Cyber Threat Hunting & Vulnerability Scans | CompTIA Security+ SY0-601 | 1.7a

In this video you will learn about cyber threat hunting aspects such as: intelligence fusion, threat feeds, & security advisories & bulletins. You will also learn about various aspects of vulnerability scans such as: false positives, false negatives, log reviews, credentialed vs. non-credentialed scans, intrusive vs. non-intrusive scans, application scanners, web application scanners, network scanners, & the Common Vulnerability Scoring System.

Cyber Threat Hunting

Cyber threat hunting is an active cyber defense activity.  It is the process of proactively & iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.[1]  This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems, malware sandboxes and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.[2]  When it comes to cyber threat hunting aspects, what you need to be concerned about for the CompTIA Security+ SY0-601 certification exam are:

  • Intelligence Fusion:  this is an approach to cybersecurity that unifies all security functions such as threat intelligence, security automation, threat response, security orchestration, incident response, and others into a single connected unit with the capability to coalesce all comprising units for detecting, managing, and responding to threats in an integrated and collaborative manner.[3]
  • Threat Feeds:  this is an ongoing stream of data related to potential or current threats to an organization’s security.  Threat feeds provide information on attacks, including zero-day attacks, malware, botnets, & other security threats.
  • Security Advisories & Bulletins:  in section 1.5d we discussed how vendors, coordination centers, security researchers, & others publish security advisories and bulletins to disclose vulnerabilities; most of these vulnerabilities are disclosed to the public under Common Vulnerabilities and Exposures (CVE) identifiers.  CVE is a standard that provides a mechanism to assign an identifier to each vulnerability so that you can correlate the reports of that vulnerability among sites, tools, and feeds.[4]

Vulnerability Scans

A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses.  Scanners are utilized in the identification and detection of vulnerabilities arising from misconfigurations or flawed programming within a network-based asset such as a firewall, router, web server, application server, etc.  Modern vulnerability scanners allow for both authenticated and unauthenticated scans.  Modern scanners are typically available as software-as-a-service, and most of them can produce customized vulnerability reports and can query installed software, open ports, certificates and other host information as part of their workflow.  Some aspects about vulnerability scans that you need to know are the following:

  • False Positives:  a false alarm in which a security control incorrectly indicates the presence of a condition, such as a security device triggering an alert when no malicious activity is taking place.
  • False Negatives:  a security device fails to detect an actual security event, such as malicious activity that is taking place but is not detected by the network security device.
  • Log Reviews:  vulnerability scanners can review the logs on a target system for information about activities that have taken place on that system.
  • Credentialed vs. Non-Credentialed Scans:  a non-credentialed scan probes the target from the outside without logging in.  To reduce the number of false positives, some vulnerability scanners have the capability to log into a system (a credentialed scan) to perform additional tests & see what programs, applications, and open-source software may be running on the targeted system.
    • They can also perform configuration reviews to determine if a system may be configured in an unsecure way.[4]
  • Intrusive vs. Non-Intrusive:  Vulnerability scanners can send numerous IP packets to a target system at a very fast pace (intrusive).  These IP packets can potentially cause negative effects & even crash an application or system.  Some scanners can be configured so that you can throttle the probes & IP packets sent to a target system in order to be non-intrusive and not cause any negative effects on the system.[4]
  • Application Scanners:  used to assess application-specific vulnerabilities; they operate at the upper layers of the OSI model.[4]
  • Web Application Scanners:  used for crawling websites for vulnerabilities within web applications.  After analyzing all the discoverable web pages & files, the scanner builds a model of the entire website's structure; however, the web application scanner doesn’t have access to the source code.[5]
  • Network Scanners:  help to detect all the active hosts on a network and map them to their IP addresses.  Network scanners send a packet or ping to every possible IP address & wait for a response to determine the status of the applications or devices.  The responding hosts are considered active, while the others are considered inactive.  These responses are then scanned to detect inconsistencies.[6]
  • Common Vulnerability Scoring System (CVSS):  an industry standard used to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.  The numerical score can then be translated into a qualitative representation (such as low, medium, high, & critical) to help organizations properly assess & prioritize their vulnerability management processes.[7]

References

  1. Kassner, M. (2016). Cyber Threat Hunting: How This Vulnerability Detection Strategy Gives Analysts an Edge. TechRepublic.
  2. Metin, O. (2020). Comodo MITRE Kill Chain. Comodo Cybersecurity.
  3. What is Cyber Fusion? Cyware.
  4. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
  5. Web Application Scanning. White Hat Sec.
  6. What Are Network Scanning Tools? Tek-Tools.
  7. Common Vulnerability Scoring System SIG. FIRST.