Rapid7: next generation security for the digital era
“March 2020 will be the point we look back and see a fundamental change in how the internet functions, as well as how people and enterprises interact with the internet,” says Rapid7’s Tod Beardsley, referring to the seismic shift in the digital and IT landscape that has occurred as a result of the global COVID-19 pandemic. For Beardsley, and indeed Rapid7, this change will be analysed and understood in the broader context of cybersecurity, threat and risk.
The business, based in the US, offers a host of solutions that simplify the complex and advance security for enterprise customers, with visibility, analytics and automation delivered through its Insight Cloud. Beardsley has been with Rapid7 for 10 years - a period that he concedes is “a lifetime in a tech job” - and today is responsible for software vulnerability research efforts, vulnerability disclosures, and contributing to the company’s data science-driven research projects.
Prior to this, as he explains, he was a technical engineering manager for the open source Metasploit project. “Kids these days have it so easy,” he jokes, dissecting his career path to the present day. “My route to Rapid7 came when the company acquired Metasploit, which is an open source project that’s pretty much seen as the de facto standard for penetration testers - so exploits, proof of concept codes, evasion techniques; it’s essentially everything a penetration tester would need, and I helped work on that.
“Rapid7, prior to the acquisition, used Metasploit routinely, and after that acquisition I’ve continued to work here - it’s super fun and always exciting,” he continues. “That background at Metasploit, though, as well as previous work that included bug hunting, patch management, auditing, and stints at companies such as Dell and Westinghouse, has really informed a kind of ‘security common sense’ that continues to drive my work today.”
Understanding the threat landscape
Most recently, that work is reflected in Rapid7’s 2020 Threat Report, the latest iteration of a quarterly report that leverages intelligence from the company’s extensive network. This includes Rapid7 Insight Cloud, Rapid7 Managed Services and Rapid7 Incident Response. The report gives insight into the rapidly evolving threat landscape for businesses, provides a clearer picture of the key threats facing industries and defines how those threats will evolve over the course of 2020.
As a snapshot, it’s invaluable to any business or leader embarking on, or entrenched in, a digital journey of any scale. For Beardsley and Rapid7, it is a moment in time in the continuing evolution of the threat landscape, which can be very different for organisations depending on the industry sector they work in. Indeed, during his time at the organisation, Beardsley has seen much change. “The most significant,” he says, “certainly over the last five or 10 years, is the moving of significant amounts of information into the cloud and having a really good infrastructure provided by Microsoft or Google, for example.
“For most, it’s just so much better than running your own racks of servers; everyone is awful at that and, if it’s not your business, you’re doubly bad,” he continues. “But at the same time, that change also alters the potential threats for your organisation, and has everyone now concerned about a host of technologies and risk factors that didn’t even exist 10 years ago.”
Aside from this key change, Beardsley relates that phishing is still the number one cyber risk for enterprises, explaining that “if you can solve phishing, you solve 90% of your problems - it’s that simple. Network segmentation is one way of combating it,” he continues, “and you do get some notion of that with the shift to the cloud because, on the most basic level, it’s not on your premises - it’s Google’s problem, unless they get lucky and hit one of your developers. The problem with the enterprise is that everything is a big flat network, and it’s still very hard to get people to change that. The concern is that with the sudden shift to remote working as a result of COVID-19, you’ve gone from a home workforce of 5-10% to 100% and a whole new bunch of VPN traffic that lets anyone have a straight shot to an internal network. It’s a recipe for security failure.”
2020 Threat Report
Rapid7’s latest Threat Report was published in February, before the major implications of the coronavirus pandemic had become well known - the business is set to publish a report on this topic later in the year. The Threat Report analysed the Rapid7 data with a view to answering three core questions: what does this mean for you, how can you use it, and how can it improve your security programme? These are answered across the four key areas of threat telemetry, detection telemetry, recommendations and security programmes.
On threat telemetry, it was revealed that organisations continue to host vulnerable, internet-exposed systems. Rapid7 also found that EternalBlue exploit attempts have levelled off in its Project Heisenberg honeynet, and revealed that the overall population of vulnerable services holds steady, therefore continuing to hold the attention of attackers. In detection telemetry - and as Beardsley has already mentioned - attackers continue to favour phishing attacks, as well as malware and malicious documents; valid user accounts remain the preferred method for breaching an environment.
“A lot of what we found, we predicted,” he explains. “For example, that companies continue to build and deploy straight up, vulnerable systems and then put them on the internet. So, things like Windows machines with SMBs - Windows’ ‘everything’ protocol for file sharing, administration, authorisation, printing… everything - just exposed to the internet. That’s pretty shocking, it was probably the most visceral reaction I had to the data.”
For the first time in a Threat Report, Rapid7 has addressed the recommendations that its Managed Detection and Response (MDR) team identifies. This team currently identifies and stops 85% of threats within one hour of initiation and more than 90% within one day. “At first I thought the data was wrong on that,” says Beardsley. “We’re huge fans of the MITRE ATT&CK Enterprise Framework at Rapid7 because it really lets you lay out all the preconditions for an event, showing what attackers do to move from compromise, privilege escalation and lateral movement, through payload, execution and exfiltration of data. We’ve moved all of our detection and response to fit into the attack framework and, I don’t think this report should be about us patting ourselves on the back, but those figures are really good and impressive. I would say that, for a mature security organisation, 50% would be a good baseline, so the fact we’re hitting 90% is kind of shocking - in a good way.”
Conclusions from the Threat Report covered several areas. Based on the above, it should be little surprise that Rapid7 encourages all organisations to adopt the MITRE ATT&CK Enterprise Framework to guide threat prevention and response programmes. Other key recommendations included a greater focus on the external footprint, the use of multiple threat detection methodologies, the augmentation of technology with skilled individuals, and countering attacks on valid user accounts through patching, network segmentation and user behaviour analytics (UBA). Organisations should also proactively deploy mitigating controls based on trends in the threat landscape.
“If you have more than one person in your organisation you need to be adopting attack framework right now,” Beardsley states. “It just makes everything so much easier and is in the absolute best interest of your enterprise. Having some kind of endpoint protection that does instrumenting, lets you get into detecting at a very early stage of compromise right before anything bad happens, and finally, scanning your enterprise network is essential - and we do that very easily for anyone that needs it. You look at those three things, you’re 80% of the way there.”
In the next edition of the publication we will look more closely at several of the threats facing enterprises as part of our series of conversations with Beardsley.