What we’ll be learning
In this article, we’ll be learning about vulnerability scans including what they are, how we use them, and what options there are for different types of scans. We’ll also discuss how vulnerability scans get the information they use to search for vulnerabilities.
What is a vulnerability scan?
A vulnerability scan is an automated scan that searches for vulnerabilities in a network or application. As with many tools, they can be used ethically or maliciously, but we’ll be focusing primarily on their ethical uses today. Vulnerability scanning is a very useful tool for defenders to find potential vulnerabilities within their environment before a threat actor does.
Vulnerability scans are most often used for vulnerability assessments, as opposed to threat hunting or penetration testing. Some types of vulnerability scans can be loud and easily detected, and this can be an important consideration when trying to remain stealthy.
Types of vulnerability scans
Network vs. application
The two main types of vulnerability scanning are Network Vulnerability Scanning and Application Vulnerability Scanning. Network vulnerability scanners are designed to scan hosts on a network, such as computers, smartphones, and networking equipment. Overall, network scanning can be considered a “general-purpose” type of vulnerability scanning.
Application scanning is more specific, designed to search for vulnerabilities within specific applications or types of applications, such as web applications or database software.
Intrusive vs. non-intrusive
One important attribute to consider in vulnerability scans is how Intrusive the scan is. Non-Intrusive Scanning (or Passive Scanning) is passive and doesn’t directly interact with its targets, while Intrusive Scanning (or Active Scanning) does actively interact with its targets.
Passive scanning involves things like analyzing network traffic, looking for signs that something is configured incorrectly. This approach is less disruptive than active scanning but provides less information. Passive scanning can be used in situations where stealth is important, such as penetration testing, or by threat actors.
Active scanning involves actively querying the scan targets to obtain information. This approach provides more information than passive scanning, but consumes network resources and can cause malfunctions in the devices it scans. It can also set off security alerts, even when used for legitimate purposes, because of how similar it is to automated attacks.
Credentialed vs. non-credentialed
Network scans can also be Credentialed or Non-Credentialed: A non-credentialed scan has no special access to hosts: It may be able to send, receive, or inspect packets, but it cannot do anything an unprivileged user on the network couldn’t do. A credentialed scan is when the scanner is given extra access, similar to the access an insider would have.
Credentialed scans usually reveal more vulnerabilities, since they have more access, but the vulnerabilities revealed by non-credentialed scans are likely to be more serious since they are accessible even to unprivileged users.
False positives and false negatives
Vulnerability scanners generate reports of the vulnerabilities they find, but before we discuss how these reports are used, we must discuss False Positives and False Negatives.
Both false positives and false negatives are errors in the results of a scan.
A false positive is when the scanner says there is a vulnerability, but there actually isn’t a vulnerability. This can waste the time of security personnel trying to fix a vulnerability that simply doesn’t exist.
A false negative is when the scanner says there isn’t a vulnerability, but there actually is. This means that even if a scan says it found 0 vulnerabilities, that doesn’t mean there are no vulnerabilities present.
Both these types of errors can cause problems when trying to identify vulnerabilities that need attention. It’s important to properly investigate reported vulnerabilities and verify their existence before we take steps to fix them. One of the easiest ways to do this is a process called log review, where a reported vulnerability is validated by examining relevant system and network logs.
For example, if a scanner reports that a router has a software issue that, among other things causes packets to be duplicated, then you could check network logs for duplicated packets that passed through the router.
CVEs and CVSS
If you want to scan for vulnerabilities, you need to know what those vulnerabilities are. One way we define and track vulnerabilities is with CVE (Common Vulnerabilities and Exposures). CVE is a list of vulnerabilities, with each entry consisting of a unique identifier, a description of the vulnerability, a list of references for more information, and when the entry was added. This allows us to have a list of vulnerabilities, but it doesn’t tell us much about them by itself.
For more detailed information about vulnerabilities, we have resources like CVSS (Common Vulnerability Scoring System), which consists of supplemental information provided by NIST. Entries in CVSS are assigned a score based on their severity, ranging from 0 to 10, with 10 being the most severe. This score is based on how easy the vulnerability is to exploit, and how much damage can be done by exploiting it. The most dangerous vulnerabilities are those that are easy to exploit and can do lots of damage.
CVE and CVSS are useful tools not just for defenders, but also for attackers: To a defender, a CVE is a resource that can be used to learn about a vulnerability reported by a scanner, but to an attacker, it can be a catalog of options for how to compromise a target.
Vulnerability scanners don’t just look for known exploits, they also look for configuration issues. In a previous article, we discussed how weak configuration can compromise the security of an environment, and can be just as dangerous as directly vulnerable software. This type of scanning usually requires a credentialed scan and requires the scanner to have information about best practices for configuring the software being scanned.
Vulnerability scans are a very useful tool, for both attackers and defenders. They can be used to quickly identify and address weaknesses in networks or software or used to determine possible methods of attack on those same networks and software. When used ethically, vulnerability scanners are a powerful tool that should not be ignored.