Cyber-security company Rapid7 launched today a new web service named AttackerKB, a web portal that crowdsources vulnerability assessments to help companies understand and prioritize which bugs need to be patched before others.
The service launched as a closed beta in January 2020 and today enters a public beta preview.
The site’s primary purpose is to have infosec professionals review vulnerabilities and share the information with others, for free.
The community can then vote on reviews based on how useful the security flaw would be in the hands of an attacker. The more assessments and votes a vulnerability receives, the more dangerous it is considered, and companies can act to prioritize a patch.
Vulnerability assessment services like these are available today from many threat intelligence and analysis firms; however, most come at steep prices. AttackerKB aims to provide a community-driven, crowdsourced alternative at no cost, for large and small companies alike.
Helping fix vulnerability fatigue
The AttackerKB portal also aims to address another problem in the cyber-security industry: vulnerability fatigue.
The number of security flaws disclosed each week and month has been on a constant rise for the past decade. Each day, security teams at large companies are bombarded by alerts of newly disclosed vulnerabilities.
When security teams learn of a new bug, they must check whether they have vulnerable equipment on their networks and then assess whether the vulnerability is dangerous enough to justify planning a maintenance window and shutting down operations while they test and deploy patches.
Such reviews take from minutes to hours and clutter the already busy day of a security professional. In many cases, bugs are also overhyped by news sites or members of the infosec community, and security teams end up wasting time looking into issues that, despite high severity scores, are of little to no use to an attacker.
Rapid7’s new AttackerKB aims to solve this problem by having the larger infosec community review vulnerabilities from an attacker’s perspective (hence, the name Attacker KnowledgeBase), leveraging their own areas of expertise to do so.
“Just as an unnoticed bug may escape broad notice, a novel vulnerability that provokes a lot of concern and press coverage may still be relatively uninteresting from an attacker’s point of view (e.g., because the configuration required for exploitation is obscure and unlikely to be implemented in environments encountered on pen tests or red team engagements),” Brent Cook, senior manager of software engineering at Rapid7, told ZDNet in an email.
“AttackerKB strives to provide this qualitative perspective in addition to more objective information (e.g., ‘no user interaction required’ or ‘RCE’) about truly impactful vulnerabilities.”
Everything can be reviewed
Cook also says that AttackerKB won’t discriminate by the type of vulnerability listed on the site. Everything can be reviewed and listed. The site’s true purpose is to review all bugs, not just those that are of interest to attackers.
“There is no minimum criteria for a vulnerability being listed on the site,” Cook said. “AttackerKB users choose which vulnerabilities to assess as high-impact or benign based on their own interests, skill sets, and personal experiences (e.g., as penetration testers or exploit developers).”
Cook also tells ZDNet that AttackerKB will even include vulnerability assessments for bugs that have yet to receive a CVE identifier.
CVE identifiers are typically assigned to all major bugs, and companies sometimes skip patching bugs that lack a CVE ID, reasoning that a vulnerability not important enough to receive a CVE is not important enough to patch.
In reality, many severe bugs fail to receive a CVE in time, primarily because of bureaucracy rather than a lack of importance or severity. AttackerKB aims to raise the alarm about such vulnerabilities even before they receive a CVE.
Furthermore, Cook says that AttackerKB will also list issues that are not eligible for a CVE identifier and which aren’t technically “security flaws.” This will help companies stay aware of issues that come to light from academic research, such as bugs in feature implementations or weaknesses in protocols as a whole.
Leaning on the Rapid7 community
The new AttackerKB site is not meant to replace the Common Vulnerability Scoring System (CVSS), the industry-recognized standard for rating security flaws.
“[AttackerKB] is not intended to be an authoritative ranking of which vulnerabilities are the most or least dangerous, but instead a centralized place for the security community to express opinions on which vulnerabilities they consider to be worthy of attention and why they hold those opinions,” Cook said.
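To make the triage idea concrete, here is an added Python example (not AttackerKB’s code, data model or API; the record fields, the 1-to-5 vote scale, the thresholds and the blend weights are all assumptions) that ranks constructed vulnerability records by community attacker value blended with CVSS, flags high-CVSS but low-attacker-value bugs as possibly overhyped, and keeps bugs that have no CVE yet in the queue rather than dropping them.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed record shape for illustration only; AttackerKB's real data model is not public on this page.
@dataclass
class VulnRecord:
    name: str
    cvss: float                 # CVSS base score, 0.0-10.0
    has_cve: bool               # False when no CVE identifier has been assigned yet
    attacker_votes: List[int] = field(default_factory=list)  # assumed 1-5 attacker-value votes

def attacker_value(v: VulnRecord) -> float:
    """Mean community attacker-value vote rescaled to 0-10; 0.0 when nobody has assessed the bug."""
    if not v.attacker_votes:
        return 0.0
    return sum(v.attacker_votes) / len(v.attacker_votes) * 2.0

def triage_label(v: VulnRecord) -> str:
    """Qualitative label: CVSS alone never decides, community attacker value does (assumed thresholds)."""
    if not v.attacker_votes:
        return "unassessed"          # fall back to CVSS ordering until someone assesses it
    av = attacker_value(v)
    if v.cvss >= 7.0 and av < 4.0:
        return "overhyped"           # high severity score, little use to an attacker
    if av >= 8.0:
        return "patch-now"           # high attacker value regardless of CVE status
    return "schedule"

def priority(v: VulnRecord) -> float:
    """Blend attacker value (weight 0.7) with CVSS (0.3); unassessed bugs rank by CVSS alone."""
    if not v.attacker_votes:
        return v.cvss
    return 0.7 * attacker_value(v) + 0.3 * v.cvss

def prioritize(records: List[VulnRecord]) -> List[VulnRecord]:
    """Patch queue, highest priority first; lack of a CVE never removes a record from the queue."""
    return sorted(records, key=priority, reverse=True)

# Constructed sample records (names and numbers invented for the example).
SAMPLE = [
    VulnRecord("obscure-config-rce", cvss=9.8, has_cve=True, attacker_votes=[1, 2, 1, 2]),
    VulnRecord("no-cve-auth-bypass", cvss=6.5, has_cve=False, attacker_votes=[5, 4, 5]),
    VulnRecord("unassessed-dos", cvss=7.5, has_cve=True),
    VulnRecord("moderate-info-leak", cvss=5.3, has_cve=True, attacker_votes=[3, 3]),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        cve_note = "" if v.has_cve else " (no CVE yet)"
        print(f"{priority(v):5.2f}  {triage_label(v):10s} {v.name}{cve_note}")
```

Run as a script it prints the queue with the CVE-less auth bypass ranked first and the high-CVSS but obscure RCE ranked last.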
As Cook hints, most of the heavy lifting that’s going to happen on the site will be done by its community. However, this isn’t expected to be an issue.
Rapid7 is the company behind Metasploit, today’s most popular penetration-testing toolkit, an open-source project also driven by its users.
The Metasploit community supplies patches and new features, and also develops new offensive Metasploit modules (exploits). Assessing a vulnerability is a natural step before developing a Metasploit module, a process that Rapid7 now hopes to tap into to get the AttackerKB portal off the ground.
Cook also tells ZDNet that AttackerKB struck a nerve with some security professionals during its closed beta period and seems to be addressing a need that many organizations have long felt.
“We were surprised to hear how frustrated and tired even experienced security professionals were with what they perceived as ‘hype’ surrounding some vulnerabilities,” Cook told ZDNet.
The Rapid7 manager shared the following comment the company received from one of its closed beta users:
“I’m tired of trying to convert hypothetical apocalypses to reality on a regular basis. If a company has strong controls in other areas, many of these ‘doomsday’ zero-days are really mild or not a threat at all. But getting to that final determination is an arduous process.”
Users can sign up for AttackerKB using their GitHub account.