Performing Additional Predeployment Tasks

The following sections provide information on gathering network information, setting up honeypots, setting up event sources for Metasploit and Nexpose, and getting access to the Insight Platform.

Gathering network information

Some key information about the network configuration needs to be added to the Insight Platform configuration. The information that needs to be entered is:

  • Internally assigned VPN IP addresses
  • If using a public IP address range for internal IP addresses, the public IP address range
  • IP address ranges with static IPs 

If possible, collect this information before the deployment so that it can be added at that time.

Preparing for intruder trap setup

Honeypots are fake assets that produce an alert any time a user attempts to connect to them. Once attackers gain an initial foothold in a network, their next step is typically a network scan to identify the other assets on the network. If you deploy the Rapid7 honeypot and enable the associated alerts in InsightIDR, you will be notified if such scanning activity occurs.

You will be able to download the Rapid7 Honeypot as an Open Virtualization Appliance (OVA) once you have logged into the Insight Platform and started your deployment. That is, if you want to use the honeypot, you will download the file and import it as a virtual machine in your VMware environment.

Honey files

A honey file is a kind of intruder trap that allows you to detect whether a specific file has been interacted with by a user. If someone is snooping through files and attempts to access the honey file in any way, it generates an alert.

The requirements for setting up honey file traps are:

  • Honey files must be placed on a system running a Microsoft Windows OS.
  • The Windows assets that will hold the honey file must have the "Audit Detailed File Share" audit policy enabled. This is a Windows setting that is configured on the Windows system itself.
  • A Continuous Agent or an endpoint scan agent must be deployed onto the Windows asset prior to the start of the honey file setup.
  • You will need the file name of the honey file, including the file extension and valid file path.
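As an added example (not from the Rapid7 guide), the following PowerShell checks and enables the "Audit Detailed File Share" subcategory on the Windows asset, confirms the honey file path exists, and lists recent Security-log events that reference the file. The honey file path is a constructed placeholder; run this elevated on the asset that will hold the honey file.

```powershell
# Added example, not Rapid7's code. $HoneyFile is an assumed, constructed
# path; replace it with the real honey file path (including extension).
param(
    [string]$HoneyFile = 'C:\Shares\Finance\Q3_Payroll_Draft.xlsx'
)

$Subcategory = 'Detailed File Share'

function Get-DetailedFileShareAudit {
    # auditpol /get prints a small table; the queried subcategory line ends
    # with its setting: "Success and Failure", "Success", "Failure" or "No Auditing".
    $line = auditpol /get /subcategory:"$Subcategory" |
        Where-Object { $_ -match $Subcategory }
    return ($line -replace "^\s*$Subcategory\s+", '').Trim()
}

Write-Host "Current setting: $(Get-DetailedFileShareAudit)"

# Enable success and failure auditing so every share access check against
# the honey file is recorded in the Security log (event ID 5145).
auditpol /set /subcategory:"$Subcategory" /success:enable /failure:enable | Out-Null

$after = Get-DetailedFileShareAudit
if ($after -ne 'Success and Failure') {
    throw "Expected 'Success and Failure' for '$Subcategory', got '$after'."
}
Write-Host "Audit Detailed File Share is now: $after"

# The honey file must exist at the exact path that will be entered into
# InsightIDR; a missing or renamed file means no alerts are ever generated.
if (-not (Test-Path -LiteralPath $HoneyFile)) {
    throw "Honey file not found: $HoneyFile"
}
Write-Host "Honey file present: $HoneyFile"

# Local sanity check of what the agent will forward: recent 5145 events
# whose message names the honey file.
$name = [IO.Path]::GetFileName($HoneyFile)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($name) } |
    Select-Object TimeCreated, Message |
    Format-List
```

If the final query returns nothing on a freshly configured asset, open the file once from another host over the share to confirm that a 5145 event appears before relying on the trap.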

Honey users

To prepare for the honeypot, Rapid7 recommends that you create a “honey user”. A honey user is a dummy account not associated with a real person within your organization. Because the honey user is not a real user, no legitimate login should ever occur against it. Attackers frequently attempt to authenticate to as many user accounts as possible during the reconnaissance phase of an attack, so any authentication activity on the honey account is an indicator of such reconnaissance. In InsightIDR, this type of activity generates a Honey User Authentication incident.

To create a honey user, you will need to create a new user in Active Directory with a believable name; the user should have every appearance of being a normal employee in your organization. To make the user more believable, you may wish to create several accounts for the honey user. You'll need to remember the honey user’s name so that it can be entered during the Insight deployment.

To learn more about honeypots, please see Setting Up Honeypots.

Preparing for Nexpose or Metasploit integration

Integrating Nexpose into your InsightIDR platform allows you to view vulnerability and risk information found in Nexpose in the Insight Platform.  Integrating Metasploit Pro into your InsightIDR deployment allows you to view phishing campaign data from Metasploit in the Insight Platform.

  • For Nexpose integration, you need a Nexpose user account that is a Global Admin.
  • For Metasploit integration, you need an API Token, which can be generated from the Metasploit Pro interface.  See the guide for more information.

To learn more about integrating with Metasploit and Nexpose, please see Adding Nexpose and Metasploit Pro Event Sources.

Getting access to InsightIDR

To log in to InsightIDR, browse to https://insight.rapid7.com if you are in the US, or to https://eu.insight.rapid7.com if you are in EMEA. On the login page, click the Reset password link. Enter your email address and follow the password reset process to obtain your credentials. You'll then be able to use your email address and the new credentials to log in to InsightIDR.