Jon Hencinski (@jhencinski)
Followers: 9K | Following: 4K | Media: 239 | Statuses: 2K

VP, MDR @rapid7 | Servant Leader | Capacity Builder | SOC Innovator | Here to learn, share what I know, and help others.

Virginia, USA
Joined September 2016
Jon Hencinski (@jhencinski) · 4 years ago
A good alert includes:
- Detection context.
- Investigation/response context.
- Orchestration actions.
- Prevalence info.
- Environmental context (e.g., src IP is scanner).
- Pivots/visual to understand what else happened.
- Able to answer, "Is host already under investigation?"
Jon Hencinski (@jhencinski) · 2 months ago
RT @rapid7: A statement from @ChristiaanBeek, Rapid7 Senior Director, Threat Analytics, regarding the #LockBit ransomware group ⤵️ https://…
Jon Hencinski (@jhencinski) · 2 months ago
Final Thoughts:
Security is a continuous process with no finish line—but choosing what to secure first matters. Our goal in sharing these insights is to help you make informed decisions about where to focus your resources to better protect your organization and its people.
Jon Hencinski (@jhencinski) · 2 months ago
Bonus: Social Engineering via Microsoft Teams. We’ve seen threat actors impersonating IT in Teams chats, convincing users to install RMM tools like AnyDesk or ScreenConnect.
✅ Action:
- Lock down external Teams chat—or only allow specific trusted domains.
- Enforce app.
Jon Hencinski (@jhencinski) · 2 months ago
5. Exposed RDP. Still a ransomware favorite. If you’re exposing RDP to the public internet, it’s a matter of when, not if.
✅ Action:
- Don’t expose RDP directly—use a VPN, jump host, or PAM solution to broker access.
- Enable NLA and TLS for all RDP sessions.
- Lock down access.
Jon Hencinski (@jhencinski) · 2 months ago
4. SEO Poisoning. Attackers poisoned Google search results to serve trojanized tools (often VMware-related) to IT admins. Those tools came bundled with remote access malware.
✅ Action:
- Turn on SafeSearch at the org level (via Google Admin or DNS filtering like Umbrella or.
Jon Hencinski (@jhencinski) · 2 months ago
3. Brute Forcing. Public services with no lockout policies continue to get hammered.
✅ Action:
- Set account lockouts or rate limits after failed login attempts.
- Use longer passwords—12+ characters—and screen them against breached password lists (e.g., HaveIBeenPwned).
Jon Hencinski (@jhencinski) · 2 months ago
2. Vulnerability Exploitation. These were all known vulnerabilities with patches available—but still got hit in the wild. Targets included:
Fortinet (FortiOS / FortiProxy):
- CVE-2024-55591 – Auth bypass via WebSocket → super-admin
- CVE-2025-24472 – CSF proxy bypass →
Jon Hencinski (@jhencinski) · 2 months ago
1. Account Compromise (No MFA)
Over 50% of ransomware-related intrusions started with compromised credentials. What we saw:
- Single-factor sign-ins (VPNs, email, portals).
- Accounts that should’ve had MFA, but didn’t—usually due to misconfigurations.
✅ Action:
- MFA all of the.
Jon Hencinski (@jhencinski) · 2 months ago
How Ransomware Groups Got In: @rapid7 MDR’s Top Initial Access Vectors from Q1 2025.
Top Initial Access Vectors
- Account Compromise (No MFA)
- Vuln Exploitation (all known, patchable)
- Brute Forcing
- Exposed RDP
- SEO Poisoning
What our #MDR team saw in real-world.
Jon Hencinski (@jhencinski) · 3 months ago
What it’s like to be an #MDR analyst @rapid7:
You start your shift and scan the queue. One alert stands out — and it follows a familiar ransomware pattern. A QuickAssist session was launched right after a conversation with an external Microsoft Teams user. You’ve seen this.
Jon Hencinski (@jhencinski) · 3 months ago
RT @4n6lady: I’m an Incident Responder on the AWS Customer Incident Response Team (CIRT). And I get asked a lot of questions, like: “Where…
Jon Hencinski (@jhencinski) · 3 months ago
You just landed your first SOC/MDR analyst role. Here’s how to crush your first few months:
• Be someone people want to work with.
• Build strong connections with your team.
• Build a relationship of trust with your manager.
• Ask questions early and often.
Write everything.
Jon Hencinski (@jhencinski) · 3 months ago
How often does your #SOC / #MDR conduct quality control checks? ⬇️.
Jon Hencinski (@jhencinski) · 3 months ago
What traits make a great #SOC analyst? I'll start.
- Curious: Always digging to understand how things work.
- Candid: Quick to say what they know – and what they don't.
- Passionate about learning: Chases new knowledge beyond security.
- Driven: Always asking, "How else.
Jon Hencinski (@jhencinski) · 3 months ago
Attackers are exploiting CVE-2025-31324 (CVSS 10.0) in SAP NetWeaver Visual Composer to gain initial access. @rapid7 #MDR has tracked active exploitation since at least March 27:
- Targets: mainly manufacturing orgs.
- Method: unrestricted file upload to deploy webshells.
🛡️.
Jon Hencinski (@jhencinski) · 3 months ago
In my journey, we’ve hired a lot of people into the #SOC who didn’t start in tech. One was an underwater welder. Another, a police officer. We’ve brought on videographers, retail specialists, accountants—even a bat scientist. What they had in common: grit, curiosity, passion.
Jon Hencinski (@jhencinski) · 5 months ago
RT @Felipe_Millon: Today, we at OpenAI launched Deep Researcher and I wanted to share a deeply personal story about how amazing this tool i…
Jon Hencinski (@jhencinski) · 6 months ago
Big news! I've joined @rapid7 as VP of Threat Detection and Response. Energized to lead our #MDR into its next phase of growth. My focus: revolutionizing the #SOC by reimagining the analyst experience and pushing the boundaries of threat detection to deliver industry-leading.
Jon Hencinski (@jhencinski) · 7 months ago
RT @Jdomedion: @jhencinski The biggest takeaway from his book is that he worked with what he had rather than trying to become something he…
Jon Hencinski (@jhencinski) · 7 months ago
RT @biffbiffbiff: @jhencinski AiTM phishing is def the rule more than the exception now over the last 2 years. Excellent tips. I'd also add…