Skip navigation
All Places > Nexpose > Blog
1 2 3 Previous Next

Nexpose

319 posts

Just when you’d finished wiping away your WannaCry tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon).

 

As with WannaCry, we wanted to keep this simple. First, check out Jen Ellis's overview of the Samba vulnerability, and then review the below steps to quickly scan for this vulnerability on your own infrastructure and create a dynamic asset group for tagging and reporting. If you aren’t already a customer, you can use this free trial to scan for the Samba vulnerability across your environment.

 

Authenticated checks are live in Nexpose and InsightVM, as well as unauthenticated and authenticated remote checks.

 

Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for CVE-2017-7494:

 

1. Under administration, go to manage templates.

 

 

2. Copy the following template: Full Audit enhanced logging without Web Spider. Don’t forget to give your copy a name and description!

 

 

3. Click on Vulnerability Checks and then “By Individual Check”

 

 

4. Add Check “CVE-2017-7494” and click save.

 

This should come back with 41 checks that are related to CVE-2017-7494.

 

5. Save the template and run a scan to identify all assets with CVE-2017-7494.

 

Creating a Dynamic Asset Group for CVE-2017-7494

Now that you have your assets scanned, you may want to create a Dynamic Asset Group off of which to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button.

 

 

Now, use the "CVE ID" filter to specify the CVE:

 

 

This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

 

Using these steps, you’ll be able to quickly scan as well as report on the Samba vulnerability. Let us know if you have any more questions!

For a long time, the concept of “infrastructure” remained relatively unchanged: Firewalls, routers, servers, desktops, and so on make up the majority of your network. Yet over the last few years, the tides have begun to shift. Virtualization is now ubiquitous, giving employees tremendous leeway in their ability to spin up and take down new machines at will. Large chunks of critical processes and applications run in cloud services like Amazon Web Services (AWS) and Microsoft Azure. Containers have made it easy to create and launch large applications across any infrastructure.

 

With all these magical improvements to flexibility and efficiency comes additional risk. Network infrastructure is no longer a room on the second floor of your office building; instead, it's a constantly morphing and shifting mass of potentially vulnerable virtual and cloud devices. Soon, InsightVM, Rapid7’s analytics-driven vulnerability management solution, will provide the ability to understand and assess the modern and ever-changing network. Our first major step: container security.

 

I’ve got a container security problem

Container technology has been growing by leaps and bounds in recent years; it has come a long way from the days of Solaris Zones. If you’re into data, check out DataDog’s view of Docker adoption. Year-over-year growth of real, productive use of Docker is 40%. Why is that?

 

Containerization shifts not only the deployment philosophy, process, and speed, but more importantly the ownership of IT assets. What once was a clear divide between IT asset owner and software developer/service provider may now be blurry. Software developers use containers to manage more and more application deployment, meaning IT becomes less and less responsible for patching libraries and dependent software packages. When shipped within the container, software dependencies are no longer managed by the host OS but instead by the runtime container environment.

 

Application developers get more efficient. IT teams have less control and less visibility, without any reduction in responsibility.

 

With greater efficiency comes greater risk

In the history of infrastructure, containers are just another technology with which security teams must come to grips. But they also have some unique characteristics that change the behavior of infrastructure. Specifically:

 

  • Containers are ephemeral. They make modern infrastructure move faster. According to DataDog, “containers have an average lifespan of 2.5 days, while across all companies, traditional and cloud-based VMs have an average lifespan of 23 days.”
  • Container hosts may be densely packed with risk. Much like their hypervisor relatives, container hosts can run any workload and, therefore, assume any risk.
  • Containers are designed to be mixed and matched in myriad ways. Containers aren’t assets—nor are they business applications. Container images are immutable building blocks, defined by their cryptographic hash.


When combining the factors above, it becomes clear that securing container technology is different than securing a general purpose server or virtual machine.

 

Securing containers with InsightVM

We are working on capabilities in InsightVM to help you assess and contain this risk in 3 primary ways:


1. Discovery: InsightVM will increase visibility of where your Docker hosts live in your world so you know where to begin your efforts to contain your container problem. InsightVM will also identify container images, whether running or stopped, and put them at your fingertips: fully searchable by cryptographic hash or container metadata.

 

Simple, easy-to-understand solutions often win the day for time-starved teams. Start with discovery, and increase capability from there. InsightVM will allow customers to discover Docker containers across their environment and understand their container attack surface.

 

2. Configuration: InsightVM will identify container hosts that do not comply with CIS benchmarks for common OSes and Docker itself, and combine that with best-in-class vulnerability and remediation built for IT teams.

 

Ask yourself, which represents less risk, a) or b)?

    1. A container image: purposefully configured, built for an application’s specific needs
    2. A container host: a general purpose computer, configured to run Docker, patched or unpatched


At face value, I’ll take the purposefully configured container over the general purpose computer any day. Even though container images are ephemeral, numerous, and—worst of all—created by those wily developers, they are not general purpose computers and present a different attack surface. Confirm your container hosts are securely configured and vulnerability-free, and you’ve reduced risk across any container that runs on the host.

3. Assessment: InsightVM will offer a fully integrated container assessment service, providing visibility into vulnerabilities and risk associated with the components and layers of a container. This includes full searchability by cryptographic hash or container metadata.

 

With these additions, InsightVM will make it easy for you to:

  • Perform vulnerability assessment on the container image as it is deployed and exists in production
  • Perform vulnerability assessment on the container image as it is built, prior to deployment

 

Security teams that have strong application development partnerships can integrate directly into DevOps pipelines (i.e. CI/CD). But for those who do not enjoy such visibility or relationships with development teams, fear not, you can collect and assess a container image as it exists on the container host itself.

