News, news analysis, and commentary on the latest trends in cybersecurity technology.
HD Moore's Discovery Journey
Metasploit creator's shift into enterprise asset discovery and passive scanning with startup runZero is a natural evolution of his exploratory cyber career.
September 26, 2023
For as long as he can remember it, HD Moore has loved discovering unexplored connections between devices. Even as a kid, he was captivated by the idea that a world of phones were out there, just a random number away. Pick a number, dial it, and you would be connected to a new person. Then as he got into the Internet side of things, that urge for exploration was even stronger.
"You make up any random 32-bit number and there's probably something there, which is really cool," Moore explains. "The whole world is just a series of numbers."
This impulse, of course, is what drove his storied early career in network security. Moore, founder of the Metasploit Project and a recognizable researcher for exploring the dusty and buggy corners of the Internet, has been both celebrated and sometimes vilified for his work externally scanning and prodding devices connected to the public Internet.
More has come full circle in his discovery journey — but with a twist — through his startup runZero. Whereas so much of his career before this has been focused on the outside-looking-in exploration of external network scanning, the work at runZero is all about internal enterprise asset discovery.
"It's really neat taking the approach that I took previously for external-based network discovery and then applying that to the internal side," Moore says. "We're able to do that for companies behind the firewall and in their internal networks and all their cloud connections, VPNs, and multisite and regional links."
The Evolution of Moore's Career
Through all of that early external network discovery, Moore has personally discovered a large number of critical security flaws and innumerable exposed devices. And through his development work on open source tools, like Metasploit, WarVOX, and AxMan, he has enabled other security researchers and penetration testers to do the same.
About a decade ago, his Critical IO project at Rapid7 scanned the public Internet and picked up on 40 million to 50 million network devices wide open to attacks. It shined a light on the pervasive and insecure nature of open network connectivity right at the dawn of the Internet of Things (IoT) era. It also brought down heavy-handed threats from federal law enforcement that for a time had a chilling effect on the public nature of Moore's research career, particularly in combination with the burnout from building up post-IPO Rapid7. He kept his head down with more Metasploit and Rapid7 development work, eventually stepped back from Rapid7, and took a break from any public role. In 2017, Moore pivoted into a research and development role with the security assessment practice at Atredis Partners, a "boutique pen testing firm," as Moore describes it. The position gave him the opportunity to keep exploring — just in more tightly scoped engagements.
"I had been grinding away for six years straight, trying to ship software continuously, and I wanted to get back in the field, talk to customers, and see real networks," he explains of that period. "You spend too much time in the product space, and sometimes you worry that the world's moved on and you're now a dinosaur. Like, do I even know what the world looks like anymore? So it was good to get back in the field and every two weeks be going to a brand new merchant bank or a large retailer or whatever and just hacking everything."
As he progressed, one of the trends he noticed is that those companies that could afford a boutique security assessment firm tended to do a really great job locking down the assets they knew about. But even with huge budgets and lots of resources, his team inevitably found vulnerable assets that those organizations didn't know about in their quarterly pen tests.
"It could be a tape backup library in the corner or an ATM modem they forgot about. All that weird, screwy stuff in the corner where those customers had no way to defend it because it wasn't part of their EDR or SCCM," he says. "And that was the premise we started runZero with: How do we quickly find all of that stuff?"
In 2019 he started the first iteration of the firm as Rumble and bootstrapped it with a grassroots approach that focused on working closely with beta customers and a free tier that provided a lot of feedback that drove further refinement of the product. By 2021 the firm started picking up venture capital funds — $5 million in seed funds in 2021 and another $15 million in Series A in 2022 — and last year rebranded under the runZero name.
What's New at RunZero
The early effort at runZero on the technology front has focused on asset discovery through active scanning. The goal, said Moore, was to expand to areas of discovery beyond the same-old, same-old of nmap scanning.
"Back in 2018 or even slightly before, anybody who had the word 'scanner' in their product was either using nmap or had a vuln scanner, and that's pretty much it, nothing really in between," he says. "While nmap is great — I licensed it three times at three companies — it changes how you approach network discovery if everyone is using the same tooling."
So the approach was to build from scratch and do things differently.
"Most of the folks who built the early scanning tools 20 years ago, they were really building it for vulnerability scanning. They want to find exposure so you can either patch or exploit them. We don't care so much about that," he explains. "We really just care about identifying an asset in the first place and doing a really good job of identifying if you physically see a box on the wall, can we tell you what you think that box looks like — not is it Linux 2.416, but is it a Roku media player? Is it a printer?"
In that process of developing fingerprinting asset discovery on the active scanning front, runZero was running into the limits of what active scanning can do.
"What we found though is that there's a lot of things that active scanning just doesn't do," he says. "You can't do an active scan for a device where you can't route a packet to it. So if there's no way for you to even talk to that IP address, you can't get any response from it. So active scanning and our active scanner, in particular, is probably one of the best ways to get the information, but if you don't have that, what's the next step?"
Today the company is exploring that next step with a new release of its platform that adds passive discovery into the mix. Not only does it help expand the discoverability of certain devices, but it also treads more lightly in operational technology (OT) environments like power plants, where the risk of active scanning disrupting uptime could well outweigh the risk of not knowing about certain assets.
"We basically took the scanner and then inverted it," Moore explains. "So we took the same packet parsing engine that we have for doing active scanning and now basically apply that to passive traffic flowing through it, and it will basically give you the output of a scan, but from a passive network flow."
Meantime, he hopes to keep leaning on the lessons learned from his long career of building exploratory security software to make the platform more functional and accessible. One of the big ones is the democratization of tooling. As part of the new platform launch, the company introduced a new free version of the platform designed for small businesses, individuals, and security researchers with 100 or fewer assets. The free version is fully functional for these use cases.
"We just feel like the folks in this space are really stingy about offering demos and free trials because it's so expensive for them to operate it. We've taken a different approach where we really want everyone to use it, and we want more people to actually get involved with it," Moore says. "This isn't just something that just your large enterprise should be able to use. We feel like everybody from your home lab to your SMB should be able to leverage it."
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024