We are very excited to announce a new major release of our award-winning threat hunting software, Infocyte HUNT. This 3.0 release expands on our foundation of threat hunting by bringing together capabilities to assess all three of the most important aspects of cybersecurity risk: vulnerabilities, assets, and threats.
Vulnerability scanning is a recommended best practice within any IT organization, but knowing that your network is vulnerable is not enough on its own: you also have to know whether any of those vulnerabilities have been exploited. At the same time, vulnerability data helps when hunting, because it focuses attention on the systems with exposed vulnerabilities, which are the systems most likely to be attacked.
With HUNT 3.0, we now have:
- Collection and display of all installed applications and version information
- Matching of installed applications to known vulnerabilities (aka CVEs)
The first step of both compliance and threat hunting is knowing what assets are in the network. Compliance officers want to know what assets, devices, their types, and statistics on deployed software while hunters want to identify any devices that may serve as a beachhead into the network.
With 3.0, we’ve expanded our Discovery capabilities beyond devices and their OS version with:
- Improved layout of discovery data
- Metrics on installed applications, for identifying legitimate but unauthorized applications or simply for knowing your coverage of endpoint protection tools.
Refreshed User Interface
The user interface has been completely refreshed with usability improvements, better reporting, and additional auditing and visibility of under-the-hood actions throughout the app. A key change you will see is the re-arrangement of the object detail pages within Analysis: screens have been consolidated for easier analysis and access to data points.
- Completely refreshed UI
- Significant performance improvements
- Analyze page has a new Summary screen
- Threat object detail views have been streamlined
- Vulnerability detection for Windows installed applications
- Improved support for scanning Red Hat Enterprise Linux
- Improved performance of overlapping scheduled scans
- And more!
What are vulnerabilities?
When applications are written, they often contain exploitable weaknesses that bad actors can use against a system, such as executing code on the system remotely, gaining administrative privileges or creating new accounts with administrative privileges, modifying system files, and so on. These exploitable weaknesses are called "vulnerabilities."
What is a CVE?
Vulnerabilities are identified and shared as CVE entries. CVE stands for "Common Vulnerabilities and Exposures". A CVE entry includes a description of the issue and references to the vendor advisories, which usually carry the steps to resolve (patch) the vulnerability. A single application can have many CVEs, and a single CVE will often apply to multiple versions of an application.
How do I assess or understand a vulnerability?
Each CVE is rated on a scale of 0-10 and is usually labeled low, medium, high, or critical. This rating scale is called CVSS, the Common Vulnerability Scoring System. In the HUNT interface, you'll see that each CVE has a CVSS v2 score and, where one has been published, a CVSS v3 score.
The two versions are very similar, with a few key differences:
- CVSS v3 is the newer specification.
- CVSS v3 is more granular: it adds a Scope metric (whether a successful exploit reaches beyond the vulnerable component), replaces the v2 Authentication metric with Privileges Required and User Interaction, and formally defines the None/Low/Medium/High/Critical severity labels. Both versions also define optional temporal and environmental metrics, but the score published for a CVE is the base score.
- Some CVEs won't have a v3 score because they predate CVSS v3, so we show both.
A CVSS score is composed of three values: Impact, Exploitability, and Base.
- Impact measures the harm that could happen to an organization if the vulnerability were exploited. For instance, a vulnerability that allows a bad actor to gain administrative rights and run arbitrary code will have a higher Impact score.
- Exploitability measures the level of effort involved in exploiting the vulnerability. For instance, a vulnerability that requires physical access to the endpoint will have a low Exploitability score.
- Base is the overall score derived from Impact and Exploitability (and, in v3, from whether the vulnerability changes Scope).
PCI DSS (the data security standard that governs the payment card industry) treats a vulnerability with a CVSS base score of 4.0 or higher as "high-risk" (the threshold is applied to the score shown, whether v2 or v3). It also requires organizations that process credit card data to perform vulnerability scans at least once per quarter.
Things to consider:
- Not all vulnerabilities will have a CVE. "Zero day" vulnerabilities have no CVE while they are being exploited because they have not yet been publicly disclosed. These are concerning because they give bad actors the opportunity to exploit undisclosed vulnerabilities, create and sell exploits, or hold them for future profit.
- Not all vulnerabilities will have an available patch. Some vulnerabilities are publicly known, but a patch has not yet been released. This is common for older, end-of-life software and software that is developed by individuals or very small teams.
The best defense against zero day and unpatched vulnerabilities is a layered defensive strategy that includes threat hunting to identify the use of any stealthy zero day attacks or exploitation of unpatched vulnerabilities.
CVE data represented in Infocyte HUNT is provided by the NIST National Vulnerability Database (NVD), https://nvd.nist.gov/.
Infocyte has launched a “Beta Testing” program to continuously improve the quality of the product. We are looking for more customers/partners to help us with the program. If you are interested in having a preview of the release candidate builds or would like to request new features, please send a note to: email@example.com.