Author: Rapid7

Explanation of New Authenticated Scanning PCI DSS Requirement 11.3.1.2 in PCI DSS V4.0 and how InsightVM can help meet the Requirement

By: Dominick Vitolo, VP of Security Services, MegaplanIT

As a Certified Qualified Security Assessor (QSA) company and a trusted Rapid7 partner, MegaplanIT is committed to guiding organizations through the complexities of compliance and security standards.

PCI DSS version 4.0 is a significant update on the horizon and is set to take effect March 31, 2025. One of the key changes around vulnerability scanning within this update is requirement 11.3.1.2. This new requirement mandates authenticated internal vulnerability scans.

Here, we’ll shed light on why organizations should immediately transition to authenticated vulnerability scanning and how Rapid7’s InsightVM can facilitate this essential change.

The Shift in PCI DSS 4.0

New Requirement 11.3.1.2

Under PCI DSS 4.0, requirement 11.3.1.2 introduces the need for authenticated internal vulnerability scans, marking a departure from the widely practiced unauthenticated scans.

Currently, many organizations rely on unauthenticated scanning which, while useful, offers limited visibility into system vulnerabilities. In previous versions the PCI DSS never specifically called out the need for authenticated vulnerability scanning internally, which led the requirement subject to interpretation.

This established procedure from retirement 11.3.1 remains applicable and is complemented by the new requirement mandating authenticated internal vulnerability scans.

  • Scans must be conducted at least every three months.
  • All high-risk and critical vulnerabilities – as defined by the entity's own risk rankings established in Requirement 6.3.1 – must be remediated.
  • Follow-up rescans are required to verify the resolution of these high-risk and critical vulnerabilities.
  • The scanning tool used must be regularly updated with the latest vulnerability information.
  • The scans must be carried out by qualified individuals, and there must be an organizational separation between the testers and the systems they are testing.

MegaplanIT Perspective: Why Adopt Authenticated Scanning Now Before the Requirement Takes Effect?

  1. Deeper security insights: Authenticated scans delve into systems more deeply, uncovering vulnerabilities that unauthenticated scans may miss. This depth is critical for maintaining robust security.
  2. Proactive compliance strategy: We always advocate for early adoption of new standards. It allows for a smoother transition and avoids the rush associated with impending compliance deadlines. Authenticated vulnerability scanning typically uncovers a greater number of vulnerabilities than unauthenticated scanning. Consequently, this will necessitate a greater allocation of internal resources for planning and executing remediation strategies.
  3. Enhanced risk management: Authenticated scanning enables more effective identification and remediation of vulnerabilities, thus fortifying your defense against potential breaches. Authenticated vulnerability scanning may also lead to a reduced number of false positives.
  4. Operational efficiency: Early adoption allows for the refinement of scanning processes, ensuring they become a seamless part of your security routine and may also lead to a reduced amount of false positives.

How Rapid7’s InsightVM Aligns with This Transition

Credential-Based Scanning

InsightVM's capability to perform scans with provided credentials aligns perfectly with the authenticated scanning requirements of PCI DSS 4.0. Scanning with credentials allows you to gather information about your network and assets that you could not otherwise access. You can inspect assets for a wider range of vulnerabilities or security policy violations.

Additionally, authenticated scans can check for software applications and packages as well as verify patches. When you scan a site with credentials, target assets in that site authenticate the Scan Engine as they would an authorized user.

Leveraging the Rapid7 Insight Agent

Rapid7’s universal Insight Agent gathers extensive vulnerability data, supporting the authenticated scanning process effectively.

Advantages of Implementing InsightVM

  • Comprehensive detection: InsightVM is equipped with a vast and continuously updated repository of known vulnerabilities and identification of configuration issues.
  • Targeted remediation guidance: Detailed insights facilitate prioritized and effective remediation efforts.
  • User-friendly interface: IT teams experience a simplified transition, making the process less daunting.

Transitioning to authenticated internal vulnerability scanning in order to meet the control requirements of PCI DSS 4.0 is a crucial step towards strengthening your organization’s security posture. As a certified QSA, MegaplanIT strongly recommends that organizations begin this shift now.

Tools like Rapid7’s InsightVM are pivotal in this journey, offering a comprehensive, scalable, and user-friendly solution. By embracing this change today, your organization will not only be compliant, but also significantly more secure against ever-evolving cyber threats.

RCE to Sliver: IR Tales from the Field

*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it’s also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected leading to further compromise.

Rapid7 customers

Rapid7 consistently monitors emergent threats to identify areas for new detection opportunities. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation available for all IDR customers to detect the usage of the text-inline.vm consistent with the exploitation of CVE-2023-22527. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7’s blog on CVE-2023-22527.

Observed Attacker Behavior

Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. These servers were both running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE) capabilities. Rapid7 reviewed server access logs to identify the presence of suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the text-inline.vm component of Confluence by sending a modified POST request to the server.

Evidence showed multiple instances of exploitation of this CVE, however, evidence of an embedded command would not be available within the standard header information logged within access logs. Packet Capture (PCAP) was not available to be reviewed to identify embedded commands, but the identified POST requests are consistent with the exploitation of the CVE.
The following are a few examples of the exploitation of the Confluence CVE found within access logs:

Access.log Entry
POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 - Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
POST /template/aui/text-inline.vm HTTP/1.0 200 70ms 7750 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

Evidence showed the execution of a curl command post-exploitation of the CVE resulting in the dropping of cryptomining malware to the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified curl command. This indicates that the dropped cryptomining malware was directly tied to Confluence CVE exploitation.
As a result of the executed curl command, file w.sh was written to the /tmp/ directory on the system. This file is a bash script used to enumerate the operating system, download cryptomining installation files, and then execute the cryptomining binary. The bash script then executed the wget command to download javs.tar.gz from the IP address 38.6.173[.]11 over port 80. This file was identified to be the XMRigCC cryptomining malware which caused a spike in system resource utilization consistent with cryptomining activity. Service javasgs_miner.service was created on the system and set to run as root to ensure persistence.