 

We are now conducting direct customer engagement on these capabilities through the Rapid7 Voice program with InsightVM customers and will roll out new capabilities starting in Q2 2017. Of course, we have much, much more in store, and I encourage you to reach out to your Customer Success Manager or Account Executive to learn more. Also, if you're not a Rapid7 customer, you can try a free trial of InsightVM for 30-days!

 

NOTE: Rapid7 creates innovative and progressive solutions that help our customers confidently get their jobs done. As such, the development, release, and timing of any product features or functionality described remains at our discretion in order to ensure our customers the excellent experience they deserve, and is not a commitment, promise, or legal obligation to deliver any functionality.

Today, Rapid7 is notifying Nexpose and InsightVM users of a vulnerability that affects certain virtual appliances. While this issue is relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about this issue, please don't hesitate to contact your customer success manager (CSM), or your usual support contact.

 

We apologize for any inconvenience this may cause our customers. We take our customers’ security very seriously and strive to provide full transparency and clarity so users can take action to protect their assets as soon as practicable.

 

Description of CVE-2017-5242

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots.

 

A malicious user with privileged access to one of these vulnerable virtual appliances could retrieve the SSH host private key and use it to impersonate another user’s vulnerable appliance.

 

In order to do so, an attacker would also need to redirect traffic from the victim’s appliance to the attacker’s appliance. Likewise, an attacker that can capture SSH traffic between a victim’s client machine and the victim’s virtual appliance could decrypt this traffic.

 

In either attack scenario, an attacker would need to gain a privileged position on a victim’s network in order to capture or redirect network traffic. Since our virtual appliances are rarely exposed directly to the internet, this added complexity makes it a relatively low-risk vulnerability.

 

Am I affected?

Customers can determine whether their virtual appliance is affected by running the following command:

 

stat /etc/ssh/ssh_host_* | grep Modify

Modify: 2017-04-29 13:20:13.684650643 -0700
Modify: 2017-04-29 13:20:13.684650643 -0700
Modify: 2017-04-29 13:20:13.724650642 -0700
Modify: 2017-04-29 13:20:13.724650642 -0700
Modify: 2017-04-29 13:20:13.764650641 -0700
Modify: 2017-04-29 13:20:13.764650641 -0700
Modify: 2017-04-29 13:20:13.592650647 -0700
Modify: 2017-04-29 13:20:13.592650647 -0700

 

Affected virtual appliances contain SSH host keys generated between April 5th, 2017 and May 3rd, 2017. If the modified date for any of the SSH host keys falls in this range, then the virtual appliance is affected and the remediation steps below should be completed.

 

Remediation

Customers should either download and deploy the latest virtual appliance or regenerate SSH host keys, using these commands:

 

/bin/rm -v /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
/etc/init.d/ssh restart

 

Post-remediation

After regenerating the SSH host keys, customers will see a "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" notice the next time they SSH to the virtual appliance. Customers should run the following command on the client they use to SSH to the virtual appliance.

 

ssh-keygen -R <Virtual_Appliance_FQDN_or_IP>

 

Resources

The latest virtual appliances are available at: https://community.rapid7.com/docs/DOC-2595

 

Additional details to resolve “REMOTE HOST IDENTIFICATION HAS CHANGED!” warning can be found at: https://www.cyberciti.biz/faq/warning-remote-host-identification-has-changed-err or-and-solution/

***Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: EternalBlue: Metasploit Module for MS17-010. Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and causing issues for some customers ***

***Update 5/17/17: Unauthenticated remote checks have now been provided. For hosts that are locked down to prevent null or guest access an authenticated remote check has also been provided.

The pre-existing instructions below will enable the remote checks on creation of the template.***

 

 

Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated ransomware attack, WannaCry, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle).

 

With all of the WannaCry information circulating we want to keep this simple. First, check out this link to an overview of the WannaCry ransomware vulnerability written by Bob Rudis, and then review the below steps to quickly scan for this vulnerability in your own infrastructure (if you aren’t already a customer, go try out InsightVM for free you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, as well as create a dynamic remediation project to track the progress of remediating WannaCry.

 

Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:

 

 

1. Under the Administration tab, go to Templates > Manage Templates

 

2. Copy the following template: Full Audit enhanced logging without Web Spider. Don’t forget to give your copy a name and description; here, we’ll call it “WNCRY Scan Template”


 

3. Click on Vulnerability Checks and then “By Individual Check”

 

4. Add Check “MS17-010” and click save:

This should come back with 192 checks that are related to MS17-010. The related CVEs are:

CVE-2017-0143

CVE-2017-0144

CVE-2017-0145

CVE-2017-0146

CVE-2017-0147

CVE-2017-0148

 

 

5. Save the template and run a scan to identify all assets with MS17-010.

 

Creating a Dynamic Asset Group for MS17-010

Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button:

 

Now, use the "CVE ID" filter to specify the CVEs listed below:

This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Creating a WannaCry Dashboard

Recently, Ken Mizota posted an article on how to build a custom dashboard to track your exposure to exploits from the Shadow Brokers leak. If you already did that, you're good to go! If you wanted to be specific to WannaCry, you could use this Dashboard filter:

asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0101" OR asset.vulnerability.title CONTAINS "cve-2017-0146"asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148"

OR asset.vulnerability.title CONTAINS "cve-2017-0102"

 

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting

 

Creating a Remediation Project for MS17-010:

In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the “Projects” tab and click “Create a Project”:

 

Give the project a name, and under vulnerability filter type in "vulnerability.alternateIds <=> ( altId = "ms17-010" )"

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.

