What You Need to Know About Vulnerability Scanners

July 22, 2020 • The Recorded Future Team

It’s never been easier for threat actors to plan, prepare, and execute their attacks using automated tools. Successfully defending your organization against automated threats requires automated intelligence.

A vulnerability scanner is defined as an automation tool that enables you to combat several risks that stem from vulnerabilities. However, vulnerability scanners may present more false positives than answers when they lack real-time, contextual security intelligence.

What Does a Vulnerability Scanner Do?

A vulnerability scanner is an automated tool that searches an entire network and provides an asset inventory (firewalls, servers, switches, clients, etc.) and a list of the operating systems on the network — as well as any exposed ports and exposed vulnerabilities.

Types of Vulnerability Scanning

Vulnerability scans can be performed externally or internally. However, regardless of how they are performed, scans can be either authenticated or unauthenticated.

Internal and External Vulnerability Scans

Many security teams begin their scanning strategies with external scans. Several external vulnerability scan providers offer free trials online. However, illegitimate scanning attempts are a regular occurrence, so be sure to identify and self-assess external gateways, external-facing web applications, firewalls, and open ports.

Performing scans from inside a network is important to determine what is exposed to a threat actor who circumvents a firewall. In addition, internal scans generally provide more actionable results than external scans — but with that benefit comes increased deployment complexity. Scanning internally may cause an unintended denial-of-service or trigger security monitoring alerts, which tend to send the SOC into a frenzy.

Authenticated and Unauthenticated Vulnerability Scans

Unauthenticated scans will attempt to check for vulnerabilities without usernames, passwords, installed agents, or other pre-approved credentials. External scans are typically performed unauthenticated, simulating the illegitimate behavior that any device is subject to when exposed to the internet. This enables quicker deployment, without the need for credential allocation or agent installation.

With an authenticated scan, the vulnerability scanner features a mechanism to authenticate. Larger solutions typically use an agent installed on each asset, providing the ability to go beyond a scan and test for vulnerabilities within an application or system. Authentication scans should be performed either internally or securely. They offer a greater depth of checking and a reduced false positive rate. An authentication approach requires planning and configuration, and a slower, complex approach — especially when compared to external unauthenticated scans.

Limitations of the Vulnerability Scanning Process

One of the major criticisms of vulnerability scanners are false positives — an incorrect detection of a vulnerability present on an asset. There are various reasons why a vulnerability scanner may produce a false positive, so it is ill-advised to completely trust a scanner’s results without additional context.

To gain the greatest benefit of a vulnerability scan, it is essential to plan appropriately and have clarity on where the function resides within your organization’s processes. Scans that are rushed and not fully understood will provide substantial unnecessary workloads — 43% of organizations believe prioritizing remediation is their biggest hurdle. If you plan and configure correctly, your scans will provide actionable beneficial outputs.

Legal Risks to Consider

It is vital to understand that vulnerability scanners operate in a grey area within the law and there is some debate around the legalities of port scanning. As a rule, it’s best to obtain appropriate permission from the asset owner to scan any network or device. Complexity occurs for assets leased or managed by a third party and explicit consent is likely required from multiple parties. Always engage with your organization’s legal representatives for formal legal advice.

Download this short e-book today to explore five ways security intelligence makes vulnerabilities manageable — beyond patching prioritization. In it, you’ll discover how to close vulnerability gaps across your entire ecosystem and better defend your organization.

New call-to-action