Rapid7 Blog

UNITED  

UNITED Summit: Day 2


After a jam-packed day one of Rapid7’s UNITED Summit, the UNITED running club started the day bright and early yet again. The rest of us opened UNITED day two with a fireside chat hosted by Jen Ellis, Rapid7 VP of Community and Public Affairs, and a slew of prominent security commentators: Lares founder Chris Nickerson, Mach37 Cyber’s managing director Mary Beth Borgwing, Veracode CTO Chris Wysopal, and Josh Corman of the Atlantic Council and I Am The Cavalry. We skipped last year's on-stage drinking but kept the lively debate, which started with automation and moved swiftly through machine learning, theories on the future of software and security policy, and time frames for security’s being integrated into teams organization-wide. There was little wholesale agreement (that’d make for a boring debate, after all!) but much overlap in the group’s opinions and predictions: Yes, automation is important, and automating what everyone can do frees us as a community to focus on what we, uniquely, can do; machine learning isn’t magic and requires focus on the right problems and the right incentives; there’s plenty of need—and hope—for input and engagement on policy, even and especially when getting it right is difficult; reducing complexity and making it possible for everyone in organizations to do the every-day work of security is key. The panel wrapped up with a lighthearted question: What’s your #1 prediction for the future of infosec? Click through for the respective answers from Chris Nickerson, Josh Corman, Chris Wysopal, and Mary Beth Borgwing. There’s nothing like a fast-talking panel of smart people to get conference-goers geared up for a bunch of action-packed sessions, and that’s exactly what we had in store for UNITED attendees after our fireside chat concluded. Rapid7’s data science team talked about how Rapid7 builds and maintains internet-scale active and passive telemetry platforms (and what we learn from them) in the Research & Collaborate track. 
Folks listening to talks in the Assess & Remediate track got insight into how to talk to their boards about information security. Phish, Pwn, & Pivot attendees learned how to keep pen testers (and attackers!) out of their networks. And Rapid7’s transportation security director Craig Smith led a brilliant session on self-driving vehicles and their relationship to security. The afternoon was no less bountiful in information and engagement opportunities: the Detect & Respond track revealed the hidden value in log management, we dug into how organizations around the world can prepare for GDPR, and Rapid7 Threat Intelligence Lead Rebekah Brown and the DoJ’s Leonard Bailey discussed information exchange with the government. Research Director Tod Beardsley closed out the Research & Collaborate track with a succinct-yet-cheerful statement: “You’ve got 0-day! Here’s how to deal with it.” Before our phenomenal closing keynote, the Metasploit team awarded prizes for the first-ever UNITED CTF. Congrats to the persistent and talented winners! As the end of 2017’s UNITED Summit drew near, Chief Marketing Officer Carol Meyers took the stage to deliver thanks to Rapid7’s partners, speakers, and—of course—our incredible customers and community attendees. She then introduced Dan Geer, CISO of In-Q-Tel, iconic security futurist and commentator, and undeniable facial hair inspiration (though there’s no defeating Rapid7’s Deral Heiland). Geer invoked a litany of philosophers, scientists, public servants, and writers as he drove home some beautifully, impactfully-delivered points: The attack surface in the world is expanding, and it’s doing so faster than the security skill umbrella can match. What we do here, in this field and everything that touches it, isn’t so much a ‘profession’ as it is an occupation—or as some might have put it, a vocation. 
Geer referenced the lessons he’s learned in engineering and biostatistics, respectively: First, that getting the problem statement right is essential, and second, that correcting for data bias in an imperfect world will be, necessarily, imperfect. “My principal challenge,” he told the audience, “has been the balance between getting the problem statement right and choosing tolerable failure modes based on the data available...This hasn’t changed: You have to know what problem you’re trying to solve and which data you need to solve it.” This theme kept resurfacing as Geer took the UNITED audience through some of security and technology’s fundamental tensions, particularly when building models and thinking about the future: causality vs. control, optimization vs. resiliency, automation vs. sentience. Our problem statement, he said, is not cybersecurity itself, but rather the side effects of the pursuit of it. If the future is data-rich and the technologies acting upon all that data are dual-use, how do we ensure integrity of that data and the supply chain that underpins it? What, as an industry, are our ‘tolerable failure modes’—do we trust the data we have? Do we make and keep algorithms interrogatable? Do we keep humans in the loop as we move further and further toward automation? And is it a good thing when we do? Big questions deserve deeply-considered answers—your engagement at UNITED and beyond is critical to helping us at Rapid7 and the industry as a whole understand and address our proverbial problem statements. Rapid7 thanks all of you at UNITED for your much-valued participation and your continued attention to the big questions and the big problems that drive us. As Dan said in closing: “There’s never enough time. I thank you for yours.” You can find the full transcript of Geer's speech here. For a limited time, you can watch both UNITED’s fireside chat and Dan Geer’s closing keynote on-demand here. For more UNITED blog content, check out these posts.

Data Mining the Undiscovered Country


Using Internet-scale Research Data to Quantify and Reduce Exposure

It’s been a busy 2017 at Rapid7 Labs. Internet calamity struck swiftly and often, keeping us all on our toes and giving us a chance to fully test out the capabilities of our internet-scale research platform. Let’s take a look at how two key components of Rapid7 Labs’ research platform—Project Sonar and Heisenberg Cloud—came together to enumerate and reduce exposure over the past two quarters. (If reading isn't your thing, we'll cover this in person at today's UNITED talk.)

Project Sonar Refresher

Back in “the day” the internet really didn’t need an internet telemetry tool like Rapid7's Project Sonar. This: was the extent of what would eventually become the internet, and it literally had a printed directory that held all the info about all the hosts and users: Fast-forward to Q1 2017, where Project Sonar helped identify a few hundred million hosts exposing one or more of 30 common TCP & UDP ports:

Project Sonar is an internet reconnaissance platform. We scan the entire public IPv4 address range (except for those in our opt-out list) looking for targets, then do protocol-level decomposition scans to try to get an overall idea of the “exposure” of many different protocols, including:

In 2016, we began a re-evaluation and re-engineering project of Project Sonar that greatly increased the speed and capabilities of our core research gathering engine. In fact, we now perform nearly 200 “studies” per month collecting detailed information about the current state of IPv4 hosts on the internet. (Our efforts are not random, and there’s more to a scan than just a quick port hit; there’s often quite a bit of post-processing engineering for new scans, so we don’t just call them “scans.”) Sonar has been featured in over 20 academic papers (see for yourself!) and is a core part of the foundation for many popular talks at security conferences (including 3 at BH/DC in 2017).

We share all our scan data through a research partnership with the University of Michigan — https://scans.io. Keep reading to see how you can use this data on your own to help improve the security posture in your organization.

Cloudy With A Chance Of Honeypots

Project Sonar enables us to actively probe the internet for data, but this provides only half the data needed to understand what’s going on. Heisenberg Cloud is a sensor network of honeypots developed by Rapid7 that are hosted in every region of every major cloud provider (the following figure is an example of Heisenberg global coverage from three of the providers). Heisenberg agents can run multiple types and flavors of honeypots, from simple tripwires that enable us to enumerate activity: to more stealthy ones that are designed to blend in by mimicking real protocols and servers:

All of these honeypot agents are managed through traditional, open source cloud management tools. We collect all agent-level log data using Rapid7's InsightOps tool and collect all honeypot data—including raw PCAPs—centrally on Amazon S3. We have Heisenberg nodes appearing to be everything from internet cameras to MongoDB servers and everything in between. But we’re not just looking for malicious activity. Heisenberg also enables us to see cloud and internet service “misconfigurations”—i.e., legitimate, benign traffic that is being sent to a node that is no longer under the control of the sending organization but likely was at some point. We see database queries, API calls, authenticated sessions and more, and this provides insight into how well organizations are (or aren’t) configuring and maintaining their internet presence.

Putting It All Together

We convert all our data into a column-storage format called “parquet” that enables us to use a wide array of large-scale data analysis platforms to mine the traffic. With it, we can cross-reference Sonar and Heisenberg data—along with data from feeds of malicious activity or even, say, current lists of digital coin mining bots—to get a pretty decent picture of what’s going on. This past year (to date), we’ve publicly used our platform to do everything from monitoring Mirai (et al) botnet activity to identifying and quantifying (many) vulnerable services to tracking general protocol activity and exposure before and after the Shadow Brokers releases. Privately, we’ve used the platform to develop custom feeds for our Insight platform that help users identify, quantify and reduce exposure. Let’s look into a few especially fun and helpful cases we’ve studied:

Sending Out An S.O.S.

Long-time readers of the Rapid7 blog may remember a post we did on protestors hijacking internet-enabled devices that broadcasters use to get signals to radio towers. We found quite a few open and unprotected devices: What we didn’t tell you is that Rapid7’s Rebekah Brown worked with the National Association of Broadcasters to get the word out to vulnerable stations. Within 24 hours the scope of the issue was reduced by 50%, and now only a handful (~15%) remain open and unprotected. This is an incredible “win” for the internet, as exposure reduction like this is rarely seen.

We used our Sonar HTTP study to look for candidate systems and then performed a targeted scan to see if each device was — in fact — vulnerable. Thanks to the aforementioned re-engineering efforts, these subsequent scans take between 30 minutes and three hours (depending on the number of targets and the complexity of the protocol decomposition). That means that when we are made aware of a potential internet-wide issue, we can get active, current telemetry to help quantify the exposure and begin working with CERTs and other organizations to help reduce risk.

Internet of Exposure

It’d be too easy to talk about the Mirai botnet or stunt-hacking images from open cameras. Let’s revisit the exposure of a core component of our nation’s commercial backbone: petroleum. Specifically, the gas we all use to get around. We’ve talked about it before, and it’s hard to believe (or perhaps not, in this day and age) such a clunky device... ...can be so exposed. We’ve shown you we can count these IoThings, but we’ve taken the ATG monitoring a step further to show how careless configurations could possibly lead to exposure of important commercial information. Want to know the median number of gas tanks at any given petrol station? We’ve got an app for that: Most stations have 3-4 tanks, but some have many more. This can be sliced-and-diced by street, town, county and even country, since the vast majority of devices provide this information with the tank counts. How about how much inventory currently exists across the stations? We won’t go into the economic or malicious uses of this particular data, but you can likely ponder that on your own.

Despite previous attempts by researchers to identify this exposure—with the hopeful intent of raising enough awareness to get it resolved—we continue to poke at this and engage when we can to help reduce this type of exposure. Think back on this whenever your organization decides to deploy an IoT sensor network and doesn’t properly risk-assess the exposure depending on the deployment model and what information is being presented through the interface.

But these aren’t the only exposed things. We did an analysis of our Port 80 HTTP GET scans to try to identify IoT-ish devices sitting on that port, and it’s a mess: You can explore all the items we found here, but one worth calling out is: These are 251 buildings—yes, buildings—with their entire building management interface directly exposed to the internet, many without authentication and not even trying to be “sneaky” by using a different port than port 80. It’s vital that you scan your own perimeter for this type of exposure (not just building management systems, of course), since it’s far easier than one would expect for something to slip onto the internet.

Wiping Away The Tears

Rapid7 was quick to bring hype-free information and help for the WannaCry “digital hurricane” this past year. We’ve migrated our WannaCry efforts over to focused reconnaissance of related internet activity post-Shadow Brokers releases. Since WannaCry, we’ve seen a major uptick in researchers and malicious users looking for SMB hosts (we’ve seen more than that, but you can read our 2017 Q2 Threat Report for more details). As we work to understand what attackers are doing, we are developing different types of honeypots to enable us to analyze—and perhaps even predict—their intentions. We’ve done even more than this, but hopefully you get an idea of the depth and breadth of analyses that our research platform enables.

Take Our Data...Please!

We provide some great views of our data via our blog and in many reports: But YOU can make use of our data to help your organization today. Sure, Sonar data is available via Metasploit (Pro) via the Sonar C, but you can do something as simple as:

    $ curl -o smb.csv.gz https://scans.io/data/rapid7/sonar.tcp/2017-08-16-1502859601-tcp_smb_445.csv.gz
    $ gzcat smb.csv.gz | cut -d, -f4 | grep MY_COMPANY_IP_ADDRESSES

to see if you’re in one of the study results. Some you really don’t want to show up in include SMB, RDP, Docker, MySQL, MS SQL, MongoDB. If you’re there, it’s time to triage your perimeter and work on improving deployment practices. You can also use other Rapid7 open source tools (like dap) and tools we contribute to (such as the ZMap ecosystem) to enrich the data and get a better picture of exposure, focusing specifically on your organization and threats to you.
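As an added example (not Rapid7's code) of the triage step described above, this script reads a downloaded study file and reports which of your own addresses answered on which ports, flagging the services the post calls out. The column names saddr and sport are an assumption about the study CSV layout, and the sample rows are constructed from documentation address ranges.

```python
"""Triage a Project Sonar study file against your own address space.

Added example, not Rapid7's code. It assumes the study CSV has a header row
naming the responding-host column (saddr) and the probed-port column (sport);
those names are an assumption about the file layout. The sample rows are
constructed, using documentation address ranges.
"""
import csv
import gzip
import io
import ipaddress
from collections import defaultdict

# Services the post says you really don't want to show up in.
HIGH_RISK_PORTS = {
    445: "SMB",
    3389: "RDP",
    2375: "Docker",
    3306: "MySQL",
    1433: "MS SQL",
    27017: "MongoDB",
}

# Constructed sample in the assumed layout of a sonar.tcp study file.
# The last row is deliberately malformed to show that it is skipped.
SAMPLE_STUDY = """timestamp_ts,saddr,sport,daddr,dport
1502859601,198.51.100.7,445,203.0.113.9,54321
1502859602,198.51.100.250,445,203.0.113.9,54322
1502859603,192.0.2.33,445,203.0.113.9,54323
1502859604,198.51.100.7,3389,203.0.113.9,54324
not,a,valid,row
"""


def read_study(path):
    """Return the text of a study file, transparently handling .gz downloads."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def find_exposed(study_text, my_cidrs, host_col="saddr", port_col="sport"):
    """Map each of our hosts seen in the study to the (port, service) pairs it answered on.

    Rows outside my_cidrs or with unparsable fields are skipped, so a noisy
    or truncated study file does not abort the triage.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in my_cidrs]
    exposed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(study_text)):
        try:
            host = ipaddress.ip_address(row[host_col])
            port = int(row[port_col])
        except (KeyError, TypeError, ValueError):
            continue  # malformed row, or the assumed columns are absent
        if any(host in net for net in networks):
            service = HIGH_RISK_PORTS.get(port, "tcp/%d" % port)
            exposed[str(host)].add((port, service))
    return {host: sorted(ports) for host, ports in exposed.items()}


def high_risk_hosts(exposed):
    """Return the hosts that answered on one of the services the post calls out."""
    return sorted(host for host, ports in exposed.items()
                  if any(port in HIGH_RISK_PORTS for port, _ in ports))


if __name__ == "__main__":
    # Replace SAMPLE_STUDY with read_study("smb.csv.gz") and the CIDR list
    # with your own ranges to run this against a real download.
    hits = find_exposed(SAMPLE_STUDY, ["198.51.100.0/24"])
    for host, services in hits.items():
        print(host, ", ".join("%s/%d" % (name, port) for port, name in services))
    print("triage first:", high_risk_hosts(hits))
```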
Fin

We’ve got more in store for the rest of the year, so keep an eye (or RSS feed slurper) on the Rapid7 blog as we provide more information on exposure. You can get more information on our studies and suggest new ones via research@rapid7.com.

UNITED Summit: Day 1


Day one of Rapid7’s UNITED Summit is almost over! We kicked off this morning with welcome remarks from CEO Corey Thomas (after a very, ahem, colorful performance by the Blue Man Group!), who spoke on the need to de-silo data and teams in the interest of driving innovation and solving big problems. He made a point of calling out the cybersecurity industry’s tendency to believe that security teams can be successful independently of IT—a shackle, as Corey put it, that holds us back, often unnecessarily. One of Corey’s most powerful attributes as a speaker is the way he constantly evokes forward motion; at UNITED, he asked key questions for the security industry as a whole and for Rapid7 as a company: How can we harness our collective imagination to create a sense of optimism in our field and beyond? Are the organizational models of the past really serving us today? What areas of expertise will ensure our continued relevance and success in a changing world? Looking ahead with clarity and focus is a talent our CEO has in spades. We’re thrilled to be able to share Corey’s vision so intimately with our customers and the community! We chose a formidable speaker and technologist as UNITED’s opening keynote: Nicholas Negroponte spoke eloquently on everything from the breakdown of barriers between the natural and manmade worlds to the need for innovation and the inevitability of change. UNITED’s thematic notes resonated in the MIT Media Lab co-founder’s words—we in technology are both witness and driver to the crumbling walls of old models and distinctions, whether those borders lie between nation-states or between IT and security teams. As we look to package and deliver information in new ways (a car from a seed!), it’s urgent that we ask whether we’re developing new approaches to big problems. “When I wake up in the morning, I ask myself a question,” Negroponte told the UNITED audience. “‘Will normal market forces do what I’m doing today?’ If the answer is yes, I stop. 
They don’t need me.” Rapid7 Chief Product Officer Lee Weiner and Customer Success SVP Stephanie Furfaro offered smart, actionable answers to the morning’s big questions on the future of technology with a powerhouse presentation on customer-centered innovation. UNITED attendees got a close-up look at how the vision for Rapid7’s Insight platform informs and enhances individual product improvements—from fresh container security assessment functionality in InsightVM to uniting UBA and SIEM capabilities with InsightIDR. Much like Corey Thomas recognizes the pressing need for collaboration between IT and security teams, Lee and Stephanie put strong emphasis on synergy between product and customer success teams. As Stephanie said right off the bat, “Our customers are heroes….We want to be there when you need us.” A rousing round of applause for our three Rapid7 Customer Award winners marked the end of the morning presentations and the beginning of an afternoon that included talks on everything from automation and container security to the evolution of the CVE and cybersecurity for trade agreements. The Metasploit crew kicked off their exclusive UNITED CTF, Deral Heiland and Craig Smith led an IoT lab complete with hands-on demos, and a slew of different Rapid7 teams gave 1:1 expert consultations (at no cost!) for attendees. This afternoon we’ll host a series of industry roundtables so UNITED guests can share challenges and solutions with others in their industry. Want to gear up for tomorrow? Plan your day with the full agenda, and if you’re extra motivated, get up early to join the UNITED running club for a 5K jogging tour of Boston! Not here in person? Follow the #R7UNITED hashtag on Twitter and take advantage of the UNITED live stream showing tomorrow’s fireside chat and Dan Geer’s closing keynote. Thanks to everyone who made the trip out to Boston to join us this week, and to those of you watching at home! You’re all our heroes.

Keeping it simple at UNITED


The following post is a guest blog by Bo Weaver, Senior Penetration Tester at CompliancePoint. If you're attending UNITED, you can catch Bo's talk at 11:45 AM on Thursday, September 14 in the Phish, Pwn, and Pivot track.

Hi! I’m Bo. I’ll be speaking at Rapid7’s UNITED Summit in Boston this week, and Rapid7's community manager asked me to write a little blog about my talk. I marvel at how on the net we make up new words for a common digital thing—even spell check says "blog" isn’t a word! I know what a "bog" is and I know in our line of work a "blob" is a large chunk of data in a database table. Living in the mountains makes finding bogs kinda hard, but the chunk of word data below is swampy enough to qualify. I’ve worked in the security field for over twenty years. Long before the Internet I worked in private security, mostly undercover on corporate and industrial espionage. This was back in the day when you actually had to physically steal stuff. I also did a lot of work in Executive Protection. My Internet career started even before that when I was in the Navy: I studied as an Electronic Technician while in school; we all worked on a little R&D project called ARPANET. While working on this I never thought that it would turn into what it’s become! In the 90s I did a lot of work with BBSes and then dialup ISPs in the Southeast—mostly securing these networks. Since then I’ve had about every network security job there is. I've learned a lot over the years, and I'll be sharing some of that knowledge at UNITED. My passion has always been hacking. For roughly the last 5 years I have been working for CompliancePoint, an Atlanta-based security consulting company, as a senior penetration tester and security researcher. The thing I love most about my job here is that we test everything from Mom and Pop companies running an online business to major corporate and government networks. We get to see it all.
My talk at UNITED is about reducing complexity and how even big problems can have relatively simple solutions. Sometimes organizations think they need to throw millions at a problem when some time, some knowledge, and little expense can fix even major issues. I learned about KISS in engineering school and have never forgotten: “Keep It Simple, Stupid”. Doesn’t matter if you’re building a toaster or a world network. Kiss it! See the full UNITED agenda here.

GDPR or GDP-argh? Find out at UNITED!


Contained within this post is a secret look into the talk-planning life of Samantha Humphries, Rapid7's senior manager for international solutions, and Katie Ledoux, a senior security analyst. Let's watch what happens.

From: Caitlin Condon
Sent: 16 August 2017 15:26
To: Samantha Humphries; Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Sam! Katie! How would you two feel about writing a blog post on your UNITED session on GDPR and how it’s going to affect U.S.-based companies? It seems like some folks here think this is a Europe-only issue. Your session should debunk that myth. You game?

From: Samantha Humphries
Sent: 16 August 2017 16:26
To: Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Hey Katie, I started writing about how our session will help UNITED attendees understand what GDPR is, how they can prepare, and how our own governance team has addressed and overcome challenges...AND THEN I CHECKED OUT THE BLOODY AGENDA FOR UNITED. Have you seen the list of sessions that are running concurrently with ours?! Rajeev is talking about how bots are changing IT and security as we know it; Rebekah and the DoJ are speaking on cyber threat exchange with the government; and Leon’s session is on hacking with “flair”—I don’t even know what that means! Do you think he’ll have drones?! What if nobody comes to our session? I can’t even ask my mum to make up the numbers, because she lives here in the UK! Yours panickingly, Sam

From: Katie Ledoux
Sent: 16 August 2017 16:48
To: Samantha Humphries
Subject: Re: Blog post for your GDPR session at UNITED

Sam, calm down, I’m sure...WHOA, Leon told me he might have a light show to go with his ‘flair’ and I think he might be serious! We need costumes and vodka shots! Do you think we can have live animals on stage?

From: Samantha Humphries
Sent: 16 August 2017 17:33
To: Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Right, how about this? http://www.argos.co.uk/product/3144114 Everyone loves hearing from Compliance Stormtroopers—it is known! I’ll see if Kyle’s got budget for them. Will report back in a mo.

From: Samantha Humphries
Sent: 16 August 2017 19:33
To: Katie Ledoux
Subject: FW: Re: FW: Blog post for your GDPR session at UNITED

Sigh. The boss said no...but he didn’t say anything about the vodka shots.

From: Kyle Flaherty
Sent: 16 August 2017 18:06
To: Samantha Humphries
Subject: Re: FW: Blog post for your GDPR session at UNITED

Sam, you know we don’t shell out for stormtrooper costumes unless it’s for a keynote talk. You and Katie have an awesome session planned—you don’t need gimmicks to talk about why GDPR applies to ANY organization in the world that holds personal data about EU citizens, regardless of vertical, company size, or geographic location. Attendees will want to learn about how they can prepare and why GDPR is a good thing! Take a breath. /kff

DISCLAIMER: There is no commitment to provide vodka shots, live animals, or costumes at our GDPR or GDP-argh talk. You will get a full 568mls of GDPR goodness though, including some great insights into what GDPR is, how you need to be preparing, and how we’re thinking about GDPR internally at Rapid7. We should also mention that if you come dressed as a Stormtrooper, you get extra points. See you there! (Here's how to register if you've not done so already!)

UNITED Spotlight: Industry Roundtables


Rapid7’s annual UNITED Summit is fast approaching, on September 13th and 14th in Boston. As a past attendee (both as a customer and as a Moose), I can assure you that UNITED is a great opportunity to learn about emerging and ongoing cybersecurity and IT topics—from the Rapid7 team and from experts across many different industries. My favorite example of this is the Industry Roundtables, scheduled on Wednesday, September 13th. These roundtables will focus on the Retail, Finance, Software Technology & Communications, Government, Healthcare, Manufacturing, and Higher Education industries, so we hope there is something for everyone in attendance. The best part about these roundtables is that it’s an opportunity for you to connect with other people in your industry that likely share similar priorities and concerns. It’s a chance for you to share your experiences with your peers, get feedback from others on current or future initiatives, and make new connections within your industry. To ensure that we’ve created the right atmosphere for these roundtables, no media, industry analysts, or sales professionals are permitted to attend these sessions. Read more about the rules of engagement here. Last year’s roundtables covered topics such as budgetary constraints and how to work around them, industry specific regulations, the challenge of obtaining buy-in and support for security initiatives, and even interoffice politics. Some of the groups even stayed in touch after UNITED to keep the discussion going. Given that each industry has a unique set of cyber and IT challenges, these roundtables will offer you the opportunity to network with others who have similar environments. If you haven’t already done so, register for UNITED, and be sure to join the industry round tables while you’re there. Look for me in all of the Assess & Remediate track sessions. I look forward to seeing you soon in Boston!

Cybersecurity for NAFTA


When the North American Free Trade Agreement (NAFTA) was originally negotiated, cybersecurity was not a central focus. NAFTA came into force – removing obstacles to commercial trade activity between the US, Canada, and Mexico – in 1994, well before most digital services existed. Today, cybersecurity is a major economic force – itself a large industry and important source of jobs, as well as an enabler of broader economic health by reducing risk and uncertainty for businesses. Going forward, cybersecurity should be an established component of modernized trade agreements and global trade policy. The Trump Administration is now modernizing NAFTA, with the first renegotiation round concluding recently. There are several key ways the US, Mexican, and Canadian governments can use this opportunity to advance cybersecurity. In this blog post, we briefly describe two of them: 1) aligning cybersecurity frameworks, and 2) protecting strong encryption. For more about Rapid7's recommendations on cybersecurity and trade, check out our comments on NAFTA to the US Trade Representative (USTR), or check out my upcoming presentation on this very subject at Rapid7's UNITED conference!

Align cybersecurity frameworks

Trade agreements should broadly align approaches to cybersecurity planning by requiring the parties to encourage voluntary use of a comprehensive, standards-based cybersecurity risk management framework. The National Institute of Standards and Technology's (NIST) Cybersecurity Framework for Critical Infrastructure ("NIST Cybersecurity Framework") is a model of this type of framework, and is already experiencing strong adoption in the U.S. and elsewhere. In addition to our individual comments to USTR, Rapid7 joined comments from the Coalition for Cybersecurity Policy and Law, and also organized a joint letter with ten other cybersecurity companies, urging USTR to incorporate this recommendation into NAFTA.
International alignment of risk management frameworks would promote trade and cybersecurity by:

Streamlining trade of cybersecurity products and services. To oversimplify, think of a cybersecurity framework like a list of goals and activities – it is easier to find the right products and services if everyone is referencing a similar list. Alignment on a comprehensive framework would enable cybersecurity companies to map their products and services to the framework more consistently. Alignment can also help less mature markets know what specific cybersecurity goals to work toward, which will clarify the types of products they need to achieve these goals, leading to more informed investment decisions that hold service providers to consistent benchmarks.

Enabling many business sectors by strengthening cybersecurity. Manufacturing, agriculture, healthcare, and virtually all other industries are going digital, making computer security crucial for their daily operations and future success. Broader use of a comprehensive risk management framework can raise the baseline cybersecurity level of trading partners in all sectors, mitigating cyber threats that hinder commercial activity, fostering greater trust in services that depend upon secure infrastructure, and strengthening the system of international trade.

Helping address trade barriers and market access issues. Country-specific approaches to cyber regulation – such as data localization or requiring use of specific technologies – can raise market access issues or force ICT companies to make multiple versions of the same product. International alignment on interoperable, standards-based cybersecurity principles and processes would reduce unnecessary variation in regulatory approaches and help provide clear alternatives to cybersecurity policies that inhibit free trade.
To keep pace with innovation and evolving threats, prevent standards from reducing market access, and incorporate the input of private sector experts, the risk management framework should be voluntary, flexible, and developed in an industry-led and transparent process. For example, the NIST Cybersecurity Framework is voluntary and was developed through an open process in which anyone can participate. The final trade agreement text need not dictate the framework content beyond basic principles, but should instead encourage the development, alignment, and use of functionally similar cybersecurity frameworks.

Prohibit requirements to weaken encryption

Critical infrastructure, commerce, and individuals depend on encryption as a fundamental means of protecting data from unauthorized access and use. Market access rules requiring weakened encryption would create technical barriers to trade and put products with weakened encryption at a competitive disadvantage relative to uncompromised products. Requirements to weaken encryption can impose significant security risks on companies by creating diverse new attack surfaces for bad actors, including cybercriminals and unfriendly international governments – ultimately undermining the security of end-users, businesses, and governments. NAFTA should include provisions forbidding parties from conditioning market access for cryptography used for commercial applications on the transfer of private keys, algorithm specifications, or other design details. The final draft text of the Trans-Pacific Partnership (TPP) contained a similar provision – though Congress never ratified TPP, so it never came into force. Although this provision would help protect strong encryption, it would only apply to commercial activities.
The current version of NAFTA contains exceptions for regulations undertaken for national security (as did TPP, in addition to clarifications that a nation's law enforcement agencies could still demand information pursuant to their legal processes). This may limit the overall protectiveness of the provision, but should also moderate concerns a nation might have about including encryption protection in the trade agreement.

This is just the beginning

The NAFTA parties have set an aggressive pace for negotiations, with the goal of agreeing on a final draft by the end of the year. However, the original agreement took years to finalize, and NAFTA covers many subjects that can attract political controversy. So NAFTA's timeline, and its openness to incorporating new cybersecurity provisions, are not entirely clear. Nonetheless, the Trump Administration has indicated that both international trade and cybersecurity are priorities. Even as the NAFTA negotiations roll on, the Administration has begun examining the Korea-US trade agreement, and both new agreements and modernization of previous agreements are likely future opportunities. Trade agreements can last decades, so considering how best to embed cybersecurity priorities should not be taken lightly. Rapid7 will continue to work with private and public sector partners to strengthen cybersecurity and industry growth through trade agreements.

Gone Phishing: A Case Study on Conducting Internal Phishing Campaigns

To many, emails are boring. It's been a long time since they were 'cool,' and they're probably the slowest form of communication in an evolving, fast-paced digital world. Nevertheless, there were 215 billion emails exchanged per day in 2016, and that number is growing at 3% annually. It's clear that emails aren't going away anytime soon—and neither are their implications for security. According to the 2017 Verizon Data Breach Investigations Report (DBIR): "43% of all data breaches happened through social attacks or through social engineering. And of those social engineering attacks, phishing constitutes 93%." Furthermore, nobody is immune to phishing—not even security companies.

At this year's UNITED Summit, several others on Rapid7's IT and engineering teams and I will take our audience on a journey to explore the intricacies of conducting an internal phishing campaign. We'll present a case study directly from the people who run internal phishing simulations at Rapid7, and we'll talk about practical challenges and solutions when building an effective campaign. Among the questions we'll address: How can we avoid spam filters in top email service providers like G Suite and Office 365? How important is the reputation of your sending domain to ensuring deliverability? What results did Rapid7's security engineers see when they conducted internal phishing campaigns, and how did those results change over time? And perhaps most important of all—how can you use this knowledge to improve security across your own organization?

Email might be boring, but working on ways to better understand and combat phishing is endlessly interesting. Come hear about how Rapid7 solves security challenges both inside and outside its own walls—and if you haven't yet signed up to join us at UNITED this year, register here. Want to know what other Rapid7 talks will headline at UNITED? Check out these teasers from threat intelligence lead Rebekah Brown, Metasploit's Brent Cook, and Research Director Tod Beardsley.

Survival of the fastest: evolving defenders with broad security automation

If you've read the news at all lately, you know that we're having some struggles with information security. Everything from elections to hospitals to Westeros is considered a target, and adversaries continue to learn and innovate—often faster than the defense can respond. It's not that they have better tools or work harder than the defense, so what gives? If you're struggling with these issues and happen to be coming to Rapid7's annual UNITED Summit, swing by the Detection and Response track on Wednesday, September 13 and hear Justin Pagano and me talk about how we are working on solving these problems!

Turns out, the status quo is kind of the worst. Defenders are working against the clock, going back in time to deal with issues we thought were resolved decades ago...and on top of that, there aren't nearly enough defenders out there (yet!). So what can we do against these types of odds? The key is automation—but not just any old kind of automation. Limited, siloed approaches to automation have helped put us where we are now. To move forward, we need broad security automation based on our understanding of the adversaries: how they operate, how they've targeted us in the past, and how they're likely to target us in the future. And that brings us to why I'm involved in this talk in the first place—the combination of broad security automation and threat intelligence! We need to automate what we should, not just what we can. This won't look the same for every organization, because organizations are protecting different types of information, defending against different types of adversaries, and have different resources and constraints. What our talk will offer isn't a magical, one-size-fits-all solution, but instead a new approach to security automation.
We will cover broad automation’s dependencies (e.g., scripting/programming skills, APIs, time, money, motivation, and prioritization), as well as what it takes to have worthwhile threat intelligence (sources, timely analysis, and expertise). We'll wrap it up with how to combine the two and develop a program that focuses on real threats, helps prioritize non-automated responses, and frees up the time needed to innovate and learn as defenders. We hope to see you there! If you haven't registered yet, do so here.

Metasploit: The New Shiny

It's been a while since I've written a blog post about new stuff in Metasploit (and I'm not sure if the editors will let me top the innuendo of the last one). But I'm privileged to announce that I'm speaking about Metasploit twice next month: once at the FSec 17 Conference in Varaždin, Croatia September 7-8, and a second time at UNITED 2017, Rapid7's annual security conference in Boston September 11-14. The talk should be a wild ride through some of the interesting new features that Metasploit has gained over the past year, as well as amazing stuff we have underway for the next major version of Metasploit.

With a project so large and varied, it can be challenging to keep it fresh and relevant. Amazing new open-source security projects pop up almost as fast as CVE allocations. Metasploit is definitely seeing a generational shift, with new developers coming in and older ones moving to new projects. As a result, we have done a lot of work this year moving Metasploit Framework to the next level, while preserving the things people love about it the most. Our 2017 Roadmap was just the beginning—we have a lot of interesting work on the horizon that will change how you think about Metasploit.

I'm also helping with the Metasploitable3 CTF at the UNITED conference and helping run some Metasploit training. So if you have any questions about Metasploit, past, present, or future, this is your chance to get expert advice, either from me or from the five other Metasploit developers who will also be attending. It should be fun and educational, if a little exhausting! Hope to see you there! Haven't yet signed up to join us at UNITED this year? Register here, or read more about some of the talks and features of this year's summit.

You've Got 0-Day!

Hey all, it feels like it's been forever since I wrote a blog post that wasn't about some specific disaster currently consuming the Internet, so I just wanted to drop a note here about how I'll be speaking at UNITED 2017, Rapid7's annual security summit in Boston September 11-14. Specifically, I'll be closing out the Research and Collaborate track at UNITED on a topic near and dear to my heart: the vagaries of vulnerability disclosure. Vuln disclosure is a funny business; when you're on the receiving side, it's at best some unwelcome news about some bug in your product that's putting your customers at risk. If you're on the giving side, it's pretty much an invitation for angry letters from CTOs and their attorneys. So why bother? Turns out, despite all the emotional pain associated with it, reasonable vulnerability disclosure is pretty much the most effective tool we have to make the internet-connected products and services we produce and use that much stronger in the face of an increasingly hostile public network. We need vuln disclosure conversations in order to get better at what we do, since it's literally impossible to write, assemble, package, and deliver software of any complexity completely vulnerability-free on the first try. So, the goal of this talk is to share some stories about my experiences in vuln handling from both sides. As director of research here at Rapid7, I'm often the first point of contact for software and technology vendors when one of our researchers uncovers a vulnerability. On the flip side, I also get notifications about Rapid7 product bugs from security@rapid7.com, so I spend a fraction of my work life helping to get those bits of nastiness resolved. If you're looking for tips and advice on how to handle vulnerability disclosures—either as a discoverer, or as someone responsible for patching shipping software—then I hope my experiences will give you some insight into how this surprisingly emotion-driven business of disclosure works. 
Haven't yet signed up to join us at UNITED this year? Register here.

Top Reasons for Graduate Students to Attend UNITED

The countdown is on to Rapid7's annual UNITED Summit in Boston on September 13-14. Rapid7 has partnered with top universities all over the globe to provide students with industry-leading security solutions as part of their coursework, equipping them with hands-on knowledge as they head into the workforce. This year, for the first time, Rapid7 is expanding its Higher Education Program and providing scholarships to allow select graduate students in cybersecurity Master's and PhD programs to attend UNITED. Read on for what students stand to gain from joining us at UNITED (or just skip down to the bottom and apply now!).

Top Reasons for Students to Attend UNITED

We can think of a lot more reasons to attend UNITED's inaugural year of student programming, but for the sake of time, we've narrowed this list down to the top three:

UNITED is a great place to network with other students, cybersecurity practitioners, and thought leaders. We'll have pen testers, incident responders, and other practitioners eager to share their knowledge (not to mention Metasploit developers!). Whether you're looking for a job or just aiming to hone your skills, networking and learning opportunities abound at UNITED. Local to Boston? We're always looking for great talent.

Rapid7 is fueled by research. Whether it's through our Heisenberg project, threat intelligence, Project Sonar, or one of the many other research and open source projects we support, we're constantly thinking about how we can inform and advance the community. At UNITED, you'll be able to attend workshops that explore the data and philosophies behind these projects. Brainstorm with our researchers or have a deep-dive discussion with our data scientists—there will be plenty of time to seek out people who are leading their fields in security research and beyond.

Want to meet and learn from the Metasploit team? UNITED is your perfect chance: In addition to talking shop with the people who make the world's de facto framework for penetration testing, Metasploit is hosting an exclusive CTF (Capture the Flag) competition at UNITED. Learn how to hack with the best, and win prizes doing it.

I want to attend! How do I get in on this?

For more information and to confirm eligibility, contact us here with your name, school, the degree program in which you're enrolled, and what you're hoping to gain from attending.

Want to learn more about our Higher Education Program?

We are committed to solving the information security talent gap and training the next generation of cybersecurity professionals. Learn more here.

Not a student but still want to attend UNITED? See the full agenda and register here!

Hack with Metasploit: Announcing the UNITED 2017 CTF

Got mad skillz? Want mad skillz? This year at Rapid7's annual UNITED Summit, we're hosting a first-of-its-kind Capture the Flag (CTF) competition. Whether you're a noob to hacking or a grizzled pro, you'll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337 abilities by competing for top prizes, or learn how to capture your first ever flag. Read on for details, and if you haven't already done so, register for UNITED!

Our UNITED competition isn't your average CTF. Why? Because this CTF is designed and hosted by the Metasploit team. That means two things: First, if you need a hand learning the ropes or help reverse-engineering an exceptionally tricky flag, you'll have access to the foremost experts in the offensive security field. Second, you'll be the first members of the public to test out the brand new Metasploitable3 Linux vulnerable machine. The Metasploit team has been waiting to debut a Linux version of Metasploitable, and we can't think of a better opportunity than UNITED to do it.

Details

The competition will kick off September 13, 2017 at 1:15 PM EDT at the inaugural workshop in UNITED's Phish, Pwn, and Pivot track: A Hands-on Introduction to Capture the Flag (CTF) Competitions Using Metasploitable (aptly named). Flag-capturing will end at 2:15 PM September 14, when we'll present awards and host a discussion on advanced tactics for all the future CTFs you'll be able to dominate. New to CTF competitions? Be sure to attend the hands-on introduction. Already captured, like, a million flags in your career? You don't need to attend sessions to participate—just connect to the competition infrastructure and get to work! Metasploit experts will be available to all participants during the conference, both in and outside of the sessions.

OK, what can I win?

Prizes will be awarded to the top three competitors.

Top prize: Two complimentary passes to UNITED 2018, a Hak5 Essentials Field Kit, and a T-shirt.
Second place: A Hak5 WiFi Pineapple (NANO Basic) and a T-shirt.
Third place: A Hak5 USB Rubber Ducky and a T-shirt.

What do I need to participate?

A desire to learn, perseverance, and a laptop with WiFi capabilities. You will need to generate an SSH key pair and connect to the competition infrastructure via SSH. To generate your keys, follow these tutorials:

Windows: https://www.ssh.com/ssh/putty/windows/puttygen
Ubuntu and OS X: https://www.ssh.com/ssh/keygen/

Never generated an SSH key pair before? We can help you when you arrive! If you are using Windows, please download PuTTY and PuTTYgen in advance.

We look forward to seeing you at UNITED 2017 for what's basically guaranteed to be the coolest CTF in the history of flags and competitions. Haven't yet registered for UNITED? Fix that here—or contact your Rapid7 Account Executive or Customer Success Manager. You can explore more of UNITED 2017's lineup of speakers, trainings, and track sessions here.
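As an added example (not part of the original post, and not the Metasploit team's own instructions), here is the key-generation step above done from a POSIX shell with OpenSSH rather than PuTTY, with a dedicated key for the event and an ssh invocation that offers only that key. The host name ctf.example and login user player are placeholders; the real host, user, and the way your public key gets registered come from the organizers.

```shell
#!/bin/sh
# Added example, not from the post. Requires OpenSSH's ssh-keygen.
# Assumptions (not stated in the post): the CTF host is ctf.example and the
# login user is player; both are placeholders to replace with what the
# organizers hand out.

# gen_ctf_key DIR [NAME]
# Creates DIR/NAME (private) and DIR/NAME.pub (public) and prints the key's
# fingerprint line, e.g. "256 SHA256:... united-ctf (ED25519)".
gen_ctf_key() {
    dir="$1"
    name="${2:-united_ctf}"
    if [ -e "$dir/$name" ]; then
        echo "refusing to overwrite existing key $dir/$name" >&2
        return 1
    fi
    mkdir -p "$dir"
    chmod 700 "$dir"
    # ed25519: short keys and no parameter choices to get wrong. A separate key
    # per event means the lab key never doubles as your everyday key. -N ''
    # makes it passphrase-less, which is fine for a throwaway CTF key but not
    # for anything you care about. </dev/null prevents any interactive prompt.
    ssh-keygen -q -t ed25519 -N '' -C "united-ctf" -f "$dir/$name" </dev/null
    chmod 600 "$dir/$name"
    # The public half is what you hand to the organizers; the fingerprint lets
    # you confirm they registered the right key.
    ssh-keygen -l -f "$dir/$name.pub"
}

# ctf_ssh_cmd DIR [NAME]
# Prints the ssh command to use. IdentitiesOnly=yes stops ssh from offering
# every key in your agent (and their public halves) to the CTF host before it
# gets to the one you intend.
ctf_ssh_cmd() {
    printf 'ssh -i %s -o IdentitiesOnly=yes player@ctf.example\n' "$1/${2:-united_ctf}"
}

# Run directly with --demo to generate a key under ~/.ssh and show the command;
# sourced or run without it, the script only defines the two functions.
if [ "${1:-}" = "--demo" ]; then
    gen_ctf_key "$HOME/.ssh" united_ctf
    cat "$HOME/.ssh/united_ctf.pub"
    ctf_ssh_cmd "$HOME/.ssh" united_ctf
fi
```

Paste the printed `.pub` line where the organizers ask for it, and run the printed ssh command once they confirm the key is loaded. If you already use an agent, `IdentitiesOnly=yes` together with `-i` is the part that keeps the CTF host from seeing your other identities.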

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Upcoming Event

UNITED 2017

Rapid7's annual security summit is taking place September 12-14, 2017 in Boston, MA. Join industry peers for candid talks, focused trainings, and roundtable discussions that accelerate innovation, reduce risk, and advance your business.

Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee-deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.