May 29, 2013

Vulnerability Validation with Metasploit

In today's Whiteboard Wednesday, Joe Dubin talks about how you can get the most out of your security programs by integrating your vulnerability scanner with penetration testing software.

This allows you to prioritize the vulnerabilities that are exploitable in your environment. By using a product like Metasploit for vulnerability validation, you can become much more efficient in remediating vulnerabilities by focusing on the vulnerabilities that actually matter to you.

Read Video Transcript

Hi, I'm Joe Dubin product manager for Metasploit and this week's Whiteboard Wednesday I'm going to talk to you about vulnerability validation. When you do vulnerability assessment you get a long list of vulnerabilities. You want to find the ones that are exploitable and give those extra special attention. I'm going to tell you a little bit about that.

First of all, as you know the goal of doing a vulnerability assessment is to lower the risk of compromise. So you really want to focus on the essential vulnerabilities and the usual cycle for it is you want to run them fairly regularly. We recommend on a weekly basis. Then you most importantly get a prioritized list of all the vulnerability that come out. You'll need to find out which ones are the most critical, hand those off to the different system administrators responsible for the various systems and have them do remediation on it, whether that's shutting off the software, patching the software that's on there or changing some of the compensating controls. Maybe changing a firewall rule or an IDS rule, whatever that is. But the important thing is in determining that priority.

Now, there are a lot things that go into the priority determination. It's ultimately a measure what's the risk and what's the cost of fixing it. And for some of those vulnerabilities there will be some that will be considered acceptable use. Like let's say it flags an anonymous FTP server, but that's a conscience decision on your part. You'd flag that as acceptable use. Some things would be acceptable risk. You might be something you'd be willing to live with. And you also need to look at the significance of the machine that it's on. Is it in a critical system that holds credit card data or other significant data?

And then lastly, but not least, is can this vulnerability be exploited? And that's where the rule pen testing tools comes in and they can really help. What you can do is take the list of vulnerabilities, feed that into a pen testing tool and do a sort of in vivo test where you actually firing live exploits at it and seeing which of those exploits succeed.

If an exploit succeeds, then there's an excellent chance you should consider this to be high priority vulnerability that needs some special attention. Obviously, you still factor that into some of the other things to determine how important that is. If it fails, you can look at why that is. Was there, was it being caught by anti-virus, was there some other compensating control, maybe your IDS caught it, in which case you can flag those as exceptions that you don't need to take into account and say that those are acceptable risks because you have a control in place for them.

Now, you might ask, "Isn't that risky because you're firing exploits at you production systems?". Well, make sure that when you do this you can have your pen testing tools determine what level of risk you're willing to accept in doing this testing. Most of the pen testing tools will have something that shows for the different exploits what the safety of those exploits are. And for example, in Metasploit we have that set up in default that is would only do the safest exploits possible.

Some customers like to lower that and throw the book at them. Some people will do it during a maintenance window and so they're willing to accept possible downtime in exchange for throwing more exploits at it because let's face it, the bad guys aren't going to care. They're going to throw the nastiest exploits at it that they can.

A few other things to look for in making sure you have good closed loop integration. So, does your pen testing tool report back to your vulnerability assessment tool? You want this to be a two-way street where the vulns scanner hands the list of vulns off to the pen testing tool. The pen testing tool can try out the different exploits. You can record which ones succeed, which ones fail and why and get that information back into the vulnerability scanner.

You want to look at how good the support is. Are they from two different companies or the same companies You don't want to get into the finger pointing situation that could arise sometimes when you have two different companies, so make sure they are integrated in well.

So to summarize this, it's all about if you have vulnerabilities that are exploitable you need to know that because if you're not exploiting them, the bad guys might be. Pop those to the top of the list. Give them special treatment on your prioritized list.

Thanks again and see you next week.

Free Metasploit Download

Download Metasploit for Vulnerability Validation

Download Now