How To Build An Effective Vulnerability Management Program with BAS?

Vulnerability management is a critical aspect of maintaining an organization’s cybersecurity posture. It involves using advanced scanning tools to identify potential security flaws within an organization’s IT infrastructure. These programs enable organizations to systematically analyze scan results, allowing them to rank and prioritize the remediation of vulnerabilities by severity, business-critical impact, and likelihood of exploitation. To further refine the urgency and necessity of patching these vulnerabilities, organizations often leverage Breach and Attack Simulation (BAS) technologies. 

BAS tools conduct simulations of real-world cyberattacks to test whether existing security measures are effective. This helps determine if vulnerabilities are merely theoretical in nature or if they pose a real, exploitable threat. Consequently, this can inform decisions on whether immediate remediation is necessary or if existing defenses are sufficient to mitigate the risk, potentially allowing some vulnerabilities to remain unpatched without compromising the organization’s security posture.

In this blog, we’ll discuss how organizations can use BAS technology to strengthen their vulnerability management programs. We'll cover how BAS helps validate and prioritize vulnerabilities, enhancing overall cybersecurity effectiveness.

Exposure Assessment and Exposure Validation

To understand the benefits that a BAS solution can introduce to your organization’s vulnerability management program, we first need to understand the difference between exposure assessment and validation. 

Exposure Assessment is the process of identifying and understanding the vulnerabilities within an organization's digital environment. This step is about creating a comprehensive picture of potential security weaknesses before any attack has occurred.

For instance, with Vulnerability Management (VM) tools, the exposure assessment involves tools that scan systems to detect known vulnerabilities. These could be unpatched software, insecure configurations, or outdated components that are susceptible to exploitation. The outcome of this process is a list of vulnerabilities that have been identified within the system. The list itself does not indicate whether these vulnerabilities are currently being exploited, only that they exist and represent potential security risks.

Exposure Validation is the process of validating whether identified vulnerabilities can be exploited in a real-world attack scenario. This critical step determines the actual risk posed by the vulnerabilities to the business, assesses their exploitability, and evaluates if the vulnerabilities are being exploited in malware or threat group campaigns targeting the organization's sector and region. Additionally, it checks whether current defensive measures are preventing potential attacks that could leverage these vulnerabilities as a foothold. This proactive approach helps organizations prepare for potential attacks and prioritize remediation efforts in a non-chaotic and non-disruptive manner.

In summary, exposure assessment identifies "what could go wrong," and exposure validation tests "what can actually go wrong" by simulating an attack. Exposure Assessment is about potential vulnerabilities, while Exposure Validation is about actual exploitability and impact.

In the upcoming section, we are going to deep dive into the theoretical steps of implementing a more efficient vulnerability management program leveraging a BAS tool. If you want to skip this part, and follow a real-life example, jump into the last section of this blog.

Seven Steps to a More Efficient Vulnerability Management Program Using BAS

Here are the seven steps for building an efficient vulnerability management program using BAS technology. This section introduces the concept. If you wish to skip ahead and dive into a real-life example, please proceed to the next section.

• Step 1: Scoping 

Vulnerability management begins with a critical step known as “scoping”, which involves defining and identifying the assets that need protection within an organization. This process uses tools and frameworks such as Microsoft System Center Configuration Manager, which helps in managing, deploying, and ensuring compliance across all devices within the network. 

Similarly, Active Directory can be used to catalog and administer network resources like servers, endpoints, and user profiles. In situations where automated tools are not sufficient or available, a manual list may be compiled to ensure all critical assets are included. Proper scoping is essential as it sets the stage for subsequent stages of vulnerability management, ensuring that efforts are targeted and effective.

• Step 2: Vulnerability Scanning

The second step in vulnerability management involves conducting comprehensive vulnerability scanning across the predetermined scope of assets. This crucial phase utilizes advanced scanning tools such as Tenable Nessus, Rapid7 Nexpose, Qualys, OpenVAS, Burp Suite Enterprise Edition from Portswigger, Languard by GFI Software, Frontline VM, etc. There are many commercialized tools, as well as free ones, to choose from

These tools are designed to systematically identify, assess, and report vulnerabilities that could potentially be exploited by attackers. By deploying these scanners, organizations can detect security weaknesses early, prioritize risks based on severity, and prepare appropriate remediation strategies to fortify their defenses.

