Author: Rapid7

[The Lost Bots] S02E03: Browser-in-Browser Attacks — Don't Get (Cat)-Phished

Welcome back to The Lost Bots! In our latest episode, we're talking about phishing attacks — but not your standard run-of-the-mill version. Instead, we're focusing on a new technique known as browser-in-browser attacks, unpacking what it means and how it should factor into your organization's security strategy.

Our hosts Jeffrey Gardner, Detection and Response Practice Advisor, and Stephen Davis, Lead D&R Sales Technical Advisor, highlight the telltale signs of browser-in-browser attacks you should look out for as you're carrying out your day-to-day work and life on the internet. They also discuss how to set up user behavior analytics rules in your SIEM that will help you detect this type of threat, as well as how to make end-user training more effective.

Check back with us on Thursday, September 29, for the next Lost Bots installment!

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


[Security Nation] Jen and Tod on Hacker Summer Camp 2022

In this episode of Security Nation, Tod and Jen chat about their experience at this year’s Hacker Summer Camp, the multi-event lineup of cybersecurity conferences in Las Vegas that includes BSides, Black Hat, and DEF CON. Tod gives us his highlights from the virtual sessions, and Jen recounts her jam-packed week of presentations (which resulted in a somewhat diminished ability to use her voice for this recording).

No Rapid Rundown this week, since our Vegas wrap-up overlaps with much of the latest security news, making it a Rapid Rundown in itself!

Show notes

Learn more about some of our favorite presentations from the Vegas conferences, including:

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

OCSF: Working Together to Standardize Data

Teams spend a lot of time normalizing data before any analysis, investigation, or response can begin. It’s an unacceptable burden for you. And its days are finally numbered.

Rapid7 and other security vendors are collaborating on an Open Cybersecurity Schema Framework (OCSF), an open standard for both data producers and users to adopt. Much like the MITRE Att@ck Framework, common language and understanding change everything.

OCSF, includes contributions from 17 leading cybersecurity and technology organizations: AWS, Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Splunk, Sumo Logic, Tanium, Trend Micro, and Zscaler.

OCSF is an open standard that can be adopted in any environment, application, or solution provider and fits with existing security standards and processes. As cybersecurity solution providers incorporate OCSF standards into their products, security data normalization will become simpler, allowing teams to focus on analyzing data, identifying threats, and stopping attackers before they cause damage.

“We, as security vendors, need to do right by the security teams who work tirelessly to protect not only their organizations, but the greater community, against a constantly evolving array of threats,” said Sam Adams, Vice President of Detection and Response, Rapid7. “A step towards that is standardizing the data on which these teams rely. If we can minimize the complexity of using security data from disparate sources, we can save security professionals millions of hours every year. Rapid7 has a proud history of supporting the open-source community. We are thrilled to join our peers who share this belief and build a solution that will break down data silos, removing a heavy burden that hinders security teams’ efforts to stay ahead of threats.”

Data holds the key

The key to efficiently detecting and rapidly responding to today’s threats and attacks is data and how you use that data. It’s mission-critical for security teams to evaluate data from various sources (e.g. the endpoint, threat intelligence feeds, logs, etc.), coordinating with a myriad of security tools and solutions. In a recent study, SOC Modernization and the Role of XDR, eight in 10 organizations said they collect, process, and analyze security operations data from more than 10 sources. While it might sound like a lot, survey respondents actually want to use more data, in order to keep up with the evolving attack surface.

As the industry comes together to unburden security teams of the work required to collect and normalize data, Rapid7 will be rolling out support for OCSF, starting with InsightIDR, our joint SIEM and XDR solution. Look for updates on OCSF support in the coming months!

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


How One Engineer Upskilled Into a Salesforce Engineering Role at Rapid7

At Rapid7, we believe the growth and development of our people enables us to better serve customers who depend on us. When our Engineering team was searching for candidates to help with our Salesforce ecosystem, John Millar demonstrated many of our core values – most importantly, the appetite to learn and grow his career as part of our commitment to “Never Done.” Through his own grit and determination – and support from his team – he transitioned into a new role and acquired a new set of skills along the way.