The following is a snippet of code contained within w.sh defining communication parameters for the downloading and execution of the XMRigCC binary.

RCE to Sliver: IR Tales from the Field

Rapid7 found additional log evidence within Catalina.log that references the download of the above file inside of an HTTP response header. This response registered as ‘invalid’ as it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the above Catalina log may prove useful for analysts to identify additional proof of attempted or successful exploitation.

Catalina Log Entry
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz... ] has been removed from the response because it is invalid

Rapid7 then shifted focus to begin a review of system network connections on both servers. Evidence showed an active connection with known-abused IP address 193.29.13[.]179 communicating over port 8888 from both servers. netstat command output showed that the network connection’s source program was called X-org and was located within the system’s /tmp directory. According to firewall logs, the first identified communication from this server to the malicious IP address aligned with the timestamps of the identified X-org file creation. Rapid7 identified another malicious file residing on the secondary server named X0 Both files shared the same SHA256 hash, indicating that they are the same binary. The hash for these files has been provided below in the IOCs section.

A review of firewall logs provided a comprehensive view of the communications between affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available Indicators of Compromise (IOCs). Within the Sliver payload, Rapid7 confirmed the following IP address 193.29.13[.]179 would communicate over port 8888 using the mTLS authentication protocol.

RCE to Sliver: IR Tales from the Field

After Sliver first communicated with the established C2, it checked the username associated with the current session on the local system, read etc/passwd and etc/machine-id and then communicated back with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and any account on the system. Cached credentials from the system were discovered to be associated with outbound C2 traffic further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.

The Sliver C2 connection was later used to execute wget commands used to download Kerbrute, Traitor, and Fscan to the servers. Kerbute was executed from dev/shm and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentications. The Traitor binary was executed from the var/tmp directory which contains the functionality to leverage Pwnkit and Dirty Pipe as seen within evidence on the system. Fscan was executed from the var/tmp directory with the file name f and performed scanning to enumerate systems present within the environment. Rapid7 performed containment actions to deny any further threat actor activity. No additional post-exploitation objectives were identified within the environment.

Mitigation guidance

To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:

  • Ensure that unnecessary ports and services are disabled on publicly-facing servers.

  • All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.

  • Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.

  • Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.

  • Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.

MITRE ATT&CK Techniques

Tactics Techniques Details
Command and Control Application Layer Protocol (T1071) Sliver C2 connection
Discovery Domain Account Discovery (T1087) Kerbrute enumeration of Active Directory
Reconnaissance Active Scanning (T1595) Fscan enumeration
Privilege Escalation Setuid and Setgid (T1548.001) Traitor privilege escalation
Execution Unix Shell (T1059.004) The Sliver payload and follow-on command executions
Credential Access Brute Force (T1110) Kerbrute Active Directory brute force component
Credential Access OS Credential Dumping (T1003.008) Extracting the contents of /etc/passwd file
Impact Resource Hijacking (T1496) Execution of cryptomining software
Initial Access Exploit Public-Facing Application (T1190) Evidence of text-inline abuse within Confluence logs

Indicators of Compromise

Attribute Value Description
Filename and Path /dev/shm/traitor-amd64 Privilege escalation binary
SHA256 fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376 Hash for Traitor binary
Filename and Path /var/tmp/kerbrute_linux_amd64 Kerbrute enumeration of Active Directory
SHA256 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a Hash for Kerbrute binary
Filename and Path /var/tmp/f Fscan enumeration
SHA256 b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59 Hash for Fscan binary
Filename and Path /tmp/X0 Sliver binary
SHA256 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 Hash for Sliver binary
Filename and Path /tmp/X-org Sliver binary
SHA256 29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736 Hash for Sliver binary
IP Address 193.29.13.179 Sliver C2 IP address
Filename and Path /tmp/w.sh Bash script for XMrigCC cryptominer
SHA256 8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0 Hash for bash script
Filename and Path /tmp/javs.tar.gz Compressed crypto installation files
SHA256 ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b Hash for crypto installation files
Log-Based IOC "POST /template/aui/text-inline.vm HTTP/1.0 200" followed by GET request containing curl Exploit behavior within Confluence access.log
IP Address 195.80.148.18 IP address associated with exploit behavior of text-inline followed by curl
IP Address 103.159.133.23 IP address associated with exploit behavior of text-inline followed by curl
Paving a Path to Systems Administration: Naeem Jones’ Journey with Rapid7

Prior to becoming a Systems Administrator at Rapid7, Naeem Jones entered his career in cybersecurity through the Hack. Diversity program. Hack.Diversity is a program that connects talented Black and Latin/x students and early-career professionals with organizations that are looking to build inclusive and equitable working environments. Rapid7 is a founding member of “Hack” and has worked with the organization since 2017.

Jones remembers he and others in his cohort were looking for opportunities to grow and gain valuable experience at an organization, prioritizing the expansion of their expertise while also having ownership of tasks and projects. To Jones, one of the things that stood out the most about Rapid7 was the ability to be himself while having the opportunity to grow.

“One of my favorite core values at Rapid7 is ‘Bring You.’ I love having the ability to bring your authentic self every day – and that looks different for everyone. For myself, I am an avid gamer and even play competitively. I am part of multiple groups at Rapid7 where we discuss all the video games and media we love and are able to bond over our shared interests,” he said. Jones enjoys challenging those around him: “If you think you can beat me in a game, I am here, and I accept the challenge!”

