Deploy a CVE Watch List for Preemptive Monitoring of Potential Threats
Each day, more and more vulnerabilities are publicly disclosed to illustrate the various methods and tactics used to infiltrate and compromise networks. For example, the National Security Agency (NSA) recently released a list of the top 25 most common vulnerabilities being used in cyberattacks.
While it is easy to look for assets with specific existing CVE’s using Axonius, it might also be beneficial for your team to leverage the Query Wizard and Enforcement Center capabilities to monitor your network by creating a watch list.
By creating a CVE watch list query, you can continuously add to, refine, and update the entries relevant to your ever changing environment.
Once you create this baseline list, augment your security posture by adding an Enforcement Center action to TAG or NOTIFY necessary stakeholders.
Let’s use the recent list released by the NSA as an example on putting this approach into practice.
For the complete list and more detailed information regarding the CVE's we will be using for the template, click here.
First, using a text editor, we will take the list of CVE’s and divide them by year.
Using regular expression, we will add the final vulnerability ID number into the capturing group within the parenthesis, and separate the entities within each group using pipe.
These lists are now ready to be imported in the Axonius Query Wizard.
Create an Aggregated 'Last Seen' query with the desired time frame (in this example we used ‘Last Days 30'.)
Add a Complex Field search (Aggregated Data would also work) for ‘Vulnerable Software’ and add a row for each year we will be entering.
Choose ‘CVE ID’ for the field, ‘regex’ for the function, and copy and paste the information from the text editor into the correct row. Make sure you use the ‘OR’ operator as well.
Search and Save the Query.
Now, let’s work to automate the execution and notification of the watch list query.
Go to the Enforcement Center tab and click, ‘Add Enforcement’. We will first add a tag to the assets (Top25).
Next, we will choose our Saved Query to trigger on, and then configure the schedule for the automation to occur.
Lastly, add a Post Action to email the report to notify the correct team or stakeholders of the existence of these vulnerabilities.
Choose from multiple options for attaching CSV results. If ‘Attach CSV with query results’ is checked, the email being sent will include an attached CSV file with the query results.
If ‘Attach CSV with changes in query results’ is checked, the email being sent will include an attached CSV file with the changes in the query results when compared to the previous Enforcement run. If no changes were identified, no CSV will be generated.
SHORTCUT: To quickly look for these CVE’s in your environment, paste the following Axonius Query Language expression below into your Search Bar.
("specific_data.data.last_seen" >= date("NOW - 7d")) and ("specific_data.data.software_cves" == match([(("cve_id" == regex("CVE-2015-(4852)", "i")) or ("cve_id" == regex("CVE-2017-(6327)", "i")) or ("cve_id" == regex("CVE-2018-(6789|4939)", "i")) or ("cve_id" == regex("CVE-2019-(11510|19781|0708|1040|3396|11580|18935|0803)", "i")) or ("cve_id" == regex("CVE-2020-(5902|8193|8195|8196|15505|1472|1350|0688|2555|10189|0601|3118|8515)", "i")))]))
Thanks for reading - Happy hunting!
Great article! I helped a customer implement this solution with a few more CVEs and thought I'd share.
Here is a list combining the NSA top 25 CVEs with CISA's 2021 top exploited vulns, in the Vulnerable Software: CVE ID [regex] format you outlined in the article:
Additionally I found a list of the top exploited CVEs for 2022 from Outpost24 (updated May 2022), for which you can add this as another regex line:
Just a quick note to add: the above is great for finding affected devices, but with Axonius version 4.6+ you can also use the Vulnerabilities Module to view specifically what CVEs are present, and the associated devices for each.
In the Vulnerabilities Module, open the Query Wizard and in the Show Vulnerabilities section just plug in the same strings each on their own line as an Asset Entity query using Aggregate data (or a specific adapter if you like), using the same CVE ID [regex] 'string' format as we did in the Devices Module.
You can use this vulnerabilities query on all devices by leaving the Devices Query section blank/default, or look at a these vulnerabilities and the affected devices only for a specific subset of devices by building an on-the-fly devices query or using a saved device scope baseline query you are already using, e.g. 'All Windows Servers'.
Teamwork makes the dream work!
Please sign in to leave a comment.