
Tenable Blog


Zero Days Do Not Wait for CVEs


Learn why an attack surface map can provide invaluable and unique help in detecting zero day vulnerabilities.

What if I were to tell you that an up-to-date attack surface map can improve your ability to find critical vulnerabilities, in some cases in places where traditional network vulnerability scans can’t? Crazy to think about, I know. To understand why it is crucial, you must first understand that CVEs are only a subset of the total of all vulnerabilities.

Consider these key points:

  • The creation of a CVE often lags behind zero days because the exploits are known before anyone can properly categorize and write up the relevant CVE release for these new vulnerabilities. That is not always true, but it happens frequently.
  • CVEs are often a categorization of issues, not the issue itself. Think clickjacking – not every clickjacking vulnerability on every site has a CVE associated with it, yet it is pretty easy to find them with even a cursory glance. Have developers not attempted to report exploits in websites or in IoT devices’ web front ends? Of course they have, but not every vulnerability gets a CVE. Why? I am not sure – but I promise you not every vulnerability that has been disclosed on every mailing list has been added, despite being publicly known.

So what?

This has huge implications for vulnerability scanners and for how companies deal with zero days. Let’s say there is a new zero day that just popped up in “XYZ Printer,” and you want to find where you are vulnerable. There are different possibilities:

  1. It has a CVE and a signature, as the exploit is made public.
  2. It does not have a CVE yet, but it will soon. A signature may or may not be available.
  3. It does not have a CVE and will not for whatever reason. A signature may or may not be available.

In the first example, where it is public and has a signature, you are in relatively good shape if the scanner is fast enough to scan all your websites for said issue prior to an attacker doing the same. It’s a footrace, but one you can and likely will win at this point if the asset is known and under service. For this path to work, the asset needs to be under service.

In the second and third examples, where you do not have a CVE, but you know what the issue is and you know what the signature is, or at least you know what the underlying vulnerable technology is, you have at least some information to use. Having an up-to-date attack surface map allows you to query against things that might indicate the presence of said vulnerability.

The CVE may never be written. Or, where an adversary starts with the zero day before the rest of us get to see it, the attacker might find the vulnerability before a scanner rule can be written. Or worse yet, what if you find that you simply aren’t scanning for the vulnerability on half of your company because you don’t even know those assets exist?

How Tenable can help

Tenable does not hide the information it gathers about service banners, CPE data, HTTP headers, HTML data, and so on. These data sets can be queried in real time to quickly identify dangerous technologies without necessarily knowing what the vulnerability is in them. For instance, in the vulnerability mentioned above in our example “XYZ Printer,” there may be no easy signature for the vulnerability. However, identifying the printer may be possible by finding anything listening on printing ports, some unique string in the banner data, or some HTML string unique to that printer model.
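The kind of query described above can be sketched in a few lines. This is an added example, not Tenable's API or data format: the inventory records, their field names and the hostnames are constructed for illustration, and the port set (LPD 515, IPP 631, raw printing 9100) is one reasonable reading of "printing ports".

```python
import re

# Constructed sample inventory; the field names are assumptions for this
# sketch, not the export format of any product.
INVENTORY = [
    {"host": "print01.example.com", "ports": [80, 9100], "banner": "XYZ Printer httpd 2.1",
     "html": "<title>XYZ Printer Status</title>", "scanned": True},
    {"host": "legacy.example.net", "ports": [443], "banner": "nginx",
     "html": "<h1>Welcome to XYZ Printer setup</h1>", "scanned": False},
    {"host": "spool.example.org", "ports": [515, 631], "banner": "CUPS/2.3 IPP/2.1",
     "html": "", "scanned": False},
    {"host": "www.example.com", "ports": [80, 443], "banner": "Apache",
     "html": "<title>Home</title>", "scanned": True},
]

# Common printing ports: LPD (515), IPP (631), raw/JetDirect (9100).
PRINT_PORTS = {515, 631, 9100}

def find_candidates(inventory, ports=PRINT_PORTS, banner_re=None, html_re=None):
    """Return assets matching any indicator, with the reasons each one matched."""
    banner_pat = re.compile(banner_re, re.I) if banner_re else None
    html_pat = re.compile(html_re, re.I) if html_re else None
    hits = []
    for asset in inventory:
        reasons = []
        open_print = sorted(ports & set(asset.get("ports", [])))
        if open_print:
            reasons.append("printing port " + ",".join(map(str, open_print)))
        if banner_pat and banner_pat.search(asset.get("banner") or ""):
            reasons.append("banner match")
        if html_pat and html_pat.search(asset.get("html") or ""):
            reasons.append("html match")
        if reasons:
            hits.append({"host": asset["host"], "reasons": reasons,
                         "scanned": bool(asset.get("scanned"))})
    # Unscanned assets sort first (no signature would ever have reached them),
    # then assets with more matching indicators, then by hostname.
    hits.sort(key=lambda h: (h["scanned"], -len(h["reasons"]), h["host"]))
    return hits

def unscanned_hosts(hits):
    """Hosts that matched an indicator but are not under regular scanning."""
    return [h["host"] for h in hits if not h["scanned"]]

if __name__ == "__main__":
    for hit in find_candidates(INVENTORY, banner_re=r"xyz printer", html_re=r"xyz printer"):
        state = "scanned" if hit["scanned"] else "NOT SCANNED"
        print(f'{hit["host"]:22} {state:12} {"; ".join(hit["reasons"])}')
```

The hosts that match an indicator but are not under scan are the ones to review first for removal from the public internet or an ACL, since no later signature would reach them.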

Why is the printer online on the public internet in the first place? If you can remove said service/hardware from the public internet, that might solve your problem immediately. Or maybe you can quickly put it behind a WAF or add a firewall ACL to hide it so that only the employees who need it can access it from their IPs. That kind of mitigating control can quickly reduce risks without necessarily knowing how to find the vulnerability in question.

That is very important when assessing the overall value of having an up-to-date attack surface map. It is not just about finding your assets; it is also about giving you the ability to look deep within your attack surface map and identify risky assets at a moment’s notice. That is an enormous value-add without an additional hidden cost since – in Tenable’s case – the data is already in the attack surface map and already designed to be queried.

In this way, an up-to-date attack surface map that can be actively queried against the details of the asset metadata is an incredibly powerful first line of defense against zero days. Not knowing where your vulns are doesn’t mean they don’t exist: you have to know the asset exists and get it scanned regularly to have any hope of knowing where your issues lie. The alternative is waiting for the adversary to show you how vulnerable you really were.

Visit the Tenable.asm product page to learn more about attack surface management.


 