 

Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.

 

Using these steps, you’ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don’t hesitate to let us know!

 

For more information and resources on WannaCry and ransomware, please visit this page.

We’ve had some inquiries about checks for CVE-2017-5689, a vulnerability affecting Intel AMT devices. On May 5th, 2017, we released a potential vulnerability check that can help identify assets that may be vulnerable. We initially ran into issues with trying to determine the exact version of the firmware remotely, and so a potential check was released so that you would still be able to identify devices that may be impacted by this.

 

We didn't stop there though. As part of yesterday's Nexpose release, we issued an updated vulnerability check that is a remote direct condition test that will definitively identify the issue if it is present. Detection of this vulnerability does not require authentication to the asset.

 

Please note, you will have to modify your scan template to include a couple of extra TCP ports: 16992 and 16993. To learn more about how to configure your scan template see this help page for details. Happy Hunting!

 

UPDATE - May 12th, 2017: On Wednesday, May 10th, we also added an unauthenticated scanner in Metasploit to check for vulnerable systems in a network, gathering metadata such as firmware version, serial number, vendor, and model number.

Many security teams work in a world that they can't fully see, let alone control. It can be difficult to know how to make meaningful progress in your vulnerability management program when simply maintaining visibility can be a struggle. One way to get some leverage is to make wise use of asset discovery. If you are able to tap into repositories or sources of assets, you stand a better chance of gaining and maintaining visibility.

 

Over the years, we've written a thing or two about expanding your ability to discover assets from wherever they may leave a trace. You might have read about our vulnerability scanner having the ability to discover assets from McAfee ePO, or Infoblox DHCP, or even Rapid7's own Project Sonar. Or perhaps you've scoured the recently redesigned https://help.rapid7.com to learn about how you may discover assets from AWS or VMware vSphere. If you were a voracious reader, you may have even tried out Adaptive Security to automate your response to what you discover, and then you could've started to monitor the work automated actions do for you.

 

Today we are pleased to share the availability of asset discovery from Active Directory.

 

Getting started

We've made it simple for you to gain visibility into your catalog of assets as they reside within Active Directory. In the Administration tab, create a new Discovery Connection.

Next, select Active Directory (LDAP). You'll immediately be able to enter in information to connect to your own Active Directory server.

Give your connection a name, enter the hostname of the Active Directory server, and select a protocol. Both LDAP and LDAPS are supported. Provide a username and password, and then test your credential. If your credentials are good to go, you can then move on to creating your Base Query and Search Query.

 

Your Active Directory is likely tailored to meet the needs and contours of your organization. We've provided the ability to enter a Base Query to specify the portion of the AD tree you'd like to import, and a Search query that you may use to further qualify the computers to discover. Once you've created your query, you might want to take it for a spin to make sure its working properly. Try out Preview to see the top 50 results of your query to make sure you've got it dialed in.

 

Let's refine our search just a bit, to focus on just Exchange servers. I'll enter a Search Query: (dnshostname=exch*), and perform another quick test.

Now that I'm feeling good about this query, I think I'd like to put it to work for me...

 

Simple automation

Did you notice the Consumption Settings in the screenshot above? It looks pretty familiar to the setup for importing assets from McAfee ePolicy Orchestrator, and it works in the same manner. Simply enable Consume assets, and select a site to import into and let the system do the work for you. You'll see assets populated from Active Directory as soon as the connection is saved. The time it takes to complete will vary, and will largely be driven by the time it takes the Active Directory server to respond to the query. Here is a view of the assets immediately after they've been imported:

 

You'll notice we've also pulled in OS information from Active Directory where available, so you can create asset groups by the hostname and the OS. Of course, if you have existing dynamic asset groups, these assets may also be included.

 

The Discovery Connection imports assets once a day, maintaining the visibility you need, while limiting the burden on your Active Directory server. And just like that, you're on your way to better visibility, with a minimum of effort, and a great deal of flexibility to match the contours of your world.

 

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

 

Not a customer of ours? Try a free 30- day trial of InsightVM today.

Greg Wiseman

Patch Tuesday - May 2017

Posted by Greg Wiseman Employee May 10, 2017

It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290) that had some of the security community buzzing over the weekend was also addressed late Monday evening. A flaw in the scanning engine used by various Microsoft anti-malware products could allow attackers to fully compromise a user's system simply by sending them a file as an email attachment or in an instant message, or by enticing them to visit a malicious web page. This vulnerability is especially dangerous for two reasons. In most attacks, users need to be tricked into opening a file or visiting a web page, and even then the malware would generally run at their privilege level unless it's able to escalate. But because the engine runs as SYSTEM, the highest privilege level, it's game over for a compromised system; the attacker has full control. Additionally, because the engine may scan files in the background before the user even sees them, exploitation can occur without the typical prerequisite social engineering tactics. The only good news here is that Microsoft shipped the fix very quickly after being notified, and since it's being delivered as an anti-malware update as opposed to via Windows Update, most users should get the patch without having to take any action.

 

The fixes released as part of the regular Patch Tuesday updates continue some long-standing trends we've seen from Microsoft, with critical KBs for all supported operating systems addressing remote code execution (RCE) and privilege escalation vulnerabilities. Two separate RCE vulnerabilities in Office were also patched, one of which (CVE-2017-0261) is known to be exploited in the wild. The other Office vulnerability, CVE-2017-0281, is rated "Important" but affects a wide range of products beyond just Office, including Skype for Business and several server platforms such as SharePoint, Office Web Apps, and Project Server 2013. Edge and Internet Explorer remain reliable attack surfaces with RCE vulnerabilities being patched for both. Rounding out the vulnerabilities this month is a DNS denial of service (CVE-2017-0171) affecting all supported server operating systems.

