Security Assessment Techniques

Rodolfo Santos Flaborea
4 min read · Jan 17, 2024


Security assessments are an integral part of an organization's cybersecurity program. They evaluate whether, and how well, the company's security policies match its actual infrastructure implementation, and they suggest small or significant improvements. An assessment is not necessarily passive data collection: it is often active, and organizations must be mindful of its impact on their daily operations.

A vulnerability scan is an assessment that seeks system, network, and application vulnerabilities, misconfigurations, or a lack of security controls. There are three main categories of vulnerability scans:

  • Network scanners: perform network enumeration, collecting information on users, groups, services, and open ports;
  • Application scanners: statically test application binaries (Static Application Security Testing [SAST]), which means they do not run the code. They aim to discover potential code vulnerabilities;
  • Web application scanners: dynamically test the running web application (Dynamic Application Security Testing [DAST]), but do so without access to the web application's source code. They aim to detect vulnerabilities such as SQL injection and cross-site scripting (XSS).

Nessus is a prominent example of a vulnerability scanner, covering both network and web application vulnerabilities. Image source: https://pt-br.tenable.com/products/nessus.

Following the logic presented above, although vulnerability scans tend to be relatively unobtrusive, they can be active, i.e., they can actually exploit a vulnerability to measure its potential impact. This may disrupt operations if the assessment is not planned appropriately.

A central issue with vulnerability scans (and indeed with all assessment processes) is the occurrence of false positives and false negatives. The former is a result indicating a vulnerability where none exists. Conversely, the latter occurs when the scan fails to raise an alert that it should have raised. The occurrence of both depends in part on the perspective from which the scan is performed:

  • Uncredentialed scans take an outsider's perspective; they are less disruptive but prone to false positives and false negatives, since they lack detailed information and insight;
  • Credentialed scans can be more intrusive but generate better insight, since they collect data from inside the network and the applications. This reduces the occurrence of both false positive and false negative results.

After a vulnerability scan is performed and gaps are detected, an organization may remediate, mitigate, or accept the risk associated with those gaps. Remediation involves patching the vulnerability. Mitigation means putting controls in place to reduce the likelihood of vulnerability exploitation. Finally, acceptance may be an option for particularly low-risk vulnerabilities.

Vulnerability scans rely fundamentally on two primary reference standards for data collection and analysis:

  • Common Vulnerabilities and Exposures (CVE) is a standard for communicating vulnerabilities between databases. It contains relatively simple information, such as a unique identifier for each vulnerability, a brief description, and a date of discovery;
  • Common Vulnerability Scoring System (CVSS) is a framework for vulnerability analysis. It gathers data on prerequisites for exploitation, such as targeted systems, attack complexity, and privileges required, and from that assigns a severity score ranging from 0 to 10.

Comparison of the CVSS scoring system versions 3.1 and 4.0. Image source: https://socradar.io/cvss-v4-0-on-the-horizon/.

Threat hunting is another modality of security assessment. Instead of seeking to harden systems, networks, and applications from a static defensive posture, the assessor assumes that an attack has been or is being executed. From this assumption, the hunter forms a hypothesis about which places or processes may be compromised and tests it by examining them. When the hypothesis is proven false, the analyst elaborates a new one, pivots within the network, and proceeds with new data collection and analysis.

From an intelligence point of view, the threat hunter's task is to block attackers from progressing through the cyber kill chain (as described in Lockheed Martin's model), i.e., from infiltrating, establishing a foothold, pivoting, extracting information, and erasing their tracks.

The Cyber Kill Chain model proposed by Lockheed Martin. The threat hunter's main task is to stop an assumed attack at one of the kill chain's steps. Image source: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.

As noted, threat hunting depends heavily on the security analyst's knowledge and skills, both in cybersecurity and in the organization's infrastructure and processes. It is typically a more dynamic approach than most vulnerability assessment procedures.

Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems support security assessment teams. A SIEM collects and consolidates data from different sources on the network, such as IDS/IPS, firewalls, and access control appliances. It can also do the same with external intelligence data (e.g., OSINT); this integration is often called intelligence fusion. It then provides clear visualization of security-relevant information together with the essential alerts. Accordingly, a SIEM supports security assessment activities such as vulnerability scans and threat hunting, as well as audits, compliance reports, and incident response efforts.

Example of a SIEM dashboard, from Splunk. Image source: https://www.splunk.com/content/dam/splunk2/en_us/images/screenshots/products/es/risk-analysis-es.jpg.

Fine-tuning a SIEM is a complex but fundamental task. All data aggregation and organization, pattern matching, and anomaly detection depend on the correlation rules the system applies (Boolean logic, machine learning models, and so on), which, if not correctly calibrated, produce unnecessary alerts and unclear visualizations. The security analyst must apply sound judgment when establishing those rules.
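As an added example (not from the post) of the kind of Boolean correlation rule a SIEM applies, the Python below runs a failed-login rule over a constructed log and shows how the threshold and time window decide whether a user's mistyped passwords become a false positive; the IP addresses, user names and timestamps are made up.

```python
"""Toy SIEM correlation rule, written for this page (not from the post).

Alert when one source produces >= threshold failed logins within a window. The
constructed log mixes a user who mistypes a password with a source spraying the
login endpoint, so the threshold decides whether the user is a false positive.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, user, outcome (not real data).
SAMPLE_LOG = """\
2024-01-17T09:00:01 10.0.0.5 alice FAIL
2024-01-17T09:00:09 10.0.0.5 alice FAIL
2024-01-17T09:00:20 10.0.0.5 alice FAIL
2024-01-17T09:00:31 10.0.0.5 alice OK
2024-01-17T09:05:00 203.0.113.9 admin FAIL
2024-01-17T09:05:01 203.0.113.9 root FAIL
2024-01-17T09:05:02 203.0.113.9 admin FAIL
2024-01-17T09:05:03 203.0.113.9 test FAIL
2024-01-17T09:05:04 203.0.113.9 guest FAIL
2024-01-17T09:05:05 203.0.113.9 admin FAIL
2024-01-17T09:30:00 10.0.0.7 bob FAIL
"""


def parse(log: str):
    """Yield (time, src, user, outcome) from the whitespace-separated log."""
    for line in log.splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome


def failed_login_alerts(log: str, threshold: int, window: timedelta) -> set[str]:
    """Return the source IPs that trip the rule.

    Each source keeps a sliding window of failure timestamps and alerts once the
    window holds >= threshold failures. Successes do not clear the window.
    """
    recent: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    for ts, src, _user, outcome in parse(log):
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(src)
    return alerted
```

With a threshold of 3 in a one-minute window, alice's three typos fire alongside the spraying source; raising the threshold to 5, or shrinking the window to a few seconds, leaves only the spraying source.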

SOAR systems represent a significant evolution from SIEM since they provide security workflow management and integration with threat intelligence platforms (TIP) and incident response platforms (IRP). Consequently, aside from adequate visualization and monitoring, SOAR provides automated incident response support during an attack.


Rodolfo Santos Flaborea

Psychologist and Cybersecurity Student. Certified in Security+ and currently studying for CREST CPTIA (Cyber Threat Intelligence).