Host Discovery
"You can't protect what you can't see"
Default host discovery Template Good For:
- Great starting point
- Quickly identifies assets for running VA (vulnerability assessment) only on live targets
- Minimal network impact
A simple scan to discover live hosts and open ports.
Best Practice
- daily - run scan on the network to discover new hosts
- use scan scheduling to automatically discover assets
- do not scan through firewall
- if icmp is not disabled on network devices, a discovery scan can cause false positives and other issues
- If has to scan through firewall
- ensure firewall is correctly configured to allow Scanner
- Disable ICMP in Discovery scan
Host Discovery Options
- customize host discovery scans based upon network need
- Configurate a host discovery scan to perform OS identitifation and port scanning
- Ping/scanning customization: Adjust Ping settings to avoid false positives and prevent interfering with hosts
- Tune a scan to improve performance
- For port scan tuning, if it is for speed, choose only SYN, leave TCP and UDP disabled.
- based on scanner's hardware resources, tune Advanced-Max simultaneous checks (various options) for speed, accuracy and thoroughness
- Nessus Global Scan settings - Nessus Scanner settings can impact performance
Analysis
User information from plugin 19506 to see what options were used in the scan:
- Port scanner information
- Details about the Nessus scanner used
- more
Create a tag
Tags:
- Asset Assessed - True/False
- OS : is equal to (Use Wildcards!)
- Source : is equal to
Alternative Host Discovery
- Third Party Integrations (ServiceNow, FireMon, Noetic)
- CMDB
- Asset Discovery
- Cloud Connectors
- AWS, Azure, GCP
Alternative Host Discovery - Tenable Nessus Network Monitor (NNM)
Main Steps:
- Deploy Tenable Nessus Scanner (Internal) or Cloud Scanner (Public IP)
- Policy : Discovery Scan
- Scan targets
- Scan schedule (Optional)
There are several options when using the Host Discovery Scan Template.
● Cloud connectors can be used to identify assets in cloud environments.
● Tenable Nessus Network Monitor can be used in networks to identify assets, as well as gather cyber risk data.
● Third-party data can be imported for purposes of identify assets within an organization.
Vulnerability Assessment
A comparison between "Basic Network Scan" and "Advanced Scan"
https://community.tenable.com/s/article/What-are-the-differences-between-the-Basic-Network-Scan-and-Advanced-Scan?language=en_US
Settings | Basic Network Scan | Advanced Scan |
| Allows plugins to be enabled or disabled | No | Yes |
| Allows audits to be added to the scan | No | Yes |
| Default Max simultaneous hosts per scan | 30 | 5 |
| Default Network Timeout | 5 | 5 |
| Default Simultaneous checks per hosts | 4 | 5 |
| Default Port scan range | Common ports | Default ports |
| Default CGI scanning | Disabled | Disabled |
| Default methods for Host Discovery |
|
|
| Default Paranoina level (a.k.a. Override normal accuracy) | Normal | Normal |
The Basic Network Scan performs:
● Traditional vulnerability assessment on targets
○ This scan can be used for both credentialed and non-credentialed assessment
● This is the best template to use for most vulnerability assessment scans
Advanced Network Scan is created to fulfill specific needs:
● Network configuration
● Resolve specific scanning problems
● Generate additional data/reporting
Credentialed Scans vs. Non-Credentialed
- Credentialed Scan (internal misconfigurations and hidden vulnerabilities)
- Non-Credentialed Network Scan (external details and externallyviewable vulnerabilities only)
Table 1: Summary of capabilities between Web Application Scanning and legacy Nessus WAS scans.