• Step 3: Prioritization

The third step in an effective vulnerability management program is prioritization. This phase involves sorting identified vulnerabilities based on their severity to determine the urgency of remediation efforts. Utilizing the Common Vulnerability Scoring System (CVSS), vulnerabilities are typically classified into categories: Critical, High, Medium, Low, and Informational. This classification helps organizations focus their resources and efforts on patching the most severe vulnerabilities first—those that pose the greatest risk to their network and data—while lesser threats are scheduled for later resolution based on their potential impact and exploitability. 

• Step 4: Validation with BAS Tools 

The fourth step in vulnerability management, often regarded as the most critical, is validation. While vulnerability scanners are skilled at detecting CVEs on networks, systems, or hardware, their primary role is to catalog potential issues without assessing exploitability in a specific environment. 

Validation requires a deeper analysis to determine if a vulnerability is not only present but also exploitable under real-world conditions. 

• For example, some vulnerabilities may not be actively exploited by adversaries, or exploitation could demand high-level privileges mitigated by effective network segmentation and authentication strategies. 

• Additionally, a vulnerability might require the compromise of another system or software initially, which if segregated effectively, can halt an attacker's lateral movement.

• It is also crucial to determine if a CVE is actively being used in malware, ransomware, or APT campaigns. This step might reveal that existing preventative measures, such as next-generation firewalls and web application firewalls, can effectively block or prevent an attack, thereby negating the need for immediate and possibly disruptive patches. Instead, organizations might choose to implement targeted defensive enhancements, like updating firewall signatures to block known malicious actors. This strategy allows organizations, even if a vulnerability is potentially exploitable, to buy time and plan remediation in a structured, non-disruptive manner.

This is where BAS solutions become invaluable. 

Organizations can use this cutting-edge technology to assess how well their defenses hold up against exploitation attacks leveraging the CVE. Whether they need to implement a new vendor-based mitigation signature or require immediate patching can be determined through BAS simulations. The results provide solid data for decision-makers and security professionals to allocate their limited resources and time to the remediations that require urgent attention.

Through validation, businesses perform a critical impact analysis and refine their responses based on the specific threat landscape and business criticality, categorizing vulnerabilities as critical, high, or medium priority. This focused approach ensures that resources are optimally allocated to mitigate the most pressing threats efficiently.

• Step 5: Patching 

The fifth step in vulnerability management is patching. After vulnerabilities have been identified, validated, and prioritized, the most critical step is to apply patches to the affected systems. This process involves installing updates from software vendors that address the security flaws, thereby closing the vulnerabilities. Patching is crucial as it directly mitigates the risks of exploitation and secures the organization's assets against potential attacks. Timely execution based on prioritization ensures that the most dangerous vulnerabilities are remedied first, maintaining the integrity and security of the IT infrastructure.

• Step 6: Monitoring

The sixth step in vulnerability management is continuous monitoring. After patching vulnerabilities, it is crucial to regularly monitor the IT environment to ensure that patches have been successfully applied and are effective. Monitoring also involves detecting new vulnerabilities as they emerge, tracking changes in the threat landscape, and reassessing the security posture of systems. 

• Step 7: Reporting 

The final step in vulnerability management is reporting. This crucial phase involves creating and disseminating regular reports to decision-makers and managers. These reports, typically generated on a weekly, monthly, and quarterly basis, provide vital information on the status of vulnerabilities, effectiveness of the patches applied, and ongoing monitoring insights. Reporting ensures that the management team stays informed about the cybersecurity health of the organization, the effectiveness of the vulnerability management strategy, and any critical actions needed. It also aids in compliance, helps in auditing processes, and supports strategic decisions related to IT security investments and policy adjustments.

Example Scenario: How to Prioritize Patching Vulnerabilities with BAS?

Imagine you're the security administrator in a mid-sized tech company using VMware ESXi servers in your virtualized environment. One day, while conducting vulnerability scans with Nessus, you discover several instances of CVE-2021-21972 across different ESXi server versions 6.5, 6.7, and 7.0 in your network. This critical vulnerability, which allows unauthenticated remote code execution, was notably exploited by the ESXiArgs ransomware [1].

