What’s New in Rapid7 Products & Services: Q2 2024 in Review

This quarter we continued to make investments that provide security professionals with a holistic, actionable view of their entire attack surface. In Q2, we focused on enhancing visualization, prioritization, and integration capabilities across our key products and services. Below we’ve highlighted key releases and updates from the quarter across Rapid7 products and services—including InsightCloudSec, InsightVM, InsightIDR, Managed Detection and Response, and Rapid7 Labs.

Rapid7 acquires Noble to deliver comprehensive visibility and command of your attack surface

Rapid7 has acquired Noble, a leading provider of continuous cyber asset inventory, visibility, and management. This acquisition further enhances our ability to provide customers with the necessary control to monitor and manage exposures across their entire attack surface - from endpoint to cloud - with confidence. Visit our announcement overview page to learn more and stay tuned for additional details coming this summer.

Anticipate imminent threats from endpoint to cloud

Uncover multiple paths to risky compromised resources across cloud environments

We continue to enhance Attack Path Analysis in InsightCloudSec, most recently adding a new visualization that shows all of the various paths to a potentially compromised resource, providing a better understanding of the potential blast radius of an attack. We’ve also added the ability to export Attack Path graphs as a PDF, JPG, PNG, or SVG for easy sharing with additional stakeholders.

Automatically prioritize the most at-risk resources based on Layered Context

Layered Context provides insight into the riskiest resources running across cloud environments by taking into account a variety of risk signals from vulnerabilities to identity-related risk and public accessibility. This context makes it easier for security teams to effectively and efficiently prioritize cloud risk remediation efforts.

We recently released the following updates to Layered Context:

  • Automatic prioritization of riskiest resources by taking into account the presence of toxic combinations to assign a relative risk score to all cloud resources.
  • A new risk tab, located on the Resource Details panel, that details all the risks impacting a resource in one view, transparently and efficiently diagnosing what is risky and why.

Access agent-based policy assessment results with InsightVM’s Bulk Export API

Agent-based policy assessment is used to conduct configuration assessments of IT assets against widely used industry benchmarks or custom internal policies. Now customers can use the new Bulk Export API to export the policy assessment results data to their business intelligence tools and build custom visualizations and workflows that meet their reporting needs. Additionally, this API allows for efficient request and download of large data sets directly from the Insight Platform, avoiding unnecessary load on the Security Console and giving greater flexibility in handling the high volume of data that policy assessments produce.

Insight Agent support for ARM-based Windows 11 devices in InsightVM

Take advantage of the ARM processor chip’s great performance and low power requirements while maintaining agent-based visibility and assessment of remote assets within InsightVM. We also released enhanced vulnerability coverage for Windows 11 to provide customers with even higher quality, accurate vulnerability content.

Pinpoint critical signals of an attack and act confidently against threats

Rapid7 AI Engine extended to include Generative AI, driving improved MDR efficiency

Enhancements to the Rapid7 AI Engine have brought new Generative AI capabilities to the Rapid7 SOC, improving the efficacy and efficiency of our MDR services. These new additions include:

  • The new SOC Assistant that guides our internal SOC and MDR analysts through complex investigations and streamlines response workflows by querying sources like the Rapid7 MDR Handbook, keeping our analysts a step ahead.
  • The ability to automatically generate incident reports once investigations are closed out, streamlining a typically manual and time-intensive process. Every report that is generated by the Rapid7 AI Engine is reviewed and enhanced as needed by our SOC teams, making certain every data point is accurate and actionable.

Stop attacks before they begin with Rapid7’s patented Ransomware Prevention

Rapid7’s patented, preemptive Ransomware Prevention technology focuses on disrupting the evasive behaviors that ransomware and other forms of malware leverage, preventing both known and unknown (zero-day) attacks before they start. Coexisting alongside NGAV, EDR, and EPP solutions, Ransomware Prevention:

  • Provides an additional layer of protection on the endpoint focused on mitigating the risk associated with ransomware by using proprietary Data Encryption detection and response technology.
  • Focuses on the inner techniques that malicious and evasive attacks employ and embed in processes (instead of passively looking for patterns and analyzing processes and behaviors on runtime or post-execution), manipulating their logic so that they refrain from execution.

Monitor CrowdStrike Falcon EDR alerts within InsightIDR for streamlined alert triage

Simplify operations and optimize resource allocation by further integrating third-party endpoint detection and response solutions with Rapid7. Managed Detection and Response customers can integrate CrowdStrike Falcon Endpoint with InsightIDR and leverage Rapid7’s highly skilled and experienced MDR SOC to help triage incoming alerts.

A growing library of actionable detections in InsightIDR

In Q2 2024 we added over 750 new detection rules. See them in-product or visit the Detection Library for descriptions and recommendations.

New research from Rapid7 Labs: The 2024 Attack Intelligence Report

Since 2020, Rapid7 has tracked huge increases in zero-day exploits, ransomware attacks, mass compromise incidents, and evolutions in attacker behavior. In our 2024 Attack Intelligence Report, Rapid7 Labs analyzed 14 months of attacker behavior and marquee vulnerabilities and provides expert analysis and practical guidance for security professionals.

Dive into key findings—like how 36% of the widely exploited vulnerabilities Rapid7 tracked involved network edge technology—in the report here.

In May we partnered with AWS for our Take Command 2024 Cybersecurity Summit, where we took a deep dive into new attack intelligence technologies like AI that are disrupting the threat landscape, macro influences on SOC teams, MDR services to build cyber resilience, and more. The sessions deliver clear guidance to zero in on threats and proactively prevent breaches—check them out on demand here.

Stay tuned for more!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

Rapid7 completes IRAP PROTECTED assessment for Insight Platform solutions

Exciting news from Australia!

Rapid7 has successfully completed an Information Security Registered Assessors Program (IRAP) assessment to PROTECTED Level for several of our Insight Platform solutions.

What is IRAP?

An IRAP assessment is an independent assessment of the implementation, appropriateness, and effectiveness of a system’s security controls. Achieving IRAP PROTECTED status means Australian Government agencies requiring PROTECTED level controls can access our industry-leading, practitioner-first security solutions. Meeting this status further strengthens our position as a trusted partner for Australian government organizations seeking to enhance their cybersecurity posture.

Rapid7 is one of the only vendors to be IRAP-assessed across what we consider a consolidated cybersecurity operation. This places us in a unique position to supply services across federal, state, and local government in Australia. It provides our government customers with the confidence that we have the right governance and controls in place for our own business in order to deliver that service effectively for our customers, specifically covering:

  • Vulnerability management on traditional infrastructure
  • Endpoints
  • The secure implementation of web applications
  • Detection and response to alerts or threats
  • The ability to securely automate workflows

Why is being IRAP PROTECTED important?

Being IRAP-assessed demonstrates our commitment to providing secure and reliable information security services for Government Systems, Cloud Service Providers, Cloud Services, and Information and Communications Technology (ICT) Systems, and more widely to our Australian customers.

Importantly, it highlights how we take the shared responsibility model extremely seriously. It also shows we’re protecting our customers’ information and data across their traditional infrastructure and in the cloud.

Which solutions are approved?

Solutions assessed and approved for PROTECTED Level include InsightIDR (detection and response), InsightVM (vulnerability management), InsightAppSec (application security), and InsightConnect (orchestration and automation). These solutions provide a comprehensive security platform to help government agencies tackle the challenges of today's evolving cybersecurity landscape.

The successful completion of the IRAP assessment at the PROTECTED level demonstrates our commitment to supporting Australian government customers. It means they have access to a comprehensive security platform necessary to tackle the ever-evolving challenges of today's cybersecurity landscape.

As more government agencies migrate to hybrid cloud environments, we can help them better manage the growing complexity of identifying and securing the attack surface.

As attackers become increasingly sophisticated, better armed, and faster, the IRAP assessment is yet another string in our cybersecurity bow, showcasing our potential to support Australian Government agencies and more widely, our customers.

New! Insight Agent Support for ARM-based Windows in InsightVM

We are pleased to introduce Insight Agent support of ARM-based Windows 11 devices for both vulnerability and policy assessment within InsightVM. Customers with Windows 11 devices powered by ARM processors can now take advantage of the great performance and lower power requirements of these chips without sacrificing the agent-based visibility of their remote assets. This release coincides with enhanced vulnerability content for Windows 11 in InsightVM, providing customers with high-quality, accurate coverage. The full list of operating systems supported by the Insight Agent can be found in our documentation.

The latest generation of ARM64 chips promises excellent CPU performance and multi-day battery life on a single charge, making them more attractive than ever for enterprise and consumer devices, including laptops. As hardware and software vendors continue to bolster support for Windows on ARM, Rapid7 customers using or considering adoption of these devices can deploy the Insight Agent to Windows 11 devices immediately. The existing Windows (x64) installer – downloaded as ‘agentInstaller-x86_64.msi’ – can be used for installation, and the Insight Agent will automatically run in emulation mode. No other action is required, but do note that only InsightVM functionality is supported at this time.

You can find more information on how to download and install the Insight Agent in our Help Documentation and on the Agents page within the Insight Platform.

Customers can use the Agent Test Set feature to roll out newer versions of the Insight Agent on a select set of machines before deploying it widely.

Explanation of New Authenticated Scanning PCI DSS Requirement 11.3.1.2 in PCI DSS V4.0 and how InsightVM can help meet the Requirement

By: Dominick Vitolo, VP of Security Services, MegaplanIT

As a Certified Qualified Security Assessor (QSA) company and a trusted Rapid7 partner, MegaplanIT is committed to guiding organizations through the complexities of compliance and security standards.

PCI DSS version 4.0 is a significant update on the horizon and is set to take effect March 31, 2025. One of the key changes around vulnerability scanning within this update is requirement 11.3.1.2. This new requirement mandates authenticated internal vulnerability scans.

Here, we’ll shed light on why organizations should immediately transition to authenticated vulnerability scanning and how Rapid7’s InsightVM can facilitate this essential change.

The Shift in PCI DSS 4.0

New Requirement 11.3.1.2

Under PCI DSS 4.0, requirement 11.3.1.2 introduces the need for authenticated internal vulnerability scans, marking a departure from the widely practiced unauthenticated scans.

Currently, many organizations rely on unauthenticated scanning which, while useful, offers limited visibility into system vulnerabilities. Previous versions of the PCI DSS never specifically called out the need for authenticated internal vulnerability scanning, which left the requirement open to interpretation.

The established procedure from Requirement 11.3.1 remains applicable and is complemented by the new requirement mandating authenticated internal vulnerability scans:

  • Scans must be conducted at least every three months.
  • All high-risk and critical vulnerabilities – as defined by the entity's own risk rankings established in Requirement 6.3.1 – must be remediated.
  • Follow-up rescans are required to verify the resolution of these high-risk and critical vulnerabilities.
  • The scanning tool used must be regularly updated with the latest vulnerability information.
  • The scans must be carried out by qualified individuals, and there must be an organizational separation between the testers and the systems they are testing.

MegaplanIT Perspective: Why Adopt Authenticated Scanning Now Before the Requirement Takes Effect?

  1. Deeper security insights: Authenticated scans delve into systems more deeply, uncovering vulnerabilities that unauthenticated scans may miss. This depth is critical for maintaining robust security.
  2. Proactive compliance strategy: We always advocate for early adoption of new standards. It allows for a smoother transition and avoids the rush associated with impending compliance deadlines. Authenticated vulnerability scanning typically uncovers a greater number of vulnerabilities than unauthenticated scanning. Consequently, this will necessitate a greater allocation of internal resources for planning and executing remediation strategies.
  3. Enhanced risk management: Authenticated scanning enables more effective identification and remediation of vulnerabilities, thus fortifying your defense against potential breaches. Authenticated vulnerability scanning may also lead to a reduced number of false positives.
  4. Operational efficiency: Early adoption allows for the refinement of scanning processes, ensuring they become a seamless part of your security routine, and may also lead to a reduced number of false positives.

How Rapid7’s InsightVM Aligns with This Transition

Credential-Based Scanning

InsightVM's capability to perform scans with provided credentials aligns perfectly with the authenticated scanning requirements of PCI DSS 4.0. Scanning with credentials allows you to gather information about your network and assets that you could not otherwise access. You can inspect assets for a wider range of vulnerabilities or security policy violations.

Additionally, authenticated scans can check for software applications and packages as well as verify patches. When you scan a site with credentials, target assets in that site authenticate the Scan Engine as they would an authorized user.

Leveraging the Rapid7 Insight Agent

Rapid7’s universal Insight Agent gathers extensive vulnerability data, supporting the authenticated scanning process effectively.

Advantages of Implementing InsightVM

  • Comprehensive detection: InsightVM is equipped with a vast and continuously updated repository of known vulnerabilities and identification of configuration issues.
  • Targeted remediation guidance: Detailed insights facilitate prioritized and effective remediation efforts.
  • User-friendly interface: IT teams experience a simplified transition, making the process less daunting.

Transitioning to authenticated internal vulnerability scanning in order to meet the control requirements of PCI DSS 4.0 is a crucial step towards strengthening your organization’s security posture. As a certified QSA, MegaplanIT strongly recommends that organizations begin this shift now.

Tools like Rapid7’s InsightVM are pivotal in this journey, offering a comprehensive, scalable, and user-friendly solution. By embracing this change today, your organization will not only be compliant, but also significantly more secure against ever-evolving cyber threats.

Method to an Old Consultant's Madness with Site Design

If it's your first time purchasing and setting up InsightVM – or if you are a seasoned veteran – I highly recommend a ‘less is more’ strategy with site design. After many thousands of health checks performed by security consultants for InsightVM customers, the biggest challenge most consultants agree on is that site designs with too many sites are not healthy. When you have too many sites, it also means you have too many scan schedules, which are the most complex elements of a deployment. Simplifying your site structure and scan schedules will allow you to better optimize your scan templates, leading to faster scanning and fewer potential issues from overlapping scans.

Weekly scanning cadence is the best practice.

The main goal is to use sites to bring data into the database as efficiently as possible and not to use sites to organize assets (data). For data organization, you will want to exclusively use Dynamic Asset Groups (DAGs) or Query Builder, then use these DAGs as your organized scope point for all reporting and remediation projects. Using Dynamic Asset Groups for all data organization will reduce the need for sites and their respective scan schedules, making for a much smoother, automatable, maintenance-free site experience.

For example, if you have a group of locations accessible by the same scan engine:

  • Site A, managed by the Desktop team using IP scope 10.10.16.0/20
  • Site B, managed by the Server team using 10.25.10.0/23
  • Site C, managed by the Linux team using 10.40.20.0/22

Instead of creating three separate sites for each location, which would require three separate schedule points, it would be better to put all three ranges in a single site (as long as they are using the same scan engine and same scan template), then create three Dynamic Asset Groups based on IP Address: ‘is in the range of’ filtering. This way, we can still use the DAGs to scope the reports and a single combined site with a single scan schedule. Example DAG:

[Screenshot: example DAG]
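
The ‘sites collect, DAGs organize’ design above, as an added example that is not part of the original post: sites carry scan scope, Dynamic Asset Groups carry organization through ‘IP address is in the range of’ filters, and the helpers flag overlapping site scopes (the overlapping-scan problem) and assets no DAG owns. Site names, scan engine and template names, ranges and asset IPs are constructed for illustration.

```python
# Added example (not from the original post): modelling the "sites collect,
# DAGs organise" design. Sites carry scan scope; Dynamic Asset Groups (DAGs)
# carry organisation through "IP address is in the range of" filters.
# Site names, engine/template names, ranges and asset IPs are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations


@dataclass
class Site:
    name: str
    scan_engine: str
    scan_template: str
    scope: list  # CIDR strings that make up the site's scan scope


@dataclass
class Dag:
    name: str
    ranges: list  # CIDR strings for the "is in the range of" filter


def overlapping_scopes(sites):
    """Report pairs of sites whose scopes overlap.

    Two sites covering the same addresses run on two schedules, so the same
    asset may be scanned twice (the overlapping-scan problem the post warns of).
    Returns tuples of (site_a, site_b, cidr_a, cidr_b).
    """
    hits = []
    for a, b in combinations(sites, 2):
        for ca in a.scope:
            for cb in b.scope:
                if ip_network(ca).overlaps(ip_network(cb)):
                    hits.append((a.name, b.name, ca, cb))
    return hits


def consolidate(name, sites):
    """Collapse several sites into one combined-scope site.

    Only sites that share a scan engine and a scan template are candidates,
    exactly the condition the post puts on merging Sites A, B and C.
    """
    engines = {s.scan_engine for s in sites}
    templates = {s.scan_template for s in sites}
    if len(engines) != 1 or len(templates) != 1:
        raise ValueError("sites use different scan engines or templates; keep them separate")
    scope = [cidr for s in sites for cidr in s.scope]
    return Site(name, engines.pop(), templates.pop(), scope)


def dag_members(dag, asset_ips):
    """Assets whose IP falls inside any of the DAG's ranges."""
    nets = [ip_network(r) for r in dag.ranges]
    return sorted(ip for ip in asset_ips if any(ip_address(ip) in n for n in nets))


def unassigned(dags, asset_ips):
    """Assets matched by no DAG: they are scanned but fall outside every
    DAG-scoped report or remediation project, so someone should own them."""
    covered = set()
    for dag in dags:
        covered.update(dag_members(dag, asset_ips))
    return sorted(set(asset_ips) - covered)


# Constructed sample data mirroring the post's Sites A, B and C.
TEAM_SITES = [
    Site("Site A (Desktop)", "engine-dc1", "full-audit-no-spider", ["10.10.16.0/20"]),
    Site("Site B (Server)", "engine-dc1", "full-audit-no-spider", ["10.25.10.0/23"]),
    Site("Site C (Linux)", "engine-dc1", "full-audit-no-spider", ["10.40.20.0/22"]),
]
TEAM_DAGS = [
    Dag("Desktop team", ["10.10.16.0/20"]),
    Dag("Server team", ["10.25.10.0/23"]),
    Dag("Linux team", ["10.40.20.0/22"]),
]
SAMPLE_ASSETS = ["10.10.17.5", "10.25.11.200", "10.40.23.9", "10.50.1.1"]

if __name__ == "__main__":
    combined = consolidate("Datacenter 1", TEAM_SITES)
    print("combined scope:", combined.scope)
    for dag in TEAM_DAGS:
        print(dag.name, "->", dag_members(dag, SAMPLE_ASSETS))
    print("no DAG owns:", unassigned(TEAM_DAGS, SAMPLE_ASSETS))
    # A fourth site whose range sits inside Site A's /20: two schedules, one asset.
    extra = Site("Site D (VDI)", "engine-dc1", "full-audit-no-spider", ["10.10.20.0/24"])
    print("overlaps:", overlapping_scopes(TEAM_SITES + [extra]))
```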

Another reason why this is important is that over the last 10 years, scanning has become extremely fast and is way more efficient when it comes to bulk scanning. For example, 10 years ago, InsightVM (or Nexpose at the time) could only scan 10 assets at the same time using a 16GB Linux scan engine, whereas today, with the same scan engine, InsightVM can scan 400 assets at the same time. Nmap has also significantly increased in speed; it used to take a week to scan a class A network range, but now it should take less than a day, if not half a day. More information about scan template tuning can be found on this Scan template tuning blog.

Depending on your deployment size, it is okay to have more than one site per scan engine; the above is a guideline – not a policy – for a much easier-to-maintain experience. Just keep these recommendations in mind when creating your sites. Also, keep in mind that you’ll eventually want to get into Policy scanning. For that, you’ll need to account for at least 10 more policy-based sites, unless you use agent-based policy scanning. Keeping your site design simple will allow for adding these additional sites in the future without really feeling like it's adding to the complexity. Check out my Policy Scanning blog for more insight into Policy scanning techniques.

Next, let's quickly walk through a site and its components. The first tab is the ‘Info and Security’ tab. It contains the site name, description, importance, tagging options, organization options, and access options. Most companies only set a name on this page. I generally don’t recommend using tags with sites and only tagging DAGs. The ‘importance’ option is essentially obsolete, and the organization and access are optional. The only requirement in this section is the site Name.

The Assets tab is next, where you can add your site scope and exclusions. Assets can be added using IP address ranges, CIDR (slash notation), or hostname. If you have a large CSV of assets, you can copy them all and paste them in, and the tool should account for them. You can also use DAGs to scope and exclude assets. There are many fun strategies for scoping sites via DAGs, such as running a discovery scan against your IP ranges, populating the DAGs with the results, and vulnerability scanning those specific assets.

The last part of the assets tab is the connection option, where you can add dynamic scope elements to convert the site into a dynamic site. You can find additional information regarding dynamic site scoping here.

The authentication tab should only validate that you have the correct shared credentials for the site scope. You should always use shared credentials over credentials created within the site.

For the scan template section, I recommend using either the ‘full audit without web spider,’ discovery scan, or a custom-built scan template using recommendations from the scan template blog mentioned above.

In the scan engine tab, select the scan engine or pool you plan to use. Do not use the local scan engine if you’re scanning more than 1500 assets across all sites.

Mostly, I don’t use or recommend using site alerts. If you set up alerts based on vulnerability results, you could end up spamming your email. Two primary use cases for alerts are alerting based on the scan status of ‘failed’ or ‘paused’ or if you want additional alerting when scanning public-facing assets. You can read this blog for additional information on configuring public-facing scanning.

Next, we have schedules. For the most part, schedules are pretty easy to figure out; just note the “frequency” is context-sensitive based on what you choose for a start date. Also, note that sub-scheduling can be used to hide complexity within the schedule. I do not recommend using this option; if you do, only use it sparingly. This setting can add additional complexity, potentially causing problems for other system users if they’re not aware it is configured. You can also set a scan duration, which is a nice feature if you end up with too many sites. It lets you control how long the scan runs before pausing or stopping. If your site design is simple enough, for example, seven total sites for seven days of the week, one site can be scheduled for each day, and there would be no need for a scan duration to be set. Just let the scan run as long as it needs.

Site-level blackouts can also be used, although they’re rarely configured. 10 years ago, it was a great feature if you could only scan in a small window each day, and you wanted to continue scanning the next day in that same scan window. However, scanning is so fast these days that it is almost never used anymore.

Lastly, a weekly scanning cadence is a recommended best practice. Daily scanning is unnecessary and creates a ton of excess data – filling your hard drive – and monthly scanning is too far between scans, leading to reduced network visibility. Weekly scanning also allows you to set a smaller asset data retention interval of 30 days, or 4 times your scan cycle, before deleting assets with ‘last scan dates’ older than 30 days. Data retention can be set up in the Maintenance section of the Administration page, which you can read about here.

I am a big advocate of the phrase ‘Complexity is the enemy of security’; complexity is the biggest thing I recommend avoiding with your site design. Whether scanning a thousand assets or a hundred thousand, keep your sites set as close as possible to a 1:1 with your scan engines. Try to keep sites for data collection, not data organization. If you can use DAGs for your data organization, they can be easily used in the query builder, where they can be leveraged to scope dashboards and even projects. Here is a link with more information on reporting workflows.

In the end, creating Sites can be easier than creating DAGs. If, however, you put in the extra effort upfront to create DAGs for all of your data organization and keep Sites simple, it will pay off big time. You’ll experience fewer schedules, less maintenance, and hopefully a reduction of that overwhelming feeling seen with so many customers when they have more than 100 sites in their InsightVM deployment.

Additional Reading: https://www.rapid7.com/blog/post/2022/09/12/insightvm-best-practices-to-improve-your-console/

Setup of Discovery Connection Azure

By: fuzzy borders

Are you having trouble trying to get your Azure assets into your InsightVM security console? In this blog post, we wanted to bring additional insight into leveraging the Azure Discovery Connection with InsightVM.

This blog post is brought to you by the Fuzzy Borders project, whose members come from different teams across Rapid7. Our goal is to find answers for requests that may fall into gray (fuzzy) areas. Our past work includes example API calls and SQL queries for InsightVM Security Consoles.

We hope this blog will help you get started with assessing your Azure virtual machines in InsightVM.

There are 3 main areas of configuration: Azure App Registration, IAM Subscription, and InsightVM Discovery Connection configuration.

Here is the overview of the steps:

Azure Configuration

  1. App Registration
  2. API Permissions
  3. Generate and Save the Secret Value
  4. IAM role permissions (Subscriptions Tab)
  5. Attach Reader role to App Registration

InsightVM Discovery Connection Configuration
Prerequisite: Allow outbound traffic to Azure from the InsightVM console server.

  1. Create a new site for Azure assets*
  2. Create Azure Discovery Connection
  3. Enter the Azure Tenant ID, Application ID, and Application Secret certificate Value

*The Azure Site should be dedicated to this discovery connection only.

Please keep note of the following items:

  • Application ID
  • Directory ID (a.k.a. Tenant ID)
  • Value of the certificate secret

Configure Azure

We need to establish trust between Rapid7 and Azure. Click on “App registrations”.

Click: New registration

Enter a display name for the application and click Register at the bottom. In this example we use “FuzzyDiscovery”.

Leave the default values. Once you click Register, Azure returns the Application ID and the Directory ID (a.k.a. Tenant ID), both of which are required in later steps.

Tip:
Either take a screenshot or copy and paste both the Application and Directory ID to a secure location to reference later.

Generate and Save the Secret Value

Click Certificates & Secrets, then Client Secrets, and add a New Client Secret.

Important Note: We require the generated Secret Certificate Value, not the Secret ID.

Configure API Permissions

Click “Add a Permission”, search for and select “Directory.Read.All”, and click Grant and Consent.

Subscription Access

Click Home, then Subscriptions, to set up the IAM role.

On the Subscriptions page, click Access Control (IAM), then click Add Role Assignment under “Grant access to this resource”.

Select the Reader role.

Enter the member created earlier (example: FuzzyDiscovery).

Configure Console
Prerequisite: Allow outbound access to Azure https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#preparing-insightvm

Create a dedicated new Site as a Destination for your Azure assets https://docs.rapid7.com/nexpose/creating-and-managing-dynamic-discovery-connections/#adding-a-microsoft-azure-connection

Create Azure Discovery Connection

Navigate to Administration and click Discovery Connections.

From the Azure App Registration, fill out:

  • Tenant ID
  • Application ID
  • Application Security Certificate Value previously generated in Azure

Please note: if the secret value was not saved previously, a new secret will have to be generated, and the previously generated secret can be revoked.

Troubleshooting Tips:

In the InsightVM console logs, review the eso.log for any errors and provide logs to support via a case.
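
A pre-flight check for the three values collected in the procedure above, as an added example that is not part of the Fuzzy Borders post: it distinguishes the client secret’s Value from its Secret ID (the mix-up the post calls out, since the ID is a GUID and the Value is not), catches a duplicated or expired value, and builds the standard client-credentials token request the registration must be able to complete. The token endpoint and scope are the standard Microsoft identity platform v2.0 values, assumed here for verification with your own HTTP client, not InsightVM’s internal code; all sample identifiers are constructed.

```python
# Added example (not part of the Fuzzy Borders post): pre-flight checks on the
# three values the InsightVM Azure discovery connection asks for, run before
# they are pasted into the console. The mistake the post calls out is saving
# the client secret's ID instead of its Value: the ID is a GUID, the Value is
# not, so the check tells them apart. All sample values below are constructed.
import re
from datetime import date

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def check_connection_values(tenant_id, application_id, client_secret,
                            secret_expires=None, today=None):
    """Return a list of problems with the captured values (empty means OK).

    tenant_id       -- Directory (tenant) ID shown after App registration
    application_id  -- Application (client) ID shown after App registration
    client_secret   -- the secret *Value* from Certificates & secrets
    secret_expires  -- optional ISO date chosen when the secret was created
    today           -- optional ISO date, defaults to the real date
    """
    problems = []
    if not GUID_RE.match(tenant_id.strip()):
        problems.append("tenant_id is not a GUID; copy the Directory (tenant) ID")
    if not GUID_RE.match(application_id.strip()):
        problems.append("application_id is not a GUID; copy the Application (client) ID")
    if tenant_id.strip().lower() == application_id.strip().lower():
        problems.append("tenant_id and application_id are identical; one was pasted twice")

    secret = client_secret.strip()
    if not secret:
        problems.append("client secret is empty")
    elif GUID_RE.match(secret):
        problems.append("client secret looks like the Secret ID; the console needs the secret Value")
    elif secret != client_secret:
        problems.append("client secret has leading/trailing whitespace from copy and paste")

    if secret_expires is not None:
        now = date.fromisoformat(today) if today else date.today()
        if date.fromisoformat(secret_expires) <= now:
            problems.append("client secret has expired; generate a new one and revoke the old")
    return problems


def arm_token_request(tenant_id, application_id, client_secret):
    """Build (but do not send) the OAuth2 client-credentials request that the
    registration must be able to complete against Azure Resource Manager.

    Assumption: standard Microsoft identity platform v2.0 token endpoint. Use
    it to test the registration with your own HTTP client; it is not
    InsightVM's internal code. The Reader role assignment cannot be checked
    offline, only by calling Resource Manager with the returned token.
    """
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": application_id,
            "client_secret": client_secret,
            "scope": "https://management.azure.com/.default",
        },
    }


if __name__ == "__main__":
    # Constructed values, not real Azure identifiers.
    tenant = "11111111-2222-3333-4444-555555555555"
    app = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    secret_id = "99999999-8888-7777-6666-555555555555"      # wrong field
    secret_value = "Xy7~abcDEFghi.jkLMNop_qrsTUV-wxyz01234"  # right field
    print(check_connection_values(tenant, app, secret_id))
    print(check_connection_values(tenant, app, secret_value, "2025-06-30", today="2024-07-01"))
    print(arm_token_request(tenant, app, secret_value)["url"])
```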

What’s New in InsightVM and Nexpose: Q3 2023 in Review

This quarter brought a lot of new and exciting product updates to help customers continue driving better security outcomes. We are thrilled to launch a new vulnerability risk scoring strategy this quarter along with upgrades like an improved UI for the Engine Pool page, more policy coverage, and more. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q3.

[InsightVM and Nexpose] Introducing Active Risk

We’re excited to launch Active Risk in InsightVM and Nexpose. Active Risk is Rapid7’s vulnerability risk-scoring methodology designed to help security teams prioritize vulnerabilities that are actively exploited or most likely to be exploited in the wild.

Our approach takes into account the latest version of the Common Vulnerability Scoring System (CVSS) available for a vulnerability and enriches it with multiple threat intelligence feeds, including proprietary Rapid7 research, to provide security teams with a threat-aware vulnerability risk score. Learn more here.


[InsightVM] Two new Active Risk dashboard cards

To help security teams communicate the risk posture cross-functionally by providing context on which vulnerabilities need to be prioritized and where the riskiest assets lie, we have launched two new dashboard cards in InsightVM:

  • Vulnerability Findings by Active Risk Score Severity - indicates total number of vulnerabilities across the Active Risk severity levels and number of affected assets and instances. Ideal for executive reporting.
  • Vulnerability Findings by Active Risk Score Severity and Publish Age - shows number of vulnerabilities across the Active Risk severity levels and by publish age. Ideal for sharing with remediation stakeholders to prioritize vulnerabilities for next patch cycle (ex: publish age is between 0-29 days) or identify critical vulnerabilities that may have been missed (ex: publish age is greater than 90 days for critical vulnerabilities).

[InsightVM and Nexpose] Engine Pool page update

Continuing the Security Console user interface (UI) upgrades, Engine Pools is now located on its own page and has been updated with a new look. The updated UI can be accessed from the Administration page and supports both light and dark modes for a more intuitive and consistent user experience.


[InsightVM and Nexpose] Containerized Scan Engine Kubernetes support

Customers are adopting modern, containerized infrastructure due to its ease of installation and maintenance (OS upgrades). Containerized Scan Engine delivers the Scan Engine as a packaged or portable application that can easily be deployed to modern infrastructure. Rapid7 customers can now deploy containerized Scan Engine in popular cloud-hosted K8s platforms like Amazon EKS (Elastic Kubernetes Service) and Google GKE. Learn more here.

[InsightVM and Nexpose] Policy coverage for Palo Alto Firewall 10

Customers can now enable policy assessment for Palo Alto 10, a critical firewall technology, in their environments. Policy assessment in InsightVM helps security teams assess the configuration of IT assets against commonly used CIS or DISA STIG benchmarks, allowing them to better meet compliance mandates and proactively secure their environment. You can use the Palo Alto Firewall 10 policy as-is or customize it to meet your business needs. Learn more here.

[InsightVM] Quick Actions in InsightVM

Quick Actions are pre-configured automation actions you can run within InsightVM to automate some of your most frequent tasks like creating an incident with ServiceNow, searching for vulnerabilities with AttackerKB, and more. No configuration is required for leveraging Quick Actions; you don’t need to deploy an orchestrator or create a single connection. Learn more here.

Note: To use Quick Actions, you’ll need an InsightConnect license, which is included at all tiers of the Cloud Risk Complete package.

[InsightVM and Nexpose] Checks for notable vulnerabilities

We have been committed to providing swift coverage for the emergent threats Rapid7 responds to under our Emergent Threat Response (ETR) program. Since Q4 2022, we have provided coverage the same day or within 24 hours for almost 30 emergent threats, including zero-day vulnerabilities. ETRs we responded to in the past quarter include:

Exploitation of Juniper Networks
On August 17, 2023, Juniper Networks published an out-of-band advisory on four different CVEs affecting Junos OS on SRX and EX Series devices. InsightVM and Nexpose customers can assess their exposure to all four CVEs with vulnerability checks. Learn more here.

CVE-2023-35078 - Critical API Access Vulnerability in Ivanti Endpoint Manager Mobile
CVE-2023-35078 is a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile, which was previously branded as MobileIron Core. The vulnerability has a CVSS v3 base score of 10.0 and has a severity rating of Critical. An unauthenticated vulnerability check for CVE-2023-35078 is available to InsightVM customers. Learn more here.

Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway
Citrix published a security bulletin warning users of three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. CVE-2023-3519 is known to be exploited in the wild. This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly. Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. Learn more here.

Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities
Adobe ColdFusion, an application server and a platform for building and deploying web and mobile applications, was affected by multiple CVEs this month, including a Rapid7-discovered vulnerability (CVE-2023-29298). Learn more about the vulnerabilities and mitigation guidance here.

15 CVEs Affecting SonicWall
SonicWall published an urgent security advisory warning customers of 15 new vulnerabilities affecting on-premise instances of their Global Management System (GMS) and Analytics products. While these vulnerabilities are not known to be exploited in the wild, they could allow an attacker to view, modify, or delete data that they are not normally able to retrieve, causing persistent changes to the application's content or behavior. Learn more here.

Introducing Active Risk

Cyber risk is increasing both in volume and velocity. Given the landscape of threats, weaknesses, vulnerabilities, and misconfigurations, organizations, teams, and vulnerability analysts alike need better prioritization mechanisms. That's why we developed a new risk scoring methodology: Active Risk.

Rapid7 has offered five risk strategies for many years, each strategy with its own specific approach to surfacing that which matters most. Our sixth risk strategy, Active Risk, is designed to focus security and remediation efforts on the vulnerabilities that are actively exploited in the wild or most likely to be exploited.

Active Risk uses CVSS scores along with intelligence from threat feeds like AttackerKB, Metasploit, ExploitDB, Project Heisenberg, CISA KEV list, and other third-party dark web sources to provide security teams with threat-aware vulnerability risk scores on scale of 0-1000.

Active Risk is available via InsightVM, InsightCloudSec, Nexpose, and our recently released Executive Risk View.

Enter Active Risk

Exploitability has become one of those terms that the security community has maligned, not out of spite, but simply because it’s been applied to too many use cases. Exploitability refers to the ease with which a vulnerability in a computer system, software application, or network can be exploited. But, even that definition can be misleading. Semantics aside, exploitability is really a question of likelihood.

This new risk strategy is focused on delivering unambiguous near-time intelligence, by systematically including a number of threat intelligence sources to enhance vulnerability risk score(s).

There are a number of vulnerability intelligence sources that fuel prioritization in Active Risk, including:

  1. AttackerKB: Launched in 2020, a forum for the security community at large to share insights and views that help cut through all the hype and chaos, with a primary purpose to inform infosec professionals on vulnerabilities and security threats
  2. Project Heisenberg: A network of low-interaction honeypots with a singular purpose: to understand what attackers, researchers, and organizations are doing in, across, and against cloud environments. This global network, established by Rapid7 in 2014, records telemetry about connections and incoming attacks to better understand the tactics, techniques, and procedures used by bots and human attackers
  3. Metasploit: Arguably the most widely used, community supported, ethical hacking framework on the planet, used by whitehats, security researchers and generalists in pentesting, <pick-your-color> teaming, CTF drills, education as well as broad or very specialized security assessment exercises
  4. Exploit Database (exploit-db.com): Widely used online repository and reference for security researchers, pentesters, and ethical hackers; it’s become a go-to resource offering an extensive archive of exploits and vulnerabilities, allowing users to track the evolution of security threats over time across software, hardware, and operating systems
  5. CISA Known Exploited Vulnerabilities (KEV) Catalog: Established in 2021 by the Cybersecurity & Infrastructure Security Agency to “provide an authoritative source of vulnerabilities that have been exploited ‘in the wild’”; it is seeing fairly broad and hasty adoption across industries as a method to focus and improve remediation throughput
  6. OSINT and Commercial Feeds: Depending on the nature of the vulnerability or threat, the sources above are combined and validated with additional intelligence and context to enhance prioritization results and ultimately customer outcomes

The immediate value of the threat intel data ingestion and normalization that Active Risk delivers will, on its own, incentivize and amplify interest in adoption. Active Risk is also CVSS 3.1 compliant across all new CVEs and is ready for future adoption of revised scoring systems (CVSS v4.0 is targeting October 31, 2023 publication). There is strong market demand and intensifying use and application of ‘exploitability’ intelligence, as seen in CVSS v4.0 and in CISA KEV as previously mentioned.
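To make the argument concrete, here is a toy threat-aware scoring model written for this article; it is not Rapid7's Active Risk algorithm, and every weight, threshold and CVE id in it is assumed. It shows why a vulnerability with exploitation evidence from the feeds listed above (KEV, Metasploit, Exploit Database, honeypot telemetry) should rank above a higher-CVSS vulnerability with none.

```python
"""Toy threat-aware scoring that illustrates the Active Risk idea.

Constructed example for this article, not Rapid7's scoring algorithm: every
weight and threshold below is assumed. The point it demonstrates is the one
made above: evidence of exploitation (CISA KEV, Metasploit, Exploit Database,
honeypot telemetry) should outrank a higher CVSS score with no such evidence.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    cve: str
    cvss_base: float          # CVSS v3.1 base score, 0.0 to 10.0
    in_kev: bool = False      # listed in CISA Known Exploited Vulnerabilities
    metasploit: bool = False  # a public Metasploit module exists
    exploit_db: bool = False  # an Exploit Database entry exists
    honeypot_hits: int = 0    # honeypot observations (Heisenberg-style), last 30 days


def active_risk_like_score(f: Finding) -> int:
    """Return a 0-1000 score: CVSS sets the baseline, threat signals raise it.

    Assumed weights: CVSS contributes at most 600 points, confirmed in-the-wild
    exploitation (KEV) 250, exploit code 90 (Metasploit) and 30 (Exploit DB),
    honeypot telemetry at most 30 with diminishing returns. They sum to 1000.
    """
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.cvss_base}")
    score = int(round(f.cvss_base * 60))
    if f.in_kev:
        score += 250
    if f.metasploit:
        score += 90
    if f.exploit_db:
        score += 30
    # Cap honeypot hits at 100 so telemetry volume alone cannot dominate.
    score += min(max(f.honeypot_hits, 0), 100) * 3 // 10
    return min(score, 1000)


def severity(score: int) -> str:
    """Severity band for a score; the cut-offs are assumed for this example."""
    if score >= 750:
        return "Critical"
    if score >= 500:
        return "Severe"
    if score >= 250:
        return "Moderate"
    return "Low" if score > 0 else "None"


def prioritize(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Rank findings highest score first (ties broken by CVE id for stable output)."""
    rows = []
    for f in findings:
        s = active_risk_like_score(f)
        rows.append((f.cve, s, severity(s)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample findings with placeholder CVE ids.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", cvss_base=9.8),                   # high CVSS, no exploitation evidence
    Finding("CVE-EXAMPLE-0002", cvss_base=7.5, in_kev=True,
            metasploit=True, honeypot_hits=40),                   # lower CVSS, actively exploited
    Finding("CVE-EXAMPLE-0003", cvss_base=5.3, exploit_db=True),  # proof of concept only
]

if __name__ == "__main__":
    # CVE-EXAMPLE-0002 ranks first despite the lower CVSS score.
    for cve, score, band in prioritize(SAMPLE_FINDINGS):
        print(f"{cve}: {score:4d} ({band})")
```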

Normalize vulnerability risk scoring across cloud and on-prem environments

Active Risk normalizes risk scores across cloud and on-premises environments to effectively assess and collaborate with teams across an organization.

Security teams can leverage Active Risk dashboard cards in InsightVM and Executive Risk View in our Cloud Risk Complete solution to support cross-functional conversations.

Active Risk is a step change along the path of risk prioritization improvement, and the much longer and windier road we travel together towards improved risk management outcomes.

What’s New in InsightVM and Nexpose: Q2 2023 in Review

The past few weeks have been extraordinary for the global threat landscape with zero-day vulnerabilities like MOVEit (CVE-2023-34362) and Barracuda’s Email Security Gateway (ESG) (CVE-2023-2868). Rapid7’s security research team was one of the first to detect exploitation of Progress Software’s MOVEit Transfer solution—four days before the vendor issued a public advisory. From there, the team moved quickly to provide prompt remediation guidance to InsightVM and Nexpose customers.

With continued focus to drive better customer outcomes, this quarter is filled with product upgrades like improved UI for the Console, custom policy for Agent-Based assessment, an updated dashboard card, and more. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q2.

[InsightVM] Agent-Based Policy supports custom policy assessment

Guidelines from Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG) are widely used industry benchmarks for configuration assessment. However, a benchmark or guideline alone may not meet the unique needs of every business.

So, Agent-Based Policy assessment now supports Custom Policies. Global Administrators can now customize built-in policies, upload policies, or enable a copy of existing custom policies for agent-based assessments. Learn more here.

[InsightVM] Top Riskiest Asset Locations dashboard card provides even more details

The Top Riskiest Asset Locations dashboard card previously showed site location and risk score. This card was enhanced, on customer request, to also include total assets and total vulnerabilities in the card preview. This provides customers additional context around why a location has a large risk score and helps alert users to sites requiring additional attention.

[InsightVM and Nexpose] A new look for the Users section of the Console Administration

This quarter, we also continued updating the user interface (UI) of the Console Administration to facilitate a more intuitive and consistent user experience across the Console and the Insight Platform, including InsightVM.

The latest section to be updated is the Users section of the Console Administration. The update improves accessibility and the overall user experience of the Users page. We also made some cool new additions like light mode, a wizard to make adding new users under the “Add Users” section more intuitive, and the ability to manage the columns displayed on the Users overview section.

[InsightVM and Nexpose] Support for Ubuntu 22.04 LTS

Security Console and Scan Engine now support Ubuntu 22.04 Operating System. Ubuntu is one of the most popular Linux distributions. Version 22.04 of Ubuntu will receive long term support from the vendor for hardware and maintenance updates as well as extended security maintenance. Customers on the previous versions of Ubuntu can now upgrade to 22.04!

[InsightVM and Nexpose] Containerized scan engine - continuous release

Containerized Scan Engine delivers the Scan Engine as a packaged or portable application that can easily be deployed to modern infrastructure. Now a new Containerized Engine image is automatically created and posted to Docker Hub with every InsightVM Product or Content update. This ensures you’re continuously working with the latest release. Prior versions are also available, denoted by tag. Learn more about containerized scan engines.

[InsightVM and Insight Platform] New retention setting for tracking Insight Agents

You can now configure the retention period that determines how long Insight Agents are tracked in your Agents table. In addition to the default 30 day period, this new setting allows you to set retention periods of 7 and 15 days. See our updated Agent management settings documentation for configuration instructions and more details.

[InsightVM and Nexpose] Checks for notable vulnerabilities

We have been committed to providing swift coverage for the emergent threats Rapid7 responds to under our Emergent Threat Response (ETR) program. Since Q4 2022, we have provided coverage the same day or within 24 hours for over 20 emergent threats, including zero-day vulnerabilities.

Rapid7’s Emergent Threat Response (ETR) program flagged multiple CVEs this quarter. InsightVM and Nexpose customers can assess their exposure to many of these CVEs with vulnerability checks, including:

  • MOVEit Transfer solution CVE-2023-34362: Rapid7’s research team saw the first instances of compromise in Progress Software’s MOVEit Transfer solution. This was four days before the vendor issued a public advisory. Since then our team has been tracking this critical zero-day vulnerability. Rapid7 has remote and authenticated vulnerability checks available to InsightVM and Nexpose customers for both MOVEit Transfer vulnerabilities. Learn more here.
  • Widespread Exploitation of Zyxel Network Devices CVE-2023-28771: Added to the Known Exploited Vulnerabilities (KEV) list by CISA, this vulnerability impacted the Zyxel networking devices. The vulnerability is present in the default configuration of vulnerable devices and is exploitable in the Wide Area Network (WAN) interface, which is intended to be exposed to the internet. Learn more about Rapid7’s response here.
  • PaperCut Remote Code Execution Vulnerability CVE-2023-27350: an unauthenticated remote code execution vulnerability in PaperCut MF/NG print management software that allows attackers to bypass authentication and execute arbitrary code as SYSTEM on vulnerable targets. InsightVM customers have an authenticated check available for the CVE on Windows and macOS systems. Learn more about Rapid7’s response here.
  • Barracuda ESG Appliances CVE-2023-2868: The Email Security Gateway (ESG) appliances of Barracuda Networks were impacted by a remote command injection vulnerability that the firm said had been exploited in the wild by threat actors since at least October 2022. Learn more about the CVE and mitigation guidance here.
  • Fortinet’s Fortigate Firewall CVE-2023-27997: A critical remote code execution (RCE) vulnerability was discovered in Fortigate SSL VPN firewalls. Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis. An authenticated vulnerability check is available for Rapid7 customers to assess their exposure. Learn more here.


Background

Using Rapid7 Insight Agent and InsightVM Scan Assistant in Tandem

Rapid7 Insight Agent and InsightVM Scan Assistant are executables that can be deployed to assist in understanding the vulnerabilities in your environment. Frequently there are questions around when and where you would deploy each, if you need both, what they actually monitor, etc. This article will answer those questions, but first let's look at each executable in more detail.

Rapid7 Insight Agent

Notice the name of this starts with Rapid7. This is important, because the Insight Agent can be used for multiple tools, primarily InsightVM and InsightIDR. However, the agent does different things for each. For InsightIDR, the agent monitors process start and stop events and has log collection abilities. For InsightVM, the Insight Agent is used for assessment of vulnerabilities. In this article, we’ll focus on using Insight Agent for InsightVM.

The Insight Agent performs an "assessment" roughly every six hours. Notice the word "assessment" and not "scan". The Insight Agent has the permissions necessary to gather information about the asset that it is installed on and then forward that information directly to the Insight Platform. The Insight Platform then forwards that data to the InsightVM Security Console. The Security Console then takes that data and runs it against a scan template to determine what vulnerabilities that asset has. Once done, the Security Console updates its own database with the results for that asset and then on the interval of communication with the Insight Platform it will forward the assessment results back to the Insight Platform.

With the Insight Agent, you do not determine a scan schedule or have the ability to kick off ad hoc or remediation scans on that asset. As noted above, assessments occur every six hours. However, not every agent is being assessed on the same six hour interval. The schedule is maintained entirely by the Insight Platform.

Another key takeaway about the communication path mentioned above: The Insight Agent does not communicate directly to the console. This makes Insight Agent particularly beneficial when it comes to protecting your remote workforce. Given that remote assets are not on your network, you typically cannot scan them directly. So, Insight Agent is the main option to view the vulnerabilities for those assets.

Recently, Rapid7 released the ability to perform Policy Scans using the Insight Agent as well. This ability is limited to assets on which the Insight Agent can be installed (Windows, Linux, Mac), but that typically covers a large portion of the policy scanning needed. Policy scanning occurs every 12 hours.

InsightVM Documentation: Insight Agents with InsightVM

InsightVM Scan Assistant

The InsightVM Scan Assistant executable is solely dedicated to InsightVM and is configured to display a certificate on port 21047. The Scan Assistant can only be used when being accessed from a scan engine (distributed or local). Unlike the Insight Agent, which monitors and performs assessments on a scheduled basis, the Scan Assistant is dormant unless called upon by a Scan Engine either through a manual or scheduled scan configured from the Security Console.

For this to work, first you must generate a certificate from InsightVM in the credential setup. Then, you need to edit any scan templates being used to additionally look for port TCP 21047 on both Asset and Service discovery. From there, the Scan Engine will use those credentials and look for that port to be open on the endpoint servers. If the certificate being presented on that port matches the certificate created within InsightVM, the scan engine will use it to authenticate to the endpoint asset. The Scan Assistant has the permissions necessary to perform all local checks on the endpoint asset.

Using the Scan Assistant instead of regular domain credentials offers better security, as it removes the need for a domain account with elevated permissions to be used in your environment. Additionally, the Scan Assistant has proven to be more efficient and performs scans quicker than domain credentials.
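The certificate handshake described above can be verified by hand before a scan is configured. The following Python check is an added example, not Rapid7's own tooling: it connects to TCP 21047 on each host and compares the SHA-256 fingerprint of the presented certificate with the one generated in InsightVM, reporting hosts where the Scan Assistant is missing or where something else is answering on that port. The host names and the expected fingerprint are placeholders.

```python
"""Check which hosts present the expected Scan Assistant certificate on TCP 21047.

Added example (not Rapid7's tooling). The Scan Engine only authenticates when
the certificate on port 21047 matches the one generated in InsightVM; this
script performs the same fingerprint comparison so an administrator can
confirm a deployment. Host names and fingerprint below are placeholders.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Callable, Dict, Iterable, Optional

SCAN_ASSISTANT_PORT = 21047


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lowercase bare hex."""
    cleaned = fp.strip().lower().replace(":", "").replace(" ", "")
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as bare lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def cert_matches(der: bytes, expected_fp: str) -> bool:
    """Constant-time comparison of the presented certificate with the expected one."""
    return hmac.compare_digest(cert_fingerprint(der), normalize_fingerprint(expected_fp))


def fetch_presented_cert(host: str, port: int = SCAN_ASSISTANT_PORT,
                         timeout: float = 5.0) -> Optional[bytes]:
    """Return the DER certificate presented on host:port, or None if nothing answers.

    Chain verification is disabled on purpose: the Scan Assistant certificate is
    issued from InsightVM, not a public CA, so it is pinned by fingerprint instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def check_hosts(hosts: Iterable[str], expected_fp: str,
                fetch: Callable[[str], Optional[bytes]] = fetch_presented_cert) -> Dict[str, str]:
    """Classify each host: 'ok', 'absent' (port closed), or 'mismatch' (unexpected cert).

    A 'mismatch' deserves attention: something other than the expected Scan
    Assistant is listening on 21047, and the Scan Engine will not authenticate.
    """
    results: Dict[str, str] = {}
    for host in hosts:
        der = fetch(host)
        if der is None:
            results[host] = "absent"
        else:
            results[host] = "ok" if cert_matches(der, expected_fp) else "mismatch"
    return results


if __name__ == "__main__":
    # Placeholders: copy the fingerprint of the certificate generated in InsightVM.
    EXPECTED_FP = "00" * 32
    for host, state in check_hosts(["host-a.example.internal"], EXPECTED_FP).items():
        print(f"{host}: {state}")
```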

InsightVM Documentation: Using the Scan Assistant

So why use both?

As stated above, the two executables are completely independent of each other. The Insight Agent communicates to the platform whereas the Scan Assistant talks directly to the Scan Engine performing the scan. The Insight Agent is not configurable in its scheduled assessment whereas the Scan Assistant is completely dormant until scanned and is completely reliant on an administrator configuring scanning.

So, WHERE should each executable be installed? I would suggest having the Insight Agent on all local and remote assets—everything capable of having the Insight Agent installed. For the Scan Assistant, only internal assets would be applicable. You could install the Scan Assistant on remote assets as well, if you have a policy that requires users to connect to the VPN on set schedules and you plan to scan through that VPN or office wi-fi. However, in most situations, the Insight Agent is the only way to assess your remote assets.

So that brings us to the internal assets that should have BOTH the Insight Agent and the Scan Assistant installed. You might be asking ‘why in the world would I want to deploy yet another executable if the Insight Agent is already performing the assessment on those assets?’ Well, let's circle back to the fact that the Insight Agent is only performing the local checks. So, you will need to perform at least monthly scanning of those assets to view network vulnerabilities. Additionally, as mentioned above, the Insight Agent is incapable of kicking off an ad-hoc scan. This is where the Scan Assistant comes into play for remediation scans specifically.

Scenario: I have an asset "abc.company.com." The Insight Agent discovers a local vulnerability on the asset at 10AM and it's only 10:30AM. I send the finding off to my system administrator to patch the vulnerability immediately. By 11AM the vulnerability is patched, and I want to verify that the vulnerability has been remediated. Without a credentialed scan, I have to wait another five hours before the Insight Agent conducts another assessment. However, with the Scan Assistant I can immediately kick off an authenticated vulnerability scan against that asset to determine that the vulnerability is no longer present.

The other main use case for the Scan Assistant is to take advantage of the full breadth of Policy Scanning. Currently, the Insight Agent can only assess up to 100 different policies and can only assess for the default values of the policies through CIS or DISA.

Using the Scan Assistant with the scan engine you have access to ALL categories of Policy Scans, including CIS, DISA, FDCC, and USGCB. Additionally, you can use the custom policy builder to edit values within typical benchmarks. For example, you might change the minimum password length from 14 characters to 20 characters if that's what your internal policy dictates.

                         InsightVM Scan Assistant             Rapid7 Insight Agent
Installation Endpoints   All internal assets                  All assets, internal and remote
Communication path       Scan Engine (Distributed or Local)   Insight Platform
Policy Scanning          CIS, DISA, FDCC, USGCB, Custom       Limited to CIS and DISA
Scheduling               Determined by Administrator          Every 6 hours, handled by Platform
Ad Hoc scans             Yes                                  No