Features | Web Application Scanning | Legacy Nessus WAS |
| VM & WAS Unified Visibility | Yes | - |
| Safe Scanning | Yes | - |
| Advanced Authentication | Yes | No |
| Manual Crawling | Yes | No |
| OWASP Top 10 Project Support | Yes | No |
| Known Vulnerability Detection | - | Yes |
| Unknown Vulnerability Detection | Yes | - |
| Modern Framework Support | Yes | No |
| High Detection Accuracy | Yes | - |
Table 2: Details of capabilities between Web Application Scanning and legacy Nessus WAS
https://community.tenable.com/s/article/What-s-the-difference-between-Tenable-io-WAS-and-Legacy-Nessus-WAS?language=en_US
Features | Web Application Scanning | Legacy Nessus WAS |
| VM & WAS Unified Visibility | Web application assets are integrated with the same dashboards as other assets automatically for unified visibility. | Web application assets can be integrated into Tenable.sc by creating additional filters to customize the dashboard. |
| Safe Scanning | Users can create a list of blocked URLs to exclude from scans and define customized scan performance thresholds to avoid application disruption. | Users need to define customized scan performance thresholds to avoid application disruption. |
| Advanced Authentication | Supports a broad range of authentication options such as forms, cookies, NTLM, and Selenium scripts to address most web application requirements. Automatically detect when authentication is required and validate when authentication has been successfully configured. | Supports only login forms and cookie-based authentication. The product is unable to automatically detect or validate successful authentication. |
| Manual Crawling | Records manual crawling of web applications using Selenium to assess and validate user-defined workflows. This is an important capability for assessing Single Page Applications. | Manual crawling is not available. |
| OWASP Top 10 Project Support | The product is purpose-built for the OWASP Top 10 and provides out-of-the-box vulnerability assessment and reporting aligned to OWASP risk categories. | OWASP Top 10 is not supported out-of-the-box. Users can create custom dashboards to manually align specific vulnerabilities to OWASP risk categories. |
| Known Vulnerability Detection | Detects known or specified vulnerabilities related to Content Management Systems (WordPress, Joomla!, And Drupal). CVE plugins supporting web application servers, language engines, web frameworks, and JavaScript libraries are also available. | Supports a leading range of known or specified vulnerabilities based on CVE plugins. |
| Unknown Vulnerability Detection | Detects unknown or generic vulnerabilities in support of OWASP Top 10 without the need for specific CVE plugins. | Provides detection of generic cross-site scripting and injection vulnerabilities in support of OWASP Top 10. |
| Modern Framework Support | Supports web applications built with modern web frameworks such as HTML5, JavaScript, AJAX, and Single Page Applications, as well as traditional web frameworks. | Modern web framework support is not available. |
| High Detection Accuracy | Leading vulnerability detection accuracy with minimal false positives and negatives across all web applications. | Strong vulnerability detection accuracy across web applications built using traditional frameworks. |
Best Practice
- Credentialed scanning (with credential vaults if possible) should be performed whenever possible
- Credentialed vulnerability scans should be performed at least weekly, and more often if possible
- Basic Network Scan policy with credentials; weekly or more frequently
Advanced Network Scan Discovery Options
Expanded options for host discovery:
● Fragile devices
● Wake on LAN
● Service detection (SSL) Fragile Devices
Fragile Devices
If item is unselected, the scan will stop when it identifies a particular category of assets:
● Network printers
● Novell NetWare
● Operational Technology (OT)
Wake on LAN (WOL)
● Upload a media access control (MAC) address list to send WOL "magic packets" to a host
Service Detection/SSL
● Test common or all ports for Secure Sockets Layer (SSL)
● Certificate expiration
● Certificate Revocation List (CRL) checking
Advanced Network Scan - Assessment Options
Advanced options for vulnerability assessment:
● Scan accuracy
● Brute force settings
● Malware assessment
● Windows settings
Scan Accuracy
● Override normal accuracy
○ Enabling this can lead to false positives
● Thorough tests
○ Causes various plugins to work harder
○ Enabling this can slow your scan down significantly
Malware Assessment
● Requires credentialed scan
● Requires that Tenable Nessus scanner has internet access
● Uses MD5 hashes of running process to identify malware
● Allow list/block list options
Brute Force Settings - Credentials
Only use credentials provided by the user (if disabled):
● Attempts to login with default credentials
Oracle database:
● Test default Oracle credentials
● Slows down scans
Windows Information
● Domain information
● User enumeration
○ Security Account Manager (SAM) registry
○ Active Directory Service Interfaces (ADSI)
○ Windows Management Instrumentation (WMI)
○ Relative Identifier (RID) brute forcing
Advanced Network Scan Policy - Reporting and Advanced Options
Advanced Options
● Safe checks
- Some vulnerabilities require that the scan actually launches a potentially harmful payload at the target.
