Scanning assets for known vulnerabilities is a mandatory process in many organisations. This topic comes in the third position of the CIS Top-20. The major issue with a vulnerability scanning process is not on the technical side but more on the process side. Indeed, the selection of the tool and its deployment is not very complicated (well, in not too complex environments, to be honest): Buya solution or build a solution based on free tools, define the scope, schedule the scan and it’s done. Then start the real problem: How to handle the thousands of vulnerabilities reported by the tool? Yes, be sure that you’ll be flooded by alerts like this:
Amongst this huge amount of reported vulnerabilities, how to spot the important ones and eliminate the noise? The process must implement a review of the vulnerabilities and analyse them in the context of your organisations. Indeed, a vulnerability reported in “red” or “critical” by the tool does not mean that it is really critical in YOUR context or at THIS time. All vulnerabilities must be addressed and fixed but we lack of resources and time so we need to prioritize our actions. To make this task easier, I would like to show you an interesting classification that I read from a vendor’s powerpoint slide. Vulnerabilities were classified into six categories:
|Not Active||By correlating the scan results with network traffic (flows), you can detect if the vulnerable application is active or not. The classic case is a default service that has been kept running (like a web interface).
The affected system must be hardened.
If you have a tool to automatically deploy patches, it may happen that the scan occurred while the patch which addresses the vulnerability is not yet fully deployed
|Rescan to ensure that patches were deployed.|
|Blocked||The vulnerability is verified but protections are already in place to mitigate it (thanks to a firewall, an IPS or a web application firewall).
||Patch as soon as possible.|
|Critical||The application is used and there is at the moment no mitigation in place.
||Patch now or deploy another defence layer.|
|At Risk||An exploit is available online or threat intelligence reports that the vulnerable assets are searched by attackers.
||Monitor carefully access to the vulnerable application (via logs, network flows) and patch as soon as possible.|
|Exploited||Based on logs from other tools or your SIEM solution, we have evidence that the vulnerability has already been exploited.
||Launch your incident response plan.|
This is a very quick overview of how to perform triage on vulnerabilities to put the focus on the real critical ones. To easily extract information from other defence layers and correlate them with the vulnerability scan results, I recommend you to not use the scanner alone but to integrate it into your SIEM.
Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant