In an ongoing effort to help security organizations gain greater visibility into threat exposure risk, we have determined four key questions every CISO should be considering based on our understanding of the recommendations of a new report from Gartner®. The report, 2024 Strategic Roadmap for Managing Threat Exposure, can help CISOs and other top executives steer away from risk by analyzing their attack surfaces for gaps.
Question #1: What Do You Already Know?
What are the business-driven events that have already been or are currently being scoped and planned for? In analyzing threat exposure for specific events along the course of the year, a security organization will have the power to better tailor their risk mitigation approaches.
“It’s crucial to scope risk in relation to threat exposure, as this is one of the key outputs that will benefit the wider business. To do so, senior leaders must understand the exposure facing the organization, in direct relation to the impact that an exploitation of said exposure would have. Together, with this information, executives can make informed decisions to either remediate, mitigate or accept the perceived risks. Without impact context, the exposures may be addressed in isolation, leading to uncoordinated fixes relegated to individual departments exacerbating the current problems associated with most vulnerability management programs.” says the Gartner report.
Post-risk scoping, it’s a good idea to then consider if there are any measures that can be taken to better protect certain business-driven events if they have been found to have a greater chance of threat-actor exploitability.
Question #2: How Visible Are Your Critical Systems?
It is also incredibly valuable to take inventory of the most critical and exposed systems in the network, along with each system’s level of visibility and its location. Having a thorough catalog of the points that are or could be the most vulnerable is a must. Just because an exploitable asset might not be considered a remediation priority, there is always the possibility it could be exploited down the line.
Within the context of the report, Gartner details a visibility framework that can aid with vulnerability prioritization:
“Coupled with accessibility is the visibility of the exploitable service, port, or asset. These technologies implement configuration to ensure that details of exploitable elements are not revealed to potential attackers, but not directly removing the possibility of their exploitation.”
Therefore, it becomes necessary to leverage technologies that can provide insights into the visibility of an asset so that – if there is currently a low likelihood of exploitability – remediation efforts can be focused elsewhere and efficiences can be gained within the security organization.
Question #3: Who “Owns” IT Systems?
Identifying who is responsible for the deployment and management of critical IT systems is key if the security organization is to get interdepartmental buy-in for an effective plan to manage threat exposure. Sometimes there isn’t just one person responsible for a certain aspect of network management, which is important to keep in mind as efforts to mitigate threat exposure are built out.
Security personnel, as with so many business operations in which they take part, also must keep in mind that there could be pushback or slow buy-in to a plan that is perceived to lack context. To this point, the research states:
“Without impact context, the exposures may be addressed in isolation, leading to uncoordinated fixes relegated to individual departments exacerbating the current problems associated with most vulnerability management programs.”
Question #4: Who is Responsible for Risk?
Potential friction could also lie in the effort to convince a system owner that there is real action required – and that it could upend that team’s workflow. Effective communication will be imperative here, as will the ability to provide the visibility needed to quickly convince stakeholders that action is, indeed, needed and worth the potential interruption. The report drives home the need for allying with those responsible for risk decisions:
“From the perspective of the organization’s business risk owner, it’s important to recognize that the security team’s role is to support risk management in such a way that the owner can make informed data-driven decisions.”
The CISO Says It All
It will ultimately be up to the CISO to manage and connect separate plans to both limit and eliminate threat exposure along attack surfaces. Through this effort, the CISO can demonstrate the benefits of implementing platforms to manage the growing risk of threat exposure. They’ll also be able to prove the worth of the security operations center (SOC) as both key partners in the effort to keep business secure.
We’re pleased to continually offer leading research to help you gain clarity into managing the risk of threat exposure. Read the Gartner report to better understand how a broad set of exposures can impact the workloads of a security organization – and how important it becomes to prioritize properly and communicate effectively.
Gartner, 2024 Strategic Roadmap for Managing Threat Exposure, Pete Shoard, 8 November 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Rapid7 has expanded significantly in Belfast since establishing a presence back in 2014, resulting in the company's largest R&D hub outside the US with over 350 people spread across eight floors in our Chichester Street office. There is a wide range of product development and engineering across the entire Rapid7 platform that happens here, but nearest and dearest to our hearts is that Belfast has really become the epicentre for our more than two decades of investment in data. It has formed the bedrock for our AI, machine learning and data science efforts.
Read on to find out more about the importance of data and AI at Rapid7!
A Forward-thinking Data Attitude
First up let’s talk data. We’ve had a specialist data presence in Belfast for a number of years, initially focused on the consumption, distribution, and analytics for quality product usage data, via interfaces such as Amazon SNS/SQS, piping data into time-series data stores like TimescaleDB and InfluxDB. Product usage data is unique due to its high volume and cardinality, which these data stores are optimized for. The evolution of data at Rapid7 required more scale, so we’ve been introducing more scalable technologies such as Apache Kafka, Spark, and Iceberg. This stack will enable multiple entry points for access to our data.
Apache Kafka, the heart of our data infrastructure, is a distributed streaming platform allowing us to handle real-time data streams with ease. Kafka acts as a reliable and scalable pipeline, ingesting massive amounts of data from various sources in real-time. Its pub-sub architecture ensures data is efficiently distributed across the system, with multiple types of consumers per topic enabling teams to process and analyze information as it flows.
Transforms run via Apache Spark, serving as the processing engine taking our data to the next level, opening us up to either batch processing or streaming directly from Kafka where we ultimately land the data into an object store with the Iceberg layer on top.
Apache Iceberg is an open table format for large-scale datasets, providing ACID transactions, schema evolution, and time travel capabilities. These features are instrumental in maintaining consistency and reliability of our data, which is crucial for AI and analytics at Rapid7. Additionally, the ability to perform time travel queries with Iceberg allows us to analyze and curate historical data, an essential component in building predictive AI models.
