With the addition of the new Metasploit module for the Internet Explorer 8 0-day vulnerability (CVE-2013-1347) that affected the U.S. Department of Labor (you can find a great writeup on the module on the Metasploit blog here), we felt it was an opportune time to highlight how you can use the power of Dynamic Asset Groups in Nexpose to find the assets within your environment that are vulnerable.
0-day vulnerabilities are always difficult to handle from a vulnerability management standpoint. Even though there is no patch yet available from Microsoft, it is important for most organizations to determine what they have, so they can identify which assets within their environment are at risk of exploitation. Once an organization has determined where its risks are, it can think through a mitigation plan.
The problem is that even though "What do I have?" is a simple question to ask, most organizations have no idea where to start. An organization might have a Configuration Management Database (CMDB) in use, or the IT guy might just have a spreadsheet of everything they know about, but there are always challenges in trusting that the data is completely up to date. What if there is an asset on the network that an IT admin forgot to add to the CMDB?
Thankfully, Nexpose can help. Nexpose is used to scan all the assets within an organization for vulnerabilities and report on them. One of the great features within Nexpose is the ability to create Dynamic Asset Groups. A Dynamic Asset Group allows users to create a grouping of discovered assets based on a set of user-defined criteria across the entire organization. In addition, the lists are dynamic: every time Nexpose runs any scan in your environment, the list of assets in the Dynamic Asset Group is updated based on the filter criteria you have chosen. This Dynamic Asset Group can then be used in reporting, so that you can tailor your reports based on the asset filter criteria you have developed.
So, this is great and all, but how can you use this to check to see which assets are related to 0-days? One of the criteria that a user can use to create a Dynamic Asset Group is the Installed Software discovered on an Asset. Going back to the Internet Explorer 0-day vulnerability linked above, that would mean all we have to do is create a Dynamic Asset Group that looks for assets that have Internet Explorer 8 installed. The great part about this is that you don't have to scan your assets again to determine this information. Nexpose will use the information discovered in the last scan, so you can easily start the mitigation process instantly after the creation of the Dynamic Asset Group. You can scan your assets again if you so choose, as the asset information will be updated with any new information after every scan.
So, let's create a new Dynamic Asset Group that looks for assets that have Internet Explorer 8 installed. The first step is to click on the "New dynamic asset group" button on the main page. The button is highlighted below in red. You can also see some other examples of Dynamic Asset Groups that are already created.
You are then taken to the new Dynamic Asset Group wizard. In the example below, I have created an asset filter based on "Software Name." I am looking for any software that matches "Internet Explorer 8". Once I hit search, it returns all discovered assets that have Internet Explorer 8 installed.
In addition, you can expand the search criteria with other filters if you so choose, so that you can further narrow down your list of assets based on what you are looking for. Once you are happy with the search criteria, you can save the asset group by clicking on the "Create asset group" button.
Once the filter is saved, it is permanently added to your asset group list, so you can continue to track the assets that you have. In the example below, you can see that there are 36 assets that still have Internet Explorer 8 installed that you need to worry about.
You now have an understanding of the scope of the risk in your environment, and access to all the related information about those assets in the asset group. Once you have chosen your action plan, you can continue to track the overall number of assets as you continue to run scans into the future. As an example, let us assume that you want to upgrade all your Internet Explorer 8 assets to Internet Explorer 10. As you continue through this process across the 36 assets above, you will track the trend toward zero as you upgrade the version of Internet Explorer on each of these assets. You will always have a real-time view into the scope of IE8 risk in your environment.
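To make the "re-evaluated after every scan" behaviour concrete, here is an added example (not Nexpose code, not from the original post) that models a Dynamic Asset Group as a saved filter applied to the newest scan data; the asset IPs, software names and criterion names are constructed for illustration, and it also shows a second criterion being combined with "all"/"any" matching as the post describes when narrowing the group down.

```python
# Constructed model of a Dynamic Asset Group (not Nexpose code): a saved filter re-applied to the latest scan data.
from dataclasses import dataclass

@dataclass
class Asset:
    ip: str
    software: list  # software names found by the most recent scan of this host

@dataclass
class Criterion:
    field: str       # only "software_name" is modelled in this example
    operator: str    # "contains" (substring) or "is" (exact name)
    value: str

    def matches(self, asset):
        names = [s.lower() for s in asset.software]
        if self.operator == "is":
            return self.value.lower() in names
        return any(self.value.lower() in n for n in names)  # "contains"

@dataclass
class DynamicAssetGroup:
    name: str
    criteria: list
    match: str = "all"  # "all": every criterion must hold; "any": at least one

    def members(self, inventory):
        combine = all if self.match == "all" else any
        return [a for a in inventory if combine(c.matches(a) for c in self.criteria)]

def record_scan(inventory, ip, software):
    # Store the newest scan result; a host missing from the CMDB is added, not ignored.
    for a in inventory:
        if a.ip == ip:
            a.software = list(software)
            return
    inventory.append(Asset(ip, list(software)))

def ie8_trend():
    # Member count of the IE8 group after each successive scan (constructed data).
    inventory = [Asset("10.0.0.1", ["Internet Explorer 8", "Office 2010"]),
                 Asset("10.0.0.2", ["Internet Explorer 8"]),
                 Asset("10.0.0.3", ["Internet Explorer 9"])]
    ie8 = DynamicAssetGroup("IE8 installed", [Criterion("software_name", "contains", "Internet Explorer 8")])
    counts = [len(ie8.members(inventory))]                         # 2 at risk initially
    record_scan(inventory, "10.0.0.2", ["Internet Explorer 10"])   # host upgraded
    counts.append(len(ie8.members(inventory)))                     # 1
    record_scan(inventory, "10.0.0.4", ["Internet Explorer 8"])    # previously unknown host
    counts.append(len(ie8.members(inventory)))                     # back to 2
    return counts
```

The last step is the point of a dynamic group: a host nobody recorded in the CMDB still shows up as soon as a scan finds IE8 on it.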
While this example used the IE8 vulnerability that was just discovered, you can use this easy workflow in Nexpose to respond to any new 0-day vulnerability that comes out, allowing your organization to proactively discover which assets are at risk from newly disclosed 0-day vulnerabilities.