Here’s a closer look at that journey, told in John’s own words.

Celebrating a new path

Coming up on nearly two years at Rapid7, I am over the moon with what I have achieved personally and professionally. Before joining the company, I was a Q developer working with KDB+ systems. Now, I am an Engineer working in our Salesforce ecosystem in Belfast.

Getting up to speed with our Salesforce system, becoming a valuable member of our development team, and helping to knock out some big projects in that time period have made me incredibly proud of how my career has grown in under two years. I have also become the team’s SME for an integrated software tool that is connected with Salesforce and have completed my first Salesforce certification, with more planned before the end of the year. These certifications are funded by Rapid7 as part of their core value of "Never Done."

Creating a new direction for my career and having the opportunity to grow has certainly paid off, but it didn’t happen overnight.

Jumping into something new

Rewinding back to 2020 – I had been working for over two years as part of a periodic low-frequency development team for a Tier 1 bank. We were responsible for the maintenance and development of the low frequency components of the plant. This role revolved around a holistic time series database system built on kdb+ (q language), containing a wide range of data covering both periodic and aperiodic frequencies and all asset classes.

I felt like I wanted a new challenge and was interested in moving back into a role based around an object oriented language, similar to what I had been working with throughout University. I had heard of and researched Rapid7, so when they contacted me and outlined their goals, objectives, and culture along with the specific role I would be applying for, I knew it was for me and wanted to make that jump.

Supporting new skills and growth

One of the core values of Rapid7 is “Never Done,” which encourages employees to constantly learn and improve their knowledge stack. I believe this was pivotal in my upskilling process, as the support needed was very accessible.

Rapid7 was invested in my growth from the moment I joined. As a candidate, I didn’t fit 100% of the requirements at the time. I understood the fundamentals and met the core criteria, but I didn't have a ton of experience in Java and had no experience with Salesforce. Rapid7 recognized my potential and was invested in helping me grow my skills and become a great Salesforce developer for the team.  

When upskilling to Salesforce, the main area I used was Trailheads, a free program provided by Salesforce. These exercises and learning modules are very detailed, interesting, and interactive. They really help with absorbing and understanding the information in conjunction with actively completing tasks in parallel. Additionally, I was supported and mentored by colleagues from Rapid7, who were equally invested in my growth. Whether it was through formal 1:1s or just making themselves available for advice and questions, I felt supported throughout the process.

Creating impact

Making the transition was not easy, and it took a lot of time and effort. I had to be self-motivated and determined to get up to speed with the Salesforce CRM and Salesforce Apex. Having completed this transition journey into Salesforce, it is all the more satisfying when completing and planning work, knowing that it has paid dividends in terms of my career growth.

Our team is making an impact by enabling the Salesforce ecosystem to operate more efficiently. We do this by analyzing and debugging issues, identifying opportunities, and improving our integration capabilities. This means the Rapid7 team is better positioned to support and protect our customers against outside threats to their business, as well as protect the personal information and data of their customers.

I have great confidence and pride in the work that I complete and feel I play a vital role in our team. I would highly recommend anyone thinking of making that jump to something new, to go for it. I know I haven't looked back.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


Building Cybersecurity KPIs for Business Leaders and Stakeholders

In the final part of our “Hackers 're Gonna Hack” series, we’re discussing how to bring together parts one and two of operationalising cybersecurity together into an overall strategy for your organisation, measured by key performance indicators (KPIs).

In part one, we spoke about the problem, which is the increasing cost (and risk) of cybersecurity, and proposed some solutions for making your budget go further.