 

Alongside today's updates Microsoft published Security Advisory 4010323 indicating that they've now fully deprecated SSL/TLS certificates that use SHA-1 due to known weaknesses in the algorithm. IE 11 and Edge will no longer load sites with such certificates, and will instead display an invalid certificate warning. The exception to this is self-signed and enterprise certificates (those not chained to a Microsoft-trusted root); however, any such sites really should switch to SHA-2 based certificates as soon as possible.

Rebekah Brown and the Rapid7 team have delivered a spot-on breakdown of the recent Shadow Brokers exploit and tool release. Before you read any further, if you haven’t done so already, please read her post. It’s probably not the only post you’ve read on this topic, but it is cogent, well-constructed and worth the 5 minutes.

 

Back with me? With all of the media attention and discussion in the infosec community, it would not surprise me to hear that a security team still wondered aloud: “Nation-state intrigue makes for scintillating reading, but what do I do with this news?”

 

So long as there are attackers and defenders in infosec, the Rapid7 community continues to be on the front lines of the struggle. But, in such a position, which action is prudent? Purchasing an underground bunker outright may not be a sound decision for you.  However, there are practical actions you can take.

 

Don't waste a learning moment

You invest in building and maintaining your vulnerability management program. This includes making sure you have visibility to the latest threats and perhaps automating your response. The exploits thrust onto the world stage by the Shadow Brokers, while newsworthy, distill down to a seemingly normal set of patches and updates. As Rebekah's post states:

If you are unsure if you are up to date on these patches, we have checks for all of them in Rapid7 Nexpose and Rapid7 InsightVM. These checks are all included in the Microsoft Hotfix scan template.

It turns out, if you’re maintaining your vulnerability scans, and getting the visibility to your Windows assets, you already have the visibility you need. But that doesn’t mean you have to treat this event as business as usual.  Perhaps you’d like to see how your security program fares when up against vaunted Shadow Brokers trove?

 

Here are a few ideas you can try based on a mix of newer and long-standing capabilities.

 

Look for what you need

If you want to efficiently identify the presence of Shadow Brokers’ leaked vulnerabilities, and you don’t want to change your existing Scan regime, create a new Scan template.

 

You’ll find creating a new Scan Template in the Administration tab. Start off by naming your template:

Next, configure your Scan Template for specific vulnerability checks. Tailor your template by looking only for the checks associated with the CVEs exploited by the Shadow Brokers leak.

 

EternalBlue

EternalSynergy

EternalRomance

EternalChampion

MS17-010

msft-cve-2017-0143

msft-cve-2017-0144

msft-cve-2017-0145

msft-cve-2017-0146

msft-cve-2017-0147

msft-cve-2017-0148

EmeraldThread

MS10-061

WINDOWS-HOTFIX-MS10-061

EskimoRoll

MS14-068

WINDOWS-HOTFIX-MS14-068

EducatedScholar

MS09-050

WINDOWS-HOTFIX-MS09-050

EclipsedWing

MS08-067

WINDOWS-HOTFIX-MS08-067

Use the CVEs to search for the checks and add to your template. Here, I’ve added CVE-2017-0144.

 

Now that you’ve got one template squared away, you can take your new Scan Template out for a spin on an entire Site, or an ad hoc scan, or you might want to check out improvements to Scan Configuration to target a scan for just the subset of a Site.

 

If you don’t have time for manual scans, create an Automated Action to scan an asset when it is discovered on your network. Whether you’ve discovered the asset via DHCP discovery connection or just by a regular discovery scan, you can use Automated Actions to scan the Asset when it appears.

 

Give your stakeholders a view

I couldn’t leave you without one final tried and true tip for satisfying demanding executive stakeholders: You can always create a new dashboard!

 

I’ve created a custom Shadow Brokers Leak dashboard to house all the cards and analysis I’ll need.

Next, I’ll start adding Cards that I’d like to work with. Let’s use the Newly Discovered Assets card as a starting point. I’ve added this card to my Dashboard and I’ll click Expand Card to drill in.

Next, I’ll create a new filter to look only for Assets that are affected by CVE and hotfixes identified above. I’ll paste this into the Filter field:

*UPDATE: Corrected May 24,2017: Changed "ms10-068" to "ms14-068"*

asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0146" OR asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148" OR asset.vulnerability.title CONTAINS "ms10-061" OR asset.vulnerability.title CONTAINS "ms14-068" OR asset.vulnerability.title CONTAINS "ms09-050" OR asset.vulnerability.title CONTAINS "ms08-067" OR asset.vulnerability.title CONTAINS "ms17-010"

It’ll look something like this:

I’ve saved this filter so I can use it across any number of cards I wish. Since I’ve done the work of creating the filter once, it is straightforward to add cards, apply the filter, and then save the Cards to my dashboard. I’ve built a tailored view, showing the impact of the Shadow Brokers leaked exploits on my organization.

 

 

If you’re feeling comfortable with this approach, take a step futher! Try out an Actionable Remediation Project from here and get started taking down these risks on your turf.

 

Not a customer of ours? Try a free 30-day trial of InsightVM here.

Many security groups today use ticketing systems that were originally designed for IT or developers, and are usually ill-suited to their vulnerability management needs. Even more commonly, teams simply rely on spreadsheets and unwieldy reports. On the other end of the spectrum, some security teams build a self-service workflow for their remediators and run into lack of user adoption – remediators just are not logging in to the security console. At Rapid7, we think there has got to be a better way, so we’ve built Remediation Workflow Ticketing.

