A deep dive into Vulnerability Analysis

Introduction

1- Key Vulnerability concepts

1.1 Vulnerability Research

  • Discovering the system design faults and weaknesses that might allow attackers to compromise a system
  • Staying updated about new products and technologies and reading news related to current exploits
  • Exploit Database: Here you can learn how different vulnerabilities are exploited and whether automated scripts exist to perform the attack
  • Dark Reading: This is a place to keep up to date about the latest threats and attacks!
  • Security Magazine: A security world magazine, same as Dark Reading.
  • MITRE: The latest about TTP (Tactics, techniques, and procedures) used by the threat actors!

1.2 Vulnerability Assessment

  • The OS version running on computers or devices
  • IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
  • Applications installed on computers
  • Common web server vulnerabilities (path traversal, Slowloris, etc.)
  • Accounts with weak passwords
  • Missing patches
  • Risky ports and weak network configurations

1.2.1 Scanning types

  • Passive Scanning: This means finding the information that is already available on the internet without interacting with the target host, for example through OSINT (Open Source Intelligence), the ExploitDB, or public information about the target, which may be an organization (if we are performing a penetration test).
  • Active Scanning: This scan refers to the one in which we interact with the target, for example the servers and the applications running on those servers. It is very likely to generate alerts in monitoring systems such as an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System), or a WAF (Web Application Firewall).

1.2.2 Types of vulnerability alerts

  • True Positive (Attack — Alert): The system raises an alarm when a legitimate attack occurs
  • False Positive (No Attack — Alert): The system raises an alarm when no attack has taken place (Most common)
  • False Negative (Attack — No Alert): The system does not raise an alarm when a legitimate attack has taken place (Worst!) We were attacked and no alarm was raised.
  • True Negative (No Attack — No Alert): The system does not raise an alarm when an attack has not taken place
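The four outcomes above are what you get when an alert log is joined against what actually happened. The following is an added example, not code from the original article: it tallies the four outcomes from a constructed IDS alert log and a constructed ground-truth table, then derives detection rate, precision and false-positive rate, the numbers that tell you whether the "most common" and "worst" cases are under control.

```python
import re

# Constructed sample data (not from the article): IDS alert lines and the
# ground truth of what really happened, keyed by (minute, source address).
ALERT_LOG = """\
2024-05-01T10:00:05 alert src=10.0.0.7 sig=sqli-attempt
2024-05-01T10:02:10 alert src=10.0.0.9 sig=port-scan
2024-05-01T10:05:00 alert src=10.0.0.7 sig=dir-traversal
"""
GROUND_TRUTH = {
    ("2024-05-01T10:00", "10.0.0.7"): True,   # real attack, alert raised
    ("2024-05-01T10:02", "10.0.0.9"): False,  # authorised inventory scan, alert raised
    ("2024-05-01T10:05", "10.0.0.7"): True,   # real attack, alert raised
    ("2024-05-01T10:07", "10.0.0.12"): True,  # real attack, nothing raised
    ("2024-05-01T10:09", "10.0.0.3"): False,  # nothing happened, nothing raised
}

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} alert src=(\S+)")

def outcome(attack, alert):
    """Map one (attack, alert) pair to the four outcomes listed above."""
    if attack:
        return "true_positive" if alert else "false_negative"
    return "false_positive" if alert else "true_negative"

def tally(alert_log, truth):
    """Count TP/FP/FN/TN by joining alerts to ground truth on (minute, src)."""
    alerted = set()
    for line in alert_log.splitlines():
        m = LINE.match(line)
        if m:
            alerted.add((m.group(1), m.group(2)))
    counts = {k: 0 for k in ("true_positive", "false_positive",
                             "false_negative", "true_negative")}
    for key, attack in truth.items():
        counts[outcome(attack, key in alerted)] += 1
    # An alert with no ground-truth entry is treated as a false positive.
    for key in alerted - set(truth):
        counts["false_positive"] += 1
    return counts

def metrics(counts):
    """Detection rate (recall), precision and false-positive rate."""
    tp, fp = counts["true_positive"], counts["false_positive"]
    fn, tn = counts["false_negative"], counts["true_negative"]
    return {
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }
```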

1.2.3 Limitations of Vulnerability Assessment

  • Human judgment is needed to analyze the data after scanning and to identify the false positives and false negatives
  • Vulnerability-scanning software itself is not immune to software engineering flaws that might lead to it missing serious vulnerabilities; extra actions are needed to avoid this.
  • Vulnerability-scanning software is limited to detecting the vulnerabilities present at a given point in time, so its results do not reflect later changes to the systems or their security controls.

1.2.4 Vulnerability Assessment Techniques

  • Active: Uses a network scanner to find hosts, services, and vulnerabilities (interacts with our target servers)
  • Passive: Here we sniff the network traffic to discover the active systems, applications, and payloads present; usually we create custom scripts to track specific encoded values.
  • External: Assesses the network from a hacker's perspective (Red Team) to discover vulnerabilities from the outside.
  • Internal: Scans the internal infrastructure to discover exploits and vulnerabilities
  • Host-based: Conducts a configuration-level check to identify system configurations, file systems, etc. on the host.
  • Network-based: Determines possible network security attacks.
  • Application: Tests and analyzes all elements of the web infrastructure for any misconfiguration, outdated content, or known vulnerabilities.
  • Credentialed / Non-Credentialed: Assesses the network either by logging in to the systems or without any credentials, the latter reflecting the attacker's perspective.
  • Manual: Checking the CVE and the CVSS.
  • Automated: Running tools such as Nessus, Qualys, GFI LanGuard, or Nikto

1.3 Common Vulnerability Scoring System (CVSS) & Common Vulnerabilities and Exposures (CVE)

2- Vulnerability Management Life Cycle

  • Identify and understand the current business process
  • Understand the applications, data, and services that support the business process, and perform code reviews
  • Identify controls already in place
  • Understand the network architecture
  • Define the scope of the assessment
  • Identify Assets and create a baseline: This phase identifies critical assets and prioritizes them to define the risk based on the criticality and value of each system in order to develop and maintain a system baseline.
  • Vulnerability Scan: This phase is very crucial in vulnerability management. In this step, the security analyst performs the vulnerability scan on the network to identify the known vulnerabilities in the organization’s infrastructure.
  • Risk Assessment: Here the serious uncertainties associated with the system are assessed and prioritized. It summarizes the risk level identified for each of the selected assets and determines whether the risk level for a particular asset is high, moderate, or low.
  • Remediation: Planned based on the determined risk level. This is where we apply the fixes to vulnerable systems in order to reduce the impact.
  • Verification: The security team performs a re-scan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets.
  • Monitor: Regular monitoring to maintain system security

3- Types of Vulnerabilities

  • Misconfiguration: Mostly caused by human error; it allows hackers to gain unauthorized access. Some examples are debugging mode enabled by default, unnecessary services on the machine, incorrect permissions, default accounts, etc.
  • Default Installations: When the system is used for the first time, the primary concern is usability rather than security. The risk is not in the content itself, but the machine might be connected to the corporate network.
  • Buffer Overflows: Coding errors allow attackers to write content beyond the allocated size of a buffer and thereby try to take control of the system.
  • Unpatched Servers: Servers not running the latest security patches.
  • Design Flaws: Poor encryption and poor validation.
  • Application Flaws: Vulnerabilities in applications that are exploited by attackers; the OWASP Top 10 is an example of those.
  • Open Services: Open ports, vulnerable services exposed in those ports.
  • Default Passwords: Default credentials to critical systems, easy to get in using a dictionary attack.

4- Vulnerability assessment tools and criteria for choosing them

  • Supports multiple networks
  • Automatically scans against continuously updated databases
  • Ensures correct outcomes by testing the network (low false-positive rate)
  • Suggests appropriate remedies and workarounds to correct vulnerabilities
  • Matches your environment and expertise
  • Generate reports
  • Contains several hundred different attack signatures
  • Types of vulnerabilities being assessed
  • Test run scheduling
Source: JCSHIELD

4.1 Comparing solutions

4.2 How do vulnerability tools work?

  • Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques. It is like checking all the different places that can be scanned.
  • Performing service and OS discovery on them: Enumerate the open ports and services along with the operating system on the target systems. Like performing a manual map…
  • Check for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.
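The three steps above, together with the CVSS rating (1.3) and the high/moderate/low risk assessment of the life cycle (section 2), can be shown end to end on a small constructed inventory. This is an added example, not code from the article or from any scanner product: the host and service inventory stands in for the output of the first two steps, the "known vulnerability" feed uses fictional products and placeholder IDs, and the risk rule that combines CVSS severity with asset criticality is an assumption for illustration.

```python
import re

# Constructed inventory (not from the article): what a scanner holds after the
# first two steps, host discovery and service/OS discovery.
HOSTS = {
    "10.0.0.5": {"os": "Linux", "services": {22: "AcmeSSH 7.2", 80: "AcmeWeb 2.4.1"}},
    "10.0.0.8": {"os": "Windows", "services": {445: "AcmeFile 1.0.3"}},
    "10.0.0.9": {"os": "Linux", "services": {80: "AcmeWeb 2.6.0"}},
}
# Asset criticality from the "identify assets and create a baseline" step.
CRITICALITY = {"10.0.0.5": "high", "10.0.0.8": "high", "10.0.0.9": "low"}
# Constructed known-vulnerability feed: fictional products, placeholder IDs.
# A real scanner pulls this from a continuously updated database.
KNOWN_VULNS = [
    {"id": "CVE-XXXX-0001", "product": "AcmeWeb", "fixed_in": "2.5.0", "cvss": 9.8},
    {"id": "CVE-XXXX-0002", "product": "AcmeFile", "fixed_in": "1.1.0", "cvss": 5.3},
    {"id": "CVE-XXXX-0003", "product": "AcmeSSH", "fixed_in": "7.0", "cvss": 7.5},
]

def parse_banner(banner):
    """Split 'AcmeWeb 2.4.1' into ('AcmeWeb', (2, 4, 1)); version None if absent."""
    m = re.match(r"^(\S+)\s+(\d+(?:\.\d+)*)$", banner)
    if not m:
        return banner, None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def cvss_severity(score):
    """CVSS v3 qualitative rating bands (None/Low/Medium/High/Critical)."""
    return ("critical" if score >= 9.0 else "high" if score >= 7.0
            else "medium" if score >= 4.0 else "low")

def risk_level(severity, criticality):
    """Assumed rule: add severity and asset-criticality ranks, bucket the sum."""
    total = ({"low": 0, "medium": 1, "high": 2, "critical": 3}[severity]
             + {"low": 0, "medium": 1, "high": 2}[criticality])
    return "high" if total >= 4 else "moderate" if total >= 2 else "low"

def scan(hosts, vulns, criticality):
    """Step 3: match each discovered service against the feed, then prioritise."""
    findings = []
    for ip, info in hosts.items():
        for port, banner in info["services"].items():
            product, version = parse_banner(banner)
            for v in vulns:
                fixed = tuple(int(p) for p in v["fixed_in"].split("."))
                if v["product"] == product and version is not None and version < fixed:
                    sev = cvss_severity(v["cvss"])
                    findings.append({"host": ip, "port": port, "service": banner,
                                     "id": v["id"], "cvss": v["cvss"], "severity": sev,
                                     "risk": risk_level(sev, criticality.get(ip, "low"))})
    order = {"high": 0, "moderate": 1, "low": 2}   # report: highest risk, then CVSS
    findings.sort(key=lambda f: (order[f["risk"]], -f["cvss"]))
    return findings
```

A host whose service is already at or above the fixed version (AcmeSSH 7.2, AcmeWeb 2.6.0) produces no finding, which is the point-in-time limitation from 1.2.3: the report is only as current as the inventory and the feed.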

5- Vulnerability Reports

Purple Sec — Example of the vulnerability scan report

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Josué Carvajal