CompTIA CYSA+ CS0-002 – Analyzing Output from Vulnerability Scanners Part 1

March 21, 2023

1. Scan Reports (OBJ 1.4)

Scan reports. In this lesson we’re going to start looking at some scan reports from our different vulnerability assessment tools. These scan reports contain color-coded vulnerabilities ranked by criticality, which lets you quickly identify which items most need your attention. For example, here on the screen you can see a list of several different vulnerabilities. Displayed here are just the first six we’re going to look at, and you can see their severity. These are all classified as high because they have a 10.0 or 9.3 rating as far as criticality is concerned. Now if I clicked on a specific vulnerability it would give me additional details about it, such as how it was detected, what can be done to fix it, and what could be used to exploit it.

All of this is valid information that you should be reviewing so you can make a determination of what you’re going to do to mitigate this risk. Now at any time, if you want to look at your previous scan reports, you can do that by going back through the dashboard of your vulnerability assessment tool. Now again, these reports should be treated as highly confidential and you should limit access to them to a specific group of administrators who have the rights to look at them, because these are the keys to the kingdom. The scan has already done the attacker’s reconnaissance for them: it lists what is on your network and which of it is vulnerable. So if an attacker got their hands on this scan report they would know exactly what to attack and how easily they could get into your network. Now one of the things I see a lot of people do is try to use automation for everything in the network.

Now automation is a great thing to use and it can really free up a lot of your analysts’ time, but automation by itself cannot do everything for you. For example, one thing I commonly see is people setting up these tools to automatically scan the network, which is a good thing, and then automatically send out those reports via email, or send an alert via email or text message if the scan finds some non-compliant item. Now this is a good thing to do in theory, but you have to be careful here, because automatic distribution of scan results makes it harder for you to preserve confidentiality. It’s harder to maintain control over all of those scan reports once you start sending them out to everyone. So if you’re using automation, make sure you really think through who is getting the report, how you’re protecting it, and whether you’re encrypting that data as you send it out.

For this reason a lot of organizations will run automated scans, but the reports stay in a centralized location where they are reviewed manually, and only then are they sent out to the right people by a secure method so they can look at them. Now, this brings us to the idea of manual distribution. When you’re dealing with manual distribution of reports, this allows you to have better control over the contents of those reports, because you’re making sure only what you want is being seen by others. In addition, it gives your analysts a chance to explain the results. What I mean by this is that you can take that report and brief it up to senior leadership. This might be your executives, your managers, or whoever it is that you need to brief. Now, instead of just giving them a report with facts and figures, you can explain to them: yes, there is this vulnerability; it affects 50% of our systems; it’s really critical because of this reason; and here’s what I recommend we do to fix it. This gives you a chance to shape that narrative and to control exactly what’s going to be done as you move forward.
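As an added example (not code from the original lesson or from any scanner vendor), here is how the triage and the leadership brief described above can be produced from a scanner’s CSV export. The export text, plugin IDs and addresses are constructed for illustration; the brief reports severity, CVE and the share of scanned hosts affected, but deliberately omits host addresses so it can be circulated more widely than the raw report:

```python
"""Added example: summarise a vulnerability-scan export for a leadership brief.

The export text below is constructed to resemble a typical scanner CSV
(one row per host and finding). It is not the output of a real scan, and the
plugin IDs and addresses are made up.
"""
import csv
import io
from collections import defaultdict

SCAN_EXPORT = """\
Host,Plugin,CVE,CVSS,Risk,Name
10.0.1.10,P-0001,CVE-2017-0144,8.1,High,SMBv1 remote code execution (EternalBlue)
10.0.1.11,P-0001,CVE-2017-0144,8.1,High,SMBv1 remote code execution (EternalBlue)
10.0.1.12,P-0002,,5.3,Medium,SSL certificate cannot be trusted
10.0.1.10,P-0002,,5.3,Medium,SSL certificate cannot be trusted
10.0.1.13,P-0003,,0.0,Info,Traceroute information
"""

# Rank order for the scanner's own severity labels.
RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def load_findings(export_text):
    """Parse the CSV export into a list of dicts with a numeric CVSS field."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for row in rows:
        row["CVSS"] = float(row["CVSS"] or 0.0)
    return rows


def summarise(findings):
    """Collapse per-host rows into one entry per finding, sorted by CVSS
    (highest first), counting how many scanned hosts are affected."""
    hosts_scanned = {row["Host"] for row in findings}
    by_plugin = defaultdict(set)
    meta = {}
    for row in findings:
        by_plugin[row["Plugin"]].add(row["Host"])
        meta[row["Plugin"]] = row
    summary = []
    for plugin, hosts in by_plugin.items():
        row = meta[plugin]
        summary.append({
            "plugin": plugin,
            "name": row["Name"],
            "cve": row["CVE"],
            "cvss": row["CVSS"],
            "risk": row["Risk"],
            "hosts": len(hosts),
            "pct": round(100.0 * len(hosts) / len(hosts_scanned), 1),
        })
    summary.sort(key=lambda f: (f["cvss"], RISK_RANK.get(f["risk"], 0)), reverse=True)
    return summary


def brief(summary, min_risk="Medium"):
    """Lines for a leadership brief: severity, spread and identifier, but no
    host addresses, so the text can be shared beyond the scan-report owners."""
    threshold = RISK_RANK[min_risk]
    lines = []
    for f in summary:
        if RISK_RANK.get(f["risk"], 0) < threshold:
            continue
        ident = f["cve"] or f["plugin"]
        lines.append("%s (%s, CVSS %.1f): %s; affects %d host(s), %.0f%% of those scanned"
                     % (f["risk"], ident, f["cvss"], f["name"], f["hosts"], f["pct"]))
    return lines


def hosts_for(findings, plugin):
    """Per-host detail, kept with the analysts who need it rather than briefed."""
    return sorted(row["Host"] for row in findings if row["Plugin"] == plugin)


if __name__ == "__main__":
    findings = load_findings(SCAN_EXPORT)
    for line in brief(summarise(findings)):
        print(line)
```

The brief is built from the scanner’s own severity labels; the percentage is computed against the set of hosts that actually appear in the export, so a host that was not scanned does not silently shrink the denominator.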

2. Common Identifiers (OBJ 1.2)

Common identifiers. In this lesson we are going to talk about some common identifiers that we use when we’re talking about specific vulnerabilities. Now, there are many different scanning tools out there, but they all use the same schemes to identify the same vulnerabilities. This gives us a consistent method as we look across different tools. So regardless of whether you’re using Nessus, Qualys or OpenVAS, they’re all going to report on the same vulnerabilities and identify them using the same identifiers. Now, there are really six main things we use to commonly identify vulnerabilities on the different platforms we’re going to look at. These are the Common Vulnerabilities and Exposures, or CVE, the National Vulnerability Database, or NVD, the Common Weakness Enumeration, or CWE, the Common Attack Pattern Enumeration and Classification, or CAPEC, the Common Platform Enumeration, or CPE, and the Common Configuration Enumeration, or CCE.

In this lesson we’re going to dive into each one of these. First, CVE, or Common Vulnerabilities and Exposures. This is a commonly used scheme for identifying vulnerabilities that was developed by MITRE and adopted by NIST. Because this was one of the first schemes to be widely accepted, it goes back a long way, so when you look up CVEs you can find a long history of all the different CVEs that have been published. Each vulnerability gets a unique identifier known as a CVE ID, and the format looks like this: CVE, then the year, then a sequence number, as in CVE-YYYY-NNNN. So for example, if I want to pull up this CVE, I can go to the website and look at CVE-2017-0144. This tells me the ID was assigned in 2017 and that 0144 was its sequence number that year. Note that the sequence number is simply the next number issued by the CVE program in that year; it is at least four digits, and it says nothing about the vendor.

Now if I look at the description of this one, I can see that it was for Microsoft Windows and is associated with an SMB vulnerability. If I dig into it further, there’s a description and there are references. If I scroll down the page, it tells me what can exploit it and what I can do to fix it. Now this CVE is actually a really well-known one. If you’ve been in cybersecurity for a while you might have heard of it: it’s known as EternalBlue. Technically, EternalBlue is the exploit tool used against this vulnerability, and this is the vulnerability that EternalBlue exploits. Why is EternalBlue so important? Because it was used by WannaCry, the ransomware that took hold in 2017 and spread all over the Internet. The WannaCry ransomware and EternalBlue both exploited the same vulnerability, CVE-2017-0144.

And that’s how these CVEs work. You can start figuring out which exploit goes with which CVE, which mitigations exist for what you’re detecting, and which CVEs the vulnerabilities you detect are associated with. Because if you know the CVE, you can look it up and find out what patches exist and how you can mitigate it. Now the next one we’re going to talk about is the NVD, the National Vulnerability Database. This is a superset of the CVE database: it contains all the information from the CVE list that MITRE maintains, and it adds further information such as analysis, criticality metrics like CVSS scores, which we’ll talk about later, and any appropriate fix information or instructions for remediating these issues. So the NVD, which is maintained by NIST, takes all that CVE information and adds more to it.

Now the next one we’re going to talk about is CAPEC, the Common Attack Pattern Enumeration and Classification. This is a knowledge base maintained by MITRE that classifies specific attack patterns, focused on application security and exploit techniques. At first glance this might sound a lot like the MITRE ATT&CK framework that we’ve talked about previously, but there is a big difference. ATT&CK is a tool for understanding adversary behaviors within a network intrusion. CAPEC, on the other hand, catalogs attack patterns focused on the application security weakness itself. So with CAPEC we’re looking at the technical details of how an attack works, not at the adversary’s behavior the way we do with ATT&CK.

The next one we want to talk about is CPE, the Common Platform Enumeration. This is a scheme for identifying hardware devices, operating systems and applications. A CPE name is shown in a format that looks like this: cpe:/part:vendor:product:version:update:edition:language. Notice that this is essentially a set of colon-separated fields that we can use to identify a particular piece of hardware or software. (That is the CPE 2.2 URI form; the newer CPE 2.3 formatted string starts with cpe:2.3: and adds a few more fields, but the leading fields are the same.) Most of these fields are pretty self-explanatory: the vendor, the product, the version, the update, the edition and the language. But there is this one field called part, and you may wonder what that is really referring to. Well, that first field, part, will be either o if it’s an operating system, a if it’s an application, or h if it’s a piece of hardware.

Those are the three main categories that CPE supports. So for example, if I was looking at Windows, I might have a CPE name like cpe:/o:microsoft:windows:10, with o for operating system, microsoft for the vendor, windows for the product, 10 for the version, and so on. As you go through this, it allows us to uniquely identify that particular Windows variant inside the Microsoft operating system family as a unique CPE. The next one we’re going to talk about is CCE, and this is our final one. CCE is the Common Configuration Enumeration. This is a scheme for provisioning secure configuration checks across multiple sources. Essentially, CCE is a collection of configuration best-practice statements, and it allows us to go through those with an automated tool. CCE provides us with unique identifiers for the different system configuration issues.

This way we can quickly and accurately correlate configuration data across multiple information sources and tools, because we’re all speaking the same language. Just like I mentioned in a previous lesson, a lot of our checklists used to be manual processes, and a system administrator had to go look at different tools and check all this information by hand. This is another way to make things easier and to automate, because if we’re all talking the same language and using the same identifiers, we can correlate all that data across all the systems to give us a better picture of what we’re doing.
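To make the CVE and CPE formats from this lesson concrete, here is an added example (not code from the original lesson, MITRE or NIST) that validates CVE IDs, parses both CPE name forms into their fields, and then correlates a list of affected CPE names against a host inventory, which is the kind of cross-tool matching these shared identifiers make possible. The CVE-to-CPE mapping and the inventory are constructed for illustration and are not NVD data:

```python
"""Added example: parse CVE IDs and CPE names, then correlate them against an
inventory. The vulnerability-to-CPE mapping and the inventory below are
constructed for illustration and are not NVD data."""
import re

# CVE-YYYY-NNNN: at least four digits in the sequence part, no upper bound.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Field order shared by the CPE 2.2 URI form ('cpe:/o:vendor:product:...')
# and the CPE 2.3 formatted string ('cpe:2.3:o:vendor:product:...', 11 fields).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
PART_NAMES = {"o": "operating system", "a": "application", "h": "hardware"}


def parse_cve(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError.
    The sequence is just the next number issued that year; it carries no
    vendor meaning."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError("not a CVE identifier: %r" % cve_id)
    return int(m.group(1)), int(m.group(2))


def parse_cpe(name):
    """Parse either CPE form into a dict keyed by CPE_FIELDS. Fields that are
    absent, empty or '*' come back as '*' (match anything)."""
    if name.startswith("cpe:2.3:"):
        values = name[len("cpe:2.3:"):].split(":")
    elif name.startswith("cpe:/"):
        values = name[len("cpe:/"):].split(":")
    else:
        raise ValueError("not a CPE name: %r" % name)
    if len(values) > len(CPE_FIELDS):
        raise ValueError("too many fields in CPE name: %r" % name)
    fields = dict.fromkeys(CPE_FIELDS, "*")
    for key, value in zip(CPE_FIELDS, values):
        fields[key] = value.lower() if value else "*"
    if fields["part"] not in PART_NAMES:
        raise ValueError("CPE part must be o, a or h: %r" % name)
    return fields


def cpe_matches(pattern, target):
    """True when every field of `pattern` is a wildcard or equals the same
    field of `target`. A wildcard in `target` (e.g. unknown version) also
    matches, so incomplete inventory is flagged for review, not ignored."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[f] == "*" or t[f] == "*" or p[f] == t[f] for f in CPE_FIELDS)


# Constructed mapping for illustration: CVE -> CPE names it applies to.
AFFECTED = {
    "CVE-2017-0144": ["cpe:/o:microsoft:windows:7", "cpe:/o:microsoft:windows:10"],
}

# Constructed inventory: (hostname, CPE name of the installed platform).
INVENTORY = [
    ("plant-hmi-01", "cpe:/o:microsoft:windows:7"),
    ("fileserver-02", "cpe:2.3:o:microsoft:windows:10:*:*:*:*:*:*:*"),
    ("web-01", "cpe:/o:canonical:ubuntu_linux:20.04"),
]


def find_exposed(inventory, affected):
    """Map each CVE to the hostnames whose CPE matches one of its affected CPEs."""
    exposed = {}
    for cve_id, patterns in affected.items():
        parse_cve(cve_id)  # reject malformed keys early
        hosts = [host for host, cpe in inventory
                 if any(cpe_matches(pat, cpe) for pat in patterns)]
        if hosts:
            exposed[cve_id] = hosts
    return exposed


if __name__ == "__main__":
    for cve_id, hosts in find_exposed(INVENTORY, AFFECTED).items():
        print(cve_id, "->", ", ".join(hosts))
```

The matcher treats a missing or wildcard field on the inventory side as a match on purpose: an asset whose version is unknown should show up for review rather than be silently excluded from a remediation list.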

3. CVSS (OBJ 1.2)

CVSS, or the Common Vulnerability Scoring System. We very briefly touched upon this when I started talking about the NVD, the National Vulnerability Database, because I mentioned that it includes the CVSS score. In this lesson we’re going to break down exactly what that score is. First, let’s talk about the Common Vulnerability Scoring System, or CVSS. This is a risk management approach to quantifying vulnerability data that then takes into account the degree of risk to different types of systems or information. Essentially it allows us to put a number against a vulnerability. So instead of just saying this is a low risk or this is a high risk, I can actually measure it quantifiably. Now, CVSS can be useful in prioritizing your response actions, because if I have something that scores 9.3 versus something that scores 10.0, I should probably fix the 10.0 first, or so you would think, because it’s a higher number, right? That’s the basis of using a CVSS score.

But for you to really be able to use these, you have to understand what they mean, and that’s why we’re going to break them apart in this lesson. At their most simple form, a CVSS score is a number with a qualitative rating. A score of 0.0 is rated None: there is no risk. A score between 0.1 and 3.9 is rated Low. Between 4.0 and 6.9 is Medium. Between 7.0 and 8.9 is High. And a score between 9.0 and 10.0 is Critical. Now, these are baseline numbers. You’re going to be able to adjust them based on your own circumstances and your own mitigations as well. For this reason, it’s really important that you look at how these numbers are constructed.

Coming directly from the NVD website, you can see this graphic. There are three groups of metrics that go into the CVSS score. First we start with the base metrics, which cover exploitability and impact. Then we can feed that into some optional metric groups, the temporal metrics and the environmental metrics, and all of those combined give you the final CVSS score. What we’re going to do in the rest of this lesson is break down all of the components of the base metrics, because that is where the bulk of the score comes from and it’s really important for you to understand it. The base metrics are comprised of the attack vector (called the access vector in CVSS version 2), the attack complexity, the privileges required, the user interaction, the scope, and the confidentiality, integrity and availability impacts, that is, whether and how much each of those is affected by this particular vulnerability.

Now we start looking at each of these individually. The attack vector tells us whether the attacker needs physical access, local access, adjacent network access, or network access. If they need physical access, it’s probably less of a threat to you than if they only need network access, which means they can reach you over the Internet. So depending on the attack vector, the vulnerability is going to be more or less dangerous to us, and that affects our score. Then we have to consider the attack complexity: is this high complexity or low complexity? If this is a high-complexity exploit, it is less of a threat, because fewer attackers will be able to pull it off.

If the exploit has low complexity, it’s going to be more dangerous to us, because more attackers will be able to do it; it’s easier for an attacker to use, and so complexity is important as well and affects our number. Then we have to consider the privileges required. Can they run this exploit with no privileges, low privileges, or high privileges? Again, no privileges or low privileges are more dangerous than high privileges. The reason for this is that if it can be done with no privileges, the attacker doesn’t have to log in at all. If it needs low privileges, a standard user or a guest user could run the exploit. If it needs high privileges, the attacker needs something like an administrative or service account to run it. So again, this affects our base score.

The next one is user interaction, which is either none or required. Again, this makes things more or less dangerous. If no user interaction is required, the exploit can run without the user doing anything. If user interaction is required, a user has to do something, like run the program or open the file, and so you’d need some kind of social engineering component to trick the user into doing that, making it a more complex attack. So it becomes more or less risky based on whether interaction is none or required. The next category is scope, which can be either unchanged or changed. Scope refers to whether an exploit can affect only resources managed by the vulnerable component itself, meaning unchanged, or can reach beyond it into resources under a different security authority, for example escaping from a virtual machine or sandbox onto the host, which means changed.

So changed is more of a risk for us than unchanged. The next three are confidentiality, integrity and availability, the three tenets of the CIA triad. As we look at these, if somebody is able to run this exploit, it has some degree of impact on each part of the CIA triad. So if I run this exploit, am I affecting confidentiality? Am I affecting integrity? Am I affecting availability? For each of these, CVSS version 3 rates the impact as High, Low or None (version 2 used Complete, Partial and None). So if this exploit has a high impact on confidentiality, that’s more risky for us than one with a low impact on confidentiality. The same goes for integrity: high, low or none, how much can be changed or altered? And then availability: high, low or none.

We take all of these components and combine them, using the formula in the CVSS specification rather than a simple sum, and that gives us our base score. In addition to that base score, we can then feed it into the optional metric groups, temporal and environmental. The temporal metrics are composed of exploit code maturity, remediation level, and report confidence. All of these have to do with time: how timely is this information, how much do I trust it, is there working exploit code available yet and how reliable is it, and is there an official fix, a temporary fix, a workaround, or nothing at all? The next group is the environmental metrics. These let us modify the base metrics, so we’re still going to be looking back at things like the attack vector, and they also let us state how important confidentiality, integrity and availability are for the particular system.

We’re going to be looking at things like integrity and confidentiality, and based on the environment you’re dealing with, you can then modify the base score to make it more or less threatening. Now, I want to give you a quick word of warning. CVSS metrics are really, really helpful. All of the tools we use for vulnerability assessment rely on these CVSS metrics, but you as an analyst should not rely on them exclusively. After all, the whole reason we have analysts is for you to think. Your job is not just to look at a number and say, ah, that’s a 9.3, that must be critical, because that’s not always true. For example, as you start looking at some of these things, you might go, this affects anybody who’s connected to the Internet. And then you look at your system and go, oh, I’m talking about a manufacturing plant, and my manufacturing plant isn’t connected to the Internet, so that vulnerability is mitigated for me.

So while it might be a 9.3 because it’s really critical and reachable from the Internet, if your system isn’t connected to the Internet, you need to adjust that down to something more reasonable, because for you it might be a low threat. So I want you to remember, you have to be thinking about these things. Don’t just blindly accept the numbers. They’re there to help you; they are not the end-all, be-all. The other thing I want to remind you of is that there are multiple versions of CVSS. The most current version as of this recording is 3.1, and that is what you’re going to see on the exam. Now, as I mentioned, you can adjust these metrics, and one of the easiest ways to do that is by using an online calculator such as the one at https://www.first.org/cvss/calculator/3.1.

If you go in there, you can put in the different metrics for each of those areas based on the threats you’re seeing, then adjust them based on your unique circumstances and calculate a new CVSS score for yourself. Remember, when you look at these tools and at the National Vulnerability Database, they give you the base score based on how dangerous the vendor or the scoring analyst thinks it is in a generic deployment. So what they think is a 9.3 may only be a 5.0 in your environment, or something they think is a 2.3 might be a 10.0 in yours. It just depends on the environment you’re operating in. So you can use these calculators to modify your score and have a baseline that matches your particular environment, so you can make better decisions.