Our Engineers are constantly developing applications on this stack to facilitate ETL pipelines in languages such as Python, Java and Scala, running within K8s clusters. In keeping with our forward-thinking attitude to data, we continue to adopt new tooling and governance to facilitate growth, such as the introduction of a Data Catalog to visualize lineage with a searchable interface for metadata. In this way, users self-discover data but also learn how specific datasets are related, giving a clearer understanding of usage. All this empowers data and AI Engineers to discover and ingest the vast pools of data available at Rapid7.
Our Data-Centric Approach to AI
At the core of our AI engineering is a data-centric approach, in line with the recent gradual trend away from model-centric approaches. We find model design isn’t always the differentiator: more often it’s all about the data. In our experience when comparing different models for a classification task, say for example a set of neural networks plus some conventional classifiers, they may all perform fairly similarly with high-quality data. With data front and centre at Rapid7 as a key part of our overall strategy, major opportunities exist for us to leverage high-quality, high-volume datasets in our AI solutions, leading to better results.
Of course, there are always cases where model design is more influential. However marginal performance gains, often seen in novelty-focused academia, may not be worth the extra implementation effort or compute expense in practice. Not to say we aren’t across new models and architectures - we review them every week - though the classic saying “avoid unnecessary complexity” also applies to AI.
The Growing Importance of Data in GenAI
Let’s take genAI LLMs as an example. Anyone following developments may have noticed training data is getting more of the spotlight, again indicative of the data-centric approach. LLMs, based on transformer architectures, have been getting bigger, and vendors are PRing the latest models hard. Look closely though and they tend to be trained with different datasets, often in combination with public benchmark data too. However, if two or three LLMs from different vendors were trained with exactly the same data for long enough we’re willing to bet the performance differences between them might be minimal. Further, we’re seeing researchers push in the other direction, trying to create smaller, less complex open-source LLMs that compare favourably to their much larger commercial counterparts.
Considering this data-centric shift, more complex models in general may not drive performance as much as you think. The same principles apply to more conventional analytics, machine learning and data science. Some models we’ve trained also have very small datasets, maybe only 100-200 examples, yet generalise well due to accurately labelled data that is representative of the wild. Huge datasets are at risk of duplicates or mislabelled examples, essentially significant noise, so it’s about data quality and quantity. Thankfully we have both in abundance, and our data is of a scale you’re unlikely to find elsewhere.
Expanding our AI Centre of Excellence in Belfast
Rapid7 is further investing in Belfast as part of our new AI Centre of Excellence, encompassing the full range of AI, ML and data science. We’re on a mission to use data and AI to accelerate threat investigation, detection and response (D&R) capabilities of our Security Operations Centre (SOC). The AI CoE partners with our data and D&R teams in enabling customers to assess risk, detect threats and automate their security programs. It ensures AI, ML and data science are applied meaningfully to add customer value, best achieve business objectives and deliver ROI. Unnecessary complexity is avoided, with a creative, fast-fail, highly iterative approach to accelerate ideas from proof-of-concept to go or no-go.
The group's make-up is such that our technical skills complement one another; we share our AI, ML and data science knowledge while also contributing on occasion to new external AI policy initiatives with recognised bodies like NIST. We use, for example, a mix of LLMs, sklearn, PyTorch and more, whilst the team has a track record of publishing award-winning research at the likes of AISec at ACM CCS and with IEEE. All of this is powered by data, and the AI CoE’s goals are ambitious.
Interested in joining us?
We are always interested in hearing from people with a desire to be part of something big. If you want a career move where you can grow and make an impact with data and AI, this is it. We’re currently recruiting for multiple brand-new data and AI roles in Belfast across various levels of seniority as we expand both teams - and we’d love to hear from you! Please check out the roles over here!
On December 13th, Newsweek Magazine published their list of ‘America’s Greatest Workplaces for Diversity for 2024’. Like many companies today, Rapid7 recognizes the positive impact diversity plays in driving organizational success, attracting and retaining exceptional talent, and creating positive career experiences for all people.
Sophia Dozier, Director of Diversity, Equity and Inclusion at Rapid7 shares “We are proud to be on a list showcasing companies committed to Equity, Inclusion and Diversity. Diversity of lived experience and thought create a more impactful depth and breadth of knowledge. This knowledge is what enables us to push boundaries and deliver extraordinary results and experiences for our partners, our customers, and our employees."
The process for selection includes extensive research on publicly available information, along with an anonymous online survey capturing feedback from more than 220,000 employees at companies in the United States. Research captures information on company leadership, employee resource groups and internal communities, dedicated diversity program leaders, and social good reporting and initiatives. In the surveys, participants answer questions pertaining to work-life-balance, working environments, and workforce management. Companies then undergo an evaluation that includes media monitoring and validation of findings.
The findings from this year’s awards program reflect Rapid7’s intentional efforts to ensure diversity is a key part of their business strategy. As stated by Chief People Officer, Christina Luconi, “Rapid7 is committed to building an organization that thrives with the spirit of diversity and inclusion. We don’t think of DE&I as a project or a checklist item; it’s a core part of our culture and values set. As a cybersecurity company, our mission is bold and challenging. Ensuring we attract unique perspectives and backgrounds, and empowering them to come together in a way that is truly inclusive, is one way we feel like we are set up to achieve our audacious goals.”