Alongside the promise of a robust culture, there was room for Jones to challenge himself to create impact and grow. “Rapid7 emphasized that, once you join, you are part of the team. Even if you are an intern, you are a Moose and will be working alongside others with the same opportunities.” Employees call themselves “Moose” because it can refer to a single moose or an entire herd, demonstrating how every employee is working both individually and collaboratively to implement solutions. This references one of Rapid7’s five core values: “Impact Together.”

“I started by doing whatever I could to understand and take advantage of learning opportunities. A few months into my internship, I was put in charge of handling the onboarding process, which I continued as I came to Rapid7 full-time,” Jones said. “I had ownership of a critical part of the business, which was to be the face of IT and the first person at Rapid7 to give new employees information on their devices and where they can go when they need help or have issues.”

Every role at Rapid7 is integral to delivering for our customers, and Jones’ ability to demonstrate how to efficiently use devices is a great example. The faster our Moose are acclimated to their laptops and are equipped with the tools they need, the faster they can solve the challenges our customers are facing. This means they can more rapidly build products that will keep our customers ahead of attackers and safe in the midst of a complex digital environment.

As Jones has progressed through his career over the course of five years at Rapid7, he has taken advantage of opportunities to shadow those whose roles he has found fascinating. Through open communication with his managers, Jones was able to have a hand in mapping his progression into a Systems Administrator role. This has created opportunities for Jones to impart helpful information and wisdom of his own.

“Mentorship and cross-collaborationship never goes away. Of course, workload takes precedence but there is still so much for me to learn from my peers regardless of whether they are in a more junior or senior role. I have the opportunity now to also pass my knowledge along to others on processes I am well-versed in,” he said.

“I am able to offer wisdom, tips and tricks, and where to look when things aren’t right. I love being able to empower my team – or any partner – to learn from my experiences and be a teacher,” he said. “It is a privilege to be able to show others how I navigate processes to help them learn and to improve and become better. It is a continuous cycle.” This cycle is critical to the impact made at Rapid7 as Moose are able to work together on projects which foster expanded knowledge and fluid collaboration.

For those looking for their next opportunity, Jones acknowledges a difficult obstacle to overcome that many face: imposter syndrome. Although he recognizes that it may never truly go away, Jones suggests how to push through it: “Always try to partner, learn new skills, and shadow people in roles that interest you. No matter if it is a little thing or a big thing, just try,” he said.

Overall, Jones wants others to know that there is power in taking control in the face of adversity. “There have been points in my career where I felt paralyzed by imposter syndrome,” he said. “But, you can’t let that stop you from giving it a shot. Never let those feelings block you from learning and growing. Even if you ‘fail,’ you will still learn something and can carry that experience with you.

Learn more about opportunities available at Rapid7.

Critical Fortinet FortiOS CVE-2024-21762 Exploited

On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on Fortigate SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.

According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred.

Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors. Other recent Fortinet SSL VPN vulnerabilities (e.g., CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by adversaries as both zero-day and as n-day following public disclosure.

Affected products

FortiOS versions vulnerable to CVE-2024-21762 include:

  • FortiOS 7.4.0 through 7.4.2

  • FortiOS 7.2.0 through 7.2.6

  • FortiOS 7.0.0 through 7.0.13

  • FortiOS 6.4.0 through 6.4.14

  • FortiOS 6.2.0 through 6.2.15

  • FortiOS 6.0 all versions

  • FortiProxy 7.4.0 through 7.4.2

  • FortiProxy 7.2.0 through 7.2.8

  • FortiProxy 7.0.0 through 7.0.14

  • FortiProxy 2.0.0 through 2.0.13

  • FortiProxy 1.2 all versions

  • FortiProxy 1.1 all versions

  • FortiProxy 1.0 all versions

Note: Fortinet’s advisory did not originally list FortiProxy as being vulnerable to this issue, but the bulletin was updated after publication to add affected FortiProxy versions.

Mitigation guidance

According to the Fortinet advisory, the following fixed versions remediate CVE-2024-21762:

  • FortiOS 7.4.3 or above

  • FortiOS 7.2.7 or above

  • FortiOS 7.0.14 or above

  • FortiOS 6.4.15 or above

  • FortiOS 6.2.16 or above

  • FortiOS 6.0 customers should migrate to a fixed release

  • FortiProxy 7.4.3 or above

  • FortiProxy 7.2.9 or above

  • FortiProxy 7.0.15 or above

  • FortiProxy 2.0.14 or above

  • FortiProxy 1.2, 1.1, and 1.0 customers should migrate to a fixed release

As a workaround, the advisory instructs customers to disable the SSL VPN with the added context that disabling the webmode is not a valid workaround. For more information and the latest updates, please refer to Fortinet’s advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to FortiOS CVE-2024-21762 with a vulnerability check available in the Friday, February 9 content release.

5 Insights from the Latest Cybersecurity Trends Research

Rapid7 is committed to promoting research that identifies the latest cybersecurity trends so that  organizations can leverage these insights and create programs that make sense for the modern SOC. To that end, we’ve singled out five quick insights security professionals and stakeholders should consider when looking ahead. These findings are based on Top Trends in Cybersecurity for 2024, a new research report from Gartner®.

