Posts by Rapid7

10 min Komand

Investigating Our Technology — Internet of Things or Internet of Threats?

One cold winter afternoon as I sat in my office, cursing the air several degrees warmer around me due to slow internet connectivity, I thought to take a look at exactly the issue was. I had recently installed a new system of wireless access points which should be blanketing the entire house with a strong enough signal to make the air glow well out into the yard. I logged into the controller for the APs, which helpfully provided all manner of statistics regarding the different devices connected,

5 min Komand

Malware Incident Response Steps on Windows, and Determining If the Threat Is Truly Gone

Malware can be a sneaky little beast. Once it's on your computer or network, it may be hard to detect unless you're explicitly looking for it. When dealing with malware, it is extremely important to not only know the signs to look for, but also how to stop malware in a timely manner to reduce the spread of infection in the event that it's detected. Malware can spread pretty quickly, especially in a corporate environment where company-wide email is used as the primary method of communication and

4 min Automation and Orchestration

Cybersecurity exercises – benefits and practical aspects (part 2 of 2)

Synopsis In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” I reviewed incident response life cycle [/2017/01/11/introduction-to-incident-response-life-cycle-of-nist-sp-800-61/] defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide. Before I move on to discuss ISO/IEC 27035 standard, I believe it is interesting to discuss shortly how cybersecurity exercises can help prepare to handle incidents. Cybersec

4 min Automation and Orchestration

Cybersecurity exercises – benefits and practical aspects (part 1 of 2)

Synopsis In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” I reviewed incident response life cycle [/2017/01/11/introduction-to-incident-response-life-cycle-of-nist-sp-800-61/] defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide. Before I move on to discuss ISO/IEC 27035 standard, I believe it is interesting to discuss shortly how cybersecurity exercises can help prepare to handle incidents. Cybersec

4 min Automation and Orchestration

Cybersecurity Information Sharing - European Perspective (part 1 of 2)

Synopsis In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” we already reviewed incident response life cycle [https://www.rapid7.com/blog/post/2017/01/11/introduction-to-incident-response-life-cycle-of-nist-sp-800-61/] defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide. We also discussed information sharing requirements [https://www.rapid7.com/blog/post/2017/02/21/nist-sp-800-61-information-sharing/]

4 min Komand

How to Onboard and Train Your Security Team

Hiring the right people [/2016/07/07/the-importance-of-investing-in-people-before-tools-in-cybersecurity/] is the first step when building a great security operations team. But you also have to train them on how your company approaches and implements security measures. The common reality is that many companies lack the time or expertise to design and execute an effective training program. Hiring the best security people still means they need to understand how your network and systems are confi

4 min IT Ops

Log Analysis for System Troubleshooting

Systems of all kinds create log data constantly and voluminously. In searching out the most compelling reasons to dig into and analyze such data, we compiled a list of seven reasons that usually drive such activity. In this blog post we tackle the first of those 7, which include: 1. System troubleshooting 2. Security incident response 3. Security troubleshooting 4. Performance troubleshooting 5. Understanding user behavior or activities 6. Compliance with security policies 7. Complianc

3 min Automation and Orchestration

Sybil Attacks, Detection and Prevention

Synopsis Sybil attacks are named after a fictional character with dissociative identity disorder. Sybil Attacks are attacks against the reputation of online social networks by proliferation of fake profiles using false identities. Fake profiles have become a persistent and growing menace in online social networks. As businesses and individuals embrace social networks the line between physical and online world is getting blurred. Hence it is critical to detect, prevent and contain fake accounts i

3 min Komand

Security Orchestration and Security Automation: What is the Difference?

What's the difference between security orchestration [https://www.rapid7.com/fundamentals/security-orchestration/] and security automation [https://www.rapid7.com/fundamentals/security-automation/]? While you probably understand that they are different, you may not know exactly where the line is drawn between them or how they fit together. In this post, we'll explain what each one means and how security orchestration and automation can be used together [https://www.rapid7.com/solutions/security-

8 min IT Ops

Roots and Culture: Logging and the Telephone Bill

Telephone systems were the Internet before there was an Internet. Think about it. By 1920 millions of people were exchanging data on a worldwide network using a device that connected on demand. Sounds like the Internet to me. But unlike the current day Internet, the telephone system cost money to use. Alexander Graham Bell’s investors wanted it that way. That’s why they gave him the money. Thus, people who used the telephone system had to pay for it. So going as far back as 1877, every mont

4 min Komand

Comparing and Modifying Objects in React

A central feature of the React [https://facebook.github.io/react/] framework is that a component will re-render when its properties change. Additional action, or deliberate inaction, can also be taken on a change of properties using componentWillRecieveProps() -- at which point you’ll do your own comparison of the new and old props. In both cases, if the two properties in question are objects, the comparison is not so straightforward.How do I easily modify and compare javascript objects by some

6 min Komand

Incident Investigation: It's All About Context

When security operations centers or security teams have data output from our security devices or from threat intelligence sources, it all too often lacks any sort of reasonable context on which to base an investigation. When we have Indicators of Compromise (IoCs) that define a particular type of attack, often largely IP addresses and file hashes, this can make a very difficult starting place; inefficient at best, paralyzing at worst. Data with no intelligence lacks context and we need context

4 min Automation and Orchestration

Automated Cybersecurity Information Sharing with DHS AIS system

Synopsis In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” we reviewed incident response life cycle [/2017/01/11/introduction-to-incident-response-life-cycle-of-nist-sp-800-61/], as defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide. The NIST document contains recommendations on incident information sharing. Besides these recommendations and organization’s internal procedures, there are legal requirem

4 min Automation and Orchestration

Information sharing recommendations of NIST SP 800-61

Maintaining information sharing balance Cybersecurity information sharing issues are a hot topic. This is because a balance must be maintained between benefits and risks of information sharing. This balance is sometimes hard to maintain, and at the same time there are currently legal requirements regarding sharing such information. The main benefit of sharing cybersecurity information is more effective: * incident prevention and * incident response. The main risks of sharing cybersecurity i

4 min Automation and Orchestration

Suricata Overview

Synopsis: Suricata is an open source threat detection engine that was developed by the Open Information Security Foundation (OISF). The Beta was released at the end of 2009, with the standard version coming out in the middle of 2010. Suricata can act as an intrusion detection system (IDS), and intrusion prevention system (IPS), or be used for network security monitoring. It was developed alongside the community to help simplify security processes. As a free and robust tool, Suricata monitors ne