In addition to being recognized by Newsweek as a great workplace for Diversity, Rapid7 has also been recognized and included in a variety of other diversity focused lists and indexes. In 2023, the company was listed on the Bloomberg Equity Index for the 5th consecutive year. The firm also participated in the Human Rights Campaign’s Corporate Equality Index, receiving an impressive score of 90% as a first time participant.
When it comes to the year ahead, Dozier is looking forward to continuing to evolve the company’s diversity programs by leveraging support from business leaders, strategic partnerships, and employees. “In 2024 we will continue to build programs focused on enhancing the skills needed to compete at a global level and navigate complex challenges. We’re proud to have long standing partnerships with organizations who are committed to providing historically underrepresented and underserved communities with pathways into cybersecurity and technology careers. Internally, we will continue to collaborate with our employees to be a better version of ourselves, staying true to one of our core values #neverdone.”
To learn more about how Rapid7 approaches diversity, equity and inclusion click here. To explore career opportunities and learn more about Rapid7’s values and Rapid Impact Groups, visit their careers page.
Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform.
In this post, Rapid7 Digital Paleontologist, Dr. Mike Cohen discusses some of the exciting new features.
GUI improvements
The GUI was updated in this release to improve user workflow and accessibility.
Notebook improvements
Velociraptor uses notebooks extensively to facilitate collaboration, and post processing. There are currently three types of notebooks:
Global Notebooks - these are available from the GUI sidebar and can be shared with other users for a collaborative workflow.
Collection notebooks - these are attached to specific collections and allow post processing the collection results.
Hunt notebooks - are attached to a hunt and allow post processing of the collection data from a hunt.
This release further develops the Global notebooks workflow as a central place for collecting and sharing analysis results.
Templated notebooks
Many users use notebooks heavily to organize their investigation and guide users on what to collect. While Collection notebooks and Hunt notebooks can already include templates there was no way to customize the default Global notebook.
In this release, we define a new type of Artifact of type NOTEBOOK which allows a user to define a template for global notebooks.
In this example I will create such a template to help users gather server information about clients. I click on the artifact editor in the sidebar, then select Notebook Templates from the search screen. I then edit the built in Notebooks. Default artifact.
Adding a new notebook template
I can define multiple cells in the notebook. Cells can be of type vql, markdown or vql_suggestion. I usually use the markdown cells to write instructions for users of how to use my notebook, while vql cells can run queries like schedule collections or preset hunts.
Next I select the Global notebooks in the sidebar and click the New Notebook button. This brings up a wizard that allows me to create a new global notebook. After filling in the name of the notebook and electing which user to share it with, I can choose the template for this notebook.
Adding a new notebook template
I can see my newly added notebook template and select it.
Viewing the notebook from template
Copying notebook cells
In this release, Velociraptor allows copying of a cell from any notebook to the Global notebooks. This facilitates a workflow where users may filter, post-process and identify interesting artifacts in various hunt notebooks or specific collection notebooks, but then copy the post processed cell into a central Global notebook for collaboration.
For the next example, I collect the server artifact Server.Information.Clients and post process the results in the notebook to count the different clients by OS.
Post processing the results of a collection
Now that I am happy with this query, I want to copy the cell to my Admin Notebook which I created earlier.
Copying a cell to a global notebook
I can then select which Global notebook to copy the cell into.
The copied cell still refers to the old collection
Velociraptor will copy the cell to the target notebook and add VQL statements to still refer to the original collection. This allows users of the global notebook to further refine the query if needed.
This workflow allows better collaboration between users.
VFS Downloads
Velociraptor’s VFS view is an interactive view of the endpoint’s filesystem. Users can navigate the remote filesystem using a familiar tree based navigation and interactively fetch various files from the endpoint.
Before the 0.7.1 release, the user was able to download and preview individual files in the GUI but it was difficult to retrieve multiple files downloaded into the VFS.
In the 0.7.1 release, there is a new GUI button to initiate a collection from the VFS itself. This allows the user to download all or only some of the files they had previously interactively downloaded into the VFS.
For example consider the following screenshot that shows a few files downloaded into the VFS.
Viewing the VFS
I can initiate a collection from the VFS. This is a server artifact (similar to the usual File Finder artifacts) that simply traverses the VFS with a glob uploading all files into a single collection.
Initiating a VFS collection
Using the glob I can choose to retrieve files with a particular filename pattern (e.g. only executables) or all files.
Inspecting the VFS collection
Finally the GUI shows a link to the collected flow where I can inspect the files or prepare a download zip just like any other collection.
New VQL plugins and capabilities
This release introduces an exciting new capability: Built-in Sigma Support.
Built-in Sigma Support
Sigma is fast emerging as a popular standard for writing and distributing detections. Sigma was originally designed as a portable notation for multiple backend SIEM products: Detections expressed in Sigma rules can be converted (compiled) into a target SIEM query language (for example into Elastic queries) to run on the target SIEM.
Velociraptor is not really a SIEM in the sense that we do not usually forward all events to a central storage location where large queries can run on it. Instead, Velociraptor’s philosophy is to bring the query to the endpoint itself.
In Velociraptor, Sigma rules can directly be used on the endpoint, without the need to forward all the events off the system first! This makes Sigma a powerful tool for initial triage:
Apply a large number of Sigma rules on the local event log files.
Those rules that trigger immediately surface potentially malicious activity for further scrutiny.
This can be done quickly and at scale to narrow down on potentially interesting hosts during an IR. A great demonstration of this approach can be seen in the Video Live Incident Response with Velociraptor where Eric Capuano uses the Hayabusa tool deployed via Velociraptor to quickly identify the attack techniques evident on the endpoint.
Previously we could only apply Sigma rules in Velociraptor by bundling the Hayabusa tool, which presents a curated set of Sigma rules but runs locally. In this release Sigma matching is done natively in Velociraptor and therefore the Velociraptor Sigma project simply curates the same rules that Hayabusa curates but does not require the Hayabusa binary itself.