Organizations Will Focus on Improving Resilience

As cloud continues to be adopted at a frenzied pace across organizations large, small, and everything in between, it’s critical to maintain organizational resiliency as attack surfaces expand and security becomes more urgent than ever. Indeed, the research notes that: “Improving organizational resilience has become a primary driver of security investments for several interconnected reasons:

  • “Digital ecosystems continue to sprawl, due to increasing cloud adoption.
  • Organizations are entrenching hybrid work arrangements.
  • The threat environment continues to evolve as emerging capabilities also embolden attackers.”

Continuous Threat Exposure Management Programs Will Take Off

Organizational attack surfaces have expanded for many reasons: the adoption of SaaS, remote work, custom application development, and more. All of these changes are efficiency drivers for businesses, but can also become liabilities rife with vulnerabilities. As organizations put more products and policies into place –  especially from multiple vendors – it can become more difficult to manage this new attack surface at scale.

The research stipulates that, in order to try and solve this issue, “security and risk management (SRM) leaders have introduced pilot processes that govern the volume and importance of threat exposures and the impact of dealing with them with continuous threat exposure management (CTEM) programs.” Short-term remediations can only go so far; the game is accelerating and long-term solutions must be put into place.

Generative AI Will Inspire Long-Term-Yet-Cautious Hope

Security organizations are embracing generative AI (GenAI) to help gain visibility across hybrid attack surfaces, spot threats fast, and automatically prioritize risk signals. In other sectors, unmanaged and uncontrolled uses of GenAI need reigning in before they can cause real societal damage with things like deepfakes, misinformation, and copyright infringement.

The research states that “the most notable issues were the use of confidential data in third-party GenAI applications and the copyright infringement and brand damage that could result from the use of unvetted generated content.” As AI companies continue to release new products that are more readily customizable by developers, laws and security policies will need to be put into place to curtail this potential third-party threat.

The C-Suite Communications Gap Will Narrow

With clearer outcome-driven metrics (ODMs) comes the ability to more easily convince the boardroom that direct investment in a cybersecurity initiative is imperative. Indeed, CISOs and other key security personnel and stakeholders have for years been running up against budgetary pushback that all too often leads to a porous attack surface as well as the inability to properly respond or prepare.

According to the research, “the 2023 Gartner Evolution of Cybersecurity Leader Survey asked chief information security officers (CISOs) the following question: ‘What has been the impact of changing business objectives on your cybersecurity strategy?’ In response, 60% said there had been some impact or a major impact.” When goals and/or key performance indicators (KPIs) shift, the security organization must be able to readily communicate where potential risk could lie in the changed environment.

ODMs can create a clearer path for security. From the report:

  • “Explain material cyber incidents to executives and guide specific investments to remediate them.
  • Support transparency to educate executives, lines of business and corporate functions about inappropriate or cavalier risk acceptance.
  • Expose matrixed management problems, such as the role the IT team plays in patching problems for which the security organization is typically held accountable.”

Cybersecurity Reskilling Will Help to Future-Proof

There is a continuing cybersecurity talent gap and, at the same time, there seems to be a shift in the types of skills practitioners need to bring to the job. Think of the implications this “moving target” has on both security organizations and people strategy teams tasked with scouring the marketplace for this magical unicorn.

The report details how, “in the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of current demand – an all-time low over the past decade.” A plethora of trends are leading to this current disparity, including: accelerated cloud adoption, the emergence of GenAI, threat-landscape expansion, and vendor consolidation.

Greater business acumen as well as AI ethics and human psychology are just a few of the soft skills that will come to have greater prominence in job descriptions of security talent. Indeed, this may signal a stronger coming partnership between talent acquisition teams and security teams so that all parties involved can be sure that the right talent is recruited in the best way possible.

Read the report here.

Gartner, Top Trends in Cybersecurity for 2024, Richard Addiscott, Jeremy D’Hoinne, et al., 2 January 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Celebrating Excellence: Alex Page Recognized As a CRN 2024 Channel Chief

Congratulations to Rapid7’s Vice President of Global Channel Sales, Alex Page, who is named among the newly-announced CRN 2024 Channel Chiefs!

Alex, who also received this prestigious accolade in 2023, has been recognized for his outstanding contributions and expertise in driving strategic initiatives and shaping the channel agenda for both Rapid7 and the wider partner community.

The Channel Chiefs list, released annually by CRN, showcases the top leaders throughout the IT channel ecosystem who work tirelessly to ensure mutual success with their partners and customers.

"These channel evangelists are dedicated to supporting solution providers and achieving growth by implementing robust partner programs and unique business strategies," said Jennifer Follett, VP, US Content, and Executive Editor, CRN, at The Channel Company.

"Their efforts are instrumental in helping partners bring essential solutions to market. The Channel Company is pleased to acknowledge these prominent channel leaders and looks forward to chronicling their achievements throughout the year."

Under Alex’s leadership, Rapid7 has matured its channel approach to create a win-win-win scenario for all parties — most importantly, the end customer. This includes an obsessive focus on “being easy to do business with" for both partners and customers, and empowering our partners to participate in the full customer journey with us.

In Alex’s words: “Focus matters. You cannot try to be all things to all people, in general – but this very much applies to the channel. Find the partners who best fit your goals as a company, and can help make your customers most successful, and go deep with a small group of them. Your focus will drive more results. Your focus will also be very much felt and appreciated by the partner.”

We are proud to have Alex leading the charge, and of this recognition, which reinforces Rapid7’s commitment to excellence, innovation, and strong partnerships.

Learn more about Rapid7 global partnerships here.

Rapid7 in Prague: Pete Rubio Shares Insights and Excitement for the New Office

As we continue to grow our customer base here at Rapid7, we’re growing our offices as well – this time with a new location in the Czech Republic. With a successful history of building innovation hubs from Boston to Belfast, our teams can’t wait to bring new talent from Prague into the business.

