Vulnerability Management Training
V.M OPERATION CHIMERA
VULNERABILITY MANAGEMENT // SECURITY BLUE TEAM
OPERATION CHIMERA - VULNERABILITY MANAGEMENT
CONTENTS
[1] What is Vulnerability Mgmt?
[2] Why is it Useful?
[3] Associated Roles
[4] A Day in The Life
[5] Vulnerability Scanning
[6] Module Challenge
This document is not 100% finished and will be updated throughout Chimera. Thank you for your patience.
This information has been gathered from public sources and combined with my own knowledge and experiences for the purpose of Operation Chimera, an online, live blue-team training operation conducted by myself under the alias Known Divide, for the SecurityBlueTeam community.

This module is designed to give a look into the world of Vulnerability Management. It is aimed at individuals who are moving into Cyber, so the material is aimed at an entry-level student. We strongly encourage further reading using the provided sources and any that you find yourself. Want to talk to other hackers about this specific module? Join the discussion in the “vuln-mgmt-module” channel within the “Operation Chimera” category in the SBT Discord server. There is also a Chimera mega-thread on Reddit. Please make use of this to ask questions and talk to other participants!
Useful Links:
[1] https://securitytrails.com/blog/top-20-intel-tools
[2] https://www.sans.org/course/open-source-intelligence-gathering
[3] https://securitytrails.com/blog/what-is-osint-how-can-i-make-use-of-it

Anything we’ve missed? Please let us know, so we can add it in here, and create a useful resource for security professionals worldwide!

If you’ve enjoyed this event, please consider donating whatever you can spare to buy me pizza, coffee, and help fund future events! (Even £5/$5 will make a huge difference, and it only takes a few seconds.) https://paypal.me/KDMentoring

WHAT IS VULNERABILITY MANAGEMENT?
Vulnerability Management is the process of remediating vulnerabilities in software to reduce the risk and impact of cyber-attacks. The process includes the following steps:
• Identification – Using vulnerability scanners, manual techniques, and asset discovery methods to identify and record systems, along with any security issues they have.
• Reporting – Reporting these issues to appropriate stakeholders (such as system owners) so they can be addressed, and eventually resolved.
• Remediation – Having the security issues fixed by the system owner or technical owner.
• Reassessment – Scanning or manually checking to ensure the security issues have been successfully fixed.

WHY IS IT USEFUL?
Vulnerabilities are announced constantly, and most of them affect software that is used on a mass scale. Examples include security flaws in Google Chrome, the Windows operating system, and other programs such as Adobe Flash Player and Adobe Shockwave Player. Being able to keep on top of these issues, and make sure products are patched as soon as possible (usually after testing, to ensure there are no unwanted effects from the patch), means that hackers have less time to attempt exploitation. By ensuring internet-facing systems are secure, it’s harder for attackers to get in, and by ensuring internal systems are secure, it’s harder for attackers to move around and complete the actions they want to.
ASSOCIATED ROLES
The below roles generally contain work that includes aspects of Vulnerability
Management:
A DAY IN THE LIFE
Over the past year we’ve had some pretty nasty vulnerabilities. Arguably the most important has been CVE-2019-0708, a zero-day vulnerability in Windows Remote Desktop Services (RDP). This remote code execution vulnerability could allow a hacker to bypass any authentication over RDP and connect directly to a system over the internet without valid credentials. This was BIG. I read some of the first public announcements on Twitter, and immediately set up some Tweetdeck columns to monitor for keywords such as “CVE-2019-0708”, “RDP”, “zeroday”. I turned to the other analysts in the Vulnerability Management team and said, “guys, take a look at this”, and sent them the details. At this point we genuinely laughed, because we knew this would be huge and we’d be very busy. I sent an email to the wider Security Operations team providing everyone with a situational awareness update and informed the SOC Manager and SecOps Director. Next we drafted an email notification that went to essentially every department we have, informing them to apply the Microsoft-issued security patches for everything back to Windows XP (yeah, it was so bad Microsoft brought out patches for end-of-life systems). Our email also mentioned that if anything didn’t need RDP open, disable the service ASAP. We got our global DMZs patched the same day, and people began queueing patches for internal assets. Over the next few days we ran vulnerability scans against our internet-facing systems to see if RDP was still present anywhere. Other OSINT sources like Shodan helped us check for exposure. Throughout the week we also had Threat Intelligence analysts looking to see if any Public Exploit Code (also known as Proof of Concept code) or exploits were detected in the wild. I also shared any intelligence I discovered myself via a government-owned information sharing platform.
Although events like this aren’t common, there’s always work to do.
Researching publicly announced vulnerabilities, checking them against the
estate, getting systems patched, vulnerability scanning, manually checking
and exploiting vulnerabilities, threat simulation attacks, analyzing reports
generated by OSINT sources such as Shodan and ShadowServer,
communicating with teams in other organizations, helping investigate SIEM
alerts regarding vulnerability/system exploitation, web-app pentesting our
sites, and much more.
VULNERABILITY SCANNING
In this section, we’ll be teaching you how to use Nessus Essentials, a free
version of the enterprise-grade vulnerability scanning platform, Nessus.
Please remember you may only use this version for personal projects at home,
and using it in a business environment is a breach of Tenable’s licensing. This
tool is great to use during certification exams (if it’s permitted! Check before
using it), and pentesting systems on platforms such as HackTheBox.
Next you’ll need to run the Nessus service (also referred to as the Nessus
Daemon), which starts everything up. Run service nessusd start, and once the
service is running, go to your browser, and visit https://kali:8834/ - this is the
local web GUI for Nessus. If you get an error similar to the below, you need to
add an exception so you can view the site. Click “Add Exception” in the
bottom right corner:
(If you’ve previously used Nessus, you may get an error stating you have a corrupt database. To fix this, you need to stop the service (use service nessusd stop), remove all Nessus files, download the latest version, and install it again. To delete all files for a clean re-install, run rm -rf /opt/nessus, which recursively removes everything under /opt/nessus.)
You should now be asked which product you want to use; select Nessus Essentials. You can either register here, or if you did it earlier, skip this step and submit your activation code, which should’ve been emailed to you. Finally, you’ll be asked to create a username and password to access Nessus locally within your VM. This form should inherit your Kali account details (in my case, ‘root’ and ‘toor’); however, you are able to change them to anything you wish.
Now Nessus will download plugins and other crucial files that it needs to
function properly, so let it complete. Once that’s done, you’ll be presented
with the Nessus dashboard. From here we can launch scans, create policies,
review plugins, and more. For the scope of this module, we will only be
looking briefly at plugins, and focusing on using a premade scan template. We
strongly encourage you to explore Nessus, as it is widely used in industry and
hands-on experience is a great thing to have.
On the left-hand side we have a navigation menu. The following sections are interesting to us:
2. All Scans – Any scans that have been conducted by any users within
an organisation. This includes completed, scheduled, pending, and
failed scans.
3. Trash – Once you’ve got a scan template, you can send it to the Trash,
so that it is no longer in the “My Scans” or “All Scans” tabs.
5. Plugin Rules – Plugins are the part of Nessus that actually conduct
the scanning and enumeration. Using different ones will provide
different results, so this is where you can fine tune the scan to look for
specific security issues.
Next we’re going to perform a simple scan of our own machine to demonstrate how scans work, and what the results look like. You can use the following steps to scan any other hosts on your network (provided you have permission to do so).
1) Head over to the Policies tab on the left, and click “Scan Templates”
in the description text (as seen above). We will now be able to choose
from a list of pre-defined templates that can be used for specific
actions, such as vulnerability scanning, and host discovery. We will
be using the Basic Network Scan for this example.
2) For this example, you can name the scan anything you like, and we want to enter the localhost (127.0.0.1) as the target.
3) Click Save in the bottom left-hand corner, and you’ll be taken to the “My Scans” page. From here, we can launch our scan by pressing the play icon to the right. Once clicked, the scan will get to work. Once it’s finished, a tick will appear, and we’ll be able to take a look at the results.
4) This is the results pane and provides us with all of the information the scan collected. On the left we have a list of hosts scanned, along with a summary of any vulnerabilities discovered. This would be full of different hosts if we were scanning an entire network, and is arranged by criticality of vulnerability by default. On the right we have the Scan Details, and below it we have a donut chart for the security issues identified. Click on the Vulnerabilities tab to see exactly what the scanner identified.
6) This page shows us a description of the issue, the plugin that was used
to detect it, and risk information. Below the description is a solution
for how to address the issue. When contacting system owners after a
scan, it is good practice to attach an export of the scan as a PDF, but
also provide a concise summary in an email with a quick overview of
the hosts, any issues, and how to fix them.
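As an added example (not from the module and not Tenable’s own tooling) covering the Reporting and Reassessment steps listed under “What is Vulnerability Management?” and the summary-email advice in step 6: the script below parses a .nessus export, builds the per-host overview for the notification email, and compares a rescan with the first scan to confirm what was actually fixed. The NessusClientData_v2 layout is the standard export format; the hosts, plugin IDs and findings are constructed samples.

```python
import xml.etree.ElementTree as ET
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}  # .nessus severity codes

def build_nessus(findings):
    # Minimal NessusClientData_v2 document from (host, port, pluginID, pluginName, severity, solution) tuples; sample-only
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report", name="constructed")
    for host, port, pid, name, sev, sol in findings:
        rh = report.find(f"ReportHost[@name='{host}']")
        if rh is None:
            rh = ET.SubElement(report, "ReportHost", name=host)
        item = ET.SubElement(rh, "ReportItem", port=str(port), protocol="tcp",
                             severity=str(sev), pluginID=pid, pluginName=name)
        ET.SubElement(item, "solution").text = sol
    return ET.tostring(root, encoding="unicode")

def parse_nessus(xml_text):
    # {host: [(severity, pluginID, pluginName, port, solution), ...]}, most severe first (as in the results pane)
    results = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        items = [(int(ri.get("severity")), ri.get("pluginID"), ri.get("pluginName"),
                  ri.get("port"), (ri.findtext("solution") or "n/a").strip())
                 for ri in rh.iter("ReportItem")]
        results[rh.get("name")] = sorted(items, reverse=True)
    return results

def summarise(results, min_severity=1):
    # Concise per-host overview for the notification email: issue, severity, port and fix; Info-level noise is dropped
    lines = []
    for host, items in sorted(results.items()):
        todo = [i for i in items if i[0] >= min_severity]
        lines.append(f"{host}: {len(todo)} issue(s) to fix")
        lines += [f"  [{SEVERITY[s]}] {n} (plugin {p}, port {port}) -> {sol}" for s, p, n, port, sol in todo]
    return "\n".join(lines)

def reassess(before, after):
    # Reassessment: per host, which non-Info plugin IDs from the first scan no longer fire on the rescan
    fired = lambda items: {p for s, p, *_ in items if s >= 1}
    return {host: {"fixed": sorted(fired(items) - fired(after.get(host, []))),
                   "remaining": sorted(fired(items) & fired(after.get(host, [])))}
            for host, items in before.items()}

FINDINGS = [  # constructed sample, not real scan output; plugin IDs are placeholders
    ("10.0.0.5", 3389, "EX-1", "Remote Desktop service missing vendor patch", 4, "Apply the patch, or disable RDP if unused"),
    ("10.0.0.5", 22, "EX-2", "SSH server banner", 0, "n/a"),
    ("10.0.0.9", 445, "EX-3", "SMB signing not required", 2, "Enforce SMB signing"),
]
FIRST_SCAN = build_nessus(FINDINGS)
RESCAN = build_nessus([f for f in FINDINGS if f[2] != "EX-1"])  # rescan after the RDP host was patched
```

Running summarise(parse_nessus(FIRST_SCAN)) gives the text to paste into the email, and reassess(parse_nessus(FIRST_SCAN), parse_nessus(RESCAN)) shows the RDP finding as fixed and the SMB finding as still outstanding.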
MODULE CHALLENGE
If you think you’re ready for the module challenge, head over to the website
and click on the ‘Challenge Brief’ under the Threat Intelligence module!
Good luck.