- ACT_DESTRUCTIVE_ATTACK
- ACT_DENIAL
- ACT_KILL_HOST
- ACT_FLOOD
● Stop scanning a host if it becomes unresponsive
● Max Simultaneous Hosts per scan
● Max Simultaneous Checks per host
● Fast network discovery
● Slow down the scan when network congestion is detected
● Use Linux kernel congestion detection
Reporting Options
On by default
● Show missing patches that have been superseded
Disabled by default
● Hide results from plugins initiated as a dependency
● Display unreachable hosts
What is a Plugin?
● Specialized piece of code that is a tool for detection and assessment
● Addresses specific security issue or vulnerability, or gives specific information
● Constantly updated
Compliance Assessment
Compliance assessment measures whether a given set of hosts are configured to align with a specific benchmark.
Regulatory and Internal Compliance
Organizations perform regulatory compliance assessment to fulfill legal obligations, and can perform
internal compliance to enforce internal policies.
Tenable Vulnerability Management uses a schema called Audit to describe a given benchmark.
Content Auditing
● Windows and Linux hosts only
● Search “text-like” files for specific content
● Can take a significant amount of time
● Can put load on systems
Credential Requirements
Custom Audit File Creation
1. Check Type Line – Indicates type of device being audited
2. Group Policy – Name of the audit
3. # – Comments
4. Items
a. Predefined checks (password length, etc.)
5. Custom Items
a. Examine registry keys, security policy or configuration files for specific settings
6. Conditionals are supported in some contexts
Common Fields in a Windows Control
1. Type – Type of control
2. Description – Used to create name in UI
3. Value_type – Structure of the data (number, string, etc.)
4. Value_data – Defines passing value (numbers allow range)
5. Info – Put in the body of the UI
Summary
● Custom audit files can be created using any plain text editor.
● The .audit file format is similar to XML.
● check_type is always the first line of code, defining the type of system to be audited.
● Audit items can be conditional.
Compliance Assessment - Analysis
Vulnerability Analysis
Vulnerability Analysis — Prioritization with VPR
The Failure of CVSS Scoring
- ⅔ of all vulnerabilities are high or critical
- Many vulnerabilities are unlikely to be exploited
- No real analysis of business impact
- All assets are identical
Predictive Prioritization Using VPR
- Threat recency
- Threat intensity
- Exploit code maturity
- Age of vulnerability (newer is more likely)
- Product coverage
- Threat sources
- + CVSS v3 impact score
Threat
- Recency — How recently have there been attacks utilizing this vulnerability?
- Intensity — Number and frequency of recent events (very low to very high)
- Sources — What data was used?
- Parallels CVSS: Unproven → High
- Number of unique products: Low → Very High
Impact Analysis
- Availability
- Integrity
- Confidentiality
Dashboard
✔ Dashboards provide access to key cyber risk data in an easy to understand format.
✔ Each dashboard consists of a series of widgets.
✔ Widgets can be created from existing templates or customized.
✔ A user can create multiple dashboards.
✔ Each Tenable Vulnerability Management user has their own set of dashboards that can be shared with other users or user groups.
Summary
● Tenable Vulnerability Management provides pre-built dashboards to display cyber risk data.
● Assets can be filtered for an entire dashboard, and for individual widgets.
● Dashboards are shareable with other users or user groups.
● Dashboards can be exported once or on a schedule, and delivered as an encrypted attachment via email to appropriate personnel.
You can create custom dashboards to display cyber risk data in a useful format. You can set also set a default dashboard view to see when you sign in.
Reports
Similar to Dashboards, Tenable Vulnerability Management has pre-designed report templates that
update automatically.
Report Features
● PDF format
● Share with users/groups
● Filter on tags, or custom
● Add/remove chapters
● Add a logo
Summary
● Tenable Vulnerability Management provides pre-built report templates to display cyber risk data.
● Customize reports for specific assets, as well as upload an organization’s logo.
● Reports can be exported on a one-time or scheduled basis, shared with other users, and delivered via email to appropriate personnel.
Report Components
● Name
● Description
● Executive Summary
● Additional Chapters
Exports
● Maintain export schedules in Tenable Vulnerability Management
● Demonstrate where to locate exported data, dashboards and reports
● Exported data can be found in different places depending on the type of data.
● The Exports page is for grid page exports.
● Many grid pages such as Assets, Findings, Users, Tags and more can be exported.
TenableCore Tenable NNM - Nessus Network Monitor
Tenable Nessus Network Monitor (NNM) - Schedule: Automatic
- Operates 24x7
- Requires access to a SPAN/mirror port for data
- Scans network traffic for cyber risk data
- Two operational modes: Host Discovery or Full
Host Discovery
● Assets discovered while in this mode do not count against your license
● Safest option to start with to ensure sensor setup is correct
Full
● In this mode, NNM will report on vulnerabilities it sees via the network
● This is a good option for vulnerability assessment for fragile devices that can not be scanned
Identifying Unscanned Assets
● Source is equal to (Cloud Discovery Connector, NNM, ServiceNow, etc.) AND Source is not (Nessus Scan, Nessus Agent)
● Assessed vs. Discovered Only
Tenable Nessus Network Monitor Installation
What is Tenable Nessus Network Monitor?
● Monitors network traffic for cyber risk data
● NNM identifies:
○ Assets
○ Services
○ Vulnerabilities in services and applications that generate network traffic
○ Traffic between hosts
● Supports IPv4 and IPv6
● Tenable Nessus Network Monitor is limited to monitoring 1 Gbps
● Can be licensed at an additional cost for 10 Gbps operations (high performance)
Summary
● Tenable Nessus Network Monitor identifies assets, services, vulnerabilities and traffic between hosts.
● NNM requires two network interfaces, one of which is a SPAN port set in promiscuous mode.
● NNM instances can run in two modes: Discovery mode and Full mode.
● NNM offers two performance levels: 1 Gbps for monitoring small networks and network segments; and 10 Gbps, for high-performance data centers and internet ingress/egress points.
- RHEL, Windows and other operating systems
- Install using the appropriate package manager.
- Tenable Core + NNM is also available
- Install on virtual platforms.
- Connect to NNM using a web browser on port 8835 (https)
- Sign in with username "admin" and password "admin"
- Reset password
- Use “Cloud” as activation code
- Provide linking key
- Give scanner a name
- Select Network Interface
- Provide managed range
- Set exclusion range(s) – optional
Certificates for NNM
Place the SSL certificates in appropriate location. Refer to:
https://docs.tenable.com/nessus-network-monitor/Content/ConfigureNNMForCertificates.htm
Troubleshooting NNM Installation
● Sufficient hardware (RAM, core, HD)
● Connectivity
● Local firewall rules
● Local malware/antivirus application
● Can NNM connect to cloud.tenable.com on port 443?
● Is the SPAN port configured properly?
Summary
● NNM sensors can run on a variety of platforms.
● Use the package manager for the operating system to install NNM, or use Tenable Core.
● Connect with a web browser and complete the configuration.
● Custom SSL certificates can be uploaded, if required.
● Additional CAs can also be created.
Tenable Core
You can use the Tenable Core operating system to run an instance of Tenable Nessus in your environment. After you deploy Tenable Core + Tenable Nessus, you can monitor and manage your Tenable Nessus processes through the secure Tenable Core platform.
Core Considerations
Deployment Process
1. Download image2. Install (ISO or virtual image)
3. Connect to core using web browser on port 8000
4. Initial username and password: wizard/admin
5. Create admin account
6. Continue with sensor configuration
To deploy Tenable Core + Tenable Nessus as a VMware virtual machine:
Download the Tenable Core Nessus VMware Image file from the Tenable Downloads page.
- Open your VMware virtual machine in the hypervisor.
- Import the Tenable Core + Tenable Nessus VMware .ova file from your computer to your virtual machine. For information about how to import a .ova file to your virtual machine, see the VMware documentation.
- In the setup prompt, configure the virtual machine to meet your organization's storage needs and requirements, and those described in System and License Requirements.
Launch your Tenable Core + Tenable Nessus instance.
The virtual machine boot process appears in a terminal window.
Core Interface
- Operating System (OS) level configuration Networking + storage + updates
- Start and stop sensor
- Command line access
- Resource utilization
Remote Storage
Remote storage can be enabled:
● Uses Secure File Transfer Protocol (SFTP)
● Username + private key
● Allows for automated backups
Updates can be scheduled to run at boot time, on a schedule, or both.
SNMP v2 and v3 can be enabled.
Tenable Nessus
Traditional Tenable Nessus application installed on OS that you manage : For scanning private IPs
Tenable Cloud Scanner : Managed by Tenable For scanning public-facing IPs
Tenable Core + Tenable Nessus is a pre-built virtual image for:
● VMware
● Hyper-V
● Dedicated hardware
Tenable Nessus is also available for a variety of platforms including:
● Windows
● RHEL/CentOS
● OS X and others
Nessus Installation
- Connect to Nessus scanner using a web browser on port 8834 (https).
- On the Welcome screen, select “Managed by.”
- Select "Tenable.io" and provide the linking key.
- Create a username and password.
- Sign into Tenable Nessus to confirm username and password work.
Certificates for Nessus
Place SSL certificates in the appropriate location. Refer to:
https://docs.tenable.com/nessus/Content/CustomSSLCertificates.htm
Agents
Agent Considerations
● Scan using lightweight, low-footprint programs installed locally on hosts
● Collect vulnerability, compliance and system data, and report back to Tenable Vulnerability Management
● Minimal impact on system and network
○ Direct access to all hosts
○ Minimal disruption to end users
Agent Considerations — Benefits
● Extended scan coverage and continuous security
● Deploy where impractical or unable to run networkbased scans
● Assess off-network assets and endpoints with intermittent internet access (ex. laptops)
● Extended scan coverage and continuous security
● Deploy where impractical or unable to run networkbased scans
● Assess off-network assets and endpoints with intermittent internet access (ex. laptops)
Agent Considerations — Efficiency
● Reduces overall network scanning overhead
● Relies on local host resources with minimal performance overhead
● Reduces network bandwidth need; important for slow networks
● Removes challenge of scanning systems over segmented or complex networks
● Updates automatically without reboot or end-user interaction
Agent Considerations — Limitations
Network checks
● Agents are not designed to perform network checks, so certain plugins items cannot be checked or obtained.
○ Combining traditional scans with agent-based scanning eliminates this gap.
Remote connectivity
● Agents may miss items performed through remote connectivity
○ Logging into a database (DB) server
○ Trying default credentials (brute force)
○ Traffic-related enumeration
How an Agent Works
Agent periodically connects to cloud.tenable.com (Tenable Vulnerability Management) via
port 443, and queries for work to be completed.
If there is work, the Agent completes the work and returns the results.
Types of Work
● Software updates
● Plugin updates
● Scans (Vulnerability, Compliance)
Leading Practices — Golden Image
● Include the Tenable Nessus Agent in your gold images
● Configure connections to Tenable Vulnerability Management/Tenable Nessus Manager instance
Consider smaller agent group size to reduce volume of data imported into Tenable Vulnerability Management
● Limit agent groups to 1,000
Scanning
1. Create agent scan.
2. Select group(s).
3. Select scan window/trigger.
4. Set scan schedule.
Deployment Process
1. Download agent.
2. Retrieve linking key.
3. Install agent (manual, or with software management).
4. Configure with linking key.
5. Create groups and assign agents.
Summary
● A linking key is needed to install the agent and connect it to Tenable Vulnerability Management.
● After installation, agents need to be placed into an Agent Group prior to assessment.
Possible Scanning Challenges
- Lack of reliability in network infrastructure
- Large number of assets in a network partition
- Active assessment is mission critical
- Scanners difficult to identify when configuring scans
Solution — Scanner Groups
● Easy to understand name for scanner(s)
○ Less difficult to locate the appropriate scanner
● Multiple scanners allowed in group
○ Creates high availability/speeds up scans
● Load balancing between scanners
○ Good for large network partitions
○ Good for demand for fast assessment
When to Use Scanner Groups
● Large network partitions
● Hard-to-identify scanners
● High availability scanning requirements
● Network reliability issues
Summary
● Scanner groups can be used for large network partitions to:
○ Provide for high availability of scanners and make it easier to identify the appropriate scanner
○ Speed up scans
The Challenge of Crossover IP
Question: What should the response be when there are two assets that are in different NAT’d subnets, but have the same IP address?
Answer: Define Networks + Scanners and Groups in Tenable Vulnerability Management
Age Out Option
Activating the “age out” option will prompt for a number of days.
Any assets in this network that have not been seen within X days will automatically be deleted.
When To Use Networks
Networks can make it complicated to scan properly.
Do not use networks unless you are in an environment that contains assets with the same IP address.
Summary
● Networks should be used in environments where there are two assets with the same IP Address,
due to Network Address Translation (NAT).
● Networks can complicate the scanning process, so they should be avoided unless necessary.
Access Control Components
The Importance of Access Control
● Improve overall security posture
● Simplify use of Tenable Vulnerability Management
● Improve reporting
● Reduce overall risk of internal threat
Permissions
● Rule-based criteria, based on tags
● What assets can be viewed?
● Scanning of existing, or new, assets
● User groups and/or individual users are assigned permissions
Plan Your Tags
Every tag you create automatically creates a new corresponding Permission!
User Groups
● Individually assigned
● Common permission
● Users can be in multiple groups
Roles vs. Permissions
● Roles control what a user can DO.
● Permissions control what a user can SEE.
Summary
● Access control components are Users, User Groups, Permissions, and Roles.
● Permissions define which assets can be viewed, and scanned.
● User groups and roles can give users common capabilities within Tenable Vulnerability Management.
Setting Up Permissions with Tags
Tags
● Create groups of assets that have common criteria for permissions, reporting, etc.
● Manual or rules-based criteria are available.
Default Permissions
● Administrators: All admin users can see all assets and perform all functions. This cannot be changed.
● Access All Assets: By default, all users can see all assets! This should be changed.
Summary
● Permissions define which assets can be viewed, and whether those assets can be scanned. They also
allow users to use the associated tags for analysis and reporting.
● For every tag, a new corresponding permission is added.
● Be very aware of the default "Access all Assets" permission. Best practice is to either delete or edit it,
to limit your cyber risk.
User Group
● Best practice for assigning permissions
● Common permissions
Single User
● Need to re-assign every permission if user leaves, or another user needs to be added
Summary
● When assigning permissions, it is best practice to assign to a user group instead of an individual user.
● Roles can be used to give users common capabilities
within Tenable Vulnerability Management. Check online documentation for the latest role descriptions.
● To reduce cyber risk, plan out requirements first by ensuring that a user is assigned a role and permissions with the least privilege.
Object User Permissions
- Access to functions
- Access to assets
- Access to objects
What is an Object?
- Scanner Group
- Agent Group
- Managed Credential
- Scan
Permissions Vary by Object
Scan:
● No access*
● Can view
● Can execute
● Can edit
Linked Scanner and Scanner Group:
● Can use*
● No access
● Can manage
Role Access always overrides user permissions:
● Regardless of assigned user permissions, all users with an Administrator role have the
highest permissions for an object by default.
● Other roles limit access (e.g., if you assign ‘Can View’ permissions for a scan to a user
with a Basic role, the user will still not be able to view that scan.)
Summary
● Many objects such as scans, credentials, agent groups and scanner groups allow you to assign
specific permissions to users and user groups.
● The functions of an assigned role will always overrides user permissions.
● Administrators can use the User Assist function to ensure permissions are set correctly.
References
- What are the differences between the "Basic Network Scan" and "Advanced Scan"
- What's the difference between Web Application Scanning and Nessus Legacy WAS?
- Troubleshooting credentialed scanning on Windows
What ports are required for Tenable products? - How to check the SSL/TLS Cipher Suites in Linux and Windows
- Useful plugins to troubleshoot credential scans
- www.tenable.com/webinars
- youtube.com/TenableProductEducation
- community.tenable.com
- university.tenable.com
- docs.tenable.com
![[5 Mins Docker] Deploy FreshRSS Using Docker Run Command and Deploy To Fly.io](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uzNMdKE0WJbzjXK0-x-uGPvYNQuBQsqrE6cwYkEq4J1d9Zb9B1mfN5ub0smrGVs4_8uRLEzucuegcvig39vLB1-09YcZKV_WBkcXTo_TtOHw)
No comments:
Post a Comment