In part two, we spoke about the foundational components of a target operating model and what that could look like for your business. In the third installment of our webinar series, we summarise the foundational elements required to keep pace with the changing threat landscape. In this talk, Jason Hart, Rapid7’s Chief Technology Officer for EMEA, discussed how to facilitate a move to a targeted operational model from your current operating model, one that is understood by all and leveraging KPIs the entire business will understand.

First, determine your current operating model

With senior stakeholders looking to you to help them understand risk and exposure, now is the time to highlight what you're trying to achieve through your cybersecurity efforts. However, the reality is that most organisations have no granular visibility of their current operating model or even their approach to cybersecurity. A significant amount of money is likely being spent on deployment of technology across the organisation, which in turn garners a large amount of complex data. Yet, for the most part, security leaders find it hard to translate that data into something meaningful for their business leaders to understand.

In creating cyber KPIs, it's important they are formed as part of a continual assessment of cyber maturity within your organisation. That means determining what business functions would have the most significant impact if they were compromised. Once you have discovered these functions, you can identify your essential data and locations, creating and attaching KPIs to the core six foundations we spoke of in part two. This will allow you to assess your level of maturity to determine your current operating model and begin setting KPIs to understand where you need to go to reach your target operating model.

Focus on 3 priority foundations

However, we all know cybersecurity is a wide-ranging discipline, making it a complex challenge that requires a holistic approach. It's not possible to simply focus on one aspect and expect to be successful. We advise that, to begin with, security leaders consider three priority foundations: culture, measurement, and accountability.

For cybersecurity to have a positive and successful impact, we need to change our stakeholders' mindsets to make it part of organisational culture. Everyone needs to understand its importance and why it's necessary. We can't simply assume everyone knows what is essential and that they'll act. Instead, we need to measure our progress towards improving cybersecurity and hold people accountable for their efforts.

Translate cybersecurity problems into business problems

Cybersecurity problems are fundamentally business problems. That's why it's essential to translate them into business terms by creating KPIs for measuring the effectiveness of your cyber initiatives.

These KPIs can help you and your stakeholders understand where your organisation needs improvements, so you can develop a plan everyone understands. The core components that drive the effectiveness of a KPI, begin with defining the target, the owner, and accountability. The target is the business function or system that needs improvement. The owner is responsible for implementing the programme or meeting the KPI. Accountability is defined as who will review the data regularly to ensure progress towards achieving desired results.

40% of our webinar's audience said they don't currently use cybersecurity KPIs.

Additionally, when developing KPIs, it's crucial to think about what information you'll need to collect for them to be effective in helping you achieve your goals. KPIs are great, but to be successful, they need data. And once data is being fed into the KPIs, as security leaders, we need to translate the “technical stuff” – that is, talk about it in a way the business understands.

Remember, it's about people, processes, and technology. Technology provides the data; processes are the glue that brings it together and makes cybersecurity part of the business process. And the people element is about taking the organisation on a journey. We need to present our KPIs in a way the organisation will understand to stakeholders who are both technical and non-technical.

Share and build the journey

As a security leader, you need to drive your company's cybersecurity strategy and deploy it across all levels of your organisation, from the boardroom to the front lines of customer experience. However, we know that the approach we're taking today isn't working, as highlighted by the significant amounts of money we're trying to throw at the problem.

So we need to take a different approach, going from a current to a target operating model, underpinned by KPIs that are further underpinned by data to take you in the direction you need to go. Not only will it reduce your organisational risk, but it will reduce your operational costs, too. But more importantly, it will translate what's a very technical industry into a way everyone in your organisation will understand. It's about a journey.

To find out what tools, processes, methodologies, and KPIs are needed to articulate key cybersecurity goals and objectives while illustrating ROI and keeping stakeholders accountable, watch part three of “Cybersecurity Series: Hackers 're Gonna Hack.”

