This week’s launch of Vector Command by Top 250 MSSP Rapid7 comes with the assurance of continuous red teaming services to help customers identify and validate IT security posture weaknesses — from an attacker’s perspective.
Powered by Rapid7’s Command Platform and its red team experts, Vector Command will increase visibility of an external attack and improve risk prioritization while providing same-day reporting on successful exploits, visualized attack paths and regular expert consultation, according to the company.
Jeremiah Dewey, senior vice president of Service Delivery at Rapid7, explained the MSSP imperative for red teaming and offensive security.
“Red teaming is a critical, proactive step that not only validates potential exploitables and helps teams prioritize, it also elevates our customers’ security posture and reduces noise downstream for our managed SOC team,” Dewey told MSSP Alert. “When we improve our customers’ ability to effectively triage risk, we not only deepen our relationship as a partner and extension of their team, we are also ensuring better end-to-end security across the threat lifecycle.”
Key benefits of Vector Command include:
- Increased visibility of the external attack surface with persistent, proactive reconnaissance of both known and unknown internet-facing assets.
- Improved risk prioritization with ongoing, expert-led red team operations that cut through the noise of EASM-only tools as well as the latency of point-in-time security testing exercises to surface validated critical exposures.
- Guaranteed same-day reporting of successful exploits, clearly visualized attack paths, and regular expert consultation to confidently drive remediation efforts and resiliency planning.
Rapid7 Responds to Customer Concerns
Explaining the inspiration and motivation behind Vector Command, Dewey said that sprawling external attack surfaces have made organizations more vulnerable to breaches. And this expansion has happened much more rapidly than most security teams have been able to scale their operations.
In response, Rapid7’s customers were voicing concerns about:
- Limited visibility into their internet-facing exposures
- Teams inundated with unvalidated exposures and lack of resources to prioritize critical exposures
- Lacking an effective method for ongoing assessment of the external environment to validate existing security controls.
“Security leaders want to know what's out there, and what could potentially be impactful,” he said. “In other words, they want a continuous form of monitoring to know if there’s a misconfigured website or an externally-facing asset they’re not even aware is out there, before an attacker finds it.”
Dewey believes that basic security practices, like point-in-time pentesting, are no longer enough.
“Today, there’s an undeniable need to continuously monitor the external exposures, validate them and test if the defenses hold up, should the organization be attacked,” he said. “That’s why we developed Vector Command.”
How Vector Command Works
Rapid7’s red team operators will use identified vulnerabilities, misconfigurations and the latest attacker TTPs to perform complex, real-world attacks against an organization.
“When our team successfully breaches, they will take two steps in the door of the customer's internal network, looking for ways to laterally move, privilege escalate and set persistence,” Dewey said. “This allows the customer to observe how an attacker would behave in their environment, determine the blast radius of the initially compromised asset and understand where they need to stop the attack in the kill chain to have the most impact.”
Customers can access the attack path and other detailed findings the same-day as the breach via an intuitive reporting portal to prioritize remediation. Rapid7 will conduct regular consultations with the customer to provide them with prescriptive guidance for strengthening their overall security posture against successful attack chains.
Vector Command is the inverse of MDR, Dewey noted, as the solution complements the ongoing detections with continuous, real-world offensive exercises.
“Rapid7's red team operators simulate a threat actor group, focused on customers in their managed portfolio,” he said. “During Vector Command's early testing, Rapid7 exploited numerous vulnerabilities and misconfigurations that organizations were shocked to learn about, despite their ongoing vulnerability scanning and annual penetration testing activities.”
Real-World Use Cases Detailed
Rapid7 offered examples of actual attack chain applications using Vector Command:
- When a third-party hosted email gateway that was misconfigured, allowing emails to be spoofed, Rapid7's red team operators exploited it to perform a targeted phishing attack against employee credentials and multi-factor authentication (MFA), gaining access to sensitive cloud-hosted applications.
- Another attack involved breaching an organization's perimeter through a vulnerability being flagged as a false-positive through automated testing. By reviewing the vulnerability, Rapid7 determined that it could be exploited in another way, and compromised the server. The host was determined to lack proper DMZ network segmentation from the internal network, which Rapid7 used with other vulnerabilities to pivot into the corporate network and set persistence.
In some cases there are exploitable vulnerabilities weren’t deemed as having the highest impact.
“In one instance,” said Dewey, “Rapid7 found a SQL injection that allowed a website to be compromised. However, the site was outdated and no longer used, had no trust relationships with the company's internal network, and could barely be used for reputational impact. While normally a critical vulnerability, the operators were able to show that the impact of exploitation was actually lower.”