 

What is "Remediation Workflow Ticketing?"

Remediation Workflow Ticketing is a way to connect your Remediation Workflow to the systems that remediation work in on a daily basis. We’ve built a capability that simply integrates remediation projects with Atlassian JIRA to make it easier and more efficient to collaborate with vulnerability remediation teams.

Security, IT, DevOps, Development, and Engineering may keep using their existing systems and workflow. The Remediation Workflow Ticketing Integration is not a replacement, but rather a complement to the native Remediation Workflow projects.  With this ticketing integration, users can enable the automated generation tickets for only the Remediation Workflow projects they see fit, saving increasingly more time as new work is added and must be tracked easily.

 

Here’s how you can get started...

 

Easy setup and re-use of ticketing preferences

A brief setup wizard asks for the minimal amount of information necessary – no need for complicated, tedious mappings between it and your ticketing system.

set_up_new_connection.png

The wizard will guide you through setting up your first connection.

 

 

Enable/Disable ticketing options on a Remediation Workflow project whenever you are ready.

 

Creating ticketing preferences does not automatically create tickets. Users can feel confident that their remediators will not be flooded with tickets while also being able to re-use preferences across projects.

 

Users can designate the assignees of the tickets utilizing rules based on filters.  The filter query language is the same as the one today for Liveboard cards and Remediation Workflow Dynamic Projects.  Tickets that meet the filter criteria will be assigned to the ticketing system user of your choice.  Users can reuse these preferences, saving time and effort by no longer having to constantly remember and repeat assignment logic. 

Ticket assignment happens automatically.

 

Deliver the right message to IT

Tickets generated by the Remediation Workflow integration are targeted, precise, and contain the solution, vulnerability and asset information.  Security groups no longer have to spend valuable time to decipher, redact, and translate long reports into actionable work items.

 

Utilize variables for asset, vulnerability, solution, and Remediation Workflow data in your tickets.

 

With powerful templating options, users can decide how much and how verbose they wish to be with the security data (i.e. context) or as terse as they want to be with what they share on the tickets to their remediators. This is helpful as security groups interface with and rely on multiple groups, each with its own way of working with security. 

 

Using remediation variables, users can be strategic about managing their remediation orchestrations.

 

Tracking progress

User can quickly monitor the progress of their remediation by looking at the “Tickets” column in the list of projects.  While viewing a specific project, users can quickly see if a ticketing connection exists and whether it’s enabled.  By inspecting further, users can access each individual ticket associated with a particular solution.  In short, users enjoy the flexibility of taking quick temperature reads of remediation tickets overall and also viewing individual tickets in full detail.

 

The Projects list page provides a quick view to quickly scan for areas of progress across your organization.

 

User can see if there are any tickets generation by inspecting a solution in a project.  Users can also access a link to the ticket created.

 

How to get started

The Remediation Workflow Ticketing Integration is a flexible way to gain greater visibility and control into your organization’s remediation efforts, both big and small.  It extends and is also a great complement to the native capabilities of Remediation Workflow.  Security teams are freed from user management overhead and remediators do not have to disrupt their existing workflows.  Both teams benefit from having just the right amount of security context in their tickets.

 

Get started today by going to Remediation Workflow - Project lists page and clicking on “Add a Ticketing Connection.”   Of course, you can also read more in our Help documentation for Remediation Workflow Ticketing Integration. If you are not a current customer of InsightVM, you can download a free 30-day trial and test drive this new capability as well.

Security practitioners and the remediating teams they collaborate with are increasingly asked to do more with less. They simply cannot remediate everything; it has never been more important to prioritize and drive remediations from start to finish.

 

The Remediation Workflow capability in InsightVM was designed to drive more effective remediation efforts by allowing users to project manage efforts both large and small. Remediation Workflow is designed for security practitioners, with the aim of getting them from where they are today to where they envision their security programs to be in the future.

 

Vulnerability remediation can be a struggle

Let’s say a security team wants a set of 10 vulnerabilities remediated across a set of 500 assets.  This sounds simple, but in practice could entail months of effort across several remediation teams. There are many considerations:

  • What’s the most efficient way to eliminate 10 vulnerabilities across 500 assets? Which assets should be remediated first?
  • The vulnerability is found across multiple OS’s and platforms.  As a remediator, how do I track down the solution that is applicable to the asset I am trying to fix?
  • How do I get the right instructions to the right asset owners/administrators?


To address these questions through typical means i.e. by vulnerability and by asset means exposing the security team to theoretically 5,000 scenarios (10 vulnerabilities times 500 assets). This is most certainly an exaggeration, but doesn’t the back and forth of remediation sometimes FEEL like there are 5,000 questions? We think there’s a better way, and we’ve designed Remediation Projects to be driven by solutions, not vulnerabilities or assets.

 

 

Solutions drive vulnerability remediation

Solutions are the remediation steps to eliminate or mitigate a given vulnerability. A vulnerability may contain one or more solutions. Each solution may contain:

  • The steps to perform the solution
  • References to learn more about the solution or vulnerability
  • Risk associated with the solution


Here’s the key: A single solution can remediate multiple vulnerabilities. You just have to know which solutions are shared across vulnerabilities. If you knew that, you could determine which solutions to execute on which assets to take down the greatest risk. This is precisely what Remediation Projects are designed to do: take the mindless work of finding the best solutions for the assets within scope.

