Wednesday, October 2, 2024

Vulnerability Management - Categorization of vulnerabilities into OS and Non-OS for reporting purposes in Rapid7 InsightVM

Not sure who would benefit from this, but I don't want to keep it to myself.


Disclaimer: Only for Rapid7 InsightVM reports

Problem Statement:
In Rapid7 InsightVM, vulnerabilities can be categorized as OS or Non-OS based on the “Vulnerability ID” field in the report. For vulnerabilities in Microsoft products, if the “Vulnerability ID” value starts with “msft” or "microsoft-windows", we treat it as an OS patch. This logic is not perfect and produces false positives.

For Microsoft products, most of the false positives arise because Rapid7 uses the “msft” or "microsoft-windows" prefix for any Microsoft patch, OS or Non-OS.

Solution:
The “Vulnerability Title” field in the Rapid7 report can be used to minimize FPs. So why not use the “Vulnerability Title” field in the first place? Practically not possible. Why? Homework for you!!

Typically, values in the “Vulnerability ID” field look like the following:
--> microsoft-windows-cve-YYYY-NNNNN
--> msft-cve-YYYY-NNNNN
--> wireshark-cve-YYYY-NNNN
--> 7-zip-7-zip-cve-YYYY-NNNN

Note: for Linux systems, the “Vulnerability ID” field values to look for start with --> linux

Algorithm:
1. Identify the "Vulnerability ID" field in the Rapid7 InsightVM report.
2. Extract the string before "-cve-YYYY-NNNN".
3. If the extracted value is one of ("microsoft-windows", "msft", "linux", "hotfix"), classify as OS; otherwise Non-OS.
4. Identify the "Vulnerability Title" field in the Rapid7 InsightVM report.
5. Use the “Vulnerability Title” field to minimize FPs (see the keyword list below).

The following keywords (matched in the “Vulnerability Title” field of the Rapid7 report) are used, as of now, to classify a vulnerability as Non-OS even though its “Vulnerability ID” value starts with “msft”:
1. SQL Server
2. Office
3. Visual Studio
4. Microsoft SQL
5. .NET Framework
6. ASP.NET
7. Adobe Flash Player (I observed a few Microsoft patches for Flash Player)
8. Microsoft ODBC
9. Microsoft OLE DB
10. execution side-channel

I have used a combination of MS Excel formulas and VBA to achieve this for one of our clients, but the core logic remains the same as explained above.
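As an added example (not the author's Excel/VBA implementation), here is the algorithm above in Python: the prefix extraction, the OS prefix list, and the title-keyword override for "msft"/"microsoft-windows" findings. The CSV column names are taken from the post's field names, and every sample ID and title is a constructed assumption, not a real finding.

```python
import csv
import io
import re

# Rule 1 (algorithm step 3): text before "-cve-YYYY-NNNN" that counts as an OS finding.
OS_PREFIXES = {"microsoft-windows", "msft", "linux", "hotfix"}

# Rule 2 (the post's keyword list): title keywords that turn an "msft"/"microsoft-windows" finding back into Non-OS.
NON_OS_TITLE_KEYWORDS = (
    "SQL Server", "Office", "Visual Studio", "Microsoft SQL", ".NET Framework",
    "ASP.NET", "Adobe Flash Player", "Microsoft ODBC", "Microsoft OLE DB",
    "execution side-channel",
)

# Matches "-cve-YYYY-NNNN" (four or more digits in the sequence) and anything after it.
_CVE_SUFFIX = re.compile(r"-cve-\d{4}-\d{4,}.*$", re.IGNORECASE)

def product_prefix(vuln_id: str) -> str:
    """Step 2: the Vulnerability ID with its '-cve-YYYY-NNNN' tail removed, lower-cased."""
    return _CVE_SUFFIX.sub("", vuln_id.strip()).lower()

def classify(vuln_id: str, title: str = "") -> str:
    """Steps 3 and 5: return 'OS' or 'Non-OS' for one report row."""
    prefix = product_prefix(vuln_id)
    if prefix not in OS_PREFIXES:
        return "Non-OS"
    if prefix in ("msft", "microsoft-windows"):
        title_lc = title.lower()
        if any(kw.lower() in title_lc for kw in NON_OS_TITLE_KEYWORDS):
            return "Non-OS"  # Microsoft patch for a non-OS product (the FP case)
    return "OS"

def classify_report(csv_text: str) -> dict[str, str]:
    """Map each Vulnerability ID in a CSV export with the two named columns to its class."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Vulnerability ID"]: classify(row["Vulnerability ID"], row["Vulnerability Title"])
            for row in reader}

# Constructed sample rows in the shape of an InsightVM CSV export; IDs and titles are made up.
SAMPLE_CSV = """Vulnerability ID,Vulnerability Title
msft-cve-2024-10001,Microsoft Windows Kernel Elevation of Privilege Vulnerability
msft-cve-2024-10002,Microsoft SQL Server Remote Code Execution Vulnerability
msft-cve-2024-10003,Microsoft .NET Framework Denial of Service Vulnerability
microsoft-windows-cve-2024-10004,Windows SMB Remote Code Execution Vulnerability
wireshark-cve-2024-1005,Wireshark Dissector Crash
7-zip-7-zip-cve-2024-1006,7-Zip Heap Overflow
linux-cve-2024-10007,Linux Kernel Use-After-Free
"""
```

The title keywords are plain substring matches, so a broad word such as "Office" can also match titles you did not intend; review the Non-OS rows before reporting.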

Happy Learning !!
#VulnerabilityManagement #CyberSecurity
