This time we would like to discuss one of the most crucial concepts in every IT environment and, as you can guess from the title, that is vulnerability management. Based on experience and the different ways of approaching security matters, we believe that this service is a must in every IT security environment, especially a SOC.
In every organization there is an undefined number of vulnerabilities, ranging from physical security, to hardware vulnerabilities that every PC manufacturer faces daily, to operating system vulnerabilities that are often exploited because of a lack of patch management, and even the most popular applications we use daily (for example WinRAR or Chrome).
Unpatched or legacy applications often become the first target for attackers and the way they gain a foothold in an organization.
A lot of people, even experienced engineers, often say that their infrastructure is secure only because there is no direct connection from the outside, but they do not consider that modern attacks mostly originate from devices inside the infrastructure which have already been compromised. This can happen for various reasons:
1. The company permits users to work remotely or even use their own devices (BYOD), which obviously lack security hardening. Remote storage device management deserves a separate discussion.
2. Even if there is no access from the internet, there is always a connection to the internet, and outbound firewall filters are less effective, or we dare say "useless", against the constant risks of internet browsing.
3. A lot of organizations lack the policies and the means to control the applications installed by each end user, which often results in someone unintentionally installing a malicious or suspicious app that later becomes the starting point of an infection.
4. The lack of security awareness training is the most common reason users click suspicious links, open email attachments from untrusted senders and visit insecure websites, getting their credentials stolen, confidential information leaked and their devices compromised without their knowledge. Even the most qualified person in this field is not protected from the daily interactions with their devices.
The primary use case of vulnerability management solutions is to seek, analyze, report, recommend and verify the remediation of such vulnerabilities, which will surely remove extensive risks from any IT environment and make it safer.
In the security field we have two approaches: reactive and proactive.
Reactive is when we set up our various detection solutions (SIEM, EDR, IDS etc.) across the company infrastructure and wait for the attacker, or any sign of compromise, to show up. This is considered the more traditional approach compared to the second one, but based on our experience its detection and prevention mechanism is not instant magic, and there will surely be a small portion of data leaked or corrupted. We should also consider the amount of time, money and effort it takes to set up and bring into production.
With the proactive approach, we have different tools for threat hunting, conducted on the basis of our own hypotheses, risk analysis or popular cyber threat publications, and of course our vulnerability scanner, which periodically scans the environment (preferably during the period of least production load) for any possible loophole an attacker could exploit or take advantage of, and helps us close it before it causes any trouble; thus the amount of risk decreases constantly. As the name of this approach implies, we do not have to wait for the attacker to show up; we simply make the odds of that happening close to zero.
The ways a scanner detects vulnerabilities vary. The most basic scans run without being given any credentials and check for basic things such as weak encryption algorithms, default passwords, open port responses etc.
The most effective way to get full vulnerability data is to perform the assessment with the target system's credentials. In this case, besides the basic assessment, the scanner also logs in to the system remotely to get full visibility from the inside, so the amount of information it generates increases significantly.
Also, many security solution vendors (including open-source ones) nowadays offer end-user agents which perform the scan from inside the system and send the report to the management console, without the need to hand credentials to the scanner node.
One important factor for consideration is the location of the vulnerability scanner node: whether only a specific type of network is permitted on that segment, whether it scans through a firewall (usually not recommended due to the significant number of packet drops), and whether you wish to scan external web applications (which also take a long time to scan due to WAF or DDoS protection).
Vulnerability reporting and priority analysis also require separate knowledge of the infrastructure, because the severity measures are taken directly from the MITRE database or another external resource, which measure them objectively without considering the client's internal structure and business impact.
In conclusion, we would like to add that even if there is no known publicly available exploit for a vulnerability, that does not mean you should ignore it, because there will always be attackers with zero-day exploits lurking on the dark web, waiting for a potentially profitable attack.
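As an added example (not code from the original post), here is a small Python model of the two points above: the scanner's objective severity score is re-weighted by the host's network exposure, business criticality and exploit availability, so a critical finding on an isolated low-value kiosk can rank below a medium finding on an internet-facing server, while a finding with no public exploit is de-emphasised but never dropped. The weights, host names and finding references are constructed assumptions, not a published standard.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions, not a published standard): how much of the
# objective base score survives once the host's exposure and value are applied.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
NO_PUBLIC_EXPLOIT_FACTOR = 0.8  # de-emphasise, never discard: zero-days exist


@dataclass
class Finding:
    host: str
    ref: str             # scanner's own finding reference (constructed placeholders below)
    base_score: float    # objective severity as reported, e.g. a CVSS base score 0-10
    exploit_public: bool
    exposure: str        # "internet" | "internal" | "isolated"
    criticality: str     # business value of the host: "high" | "medium" | "low"


def priority(f: Finding) -> float:
    """Environment-aware priority: the scanner's objective score scaled by where
    the host sits in the network and what it is worth to the business."""
    score = f.base_score * EXPOSURE_WEIGHT[f.exposure] * CRITICALITY_WEIGHT[f.criticality]
    if not f.exploit_public:
        score *= NO_PUBLIC_EXPLOIT_FACTOR
    return round(score, 2)


def rank_by_priority(findings):
    """Hosts ordered by environment-aware priority, highest first."""
    return [f.host for f in sorted(findings, key=priority, reverse=True)]


def rank_by_base_score(findings):
    """Hosts ordered purely by the scanner's objective score, highest first."""
    return [f.host for f in sorted(findings, key=lambda f: f.base_score, reverse=True)]


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("kiosk-01",   "finding-1", 9.8, True,  "isolated", "low"),
    Finding("payroll-db", "finding-2", 7.5, False, "internal", "high"),
    Finding("www-edge",   "finding-3", 6.1, True,  "internet", "medium"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host}: base {f.base_score} -> priority {priority(f)}")
    print("by base score:", rank_by_base_score(SAMPLE))
    print("by priority:  ", rank_by_priority(SAMPLE))
```

The raw scanner order puts the isolated kiosk first; the environment-aware order puts the internet-facing server first and keeps the unexploited payroll finding close behind it.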
Have a good vulnerability hunt 😊.