Cyber-attacks succeed for one or more reasons, but in most cases the root cause is either an unpatched system or a hole in the configuration of IT systems, especially Active Directory (AD) and Azure Active Directory (AAD). In this article we outline why vulnerability management procedures play a crucial role in securing organizations, how vulnerabilities can be detected successfully and how the security posture of an organization can be assessed.
Change in Vulnerability Management
Every week we read about new vulnerabilities, but the most important change of the last years is that vulnerabilities which become publicly known have most likely already been exploited for some months. A very well-known example is the Hafnium attack, which exploited vulnerabilities in Microsoft Exchange Server, but there are many others, such as CVE-2022-22965 (Spring4Shell).
The Chinese state-sponsored threat group started exploiting vulnerabilities in Exchange servers in January 2021, but the vulnerabilities were only publicly disclosed in March 2021, when Microsoft also released security updates and mitigation guidelines. The Hafnium attack targeted Exchange servers exposed to the internet via Outlook Web Access (OWA). Even though Microsoft released a security update, it did not help if your organization was one of the 21’000 believed to have been affected.
Because the timeline of vulnerability exploitation, public disclosure and mitigation/patching has changed, organizations must have a well-developed vulnerability management procedure so that they can identify all vulnerabilities on their systems, including IoT and network devices; a threat hunting team which can find artifacts of already exploited vulnerabilities; and a comprehensive incident response plan, so that damage to the organization can be limited and systems can be restored.
Guidelines for Vulnerability Management program
To find and remediate vulnerabilities in the environment, organizations must have a developed vulnerability management process. The process must include all steps: identification, classification/risk evaluation and remediation.
Vulnerabilities are most easily identified using a dedicated Vulnerability Assessment (VA) solution such as Tenable or Rapid7, or by leveraging an Endpoint Detection & Response (EDR) solution such as Microsoft Defender for Endpoint or Palo Alto Networks Cortex XDR. When deciding which approach to take, organizations must consider that all devices must be scanned, including network and IoT devices which do not support agent installation and must instead be covered using credentialed or uncredentialed network scanning.
Once vulnerabilities are identified, they will automatically have a CVSS score assigned. The Common Vulnerability Scoring System (CVSS) score expresses the criticality of a specific vulnerability. It is composed of multiple metrics such as the access required for exploitation (attack vector), attack complexity, required privileges, user interaction, scope of impact and others. More information about CVSS scoring can be found on the NIST website.
After vulnerabilities are classified, each organization must assess their impact on its own environment. The results of this step will also shape the remediation process for each vulnerability. To assess a vulnerability’s impact, organizations must verify which systems are affected, how those systems are protected, whether full or partial controls are already in place which prevent exploitation of the vulnerability, and what impact successful exploitation might have on the organization.
The last step of vulnerability management is remediation, which can be done in multiple ways such as patching, host isolation or implementation of other controls like firewall rules. The remediation process will differ based on the system’s version, the criticality of the vulnerability, the potential impact of patching on the organization and internal patching policies. For example, some companies patch devices only once per month because extensive tests are needed for each patch, and vulnerabilities discovered between patching days must then be mitigated using other controls. If the system is out of support, or has components which require a vulnerable version of software to be installed, one of the best ways to remediate the threat is to isolate the system and look for a replacement.
The remediation part of vulnerability management usually requires collaboration between the applications/deployment team and the cyber security team. The collaboration process must be simple and well defined, so that each party knows its responsibilities. Microsoft Defender for Endpoint (MDE), for example, offers an integration with Microsoft Endpoint Manager (MEM) so that when a vulnerability is found, the cyber security team can easily send a patching request to the applications/deployment team with an explanation of the vulnerability and a comment. This integration allows teams to be agile and to collaborate in a quick and efficient way.
Determining the Cyber Security Posture of an Organization
The second most common reason for a successful breach is misconfiguration of systems, especially of the domain itself. The most common causes of misconfigurations are the complexity of IT environments (they include multiple systems, platforms and applications which need to be integrated, configured correctly and kept up to date), human error, a lack of standardization between the regions or sites a company has, struggling to keep up with the latest developments, and insufficient testing of configurations.
Misconfigurations are most often not immediately apparent, as there are no indicators of them in the IT environment; if organizations do not assess their environments, misconfigurations can stay hidden for a long time and introduce unknown additional risk. To keep the IT environment in an optimal state, assessments must be performed continuously, multiple times per year.
We see misconfigurations as a big risk, which is why we suggest that organizations assess their environments regularly; we also offer a free security assessment. An assessment of the environment can be done either using custom scripts or by leveraging professional solutions such as Ping Castle or Purple Knight. On the other hand, customers which have already implemented Microsoft security solutions such as Microsoft Defender for Endpoint, Microsoft Defender for Identity or Microsoft Defender for Cloud already receive a good assessment of their environment as part of the Secure Score and the recommendations Microsoft provides to customers.
Once misconfigurations are identified, organizations must prepare plans to mitigate them. Mitigating some misconfigurations, such as Kerberos unconstrained delegation, can be challenging, as many organizations have old systems which were set up by previous employees and are often undocumented. Changing a delegation setting might also have a big effect on the availability of systems in the environment. Because of the challenges which might arise, it is recommended to ask a professional for advice instead of changing the configuration without knowing the potential effects.
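The kind of check an assessment script or tool runs for the delegation misconfiguration mentioned above, as an added example (not the article’s own code and not taken from any tool it names): it classifies directory entries by their Kerberos delegation settings from the userAccountControl flags and msDS-AllowedToDelegateTo. The account names and attribute values are constructed; in practice the entries would come from an LDAP query against the domain.

```python
# userAccountControl flags (Windows UF_* bit definitions).
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def classify(entry: dict) -> str:
    """Label one directory entry by the kind of delegation it is configured for."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & TRUSTED_FOR_DELEGATION:
        # Domain controllers are unconstrained by design; any other account is a finding.
        return "expected-dc" if uac & SERVER_TRUST_ACCOUNT else "unconstrained"
    if entry.get("msDS-AllowedToDelegateTo"):
        # Constrained delegation; protocol transition widens the exposure and deserves review.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained"
    return "none"


def findings(entries: list) -> list:
    """Return (sAMAccountName, classification) pairs for entries that need review."""
    review = {"unconstrained", "constrained-protocol-transition"}
    out = []
    for e in entries:
        label = classify(e)
        if label in review:
            out.append((e["sAMAccountName"], label))
    return out


# Constructed sample entries shaped like LDAP search results (not real data).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},          # DC: expected
    {"sAMAccountName": "LEGACYAPP01$", "userAccountControl": 0x81000},   # member server: finding
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.example"]},             # plain constrained
    {"sAMAccountName": "svc-proxy", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["http/app01.corp.example"]},            # protocol transition
    {"sAMAccountName": "WS-042$", "userAccountControl": 0x1000},          # workstation: none
]

if __name__ == "__main__":
    for name, label in findings(SAMPLE):
        print(f"{label:32} {name}")
```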
Keeping an environment secure with a developed vulnerability management program can be challenging. Besides that, organizations must also assess the configuration of deployed systems and improve it where issues are identified.
In case you need assistance with developing a vulnerability management program, or are interested in seeing the security posture of your environment, reach out to Premrn Security and our experts will help you.