Author: Ed Montgomery

Gone Phishing with Vector Command

Vector Command Opportunistic Phishing Blog

During one of our customer engagements, our red team will continuously attack your network to see if we can exploit a vulnerability. One of the tactics, techniques and procedures (TTPs) we use is “Opportunistic Phishing”. First, let’s share a quick reminder about what Vector Command is.

Vector Command is Rapid7’s new continuous red teaming managed service, designed to  assess your external attack surface and identify gaps in the security defenses on an ongoing basis. Vector Command continues the expansion of our Exposure Management solutions for our customers. While external attack surface management (EASM) tools offer visibility, they often fall short in validation, generating lengthy lists of potential exposures for security teams to sift through. Traditional penetration testing can help validate vulnerabilities, but its point-in-time nature risks leaving critical exposures undetected for extended periods. With Vector Command, our red team will continuously look for exploitable vulnerabilities.

Vector Command Opportunistic Phishing Blog
Rapid7’s Vector Command Landing page

Hacking the Human

Social engineering attacks are based on the exploitation of someone’s personality and can be referred to as “hacking the human”.

Security professionals often comment how the employee can often be the weakest link in a company’s security posture. From end-of-day tiredness, to our more relaxed nature during a quick lunch break and even our predisposed trusting tendencies towards those causes we care deeply about, can be exploited by threat actors. This is the “social” aspect in “Social Engineering”. Humans can be manipulated into making mistakes through psychological means and giving our login credentials away or other sensitive information.

Opportunistic Phishing - The Human Touch

Opportunistic Phishing, also known as “untargeted attacks” may have no warning signs and is often deployed spontaneously, without a specific target. Rapid7’s red team will use this technique to see what information they can get from a customer engagement.

Let’s take the hypothetical example of a former IT contractor who was employed by a company. The off-boarding policy has not yet been completed. The IT contractor had elevated access to one business application containing personally identifiable information (PII). Our red team, once they identify this former contracted employee, could use their access rights to gain entry to sensitive PII and services on the corporate network.

When an opportunistic attempt is executed by a threat actor, it is most commonly conducted via malware or phishing over email.

In this specific technique, an attacker will send out fraudulent messages, taking care to design the emails to look like the actual organization, often using similar logos, fonts, and signatures. Inside the body of the message will be a URL, typically with a misspelled domain name or extra subdomain. If the recipient is not savvy enough to recognise the fake web address from the real one and clicks on the link, this is when the malware is activated as an executable file and downloaded to the device. The payload often  includes keylogging software, used to collect keystrokes, including your passwords, which now gives the threat actor access to your company network.

By deploying this tactic, Rapid7’s red team, think, act and behave like a threat actor, but without the malicious consequences for your organization. Using opportunistic phishing, we will find and identify where your security gaps are, with respect to technology (through different configuration types for campaigns) and people, helping you to act and respond. Our advanced Vector Command reporting even gives a detailed outline of the situation, including remediation recommendations for your IT and Security teams.

Vector Command Opportunistic Phishing Blog
A sample report for a Phishing campaign completed by our Vector Command red team

What should you be on the lookout for?

Let's explore some typical phishing examples that frequently target organizations.


  • Invoices for companies that you do not have a supplier agreement with.
  • Shipping notifications from large retailers, both online and the high street.
  • Password reset requests for your email, or other online account e.g. Amazon, or PayPal.
  • Tax refund emails either at the time of needing to submit your tax return (when it is time sensitive) or months away from when it needs to be completed (anomalous behavior).
  • Can you spot poor grammar, or spelling errors in the subject, or within the body of the email, that would indicate it is not from a reputable source?
  • Does the email have a sense of urgency - “Act now”?
  • Generic greetings like “Dear Customer” as opposed to a more personalized one.
  • Surveys from third-parties or workplace experience coordinators that are out-of-place.
  • Suspicious login alerts from common applications sourcing from an untrusted sender.
  • Password reset requests for your email, or other online account e.g. Amazon, or PayPal.
  • Employee benefit emails either at the time of needing to submit your elections (when it is time sensitive) or months away from when it needs to be completed (anomalous behavior).
  • Shared documents and calendar invitations from third-parties you do not commonly interact with.
  • Browser extensions, software updates, and installation requests via email or phone.
  • Verify unexpected phone calls through internal communication applications such as Teams, or Slack.

Take Command of your Attack Surface

Stay tuned as we continue to share insights of other TTPs employed by Rapid7's expert  red team to test your cyber resilience.

We have created a self-guided product tour for Vector Command which you can check out at your leisure.

Vector Command: Request Demo ▶︎

Ready to see how continuous red team managed services can ensure your potential attack pathways are remediated before they can ever be exploited?

“Only 17% of organizations can clearly identify and inventory a majority (95% or more) of their assets.” - Gartner

Mind the Gap: How Surface Command Tackles Asset Visibility in Attack Surface Management

Imagine the scenario: your organization has been exposed to a new zero-day vulnerability. You are responsible for Threat & Vulnerability Management (TVM), you have asked your IT department for an assessment of the asset inventory in your organization.

You make the same request to your security team. Both teams give you a different number of assets, with a significant disparity: IT reports 10,000 assets, compared to 8,200 from your colleagues in security.

When you look up your Configuration Management Database (CMDB_ application, you quickly discover that it has not been updated for months and does not accurately represent of your attack surface either.

How do you measure your risk exposure when three sources of information are not in agreement? Your highly-skilled colleagues are now back to using spreadsheets to document your assets—a very manual and time-consuming process that is not a productive use of their time.

Attack Surface Management (ASM)

ASM covers both internal and external assets—the physical and digital assets that an organization needs to have visibility into in order to understand its security posture. By establishing visibility of the attack surface and implementing management processes to prioritize, validate, and mobilize responses, security teams can reduce exposures exploited by malicious threat actors.

“Asset inventory is a common and well-known problem for organizations.”

Manage the Gap in Asset Inventory with Surface Command

We began this blog with a real-life and anonymized example for a customer and the disparity in their asset count between IT and Security teams. Surface Command addresses this operational challenge. Firstly, Surface Command is platform-agnostic; what’s important to Rapid7 is capturing your actual number of assets using a mixture of external scanning and importing data feeds from over 100 commonly used IT and Security tools (EDR, CNAPP, VM, CMDB, etc.). This provides a true, constantly updated view of all assets across the cloud and on-premises. Assets detailed will include cloud containers, servers, workstations, IoT devices, identities, smartphones and more.

To help demonstrate the value of this complete visibility, we have created a short, 2-minute product tour, which you can view at your convenience. In this initial product tour, we show how to identify coverage gaps in your security posture using Surface Command. Take the example of a zero-day vulnerability discovered for a particular operating system; you need to understand your attack surface immediately.

Surface Command will quickly display assets missing  key security controls, such as a deployed endpoint security agent. You can drill down further to focus on assets by operating system or device type. This technology is powered by Rapid7’s Machine Learning (ML) classifiers to ensure coverage and data accuracy.

Watch as we filter down from a large number of total assets, to a smaller, focused number of high-risk assets that can be prioritized for action by your IT and Security Teams, all done with just a few clicks.

This scenario is commonly used by our customers to quickly identify simple security gaps, and with Surface Command, you can easily save this for future use, as well as publish the results to reporting dashboards.

By establishing visibility of the attack surface and implementing management processes to prioritize, validate, and mobilize responses, security teams can reduce their exposure and improve cyber risk management.

After all, you can’t protect what you can’t see.

Mind the Gap: How Surface Command Tackles Asset Visibility in Attack Surface Management

To learn more, click here.

Sources:

Gartner, Innovation Insight: Attack Surface Management - 9 April 2024 - ID G00809126

Gartner, Innovation Insight: Attack Surface Management - 9 April 2024 - ID G00809126

Rapid7 Introduces Vector Command, a New Managed Service for Continuous Red Teaming

Rapid7 is delighted to announce the launch of Vector Command, a continuous red teaming managed service designed to assess your external attack surface and identify gaps in the security defenses on an ongoing basis. Following the launch of Surface Command and Exposure Command in August, Vector Command will continue our expansion of Exposure Management protection for our customers.