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


[Security Nation] Curt Barnard on Defaultinator (Black Hat Arsenal Preview)

In this episode of Security Nation, Jen and Tod chat with Curt Barnard, Principal Security Researcher at Rapid7, about a new tool he’ll be presenting at Black Hat Arsenal, the showcase of open-source tools at Black Hat 2022 in Las Vegas. Curt gives us the details about the tool, Defaultinator, which helps security pros look up and audit for default credentials more quickly and effectively. He also tells us what else he’s excited about at this year’s lineup of cybersecurity conferences in Vegas next week.

Stick around for our Rapid Rundown, where Tod and Jen talk about a Rapid7 alum’s discovery of a vulnerability in DSL- and fiber-based web routers from Arris, as well as a recent article that debates the benefits of sharing exploit proofs of concept versus keeping them private.

Curt Barnard

[Security Nation] Curt Barnard on Defaultinator (Black Hat Arsenal Preview)

Curt Barnard is a cybersecurity professional with 15 years of experience across both the public and private sector. At Rapid7, Curt is a Principal Security Researcher working with projects Sonar and Heisenberg, analyzing internet-wide security issues with global impact. Before joining the team at Rapid7, Curt spent time breaking software with the Department of Defense, vetting cybersecurity companies for venture capital firms, and building his own startup from the ground up. When he isn't busy popping calc.exe, Curt enjoys changing your desktop's wallpaper and moving your icons around.

Show notes

Interview links

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[The Lost Bots] Season 2, Episode 2: The Worst and Best Hollywood Cybersecurity Depictions

Welcome back to The Lost Bots! In this episode, our hosts Jeffrey Gardner, Detection and Response (D&R) Practice Advisor, and Steven Davis, Lead D&R Sales Technical Advisor, walk us through the most hilariously bad and surprisingly accurate depictions of cybersecurity in popular film and television. They chat about back-end inaccuracies, made-up levels of encryption, and pulled power plugs that somehow end cyberattacks. Then they give a shout-out to some of the cinematic treatments that get it right — including a surprising nod to the original 1993 "Jurassic Park."

For Season 2, we're publishing new episodes of The Lost Bots on the last Thursday of every month. Check back with us on Thursday, August 31, for Episode 3!

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


[Security Nation] Jacques Chester of Shopify Talks CVSS Scores

In this episode of Security Nation, Shopify Senior Staff Software Developer Jacques Chester joins Jen and Tod to discuss his intriguing paper on CVSS scores and the overall oddness of vulnerability distribution. The trio also dives into Jacques’ journey to understanding how security systems affect people in the real world.

Stick around for our Rapid Rundown, where Tod and Jen discuss PyPi's alert to certain open-source publishers about the institution of 2FA technology on the platform.

Jacques Chester

[Security Nation] Jacques Chester of Shopify Talks CVSS Scores

Jacques is a Senior Staff Software Developer at Shopify in the Ruby & Rails Infrastructure group. He leads work on upstream and community improvements to supply chain security, with a focus on the Ruby ecosystem. Previously he worked in cloud-native platforms and consulting for VMware and Pivotal. He is a cat dad.

Show notes

Interview Links

Rapid Rundown Links

PyPi issues mentioned

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

How to Build and Enable a Cyber Target Operating Model

Cybersecurity is complex and ever-changing. Organisations should be able to evaluate their capabilities and identify areas where improvement is needed.

In the webinar “Foundational Components to Enable a Cyber Target Operating Model,” – part two of our Cybersecurity Series – Jason Hart, Chief Technology Officer, EMEA, explained the journey to a targeted operating cybersecurity model. To build a cybersecurity program is to understand your business context. Hart explains how organisations can use this information to map out their cyber risk profile and identify areas for improvement.

Organisations require an integrated approach to manage all aspects of their cyber risk holistically and efficiently. They need to be able to manage their information security program as part of their overall risk management strategy to address both internal and external cyber threats effectively.