 

Creating Actionable Projects

The objective of using a Remediation Project is to drive action in remediation. That’s it. To that end, a project should be readily actionable by you and the project’s assignees. What do we mean by actionable?

  • The project should be able to be understood at a glance, without significant filtering, sorting or scrolling.
  • The project should be attainable within a finite period of time.

 

With these principles in mind, we have a few thoughts on how to create projects for action. 

Start with Dynamic Projects

We recommend creating dynamic projects first because the asset and vulnerability filters give you more visibility and control over the number of solutions that will populate the project.  

 

Dynamic projects are very powerful and flexible.  They provide elastic scoping based on real time criteria on assets and vulnerabilities. In other words, any assets or vulnerabilities that meet the dynamic project’s criteria will be included in the scope of the project. 

 

figure_1.png

Dynamic Projects utilize Asset and Vulnerability filters to scope solutions to be populate the project.

 

figure_2.png

    Refine the assets in scope by adding further criteria.

 

figure_3.png

Refine the vulnerabilities in scope by adding further criteria.

 

project_detail_png.png

Viewing the Asset and Vulnerability filters that define the scope of the dynamic project. 

 

Dynamic projects provide unprecedented ways to maintain oversight on a defined set of work and enable users to pivot quickly in the event there are spikes (numerous instances of a vulnerability found or an influx of matching assets enters the network).

  • Any assets of a certain OS or platform family: Windows, Linux, servers, desktops, virtual hosts, etc.
  • Any assets with vulnerabilities of a certain category: Critical, Exploitable, CVSS or Risk Scores over a certain threshold.
  • Microsoft Patch Tuesday remediation tracking: Utilize the filter criteria such as vulnerability.title CONTAINS “msft-cve-2017” AND vulnerability.datePublished BETWEEN 03-01-2017 AND 04-01-2017.
  • Mission-critical, legacy, or otherwise sensitive assets.
  • Remediation response to 0-day.

 

Determine your use case

If you’re seeking to drive vulnerability remediation efforts and monitor progress, then utilize the asset filters to help scope by asset ownership (owner tag or OS/Platform) and vulnerability filters to focus on remediations prioritized by risk, CVSS score, severity, category, and exploitability, etc.


Projects are not just for assigning work. There are other uses for Remediation Workflow aside from delegating solutions to assigned remediators. Security Managers can utilize projects without assignees in order to ease ad-hoc and recurring reporting requests. Security Managers can define organization-wide project scopes and separate “sub” projects of increasingly smaller scope in order to have visibility into remediation progress quickly and without disturbing or disrupting remediators.


Is your aim more geared towards reporting and monitoring? If so, create project with a due date and no assignees (unless they are required to aid in reporting). 

Refine your project’s scope

As a project owner, you can edit your dynamic project’s scope at any time.  Because some solutions can remediate multiple vulnerabilities, a high number of assets and a high number of vulnerabilities do not necessarily guarantee that a large number of solutions will result. However, scoping dynamic projects to a small number of assets and a narrow set of vulnerabilities will help yield a project with a manageable amount of solutions. You can test results of the asset and vulnerability filters by hitting “Apply.”


If your aim is to project manage and drive vulnerability remediation efforts, a dynamic project that is not too broad in scope is best in order to avoid solutions populating a project that are not really part of what you want to have actioned. Utilize the type-ahead behavior of the filters, as well as the Syntax Help/Query Dictionary (see below), in order to get a fuller sense of the filter criteria at your disposal. 

  • Vulnerability Exploitability
  • Skill set required to exploit the vulnerability
  • Asset tags (owner, custom, location)
  • Asset OS (family, architecture, vendor)
  • Asset risk score
  • Vulnerability severity, CVSS score
  • Vulnerability title contains a certain string
  • Vulnerability publish date

 

syntax_helper_query_dictionary.png

 

How to Get Started

Remediation Workflow provides a powerful and flexible way to define, monitor, manage, and drive remediation efforts big and small throughout your organization. Remediations can be challenging. Remediation Workflow reduces friction between security and IT teams with its solution centric approach that automatically incorporates solution, asset, and vulnerability data, empowering teams to get from start to remediated faster.

 

Get started today by clicking on the Projects button in the left hand navigation menu, and if you need more details, you can find them in our Help documentation for Remediation Workflow.

A few months ago, I shared news of the release of the macOS Insight Agent. Today, I’m pleased to announce the availability of the the Linux Agent within Rapid7's vulnerability management solutions. The arrival of the Linux Agent completes the trilogy that Windows and macOS began in late 2016. For Rapid7 customers, all that really matters is you’ve got new capabilities to add to your kit.

 

Introducing Linux Agents

Take advantage of the Linux Agent to:

 

  • Get a live view into your exposures: Automatically collect data from your endpoints and seamlessly update your Liveboards, which are always populated with real time data with out the need to hit refresh or rescan.
  • Get visibility into remote workers:  Remote workers rarely, or in some cases never, connect to the corporate network and often miss scheduled scan windows. Our lightweight agents can be deployed to monitor risks posed by the mobile workforce.
  • Eliminate restricted asset blind spots: Some assets are just too critical to the business to be actively scanned. With our agents, you'll get visibility into assets with strict vulnerability scanning restrictions, while removing the need to manage credentials to gain access.
  • Get visibility into elastic or ephemeral assets by building the Insight Agent into your base machine images or VM templates.