In today’s digital landscape, organizations are more exposed to cyber threats than ever before. Cloud resources, SaaS solutions, and ever-growing shadow IT create vast external attack surfaces, making businesses increasingly vulnerable. Meanwhile attackers are constantly on the prowl, conducting reconnaissance to exploit weaknesses. Security teams lack visibility into their internet-facing exposures, leaving them vulnerable to potential breaches.

While external attack surface management (EASM) tools offer visibility, they often fall short in validation, resulting in lengthy lists of potential exposures for security teams to sift through. Traditional penetration testing can help validate vulnerabilities, but its point-in-time nature risks leaving critical exposures undetected for extended periods.

Introducing Vector Command

Vector Command is designed to address these challenges head-on, providing a continuous, proactive approach to securing your external attack surface by combining Rapid7’s trusted technology for external attack surface assessments with our world-class red team expertise. By providing an attacker’s perspective, Vector Command empowers security teams to visualize internet-facing assets, validate critical exposures, and take decisive action to mitigate risks.

Vector Command benefits include:

  • Increased visibility of the external attack surface with persistent, proactive reconnaissance of both known and unknown internet-facing assets
  • Improved prioritization with ongoing, expert-led red team operations to continuously validate your most critical external exposures
  • Same-day reporting of successful exploits with expert-vetted attack paths for multi-vector attack chains and a curated list of “attractive assets” that are likely to be exploited
  • Monthly expert consultation to confidently drive remediation efforts and resiliency planning

Rapid7 advantage: trusted technology and red team expertise

At the heart of Vector Command is our red team operators, among the best in the industry, bringing years of experience in simulating real-world attacks and identifying vulnerabilities that automated tools might miss. This combined with our recently launched Command Platform’s external attack surface assessment capability provides a unique and powerful solution to ensure that you are not just receiving a list of potential vulnerabilities, but actionable insights based on real-world attack scenarios.

External attack surface assessment: Powered by Rapid7’s Command Platform, Vector Command will leverage the external attack surface capability to perform ongoing, active reconnaissance and discovery of your external attack surface to help you

  • Find the unknown and ensure continuous understanding of where shadow IT or unknown business assets may exist like exposed web services, remote admin services, and more
  • Zero-in on potential remote access risks, and risky or unencrypted services
Rapid7 Introduces Vector Command, a New Managed Service for Continuous Red Teaming

Red team expertise: Our expert operators leverage the latest tactics, techniques, and procedures (TTPs) to safely exploit the external exposures and test your security controls with red team exercises like:

  • Opportunistic phishing - Our experts will design and conduct phishing campaigns using the latest TTPs with focus on demonstrating the impact of credential capture and payload execution.
  • External network assessment - Ongoing assessment of vulnerabilities exposed in the external network, focused on obtaining access to your organization and its sensitive systems.
  • Post-compromise breach simulation - Upon breach, our experts will safely emulate the latest tactics to obtain command and control over the compromised system. Post-exploitation activities emulate adversary behavior to assess privilege escalation, lateral movement, and persistence.
  • Emergent threat validation - Assess your network perimeter’s susceptibility to the latest Rapid7 emergent threat vulnerabilities to validate patching and security configurations.
Rapid7 Introduces Vector Command, a New Managed Service for Continuous Red Teaming

Take command of your attack surface defenses

In an era where cyber threats are constantly evolving, Vector Command empowers you to stay one step ahead of attackers. By providing continuous visibility, validation, and expert guidance, we help you transform your cybersecurity posture from reactive to proactive.

Don’t wait for a breach to expose weaknesses in your defenses. With Vector Command, you can command your attack surface with confidence, knowing that you have Rapid7’s trusted technology and Red Team expertise on your side.

Learn More