Identifying priority areas to begin the cyber target operating model journey

You should first determine what data is most important to protect, where it resides, and who has access to it. Once you've pinned down these areas, you can identify each responsible business function to create a list of priorities. We suggest mapping out:

  • All the types of data within your organisation
  • All locations where the data resides, including cloud, database, virtual machine, desktops, and servers
  • All the people that have access to the data and its locations
  • The business function associated with each area

Once you have identified the most recurring business functions, you can list your priority areas. Only 12% of our webinar audience said they were confident in understanding their organisation's type of data.

Foundations to identify risk, protection, detection, response, and recovery

To start operationalising cybersecurity within a targeted area, we first set the maturity of each foundation. A strong foundation will help ensure all systems are protected from attacks and emerging threats. People play a critical role in providing protection and cyber resilience. They should be aware of potential risks so they can take appropriate actions to protect themselves and their business function.

1. Culture

A set of values shared by everyone in an organisation determines how people think and approach cybersecurity. Your culture should emphasise, reinforce, and drive behaviour to create a resilient workforce.

Every security awareness program should, at minimum, communicate security policy requirements to staff. Tracking employee policy acknowledgements will ensure your workforce is aware of the policy and helps you meet compliance requirements.

A quick response can reduce damages from an attack. Security awareness training should teach your workforce how to self-report incidents, malicious files, or phishing emails. This metric will prove you have safeguards in place. Tailor security awareness training to employees' roles and functions to measure the effectiveness of each department.

2. Measurement

Measuring the ability to identify, protect, detect, respond, and recover from cybersecurity risks and threats enables a robust operating model. The best approach requires an understanding of what your most significant risks are. Consider analysing the following:

  • Phishing rate: A reduction in the phishing rate over time provides increased awareness of security threats and the effectiveness of awareness training. Leverage a phishing simulation to document the open rates per business function to track phishing risks.
  • The number of security breaches: Track and record the number of new incidents and breaches every month. Measure a monthly percentage increase or decrease.
  • Mean time to detect (MTTD): Calculate how long it takes your team to become aware of indicators of compromise and other security threats. To calculate MTTD, take the sum of the hours spent detecting, acknowledging, and resolving an alert, and divide it by the number of incidents.
  • Patching cadence: Determine how long it takes to implement application security patches or mitigate high-risk CVE-listed vulnerabilities.
  • Mean time to recovery (MTTR): Take the sum of downtime for a given period and divide it by the number of incidents. For example, if you had 20 minutes of downtime caused by two different events over two days, your MTTR is 20 divided by two, equalling 10 minutes.

3. Accountability

A security goal generates the requirement for actions of an entity to be traced uniquely to support non-repudiation, deterrence, fault isolation, intrusion detection, prevention, after-action recovery, and legal action.

The quality of your incident response plan will determine how much time passes between assigning tasks to different business functions. Calculate the mean time between business functions aware of a cyber attack and their response. Additionally, calculate the mean time to resolve a cyber attack once they have become aware by measuring how much time passes between assigning tasks to different business functions.

Also, consider recording how internal stakeholders perform with awareness or other security program efforts to track the effectiveness of training.

4. Process

Processes are critical to implementing an effective strategy and help maintain and support operationalising cybersecurity.

To determine your increase in the number of risks, link the percent differences in the number of risks identified across the business monthly. Identify accepted risks by stakeholders and vendors monthly, and hold regular information security forums between business functions to review levels of progress. It’s also wise to document meeting notes and actions for compliance and internal reference.

5. Resources

Ownership of cybersecurity across the business creates knowledge to manage, maintain and operate cybersecurity.

When determining the effectiveness of resources, analyse what levels of training you give different levels of stakeholders. For example, administration training will differ from targeted executives.

Calculate the engagement levels of input and feedback from previous awareness training and record positive and negative feedback from all stakeholders. Ensure that different parts of the business have the required skill level and knowledge within the business function's scope. Use a skills matrix aligned to security domains to uncover stakeholders' hidden knowledge or skill gaps.