 

Of course, Linux isn’t a monolithic OS like Windows or macOS. In order for our customers to get the widest possible coverage, Linux Insight Agents support an array of distributions:

  • Debian 7.0 - 8.2
  • CentOS 5.2 - 7.3
  • Red Hat Enterprise Linux (RHEL) Client 5.2 - 7.3
  • Red Hat Enterprise Linux (RHEL) Server 5.2 - 7.3
  • Red Hat Enterprise Linux (RHEL) Workstation 5.2 - 7.3
  • Oracle Enterprise Linux (OEL) Server 5.2 - 7.3
  • Ubuntu 11.04 - 16.10
  • Fedora 17 - 25
  • SUSE Linux Enterprise Server (SLES) 11 -12
  • SUSE Linux Enterprise Desktop (SLED) 11 -12
  • openSUSE LEAP (42.1 - 42.2)
  • Amazon Linux

 

With such a diverse list, we hope you’re able to find a match for your environment. Ready to get started? Check out the steps to download and install, and you’ll be up and running in no time.

...and more

If you’ve read this far, you may be wondering: “Hey, what about the ‘...and more’ promised in the title?”

 

Since the release of Insight Agents for vulnerability management in late 2016, we’ve received great feedback from our customers. In particular, we heard that customers liked the visibility they were able to attain, but found the management capabilities lacking.

 

With our most recent release, we’ve now brought management capabilities to your Assets with Agents. You can now treat

your Assets with Agents just like any other asset in your system. You are now able to:

 

 

All of your Assets with Agents will be synchronized from the Insight Platform into an automatically created “Rapid7 Insight Agents” site so you’ll always know where to find them.

 

I hope you grab a moment to give these new tools a spin and let us know what you think! All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

 

Download a free 30-day trial of InsightVM.

This month's updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they've patched the CVE-2017-0199 zero-day flaw in Office and WordPad, which could allow an attacker to run arbitrary code on a victim's system if they are able to successfully social engineer their target into opening or previewing a maliciously crafted document.

 

Microsoft has also already issued a fix for their new version of Windows 10 (1703, also known as the "Creators Update"), which was only made generally available today. It addresses several RCE and elevation of privilege vulnerabilities.

 

Data center admins can't rest easy, however. This month sees updates for all supported versions of Windows Server, with fixes across the board for RCE, privilege escalation, and denial of service (DoS) vulnerabilities.

 

Administrators should be aware that after today, Windows Vista will no longer be supported. Any systems running Vista should be upgraded to a supported version in order to continue receiving security fixes. As the recent zero-day IIS exploit for Server 2003 R2 reminded us, attackers are happy to take advantage of obsolete systems still in use.

 

It is also worth noting that information about this month's fixes are only available from Microsoft's Security Updates Guide. Instead of grouping related fixes under Security Bulletins such as MS16-XXX, their new system allows users to pivot on the vulnerability identifiers (CVEs) and KB article numbers. They also provide the ability to search and filter based on product, severity, and impact (e.g. RCE, DoS, etc.) which can help administrators prioritize how they roll out the updates. Please refer to this blog post for more details about how this affects Nexpose users.

In 2015 Rapid7 introduced the Insight platform, built to reduce the complexity inherent in security analytics. This reality was introduced first to our InsightIDR users, who now had the capabilities of a SIEM, powered by user behavior analytics (UBA) and endpoint detection. Soon we started to roll out new solutions and amplified other products with platform services, which significantly reduce the overall total cost of ownership inherent with on-premise, analytics-driven solutions. Taking advantage of the Insight platform means users can automatically scale their individual use-cases, whether incident detection or vulnerability management, to meet their particular needs.

 

This same platform now daily processes more than 50 billion events, and monitors millions of assets. With today’s announcement, it is the first platform to unify solutions for vulnerability management, user behavior analytics (UBA), SIEM, IT log analytics, and application security.

 

Vulnerability Management = VM

Today Rapid7 announces the launch of InsightVM, which builds on Rapid7’s award-winning, vulnerability management solution, Nexpose, now fully leveraging the power of the cloud to provide live answers to security professionals’ most critical questions. InsightVM’s live monitoring gathers continuous data - whether via agents or agentless - so security professionals can see the risk posed by their entire network footprint, including cloud, virtual, and endpoints.

 

Let’s dive into this more.

 

InsightVM automatically collects live data across your environment and uses the Insight platform for data analytics and processing to provide:

  • Liveboards, our live dashboards that are fully customizeable, update instantly with always fresh data, and can be easily queried to focus on any use case, from sys admins to CISOs, with no need for complex scripting or waiting for data to refresh. New capabilities include cards for tracking remediation progress and accountability.

 

 

  • Insight Agents, a lightweight endpoint agent that minimizes network usage by taking a baseline at first install and then communicating only changes on a system to the InsightVM console and platform. InsightIDR uses the same agent, so you get a unified solution for monitoring endpoints for new vulnerabilities and attacker behavior. New capabilities include proxy and Linux support.

 

 

  • Remediation workflows, which let you create and track remediation duties from within InsightVM, and enable IT and Security to work closer together on fixing issues, without miscommunication and back-and-forth meetings. New capabilities include in-product integration with JIRA to automatically create tickets for new projects, and update remediation projects when tickets are closed.

jira project.png

  • A new subscription based pricing model, licensed by number of active assets you want to scan. This makes it easier and more cost effective for customers to purchase InsightVM, simplifies scope for deployment, and allows InsightVM to easily grow with your network.

 

Along with the introduction of InsightVM, we are also helping simplify and bolster Nexpose users. In the past we had several editions of Nexpose, but with this announcement we now have two effective vulnerability management solutions: InsightVM, powered by our cloud platform, and Nexpose, our on-premise solution.