You can read the full Sigma In Velociraptor blog post that describes this feature in great detail, but here I will quickly show how it can be used to great effect.
First I will import the set of curated Sigma rules from the Velociraptor Sigma project by collecting the Server.Import.CuratedSigma server artifact.
Getting the Curated Sigma rules
This will import a new artifact to my system with up to date Sigma rules, divided into different Status, Rule Level etc. For this example I will select the Stable rules at a Critical Level.
Collecting sigma rules from the endpoint
After launching the collection, the artifact will return all the matching rules and their relevant events. This is a quick artifact taking less than a minute on my test system. I immediately see interesting hits.
Detecting critical level rules
Using Sigma rules for live monitoring
Sigma rules can be used on more than just log files. The Velociraptor Sigma project also provides monitoring rules that can be used on live systems for real time monitoring.
The Velociraptor Hayabusa Live Detection option in the Curated import artifact will import an event monitoring version of the same curated Sigma rules. After adding the rule to the client’s monitoring rules with the GUI, I can receive interesting events for matching rules:
Live detection of Sigma rules
Other Improvements
SSH/SCP accessor
Velociraptor normally runs on the endpoint and can directly collect evidence from the endpoint. However, many devices on the network can not install an endpoint agent - either because the operating system is not supported (for example embedded versions of Linux) or due to policy.
When we need to investigate such systems we often can only access them by Secure Shell (SSH). In the 0.7.1 release, Velociraptor has an ssh accessor which allows all plugins that normally use the filesystem to transparently use SSH instead.
For example, consider the glob() plugin which searches for files.
Globing for files over SSH
We can specify that the glob() use the ssh accessor to access the remote system. By setting the SSH_CONFIG VQL variable, the accessor is able to use the locally stored private key to be able to authenticate with the remote system to access remote files.
We can combine this new accessor with the remapping feature to reconfigure the VQL engine to substitute the auto accessor with the ssh accessor when any plugin attempts to access files. This allows us to transparently use the same artifacts that would access files locally, but this time transparently will access these files over SSH:
Remapping the auto accessor with ssh
This example shows how to use the SSH accessor to investigate a debian system and collect the Linux.Debian.Packages artifact from it over SSH.
Distributed notebook processing
While Velociraptor is very efficient and fast, and can support a large number of endpoints connected to the server, many users told us that on busy servers, running notebook queries can affect server performance. This is because a notebook query can be quite intense (e.g. Sorting or Grouping a large data set) and in the default configuration the same server is collecting data from clients, performing hunts, and also running the notebook queries.
This release allows notebook processors to be run in another process. In Multi-Frontend configurations (also called Master/Minion configuration), the Minion nodes will now offer to perform notebook queries away from the master node. This allows this sudden workload to be distributed to other nodes in the cluster and improve server and GUI performance.
ETW Multiplexing
Previous support for Event Tracing For Windows (ETW) was rudimentary. Each query that called the watch_etw() plugin to receive the event stream from a particular provider created a new ETW session. Since the total number of ETW sessions on the system is limited to 64, this used precious resources.
In 0.7.1 the ETW subsystem was overhauled with the ability to multiplex many ETW watchers on top of the same session. The ETW sessions are created and destroyed on demand. This allows us to more efficiently track many more ETW providers with minimal impact on the system.
Additionally the etw_sessions() plugin can show statistics for all sessions currently running including the number of dropped events.
Artifacts can be hidden in the GUI
Velociraptor comes with a large number of built in artifacts. This can be confusing for new users and admins may want to hide artifacts in the GUI.
You can now hide an artifact from the GUI using the artifact_set_metadata() VQL function. For example the following query will hide all artifacts which do not have Linux in their name.
Only Linux related artifacts will now be visible in the GUI.
Hiding artifacts from the GUI
Local encrypted storage for clients
It is sometimes useful to write data locally on endpoints instead of transferring the data to the server. For example, if the client is not connected to the internet for long periods it is useful to write data locally. Also useful is to write data in case we want to recover it later during an investigation.
The downside of writing data locally on the endpoints is that this data may be accessed if the endpoint is later compromised. If the data contains sensitive information this can be used by an attacker. This is also primarily the reason that Velociraptor does not write a log file on the endpoint. Unfortunately this makes it difficult to debug issues.
The 0.7.1 release introduces a secure local log file format. This allows the Velociraptor client to write to the local disk in a secure way. Once written the data can only be decrypted by the server.
While any data can be written to the encrypted local file, the Generic.Client.LocalLogs artifact allows Velociraptor client logs to be written at runtime.
Writing local logs
To read these locally stored logs I can fetch them using the Generic.Client.LocalLogsRetrieve artifact to retrieve the encrypted local file. The file is encrypted using the server’s public key and can only be decrypted on the server.
Inspecting the uploaded encrypted local file
Once on the server, I can decrypt the file using the collection’s notebook which automatically decrypts the uploaded file.
Decrypting encrypted local file
Conclusions
There are many more new features and bug fixes in the 0.7.1 release. If you’re interested in any of these new features, we welcome you to take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open-source license.
As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing velociraptor-discuss@googlegroups.com. You can also chat with us directly on our Discord server.
Learn more about Velociraptor by visiting any of our web and social media channels below:
In today's digital era, where industries are increasingly reliant on advanced technologies, safeguarding critical infrastructure against cyber threats has become paramount. The convergence of operational technology (OT) and information technology (IT) has ushered in new efficiencies but has also exposed vulnerabilities. This article explores the pivotal role of Vulnerability Management and Detection and Response (VM/DR) in the realm of Industrial Cybersecurity.
