Vulnerability Management
HOW IT WORKS.
Vulnerability management involves the identification, classification, remediation, and mitigation of vulnerabilities within an organization’s systems and software. By regularly scanning for and patching vulnerabilities, organizations can significantly reduce the attack surface available to cybercriminals, thereby disrupting the early stages of the kill chain. This makes it harder for attackers to find and exploit vulnerabilities, preventing the delivery and exploitation of malware.
HOW PROAXIOM DOES IT
We follow the industry standard Discover, Assess, Report, Remediate, Verify vulnerability management phases in our service delivery, as follows:
Discover: Proaxiom leverages cutting-edge tools such as runZero for Cybersecurity Asset Attack Surface Management (CAASM) to thoroughly map out and inventory all networked assets. This process is complemented by vulnerability scanners like Microsoft Defender Vulnerability Management, Greenbone OpenVAS, and Shodan, which collectively help to unearth potential vulnerabilities across the organization’s digital infrastructure.
Assess: Once vulnerabilities are identified, they’re assessed for risk during the Assess phase. Proaxiom uses the FIRST’s EPSS (Exploit Prediction Scoring System), which predicts the likelihood of a vulnerability being exploited in the wild. This system takes into account current threat intelligence and environmental context, such as the criticality of the system and any assigned sensitivity labels. This information is crucial in prioritizing vulnerabilities based on the specific risk they pose to the customer’s environment.
Report: Detailed reporting is then conducted within Proaxiom’s vulnerability management platform, Nucleus Security. Here, vulnerabilities are consolidated and contextualized with specific customer environment information to provide a clear overview of the security posture and prioritized recommendations for remediation.
Remediate: The implementation of remediations involve a variety of different approaches, including patching the vulnerability with a vendor supplied update or introducing a compensating control. These activities can vary widely in the effort and planning required and can often be undertaken directly by the customer, so Proaxiom assists clients with remediation efforts on a time and materials basis rather than including it as part of the standard managed service. This allows clients to have flexible and expert support available for the complex task of remediating identified vulnerabilities.
Verify: The final phase involves verification to ensure that remediation efforts were successful and that the vulnerabilities have been effectively resolved, maintaining the integrity and security of the environment. Any vulnerabilities that persist are added to a risk register.
HOW DO WE REPORT?
Each month, we’ll generate a report that details newly discovered vulnerabilities, current vulnerability risk exposure, the state of remediation efforts and the state of verification relating to remediated vulnerabilities.
How would this mitigate a threat actor like a Blackcat ALPHV affiliate?
EXPLOITATION
The industry standard way of explaining vulnerability management is with this simple verbal illustration. Threat actor uses exploit on vulnerability to create impact. If the exploit doesn’t work because the vulnerability doesn’t exist, then the threat actor can’t create the impact.
A sophisticated Blackcat ALPHV affiliate may exploit a variety of vulnerabilities in order to undertake their attack. For example, threat intelligence indicates that UNC4466 exploits a vulnerability in a backup service called Veritas Backup Exec version 21 to gain initial access.
Our threat intelligence-based approach to vulnerability management improves the probability of preventing threat actor activity by prioritising the remediation of actively exploited vulnerabilities in our customer’s networks.
In this particular example, Proaxiom’s CAASM toolset based on runZero would identify if the backup server was not in scope for vulnerability scans. The Defender Vulnerability Management platform would identify the vulnerability and it would be registered with the Nucleus Security vulnerability management platform. Then, threat intelligence integration would flag the vulnerability as exploited in the wild by UNC4466. The vulnerability management platform would then prioritise the vulnerability for urgent remediation, mitigating the risk.