
InsightVM Certified Administrator

Copyright Rapid7 2020 v20.08.01


Introductions
• About your instructor
• About you
• Who are you?
• What is your experience level with InsightVM?
• What are your responsibilities/expectations?
Agenda
Day 1
• Introduction to InsightVM
• InsightVM Architecture
• Navigating the User Interface
• Scan Processes/Scan Templates
• Groups and Tagging
• Remediation
• Automated Actions
• Troubleshooting
Day 2
• Planning Your Deployment
• Installing a Scan Engine
• Credentials and Scanning
• Exception Workflow
• Risk Strategies and Scoring
• Reporting
• Insight Platform
• Dashboards, Queries, Projects, Goals
• Practice Exam
Introduction to InsightVM
Objectives:
Understand the vulnerability management cycle
Understand the challenges of vulnerability management and how InsightVM can help
address them
Vulnerability Management Lifecycle
(Cycle diagram) Discover → Prioritize Assets → Assess → Report → Remediate → Verify, then back to Discover.
Vulnerability Management
Know Your Network
• Security assessment for the modern network
• Identify what’s important to your business
• Use attacker mindset to find weaknesses
Manage Risk Effectively
• Use critical threat awareness from Metasploit
• Prioritize business risks that matter
• Create concise actionable remediation plans
Simplify Your Compliance
• Perform fast, unified security & compliance assessment
• Automate workflows
• Leverage built-in Audit & PCI report templates
Efficient Security Assessment
• A holistic view of your network connected devices
• Unified scanning
• OS
• Applications
• Web
• Database
• Configuration/Policy

• Consolidated reporting
• Dashboards
Understand Business Context
• Automatic classification
• Identify important systems and assign remediation owners
InsightVM Architecture
OBJECTIVES:
• Understand the components that make up the InsightVM
architecture
InsightVM Components

InsightVM Security Console (nsc)


InsightVM Scan Engine (nse)

InsightVM Database (postgresql)

InsightVM Agents (Win/Mac/Linux)

InsightVM API (versions 1.1, 1.2 and RESTful v3)


InsightVM Security Console (NSC)
• Centralized Administration
• Configuration, Presentation
• Accessible by port 3780 by default, but changeable
• https://[Server IP]:3780
• Contains scan sites, assets, scan templates, reports, policies, asset groups,
administration, user management
• Communication needs
• To updates.rapid7.com (80)
• To support.rapid7.com (443)
InsightVM Scan Engine (NSE)
• Types:
• Local – Integrated to the Console
• Distributed – Deployed across network
• System requirements different for Engines vs. Consoles
• No asset information is stored on the engines
• Holds the vulnerability checks and engine specific logs
• Software and vulnerability check updates are pushed from the console
• Primary means of communication
• From NSC to NSE (40814)
• From NSE to NSC (40815)
InsightVM Database
• PostgreSQL 11.7.x
• Integrated into the console
• Can be tuned for optimal performance
• No direct database access, however…
• Contains a Reporting Data Model for ease of custom reporting
• You can run SQL Queries through the Reporting GUI

• Ability to export to external MS-SQL, Oracle and MySQL databases


• Data warehouse/replication to another PostgreSQL server
InsightVM Agents

• One Agent, Multiple Solutions


• Built on AWS
• Runs a service on each asset
• Only relevant data is gathered and
transmitted to the Insight Platform
• Universal Installers
• Automatically update
Must be able to communicate using:
*endpoint.ingress.rapid7.com (port 443)
https://insight.rapid7.com
InsightVM API
(Application Programming Interface)
• Methods
• RESTful APIv3 - JSON over HTTPS
• Common Uses
• Third-party Integrations
• Workflow Automation
• Simple Utilities
• Dive Deeper in Advanced Vulnerability Manager Course

InsightVM Architecture (diagram)
• Console / local scan engine (NSC): Console/API at https://x.x.x.x:3780
• Console → distributed (internal) scan engines (NSE): TCP 40814; engine → console: TCP 40815
• Console → hosted scan engines: TCP 40814
• Console → PostgreSQL: TCP 5432
• Console → http://updates.rapid7.com:80 and https://support.rapid7.com:443
• Scan engines (local, distributed and hosted) → scan targets: all TCP/UDP ports
• Agents → https://*.insight.rapid7.com:443 (TCP 443)
Navigating the UI
Objectives:
• Understand components of the InsightVM console user
interface
Accessing the Console

• https://[Console_IP]:3780
• Supported Browsers:
• Chrome
• Firefox/Firefox ESR
• IE 11/Microsoft Edge
• Others work, but are not supported (e.g. Safari, IceWeasel)
• Login with the credential defined during the console installation
Top Menu Items

• Create – Shortcut to create sites, groups, tag, reports


• Search – use keyword or filtered asset searches
• Calendar – feature showing scans and reports in a timeline
• Help – Access online help and news
• Notifications – alerts when new updates are available or content is added
• User – view/update user preferences, change color scheme, or logout
• Items – Add previously removed home page items
Left Side Navigation Menu

• Home – holistic view of assets, site, groups.


• Dashboard –available for InsightVM enabled instances
• Assets – view detailed data on discovered assets
• Vulnerabilities – analyze comprehensive vulnerability
information
• Projects – available to create Remediation for InsightVM
enabled instances
• Goals & SLAs - Track your remediation efforts by
identifying goals and defining metrics
• Automation – Eliminate most manual tasks involved in
addressing security needs
• Automated Actions – Dynamic automation of specific
triggers
Left Side Navigation Menu (continued)

• Policies – create policies to fit the


requirements of your environment
• Reports – create, edit, and view
reports
• Containers – Get visibility into images
in your environment that have
containers present and the
vulnerabilities associated with them.
• Cloud Configuration – Cloud
infrastructure connections
• Administration – perform a variety of
administrative tasks
• Management – Manage Insight
Home Page (screenshot callouts)
• Risk and Assets Over Time
• Asset Overview
• Scan, Edit or Delete Site
• Create a Site
• Current Scan Statistics
• Create Asset Group
Navigating User Interface
Demo
The Scan Process
Objectives:
• Understand the Scanning Process
• The Importance of the Scan Template
Scan Process Overview
Discovery → Port Scan → Service Fingerprinting → OS Fingerprinting → Unconfirmed Vulnerability Checks → Confirmed Vulnerability Checks → Policy Checks
NSC > NSE: Go and find all ‘alive’ devices

Using ICMP Ping, ARP Ping, TCP and/or UDP Port Scanning
NSC > NSE: What Services are running on the open ports?

Use NMAP Helper Libraries


NSC > NSE:
What Services are we dealing with?

• Service Fingerprinting
• InsightVM will try to determine which services/processes are running on the open ports detected in the previous step.
• Methods:
• Banner-grabbing
• IP Stack Analysis
• Service fingerprinting for custom configuration
• Map custom port to service name
• default-services.properties
NSC > NSE:
What OS are we dealing with?

• OS Fingerprinting: using information collected from the previous scan stages, the scan attempts to guess which operating system is running on the asset.
• Recog is a framework for identifying products, services, operating systems, and
hardware
• Matching fingerprints against data returned from various network probes
• Consists of both XML fingerprint files and an assortment of code, mostly in Ruby, that
makes it easy to develop, test, and use the contained fingerprints.
• A score indicating how certain the scan is about its guess is kept and the
highest ranked guess is used for other stages of the scan.
NSC > NSE:
What OS are we dealing with?

• OS Fingerprinting
• Credentialed vs. Non-credentialed scans.
• Only scans using administrator/root will provide a Certainty of 1.
• Credentials with less than administrator/root privileges may show a Certainty of 0.85
• Credentialed scans are necessary for policy scans, client side and some system configuration
related vulnerability detection.
• Unconfirmed Vulnerability Checks
• Primarily include checks based on patch and version information. These checks determine that a version of
software etc. is known to have an issue but does not confirm the specific issue exists. An example may be
that a version of software ships with a default password. The check would determine that that version of
software is present and may have default credentials even if the credentials have already been changed.

• Confirmed Vulnerability Checks


• A confirmed check may go a step further than our Unconfirmed Vulnerability check by specifying that a
specific OS, Application, and specific version of each must be present before it tries to take an action to
verify if a vulnerability exists. For the example where a vulnerable version of software is present that is
known to ship with a known default password the check may attempt to login with those known
credentials to verify if the credentials have been changed.
• Policy Checks
• During this stage, checks focus on determining asset configurations and their alignment with predefined baselines defined in policy files.
• USGCB policies
• United States Government Configuration Baseline
• FDCC policies
• Federal Desktop Core Configuration
• DISA STIGs
• Defense Information Systems Agency Security Technical Implementation Guides
• CIS Benchmarks
• Center for Internet Security
Scan Templates
A scan template is a predefined set of scan attributes that you can
select quickly rather than manually define properties including:
• Target assets
• Services
• Vulnerabilities
• Policies

InsightVM includes a variety of preconfigured scan templates to help you assess your
vulnerabilities according to the best practices for a given need.
Demo & Lab 1:
Creating Custom Templates
Organizing Your Data
Objectives:
• Understand the role of sites and developing a site strategy
• Learn to leverage asset groups for analysis and reporting
• Learn to leverage asset tags for providing context
InsightVM Containers
• Sites
• IP’s/Groups to be Scanned, Schedules, Engines, Scan Templates
• Dynamic and Static
• Asset Groups
• Commonality
• Reporting
• Analysis
• RealContext (Asset Tags)
• Adds business context
Site Overview
(Diagram) An InsightVM Site brings together Scan Targets, a Scan Engine and a Scan Template, plus optionally a Scan Schedule, Alerts and Credentials.
Site Strategy

• Break up your environment in a way that:


• Is easy to manage
• Makes sense to your organization
• Achieves your scanning goal/objectives
• Aligns with change control requirements
• Aligns with technical and business owners
Site Strategy – By Location
• Geographical or Logical
• Los Angeles, Boston, New York, London
• 10.1.1.x/24, 10.1.2.x/24, VLAN10, VLAN20
• Internal, External
• Benefits
• Smaller number of sites/scans = ease of management
• Concerns
• Large number of assets per site = longer scan times
Site Strategy – Hybrid
• By location and specific function
• HQ – Desktops
• Remote Office – Laptops
• Datacenter – Servers
• Pros
• Efficient chunks = more regular scans
• Focused scans for specific
requirements
• Flexible scheduling
• Cons
• Possibility of large number of sites
Demo & Lab 2:
Creating Sites
Asset Groups
Objectives:
• Understand the difference between Dynamic and Static Asset Groups
Asset Group Overview
• Provide the ability to perform targeted asset reporting

• Provide the ability to provide or limit user access to scan data

• Aggregates assets from one or more sites for vulnerability analysis

Dynamic
• Subject to change
• Automatically cleaned/updated
• “Real time” perspective
Static
• Constant data set
• Comparative reporting
• “Frozen time” perspective
Group Strategy
• Asset Function
• Desktops
• Mobile
• Servers
• Printers
• Database
• Web

• Platform/Product
• Windows
• Linux
• Networking Devices
Demo & Lab 3:
Create Asset Groups
RealContext (aka Asset Tagging)
• Allows the ability to provide business context around your assets by applying
tags
• Built-in Tags
• Criticality
• Location
• Owner
• Custom Tags
• Examples: PCI, DMZ, SOC, XYZ Network, DEV, XYZ Application, etc..
RealContext - Adjust Risk By Criticality
• Apply risk multipliers to assets
• Adjust configurable risk score multiplier based on criticality

• Disabled by default
RealContext Best Practices

• Apply risk multipliers to Dynamic Asset Groups


• Public-facing/DMZ assets = Higher Risk
• Assets with sensitive data = Higher Risk
• Infrastructure service assets = Lower Risk
• Use Sites and Asset Groups to bulk tag assets
• Use filtered asset search to bulk tag assets
Demo & Lab 4:
RealContext
InsightVM
Remediation
Objectives:
• Understand and prioritize vulnerabilities
Remediation of Vulnerabilities

Analyzing the vulnerabilities is a critical step in improving your


security posture.
• Frequency
• Affected assets
• Risk level
• Exploitability
Strategic Remediation
• Threat – A threat is any potential danger to information or systems.
• Vulnerability – Vulnerability describes the circumstances of a system that make it susceptible to damage.
• Risk – A risk is the likelihood of a threat taking advantage of a validated vulnerability.
Demo & Lab 5:
Remediation and Scanning
Security Analytics
Objectives:
• Learn about Security Analytics
• Learn the types of automated actions
• Learn how to create and use automated actions
Security Analytics – Automated Actions
• Certain “Trigger” events initiate automated actions
• Automatically discover and assess new assets as they join the network
• Track your risk as assets come and go from the network
• No more waiting for scans to run
(Diagram: Full Attack Visibility and Assessment – event sources DHCP, VMware, Mobile, AWS)
https://insightvm.help.rapid7.com/docs/automating-security-actions-in-changing-environments
Automated Actions
• Automated action can be turned on/off
• You can have as many automated actions as necessary
• Best Practice: avoid conflict (adding asset to two sites, for example)
New Vulnerability Released
• Make instant decisions to scan
based on new vulnerabilities that
have been released.
• Only scans for the vulnerabilities
that meet the threshold.
• Can set threshold by Risk or CVSS
Score
New Asset Discovered
• Allows you to make decisions on
scanning assets when they are
first discovered
• Filter based on asset criteria
• Actions include
• Add to a Site
• Add to a Site and Scan
Immediately
Known Asset Discovered
• You can make instant decision for
assets that are known to exist
• Filter based on asset criteria
• Actions Include:
• Tag the Asset
• Add the Asset to another
Site

• Scan the Asset Now


TIE File Reputation Event
• Integration with DXL and TIE from McAfee (formerly Intel Security) allows your security team to gain insight into your assets and automatically prioritize assets when compromises are detected
• Automatically report vulnerabilities
• Vulnerability ID
• CVSS score
• Detection time
• ePO agent ID

• Enables other solutions like firewalls and


monitoring tools to take actions dependent
on those discoveries
Demo & Lab 6:
Automated Actions
Troubleshooting
Objectives:
• Learn How To Run Diagnostics
• Learn About The Various Log Files
• Learn How To Use Other Support Resources and the
Administration Page
Administration
Troubleshooting
• Administration->Troubleshooting->Diagnose->Perform
Diagnostics
• Review all items in red
• Firewall issues
• Experiencing UI inconsistencies?
• Database maintenance tasks
• Report Errors in OS Fingerprinting
• Download Log from Administration>History>Download Log
• View Statistics from Administration>Events>View
Log Locations

• Linux Console: /opt/rapid7/nexpose/nsc/logs/


• nsc.log, nse.log, access.log, auth.log, initdb.log, mem.log
• Windows Console: \Program Files\rapid7\nexpose\nsc\logs
• nsc.log, nse.log, access.log, auth.log, initdb.log, mem.log
• Engines
• Similar directory BUT nsE instead of nsC
• /opt/rapid7/nexpose/nse/logs/
Logs
• access.log – Accessed resources, i.e. the Web interface; API call, API version and the IP address of the API client
• mem.log – Problems with memory; shows scanning and reporting memory usage
• auth.log – Log in, log off, account lockouts
• nsc.log – System and application level event tracking, scheduling of operations, or tracking any Maintenance Mode activity
• nse.log – Troubleshoot specific checks. If a check produces an unexpected result, you can look here to determine how the scan target was fingerprinted
• update.log – Contains all information pertaining to update tasking


Updates

• InsightVM can be configured to automatically receive updates for


• Product
• Vulnerability Coverage

• Patching and updating the operating system on which the security console
is installed is your responsibility.
Lab 7: Troubleshooting
Challenge

End of Day One


Planning your Deployment
Objectives:
• Understand various vulnerability scanning perspectives
• Make the best use of your available resources to gain the scanning coverage
needed to meet your objectives
Deployment Architecture
(Diagram) A Management Console, with an optional Backup Console, manages multiple Scan Engines, including engines placed behind firewalls, and exposes an API.
• Highly scalable scan engines
• Unified platform & management
• Flexible deployment
• Standards-based open API and pre-built connectors
System Requirements
• Factors that feed into determining the deployment architecture and resource requirements are:
• Total # of IP’s scanned
• Scan frequency
• Scan data retention
• # and frequency of reports
• Report retention
• Deployment architecture
• Network architecture
Hardware Requirements

See https://www.rapid7.com/products/insightvm/system-requirements for more information to help plan your deployment.


Currently Supported Operating Systems
64-bit versions of the following platforms are supported.
• Ubuntu Linux 18.04 LTS
• Ubuntu Linux 16.04 LTS
• Microsoft Windows Server 2016
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2008 R2
• Microsoft Windows 8.1
• Red Hat Enterprise Linux Server 7
• Red Hat Enterprise Linux Server 6
• CentOS 7
• Oracle Linux 7
• SUSE Linux Enterprise Server 12
• openSUSE Leap 15
Scan Perspectives
• Deployment architecture
• Scan Engine placement, in-line networking devices, types of devices
• Objectives for scanning
• Compliance, vulnerability management, validation
• Streamlining running and scheduling scans
• Asset availability, scan windows, data for reporting
• Software Coverage
• https://kb.help.rapid7.com/docs/nexpose-vulnerability-coverage
• Software list encompasses those products and services that we are
specifically committed to providing ongoing, automated coverage.
Scan Perspective - Internal

• Scan traffic from engines located behind your perimeter firewall


• Targets devices located on the company intranet
• Provides the ‘inside looking in’ perspective
• Addresses risk due to:
• Trusted insiders
• Curious/Rogue employees

Scan Perspective - Internal
(Diagram: your internal network) Headquarters – 2000 assets, NSC / NSE; DMZ – 50 assets, NSE; Satellite Office – 1000 assets, NSE reached over VPN; Remote Sales Office – 250 assets, NSE reached over a WAN link
Scan Perspective - External
• Scan traffic originates from an NSE located outside your perimeter firewall
• Targets devices located on the company extranet
• Provides the ‘outside looking in’ perspective
• True attacker perspective of your network
• Rapid7 offers these ‘Hosted Services’ and SONAR
Scan Perspective - External
(Diagram) A hosted NSE in the Rapid7 Datacenter scans the DMZ (50 assets) from outside and sees only open ports; the NSC / NSE at Headquarters (2000 assets) reaches the hosted engine on TCP 40814
Scan Perspective - Hybrid
• Scans utilize multiple strategically located NSE’s
• Can be both internal/externally located
• Use Cases for a Distributed Scanning Strategy
• Large number of target IP addresses
• Highly segmented network
• Bandwidth restrictions
Scan Perspective - Hybrid
(Diagram) A hosted NSE in the Rapid7 Datacenter scans externally; NSC / NSE at Headquarters (2000 assets); NSE in the DMZ (50 assets); NSE at the Remote Sales Office (250 assets) reached over a WAN link
Scan Engine vs. Insight Agent
A scan engine is an application used with the Security Console that helps
discover and collect network asset data and scans them for vulnerabilities
and policy compliance.

The Insight Agent is lightweight software you can install on supported


assets—in the cloud or on-premises—to easily centralize and monitor data
on the Insight platform.
Project Sonar
• Project Sonar is a community effort to improve security through the active analysis of
public networks.
• This includes running scans across public internet-facing systems, organizing the
results, and sharing the data with the information security community.
• Sonar regularly ‘scans the internet’ and gathered data is archived and made publicly
available in cooperation with the University of Michigan.

'Scanning' a Sonar site *does not* perform an assessment of those assets, it simply retrieves archived scan data from Sonar.
Installing InsightVM
Objectives:
• Install InsightVM on a Windows/Linux Server
Windows Installation

• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• Console + Scan Engine or Scan Engine Only
• Services
• Nexpose Security Console - Automatic
• Download the appropriate md5sum file to ensure that the
installer was not corrupted during download.
Linux Installation

• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• chmod +x Rapid7Setup-Linux64.bin
• Console + Scan Engine or Scan Engine Only
• Textual-based Installer
• ./Rapid7Setup-Linux64.bin
• Disable SELinux
• Download the appropriate md5sum file to ensure that the installer was not corrupted during download. A checksum served alongside the installer detects corruption only; it does not prove authenticity, so fetch both files over HTTPS from Rapid7.
Installation Process
• Default Install Directory
• C:\Program Files\rapid7\nexpose
• /opt/rapid7/nexpose
• Verify you meet the minimum
requirements
• Default PostgreSQL Listener Port: 5432
• Company Info
• Uses this information to create SSL
certificates and be included in requests to
technical support
• Create an initial Admin user with strong
password
Manage Scan Engines
Objectives:
• Learn How To Create A Scan Engine
• Learn How To Manually Pair An Engine
• Learn About Engine Pooling
Scan Engine Quantity
• Not an exact science…
• How many assets do you want to scan?
• How fast do you want to scan them?
• How much resources are you allocating to your engines?
Scan Engine Placement

• For the most efficient performance and comprehensive scan results, scan engines
should:
• Be located as close as possible to the assets being scanned
• Be placed inside demilitarized zones, secure network environments
• Be distributed to geographical regions/locations, depending on the number of assets to be scanned
and bandwidth between the engine and the target assets
• Be placed behind, or at the very least allowed through, firewalls and other security controls
Scan Engine Performance
• Scan times vary
• Non-credentialed scans on a single asset can take an average of 5 minutes,
depending on the device type, with no web spidering.
• Credentialed scans on a single asset can take an average of 7-10 minutes,
depending on device type, with no web spidering.
• Web spider Non-credentialed scans on a single asset can be around 15 minutes.
• Web spider credentialed scans on a single asset can be around 20 minutes.

Adjust simultaneous assets per engine count in scan template to fully utilize scan engine.

Scan Engine Management
(Screenshot callouts) Force Update the Engine; Engines Current Status; Currently Running Version; Refresh the Status
Pairing a Distributed Scan Engine
• Console to engine configuration communicates on port 40814
• Engine to console configuration communicates on port 40815
• Two step pairing process:
• Generate key in Console

• Install and authorize the console on the engine


Scan Engine Management
• Updates
• Console updates the distributed engines
• Product and Content
• Scan Engine Pools
• Combine two or more engines into a logical engine
• Distributes the load of assets in a scan
• Ideal for large number of assets in a single site
• Overlapping scans may queue causing delays, start times should be staggered.
Demo & Lab 8:
Pair a Scan Engine
Credentialed Scanning
Objectives:
• Learn The Importance Of Using Credentials
• Learn The Different Types Of Credentials
• Learn How To Add Shared And Site Credentials
Credentialed Scans
• Allows target assets to
be scanned with
authentication
• 100% OS/Service
Fingerprint
• Identify local/client-side
patch and configuration
vulnerabilities
• Reduces false-positives
• Allow for
Credential Management
Two types of scan credentials available:
• Shared
• Shared scan credentials allow
a user to use the same
credentials across multiple
sites
• Can select which sites to apply
• Site-specific
• Site-specific credentials limit
the credentials scope to just
the assets defined in the site
Encryption Types
To ensure the security of the application, Nexpose uses the following types
of encryption algorithm keys in these areas:
• Identification/authentication: RSA
• Credential password storage: RSA
• Connection to the Web interface: RSA and HTTP over SSL
• Credential encryption: 3DES encrypted with RSA
• Zip files generated for diagnostic information to be uploaded to support.rapid7.com:
PGP KeyID: 959D3EDA
• Upload diagnostic information to a server at support.rapid7.com: TLSv1.2
• Security Console to Scan Engine communication: TLSv1.2,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for backwards compatibility, and
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
Demo & Lab 9:
Manage Credentials
Vulnerability Exceptions
Objectives:
• Learn Why Exceptions Are Important
• Understand The Exception Workflow
• Learn How To Create And Approve Vulnerability Exceptions
Exceptions
• Prevents excepted vulns from being calculated in charts, graphs, reports
• Reason
• Compensating Control
• Acceptable Use/Risk
• False Positive
• Exception workflow allows for dual control
• Vulnerability Exception Scopes can include:
• All instances on an asset
• All instances on all assets
• All instances in the selected asset groups
• Exception Expiration
• Report created specifically for Vulnerability Exceptions
Exception Submission and Review
(Screenshot callouts) Exception Status; Expiration Date; Exception Scope
Demo & Lab 10:
Create an Exception
Vulnerability and Risk
Scoring
Objectives:
• Understand the importance of risk scoring
• Understand the common vulnerability scoring system (CVSS)
• Learn the various risk scoring strategies
Vulnerability and Risk Scoring
The Need for Standardized Scoring
• Historically, vulnerability scoring had been
done on a vendor specific level
• Created to address the need for defining &
quantifying detected vulnerabilities across
enterprise platforms
• No standardization meant that
intercommunication/integration between
enterprise security applications could not
share vulnerability information
CVSS History
• CVSS v.1
• Research commissioned in 2003;
DHS accepted in 2004
• Public launch at RSA in 2005; Active
until 2007
• CVSS v.2
• Public launch in June, 2007; PCI
mandated in July, 2007
• CVSS v.3
• Released in late 2015
CVSSv2 Base Metrics
• Exploitability Metrics: Access Vector, Access Complexity, Authentication
• Impact Metrics: Confidentiality, Integrity, Availability
• Limitations of v2:
• Scored relative to overall impact
• No awareness of cases in which a flaw in one app impacts other apps
• Access Vector may be unable to rate local system access with physical hardware attacks
• Authentication scores biased towards None/Single
CVSSv3 Base Metrics
• Exploitability Metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction
• Impact Metrics: Confidentiality, Integrity, Availability
• Scope: Unchanged, Changed
• Changes from v2:
• Scored relative to impact of the affected component
• Scope supports cases in which the vulnerable entity is distinct from the affected entity
• Local and Physical are now distinct in AV
• Privileges Required indicates the greatest privileges required for exploit vs. the number of authentications required
CVSSv2 Base Metric Group
Vector: AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]
AV = Access Vector, AC = Access Complexity, Au = Authentication, C = Confidentiality, I = Integrity, A = Availability
CVSSv2 Exploitability Metrics
• Access Vector: Local (L) = 0.395; Adjacent Network (A) = 0.646; Network (N) = 1.0
• Access Complexity: High (H) = 0.35; Medium (M) = 0.61; Low (L) = 0.71
• Authentication: Multiple (M) = 0.45; Single (S) = 0.56; None (N) = 0.704
CVSSv2 Impact Metrics
Confidentiality, Integrity and Availability each use the same scoring values:
• None (N) = 0.0
• Partial (P) = 0.275
• Complete (C) = 0.660
CVSS Calculating Base Score
Base score for an example vulnerability: AV:N/AC:L/Au:N/C:N/I:N/A:C
• Access Vector = Network = 1.0
• Access Complexity = Low = .71
• Authentication = None = .704
• Confidentiality = None = 0.0
• Integrity = None = 0.0
• Availability = Complete = .66
CVSS Base Scoring Formulas
Impact = 10.41*(1-(1-Confidentiality)*(1-Integrity)*(1-Availability))
Exploitability = 20*AccessVector*AccessComplexity*Authentication
f(Impact) = 0 if Impact=0, 1.176 otherwise
BaseScore = (((0.6*Impact)+(0.4*Exploitability)–1.5)*f(Impact))
CVSS Base Scoring - Exploitability
Step 1 – Calculate the Exploitability value for AV:N/AC:L/Au:N/C:N/I:N/A:C:
Exploitability = 20*AccessVector*AccessComplexity*Authentication
Exploitability = 20*(1.0(Network)*.71(Low)*.704(None)) = 9.9968
Exploitability = 10.0
CVSS Base Scoring - Impact
Step 2 – Calculate the Impact value:
Impact = 10.41*(1-(1-0.0(None))*(1-0.0(None))*(1-.66(Complete))) = 10.41*0.66 = 6.8706
Impact = 6.9
CVSS Base Scoring – f(Impact)
Step 3 – Calculate the f(Impact) value:
f(Impact) = 0 if Impact=0, 1.176 otherwise
Impact = 6.9 (calculated using the Impact equation in step 2), so f(Impact) = 1.176
CVSS Calculating Base Score
Exploitability = 10.0 (Step 1)
Impact = 6.9 (Step 2)
f(Impact) = 1.176 (Step 3)
BaseScore = (((0.6*6.9)+(0.4*10.0)–1.5)*1.176) = 6.64*1.176 = 7.80864
BaseScore = 7.8
OpenSSL “Heartbleed” Flaw (CVE-2014-0160)
CVSSv2: Network-accessible, low exploit complexity, no authentication, partial impact to confidentiality, and no impact to integrity nor availability
Base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSSv3: Network-accessible, low complexity, no privileges needed, user interaction not required, scope unchanged, high impact to confidentiality, no impact to integrity, and no impact to availability
Base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Resources: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
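The base-score arithmetic from the steps above and the Heartbleed comparison, carried through in code. This is an added example, not part of the Rapid7 course material and not InsightVM code. The CVSS v2 weights and formulas are the ones on the slides; the v3.1 calculator goes beyond the slides and takes its weights, the Scope-dependent Impact formula and the Roundup() rule from FIRST's CVSS v3.1 specification, so it also scores the Heartbleed v3 vector (7.5, as NVD does) and a Scope Changed vector. The vector parser and the rounding helpers are mine.

```python
"""CVSS v2 and v3.1 base-score calculators (added example, not Rapid7 code).

v2 weights/formulas are those on the slides; v3.1 weights, Scope-dependent
Impact formula and Roundup() come from FIRST's CVSS v3.1 specification.
"""
import math
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights (slide values)
V2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

# CVSS v3.1 metric weights (FIRST specification); PR depends on Scope
V3_WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},         # Scope Unchanged
    "PR_CHANGED": {"N": 0.85, "L": 0.68, "H": 0.5},  # Scope Changed
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}

def parse_vector(vector):
    """Turn 'AV:N/AC:L/...' (optional 'CVSS:3.1/' prefix, trailing '/') into a dict."""
    metrics = {}
    for part in vector.strip().split("/"):
        if not part or part.startswith("CVSS:"):
            continue
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError("malformed metric %r in %r" % (part, vector))
        metrics[name] = value
    return metrics

def _round1(x):
    """One decimal, half away from zero, as CVSS v2 rounds (not banker's)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def _roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, done on an integer
    scale so float noise cannot turn 7.5 into 7.6 (spec Appendix A)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss2_base(vector):
    """Return (exploitability, impact, base) for a CVSS v2 base vector."""
    m = parse_vector(vector)
    try:
        w = {k: V2_WEIGHTS[k][m[k]] for k in V2_WEIGHTS}
    except KeyError as e:
        raise ValueError("missing or unknown v2 metric: %s" % e) from None
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    # f(Impact) zeroes the score when there is no C/I/A impact; intermediates
    # stay unrounded (the slides round first, which gives the same 7.8 here)
    base = 0.0 if impact == 0 else ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return _round1(exploitability), _round1(impact), _round1(base)

def cvss31_base(vector):
    """Return (exploitability, impact, base) for a CVSS v3.x base vector."""
    m = parse_vector(vector)
    try:
        changed = {"U": False, "C": True}[m["S"]]
        pr = V3_WEIGHTS["PR_CHANGED" if changed else "PR"][m["PR"]]
        av, ac, ui = (V3_WEIGHTS[k][m[k]] for k in ("AV", "AC", "UI"))
        c, i, a = (V3_WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    except KeyError as e:
        raise ValueError("missing or unknown v3 metric: %s" % e) from None
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    # Scope Changed uses a different Impact curve and a 1.08 factor on the sum
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * av * ac * pr * ui
    if impact <= 0:
        base = 0.0
    else:
        base = _roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))
    return _round1(exploitability), _round1(impact), base

if __name__ == "__main__":
    for label, fn, vec in (
        ("slide example (v2)", cvss2_base, "AV:N/AC:L/Au:N/C:N/I:N/A:C/"),
        ("Heartbleed (v2)", cvss2_base, "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
        ("Heartbleed (v3.1)", cvss31_base, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
        ("stored XSS (v3.1)", cvss31_base, "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"),
    ):
        expl, imp, base = fn(vec)
        print("%-19s exploitability=%.1f impact=%.1f base=%.1f" % (label, expl, imp, base))
```

Run as a script it prints 7.8 for the slide's example, 5.0 and 7.5 for Heartbleed under v2 and v3.1 (the jump comes from Confidentiality High replacing Partial, not from any exploitability change), and 5.4 for a typical Scope Changed XSS vector. The calculators refuse a vector with a missing metric rather than silently scoring it as zero, which matters when vectors are pulled from a report export or the API.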
Vulnerability and Risk Scoring

• A practical approach to determining which


detected Vulnerabilities present the greatest
risk and likelihood of exploitation to enterprise
assets.
• Vendor specific scoring Algorithms used to
determine Risk values
Real Risk

• This default strategy analyzes potential types of exposures associated


with vulnerabilities
• The algorithm applies exploit and malware exposure metrics for each
vulnerability to CVSS base metrics for asset impact
• Confidentiality, Integrity, and Availability
• Access Vector, Access Complexity, and Authentication
• Time, Exposure, Malware, Metasploit Modules
Temporal

• This strategy indicates how time continuously increases likelihood of


compromise.
• The calculation applies the age of each vulnerability, based on its
date of public disclosure, as a multiplier of CVSS base metrics for
likelihood (access vector, access complexity, and authentication
requirements) and data impact (confidentiality, integrity, and
availability).
TemporalPlus

• This strategy provides a more granular analysis of vulnerability impact, while indicating how time continuously increases likelihood of compromise and aggregation – relative to other vulnerabilities.
• TemporalPlus risk scores have no maximum, unlike Temporal scores, because TemporalPlus expands the risk contribution of partial impact vectors.
Weighted
• This strategy applies user-defined site importance to a calculation of asset and vulnerability data to reflect your unique security priorities.
• Factors include:
  • Number and severity of vulnerabilities discovered on each asset
  • Number and types of services running on each asset
  • Class of each asset and its associated risk
  • User-assigned weight or level of importance for any site
Terms used in the weighted risk calculation:
RD = Risk Score for a Device
NC = Number of Critical Vulnerabilities
SC = Average Severity of Critical Vulnerabilities
NS = Number of Severe Vulnerabilities
SS = Average Severity of Severe Vulnerabilities
NM = Number of Moderate Vulnerabilities
SM = Average Severity of Moderate Vulnerabilities
PO = Open Port
SR = Service Risk
RW = Risk Weighting Factor
PCI

• Scale ranges from 1 (lowest severity) to 5 (highest severity).
• Approved Scanning Vendors (ASVs) and other users can assess risk from a PCI perspective.

https://www.rapid7.com/solutions/compliance/pci-dss/
Demo & Lab 11:
Risk Scoring
REPORTING
Objectives:
• Learn how to create report templates
• Learn about the various types of report formats
• Discover useful reports for building a sustainable program
Report Configuration

An InsightVM Report is configured in five parts:
• Report Template
• Report Scope
• Report Specific Configuration
• Report Schedule
• Report Distribution and Access
Report Formats
• InsightVM provides flexible, easy-to-use reporting
• Export in a variety of formats, e.g. XML – CyberScope, SCAP, XCCDF
Report Templates

• Customizable Templates
• Report Templates are made up of Report Sections
• You can edit the template and define which
sections to utilize
• You cannot edit the sections themselves – they
are static
• Static Templates
• Report structure/format cannot be modified
• SQL Query Export Template
• Query the reporting data model directly
Demo & Lab 12:
Create Reports
InsightVM Platform
Objectives:
• Understand the role of the Dashboard
• Learn the importance of cards and creating Remediation Workflows
Environmental Considerations
• Domains the InsightVM Security Console must be allowed to reach outbound (TCP port 443):
  • data.insight.rapid7.com
  • s3.amazonaws.com
  • s3-external-1.amazonaws.com
  • exposure-analytics.insight.rapid7.com
• Network requirements and expectations
  • Network traffic between the Console and the R7 Insight Platform will be similar to the traffic between the Console and a Scan Engine.

For a complete list of platform communication requirements, visit:
https://insightvm.help.rapid7.com/docs/configure-communications-with-the-insight-platform
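As an added example (not from the deck and not a Rapid7 tool), the following Python pre-flight script, run on the Security Console host, checks that each listed domain resolves and completes a TLS handshake on port 443 with the certificate chain and hostname verified against the system trust store. That is closer to what the console needs than a bare TCP connect, which passes through an intercepting proxy that would break the console's own connection. The hostname list is the one on this slide; the injectable `probe` parameter is an assumption added for offline testing, not a product API.

```python
"""Outbound egress pre-flight for an InsightVM Security Console host (added example)."""
import socket
import ssl
from typing import Callable, Dict, Iterable

# Hostnames from the slide: the console must reach them outbound on TCP 443.
REQUIRED_HOSTS = (
    "data.insight.rapid7.com",
    "s3.amazonaws.com",
    "s3-external-1.amazonaws.com",
    "exposure-analytics.insight.rapid7.com",
)


def tls_probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Resolve, connect and complete a *verified* TLS handshake.

    ssl.create_default_context() validates the chain against the OS trust
    store and checks the hostname, so an intercepting proxy or a DNS
    redirect to an untrusted endpoint fails here rather than later.
    Returns the negotiated protocol version; raises OSError on any failure.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() or "unknown"


def check_egress(hosts: Iterable[str],
                 probe: Callable[[str], str] = tls_probe) -> Dict[str, str]:
    """Probe every host; map host -> 'ok (<version>)' or 'FAIL: <reason>'.

    `probe` is injectable (assumption for testing) so the reporting logic can
    be exercised without network access. ssl.SSLError is an OSError subclass,
    so DNS, TCP, TLS and certificate failures are all caught by one clause.
    """
    results: Dict[str, str] = {}
    for host in hosts:
        try:
            results[host] = f"ok ({probe(host)})"
        except OSError as exc:
            results[host] = f"FAIL: {exc.__class__.__name__}: {exc}"
    return results


def all_reachable(results: Dict[str, str]) -> bool:
    """True only when every host completed a verified handshake."""
    return bool(results) and all(v.startswith("ok") for v in results.values())


if __name__ == "__main__":
    report = check_egress(REQUIRED_HOSTS)
    for host, status in report.items():
        print(f"{host:45} {status}")
    raise SystemExit(0 if all_reachable(report) else 1)
```

Run it from the console host before pairing with the Insight Platform; a non-zero exit means at least one required domain is blocked, unresolvable, or terminated by a certificate the host does not trust.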

Data Handling

If you opt to end your engagement with Rapid7, you may collect and transfer any data that is
possible to export. If you request that Rapid7 delete all your data, the request will be
processed within 14 days.

Visit https://www.rapid7.com/trust for more information.


Dashboards
• Use built-in dashboards (read only)
• Moving items on a dashboard saves automatically
• Create and share as many dashboards as you like
Cards
• Cards are small windows located on
the dashboard
• Choose from many different cards in a
variety of categories
• Assets
• KPI
• Risk
• Sites
• Vulnerabilities
• Agents
• Most cards are expandable
Building Queries

• Intuitive drop-down and expandable query builder
• Can use Boolean logic for multiple filters
• Coordinates well with building Projects
• Managed efficiently under the main menu
Downloading the Rapid7 Agent
• Agents are managed and downloaded through
the InsightVM dashboard
• Windows
• Mac
• Linux
InsightVM Agents Use Cases

Agents suit assets that:
• Have no remote access credentials available
• Are only online for short periods of time
• Are sensitive to network-based scanning
• Require continuous monitoring as opposed to periodic scans
• Are located in a dynamic, cloud, or other complex modern environment that requires flexible deployment
• Are located in a highly isolated or micro-segmented network or outside of the corporate network
• Do not have remote access services (SMB, SSH, etc.) enabled

Monthly Executive Summary

• The Executive Report provides a monthly curated assessment of your organization’s vulnerability management program.
• An Executive Report for the previous month will be available on the seventh of every month.
• Allows you to easily see your remediation efforts in one place so that you can compare data from current and previous reporting periods. There are also high-level graphs to provide visibility and insight from the previous 12 months.
• The report includes easy-to-read visuals, graphs, and explanations including:
  • Environment Overview
  • Program Improvements
  • Location Tag
  • Owners Tag
  • Criticality Tag
Creating Projects
• Can be created directly from vulnerability in card
• Patch all the critical things
• Assign to remediation owner
• See progress as it happens
Setting Goals

• Goals help reduce overall risk and improve the security of your environment.
• Track your remediation efforts by identifying goals and defining metrics to measure against those goals.
• Goal cards can be added to dashboards to display progress at a glance.
• There are two types of goals that can be created:
  • Time bound
  • Continuous
Setting Goals
• A time bound goal lets you specify metrics for assets or vulnerabilities and assign a
target date so you can track your progress as your deadline approaches.
• A continuous goal lets you monitor progress or criteria without a time limit, such as a
rule or a key performance indicator.
Containers
• A container represents a software application and may contain all of the necessary code, run-time, system tools, and libraries needed to run the application.
• Using containers to manage application deployment is a rapidly growing technology, but container hosts may be packed with risk. InsightVM provides visibility into vulnerabilities and risk associated with the components and layers of a container.
• Container registries are repositories that hold groups of container images. InsightVM supports the following registries:
  • Amazon EC2 Container Registry (ECR)
  • Docker Hub
  • Privately Hosted Docker Registry
  • Google Container Registry (GCR)
  • Quay.io
  • Microsoft Azure
Demo & Lab 13:
The Insight Platform
Certification Exam
Overview and Practice
Exam
Get Certified
• This course includes one attempt at the online exam
• Accessed from the Skilljar environment
• 60 questions: 120 minutes
• Passing score of 80%
• Open book/documentation/notes/product
• https://help.rapid7.com/insightvm/en-us/
• Materials from this course (slide deck and lab guide)
• A running instance of InsightVM, with global admin privileges
Directions regarding product certification:

The product training exam exists as a separate lesson within your Skilljar training environment. After completing class, return to your Skilljar account and select the exam lesson for your class. Results are displayed immediately upon completion. Acclaim badges are issued weekly to the registered email address.

Partner program participants certify by taking the technical quiz from the partner portal. Your program coordinator will notify us of successful completion for badge issuance.

If you have any questions/comments/concerns, please reach out to Education_Services@rapid7.com and we would be happy to assist.
Review and Practice Exam
Practice Exam

1. Agents are managed and downloaded through the InsightVM Dashboard.
a. True
b. False
Practice Exam

2. Why is it recommended to use valid credentials with vulnerability scans?

a. To obtain maximum accuracy and visibility into vulnerability findings.
b. To confirm the Console user's identity before scanning
c. To ensure a secure session between the Engine and the host(s)
d. For logging and accountability purposes
Practice Exam

3. When sending your diagnostic information to support.rapid7.com you are doing it over a TLS-encrypted session over port 443.

a. True
b. False
Practice Exam

4. The default risk model for InsightVM is:

a. Weighted risk
b. Real risk
c. Temporal risk
d. PCI ASV 2.0 Risk
Practice Exam

5. To edit a built-in scan template you would:

a. Edit the template directly
b. Delete and re-create the template
c. Copy and paste the template into a new site
d. Copy the template, make changes, and save as a new template, leaving the old as-is
Practice Exam

6. If the error message "Not enough memory to complete scan" occurs during a scan, which of the following actions should be considered?

a. Run fewer simultaneous scans
b. Lower the number of scan threads allocated by your scan template
c. Power off the console
d. Both A and B
e. Both A and C
Practice Exam

7. What is the minimum RAM system requirement (in GB) for InsightVM console installations?

a. 32
b. 4
c. 16
d. 12
e. 8
Practice Exam

8. Which of the following report data export formats can InsightVM output?

a. CSV Export
b. XML Export
c. Database Export
d. CyberScope XML Export
e. All of the above
Practice Exam

9. Project metrics are ________________ updated as vulnerabilities are found not to exist any more, so that you can fully visualize the achievements of your remediation teams.
a. automatically
b. never
c. sometimes
d. seldom
Practice Exam

10. What URL would you use if trying to reach a remote InsightVM
install on another server?

a. http://servername/Console:3780
b. https://localhost:3780
c. https://serverIPaddress:3780
d. https://serverIPaddress:40814
Practice Exam

11. You have a single dual-processor InsightVM console with 8GB of RAM in a geographically diverse organization. You currently have no additional scan engines installed. You are attempting to scan 12 class C networks. Your scans seem to be failing and you are seeing ‘out of memory’ error entries in the console log. What is the BEST course of action that you should take to resolve the issue?

a. Increase the console's RAM.
b. Deploy Remote Scan Engines and reassign scans to the engines
c. Increase available memory by stopping unnecessary services.
d. Spread your scans over a longer period.
Practice Exam

12. Specify the items to which you can apply custom tags: (Select all
that apply)

a. An individual asset
b. Asset groups
c. Sites
d. Reports
e. Scan templates
Practice Exam

13. Performing a filtered asset search is the first step in creating what
type of asset groups?

a. Full
b. Asset
c. Dynamic
d. Site
Practice Exam

14. Which of the following is a factor in the determination of vulnerability severity levels?

a. Temporal Scores
b. CVSS Scores
c. Weighted Scores
d. SANS Vulnerability Scores
Additional Resources

• Rapid7 Support Portal
  • https://www.rapid7.com/for-customers/
• Rapid7 Help – Online Product Documentation
  • https://help.rapid7.com/docs/
• Rapid7 Academy
  • https://academy.rapid7.com/
• Rapid7 Extension Library
  • https://extensions.rapid7.com/
Advanced Vulnerability Manager
• SQL Query Reports – understand the reporting data model and learn to create custom queries for export
• InsightVM API – learn about InsightVM automation capabilities using the API, and learn to interact with the API to perform routine tasks
• Scripting with the InsightVM Ruby Gem – learn the basics of Ruby scripting and leverage the InsightVM Gem to automate routine tasks and extend functionality
• InsightVM Best Practices – learn tips and tricks to tune and optimize InsightVM to achieve the best performance and results
• Advanced Troubleshooting – learn the various ways to troubleshoot InsightVM issues

We want your feedback!!
Please take 2 minutes to fill out this survey about the class:

https://r-7.co/2ODGuZf
https://docs.google.com/forms/d/e/1FAIpQLSdlUQwqoeSSmqoBskGgE66XW40XcaxB926UgmpH__PWPAXqJg/viewform?c=0&w=1