Metasploit Team Unveils Community Powered Knowledge Base of Vulnerabilities and Insights
Rapid7 has launched an open beta of AttackerKB, a community-sourced knowledge base of the latest vulnerabilities. Its purpose is to provide a central repository of information on vulnerabilities to help defenders understand and triage threats.
Announcing the beta version in January 2020, Rapid7’s Metasploit R&D manager Caitlin Condon blogged: “When a new vulnerability prompts discussion on Twitter or hits media outlets, the security community collectively participates in a familiar triage process: Is the bug pervasive, exploitable, or both? Is it worth dropping everything to patch or mitigate? Is the expected shelf life long enough that it’s worth developing an exploit for? Or is it actually…not useful or interesting?”
The problem for corporate security teams is that this vital discussion is dispersed and fragmented across Twitter, individual blogs, news outlets and other media. Security teams cannot easily access the combined understanding of the world’s security researchers and hackers, and consequently spend more time and effort than should be necessary trying to interpret the potential impact on their own environment.
This problem was not lost on Rapid7’s Metasploit team. “Our R&D teams have commented in the past on the lack of a community-driven venue for discussing, analyzing, and prioritizing threats. Instead of continuing to lament that gap, we simply decided to fill it,” explains Cindy Stanton, VP vulnerability and risk management at Rapid7.
The response was AttackerKB — effectively a marketplace for the community of researchers and hackers to discuss and evaluate threats, and provide a central source of knowledge to security teams for their own time-critical decisions. “Our aim with the community,” continued Stanton, “is to foster collaboration to advance security, while also giving cyber practitioners confidence in their understanding of a threat and its potential business impact when they raise the alarm to stakeholders.”
Users of the knowledge base will be able to sort content by date, popularity and attacker value. They will also be able to search for specific Common Vulnerabilities and Exposures (CVE) entries using a range of filters such as CVE year, attack vector, required privilege and more.
Robin Wood, a freelance security tester and researcher (and co-founder of SteelCon, an annual hacker conference in the North of England), believes this is a good idea with the best of intentions. “It moves beyond ‘this vulnerability is a CVSS 7.1 so may be worth patching’ and ‘some people on Twitter say it could bring everything down so we must patch’,” he told SecurityWeek, “and aims to give a more thought-through commentary which is definitely useful.”
He sees only two potential problems. Firstly, “if there is a split in the people in the group over whether a vulnerability is a problem or not, then you have to pick who to side with — so you still have to make the judgement calls on how to react, just with a bit better information. The other one is if they ever get anything seriously wrong — especially saying something isn’t a problem which then becomes one. If that happens, it may lose credibility as people are more likely to weigh a mistake much more than all the good work.”
These are issues that Rapid7 has considered. In order to protect the value of the crowd wisdom it seeks to provide, contributing researchers earn profile points based on the number of assessments created and the votes received. The platform will also feature a leaderboard, and in the future researchers will earn badges for the quality of their advice.
AttackerKB’s primary purpose is to help security teams sift through the huge volume of new vulnerabilities discovered every year. According to NIST’s NVD, about 17,500 vulnerabilities were announced in 2019 — more than double the number for 2016, and a figure likely to be exceeded this year. “We’re excited to collaborate with folks from every part of this industry,” blogged Condon, “to boost signal, stomp out noise, and highlight the hot takes and measured technical assessments that, together, do the necessary (and sometimes messy!) work of moving this industry forward.”