6. Automation

The automation of security tasks includes administrative duties, incident detection, response, and identification risk.

Consider implementing automation in vulnerability management processes internally and externally to the business. Additionally, detect intrusion attempts and malicious actions that try to breach your networks. And finally, automate patch management actions on all assets within scope by assessing the number of patches deployed per month based on the environment, i.e. cloud.

A journey that delivers outcomes

A cyber-targeted operating model is a unique approach that provides defensibility, detectability, and accountability. The model is based on the idea that you can't protect what you don't know and aims to provide a holistic view of your organisation's security posture. By identifying the most critical business functions and defining a process for each foundation, you can develop your cyber maturity over time.

To get the maximum benefit from Cybersecurity Series: Hackers ‘re Gonna Hack, watch Part One: Operationalising Cybersecurity to benchmark your existing maturity against the six foundational components. Watch Part 2: Foundational Components to Enable a Cyber Target Operating Model on-demand, or pre-register for Part Three: Cybersecurity KPIs to Track and Share with Your Board to begin mapping against your priority areas. Attendees will receive a complete list of Cybersecurity KPIs that align with the maturity level of your organisation.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


[Security Nation] Pete Cooper and Irene Pontisso on the Results of the UK Government’s Security Culture Challenge

In this episode of Security Nation, Jen and Tod are joined again by Pete Cooper and Irene Pontisso of the UK Cabinet Office for a follow-up on the cybersecurity culture challenge they launched in 2021. Pete and Irene run us through the results, what kinds of interventions participants came up with, and what has them excited about building a more resilient government security culture in the years to come.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent write-up that takes a deep dive into a curious form of phishing: pig-butchering scams. Spoiler: They have nothing to do with actual pigs but everything to do with highly specific text messages from numbers you don’t recognize.

Pete Cooper

[Security Nation] Pete Cooper and Irene Pontisso on the Results of the UK Government’s Security Culture Challenge

Pete is Deputy Director Cyber Defence within the Government Security Group in the UK Cabinet Office where he looks over the whole of the Government sector and is responsible for the Government Cyber Security Strategy, standards, and policies, as well as responding to serious or cross-government cyber incidents. With a diverse military, private sector, and government background, he has worked on everything ranging from cyber operations, global cybersecurity strategies, advising on the nature of state-versus-state cyber conflict to leading cybersecurity change across industry, public sector and the global hacker community, including founding and leading the Aerospace Village at DEF CON.  A fast jet pilot turned cyber operations advisor, who on leaving the military in 2016 founded the UK’s first multi-disciplinary cyber strategy competition, he is passionate about tackling national and international cybersecurity challenges through better collaboration, diversity, and innovative partnerships. He has a Post Grad in Cyberspace Operations from Cranfield University. He is a Non-Resident Senior Fellow at the Cyber Statecraft Initiative of the Scowcroft Centre for Strategy and Security at the Atlantic Council and a Visiting Senior Research Fellow in the Dept of War Studies, King's College London.

Irene Pontisso

[Security Nation] Pete Cooper and Irene Pontisso on the Results of the UK Government’s Security Culture Challenge

Irene is Assistant Head of Engagement and Information within the Government Security Group in the UK Cabinet Office. Irene is responsible for the design and strategic oversight of cross-government security education, awareness, and culture-related initiatives. She is also responsible for leading cross-government engagement and press activities for Government Security and the Government Chief Security Officer. Irene started her career in policy and international relations through her roles at the United Nations Platform for Space-based Information for Disaster Management and Emergency Response (UN-SPIDER). Irene also has significant industry and third sector experience, and she partnered with the world's leading law firms to provide free access to legal advice for NGOs on international development projects. She also has experience in leading large-scale exhibitions and policy research in corporate environments. She holds a MSc in International Relations from the University of Bristol and a BSc from the University of Turin.

Show notes

Interview links

Rapid Rundown links

  • Check out the article on so-called pig-butchering scams.

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today