Nexpose Blog

Rapid7’s Incident Detection and Response and Vulnerability Management solutions, InsightIDR and Nexpose, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs.

 

Nexpose proactively identifies & prioritizes weak points on your network, while InsightIDR helps find unknown threats with user behavior analytics, prioritizes where to look with SIEM capabilities, and combines endpoint detection and visibility to leave attackers with nowhere to hide. Let’s look at three specific benefits: (1) putting a "face" to your vulnerabilities, (2) automatically placing vulnerable assets under greater scrutiny, and (3) flagging users that use actively exploitable assets.

 

[Image: Vulnerabilities-User-v2.PNG]

 

User Context for Your Vulnerabilities

InsightIDR integrates with your existing network & security infrastructure to create a baseline of your users’ activity. By correlating all activity to the users behind them, you’re alerted of attacks notoriously hard to detect, such as compromised credentials and lateral movement.

 

When InsightIDR ingests the results of your Nexpose vulnerability scans, vulnerabilities are added to each user’s profile. When you search by employee name, asset, or IP address, you get a complete look at their user behavior:

 

[Image: InsightIDR-User-Page-v2.gif]

 

How this saves you time:

  • See who is affected by what vulnerability – this helps you get buy-in to remediate a vulnerability by putting a face and context on a vulnerability. (“The CFO has this vulnerability on their laptop – let's prioritize remediation.”)
  • Have instant context on the user(s) behind an asset, so you accelerate incident investigations and can see if the attacker laterally moved beyond that endpoint.
  • Proactively reduce your exposed attack surface, by verifying key players are not vulnerable.

 

Automatic Security Detection for Critical Assets

In Nexpose, you can dynamically tag assets as critical. For example, they may be in the IP range of the DMZ or contain a particular software package/service unique to domain controllers. Combined with InsightIDR, that context extends to the users that access these assets.

 

When InsightIDR ingests scan results, assets tagged as critical are labeled in InsightIDR as Restricted Assets. This integration helps you automatically place vulnerable assets under greater detection scrutiny.

 

Some examples of alerts for Restricted Assets:

  • First authentication from an unfamiliar source asset: InsightIDR doesn't just alert on the IP address, but whenever possible, shows the exact users involved.
  • An unauthorized user attempts to log in: This can include a contractor or compromised employee attempting to access a financial server.
  • A unique or malicious process hash is run on the asset: A single Insight Agent deployed on your endpoints performs both vulnerability scanning and endpoint detection. Our vision is to reliably find intruders earlier in the attack chain, which includes identifying every process running on your endpoints. We run these process hashes against the wisdom of 50 virus scanners to identify malicious processes, as well as identify unique processes for further investigation.
  • Lateral movement (both local and domain): Once inside your organization’s network, intruders typically run a network scan to identify high-value assets. They then laterally move across the network, leaving behind backdoors & stealing higher privilege credentials.
  • Endpoint log deletion: After compromising an asset, attackers look to delete system logs in order to hide their tracks. This is a high-confidence indicator of compromise.
  • Anomalous admin activity, including privilege escalation: Once gaining access to an asset or endpoint, attackers use privilege escalation exploits to gain admin access, allowing them to dump creds or attempt pass-the-hash. We identify and alert on anomalous admin activity across your ecosystem.

 

Identifying Users that Use Exploitable Assets

Many Nexpose customers purchase Metasploit Pro to validate their vulnerabilities and test if assets can be actively exploited in the wild. As an extension of the critical asset functionality above, customers that own all three products can automatically tag assets that are exploited by Metasploit as critical, and thus mark these as restricted assets in InsightIDR. This ensures that assets which are easy to breach are placed under higher scrutiny until the exploitable vulnerabilities are patched.

 

[Image: InsightIDR-Asset-Info.PNG]

Configuring the InsightIDR-Nexpose Integration

If you have InsightIDR & Nexpose, setting up the Event Source is easy.

 

1. In Nexpose, set up a Global Admin.

2. In InsightIDR, on the top right Data Collection tab -> Setup Event Source -> Add Event Source.

 

[Image: Rapid7-Event-Source-Nexpose.png]

 

3. Add the information about the Nexpose Console (Server IP & Port).

4. Add the credentials of the newly created Global Admin.

 

And you’re all set! If you have any questions, reach out to your Customer Success Manager or Support. Don’t have InsightIDR and want to learn how the technology relentlessly hunts threats? Check out an on-demand 20 minute demo here.

 

Nathan Palanov contributed to this post.

Finding the CISCO EXTRABACON vulnerability (CVE-2016-6366) on your network with Nexpose

Recently, our research team wrote an extensive blog post on the EXTRABACON exploit (finally a name that we can all get behind). Our research with Project Sonar showed that a large number of devices and organizations are still exposed to this vulnerability even though a patch has been released, so today I thought we’d get pragmatic and show how you can measure your exposure using Nexpose vulnerability management.

 

Because Nexpose Live Monitoring is always on, it automatically collects, monitors, and analyzes your network for new and existing risk, including EXTRABACON. And when you are integrated with Rapid7 Sonar research (see, tying it all together, folks), you identify these risks immediately, whether they are present now or enter the network later.

 

There are a few ways to do it. Let’s take a look.

 

Use Nexpose Dynamic Asset Groups. Here you can create a filter to show you every asset that contains the relevant CVE (in this case, CVE-2016-6366):

(Note: To avoid typos it may be easier to do “Contains” instead of “is” and just include the final number.)

 

This asset group is dynamic, so it will automatically update after scans. When the number of assets reaches 0, that means you’re done!

 

You can also automatically tag every asset under that filter as highly critical, so that their risk scores get amplified and they get pushed to the top of your remediation reports.

 

To help visualize the impact of the vulnerability, you can also use the LiveBoards in Nexpose to filter cards by the vulnerability to see which newly discovered assets have the vuln, as well as what % of your assets are affected. Simply use the filter: asset.vulnerability.title CONTAINS "cve-2016-6366"

 

Finally, we’re working on a Metasploit module for the exploit as well. Want to see how vulnerable your organization is to EXTRABACON? Download a free trial of our vulnerability scanner today!


Patch Tuesday, September 2016

Posted by anowak Employee Sep 13, 2016

September continues a long running trend with Microsoft’s products where the majority of bulletins (10) address remote code execution (RCE) followed by elevation of privilege (2) and information disclosure (2). All of this month’s critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, Sharepoint as well as Windows (client and server).

 

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.

 

This month Microsoft resolves 94 vulnerabilities across 14 bulletins. For consumers, MS16-104, MS16-105, MS16-106, MS16-107, MS16-115 and MS16-117 are the bulletins to watch out for, addressing 60 vulnerabilities. For server users, MS16-108 is the bulletin to watch out for, addressing 21 vulnerabilities. As pointed out by todb, Senior Research Manager at Rapid7, “This update is of particular interest because it patches eleven remote code execution bugs in Oracle Outside In, a rather massive file format parsing library that ships with Exchange and is responsible for parsing a wide variety of file types…  it looks like the Exchange server itself can be compromised merely by e-mailing the target organization a maliciously crafted file.” Unfortunately, at this time one vulnerability addressed by MS16-104 (CVE-2016-3551) is known to have been exploited in the wild.

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritize your deployment of this month’s updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-104, MS16-105, MS16-106, MS16-107, MS16-108, MS16-116, MS16-117).

 

Don’t Create Blind Spots

As a consultant for a security company like Rapid7, I get to see many of the processes and procedures being used in Vulnerability Management programs across many types of companies. I must admit, in the last few years there have been great strides in program maturity across the industry, but there is always room for improvement. Today I am here to help you with one of these improvements – avoiding asset risk blind spots.

 

One of the more common “broken” processes that I still come across relates to the methods and procedures for managing those assets which are too easily ignored… Excluded Assets. These assets are the “black sheep” of vulnerability and risk management, due to the inability to assess risk on assets you cannot “see.”  There are valid reasons to create asset exclusions, but this must be managed with appropriate process and procedure to avoid creating inadvertent blind spots during your vulnerability assessment.

 

Creating Asset Exclusions

Nexpose provides two options for excluding assets from vulnerability scans. This capability is critical in a mature vulnerability scanning tool because of the requirements of operational and risk management teams. Both options are permanent configurations that allow for persistent asset exclusion. The permanence of these options is where vulnerability management program processes seem to break down, due to the lack of cyclical management and review procedures.

 

Let’s begin by reviewing these asset exclusion configuration options:

 

  1. Global Asset Exclusion: Administration -> Global -> Manage -> Asset Exclusions (Permanent)

[Image: Vulnerability Management Global Asset Exclusions]

  2. Site Asset Exclusion: Site -> Assets -> Exclude (Permanent)

[Image: Vulnerability Management Site Asset Exclusions]

One of the primary reasons that operations teams, system owners, and risk management teams request Nexpose administrators to add certain assets to these exclusions is to address perceived or real availability impacts. During my career in vulnerability management, there have been times during the lifecycle of vulnerability scanning tools in which specific vulnerability tests can cause adverse impacts to certain assets with specific identified vulnerabilities. These asset exclusion options provide a way to avoid these specific impacts.

 

Managing Asset Exclusions

The break in the process is that once an asset (IP address) is placed into these exclusion lists, it is usually not revisited… ever. No, really. Set it, and forget it. Vulnerability management is not like cooking a rotisserie chicken: you can’t just set it and forget it. Mature vulnerability management programs involve cyclical processes of assessment, reporting, remediation/mitigation, and verification (reassessment). I know the question you have now is… “How can we apply that same cyclical process to manage asset exclusions?”

 

Winner, Winner, Chicken Dinner!

Following this 4 step cyclical process can help remove this blind spot in your vulnerability management program caused by unmanaged asset exclusions:

 

  1. Assessment – Identify the asset to be excluded and assess the risk of removing the asset from vulnerability scanning. Ensure that the risk assessment documentation includes the data which resides on the asset, controls that are in place to protect the asset, and the reason that the exclusion request was created.
  2. Reporting – Run periodic reports of all assets which are currently excluded from vulnerability scans, both global and site level exclusions. Ensure that the reason for the exclusion and date the asset was added for exclusion is tracked (excel, database, etc).
  3. Remediation/Mitigation – Identify if the reason given to exclude an asset is something related to specific vulnerability tests in the vulnerability scans. Look into creating a scan template which excludes the specific vulnerability test, and remove the asset from exclusion. You may find that there are “classes” of assets which are impacted by the same (or related) vulnerability tests and these can be managed with a reasonable number of ‘custom’ scan templates.
  4. Verification (Monthly, Quarterly, Annually) – Does this asset still need to be excluded from vulnerability management scans? Apply the same risk assessment provided in step
  • Repeat Step 1

Put It into Practice

Can it get any easier? These simple 4 steps can add a critical process to address the possible “blind spots” that unmanaged asset exclusions can add to your enterprise. Ensuring that your vulnerability management program has a cyclical process to address vulnerability scanning asset exclusions will increase the accuracy of your risk management reporting for your company and reduce the overall risk exposure of unknown vulnerabilities.

 

Example SQL Query:

SELECT ds.name AS site, dst.target AS excluded
FROM dim_site_target AS dst
JOIN dim_site ds USING (site_id)
WHERE included = false
ORDER BY ds.name, dst.target;

 

Output:

site                       excluded
-------------------------  -------------------
Affiliate: Network 1       10.0.0.1-10.0.0.254
Company: CIS Benchmarks    10.0.0.1-10.0.0.254
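The query above tells you what is excluded today; the four-step process needs the reason and date behind each exclusion as well. The following script is an added example (not Rapid7's code) that joins the rows the query returns with a tracking register of the kind step 2 recommends and flags exclusions that are untracked, overdue for verification, or tracked but no longer excluded. The exported rows, the register, and the review cadences are constructed samples.

```python
"""Cyclical review of Nexpose asset exclusions (added example, not Rapid7 code).

Joins the (site, excluded target) rows the SQL Query Export returns with a
tracking register (reason, date added, review cadence) and reports what
needs attention. Both inputs below are constructed samples.
"""
from datetime import date, timedelta

# Constructed: rows as returned by the exclusion query (site, excluded).
EXPORTED_EXCLUSIONS = [
    ("Affiliate: Network 1", "10.0.0.1-10.0.0.254"),
    ("Company: CIS Benchmarks", "10.0.0.1-10.0.0.254"),
    ("Company: CIS Benchmarks", "192.168.5.10"),
]

# Constructed tracking register keyed by (site, target). "review_days" is
# the verification cadence chosen for that exclusion (step 4).
REGISTER = {
    ("Affiliate: Network 1", "10.0.0.1-10.0.0.254"): {
        "reason": "scan test caused an outage on legacy printers",
        "added": date(2015, 3, 2), "review_days": 90},
    ("Company: CIS Benchmarks", "10.0.0.1-10.0.0.254"): {
        "reason": "vendor-managed appliance",
        "added": date(2016, 6, 1), "review_days": 365},
    ("Company: CIS Benchmarks", "172.16.9.0-172.16.9.255"): {
        "reason": "decommissioned lab",
        "added": date(2014, 1, 10), "review_days": 90},
}


def review_exclusions(exported, register, today):
    """Return {(site, target): status} where status is one of
    'untracked' (excluded but no reason/date recorded: assess it, step 1),
    'overdue'   (past its review date: re-verify, step 4),
    'ok'        (tracked and within its review window),
    'stale'     (in the register but no longer excluded: close the record)."""
    result = {}
    exported_set = set(exported)
    for key in exported:
        entry = register.get(key)
        if entry is None:
            result[key] = "untracked"
            continue
        due = entry["added"] + timedelta(days=entry["review_days"])
        result[key] = "overdue" if today > due else "ok"
    for key in register:
        if key not in exported_set:
            result[key] = "stale"
    return result


def review_as_of(today_iso):
    """Run the review against the constructed samples for a given date."""
    return review_exclusions(EXPORTED_EXCLUSIONS, REGISTER,
                             date.fromisoformat(today_iso))


if __name__ == "__main__":
    for (site, target), status in sorted(review_as_of("2016-09-01").items()):
        print(f"{status:10} {site:25} {target}")
```

Feeding the script the real query output (for example a CSV export) and the exclusion register you keep in a spreadsheet or database turns the monthly or quarterly verification step into a short, repeatable report.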

 

Want to help improve Asset Exclusion management in Nexpose?

 

Rapid7 offers a way for customers and clients to provide feedback on product “IDEAS” through our IDEA Portal on our Support site. It is an interactive process involving posting an idea, promoting it through “up voting”, and then finally having it included into the product through a release. An Idea has been submitted for this very topic and it can be found at the following link:

https://rapid7support.force.com/customers/ideas/viewIdea.apexp?id=087140000003FG O [customer login required]. Don’t have a login? Use the comments on this blog to share your thoughts.

 

If you would like to see us include an improvement in our vulnerability scanner to address this process in your Vulnerability Management program, spread the word and UpVote the Idea!

Vulnerabilities are not created equal, not when there are so many dependencies, not only around the vuln itself but its applicability to your business. Sure, CVSS helps, a little, but ultimately what it has left us all with is a long list of 9s and 10s (or ‘high’ alerts) and zero visibility into what to actually fix first. Ideally your vulnerability management program is prioritizing vulnerabilities by business impact, not just CVSS.

 

In 2009 Rapid7 acquired Metasploit because we knew it was important to not only test attacker methods on your own systems to uncover security issues, but to understand attacker behavior and mentality. Metasploit not only helps companies think like the attacker, but ultimately it helps Rapid7 Nexpose bring that same mentality to vulnerability management. This expertise in the attacker mindset has allowed our customers to build vulnerability management programs that prioritize risk by the likelihood of exploitability, not just prioritizing risk by a generic risk score.

 

Which Vulnerabilities Will an Attacker be Excited to See?

 

After the Metasploit acquisition, we decided to do something unique with our risk score – focus on its relative danger to actually being used in an attack. Essentially, which vulnerabilities would an attacker be excited to see? These are the ones you want to fix first! (Bummed out hackers are good hackers.)

 

As a refresher, our risk score is 1-1000 (much more granular than CVSS) and because of Metasploit and our attacker mentality it is based on the following:

  • CVSS Score
  • Malware exposure – what malware kits have been written for this vuln?
  • Exploit exposure – what exploits have been written, and how easy are they to use (bonus points for being in Metasploit!)
  • Age – If a vuln came out in 1999, that’s a lot more time for bad guys to play with it and figure out ways to use it

 

Nexpose users now get a prioritized list of vulnerabilities that are truly the most important to fix first, while vulnerabilities that might carry a high CVSS score in a passive scanning tool are moved later in the list because they simply would not easily be used in an attack. The way our customers say it, “Fix the most vulnerable vulnerabilities first!”

 

 

When a 7.5 is Higher than a 9

It’s been seven years since we introduced our vulnerability scoring methodology to the vulnerability management industry and now there’s ample evidence supporting the method - beyond the thousands of Nexpose customers - notably a research study done by Dan Geer and Michael Roytman that showed if a vulnerability has a Metasploit exploit available for it, it is much more likely to be used in an attack.

 

We can also see evidence in our own data. Take this vulnerability for instance:

[Image: CIFS vuln Metasploit - recreate2.PNG]

This default password vuln got a CVSS score of 7.5; high, but certainly not a 9 or 10. Yet, it’s a lot nastier than that score implies; it was discovered in 1996, giving attackers plenty of time to come up with ways to use it.

 

And if you click on the Metasploit symbol you can see attackers have plenty of exploit kits available for these vulnerabilities:

If an attacker saw this vulnerability during reconnaissance, they’d have a whole menu of free tools to take advantage of it; why would they waste their time on a new CVSS 10 when the keys have already been crafted for them? Hence, our risk score for this vuln is 904, higher than quite a few CVSS 10s.

 

The bottom line? If you were going just by CVSS, this easy-to-exploit vulnerability would have been lost in the pile.

 

How is your vulnerability management program going beyond CVSS to prioritize vulnerabilities? Let us know in the comments, and if you haven’t yet, give Nexpose a spin!

 

Want to see Nexpose in action? Check out this on-demand demo!

The new version of Reporting Data Model (1.3.1) allows Nexpose users to create CSV reports providing information about credential status of their assets, i.e. whether credentials provided by the user (global or site specific) allowed successful login to the asset during a specific scan.

 

Credential Status Per Service

The new Reporting Data Model version contains fact_asset_scan_service enhanced with the new column containing the information about credential status for an asset per service during the particular scan. Credential status information is provided for five services: SNMP (version 1, 2c and 3), SSH, Telnet, CIFS and DCE Endpoint Resolution.

For these services the following credential statuses can be reported:

 

Credential status                  Relevant services
---------------------------------  ------------------------------------------------
No credentials supplied            SNMP, SSH, Telnet, CIFS, DCE Endpoint Resolution
Login failed                       SNMP, SSH, Telnet, CIFS, DCE Endpoint Resolution
Login successful                   SNMP, SSH, Telnet, CIFS, DCE Endpoint Resolution
Allowed elevation of privileges    SSH
Root                               SSH and Telnet
Login as local admin               CIFS, DCE Endpoint Resolution

 

The newly added dimension dim_asset_service_credential can be used to report on the most recent credential statuses asserted for services on an asset in the last scan performed on this asset.

Both fact_asset_scan_service and dim_asset_service_credential can be joined with the newly added dim_credential_status which provides the above statuses in a human readable form. Examples of queries which can be used to report the credential status per asset per service can be found in the document listed at the bottom.

 

Credential status across services

Nexpose users can now create reports providing the snapshot of credential statuses for an asset, i.e. information about credential status for an asset aggregated across all services discovered in the scan. The newly enhanced fact_asset and fact_asset_scan now report the following statuses:

 

Credential status                  Description
---------------------------------  -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
No credentials supplied            One or more services for which credential status is reported were detected in the scan, but there were no credentials supplied for any of them.
All credentials failed             One or more services for which credential status is reported were detected in the scan, and all credentials supplied for these services failed to authenticate.
Credentials partially successful   At least two of the four services for which credential status is reported were detected in the scan, and for some services the provided credentials failed to authenticate, but for at least one there was a successful authentication.
All credentials successful         One or more services for which credential status is reported were detected in the scan, and for all of these services for which credentials were supplied, authentication with the provided credentials was successful.
N/A                                None of the five applicable services (SNMP, SSH, Telnet, CIFS, DCE Endpoint Resolution) were discovered in the scan.

 

Both these facts can be joined with the new dim_aggregated_credential_status which provides the above statuses in a human readable form. For examples of queries please refer to the following document:
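To make the aggregation rules in the two tables above concrete, here is an added example (not Nexpose code) that re-implements them in Python: it validates that each per-service status is one the service can actually report, then rolls the per-service results up into the asset-level status. The service and status names are the ones the post lists; the sample scan results are constructed.

```python
"""Aggregate per-service credential statuses into the asset-level status.

Added example, not Nexpose code: it re-implements the rules in the two
tables above so the edge cases are explicit. Service and status names are
the ones the post lists; the scan results below are constructed.
"""

SERVICES = ("SNMP", "SSH", "Telnet", "CIFS", "DCE Endpoint Resolution")

NO_CREDENTIALS = "No credentials supplied"
LOGIN_FAILED = "Login failed"
LOGIN_SUCCESSFUL = "Login successful"
ALLOWED_ELEVATION = "Allowed elevation of privileges"
ROOT = "Root"
LOCAL_ADMIN = "Login as local admin"

# Which services may report each status (first table above).
VALID_FOR = {
    NO_CREDENTIALS: set(SERVICES),
    LOGIN_FAILED: set(SERVICES),
    LOGIN_SUCCESSFUL: set(SERVICES),
    ALLOWED_ELEVATION: {"SSH"},
    ROOT: {"SSH", "Telnet"},
    LOCAL_ADMIN: {"CIFS", "DCE Endpoint Resolution"},
}

# Every status other than "no credentials" and "login failed" is a login
# that worked, possibly with extra privilege.
SUCCESS_STATUSES = {LOGIN_SUCCESSFUL, ALLOWED_ELEVATION, ROOT, LOCAL_ADMIN}


def is_valid(service, status):
    """True if the status is one a scan can report for that service."""
    return service in VALID_FOR.get(status, set())


def aggregate_credential_status(per_service):
    """per_service maps each service detected in the scan to its credential
    status; services that were not detected are simply absent. Services
    outside the five that carry credential status are ignored."""
    detected = {s: st for s, st in per_service.items() if s in SERVICES}
    for service, status in detected.items():
        if not is_valid(service, status):
            raise ValueError(f"{status!r} cannot be reported for {service}")
    if not detected:
        return "N/A"
    supplied = [st for st in detected.values() if st != NO_CREDENTIALS]
    if not supplied:
        return "No credentials supplied"
    successes = sum(1 for st in supplied if st in SUCCESS_STATUSES)
    failures = len(supplied) - successes
    if successes and failures:
        return "Credentials partially successful"
    if successes:
        return "All credentials successful"
    return "All credentials failed"


# Constructed scan results for a few assets.
SAMPLE_SCANS = {
    "web-01": {"SSH": ROOT, "SNMP": NO_CREDENTIALS},
    "file-02": {"CIFS": LOCAL_ADMIN, "SSH": LOGIN_FAILED},
    "printer-03": {"SNMP": LOGIN_FAILED, "Telnet": LOGIN_FAILED},
    "switch-04": {"SNMP": NO_CREDENTIALS},
    "lb-05": {"HTTP": LOGIN_SUCCESSFUL},  # HTTP carries no credential status
}

if __name__ == "__main__":
    for asset, scan in SAMPLE_SCANS.items():
        print(f"{asset:12} {aggregate_credential_status(scan)}")
```

Note that a service with no credentials supplied never counts against the asset: web-01 comes out as "All credentials successful" even though SNMP was unauthenticated, which is worth remembering when you read the aggregated column as a measure of scan coverage.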

 

SQL Query Export Example: Credential status

We build Nexpose to help security practitioners get from find to fix faster. With the launch of Nexpose Now, Rapid7 delivered Liveboards to help you know what's weak in your world right now. Liveboards combine your live threat exposure data, powerful analytics and intuitive querying so you can spend less time compiling data, and more time improving your security program. Liveboards, powered by the Rapid7 Insight Platform, continuously deliver improvements from our engineers to your fingertips and without maintenance effort on your part.

 

We know it’s hard to keep up with change, so we'll be sharing tips, tricks and new capabilities in right-sized blog posts. In this post, you'll learn one way Liveboards can do heavy lifting for you: customizing and tailoring your dashboards to match your world.

 

Time for some action

Nexpose Now Liveboards provide visibility into what is weak and the power to dive into your data, enabling you to take action. Dozens of built-for-purpose Cards are available in Liveboards with more being released on a regular basis. Cards help you focus on what matters in an easy to understand and easy to act on form. Spending less time in Excel pivot tables means more time on the actual work of driving remediation.

 

[Image: Rapid7_Exposure_Analytics_threecards.png]

 

Consider the three Cards above. Driving Assets with Expired SSL Certificates to zero is a worthy goal, as is minimizing Assets Running Obsolete Software. But, these metrics may require refinement before taking action in your organization. If your remediation teams work on a site-by-site basis, understanding the percentage of assets running obsolete operating systems is interesting but not sufficient to drive remediation. When you're trying to get to fix faster, getting to action in your remediation teams is critical. We could help our cause by breaking down our data into parcels the remediation teams understand.

 

Dig a bit deeper by clicking on the Expand Card link and we're immersed in Asset data. Some remediation teams have ownership of Assets of a specific operating system type. An easy way to start is by narrowing down by OS family.

 

[Image: assets-by-os-custom-query.gif]

 

That query looks useful! Since you've spent time crafting it, maybe you want to save it and use it again later? Here I show how to save a query called "FreeBSD Assets" and then create a copy of the Assets Running Obsolete OS Card but only for FreeBSD Assets.

 

[Image: assets-by-os-custom-query-save.gif]

 

Repeat this process for each of the OSes supported in your organization and you arrive at a powerful comparison. Here we see percentages of Assets running obsolete operating systems by OS family. With this view, you can quickly see differences and get a much better sense of what is weak: perhaps the Solaris systems need some attention.

 

[Image: comparecontrast.png]

 

Do you want more?

Give this technique a try with your own data. I used a simple example of filtering by OS, but you can easily build refined queries and Cards to make Nexpose work for you. Some other ideas you could try:

  • Compare KPI on new assets discovered across Sites or Asset Groups
  • Create individual Dashboards for individual teams or Sites

Let us know if you find useful ways to compare and share them here.

 

Nathan Palanov

In July, we added National Institute of Standards and Technology (NIST) Special Publication 800-53r4 controls mappings to version 2.0.2 of the reporting data model for SQL Query Export reports. NIST 800-53 is a publication that develops a set of security controls standards that are designed to aid organizations in protecting themselves from an array of threats.

 

What does this mean for you? Well, now you can measure your compliance against these controls by writing SQL queries. For example, say you want to know how many assets fail or comply with a certain control:

SELECT ncm.control_name,
       SUM(fr.noncompliant_assets) AS noncompliant_assets,
       SUM(fr.compliant_assets) AS compliant_assets
FROM fact_policy_rule fr
   JOIN dim_policy_rule_cce_platform_nist_control_mapping ncm ON ncm.rule_id = fr.rule_id AND ncm.rule_scope = fr.scope
WHERE ncm.control_name LIKE 'AC-%'
GROUP BY ncm.control_name
ORDER BY ncm.control_name ASC

 

[Image: Screen Shot 2016-08-01 at 2.07.36 PM.jpg]

 

Or this example shows how you can list your least compliant policy rules (most failed assets) and which CCEs and controls they map to:

SELECT p.title AS policy_name,
       dpr.title AS rule_name,
       ncm.cce_item_id,
       ncm.control_name,
       fr.noncompliant_assets,
       fr.compliant_assets
FROM fact_policy_rule fr
   JOIN dim_policy_rule dpr USING (rule_id, scope, policy_id)
   JOIN dim_policy p USING (policy_id, scope)
   JOIN dim_policy_rule_cce_platform_nist_control_mapping ncm ON ncm.rule_id = fr.rule_id AND ncm.rule_scope = fr.scope
ORDER BY fr.noncompliant_assets DESC

 

[Image: Screen Shot 2016-08-01 at 1.52.02 PM.jpg]

You can learn more about SQL Query Export here and Nexpose's built-in policy reports here.
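One step beyond the two queries above is a compliance percentage per control family (AC, AU, ...). The catch is that a single rule can map to several controls in the same family, so a naive SUM over the mapping join counts that rule's assets once per mapping. The following added example (not Rapid7's code or documentation) builds the two tables the first query joins, with the columns that query uses, in an in-memory SQLite database with constructed rows, and compares the naive roll-up with one that collapses the mapping to one row per rule and family first. SQLite's substr/instr stand in for the PostgreSQL string functions you would use in a real SQL Query Export report.

```python
"""Compliance percentage per NIST 800-53 control family.

Added example, not Rapid7's code. Builds the reporting-model tables the
post's first query joins (same column names) in SQLite with constructed
rows and compares a naive roll-up against one that counts each rule once
per family.
"""
import sqlite3

SCHEMA = """
CREATE TABLE fact_policy_rule (
    policy_id INTEGER, rule_id INTEGER, scope TEXT,
    compliant_assets INTEGER, noncompliant_assets INTEGER);
CREATE TABLE dim_policy_rule_cce_platform_nist_control_mapping (
    rule_id INTEGER, rule_scope TEXT, cce_item_id TEXT, control_name TEXT);
"""

# Constructed rows. Rule 101 is mapped to two AC controls, which is what
# makes the naive roll-up double count its assets.
FACT_ROWS = [(1, 101, "Custom", 8, 2),
             (1, 102, "Custom", 5, 5),
             (1, 103, "Custom", 2, 8)]
MAPPING_ROWS = [(101, "Custom", "CCE-0001-0", "AC-2"),
                (101, "Custom", "CCE-0001-0", "AC-7"),
                (102, "Custom", "CCE-0002-0", "AU-2"),
                (103, "Custom", "CCE-0003-0", "AC-3")]

# Family is the part of control_name before the hyphen ("AC-2" -> "AC").
NAIVE_QUERY = """
SELECT substr(ncm.control_name, 1, instr(ncm.control_name, '-') - 1) AS family,
       SUM(fr.compliant_assets) AS compliant_assets,
       SUM(fr.noncompliant_assets) AS noncompliant_assets,
       ROUND(100.0 * SUM(fr.compliant_assets)
             / (SUM(fr.compliant_assets) + SUM(fr.noncompliant_assets)), 1) AS pct_compliant
FROM fact_policy_rule fr
JOIN dim_policy_rule_cce_platform_nist_control_mapping ncm
  ON ncm.rule_id = fr.rule_id AND ncm.rule_scope = fr.scope
GROUP BY family
ORDER BY family
"""

# Collapse the mapping to one row per (rule, family) first so a rule that
# maps to several controls in the same family is counted once.
DEDUPED_QUERY = """
WITH rule_family AS (
    SELECT DISTINCT rule_id, rule_scope,
           substr(control_name, 1, instr(control_name, '-') - 1) AS family
    FROM dim_policy_rule_cce_platform_nist_control_mapping)
SELECT rf.family,
       SUM(fr.compliant_assets) AS compliant_assets,
       SUM(fr.noncompliant_assets) AS noncompliant_assets,
       ROUND(100.0 * SUM(fr.compliant_assets)
             / (SUM(fr.compliant_assets) + SUM(fr.noncompliant_assets)), 1) AS pct_compliant
FROM fact_policy_rule fr
JOIN rule_family rf ON rf.rule_id = fr.rule_id AND rf.rule_scope = fr.scope
GROUP BY rf.family
ORDER BY rf.family
"""


def compliance_by_family(dedupe=True):
    """Return [(family, compliant, noncompliant, pct_compliant), ...]."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO fact_policy_rule VALUES (?,?,?,?,?)", FACT_ROWS)
    conn.executemany(
        "INSERT INTO dim_policy_rule_cce_platform_nist_control_mapping VALUES (?,?,?,?)",
        MAPPING_ROWS)
    rows = [tuple(r) for r in conn.execute(DEDUPED_QUERY if dedupe else NAIVE_QUERY)]
    conn.close()
    return rows


if __name__ == "__main__":
    print("naive  :", compliance_by_family(dedupe=False))
    print("deduped:", compliance_by_family(dedupe=True))
```

With the constructed rows the naive query reports AC at 60% compliant and the deduplicated one at 50%, because rule 101's eight compliant assets are counted twice in the first. The same caveat applies to the post's first query whenever you aggregate above the individual control.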


Patch Tuesday, August 2016

Posted by anowak Employee Aug 9, 2016

August continues an ongoing trend with Microsoft’s products: the majority of bulletins (5) address remote code execution (RCE), followed by elevation of privilege (2), security feature bypass (1) and information disclosure (1). All of this month’s critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps, Sharepoint as well as Windows (client and server).

 

Looking back at the last year of security bulletins, a resounding trend has emerged and continues to be prominent; the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors, consumers.

 

This month Microsoft resolves 27 vulnerabilities across 9 bulletins. For consumers, MS16-095, MS16-096, MS16-097 and MS16-102 are the bulletins to watch out for, addressing 14 vulnerabilities. For server users, no particular bulletin draws immediate attention, enabling the majority of server admins to roll out patches at a fairly leisurely pace. Fortunately, at this time no vulnerabilities are known to be publicly disclosed or to have been exploited in the wild.

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritize your deployment of this month’s updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-095, MS16-096, MS16-097, MS16-099 and MS16-102).

 

This blog shows how to use the power of LogEntries Search and Analytics to monitor your Nexpose installation. LogEntries has joined the Rapid7 family and offers several powerful capabilities to search, analyze, monitor and alert on your Nexpose installation. LogEntries is also super easy to set up and maintain. I spent about five minutes getting it running. The Nexpose engineering team made it very easy by enabling the log4j appender in every installation of Nexpose. All you have to do is follow these steps to get up and running.

 

Set up your free trial

Set up a free trial on LogEntries (https://logentries.com/) by clicking on the "Start a Free Trial" button:

[Image: createaccount.png]

 

Generate tokens for system logging

You can create logging tokens by clicking on "Add a Log", choosing the "Java" icon in the "Libraries" section, and then clicking on "Create Log Token" at the bottom of the screen. Create as many tokens as you want appenders (see next step). You can have an appender for every Nexpose log if you want:

 

[Image: addalog.png]

[Image: createlogtoken.png]

Configure Nexpose Logging

In your Nexpose installation, copy the logentries appenders from the console's logging configuration located in /opt/rapid7/nexpose/nsc/conf/logging.xml (near the bottom of the file) and paste them into the user-log-settings.xml file in the same directory. Make sure to replace ${logentries-*-token} with the actual token from the Logentries account you created above. Each appender can have its own token so the logs can be tracked as different logs in Logentries. Here is an example:

 

  <appender name="le-nsc" class="com.logentries.logback.LogentriesAppender">
    <Token>123725d5-10df-4aa7-b683-3e8c71251b2c</Token>
    <Debug>False</Debug>
    <Ssl>False</Ssl>
    <facility>USER</facility>
    <encoder>
      <pattern>${logFormat}</pattern>
    </encoder>
  </appender>

 

 

Unlock the power of LogEntries

Restart Nexpose and you will see logs flowing into your LogEntries account. Now you can start using all the great features of LogEntries including Live Tail, Saved Queries, Alerts, and Tagging to manage your Nexpose console. Here are some examples:
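Before restarting, it is worth checking the edited file: a placeholder token that was never replaced just means silence in LogEntries, Ssl left at False means console logs travel in clear text, and two appenders sharing a token end up mixed into one log. The Python script below is an added example, not code from the original post, from Nexpose or from LogEntries. It parses a user-log-settings.xml and reports all three problems; the embedded configuration is a constructed sample, and the <included> root element is an assumption about how the file is laid out.

```python
"""Lint the Logentries appenders in a Nexpose user-log-settings.xml.

Added example: not code from the original post, Nexpose or LogEntries.
It reads the logback-style XML, finds every Logentries appender and flags
(1) token placeholders that were never replaced, (2) Ssl left at False and
(3) the same token used by more than one appender.  The configuration
below is a constructed sample; the <included> root element is an assumption.
"""
import re
import sys
import xml.etree.ElementTree as ET

LOGENTRIES_CLASS = "com.logentries.logback.LogentriesAppender"
# A real log token is a UUID; ${logentries-nsc-token} style placeholders are not.
TOKEN_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample: one correctly filled-in appender with SSL off, and one
# whose token placeholder was left behind.
SAMPLE_CONFIG = """<included>
  <appender name="le-nsc" class="com.logentries.logback.LogentriesAppender">
    <Token>123725d5-10df-4aa7-b683-3e8c71251b2c</Token>
    <Debug>False</Debug>
    <Ssl>False</Ssl>
    <facility>USER</facility>
    <encoder><pattern>${logFormat}</pattern></encoder>
  </appender>
  <appender name="le-auth" class="com.logentries.logback.LogentriesAppender">
    <Token>${logentries-auth-token}</Token>
    <Debug>False</Debug>
    <Ssl>True</Ssl>
    <facility>USER</facility>
    <encoder><pattern>${logFormat}</pattern></encoder>
  </appender>
</included>
"""


def check_logentries_appenders(xml_text):
    """Return a list of (appender name, problem) tuples; an empty list means clean."""
    root = ET.fromstring(xml_text)
    problems = []
    seen_tokens = {}  # token -> name of the first appender that used it
    for appender in root.iter("appender"):
        if appender.get("class") != LOGENTRIES_CLASS:
            continue  # file appenders and friends are not our concern here
        name = appender.get("name", "<unnamed>")
        token = (appender.findtext("Token") or "").strip()
        if not TOKEN_RE.match(token):
            problems.append((name, f"token not replaced: {token!r}"))
        elif token in seen_tokens:
            problems.append((name, f"token already used by appender {seen_tokens[token]!r}"))
        else:
            seen_tokens[token] = name
        ssl = (appender.findtext("Ssl") or "False").strip().lower()
        if ssl != "true":
            problems.append((name, "Ssl is not True: log data would be sent in clear text"))
    return problems


def main(path=None):
    """Lint the given file, or the embedded sample when no path is supplied."""
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    problems = check_logentries_appenders(text)
    for name, problem in problems:
        print(f"{name}: {problem}")
    if not problems:
        print("no problems found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python lint_logentries.py /opt/rapid7/nexpose/nsc/conf/user-log-settings.xml` before the restart; a non-zero exit means something still needs fixing.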

 

Initial Log View

This view will appear as soon as you click on the Log Set that you want to view. In my case, "Demo Set" is the log set that I used when creating my account and hooking up Nexpose. From here you can search and filter to find log entries of interest:

 

viewthelog.png

 

Live Tailing

Live Tailing is a great feature that allows you to debug or monitor issues as they are happening:

 

livetail.png


Creating Tags and Alerts

Tags and alerts allow you to label specific log lines based on regular expressions and also alert if anomalies occur:

alert.png

Wrap Up

Also check out how to do the same thing with Metasploit Pro in Securing Your Metasploit Logs. I hope you have found this helpful and please share any feedback such as alerts, dashboards, or other useful tips and tricks that you have found when using Nexpose with LogEntries.

In any vulnerability management program, defenders are always racing against time to identify new exposures and get the latest data. The recent Nexpose Now release made this easier than ever in Nexpose, but active scans will always remain important. Over the past quarter, we’ve made major strides in improving our scan engine performance so that customers can get the data and the fixes they need fast enough to keep up with the bad guys.

 

The Process

This upgrade is made up of several tweaks and updates we’ve made over the last few months.

 

It all started in May, when we shipped an enhancement to our scan engine that reduced scan-time memory utilization by 10x. This allowed us to run scans with 50 threads on a 4GB scan engine. In some instances, we had success running 100 threads on a 4GB scan engine (the default for scan templates is 10 threads).

i feel the need.gif

Throughout June, we focused on improving scan performance and multi-core utilization. While we initially improved scan times by another 2x, there was obviously more work to do: an engine pool of 5 engines each scanning with 10 threads took 1 hour to scan our lab, and although a single engine with 50 threads should perform the same, it was taking 6 hours. The investigation revealed several inefficiencies in the threaded call manager, which we rewrote to give a 3x increase in scan performance.

 

Finally, local rock stars Aneel Dadani and Erik Castellanos identified a strange behavior associated with how our content describes Microsoft supersedence relationships that resulted in a considerable amount of additional scan log data. Fixing this resulted in a 3x reduction in scan log size, and thus improved scan performance another 2.5x!

 

 

The Results

After all these improvements, the results were impressive: for our Windows lab, comprised of about 460 Windows assets of different versions, service pack levels, and configurations, scan times improved by as much as 10x, going from 12 hours to just 1 hour and 20 minutes. Just as impressive is the fact that these scans were done with a 4GB engine running 50 threads, something that used to take customers 16GB or 64GB engines to even attempt! This will make it much easier for our customers to tweak and speed up their scan performance (and finally put to bed some of the false rumors our competitors have been spreading about our scan performance for years).

 

for speed.gif

Have you noticed the performance improvements over the last month? Do you have ways we can continue to improve scanning efficiency? Let us know, and of course, if you haven’t taken Nexpose for a whirl yet, be sure to download a trial today!

 

Early scan (~5 hours 30 minutes):

Final scan (~1 hour 20 minutes):


Patch Tuesday, July 2016

Posted by anowak Employee Jul 12, 2016

July continues an ongoing trend with Microsoft’s products where the majority of bulletins (6) address remote code execution (RCE), followed by information disclosure (2), security feature bypass (2) and elevation of privilege (1). All of this month’s 'critical' bulletins address remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps, SharePoint as well as Windows (client and server).

 

Looking back at the last year of security bulletins, a resounding trend has emerged and continues to be prominent; the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors, consumers.

 

This month, Microsoft resolves 40 vulnerabilities across 11 bulletins.

Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, one vulnerability each from MS16-092 and MS16-094 is known to be publicly disclosed (CVE-2016-3272 and CVE-2016-3287 respectively).

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to execute code remotely with the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritize your deployment of this month’s updates. At a minimum, ensure you patch systems affected by the critical bulletins (MS16-084, MS16-085, MS16-086, MS16-087, MS16-088 and MS16-093).

Auditing your systems for compliance with secure configuration policies like CIS, DISA STIGs, and USGCB is an important part of any effective security program, not to mention a requirement of many industry and regulatory compliance regimes like PCI DSS and FISMA. With Nexpose, you can automate this assessment using our Policy Manager feature.

 

Back in March we launched two brand new policy report templates, Policy Rule Breakdown Summary and Top Policy Remediations, to help organizations understand how compliant their assets are and actions to take to improve their compliance posture. You can read more about these reports here.

 

After receiving lots of great feedback, we’ve added two more policy reports in the latest version of Nexpose: Policy Details and Top Policy Remediations with Details. These provide additional information like policy rules, test results, and step-by-step remediation instructions so you can drill into the details and take control of your compliance program.

 

The new Policy Details report is useful for understanding exactly what’s going on with each asset - which rules are failing, the reasons why, and how you can fix it. The report is divided by asset, with the overall compliance score for the asset at the top. Run this report when you want to deep-dive into the configuration settings of your systems.

pjimage.jpg

The new Top Policy Remediations with Details report expands on the report released in March by adding step-by-step instructions for each remediation and a list of the affected assets. With both Top Policy Remediations reports, the recommendations are prioritized for the greatest impact on improving compliance across all your assets and you can change the number of recommendations shown, e.g. change Top 25 to Top 10, to meet your needs. This report is perfect for communicating what needs to be fixed to your IT Operations team.

pjimage (1).jpg

We have lots more enhancements to Policy Manager coming soon, so stay tuned for more!

Recently I've been diving into some advanced and targeted analysis features. Today I'd like to keep things simple while still addressing a significant use case - Vulnerability Regression. Often times the immediate response to high visibility vulnerabilities does not involve setting up future monitoring, leaving the door open for the same vulnerabilities to show back up time and again.

 

[RELATED: Vulnerability Regression Monitoring [VIDEO] | Rapid7  ]

 

The Immediate Response - AKA Fire Drill

Sooner or later, for better or worse, everyone hits a fire drill.  You probably know the situation - late nights, high pressure, and a lot of leadership visibility.  It's a find-fix scramble under a microscope, and it's no fun.  Some slightly dated examples (more on that later) include: Shellshock, Heartbleed, and, for those of you with air-gapped networks, BadUSB.

 

My question is - what happens when the smoke clears?  Everyone takes a deep breath, some pats on the back, a cold beverage or two, maybe even a day off to recuperate before post-mortem reporting begins.  Unfortunately, when the immediate response ends is often when the real visibility gap begins.

 

The Regression

Over time these vulnerabilities have a way of reappearing.  Maybe an old system gets booted up when it was supposed to be deprecated, or maybe a new system gets rolled out with some old software installed on it.  One way or another, older, high-visibility vulnerabilities can come creeping back into the network.  I picked these examples intentionally, because I still see them in the field after all this time; I even see them in environments where a fire drill was run and considered a complete success.

 

Regression Monitoring

Without ongoing monitoring for regressions, any immediate response action is inherently a point-in-time fix and not a systematic remediation or root-cause resolution.  The idea of regression testing has been around for quite some time in the development world, and I think there's a huge value to applying that same concept in the security world.  Here's a quick example of how to set up a basic Heartbleed regression check in Nexpose:

 

Create a Dynamic Asset Group (you'll notice a trend - I use DAGs a lot, they are pretty neat):

 

TargetedAnalysis1.png

 

Set up a filter for "Heartbleed" based on Vulnerability Title:

 

VulnerabilityRegression2.png

 

 

Click 'Search' and then 'Create Asset Group' as per usual.  If you create a Dynamic Asset Group the group membership will automatically be updated each time you run a new scan.
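The Dynamic Asset Group above is a single-vulnerability filter that the console re-evaluates after every scan. The Python below is an added example, not code from the original post or from Nexpose, of the same regression idea generalized to a watch list: it takes the assets that were cleaned up during a fire drill plus the findings of the latest scan, and separates true regressions (a fixed asset showing the vulnerability again) from new exposures (an asset that was never part of the fix, such as an old box booted back up). The asset names and findings are constructed sample data, and the titles are illustrative rather than Nexpose's exact vulnerability titles.

```python
"""Regression check for high-visibility vulnerabilities across scan snapshots.

Added example: not code from the original post or from Nexpose.  It applies
the regression-testing idea to scan data: a watch list of title patterns
(the same thing the Dynamic Asset Group filters on), the assets each fire
drill cleaned up, and the latest scan's findings.  All data below is a
constructed sample; the vulnerability titles are illustrative only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str       # hostname or IP as reported by the scan
    vuln_title: str  # vulnerability title as shown in the console


# Watch list: name -> regular expression applied to the vulnerability title,
# i.e. the "Vulnerability Title contains ..." filter of the DAG.
WATCH_LIST = {
    "Heartbleed": r"heartbleed",
    "Shellshock": r"shellshock",
}

# Assets that were patched or decommissioned during each fire drill (constructed).
FIRE_DRILL_FIXED = {
    "Heartbleed": {"web01.example.local", "web02.example.local", "vpn01.example.local"},
    "Shellshock": {"web01.example.local", "fs01.example.local"},
}

# Findings from the latest scan (constructed sample data).
LATEST_SCAN = [
    Finding("web01.example.local", "OpenSSL TLS Heartbeat Extension Memory Disclosure (Heartbleed)"),
    Finding("db03.example.local", "OpenSSL TLS Heartbeat Extension Memory Disclosure (Heartbleed)"),
    Finding("web02.example.local", "HTTP TRACE Method Enabled"),
    Finding("fs01.example.local", "GNU Bash Environment Variable Command Injection (Shellshock)"),
]


def assets_matching(findings, title_pattern):
    """Assets with at least one finding whose title matches the pattern."""
    rx = re.compile(title_pattern, re.IGNORECASE)
    return {f.asset for f in findings if rx.search(f.vuln_title)}


def find_regressions(remediated_assets, findings, title_pattern):
    """Split affected assets into (regressed, new_exposures), both sorted lists.

    regressed: assets the fire drill fixed that now show the vulnerability again.
    new_exposures: affected assets that were never part of the fix, e.g. a
    forgotten system booted back up or a fresh build with old software.
    """
    affected_now = assets_matching(findings, title_pattern)
    remediated = set(remediated_assets)
    return sorted(affected_now & remediated), sorted(affected_now - remediated)


def regression_report(fixed_by_name, findings, watch_list=WATCH_LIST):
    """Run every watch-list entry; returns {name: (regressed, new_exposures)}."""
    return {
        name: find_regressions(fixed_by_name.get(name, ()), findings, pattern)
        for name, pattern in watch_list.items()
    }


if __name__ == "__main__":
    for name, (regressed, new) in regression_report(FIRE_DRILL_FIXED, LATEST_SCAN).items():
        print(f"{name}: regressed={regressed} new={new}")
```

The split matters for the post-mortem: a regression points at a broken remediation or change-control process, while a new exposure points at inventory gaps, and each deserves a different conversation with the owning team.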

 

Conclusion - More Success!

There you have it - a simple, easy way to set up regression monitoring for high visibility vulnerabilities.  Go on and set up a few of these - you might just be surprised what you find!

 

For those of you who want something a bit broader than single vulnerability searching, check out my piece on the usage and value of Vulnerability Categories.


Update Tuesday, June 2016

Posted by anowak Employee Jun 14, 2016

June continues an ongoing trend with Microsoft’s products where the majority of bulletins (7) address remote code execution (RCE), with elevation of privilege a close second (6); the remaining three address information disclosure (2) and denial of service (1). All critical bulletins address remote code execution vulnerabilities affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps as well as Windows (client and server). However, this month is missing resolutions for Adobe Flash issues; Adobe has recognized CVE-2016-4171 as being exploited in the wild (APSA16-03), but no solution is presently available.

 

Looking back at the last year of security bulletins, a resounding trend has emerged and continues to be prominent; the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors, consumers/end-users.

 

This month Microsoft resolves 36 vulnerabilities across 16 bulletins, with MS16-063, MS16-068, MS16-069, MS16-070 and MS16-080 as the bulletins to watch out for, addressing 21 vulnerabilities between them. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, one vulnerability from MS16-068 is known to be publicly disclosed (CVE-2016-3222).

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to execute code remotely with the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, ensure you patch systems affected by the critical bulletins (MS16-063, MS16-068, MS16-069, MS16-070 and MS16-071).

 

Resolved Vulnerability Reference:
