Deploy a CVE Watch List for Preemptive Monitoring of Potential Threats
Each day, more and more vulnerabilities are publicly disclosed, illustrating the many methods and tactics used to infiltrate and compromise networks. For example, the National Security Agency (NSA) recently released a list of the top 25 vulnerabilities most commonly used in cyberattacks.
While it is easy to search Axonius for assets with a specific known CVE, your team can also use the Query Wizard and Enforcement Center capabilities to monitor your network continuously by creating a watch list.
By creating a CVE watch list query, you can continuously add to, refine, and update the entries relevant to your ever-changing environment.
Once you create this baseline list, strengthen your security posture by adding an Enforcement Center action to TAG the matching assets or NOTIFY the necessary stakeholders.
Let’s use the recent list released by the NSA as an example of putting this approach into practice.
For the complete list and more detailed information regarding the CVEs we will be using for the template, click here.
First, using a text editor, we will take the list of CVEs and divide them by year.
For each year we will build a regular expression of the form CVE-YYYY-(…), placing the final vulnerability ID numbers inside the capturing group within the parentheses and separating the entries within each group with a pipe (|).
These lists are now ready to be imported in the Axonius Query Wizard.
Create an Aggregated ‘Last Seen’ query with the desired time frame (in this example we used ‘Last Days 30’).
Add a Complex Field search (Aggregated Data would also work) for ‘Vulnerable Software’ and add a row for each year we will be entering.
For each row, choose ‘CVE ID’ for the field and ‘regex’ for the function, then copy and paste that year’s expression from the text editor into the row. Make sure the rows are combined with the ‘OR’ operator.
Search and Save the Query.
Now, let’s work to automate the execution and notification of the watch list query.
Go to the Enforcement Center tab and click ‘Add Enforcement’. We will first add a tag to the matching assets (Top25).
Next, we will choose our Saved Query as the trigger, and then configure the schedule on which the automation should run.
Lastly, add a Post Action to email the report, notifying the correct team or stakeholders that assets with these vulnerabilities exist.
Choose from multiple options for attaching CSV results. If ‘Attach CSV with query results’ is checked, the email being sent will include an attached CSV file with the query results.
If ‘Attach CSV with changes in query results’ is checked, the email being sent will include an attached CSV file with the changes in the query results when compared to the previous Enforcement run. If no changes were identified, no CSV will be generated.
SHORTCUT: To quickly look for these CVEs in your environment, paste the following Axonius Query Language expression into your Search Bar. Note that it uses a 7-day ‘Last Seen’ window rather than the 30 days used in the walkthrough above; adjust the date() value to suit your environment.
("specific_data.data.last_seen" >= date("NOW - 7d")) and ("specific_data.data.software_cves" == match([(("cve_id" == regex("CVE-2015-(4852)", "i")) or ("cve_id" == regex("CVE-2017-(6327)", "i")) or ("cve_id" == regex("CVE-2018-(6789|4939)", "i")) or ("cve_id" == regex("CVE-2019-(11510|19781|0708|1040|3396|11580|18935|0803)", "i")) or ("cve_id" == regex("CVE-2020-(5902|8193|8195|8196|15505|1472|1350|0688|2555|10189|0601|3118|8515)", "i")))]))
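The per-year regex rows and the shortcut expression above can be generated rather than hand-typed, which matters once the watch list grows past the 25 IDs used here. The following Python is an added example written for this article, not Axonius code; it assumes only that the CVE ID format and the query syntax are exactly as shown in the expression above, and the asset CVE list in the last function is constructed sample data.

```python
import re
from collections import OrderedDict

# The 25 CVE IDs from the NSA list, taken from the AQL expression in this article.
NSA_TOP25 = [
    "CVE-2015-4852", "CVE-2017-6327", "CVE-2018-6789", "CVE-2018-4939",
    "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-0708", "CVE-2019-1040",
    "CVE-2019-3396", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-0803",
    "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196",
    "CVE-2020-15505", "CVE-2020-1472", "CVE-2020-1350", "CVE-2020-0688",
    "CVE-2020-2555", "CVE-2020-10189", "CVE-2020-0601", "CVE-2020-3118",
    "CVE-2020-8515",
]

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)

def group_by_year(cve_ids):
    """Split CVE IDs by year (first-seen order, duplicates dropped); rejects malformed IDs."""
    groups = OrderedDict()
    for cve in cve_ids:
        m = CVE_RE.match(cve.strip())
        if not m:
            raise ValueError(f"not a CVE ID: {cve!r}")
        year, num = m.group(1), m.group(2)
        groups.setdefault(year, [])
        if num not in groups[year]:
            groups[year].append(num)
    return groups

def year_regex(year, numbers):
    """One watch-list row: CVE-<year>-(n1|n2|...) with the ID numbers as alternatives."""
    return f"CVE-{year}-({'|'.join(numbers)})"

def build_aql(cve_ids, last_seen_days=7):
    """Assemble the 'Last Seen' + Vulnerable Software regex query in the article's syntax."""
    rows = [f'("cve_id" == regex("{year_regex(y, n)}", "i"))'
            for y, n in group_by_year(cve_ids).items()]
    return (f'("specific_data.data.last_seen" >= date("NOW - {last_seen_days}d")) and '
            f'("specific_data.data.software_cves" == match([({" or ".join(rows)})]))')

def matches_watch_list(asset_cves, cve_ids):
    """Local check of one asset's CVE list against the same per-year patterns.
    The '$' anchor is added here so a short ID such as 1472 cannot match a longer
    ID such as 14720 as a prefix; confirm whether your regex function anchors."""
    patterns = [re.compile(year_regex(y, n) + "$", re.IGNORECASE)
                for y, n in group_by_year(cve_ids).items()]
    return sorted({c for c in asset_cves for p in patterns if p.match(c)})
```

Running `build_aql(NSA_TOP25)` reproduces the shortcut expression above character for character; `build_aql(NSA_TOP25, 30)` gives the 30-day variant from the walkthrough.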
Thanks for reading - Happy hunting!