Pete Rubio joined Rapid7 in December of 2020, and is the Senior Vice President, Platform & Engineering. In this role he leads our data and engineering teams as they work to develop, optimize, and deliver security products and solutions to more than 11,000 customers worldwide.

Here, he talks about what he’s excited to see in Prague, what makes working at Rapid7 unique, and how he has experienced growth and development in his role as a leader.

What can you share about our new office location in Prague?

As a cybersecurity company, the need to constantly evolve and bring new, innovative ideas to the table is paramount to our success and the success of our customers. When it comes to expanding our global presence with a new location in Prague, we are excited to grow our talent pool and bring new perspectives and ideas into the business. Creating an innovation hub like this isn’t new to us; we’ve seen success in our Belfast office when it comes to creating a global hub for innovation. I see Prague as a location that will follow that model and have that same impact.

What makes Rapid7 unique as an employer?

At Rapid7, it’s our culture that sets us apart from other global companies. We have really interesting problems to solve and breakthrough innovations to deliver, but it’s how we do things and the culture we’ve created here that makes us quite different. We believe in working together to challenge convention and deliver excellence. We value perspectives and ideas from all areas of the business, and there are no egos or personal agendas when it comes to delivering for our customers.

We also place an extremely high emphasis on giving employees opportunities to stretch themselves, try new things, and really grow their careers in a way that compliments our business strategy. Rapid7 has created an environment where you can grow your career, grow your leadership skills, clearly measure your impact on the business -- and have a lot of fun along the way.

People all over the world spend a lot of time at work, and if you don’t like your co-workers or the environment you’re spending one third of your day in - it’s going to be a struggle. One thing I've found is that our culture has allowed us to work through our challenges and come out even stronger.

Rapid7 in Prague: Pete Rubio Shares Insights and Excitement for the New Office

So what exactly are we building, and what can future employees expect?

There are a few sites at Rapid7 that represent a cross section of the company and have almost every discipline represented. Prague will be one of those sites. We’ll have engineering, product, a SOC location, finance, sales, support, and more. This is more than an engineering location or satellite office. Employees here will be working on critical path initiatives across the whole business. This is exciting for our employees because it creates a lot of opportunities for collaboration as well as growing your career and skills. If you want to lean into different areas of the business, being in a place where you can learn from other people and participate in rotational projects is important to help you get there.

As I mentioned before, professional growth is a critical component of our culture and our values. We are always open to people having new ideas and suggestions that are aligned with or help evolve our strategy in a positive direction. By giving employees the opportunity to have discussions and set their own goals for professional development – while holding managers accountable for having those conversations – we become a place where learning, innovation, and growth are taking place all around us every day. When our people are thriving and doing really impactful work and growing their skills, we’re able to succeed as a business and deliver better products and services to our customers.

Why should someone consider working in Cybersecurity?

There isn’t a more dynamic sector than Cybersecurity. Not a single day has been boring for me since I’ve been in the industry. I also think the ability to make a positive impact on the world is rewarding. We work to secure companies from bad actors. We have well known brand names that we secure, and there's a level of job satisfaction that comes from knowing we built technology that is actively working to make the world a safer place and stop the bad guys. The role between defender and attacker is always going to be a big cat-and-mouse game. We constantly need to be thinking three steps ahead in order to keep customers secure.

Rapid7 in Prague: Pete Rubio Shares Insights and Excitement for the New Office

What customer challenges are we solving?

When you look at the security landscape, our portfolio is probably one of the richest in the industry. So when we approach a customer to understand their security needs, we have almost everything they could possibly need in our offering. Additionally, the experience across our products and services are second to none. When I talk to our customers, I share that we are looking to be the leading platform consolidator.

When customers do business with us, we will make it so that their security programs are much more impactful for every dollar they spend with us. There are a lot of other companies that have a one-point solution, and that limits your ability to expand and grow with your customer. From the employee perspective, that also limits their ability to grow and work on new things. We have multiple products for our employees to work on and explore, and that means you don't need to leave the company to grow.

You can do new and innovative things by changing product teams or working on a new offer. There are a lot of different ways we can increase customer efficiency as well as the efficacy of our programs, while providing really interesting career paths and opportunities for our people along the way.

Rapid7 in Prague: Pete Rubio Shares Insights and Excitement for the New Office

What have you found to be most rewarding in your role at Rapid7?

The most rewarding part of my job has been the opportunities I’ve had to lead; these opportunities go beyond what I was initially hired to do. It’s fantastic to see the breadth and depth of impact I've been able to have in just three short years. There are company-wide challenges I’ve been able to support that have not always been in my domain, but I’ve been given the trust and opportunity to come in and help. Leaning in like that has truly evolved my career – I’ve been able to grow my leadership skills, develop a team, and deliver favorable outcomes for customers.

My story of growth is not unique within the company. As our business becomes more successful, we see opportunities for each person to become more successful as well. Our People Strategy team is intentional about looking at employees as individuals and recognizing that growth and success isn’t always a linear journey. We’re giving employees the opportunity to have ownership of their career trajectory. As leaders, our job is to support their goals, give feedback, and align that evolution and growth to business objectives.

How does Rapid7 maintain a consistent culture across global offices?

Every site has their own microculture that is a core part of our macro culture. Each office has a unique flavor that compliments the culture and employee experience we’re known for. Every time I arrive at a Rapid7 office, it FEELS like a Rapid7 office. This goes beyond the spaces and the way things look. It’s about the people I interact with, the sense of a common goal, and a feeling of being welcomed and included.

When I walk into the Belfast office, I feel like I’m in the Austin office. When I’m at the Boston office, I feel the same way I do when I’m in the Tampa office. Getting the culture to a place where it feels consistent across each and every site is a really hard thing to do – and yet we’ve done that here.

