Last updated at Mon, 31 Jul 2017 14:44:03 GMT
Today I'd like to highlight an often overlooked but very handy analysis option in Nexpose - filtering assets based on their discovered vulnerability CVSS Impact Metrics (Confidentiality, Integrity, Availability).
We will use RealContext tags and Filtered Asset Search to answer the following questions:
- Are there any Availability Impact findings on High Availability systems? (i.e. web servers, authentication servers)
- Are there any Confidentiality Impact findings on systems with Highly Confidential data? (i.e. HR systems, finance systems)
- Are there any Integrity Impact findings on systems which should be High Integrity? (i.e. security systems, credential management systems, domain controllers)
[RELATED: Impact Driven Risk Analysis [VIDEO] | Rapid7 ]
Filtered Asset Search
You can get to the Filtered Asset search feature using the Filter icon in the upper right of the UI or by selecting "Dynamic Asset Group" in the Create menu at the top.
The Filtered Asset search feature allows you to search for assets based on the specific CVSS Impact Metrics of the asset's discovered vulnerabilities. The same goes for CVSS Exploitability Metrics. Take a look:
RealContext Tagging
RealContext asset tagging allows you to add your specific business context information to the technical data gathered by Nexpose. All you need to do is get a list of all High Availability (or High Confidentiality, or High Integrity) systems in your environment and tag those assets accordingly in Nexpose.
Putting It Together - High Availability Risk Analysis
When you combine the RealContext tag data with the CVSS Impact Metric filtering option in Nexpose, things get really interesting. You can set up a search to explicitly find High Availability assets which have Availability Impact findings on them, like this:
You can save your search results in an Asset Group (either Dynamic or Static) or as a dynamic RealContext tag for ongoing analysis. I would call this group 'High Availability Risk' myself, but you can choose any name you like. If you configure a Dynamic Asset Group, this list will automatically update with each new scan.
High Availability Risk Reporting
Nexpose provides the ability to filter vulnerability findings in a report. This is a great feature which lets you filter by severity and vulnerability category. Unfortunately for our immediate purposes, the report filtering does not let us filter on CVSS Impact Metrics. But don't worry!
For advanced reporting needs, Nexpose has a flexible SQL Query Export option. You can find this by going to "Create a report" and selecting the Export tab within the Reports view.
Here's a query that lists all vulnerabilities with Partial or Complete Availability Impact findings, and the solutions for those vulnerabilities. Note the use of the cvss_availability_impact_id field from the dim_vulnerability table and the use of the dim_cvss_availability_impact table:
SELECT dsite.name AS "Site", da.ip_address AS "Asset IP", da.host_name AS "Asset Hostname", dv.title AS "Vulnerabiltiy", ds.summary AS "Solution", dcai.description AS "CVSS Availability Impact"
FROM fact_asset_vulnerability_instance AS fav
JOIN fact_vulnerability AS fv ON fav.vulnerability_id = fv.vulnerability_id
JOIN dim_vulnerability AS dv ON fav.vulnerability_id = dv.vulnerability_id
JOIN dim_site_asset AS dsa ON fav.asset_id = dsa.asset_id
JOIN dim_site AS dsite ON dsa.site_id = dsite.site_id
JOIN dim_asset AS da ON fav.asset_id = da.asset_id
JOIN dim_vulnerability_solution AS dvs ON fv.vulnerability_id = dvs.vulnerability_id
JOIN dim_solution AS ds ON dvs.solution_id = ds.solution_id
JOIN dim_cvss_availability_impact AS dcai ON dv.cvss_availability_impact_id = dcai.type_id
WHERE dv.cvss_availability_impact_id = 'P' OR dv.cvss_availability_impact_id = 'C'
GROUP by dsite.name, da.ip_address, da.host_name, dv.title, ds.summary, dcai.description
ORDER by dsite.name ASC
If you save this Custom SQL Export query and set the scope using the 'High Availability Risk' asset group from earlier, you will get a targeted list of the Partial and Complete Availability Impact vulnerabilities on your High Availability assets.
To learn more about working with SQL Query Exports in Nexpose, and some example queries, see this Nexpose Reporting area of the Rapid7 Community site.
Success!
One of the initial questions posed was, "are there any Availability Impact findings on High Availability systems?" By leveraging the Filtered Asset Search and RealContext Tag features, we are able to create a 'High Availability Risk' asset group and a 'High Availability Risk' CSV report - with solutions included. This definitively answers the question and provides remediation recommendations. I call that a win!
You can apply the same approach for High Confidentiality and High Integrity risk analysis following the steps below:
- Tag your High Confidentiality or High Integrity assets accordingly
- Use the Filtered Asset Search feature to create 'High Confidentiality Risk' and 'High Integrity Risk' Dynamic Asset Groups
- Set up a SQL report for your findings. Adjust the query above - swap out the 'availability' fields and tables for the corresponding 'confidentiality' and 'integrity' fields and tables.
If you'd like to see this reporting capability baked in to the vulnerability filtering possible in the Nexpose Reporting UI - so would I! I've created an idea in our Idea Portal. All you have to do is click here, log in with your customer (or employee) support credentials, and vote!
Custom Targeted Analytics
If your organization wants deep analytics customized to your priorities, the Rapid7 Applied Engineering team is always happy to help! We develop targeted analytics for: custom reports, custom SQL queries, custom dashboards, custom integrations (i.e. ticketing systems, asset management systems), and more. Your Customer Success Manager (CSM) can get the conversation started about requirements, scoping, and all that fun stuff.
Thanks, and stay tuned for more!