Figure 1. Tenable Plugin Scanning for CVE-2021-21972 [2]

The Nessus report underscores that this vulnerability is particularly severe because it has been actively used in ransomware campaigns targeting outdated and unpatched VMware ESXi servers. Realizing the immediate risk, you understand the urgency of an attacker potentially exploiting this flaw to gain control over your virtual machines and deploy ESXiArgs ransomware, leading to significant data encryption and system disruption.

Given its use in ransomware campaigns and the urgency highlighted by CISA (2021 Top Routinely Exploited Vulnerabilities) [3], you may consider adopting a systematic approach to manage the threat:

Step 1 - Isolate Affected Systems: First, segregate the affected ESXi servers from the network to prevent any unauthorized access that could exploit the vulnerability.

Step 2 - Review Advisory Information: You examine the detailed advisories from VMware and CISA, which provide specific patching instructions and highlight the urgency due to the vulnerability’s exploitation in ransomware attacks.

Step 3 - Utilize BAS Technology: You leverage your BAS tool to automatically access its attack/threat library and locate the simulation for CVE-2021-21972. This step is crucial for testing how well your current defenses can handle an attack exploiting this specific vulnerability.

Figure 2. Picus Security Control Validation Module Threat Library: ESXi Args 

Step 4 - Run the Simulation: Execute the attack scenario within the secure environment of your BAS system. This test will help determine the effectiveness of existing security measures against a potential exploit, specifically designed to mimic attacks observed in the wild.

Step 5 - Analyze the Results:

If the Defenses Hold: Should the simulation show that your defenses successfully block the attack, you can plan to patch and update the systems during a regularly scheduled maintenance window. This minimizes disruption while still addressing the security risk in a timely manner.

If the Defenses Fail: If the simulation reveals vulnerabilities in your current defense setup, immediate action is required. You should:

• 5.a. Implement Vendor-based Mitigation Suggestions: Deploy any available intrusion prevention signatures or rules that could specifically mitigate the impact of CVE-2021-21972. This step provides a temporary safeguard while you prepare for a more permanent solution.

Figure 3. Mitigation Signatures for ESXi Args Ransomware Threat 

• 5.b - Accelerate Patching Processes: Prioritize and expedite the patching of the affected ESXi servers by applying the updates provided by VMware.

Step 6 - Continuous Monitoring and Adjustment: Keep monitoring the network and systems for any signs of compromise or further vulnerabilities. Adjust your security measures and configurations as needed based on ongoing threat analysis and intelligence updates.

This structured approach using BAS technology not only verifies the effectiveness of your current security measures but also ensures that your response is measured, informed, and aligned with the best practices and recommendations from authoritative sources like VMware and CISA. This method minimizes downtime and maximizes protection against potential exploits.

Conclusion

In summary, effective vulnerability management is crucial for safeguarding an organization's digital infrastructure from sophisticated threats. The process begins with careful scoping to identify which assets are critical and warrant protection, followed by comprehensive vulnerability scanning using sophisticated tools to detect security weaknesses.

However, simply identifying vulnerabilities isn't sufficient; it's imperative to validate these vulnerabilities to assess whether they are exploitable and pose a real threat to the environment. This validation involves evaluating the exploitability of the vulnerabilities, their potential impact on business-critical systems, and understanding whether they are currently being exploited in attack campaigns, particularly those targeting the organization’s specific region or sector.

Through the use of BAS technologies, organizations can simulate attacks to test the effectiveness of their defenses against these validated threats. Once vulnerabilities are confirmed as significant risks—due to factors like exploitability, relevance to the operational environment, and their inclusion in active threat campaigns—they must be prioritized. This prioritization process ensures that remediation efforts focus first on vulnerabilities that could have the most severe impact on the organization, optimizing resource allocation and strengthening the organization’s security posture against the most probable and damaging threats.

References

[1] H. C. Yuceel, “CISA Alert AA23-039A: ESXiArgs Ransomware targets vulnerable ESXi servers,” Feb. 23, 2023. Available: https://www.picussecurity.com/resource/blog/cisa-alert-aa23-039a-esxiargs-ransomware-targets-vulnerable-esxi-servers. [Accessed: Apr. 17, 2024]

[2] “CVE-2021-21972.” Available: https://www.tenable.com/cve/CVE-2021-21972 [Accessed: Apr. 17, 2024]

[3] “2021 Top Routinely Exploited Vulnerabilities,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a. [Accessed: Apr. 17, 2024]