When I think about what makes that possible, I feel it comes down to the way we think about people. We don't have a Human Resources team, we have a People Strategy team. It’s a simple shift, but it’s deliberate. We don’t look at people as resources, we look at them as people. The intellectual property we produce and the value we deliver as a business is created by people. They are our most valuable asset, and the way we support, grow, and engage them has a direct impact on our success as a business.

Rapid7 in Prague: Pete Rubio Shares Insights and Excitement for the New Office

What would you say to someone in Prague looking for a new opportunity?

If you are looking for a place that intentionally values you as a person and gives you incredible opportunities to do your best work, I can't think of a better environment than Rapid7. We’re committed to Prague as our next center for innovation, and we look forward to welcoming some of the most talented and collaborative professionals to join us in building a secure digital future.

View all current openings in Prague.

View all worldwide Product and Engineering openings.


Building the Best SOC Takes Strategic Thinking

So your security team is ready to scale up its security operations center, or SOC, to better meet the security needs of your organization. That’s great news. But there are some very important strategic questions that need to be answered if you want to build the most effective SOC you can and avoid some of the most common pitfalls teams of any size can encounter.

The Gartner® report SOC Model Guide, is an excellent resource for understanding how to ask the right questions regarding your security needs and what to do once those questions are answered.

Question 1: Which Model is Right for You?

There are several different ways to build an effective SOC. And while some are more complicated (perhaps even prohibitively so) than others, knowing what your needs and resources are at the outset will help you make this crucial initial decision.

Gartner puts it this way:

“A SOC model defines a strategy for variation in the use of internal teams and external service providers when running a SOC. It ensures all roles required to operate a SOC are allocated to those best suited to discharge the associated responsibilities. An effective SOC model lets SRM leaders allocate resources based on business priorities, available skill sets and budget…”

There are effectively three ways to build a SOC: internal, external, and hybrid. The report has this to say:

"Opting for a hybrid SOC is one way to help grow capabilities, while managing scale and cost. A hybrid SOC is one in which more than one team, both insourced and outsourced, plays a role in the activities required for proper SOC operation. The question of which teams, roles, jobs and activities are best kept in-house or outsourced is complex. Building a SOC model helps you answer it and ensure a hybrid SOC is well-balanced."

Question 2: Who Does What?

Let’s assume your organization is opting for a hybrid approach. The next question you will need to ask yourself is what roles am I outsourcing and what roles am I keeping in-house? Understanding your business needs and whether internal or external partners are the best course of action can take some serious soul-searching on your part.

Luckily, Gartner has some recommendations. From the report:

Gartner says "Some SOC tasks are strategic, such as those performed by the roles of senior investigator, incident response manager and red team tester. They are often best performed by in-house staff who understand the business’s needs and the security issues.

"Other SOC tasks are tactical, such as building detection content for common
attacks. They are generally best performed by a larger external team, which can do
them more efficiently, on a bigger scale, and for longer periods."

Question 3: How Do We Keep Everything Humming Along?

Once you’ve chosen your SOC model and built your team, it is important to be monitoring and reacting to the ways in which the internal and external partners work together. Let’s assume you’ve followed Gartner recommendations and outsourced your tactical needs and some highly specific skill sets and kept your strategic thinkers in-house, then you need to have a way for the teams to work together that is as dynamic as the environment they are seeking to protect.

Gartner offers this advice:

“Have clear demarcations between objective handlers, but ensure there is shared awareness. A challenge with hybrid models that use different providers or teams to handle objectives is that it can be hard to instill a results-oriented mindset. An external provider or internal team often gets “tunnel vision” — focusing only on its own individual objective — and loses sight of the big picture of SOC performance. You must ensure each provider or team is aware of its impact on adjacent objectives, not just its own.”

Just because different teams are going to have relatively different goals does not mean they should operate in silos. Ensuring that internal and external team members are able to see the big picture and understand the capabilities and limitations of others on the team is a critical component of building a SOC that works well today and grows well together.

Building a SOC from scratch is no easy feat and it is made harder without some serious strategic thinking and soul searching before building the team. Understand your unique needs, the general needs of a SOC team, what your resources are, and the expectations of your organization before building your own A-team of crack security professionals.

To read more about SOC Models check out Gartner SOC Model Guide here.

Gartner, SOC Model Guide, Eric Ahlm, Mitchell Schneider, Pete Shoard, 18 October 2023

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Critical CVEs in Outdated Versions of Atlassian Confluence and VMware vCenter Server

Rapid7 is highlighting two critical vulnerabilities in outdated versions of widely deployed software this week. Atlassian disclosed CVE-2023-22527, a template injection vulnerability in Confluence Server with a maxed-out CVSS score of 10, while VMware pushed a fresh update to its October 2023 vCenter Server advisory on CVE-2023-34048 to note that the vulnerability has now been exploited in the wild.

VMware and Atlassian technologies are mainstays in many corporate environments, and they have historically been targeted by a wide range of adversaries, including in large-scale ransomware campaigns. Rapid7 urges customers to ensure that they are using supported, fixed versions of vCenter Server and Confluence Server in their environments, and that, wherever possible, they are adhering to a high-urgency patching schedule for these products.

VMware vCenter Server CVE-2023-34048

CVE-2023-34048 is a critical out-of-bounds write vulnerability that affects VMware vCenter Server and VMware Cloud Foundation. The vulnerability arises from an out-of-bounds write flaw in vCenter’s implementation of DCERPC, which, if exploited successfully, could lead to remote code execution. It was originally disclosed in October 2023 alongside fixed versions, including for several end-of-life products. Earlier this week, VMware updated their advisory to note that exploitation of CVE-2023-34048 has been observed in the wild. Fixed versions of vCenter Server that remediate CVE-2023-34048 have been available since October 2023.