Introduction to Industrial Cybersecurity
In an interconnected world, the importance of cybersecurity cannot be overstated. In industrial settings, where the consequences of cyberattacks can extend beyond data breaches to impact physical safety and operational continuity, cybersecurity is a top priority. This article delves into the significance of VM/DR in fortifying industrial cybersecurity defenses.
Vulnerability Management and Detection and Response (VM/DR) in Industrial Context
VM/DR are not mere buzzwords, but a proactive strategy to combat the ever-evolving cyber threats facing industrial organizations and the small talent pool from which they hire. It entails continuous monitoring, rapid threat detection, and efficient incident response while understanding the industrial processes these technologies control. In the context of industrial operations, VM/DR takes on added significance as it safeguards critical processes from disruption.
The Core Components of Industrial VM/DR
A successful VM/DR program in an industrial setting comprises several key components:
Real-time threat monitoring: This involves continuous surveillance of network traffic and system activities to detect anomalies and potential threats.
Incident detection and analysis: Rapid identification and thorough analysis of security incidents are crucial for timely response and mitigation.
Incident response and remediation: An effective response strategy is vital to minimize the impact of cyber incidents and promptly restore normal operations.
These components work in tandem to provide a comprehensive security shield against industrial cyber threats.
Utilizing SCADAfence’s real-time passive threat monitoring alongside Rapid7’s InsightVM and InsightIDR products allows for industrial–focused threats to be detected, analyzed, responded to, and remediated in a timely manner.
Industrial-Specific Threats and Vulnerabilities
In the industrial landscape, cyber threats go beyond traditional IT concerns. Attack vectors extend to Industrial Control Systems (ICS), which govern critical processes. Vulnerabilities unique to OT systems, such as legacy equipment and proprietary protocols, pose additional challenges. Understanding these threats is essential for effective protection.
The Landscape of Industrial Threats and Vulnerabilities
Industrial systems are the backbone of modern society, controlling everything from power grids to manufacturing processes. With connectivity becoming ubiquitous, these systems have become prime targets for malicious actors.
Reference:According to a report by IBM X-Force, attacks on industrial systems increased by over 2000% in 2020, highlighting the growing threat landscape in the industrial sector.
Legacy Systems and Proprietary Protocols
Many industrial environments still rely on legacy systems that were not designed with modern cybersecurity in mind. These aging systems often run on proprietary protocols, making them vulnerable to exploitation.
Reference: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has noted an increase in vulnerabilities related to legacy systems and proprietary protocols in their annual reports.
Human Error and Insider Threats
Human error remains a significant factor in industrial incidents. Insider threats, whether intentional or unintentional, can have catastrophic consequences in industrial settings.
Reference:A study by Ponemon Institute found that 57% of industrial organizations surveyed had experienced at least one insider threat incident in the past year.
Supply Chain Vulnerabilities
Industrial systems rely on a complex network of suppliers and vendors. Weak links in the supply chain can introduce vulnerabilities that adversaries could exploit.
Reference: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts about supply chain vulnerabilities in industrial control systems.
IoT and Edge Devices
The proliferation of Internet of Things (IoT) devices and edge computing has expanded the attack surface in industrial environments. These devices are often inadequately secured.
Reference:A report from Kaspersky highlights a 46% increase in attacks on IoT devices in the first half of 2020, with many incidents affecting industrial sectors.
Ransomware Targeting Critical Infrastructure
Ransomware attacks have evolved to target critical infrastructure, disrupting essential services and demanding hefty ransoms.
Reference:The Colonial Pipeline ransomware attack in May 2021 brought widespread attention to the threat of ransomware against critical infrastructure.
Integration with Existing Workflows/Playbooks
VM/DR is not a standalone solution but a complement to existing industrial workflows and/or playbooks. It bridges the gap between IT and OT, breaking down silos that often hinder effective cybersecurity. By integrating VM/DR seamlessly into existing processes, organizations can enhance their ability to promptly respond to threats. Having detailed playbooks with key operational Points of Contact (POC) helps to reduce dead time when dealing with a business and process interruption inside of an industrial process.
Implementing response and action plans within the current organization’s workflows helps analysts better communicate in the operational verbiage and expedites remediations directly in the field. This alleviates IT's need for Confidentiality, Integrity, and Availability (CIA) and supports OT's requirements for Availability, Integrity, Confidentiality (AIC).
Measuring Success with Key Performance Indicators (KPIs)
Success in industrial VM/DR can be quantified through various KPIs:
Time to detect (TTD): The speed at which threats are identified
Time to Respond (TTR): The efficiency of incident response
Incident Resolution Rate: The effectiveness of mitigation efforts
These KPIs provide a tangible measure of an organization's cybersecurity resilience.
Collaboration between IT and OT
The collaboration between IT and OT teams is pivotal in industrial cybersecurity. VM/DR serves as a unifying force, facilitating communication and coordination between these traditionally separate domains. This collaboration is vital for the timely identification and mitigation of threats.
Compliance and Regulatory Considerations
Industrial organizations are subject to various cybersecurity regulations and standards such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP). NERC CIP regulatory compliance is a set of mandatory cybersecurity standards and requirements designed to safeguard the North American power grid's critical infrastructure.
These regulations are a response to the increasing cybersecurity threats faced by the energy sector. NERC CIP compliance mandates that electric utilities and power generation companies establish and maintain robust cybersecurity programs, including measures such as access controls, incident response planning, and regular security assessments. The primary goal of NERC CIP is to ensure the reliable operation of the electric grid while minimizing vulnerabilities to cyberattacks, thus safeguarding the continuous supply of electricity to homes, businesses, and critical infrastructure across North America. Compliance with NERC CIP is essential to maintain the security and resilience of the energy sector in the face of evolving cybersecurity threats.
Implementing a compliance governance portal is a strategic move for organizations seeking to streamline and centralize their compliance management efforts. Such a portal serves as a centralized platform where compliance policies, procedures, and documentation can be efficiently stored, accessed, and monitored. It facilitates real-time tracking of compliance activities, automates workflow processes, and provides a comprehensive view of the organization's adherence to regulatory requirements.
This not only enhances transparency and accountability but also simplifies reporting and auditing. The implementation of a compliance governance portal empowers organizations to proactively manage risk, ensure regulatory adherence, and respond swiftly to compliance-related challenges, ultimately fostering a culture of compliance throughout the organization. VM/DR plays a crucial role in helping organizations meet compliance requirements, providing assurance to regulators and stakeholders.
Securing the Future
In the face of relentless cyber threats, mastering industrial cybersecurity is not a luxury – it's a necessity. VM/DR is the linchpin that empowers organizations to fortify their defenses, protect critical infrastructure, and ensure operational continuity in an increasingly digital world.
As digital transformation continues, industrial VM/DR represents a proactive, adaptive, and collaborative approach to safeguarding the backbone of our society. It's time for industrial organizations to embrace VM/DR and secure their future.
It’s the holiday season and since we’re in a giving mood we thought we’d surprise our loyal readers with a fun, hands-on hardware exercise to enjoy during some well-earned downtime.
But first, a little background. Every year Rapid7 has a pretty solid presence at DefCon in Las Vegas. This year was no exception. One of the cornerstones of our DefCon experience is participating in the IoT Village. Deral Heiland, our Principal Security Researcher for IoT, takes attendees through each of the steps of breaking into a particular piece of IoT hardware. And every year we release his talk (with a few additions) for those who couldn’t make it to Vegas for the conference.
What we have here is this year’s Hands-On IoT presentation for the hacking of an IP camera over Universal Asynchronous Receiver/Transmitter (UART). It’s Deral’s original presentation with some added details and context. In this paper, Deral takes you step by step through the process, offering insight into how UART and U-Boots operate, as well as some troubleshooting techniques should your attempts not work as seamlessly as Deral’s.
Typically, we would release Deral’s presentation in a series of blog posts over a few weeks. But this year we decided to spare y’all the suspense each week and release it as one comprehensive paper. We hope you enjoy reading it as much as we enjoyed making it and we wish you all the best this holiday season.
By Caitlin Condon, Senior Manager, Vulnerability Research at Rapid7, and Christiaan Beek, Senior Director, Threat Analytics at Rapid7
It’s that time of year again — time for the annual tradition of cybersecurity predictions. Here at Rapid7 we’ve seen a whole lot of threats and exploited vulnerabilities in 2023, many in the form of zero days. So it can be a little overwhelming to think about what could be in store for us in the year ahead.
We thought we’d start off by asking ChatGPT for its predictions.
Unsurprisingly, it gave the answer, “increased emphasis on AI and machine learning.” ChatGPT explained that AI-driven systems can better analyze and detect anomalies, and that we may see even more AI-powered tools for threat detection, response, and automation.
Well, there you have it folks, ChatGPT TO THE RESCUE!
This “prediction” is pretty obvious, and everyone in the cybersecurity industry knows it. But more importantly, it doesn’t solve the huge issue that exists in the cybersecurity industry: We’re all focusing on what could be without having the basic mechanisms in place to address what is.
So instead of making 2024 cybersecurity predictions, we suggest you make the following three resolutions and a promise to yourself that you will lay the groundwork to make them happen in 2024.
Resolution 1: Just implement MFA already
It seems like every CISO has spent 2023 getting up to speed on AI. Certainly AI will play an important role in 2024, both in the opportunities it presents to defenders as well as the security challenges it brings.
From a cybersecurity standpoint, however, it’s still important to keep your business focused on the basics such as correctly implemented multi-factor authentication (MFA). That’s because in 2024, a business is significantly more likely to be breached due to weak MFA than it is by an advanced-AI cyber attack.
Our 2023 Mid-Year Threat Report found that 40% of incidents in the first half of the year stemmed from non-existent or poorly enforced MFA. Our message is simple: implement MFA now, particularly for VPNs and virtual desktop infrastructure. It’s the best and most important accomplishment you can make if you haven’t yet done so.
Resolution 2: Learn from what file transfer vendors did right
Without a doubt, 2023 was the year of file transfer vulnerabilities, with MOVEit Transfer dominating headlines. However, we expect 2024 to be slightly different based on our experience with these vendors’ response processes.
The file transfer software providers Rapid7 researchers disclosed vulnerabilities to were extremely responsive, fixing vulnerabilities in half the time it usually takes and proactively looking at ways to mature their vulnerability disclosure programs.
In fact, some of these organizations now have more established patch cycles and vulnerability disclosure mechanisms in place (hooray!), as well as security programs implemented where products are reviewed more frequently. These proactive cycles should result in more mature, security-bolstering software development practices — at least for these solution providers and those who have learned from them — in 2024.
Resolution 3: Get a grip on your data
Lots of data does not equal effective security analysis. We all get fatigued and miss things when we feel overwhelmed and overstretched. And well, the same happens to security teams when they are just given enormous amounts of raw data. Context is everything! It’s the missing piece of the puzzle to improving security posture and the effectiveness of solutions.
