
Threat monitoring with AttackerKB

Written by Evander Pierre
Published on April 30, 2020

One of the core values Immersive Labs stands by is that when it comes to cyber readiness, humans are much more useful than machines. This is a belief that we hold firm and put all our efforts into exploring. We extend a hand to the cybersecurity community to make sure all of our customers are as informed and prepared as possible when it comes to dealing with the latest cyberattacks.

Rapid7 recently released a new platform, AttackerKB, which employs the concept of human cyber readiness to boost the entire cyber community. Color us intrigued.

What is AttackerKB?

AttackerKB is a new platform designed to use real human expertise to assess the importance of cyber vulnerabilities. It’s a forum that shares important data, insights, and professional views on a cyberthreat that otherwise could get lost in a sea of misinformation, overhype, and scaremongering online.

That’s where the humans come in. Real individuals from the security landscape, whether that’s pen testers, defenders, researchers, consultants, or knowledgeable hobbyists, will share their real-world, first-hand experience on AttackerKB to benefit the whole community. They’ll submit ratings for value, pervasiveness, accessibility, exploitability, shelf life, and usefulness, along with a technical analysis of specific threats, so that users can accurately assess their priority and learn how to defend themselves.

How is it used?

There are two parts to the way AttackerKB is used. Firstly, users can consume the data in the platform to identify vulnerabilities that are better tuned to their specific needs. Secondly, experts in the field can share their own analysis to help users further understand, assess, and identify the importance of a specific threat.

What does AttackerKB solve?

The platform solves the issue of crucial information about cyberthreats getting lost in the noise. By cutting through the hype with clear, structured information in a single place, individuals and organizations can more easily assess what is most important to their own needs, rather than what the news outlets might say the priorities are for the rest of the world.

By employing the human element of analysis in this way, teams can make more informed decisions about cyberthreats based on real-life advice. You can’t get that from data alone.

How is Immersive Labs helping?

We’ll be using AttackerKB to help us identify more events in the community as they emerge, ensuring our users are kept up to date with the latest threats as and when they occur.

As a pillar in the cybersecurity community, and a major believer in the human element of cyber readiness, our experts will also be contributing to the professional assessment side of things when able to do so.

Further, Director of Cyber Threat Research Kevin Breen has built a Python library that allows users to interact with the official AttackerKB API and build other tools and scripts that can be integrated into an organization.

See how it works in the fictional scenario below.

Threat monitoring with AttackerKB in action

Your organization runs an external WordPress site that is used to engage with customers. There is no sensitive data, but as the cybersecurity expert for the company, you are acutely aware that it could still be targeted by attackers. Any compromise is bad, regardless of the level of data access.

You have some monitoring in place and a security scanner that regularly checks for updates to the WordPress core and its plugins.

You’re concerned about a zero-day for one of the plugins that might come out and impact your site. To combat this in advance, you create a Python script that leverages the AttackerKB API to monitor for any new CVEs that mention your plugins. If it finds one, it will send a Slack message to your team.

You deploy your script to an AWS Lambda set to run every hour. Time to get back to work!
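As an added illustration of that script (example code written for this post, not Kevin Breen's library or any code from AttackerKB), the following Python implements the filtering, de-duplication and Slack alert logic against a constructed sample response; the response field names, the plugin slugs and all function names are assumptions, and the HTTPS fetch and durable storage an hourly Lambda would need are stubbed out.

```python
import re

# Plugin slugs from your own site inventory (hypothetical values for this example).
WATCHED_PLUGINS = ["duplicator", "contact-form-7"]

# Constructed sample in the shape this example ASSUMES an AttackerKB topic search
# returns (topics with an id, a name and free text). Verify field names against the
# real API documentation before relying on them.
SAMPLE_RESPONSE = {"data": [
    {"id": "topic-0001", "name": "CVE-0000-00001 (placeholder)",
     "document": "Unauthenticated file download in the Duplicator WordPress plugin."},
    {"id": "topic-0002", "name": "CVE-0000-00002 (placeholder)",
     "document": "Privilege escalation in an unrelated CMS component."},
    {"id": "topic-0003", "name": "CVE-0000-00003 (placeholder)",
     "document": "Stored XSS in Contact Form 7 shortcode handling."},
]}

def mentions_plugin(topic, plugins):
    """Return the first watched slug the topic mentions, else None. Slugs match as
    whole words, case-insensitively, with '-' or whitespace between their parts."""
    text = f"{topic.get('name', '')} {topic.get('document', '')}"
    for slug in plugins:
        pattern = r"\b" + r"[\s-]".join(map(re.escape, slug.split("-"))) + r"\b"
        if re.search(pattern, text, re.IGNORECASE):
            return slug
    return None

def new_plugin_topics(topics, plugins, seen_ids):
    """Topics that mention a watched plugin and were not alerted on before.
    seen_ids is updated in place; persist it between hourly runs (S3, DynamoDB)."""
    hits = []
    for topic in topics:
        slug = mentions_plugin(topic, plugins)
        if slug and topic["id"] not in seen_ids:
            seen_ids.add(topic["id"])
            hits.append({"id": topic["id"], "cve": topic["name"], "plugin": slug})
    return hits

def slack_payload(hits):
    """JSON body for a Slack incoming webhook, or None when there is nothing new."""
    if not hits:
        return None
    lines = [f"- {h['cve']}: plugin '{h['plugin']}' (topic {h['id']})" for h in hits]
    return {"text": "New AttackerKB topics for watched plugins:\n" + "\n".join(lines)}

def run_check(fetch_topics=lambda: SAMPLE_RESPONSE, plugins=WATCHED_PLUGINS, seen_ids=None):
    """One monitoring cycle. In Lambda, fetch_topics would call the API over HTTPS
    and seen_ids would be loaded from durable storage; here both are in-memory stubs."""
    seen_ids = set() if seen_ids is None else seen_ids
    return slack_payload(new_plugin_topics(fetch_topics().get("data", []), plugins, seen_ids))
```

Because matching is on whole plugin slugs rather than on the CVE text as a whole, a second run with the same persisted `seen_ids` produces no payload, which is what keeps an hourly schedule from re-posting the same CVE to Slack.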

A few hours later, the Slack channel you set up to notify you of a CVE impacting your WordPress site has been triggered. It tells you there is a CVE for the Duplicator plugin.

You visit AttackerKB and start reading the analysis on this specific CVE.

The report identifies an update to the plugin that patches the vulnerability. However, it also reveals that this vulnerability has been actively exploited in the wild. There are some indicators of compromise you can use to identify if your server has been attacked.

It’s time to take a deep dive into some log analysis to determine whether or not your server was attacked. If it was, who did it? What information were they able to gain?
