Wednesday, 6 October 2021

To Heck with Vulnerability - 2020

As each year closes it can be nice to take a step back. At the end of 2020, as if a viral pandemic wasn’t bad enough, we also had to deal with digital weaknesses that left us open to more human attacks against our digital infrastructure.


One of the things I’d like to point out about vulnerability is that the vulnerabilities reported in a given year may or may not be the ones that the most frequent top attacks are actually using to exploit targets in that year.



The grand majority of top vulnerabilities reported by the US Cybersecurity & Infrastructure Security Agency as used by attackers for exploit in 2020 were not reported in 2020 but earlier. This shows that the longer organizations take to patch, the longer the vulnerability remains useful to attackers, thereby increasing the general global attack surface.


The number of vulnerabilities disclosed per year is looking like a bull market. Something tells me there won't be any crash in this trajectory line.


CVE stands for Common Vulnerabilities and Exposures. CVE numbers are assigned by a CVE Numbering Authority (CNA); MITRE is the primary CNA now. The names of each vulnerability follow the naming convention CVE-[Year Reported]-[Arbitrary Digits].


The vulnerabilities that I cover in my video CVE Rogues Gallery [2020 Edition] - Vulnerabilities and Exposures can be seen here:




Based on government data reported by the US Cybersecurity and Infrastructure Security Agency (CISA) in their exciting and newly revised Alert (AA21-209A) (as of August 2021), the majority of top vulnerabilities identified as used by attackers for exploit in 2020 were not reported in 2020 but earlier.


In 2020, more than 66 percent of the top CVEs used were reported in previous years. Only about 33% of the top CVEs targeted for attack that made this list were actually reported in 2020. Patching quickly and remediating ahead of the curve is still extremely important. Attackers can easily discover your weak spots. And the point is, those threat actors don’t care when the CVEs were published or released; they just hope you are late to remediate.
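The CVE naming convention above carries the year in the identifier, so the same check CISA did can be run over your own scanner export: parse each id, bucket by year, and see what share predates the year you are in. This is an example added here, not CISA's or MITRE's code; the CVE ids in the sample list are constructed placeholders, not the ones in the alert.

```python
import re
from collections import Counter

# Constructed placeholder CVE ids for illustration only; the real list is in
# CISA Alert AA21-209A, linked from the post. Example code added here, not CISA's.
SAMPLE_TOP_CVES = [
    "CVE-2017-00001", "CVE-2018-00002", "CVE-2019-00003",
    "CVE-2019-00004", "CVE-2020-00005", "cve-2020-00006",
]

# CVE-[Year Reported]-[Arbitrary Digits]: four-digit year, sequence of 4+ digits
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_cve_id(text: str) -> bool:
    """True if the string is a well-formed CVE identifier (case-insensitive)."""
    return CVE_RE.match(text.strip().upper()) is not None


def cve_year(cve_id: str) -> int:
    """Return the year embedded in a CVE identifier; raise on a malformed id."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def patch_lag_summary(cve_ids, reference_year):
    """Count the ids per year and return the share that predate reference_year.

    Returns (counts_by_year, share_from_prior_years); feed it a scanner export
    or an advisory list to see how much of your exposure is old, unpatched CVEs.
    """
    by_year = Counter(cve_year(c) for c in cve_ids)
    prior = sum(n for year, n in by_year.items() if year < reference_year)
    total = sum(by_year.values())
    return by_year, (prior / total if total else 0.0)


if __name__ == "__main__":
    by_year, share = patch_lag_summary(SAMPLE_TOP_CVES, 2020)
    for year in sorted(by_year):
        print(f"{year}: {by_year[year]} CVE(s)")
    print(f"share reported before 2020: {share:.0%}")
```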


Top Routinely Exploited Vulnerabilities 2020: CISA Alert (AA21-209A): https://us-cert.cisa.gov/ncas/alerts/aa21-209a 




But make no mistake, it isn’t just Critical and High severity CVEs that you need to worry about: even Low and Medium severity vulnerabilities, when chained together, can lead to full compromise.


General recommendations that are in-line with protecting against these vulnerabilities are:

  • Don’t leave services on if you don’t need them

  • Make patching and upgrading a priority 

  • Don’t allow users administrative credentials just because they want it.  Make sure there is a business need.  Their primary login should be a standard user account and not an administrator account

  • Train users to understand that they are part of the security stack of your organization.  The security controls that you have implemented in your organization don’t have magic powers and still require users to act cautiously, with mindful deliberation and with security in mind.


The best advice is to have a serious and responsive upgrade and patching program, a dedicated Vulnerability Management practice, Incident Response Management, a solid implementation of defense-in-depth with your Security Stack and cyber hygiene.

Sunday, 12 September 2021

Building a Common Language - CVSS (Common Vulnerability Scoring System)

As our complex societies, business environments and economies work together to exchange and secure data, build ideas and solve problems so that we may protect and improve quality of life, our human workflows are often thwarted by not using a common industry language.   Sometimes we do not even have a common language to use. 

When we think of risk, vulnerability management and threat intelligence, the standard frameworks in active development come to mind.  

In Vulnerability Management, the Common Vulnerability Scoring System (CVSS) has become the widely adopted standard, solidified in 2005 (now almost 17 years ago) by the National Infrastructure Advisory Council (NIAC). Initially, the NIAC passed ownership of the CVSS standard to the Forum of Incident Response and Security Teams (FIRST), a non-profit organization established in 1990 in response to the cyber risk exposed by the WANK worm just a few years earlier.

Now FIRST maintains and grows this standard and encourages feedback from the information security community.

A link to the final report by the NIAC can be accessed from the Cybersecurity & Infrastructure Security Agency (CISA): https://www.cisa.gov/publication/niac-common-vulnerability-scoring-final-report

Since 2007, Europe has taken the lead in FIRST membership growth year over year. Membership in Asia and the United States has also been increasing, but at different rates. As of this year, Asia has caught up with the United States in membership numbers. South America has also dramatically increased its regional membership numbers year after year. Asia and Europe have had the most impressive increases since 2015.

FIRST Membership growth by year:  https://www.first.org/about/history

CVSS Industry Use Cases 

To onlookers outside of the industry, much translation is needed. Use cases are often the best way to help in understanding something that initially seems so abstract.
  • National Vulnerability Database Analysts: These analysts use the CVSS to attribute scores to newly disclosed and discovered vulnerabilities.  The vulnerabilities and their assigned CVSS score can be found in the National Vulnerability Database (NVD).
  • Security Analysts, Security Researchers, Auditors, Pen-testers, Threat Actors: Red-teamers, blue-teamers, and threat actors alike can rely on CVSS scoring in order to understand system vulnerability, plan attacks and implement countermeasures. (choose the light)
  • Makers and providers of vulnerability scanning, and  Endpoint Detection and Response Platforms:  They can leverage the NVD feed to provide CVSS scoring for host and device scans.
  • Makers, providers, users of SIEM and Log Collection platforms:  They can attempt to detect CVEs being actively exploited and apply a severity score that correlates to a perceived vulnerability to address countermeasures during and after attack.
A link to resources with detailed information can be found here:

CVSS Versions and Release Dates 

Like some people say, "Nothing is perfect".  I think we all know by now, how right that is.  It definitely goes without saying, but I'll say it anyway!

Historically, however, CVSSv1-3 seem to lack the ability to describe, in sufficient detail, vulnerabilities related to Internet-of-Things (IoT) devices such as medical devices, grid, automobile, aircraft, drone and, generally, embedded systems. CVSSv3.1, released in 2019, contains a framework for extending CVSS.

The CVSS does not have specialized scoring for industry verticals, and thus does not have the language or the scope to accurately measure risk, only severity ratings of software vulnerabilities.

CVSS Version / Year Released / Limitations

CVSSv1 (2005): Had not been peer reviewed when released.

CVSSv2 (2007): Questions of accuracy due to lack of granularity in several metrics, weak definitions that resulted in less accurate scoring. Slow to accommodate the changing landscape of modern risk. Of a scoring range that had levels 0-10, only had 3 levels of severity - Low/Medium/High.

CVSSv3.0 (2015): Accounted for the physical attack layer, but still did not address major issues with scoring for confidentiality of data amongst other unresolved issues. Levels of severity increased from 3 to 5 levels of a 0-10 scoring range - None/Low/Medium/High/Critical.

CVSSv3.1 (2019): Includes updates to the user guide, a framework for extending the CVSSv3 to provide flexibility for industry verticals including healthcare, automotive and industrial sectors. Formulation and scoring improvements.

Mapping CVSS to MITRE ATT&CK

The intertwining of Vulnerability Management and Cyber Threat Intel is incontestable. It is natural when thinking about security weaknesses that we should easily imagine that lurking in the obfuscated digital shadows is a threat actor, an attacker, waiting to exploit those weaknesses.

The great work that MITRE has accomplished in describing the tactics, techniques and procedures (TTPs) of real-world attacks, and then correlating those with attack groups (nation state attackers, cybercriminals and hacktivists), builds a dossier that allows us, the security community, to threat map based on victim profile (industry segment) and anticipate the modus operandi of attack groups that typically target a given industry.

Some brilliant work from Aditya Kuppa, Lamine Aouad and Nhien-An Le-Khac, which can be found on the ACM Digital Library, describes in detail how to programmatically correlate CVSS to MITRE ATT&CK techniques.

A link to their work can be found here:  https://dl.acm.org/doi/fullHtml/10.1145/3465481.3465758 

Additionally, in October 2020, MITRE released a rubric (an xlsm on GitHub) for effectively applying CVSS to medical devices. The U.S. Food and Drug Administration has officially qualified this rubric as one of several Medical Device Development Tools (MDDTs) on its website.

MITRE CVSS Rubric for Medical Devices:  https://github.com/mitre/md-cvss-rubric-tools 

Common Languages Change and Evolve

As common languages like CVSS and ATT&CK continue to evolve and change to meet industry requirements they don't need to be perfect, they just need to be adaptive.  


Thursday, 11 March 2021

TryHackMe: Nessus Room Writeup

On TryHackMe, the Nessus room not only introduces us to vulnerability scanning but it is a reminder that even the home user, student and hobbyist can run a cybersecurity vulnerability scanner at home with Tenable Nessus Essentials.


Nessus Scanner requires about 30GB of initial disk space. That disk space requirement will grow over time because Nessus will store the results from each scan into its database. Also as Nessus plugins get released and updated, that will also cause the data storage size to increase.

The Nessus room consists of 5 tasks:

Introduction - where you learn about Nessus scanner’s basic purpose
Installation - where you learn how to install Nessus on Kali Linux
Navigation and Scans - where you learn to move about the console
Scanning! - Lab with a target machine that you can run scans against
Scanning a Web Application! - Lab where you perform a specialized web app scan

The last 3 of the above tasks are those that require responses in the room. Make sure that when you work in this lab you are using your own Kali Linux machine (or VM) and connecting to the Nessus room labs with OpenVPN. This is because the minimum Hardware Requirements (https://docs.tenable.com/nessus/Content/HardwareRequirements.htm) for Nessus are 30GB of disk space for Nessus itself. The AttackBox on TryHackMe has 25GB of disk space in total (at the time of publishing this writeup), which will not accommodate the Nessus installation.

Navigation and Scans


THM: What is the name of the button which is used to launch a scan?




THM: What side menu option allows us to create custom templates?




THM: What menu allows us to change plugin properties such as hiding them or changing their severity?




THM: In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive?




THM: One of the most useful scan types, which is considered to be 'suitable for any host'?




THM: What scan allows you to 'Authenticate to hosts and enumerate missing updates'?




THM: What scan is specifically used for scanning Web Applications?


Scanning!


THM: Create a new 'Basic Network Scan' targeting the deployed VM. What option can we set under 'BASIC' (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.

New Scan button > Basic Network Scan > Settings > Schedule



THM: Under 'DISCOVERY' (on the left) set the 'Scan Type' to cover ports 1-65535. What is this type called?




THM: After the scan completes, which 'Vulnerability' in the 'Port scanners' family can we view the details of to see the open ports on this host?




If you click on the above line-item, you will navigate to a detail page that shows which ports have been detected:



THM: What Apache HTTP Server Version is reported by Nessus?

To find the version of Apache HTTP Server click on the below line-item:



You will find the version in the following detail view:



Scanning a Web Application!


You will set up this scan like the Basic Network Scan, but you will select Web Application Tests as the scan type.
  1. New Scan button > Web Application Tests
  2. Enter the IP into the target text field
  3. Click Save
  4. Launch the scan and wait for results
THM: What is the plugin id of the plugin that determines the HTTP server type and version?


In the Vulnerabilities tab of the scan you will notice a grouping of 2 vulnerabilities:




Click on the HTTP (Multiple Issues) line-item and you will see the following:




Then click on the line item “HTTP Server Type and Version” and you will see the plugin ID as shown below:




THM: What authentication page is discovered by the scanner that transmits credentials in cleartext?


Click on the line item “Web Server (Multiple Issues)”.




Then click on the line-item “Web Server Transmits Cleartext Credentials”:



Under the Output section you will see the page that transmits cleartext credentials:



THM: What is the file extension of the config backup?


Click on the “Backup Files Disclosure” vulnerability line-item:



The extension can be found under the Output section in the vulnerability detail:




THM: Which directory contains example documents? (This will be in a php directory)




THM: What vulnerability is this application susceptible to that is associated with X-Frame-Options?

Tuesday, 9 March 2021

Passing the CompTIA PenTest+ and What Helped Me

This past January 2021, I passed the CompTIA PenTest+ after failing the test in October 2020. It had been a long time since attempting any certificates and I was determined to jump over another hurdle. I notice that the method of learning that works best for me is to leverage a variety of materials.

I ended up using 4 books and 2 online training modules, and I held myself to a daily schedule. I put these videos together to tell my story in the hope that it will motivate and help others who are on that PenTest+ journey.

Pulling from a variety of study resources like online flashcards, study-guide books, practice test books with online modules, complete digital training with videos, practice tests and hands-on labs will help. Understanding the test psychology was a key component of succeeding in passing the test. The test psychology is best understood by using the practice tests from Sybex and McGraw Hill.

This is the longer version of my advice in this video: 


For those of you who want the condensed version, I did my best to package up the most important elements into this 5 minute video:


Good luck on your PenTest+ study journey, friends!