 

Why? Well, there are a lot of reasons, primarily feedback from our customers over the years that we have been evolving our vulnerability management solution. And, this allows us to have separate product roadmaps for our dedicated on-premise offering and our cloud-powered InsightVM solution, which will make it easier to incorporate future customer feedback and deploy exciting new capabilities in both solutions!

 

Over the coming weeks, you’ll see numerous blog posts detailing these new capabilities and how they will help our customers save time, better understand their risk, and improve their security posture. If you’d like to learn more, be sure to sign up for our webcast on the 19th, and check out the FAQ.

Background Information

 

As part of the Nexpose 6.4.28 release on Wednesday, March 29th, we introduced a new way to view remediation solution data in both the Nexpose Console UI and the Top Remediations Report.


Over the years, we’ve heard from our customers that the Top Remediations Report is one of the most useful features in our vulnerability management solution, but there’s always room for improvement.  Specifically, they want to only see solutions that are applicable to the asset based on its OS, instead of solution data for all operating systems and platforms.  This led to larger reports and frustrated remediators who need to figure out which exact solution to apply.

Enhanced Top Remediations Report

We’ve improved the Top Remediations Report to present a single solution called the “best solution”. This solution is selected from a pool of solutions that are the highest in their supersedence chain, i.e. “rollup”, and are applicable to the asset’s OS/platform.  Usually, there is only a single choice, but if there are multiple solutions that meet the criteria for the best solution, Nexpose will choose the latest or most comprehensive solution.

Top Remediations Report.png

We have also added formatting improvements, including a risk take down %

 

This results in a more concentrated delivery of solution prescriptions in the Top Remediations report.  The report provides solutions that will mitigate the same or more amount of risk with a fewer, more finely distilled selection of solutions.

 

In addition to changes in the Top Remediations Report, we have also updated the presentation of solution data in the console UI itself. On the Asset Details Page - New Solutions “Pill” in Vulnerabilities Table:

solutions_column.png

 

These pill icons indicate the status of the solution.

Solution Pill IconDescription
pill single soln.pngA single best solution for the vulnerability.
pill warning.pngWarning – there is no single best solution or “tie breaker”, so one or more of the following solutions needs to be applied.
pill error.pngError – no solution is applicable, usually because solution is deprecated by the vendor or the Console is decommissioned and not taking updates.

 

Clicking on the new pill icons in the Solutions column will navigate to a new Remediations portlet. This makes all the solution data pertaining to a vulnerability accessible without overwhelming users with the full set of data right away.  Rather than loading the full solution superset every time, the solution information is presented in a more structured way - with the best solutions displayed first, followed by supporting data ordered by priority.

Fix all vulnerabilities on an asset or just a targeted few

remediations portlet 1.png

New portlet “Remediations”

 

The Remediations portlet can be found on the Asset Details page and has three tabs. The first two tabs are helpful when you are remediating an asset and focused on mitigating as much risk as possible on the asset.  Best Solutions shows the single solution for each vulnerability on the asset, selecting from the data in the Applicable Solutions tab.  The Solutions by Vulnerability tab provides a different view showing solutions by vulnerability, which is helpful in scenarios where remediators are targeting a specific vulnerability to fix.

 

solution detail in remediation portlet.png

The solutions listed at the top in each of the tabs are links that navigate to the full solution entry, specifically the fix steps, references, and also a summary of the number of vulnerabilities the solution remediates and which vulnerabilities. 

Best solutions for one or all assets

The Remediations portlet is also available on the Vulnerabilities Detail Page.

 

remediation 2 tabs.png

Remediations Portlet on the Vulnerabilities Details page

 

Since we are viewing a vulnerability without an asset in mind, the tabs provided show all the solutions that remediate the vulnerability across any OS, platform, library, etc., both in rollup and non-rollup view.

 

header.png

We have added “header” information at the top of the Vulnerability Details page when viewing a vulnerability found on a specific asset.

 

However, when viewing a vulnerability found on a particular asset, users will see more information.  The two additional tabs show information in the same fashion as on the Assets Detail Page, so that users can view specific remediation steps to take for a specific vulnerability on a specific asset.

 

remediation first of four tabs.png

The Remediations portlet when viewing a vulnerability on an asset has the following two additional tabs.  (1 of 2)

 

 

Asset Best Solutions lists the single best solution for remediating the vulnerability on this asset.

remediation second of four tabs.png

The Remediations portlet when viewing a vulnerability on an asset has the following two additional tabs.  (2 of 2)

 

The second tab, Asset Applicable Solutions, allows users to view other possible solutions.  These entries are specific to the OS/Platform or other profile data of the asset, and are also the highest in their supersedence chains.

More resources

In summary, this new structured solution data in the Console UI and enhancement of the Top Remediations report strikes a balance between keeping the Top Remediations Report clean and actionable while also making available the full set of solution data.  Users will be able to fix faster without losing the ability to look at all of their options.

 

Here are a couple links that may provide more background on the topics covered in this post:



In Nexpose version 6.4.28, we are adding support for privileged elevation on Cisco devices through enable command for those that are running SSH version 2.

 

A fully privileged policy scan provides more accurate information on the target's compliance status, and the ability to do so through enable password, while keeping the actual user privilege low, adds an additional layer of security for your devices. This allows our users to run fully privileged policy scans on Cisco IOS without having to pre-configure the target with a user that has full privilege. Instead, they could enter the enable password in the credential window similar to how sudo elevation is set up.

 

Simply navigate to the credential configuration page for SSH services and select Cisco Enable / privileged exec as your elevation type and enter your enable password as the elevation password, per the screenshot below:

 

Screen Shot 2017-03-22 at 5.13.43 PM.png

Filter Blog

By date: By tag: