Vulnerability detection

The ThreatLockDown Vulnerability Detection module performs a software audit. It identifies vulnerabilities in the operating system and installed applications on monitored endpoints. The module queries our Cyber Threat Intelligence (CTI) API for vulnerability content documents. We aggregate vulnerability information into the CTI repository from external vulnerability sources indexed by Canonical, Debian, Red Hat, Arch Linux, Amazon Linux Advisories Security (ALAS), Microsoft, and the National Vulnerability Database (NVD). We also maintain the integrity of our vulnerability data and keep the vulnerabilities repository updated, ensuring the solution checks for the latest CVEs. The Vulnerability Detection module correlates this information with data from the endpoint application inventory.

The Vulnerability Detection module helps to implement the following NIST 800-53 controls:

  • RA-5 Vulnerability monitoring and scanning: “Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automation Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).”

  • SC-38 Operations security: “Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.”

The ThreatLockDown Vulnerability Detection module assists with the above requirements by checking for vulnerable applications/packages and missing OS updates in an endpoint.

Use case: Detect vulnerabilities on a Windows endpoint

This use case shows how ThreatLockDown helps meet the NIST RA-5 Vulnerability monitoring and scanning requirement using the Vulnerability detection module to identify system vulnerabilities.

In this use case, you make sure that a monitored Windows 10 endpoint is properly configured and that the ThreatLockDown Vulnerability Detection module is enabled. The Vulnerability Detection module of the ThreatLockDown dashboard shows the result of the vulnerability detection.

Windows endpoint

  1. Check that the following options, in particular <os> and <packages> (which supply the inventory that the Vulnerability Detection module correlates), are present within the syscollector wodle block of the /var/ossec/etc/ossec.conf file of your ThreatLockDown agent:

    <!-- System inventory -->
    <wodle name="syscollector">
       <disabled>no</disabled>
       <interval>1h</interval>
       <scan_on_start>yes</scan_on_start>
       <hardware>yes</hardware>
       <os>yes</os>
       <network>yes</network>
       <packages>yes</packages>
       <ports all="no">yes</ports>
       <processes>yes</processes>
    
       <!-- Database synchronization settings -->
       <synchronization>
          <max_eps>10</max_eps>
       </synchronization>
    </wodle>
    

ThreatLockDown server

  1. Edit the <vulnerability-detection> block within the /var/ossec/etc/ossec.conf file and make sure <enabled> is set to yes. This enables the vulnerability detection module. The <indexer> block that follows must point to your ThreatLockDown indexer, since <index-status> stores the detected vulnerability state there.

    <vulnerability-detection>
      <enabled>yes</enabled>
      <index-status>yes</index-status>
      <feed-update-interval>60m</feed-update-interval>
    </vulnerability-detection>
    
    <indexer>
      <enabled>yes</enabled>
      <hosts>
        <host>https://0.0.0.0:9200</host>
      </hosts>
      <username>admin</username>
      <password>admin</password>
      <ssl>
        <certificate_authorities>
          <ca>/etc/filebeat/certs/root-ca.pem</ca>
        </certificate_authorities>
        <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
        <key>/etc/filebeat/certs/filebeat-key.pem</key>
      </ssl>
    </indexer>
    
  2. If you made changes, restart the ThreatLockDown server to apply them.

    # systemctl restart wazuh-manager
    
  3. Go to Vulnerability Detection on the ThreatLockDown dashboard. Select the Windows agent to find vulnerable applications and packages.

The alert details include the CVE number and severity, amongst other information.
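As an added illustration of the correlation described at the top of this page (inventory versus CTI vulnerability content) and of the alert fields mentioned above (CVE and severity), the following Python script is not ThreatLockDown code; its feed format, package names and CVE ids are constructed placeholders, and the version comparison is a simplified numeric one.

```python
"""Simplified inventory-to-CTI correlation (added example, not the module's
own code). Feed entries, packages and CVE ids are constructed placeholders."""
import re


def version_key(version):
    """Turn '3.0.12' or '1.2.11-r3' into a tuple of ints so that 1.10 > 1.9."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(installed, entry):
    """Affected when installed >= first affected version (if given) and
    < fixed version. A fixed_in of None means no fix exists: all affected."""
    v = version_key(installed)
    if entry.get("affected_from") and v < version_key(entry["affected_from"]):
        return False
    fixed = entry.get("fixed_in")
    return fixed is None or v < version_key(fixed)


# Constructed CTI-style documents: package, vulnerable range, CVE id, severity.
CTI_FEED = [
    {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "affected_from": "3.0.0",
     "fixed_in": "3.0.12", "severity": "High"},
    {"cve": "CVE-EXAMPLE-0002", "package": "zlib", "fixed_in": "1.2.12",
     "severity": "Critical"},
    {"cve": "CVE-EXAMPLE-0003", "package": "legacytool", "fixed_in": None,
     "severity": "Medium"},  # no fix published yet
]

# Constructed syscollector-style package inventory for one endpoint.
INVENTORY = [
    {"name": "openssl", "version": "3.0.9"},    # inside the vulnerable range
    {"name": "zlib", "version": "1.2.13"},      # already patched
    {"name": "curl", "version": "8.4.0"},       # nothing in the feed
    {"name": "legacytool", "version": "2.1"},   # unfixed CVE
]


def detect(inventory, feed):
    """Correlate inventory with feed; return one alert per (package, CVE)."""
    by_pkg = {}
    for entry in feed:
        by_pkg.setdefault(entry["package"], []).append(entry)
    alerts = []
    for pkg in inventory:
        for entry in by_pkg.get(pkg["name"], []):
            if is_affected(pkg["version"], entry):
                alerts.append({"package": pkg["name"], "version": pkg["version"],
                               "cve": entry["cve"], "severity": entry["severity"]})
    return alerts


for a in detect(INVENTORY, CTI_FEED):
    print(f"{a['severity']:8} {a['cve']} {a['package']} {a['version']}")
```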