
Shell Detection Dashboard

by Cody Dumont
February 3, 2015

Shell Detection Dashboard screenshot

Shell-related threats, such as the recently released Shellshock vulnerability, are on the rise. Detecting unauthorized shell access can become a full-time job. Customers with Tenable.sc Continuous View (CV) can use this dashboard to easily identify shell-related vulnerabilities. The systems and vulnerabilities identified in this dashboard allow system admins to quickly identify the threats related to shell access and quickly identify the source of the notification. This dashboard contains components that utilize active, passive, compliance, and event vulnerability detection. Additionally, there are two components that assist with log analysis.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Threat Detection & Vulnerability Assessments.

The dashboard requirements are:

  • Tenable.sc 4.8.2
  • Nessus 8.6.0
  • LCE 6.0.0
  • NNM 5.9.0

By understanding the detection method, system administrators can better determine if a shell session has been exploited or is a potential method of exploitation. For example, there are several passive detections, such as “Shell Attacks” and “Generic Shell”. When these plugins are triggered, an attacker is actively exploiting the system. When the active or compliance vulnerabilities are detected, the system is at risk of being exploited. The event types are logs, which may indicate an exploit in the past.

Several of the indicator components provide saved queries of both vulnerability data and log data collected by the Log Correlation Engine (LCE).  These searches aid analysts in detecting vulnerabilities related to shell access, backdoor, and botnet activities.  The “Shellshock” indicator uses several CVEs to quickly identify vulnerable systems. The vulnerability indicators use a keyword search combined with plugin type to identify vulnerable systems, while the event indicators use a keyword combined with event type to identify logs that should be reviewed.

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Tenable.sc Continuous View (CV) includes Nessus for active detection, Nessus Network Monitor (NNM) for passive vulnerability detection, and LCE for in-depth log analysis and event vulnerability identification. Tenable.sc CV’s proactive continuous monitoring identifies an organization’s biggest risks across the entire enterprise. Nessus is continuously updated with information about advanced threats and zero-day vulnerabilities to allow for continuous identification of shell-based vulnerabilities. LCE performs deep log analysis and correlation to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities. NNM conducts deep packet inspection, enabling discovery and assessment of operating systems, network devices, and other critical infrastructure devices.

Shell Detection - Exploitable Shell Summary: The systems and vulnerabilities identified in this component allow the system admin to quickly identify whether a threat related to shell access is based on active, passive, compliance, or event vulnerabilities. By understanding the detection method, system administrators can better determine if a shell session has been exploited or is a potential method of exploitation. For example, there are several passive detections, such as “Shell Attacks” and “Generic Shell”. When these plugins are triggered, an attacker is actively exploiting the system. When the active or compliance vulnerabilities are detected, the system is at risk of being exploited. The event types are logs, which may indicate an exploit in the past.

Shell Detection - Shell Vulnerability Indicators: This component provides indicators for the most effective shell-related searches within the vulnerability data. This aids in the detection of vulnerabilities related to shell access, backdoor, and botnet activities.

Shellshock - Vulnerabilities By Type: This component displays information about systems on the network with vulnerabilities related to bash. The first row contains detected general bash vulnerabilities, the second row contains detected Shellshock specific vulnerabilities, and the third row calculates the percentage of the general bash vulnerabilities that are Shellshock vulnerabilities.

Shell Detection - Shell Events by Type: This component provides indicators for normalized events related to shell usage. The saved queries provide a targeted view into log analysis. Each indicator combines the normalized event phrase “*Shell*” with a specific event type. Combining the event type and normalized event name makes the LCE query more efficient.

Shell Detection - Shell Vulnerabilities by Subnet: This chart provides a shell vulnerability summary by subnet.  When analyzing risk in an organization, the security team needs to understand where the highest risks are detected.  This component provides a view into the top 10 networks with a summary bar for each severity, informational through critical.

Shell Detection - Shell Vulnerability Summary: This table provides a list of shell vulnerabilities sorted by severity.  This view provides a quick overview of the current shell vulnerabilities on the network.  The analyst will need to drill down into each vulnerability to fully understand the associated risk.

Shell Detection - Shell Normalized Event Summary: This table provides a list of shell events sorted by event count.  The table displays a trend line of events over the past 24 hours and the count of the normalized events.  This data provides analysts with a recent historic view of events. The hourly trend also allows the analyst to see if there are issues during office hours or after hours, which could also indicate a security breach.
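The following is an added example, not Tenable's or LCE's code, modelling the logic behind the “Shell Events by Type” and “Shell Normalized Event Summary” components: it matches the wildcard phrase “*Shell*” against normalized event names, optionally narrows by event type, counts events per normalized name, and builds the 24-hour hourly trend with an office-hours split. The record layout, event names, office-hours window and wildcard semantics are assumptions, not the LCE schema.

```python
from collections import Counter
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample records: (timestamp, event type, normalized event name).
NOW = datetime(2015, 2, 3, 17, 0)
EVENTS = [
    (NOW - timedelta(hours=1),  "intrusion", "Snort-Shell_Attack"),
    (NOW - timedelta(hours=2),  "intrusion", "Snort-Shell_Attack"),
    (NOW - timedelta(hours=3),  "login",     "SSH-Login"),           # no "Shell" in name
    (NOW - timedelta(hours=14), "login",     "SSH-Shell_Login"),     # 03:00, after hours
    (NOW - timedelta(hours=15), "login",     "SSH-Shell_Login"),     # 02:00, after hours
    (NOW - timedelta(hours=30), "intrusion", "Snort-Shell_Attack"),  # outside 24h window
]

def shell_events(events, event_type=None, phrase="*Shell*", now=NOW, hours=24):
    """Keep events from the last `hours` hours whose normalized name matches the
    wildcard phrase; when `event_type` is given, require it too (the narrower,
    more efficient query the dashboard describes)."""
    start = now - timedelta(hours=hours)
    return [e for e in events
            if start < e[0] <= now
            and fnmatchcase(e[2], phrase)
            and (event_type is None or e[1] == event_type)]

def event_summary(events):
    """Normalized event name -> count, most frequent first."""
    return Counter(e[2] for e in events).most_common()

def hourly_trend(events, now=NOW, hours=24):
    """Per-hour counts over the last `hours` hours, oldest bucket first."""
    buckets = [0] * hours
    for ts, _, _ in events:
        age = int((now - ts).total_seconds() // 3600)
        if 0 <= age < hours:
            buckets[hours - 1 - age] += 1
    return buckets

def after_hours_count(events, office=(8, 18)):
    """Events whose hour falls outside the assumed 08:00-18:00 office window."""
    return sum(1 for ts, _, _ in events if not office[0] <= ts.hour < office[1])

if __name__ == "__main__":
    hits = shell_events(EVENTS)
    print(event_summary(hits))
    print(hourly_trend(hits))
    print("after hours:", after_hours_count(hits))
```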