Spending more money or gathering more data is not going to improve your cybersecurity posture, but understanding data and, more importantly, what kind of data is needed to make better decisions will. Less is more is our credo for 2024. For example, take time to understand what data you are already collecting from a log perspective. Understand what type of data is inside those logs and how that data might indicate a possible attack technique. If you have only partially the right information, what type of data would you need to enrich that for enough context to decide or prioritize events?
Bonus: Take some time to decompress
Trust us, we know that for defenders taking time to decompress is easier said than done, but it’s so important to look after ourselves and avoid burnout. Our advice to you is put your coverage plan in place, communicate it well, and most importantly, take the time you need. Even Gartner has predicted that 25% of cybersecurity leaders will change roles entirely by 2025 due to work-related stress. So, make sure you take the time to decompress, relax, and enjoy life.
For insights from the Rapid7 team on what 2024 could bring, watch the Top Cybersecurity Predictions webinar on-demand.
At Rapid7, our Customer Advisors play a pivotal role at ensuring our customers understand their threat landscape – and feel confident in their security programs. By collaborating across various internal teams, strengthening customer relationships, and proactively seeking solutions and advocating for customer needs, Customer Advisors have a direct impact on the fortunes of our business. To do this successfully requires a clear understanding of Rapid7’s core values and associated behaviors as well as an equal balance of strong technical knowledge and exceptional customer relationship skills.
Jonathan:“You need to create a strong relationship with customers to fully understand their needs and their business. You also have to be able to talk in detail about very technical scenarios. This requires having some experience or education in the cybersecurity field as well as the ability to relay information to our engineers and developers. Customers are extremely aware of the potential risks a security event may pose to their businesses, so it’s important their questions are answered in detail. This enables a clear understanding of what is happening in their environments.”
In addition to presenting and reviewing activity reports, Customer Advisors like Jonathan take a proactive approach to providing guidance and advice on all aspects of a customer’s security ecosystem.
Jonathan:“I may be asked to advise on reviewing the results of a recent Pen test, break down a bug or issue with a particular piece of code, or speak up if there is a storage container system they are using that I wouldn’t agree with or recommend”.
Jonathan also notes that the requirements for each customer can also vary depending on industry or field, based on specific security frameworks that may be in place that govern how they do business. Understanding these requirements helps provide additional guidance and shape recommendations for the unique needs of individual customers.
Jonathan:“HIPAA is a common example of a security framework. So if I have a customer who is in the medical field, I’m also thinking of the regulations in place for protecting patient health information and how to best advise them based on those specific requirements.”
While the role is dynamic and requires a wide range of skills to be successful, Jonathan says it’s the ability to see the impact of his work that he finds most rewarding.
Jonathan:“I’ve always had an aspiration to help people. In this role, I can feel the impact my work has on the customer as well as internally at Rapid7. When I have provided the right guidance and solutions and they are happy with our services, that leads to customer renewals and helps you feel like you're contributing directly to the success of the business.”
The responsibility for cultivating relationships isn’t limited to external customers. For Jonathan, building internal relationships helps him drive positive impact in his role and for his own development and growth.
Jonathan:“Collaboration is a huge part of Rapid7’s culture. You should never be afraid of reaching out to ask a question or to raise your hand if you need help. Any time I’ve reached out to someone with a question – whether it was big or small, in a team chat or a 1:1 conversation, everyone has always been willing to jump in and help.
“We talk a lot about our values as a company, and when it comes to those Rapid7 core values like Advocating for Customers, Challenging Convention, and Impacting Together, we all understand that having these conversations helps get us to the best possible outcome. Additionally, the events the company hosts to bring people from different teams together are helpful in understanding how different teams operate and how you might eventually partner together in the future.”
An emphasis on collaboration and a deep dive of Rapid7’s core values are key elements of a new hire’s global onboarding program. The current program combines a mix of company education (culture, values, benefits processes, etc.) with programs specific to each person's role or team.
Jonathan:“Once hired, I would recommend fully taking advantage of the first few weeks of onboarding. A lot of content is self paced, and it sets a good foundation of how to be successful at Rapid7 as well as imparts information about our products and services. I also recommend new Customer Advisors become certified for Insight IDR. As an employee, you can take the test for free, and it gives you a great foundation to build on. This is also a great time to shadow some calls to get familiar with some common topics and questions that might come up.”
Throughout onboarding and beyond, Jonathan also states the importance of being eager to learn (reflected in Rapid7’s “Never Done” core value).
Jonathan:“For new hires in this role, come in with an open mind and be ready to learn and ask questions. This is a very complex role, and it can be stressful at times due to the nature of our industry. The more you recognize and seek the experience and feedback of those around you, the more successful you will be. Take advantage of opportunities to learn and grow throughout your time here – not just as a new hire.”
Rapid7 is continuing to grow teams in locations around the world. Learn more about career opportunities or browse all open jobs.
When you’re a seller, it’s important to represent a reputable brand and products you can stand behind. For many companies, their partners act as an extension of the sales team to help identify and engage new customers. As a Senior Channel Account Manager, Joanne Guariglia shares what she loves most about her role, Rapid7, and why now is a great time to join the team.
What is it that initially attracted you to Rapid7?
In my previous role, I was with a company that had an integration with Rapid7 so I had been working in tandem with some of the leadership team. They were always down to earth, very genuine,open and honest about the great things happening, and what some of the challenges were. My partners also enjoyed working with the Rapid7 team and I could see they were making waves in the partner community.
Aside from that, Rapid7 is not just a single solution. Our products can meet customers where they are in their security journey, and grow and scale with them. So having that ability to grow alongside customers was something that I was really interested in.
Would you say a cybersecurity background is required for your role? What skills or knowledge is most important?
I wouldn’t necessarily say a cyber background is a must have before joining Rapid7. We have a comprehensive onboarding program that can help give you a strong foundation in cyber security knowledge as well as our products and services. What’s most important is your ability to grow relationships with our partners and to bring the best technology and solutions to the customer. This is a role where you have to be an effective communicator and a bridge between cross functional teams including Sales, Marketing, Customer Success, Sales Operations, Finance, and the Renewals team to make sure we are aligned on business decisions moving forward. Having that collaboration between teams and knowing we are all working towards the same goal has been really rewarding.
What does the cybersecurity landscape look like, and how does Rapid7 differentiate itself from competitors?
When it comes to the landscape, cyber criminals are always evolving their tactics and continue to increase efforts against businesses of all sizes. Security is not a ‘nice to have'; It's a priority for all businesses and industries, so it’s a field that’s very stable and always growing.
Cybersecurity can also be challenging because it is a crowded market but where Rapid7 has a competitive advantage is in consolidation. Our customers don’t have to work with multiple vendors to satisfy all aspects of their security needs, we can consolidate multiple products and offerings into one cost with one vendor. We’ve come a long way in growing our portfolio and responding to the customers needs, and we are well positioned to continue that growth into 2024 and beyond.
What do you find most rewarding about your role?
What I enjoy most is being able to build lasting relationships with our partners. Partners want to work with trusted brands that are leaders in the space and we have that here at Rapid7. Being that trusted voice and growing the relationship, while educating them about our offerings, enables me to have a positive impact.
Another thing I find rewarding is the ability to create change and outcomes that our partners find valuable. We are a large company, but we are still agile enough to pivot when needed and our culture is one that is supportive of asking questions and sharing new ideas that we can bring to fruition.
What are you most excited for in 2024?
2024 is exciting because our channel team is at the forefront of impacting growth across the organization. We are investing heavily in our partnerships and partner programs, and are making strides with the channel community more than ever. Our company strategy and goals are really clear, and we’re all excited to execute and drive positive impact for the business.
With incredible product offerings and an opportunity to foster and grow partner relationships, there is no better time to be a part of this journey. 2024 is going to be a huge year for us!
From developing driver-assistance software for a luxury car brand to jumping on board an NFT startup, Martin Votruba, Lead Software Engineer, is not one to shy away from a challenge. In September of 2023, joined Rapid7 as the first hire in its new Prague office. Martin is leveraging Rapid7’s excitement and energy of a startup while having the resources and support of an established organization to build a new team in Prague. He sat down to share his experience as one of the first employees in Prague, and discuss how Rapid7’s culture of collaboration and continuous learning helped him build a successful foundation on which to grow his team.
How have your past experiences contributed to how you approach your role today?
At Rapid7, my team’s job is to search for reported vulnerabilities and communicate those within our product (InsightVM) so that our customers can determine whether or not they are at risk. With different software vulnerabilities, each case is unique. This makes our job different from traditional engineering where you follow one recipe or code path and deploy it. I’m constantly drawing inspiration from past challenges and experiences to think about how to approach each new case here. I enjoy the opportunity to be creative in identifying solutions and helping our product deliver the best outcomes to our customers.
What was it that initially attracted you to Rapid7?
To be honest, I had never heard of the company before. It was exciting to see that it was starting a new office in Prague, while also having an established team globally to collaborate and partner with. I was looking for an opportunity to grow and learn from others and was interested in a global company. Being able to maintain the excitement and energy of a startup environment by being part of a new office is a unique opportunity. It also is a really fun environment building its own organic culture as new people are excited about working for Rapid7 and joining us every week.
What is something you didn’t realize or expect about Rapid7’s culture?
As far as culture, it was a nice surprise to see that even though Rapid7 is a global company and has larger structures in place, it isn’t so rigid that you are bogged down by processes or unable to feel you are making an impact. For example, right after I joined I had an opportunity to be a part of the interview team for some new roles. I was given that trust automatically to help shape what the office looks like and who we are bringing on board.
Another thing that may be surprising to a lot of people is that even though we are a cybersecurity company, you don’t have to be a cybersecurity expert to have a successful career here. I’m still a software engineer - not a cybersecurity expert (although I’ve learned a lot). What I’m responsible for is still core to my expertise as an engineer, I’m just working within a domain and product that happens to be cybersecurity.
How have you been able to build relationships as a new employee?
We have a really interesting program called “Insight Coffee” that encourages people from around the company to set up 1:1s and get to know one another. There's no agenda, and it’s truly just to learn about another person's background, experience, or role. The program opens the door for you to reach out and form relationships in a way that is really approachable and encouraged. If I know I’m going to be working closely with someone on a different team, I’ll set up a quick Insight Coffee to get to know them before diving into a project. That way, when we are working together, it helps open up that avenue of communication and understanding, making the entire process or project run more smoothly.
What was your interview experience like?
After talking with the recruiter about the opportunity, my interview consisted of a call with the Hiring Manager, an interview where we talked about the role and Rapid7’s culture, and a technical challenge. The technical challenge was interesting, and is designed to see how you approach solving a specific problem. Even though I was being assessed on my skills, I felt I was supported and encouraged to ask questions if I was stuck or unsure of something. Now that I am on the other side of this process and helping others with their technical challenge, I know it’s important to understand how someone thinks, what questions they ask, and how they approach the challenge. Of course, getting to the right answer or resolution is the goal, but how they get there and how they approach it is equally important when assessing if someone is the right person for the job. As a manager, I want to bring that same level of support to my team, so they know no matter what challenge they are up against, we are all here to work together and find the best solution as a team.
To learn more about Rapid7’s new office in Prague, click here. View and apply to Rapid7 jobs in Prague here.
