
Predicting Attack Paths Report

by Josef Weiss
September 11, 2014

This report supports the Tenable document titled ‘Predicting Attack Paths’, and the dashboard collection of the same name. A series of chapters is provided to assist the analyst in identifying systems on the network that can be exploited through a variety of methods. The methods include both passive and active reporting of exploits, trust relationships, and reporting of internet browsing hosts. This data can be leveraged to rapidly identify vulnerabilities that are subject to attack and exploitation.

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. SecurityCenter Continuous View allows for the most comprehensive and integrated view of network health. Nessus is the global standard in detecting and assessing network data.

Tenable’s Log Correlation Engine (LCE) provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.

Tenable’s Passive Vulnerability Scanner (PVS) provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.

The following chapters are included in the report:

  • Trust Relationships - This chapter contains three components to assist in reporting trust relationships. The first component graphs data on internal trusted client and server connections over a 90-day period, presented as an area chart of Client/Server relationships. The Client/Server Relationships table reports data on internal trusted client and server connections over a 90-day period. The Most Trusted Servers table leverages plugin #15 (Internet server trusted connection) to present the clients that have connected to a given server and the port on which each connection took place.
  • Vulnerability Details - This chapter contains four components to assist in vulnerability reporting. The line chart component displays event trends over time as a comparison, over the last 24 hours, of total normalized events versus unnormalized events. This provides the analyst with a quick overview of any current event spike activity. The Vulnerabilities by Common Ports – Hosts by Common Ports matrix contains six columns that enumerate the number of hosts with vulnerabilities on a specific port. The columns provide a count of vulnerable hosts based on a specific port and severity level. The last column provides the percentage of hosts with an exploitable vulnerability on that port. The cells in this matrix have a transparent background and change color based on the severity level: green represents low severity, yellow medium severity, orange high severity, and red critical severity. The last column, in purple, shows exploitability but makes no reference to severity level. The Compliance Vulnerabilities table presents a vulnerability summary sorted by plugin type Compliance. The final component of this chapter is a summary of the Most Prevalent Vulnerabilities, sorted by total and severity.
  • Connections Details - The Connection Details chapter contains four components that provide a summary of connection details. The first component, Hosts That Accept External Connections, uses data from plugin #14 (“Accepts external connections”), which covers both UDP and TCP services. It uses the IP Summary tool to present the IP address, NetBIOS, MAC address, and DNS of hosts that are passively found to accept external connections. Internet Browsing Hosts uses plugin #16, which specifically tracks which systems connect to the Internet and on which ports. To produce lists of internal systems that connect to the Internet, a dynamic or static asset list can be created by listing all of the IP addresses that matched PVS plugin #16. To produce a more detailed list of internal systems that connected to the Internet on specific ports, consider adding port filters for common ports such as 21, 22, 25, 80, 443, 465, and so on. Netstat Analysis uses Nessus credentialed scans that report all of the active network connections for a given host or server. SecurityCenter can use the output from these scans to help categorize hosts as clients, servers, Internet browsers, or systems that offer active connections to the Internet. This component uses plugin 58651 (Netstat Active Connections) and the IP Summary tool to display netstat information on scanned hosts. Drilling into the data for each system presents the analyst with a list of active Internet connections for each host. The final component uses information from plugin #14 (“Accepts external connections”) and the Port Summary tool to present a table sorted by the most commonly observed active ports. This allows the analyst to determine which ports are open externally.
  • Exploitability Details - This chapter contains three components, and a section on Ease of Exploit, to assist in exploitability reporting. The first component filters on five different plugin types and presents the number of vulnerabilities per plugin type and the percentage of those vulnerabilities that are known to be exploitable. Regex is used to further determine what products can take advantage of the exploits. The counts presented in the additional columns are the number of vulnerabilities exploitable by Metasploit, Core Technologies, Canvas, or Malware. The second component reports the top exploitable hosts. The third component relies on a function within PVS, where PVS tags any vulnerability it finds with the ‘External Access :’ string. This component uses this string as a filter, in conjunction with plugin ID 14, exploits available set to true, and ports greater than or equal to 1, to identify internet-facing devices that have exploitable vulnerabilities.
  • Exploitability Details - Section: Exploits by Ease of Exploit - This section contains a Class C summary component with filters for the vulnerability text AC:, the type Active Vulnerabilities, and exploit set to yes. Exploit data is presented in three tables that provide details on the exploits that have been identified in the environment, as well as the ease with which those vulnerabilities can be exploited, using the AC:H, AC:M and AC:L vulnerability text filters.
  • Recommended Remediation - This chapter summarizes remediation actions across a series of hosts. Rather than just counting the number of vulnerabilities, it lists the applications that need to be upgraded or patched. The remediation table also highlights systems missing one or more Microsoft patches. This is not only much easier for an IT administrator to consume, but also provides a measure of how much 'work' is required to secure a network, as well as the amount of risk reduced when certain patch efforts are taken.
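
The Exploits by Ease of Exploit section combines three filters: exploit set to yes, the AC: vulnerability text, and a Class C summary. The following is an added example, not part of the report or of any Tenable product, that applies the same logic to a list of findings; the record fields (`ip`, `exploit_available`, `text`) and the sample data are constructed assumptions, not a SecurityCenter export format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample findings, not real scan output. The field names are
# assumptions for this sketch, not a SecurityCenter export format.
FINDINGS = [
    {"ip": "10.1.1.5", "exploit_available": True, "text": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"ip": "10.1.1.9", "exploit_available": True, "text": "CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"},
    {"ip": "10.1.1.9", "exploit_available": False, "text": "CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"},
    {"ip": "10.1.2.20", "exploit_available": True, "text": "CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:N"},
    {"ip": "10.1.2.21", "exploit_available": True, "text": "CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"},
    {"ip": "10.1.2.21", "exploit_available": True, "text": "CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"},
    {"ip": "192.168.5.4", "exploit_available": True, "text": "no CVSS vector recorded"},
]

# Access Complexity token of a CVSS vector: AC:H, AC:M or AC:L.
AC_RE = re.compile(r"\bAC:([HML])\b")


def ease_of_exploit_summary(findings):
    """Count exploitable findings per /24 network and access complexity."""
    summary = defaultdict(lambda: {"L": 0, "M": 0, "H": 0})
    for finding in findings:
        if not finding["exploit_available"]:
            continue  # "exploit set to yes" filter
        match = AC_RE.search(finding["text"])
        if match is None:
            continue  # "AC:" text filter: no vector, so no ease rating
        # Class C summary: collapse the host address to its /24 network.
        network = ipaddress.ip_network(finding["ip"] + "/24", strict=False)
        summary[str(network)][match.group(1)] += 1
    return dict(summary)


def rank_networks(summary):
    """Order networks so those with the most AC:L findings come first."""
    return sorted(
        summary,
        key=lambda n: (-summary[n]["L"], -summary[n]["M"], -summary[n]["H"], n),
    )


if __name__ == "__main__":
    result = ease_of_exploit_summary(FINDINGS)
    for net in rank_networks(result):
        print(net, result[net])
```

Findings with no AC: token are dropped rather than counted as low complexity, so a missing vector never inflates the easy-to-exploit column.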
