward, and each person's top 2015 security initiatives. Read on to learn the top takeaways from this lively discussion:

1. Security is an enterprise problem, not an IT problem – 2014 was the year that security became a topic of conversation in board rooms and dining rooms through a steady stream of public events. Higher-ups are more receptive than ever to hearing from security practitioners, and general awareness of security as an issue that needs attention beyond compliance is high. We should take advantage of this by ensuring that users are educated about steps they should take to protect themselves and that security professionals get included in the first stages of business decision conversations. If they're brought in too late they can be seen as a disruption to progress, or worse, issues can slip by without notice from security. Executives are realizing that check-box security isn't enough, and security professionals need to seize this opportunity to partner with leaders and keep security top of mind.

2. Be smart with your budget – Now that many boards and executives are paying attention to the issue of security, and in some cases allowing for more budget to support security programs, security professionals need to be very smart about how they manage their money. Throwing more money and more tools at an issue won't solve any problems. Tools alone aren't enough - you need to understand what the problem is and have the ability to do something about it. Security teams need smart people solving problems creatively, and to hold their security vendors accountable to consistently provide value and improve a team's ability to reduce noise to something manageable. The technology and controls in place need to work for security professionals to get them the data and insight they need, and if processes and policies aren't working, we should get out of our comfort zones to update and change them.

3. Nail the fundamentals – More than anything else, the extreme importance of working to perfect security fundamentals was hammered home during this discussion. It is dangerous and ineffective for security professionals to get ahead of themselves, especially with many major breaches still occurring through simple avenues. Security teams must know exactly what systems they have, how many are running in their environment, who should be accessing them, who owns them, and what normal behavior looks like on each system. They need things like defense in depth, multiple layers of controls, and configuration, change, and vulnerability management to start. These are the building blocks to anything a security organization needs to get done (for more details on security fundamentals check out the webcast recording), and these fundamentals need to be successfully managed for a company to become mature and think about adding in more complex solutions. Security professionals must practice doing the common uncommonly well.

4. Assume breach! – When it comes to being breached, it is not a question of if, but when! Have a breach response plan, and don't assume that because things are quiet you are safe and secure. Always assume the next attack is looming so you are ready and aware when an incident occurs. By operating on an "attackers will find a way" premise you can focus on making sure the attacker's mobility is limited and quickly identifiable once they've entered your environment.

To listen to the full discussion and learn about each expert's 2015 security initiatives, view the on-demand webinar now.

How Vulnerable Are Your Phishing Targets?

When you're assessing the exposure to phishing in your organization, one important part is the client-side vulnerabilities that would enable a malicious attacker to exploit a browser. In this blog post, I'd like to outline a non-invasive (and free!) way to get visibility into your client-side risk landscape.

There are essentially two ways to use phishing as part of your security program.

Phish 2 Pwn: If you are a penetration tester, you'll likely use spear phishing of a couple of users to compromise a machine to gain a first foothold in the network and then pivot from there.

Phish 2 Educate: Phishing as part of your security program uses simulated phishes to see how many of your users would click on a link or enter credentials on a fake form.

Metasploit Pro offers phishing options for both Phish 2 Pwn and Phish 2 Educate. For this blog post, we'll focus on the latter. With Metasploit, you would typically set up your phishing email, containing a link to a landing page, which could be used to do any of the following:

- Exploiting the browser or its plugins
- Displaying a fake login page to harvest credentials (e.g. OWA login page)
- Tracking click-throughs
- Delivering security awareness training
- Any combination of the above

Some phishing projects don't allow you to exploit clients, but there is a great way to determine client-side vulnerabilities using a free Rapid7 product called BrowserScan. Think of BrowserScan like Google Analytics for client-side vulnerabilities: you embed an invisible JavaScript snippet in your landing page and view the vulnerabilities in your BrowserScan dashboard. It records both browser and plugin vulnerabilities. While a vulnerability management solution, such as Nexpose, can give you this kind of information about clients inside your network, BrowserScan gives you the vulnerability ratings of the machine actually used by the user, such as the user's home PC.

Here's how you do it:

1. Create your free BrowserScan account
2. Click on Tracking and choose the Transparent badge, which is not visible when the user visits the page
3. Embed the JavaScript code in your phishing landing page

Once you have run your phishing campaign, you'll be able to see the results for vulnerable clients in your BrowserScan Dashboard. You can view the number of vulnerable clients overall or by a particular plugin. Here's Oracle Java by vulnerability status:

You can also see the breakdown by version number:

BrowserScan is not only limited to your phishing campaigns - you can also host it on other web pages, e.g. your intranet page or a frequently used internal web application, to get a quick, easy, and free view of your users' security posture, no matter where they may access the page from. You can even include a badge on your intranet page that gives the user instant feedback on their security posture. You may even consider this for your phishing training page.

Want to give this a try? Create your free BrowserScan account now!
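As an added illustration (not BrowserScan's own snippet, which the post does not reproduce), the JavaScript below sketches the two halves of such a setup: a badge that collects plugin versions from the visiting browser, and a dashboard check that compares them with a minimum-version baseline to produce the "vulnerable / up to date" breakdown described above. The plugin names, baseline versions and sample navigator object are constructed for the example.

```javascript
// Added example (not BrowserScan's own snippet): how a transparent badge might
// gather plugin versions on a landing page, and how a dashboard might flag
// clients below a minimum version. Baseline and navigator are constructed.

// Parse "1.7.0_45" or "11.2.202.291" into an array of integers.
function parseVersion(s) {
  return String(s).split(/[._-]/).map(p => parseInt(p, 10) || 0);
}

// Negative if a < b, 0 if equal, positive if a > b; missing parts count as 0.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < Math.max(va.length, vb.length); i++) {
    const d = (va[i] || 0) - (vb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Client side: what the badge would report. `nav` is passed in so this runs
// outside a browser; in a page you would pass window.navigator.
function collectClientReport(nav) {
  const plugins = [];
  for (const p of nav.plugins || []) {
    const m = /(\d+(?:[._]\d+)+)/.exec(p.version || p.description || "");
    plugins.push({ name: p.name, version: m ? m[1] : "unknown" });
  }
  return { userAgent: nav.userAgent, plugins };
}

// Dashboard side: compare each plugin with the minimum acceptable version.
function assessReport(report, baseline) {
  return report.plugins.map(p => {
    const min = baseline[p.name];
    let status = "untracked";
    if (min && p.version === "unknown") status = "unknown";
    else if (min) status = compareVersions(p.version, min) < 0 ? "vulnerable" : "up to date";
    return { ...p, status };
  });
}

// Constructed sample data: a client running Java 7u45 against a 7u51 baseline.
const sampleBaseline = { "Java": "1.7.0_51", "Shockwave Flash": "11.9.900.170" };
const sampleNavigator = {
  userAgent: "Mozilla/5.0 (constructed sample)",
  plugins: [
    { name: "Java", version: "1.7.0_45" },
    { name: "Shockwave Flash", description: "Shockwave Flash 12.0 r0" },
  ],
};
```

In a real deployment the badge would send the report to the dashboard over HTTPS and the baseline would come from vulnerability data; here both halves run in one process so the comparison logic can be checked offline.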

Social Media: Vector for the New Economic Attack?

The big news in security this week has been the hijacking of the Associated Press' Twitter account. The attackers leveraged the "bad news" atmosphere created by the events in Boston last week to gain some measure of credibility for a tweet about bombs exploding at the White House. This is not a particularly new approach: in 2007, the Storm Worm used bad news in an email subject to get people's attention ("230 dead as storm batters Europe") and install malware on their machines.

The difference here is that the AP twitter hack resulted in 4,000 retweets within 15 minutes, and the DOW dropped 143 points. It is not clear whether the latter was the motivation for the attack, but it does raise the question of whether we might see more social media attacks aimed at impacting the stock market in the future. The impact on the stock exchange may have only been momentary, but it was significant. This seems to me like it could potentially spawn a new attack trend with some pretty significant economic implications.

We have seen a number of high profile brands targeted through their social media profiles. For instance, in February, Burger King's twitter account was hacked and its photo was set to the McDonald's logo with a message stating that Burger King was sold to McDonalds. Fortunately, in addition to the merger tweet, the hacker tweeted other inappropriate things, so it was fairly obvious the account was hacked. And it is safe to say that the fast-food company's stock did not fluctuate wildly.

So the four things I would challenge individuals and organizations to consider are:

1. The power of social media tools and the impact they can have on your reputation, personally or at an organizational level. Organizations might want to consider developing a security/risk management strategy around these systems.

2. The criticality of good passwords on every account, not just those protecting sensitive financial or company data. Use longer passwords (8-12 characters), don't reuse passwords across multiple sites, and use special characters. Also, don't use words obviously associated with you, your organization, or the site in question. For example, "Rapid7_Twitter_password" might be long and use special characters, but it's probably not the best bet for us!

3. The entry point for the attack was a spear-phishing email. These can be really hard to spot these days, so be wary in general of emails encouraging you to click on something or open something. Always check whether the "from" address looks right, and don't click on the link itself - open a browser and type in what you think the link should be based on logic. Bottom line: if in doubt, forward the email to your colleagues in security or IT, or else just ignore it.

4. Lastly, consider testing your users to measure their susceptibility to these kinds of attacks. For example, automated social engineering testing can help you identify training and education needs.
