Real-time Enterprise Exploitability Trending

Penetration tests are typically a point-in-time exercise to determine if a remote adversary or malicious insider can compromise systems that contain sensitive data. Most organizations do not conduct penetration tests on a daily basis. Instead they schedule them annually, quarterly, or in some cases monthly. Penetration tests procured on a consulting engagement are often limited to key systems and assets rather than the entire network of systems. This diminishes the value of the penetration test as the results quickly become outdated and may not be relevant to new systems or recent network changes. However, by correlating the availability of exploits with a continuous monitoring program to identify vulnerabilities, an organization can have a better idea of how “exploitable” they are on a real-time basis.

Consider the following graph generated by six months of Nessus vulnerability scanning and continuous network monitoring with the Tenable Passive Vulnerability Scanner:

This graph, produced by a Tenable SecurityCenter dashboard, shows the number of exploitable client-side and exploitable server vulnerabilities that were present over time.

For the servers on this network, it is much more likely that a penetration test during the month of July would have found exploitable vulnerabilities. Any other month, a penetration testing team would have had to be more creative in how they performed the attack, perhaps using social engineering, a zero-day exploit, or trying to find a web application flaw in custom software. Clients of this network have been consistently exploitable for the entire period of monitoring.

Taken by itself, a simple graph like this inspires a series of questions:

• Were the clients and the servers on the same network? If so, this could represent a direct threat to key servers.
• Were any of the clients used by server administrators? If so, an administrator’s computer could have been compromised and then had keystroke loggers installed, or used to compromise a server via other types of techniques that abuse trust relationships.
• Is there a monthly patching or scanning program for the servers? If daily monitoring and patching were performed, it is unlikely there would be such a flat step function graph for the vulnerable servers. The flat graph indicates that the servers are patched monthly, which may be in violation of a patch management policy that could mandate a more aggressive patching schedule.
• Last, this is a single graph. If we were to try to monitor 5,000 desktops and 500 servers spread across different DMZs, networks, and data centers with a single graph, it would not have as much impact as if it were by business unit or function (or what Tenable refers to as “assets” in SecurityCenter).

To illustrate this, I’ve taken the same data from the initial six month trend and graphed it over six different assets – two Internet facing DMZs and four internals LANs. Following are the results: 

The two DMZs are in the left column. They had very few exploitable vulnerabilities compared to the number on the LANs. However, any type of exploitable vulnerability on a DMZ is of some concern if anyone on the Internet can potentially exploit one of your services. DMZ #2 also had an exploitable client in the month of June. If this were targeted with a social engineering attack, it’s possible the client could have been exploited, further compromising the server.

On the inside of the network, the LANs have the bulk of the “server” vulnerabilities. Laptops and workstations often run services, such as, RDP, VNC, and SMB file sharing. These can be exploited remotely even though the workstation isn’t necessarily a dedicated server like an email, DNS, or web server.

Trending the availability of exploitable vulnerabilities for key assets on your network over time helps you understand how much risk they may have been exposed to currently or in the past. This should factor into how your organization manages risks and what type of precautions you use to mitigate it.

For More Information

Previous Tenable Blog Entries

• If an exploit falls in the forest, does anyone hear it being patched?
• Passively Detect all of your Exploitable Vulnerabilities – PVS 3.4 released
• Using Nessus and Metasploit Together

Tenable SecurityCenter Dashboards which track exploits

• Tracking Risk By Graphing Exploitable, Unsupported and Vulnerable Software
• Asset-based 25-Day Exploitability trends
• Trending New, Exploitable, CVSS 10 and Internet Facing Vulns