- Vulnerability Management Lifecycle
- Vulenrability Assessment Tools
- CVSS
- CVE
- NVD
- Vulnerability Identification
- Vulnerability Remediation
- Creating Recommendations Based on Vulnerability Assessments
- Baseline
- Vulnerability Assessment
- Risk Assessment
- Remediation
- Understand the business processes, applications & services, which of them are criticial, and what technologies support those.
- Identify and prioritize assets.
- Identify controls and policies in place.
- Define the scope of the assessment so we are not touching/damaging things we shouldn't.
- Physical security.
- Misconfigurations.
- Identify & prioritize vulnerabilities based on business.
- Intelligence to identify real world exploits of found vulnerabilities.
- Given the found vulnerabilities, what is the potential impact? (shutdown, lose assets, data breach?)
- What kind of impact is more critical to the busines?
- i.e, if we get attacked with a ransomware, but we periodically create backups, then the impact would be more bearable.
Recomendations to management/stakeholders to fix vulnerabilities.
Dynamical analysis and reviewing attack surfaces after remediation.
Implement some of the following:
- Logs.
- Policies and procedures for controls.
- SOC
- Host-Based: testing for known OS vulnerabilities.
- Scope: testing for known applications vulnerabilities.
- Depth: look for previously unknown vulnerabilities.
- Application layer; focusing more on web servers, databases, specific technologies.
- Active/Passive: active scanners are actively checking for services consuming system resources, where as passive scanners don't have that much impact in system resources.
Open framework to communicate characteristics and actual impact of different vulnerabilities, through a scoring system that goes from 0 to 10 based on criticial level.
It explains what are some of the reasons of behind a particular score.
Dictionary of public identifiers around common vulnerabilities/exposures.
Database of security checklists, software flaws, misconfigurations, etc, and what kind of impact does that vulnerability has.
- Nessus
- Qualys
- Nikto (web)
- OpenVAS
- RetinaCS
First scan current subnet and look for open services.
ifconfig // validate correct network
nmap -sT -F 192.168.0.0/24 -oG Target_List
// -sT for TCP scan
// -F for "fast" scan
// -oG to save in specified file in present directory
// another alternative
nmap 192.168.0.0/24 | tee QuickScanResults.txt
Then go to OpenVAS and upload targets (Configuration -> Targets -> New Target) and then perform scan (Scans -> Tasks -> New Task) on those targets.
If we want to target an specific host (i.e 192.168.0.20), first scan host's network:
nmap -v 192.168.0.20 | tee 192.168.0.20_scanresults.txt
leafpad 192.168.0.20_scanresults.txt &
Then, conduct an OS Fingerprint scan to determine associated OS.
nmap -A 192.168.0.20 | tee 192.168.0.20_OSFINGERPRINT.txt
You can find information of which services are running on OS, and on what ports.
ipconfig // determine system IP and subnet mask
Run CORE Impact and:
- Create workspace.
- On the left panel, go to Network Vulnerability Test.
- Target IPv4 network range (192.168.0.0/24 or 192.168.0.*).
- On the left panel, go to Network Report Generation -> Network Vulnerability Report.
We can use CORE Impact's Local Information Gathering tool for this.
After running scan on desired host, we can generate a report in Network Report Generation -> Network Host Report.
We can use CORE Impact's Network Attack and Penetration tool.
First, perform a network scan with Network Information Gathering as explained before.
Then perform vulnerability scanning with Attack and Penetration tool.
You will need to select an Attack Method having identified the targets to scan. Use Launch exploit modules to identify core execution vulnerabilities. Make sure you uncheck the Exploit selection if your main goal is to identify vulnerabilities and not exploit a target.
One first step towards vulnerability remediation, is allow for Audits, by identifying what objects are being accessed and what operations are done through logs.
All applications can log their operations. For example, Splunk server can be configured to log actions.
In C:\program_files\Splunk\bin\splunk.exe, you can right click on the splunk.exe executable and select Properties. Select the Security tab, and Advanced -> Auditing -> Edit.
Then click the Add button and type Everyone in the search area. Once finished, click the Ok button.
Before anything, make sure we can audit objects.
- Run
secpol.msc. - Local Policies -> Audit Policy -> Audit Object Access, make sure everything is checked under Audit These Attemps.
- Confirm devices in provided IP range and create target list.
- Run vulnerability assessment.
- Perform risk assessment on findings and determine mitigation actions.
- Review previous vulnerability audit findings.
- Fill out a vulnerability audit report to document recent finds.
Reports like these are crucial for providing actionable details on what to do about known vulnerable systems and networks. They can serve as documentation to help free up funding (newer devices, operating systems or applications), provide data to back up stats concerning long-running issues, and can provide a historical detail that should be used to push for overdue changes.
nmap -sT -F 192.168.0.0/24 -oG Target_List.txt
leafpad Taget_List.txt // clean file to only have IPs
openvas-start
At this point follow already explained process to create new targets and run scan...
After scan has finished, we can view the results in the Scans tab, and then Reports link, by clicking on the Hyperlinked Date.
This report will show vulnerabilities found, their severity, what host they are on, and the location of the vulenrabilities.
From here you can export data in multiple available formats.