Per VMware’s advisory, all versions of vCenter Server are vulnerable to CVE-2023-34048 except the following fixed versions (or later):

Customers should update on an emergency basis if they have not done so before now. Patches are also available for the following end-of-life versions of vCenter Server: 6.7U3, 6.5U3, and VCF 3.x. VMware has information on applying individual product updates to Cloud Foundation environments here.

For more information, see VMware’s original advisory and FAQ. A list of vCenter Server versions and builds is available here.

Atlassian Confluence Server and Data Center CVE-2023-22527

CVE-2023-22527 is a critical template injection vulnerability in Atlassian Confluence that allows for unauthenticated remote code execution when exploited successfully in vulnerable target environments. As of January 19, 2024, we are not aware of exploitation in the wild targeting CVE-2023-22527.

Affected versions from Atlassian’s advisory:

  • 8.0.x
  • 8.1.x
  • 8.2.x
  • 8.3.x
  • 8.4.x
  • 8.5.0-8.5.3

The most recent supported versions of Confluence Server (as of January 16, 2024) are not affected. Fixed versions for Confluence Server are 8.5.4 and 8.5.5, both of which are on long-term support. For Confluence Data Center, fixed versions are 8.6.0, 8.7.1, and 8.7.2, all of which apply to Confluence Data Center only.

We strongly recommend that Atlassian Confluence customers update to the latest version in their product’s version stream. Customers should refer to the vendor advisory as the source of truth on affected products and fixed versions.

Rapid7 customers

Vulnerability checks for CVE-2023-34048 have been available to InsightVM and Nexpose customers since October 27, 2023. Vulnerability checks for CVE-2023-22527 have been available to InsightVM and Nexpose customers since January 17, 2024.

Application Security Posture Management

Accelerating the Remediation of Vulnerabilities From Code To Cloud

Written by Eric Sheridan, Chief Innovation Officer, Tromzo

In this guest blog post by Eric Sheridan, Chief Innovation Officer at valued Rapid7 partner Tromzo, you’ll learn how Rapid7 customers can utilize ASPM solutions to accelerate triaging, prioritization and remediation of findings from security testing products such as InsightAppSec and InsightCloudSec.

Application Security’s Massive Data Problem

Application Security teams have a massive data problem. With the widespread adoption of cloud native architectures and increasing fragmentation of development technologies, many teams amass a wide variety of specialized security scanning tools. These technologies are highly specialized, designed to carry out comprehensive security testing as a means of identifying as many vulnerabilities as possible.

A natural byproduct of their deployment at scale is that, in aggregate, application security (appsec) teams are presented with thousands – if not millions – of vulnerabilities to process. If you’re going to deploy advanced application security testing solutions, then of course a significant amount of vulnerability data is going to be generated. In fact, I’d argue this is a good problem to have. It’s like the old saying goes: You cannot improve what you cannot measure.

Here’s the kicker though: given a backlog of, lets say 200k vulnerabilities with a severity of “critical” across the entire product stack, where do you start your remediation efforts and why? Put another way: is this critical more important than that critical? Answering this question requires additional context, of which is often manually obtained by appsec teams. And how do you then disseminate that siloed vulnerability and track its remediation workflow to resolution? And can you replicate that for the other 199,999 critical vulnerabilities? This is what I mean when I say appsec teams have a massive data problem. Accelerating remediation, reducing risk, and demonstrating ROI requires us to be able to act on the data we collect at scale.

Introducing Application Security Posture Management

Overcoming Application Security’s massive data problem requires a completely new approach to how we operationalize vulnerability remediation, and this is exactly what Application Security Posture Management (ASPM) is designed to solve. In a recent Innovation Insight, Gartner defined ASPM as follows:

“Application security posture management analyzes security signals across software development, deployment and operation to improve visibility, better manage vulnerabilities and enforce controls. Security leaders can use ASPM to improve application security efficacy and better manage risk.” - Gartner

Obtaining and analyzing “security signals” requires integrations with various third party technologies as a means of deriving the context necessary to better understand the security implications of vulnerabilities within your enterprise and its environment. To see this in action, let’s revisit the question: “Is this critical more important than that critical?” A robust ASPM solution will provide you context beyond just the vulnerability severity as reported by the security tool. Is this vulnerability associated with an asset that is actually deployed to production? Is the vulnerability internet-facing or internal only? Does either of these vulnerable assets process sensitive data, such as personally identifiable information (PII) or credit card information? By integrating with third party services such as Source Code Management systems and Cloud runtime environments, for example, ASPM is able to enrich vulnerabilities so that appsec teams can make more informed decisions about risk. In fact, with this additional context, an ASPM helps Application Security teams identify those vulnerabilities representing the greatest risk to the organization.

Identifying the most significant vulnerabilities is only the first step, however. The second step is automating the remediation workflow for those vulnerabilities. ASPM enables the scalable dissemination of security vulnerabilities to their respective owners via integration with the ticketing and work management systems already in use by your developers today. Better yet, Application Security teams can monitor the remediation workflow of vulnerabilities to resolution all from within the ASPM. From a collaboration perspective, this is a massive win-win: development teams and appsec teams are able to collaborate on vulnerability remediation using their own respective technologies.

When you put all of this together, you’ll come to understand the greatest value-add provided by ASPM and realized by our customers at Tromzo:

ASPM solutions accelerate the triage and remediation of vulnerabilities representing the greatest risk to the organization at scale.

ASPM Core Capabilities

Effectively delivering on an integrated experience that accelerates the triage and remediation of vulnerabilities representing the greatest risk requires several core capabilities:

  1. The ability to aggregate security vulnerabilities across all scanning tools without impeding your ability to use the best-in-class security testing solutions.
  2. The ability to integrate with and build context from development tools across the CI/CD pipeline.
  3. The ability to derive relationships between the various software assets and security findings from code to cloud.
  4. The ability to express and overlay organizational- as well as team-specific security policies on top of security vulnerabilities.
  5. The ability to derive actions and insights from this metadata that help prioritize and drive to remediation the most significant vulnerabilities.

Doing this effectively requires a tremendous amount of data, connectivity, analysis, and insight. With integrations across 70+ tools, Tromzo is delivering a best-in-class remediation ASPM solution.

How Rapid7 Customers Benefit from an ASPM Solution

By its very nature, ASPM fulfills the need for automation and efficiency of vulnerability remediation via integration across various security testing solutions and development technologies. With efficiency comes real cost savings. Let’s take a look at how Rapid7 customers can realize operational efficiencies using Tromzo.

Breaking Down Security Solution Silos

Rapid7 customers are already amassing best-in-class security testing solutions, such as InsightAppSec and InsightCloudSec. ASPM enables the integration of not only Rapid7 products but all your other security testing products into a single holistic view, whether it be Software Composition Analysis (SCA), Static Application Security Testing (SAST), Secrets Scanning, etc. This effectively breaks down the silos and operational overhead with individually managing these stand-alone tools. You’re freeing yourself from the need to analyze, triage, and prioritize data from dozens of different security products with different severity taxonomies and different vulnerability models. Instead, it’s: one location, one severity taxonomy, and one data model. This is a clear win for operational efficiency.

Accelerating Vulnerability Remediation Through Deep Environmental and Organizational Context

Typical security teams are dealing with hundreds of thousands of security findings and this takes us back to our question of “Is this critical more important than that critical?”. Rapid7 customers can leverage Application Security Posture Management solutions to derive additional context in a way that allows them to more efficiently triage and remediate vulnerabilities produced by best-of-breed technologies such as InsightAppSec and InsightCloudSec. By way of example, let’s explore how ASPM can be used to answer some common questions raised by appsec teams:

1. Who is the “owner” of this vulnerability?

Security teams spend countless hours trying to identify who introduced a vulnerability so they can identify who needs to fix it. ASPM solutions are able to help identify vulnerability owners via the integration with third party systems such as Source Code Management repositories. This automated attribution serves as a foundation to drive remediation by teams and individuals that own the risk.

No more wasted hours!

2. Which vulnerabilities are actually deployed to our production environment?

One of the most common questions that arises when triaging a vulnerability is whether it is deployed to production. This often leads to additional questions such as whether it is internet-facing, how frequently the asset is being consumed, whether the vulnerability has a known exploit, etc. Obtaining answers to these questions is tedious to say the least.

The “code to cloud” visibility offered by ASPM solutions allows appsecteams to quickly answer these questions. By way of example, consider a CVE vulnerability found within a container hosted in a private registry. The code-to-cloud story would look something like this:

  • A developer wrote a “Dockerfile” or “Containerfile” and stored it in GitHub
  • GitHub Actions built a Container from this file and deployed it to AWS ECR
  • AWS ECS pulled this Container from ECR and deployed it to Production

With an integration into GitHub, AWS ECR, and AWS ECS, we can confidently conclude whether or not the Container hosted in AWS ECR is actually deployed to production via AWS ECS. We can even take this further: By integrating within GitHub, we can even map the container back to the corresponding Dockerfile/Containerfile and the team of developers that maintain it.

No more laborious meetings!

3. Does this application process PII or credit card numbers?

Appsecteams have the responsibility of helping their organization achieve compliance with various regulations and industry standards, including GDPR, CCPA, HIPAA, and PCI DSS. These standards place emphasis on the types of data being processed by applications, and hence appsec teams can understand what applications process what types of sensitive data. Unfortunately, obtaining this visibility requires security teams to create, distribute, collect, and maintain questionnaires that recipients often fail to complete.

ASPM solutions have the ability to derive context around the consumption of sensitive data and use this information to enrich applicable security vulnerabilities. A vulnerability deployed to production that stands to disclose credit card numbers, for example, will likely be treated with the highest of priority as a means of avoiding possible fines and other consequences associated with PCI DSS.

No more tedious questionnaires!

4. How do I automate ticket creation for vulnerabilities?

Once you know what needs to be fixed and who needs to fix it, the task of remediating the issue needs to be handed off to the individual or team that can implement a fix. This could involve taking hundreds or thousands of vulnerabilities, de-duplicating them, and grouping them into actionable tasks while automating creation of tickets in a format that is consumable by the receiving team. This is a complex workflow that not only involves automating correctly formatted tickets with the right level of remediation information, but also tracking the entire lifecycle of that ticket until remediation, followed by reporting of KPIs. ASPM solutions like Tromzo are perfectly suited to automate these ticketing and governance workflows, since ASPMs already centralize all vulnerabilities and have the appropriate contextual and ownership metadata.

Leverage ASPM to Accelerate Vulnerability Remediation

ASPM solutions enable Rapid7 customers to accelerate the remediation of vulnerabilities found by their preferred security testing technologies. With today’s complex hybrid work environments, the increased innovation and sophistication of attackers, and the underlying volatile market, automated code to cloud visibility and governance is an absolute must for maximizing operational efficiency and Tromzo is here to help. Check out www.tromzo.com for more information.