CVE-based Analysis Using vFeed
Vulnerabilities are programming errors that attackers use as stepping stones to gain access to a network or system and perform unauthorized activities, often while posing as an authorized user. In contrast, exposures are system configurations or states that could facilitate a successful attack. For example, exposures may allow attackers to gain information or hide their actions.
CVE, which stands for Common Vulnerabilities and Exposures, is a database whose purpose is to give every publicly known security vulnerability and exposure a standard identifier. Every CVE entry has a unique identifier made up of the year it was published and a four-digit serial number. vFeed, a threat intelligence company, offers technology that makes a plethora of both reactive and preventive vulnerability information available through these CVE IDs. Using the _lookup directive in DNIF, we will call vFeed functions to incorporate these CVE entries into a security workflow.
_fetch * from event where $LogName=CHECKPOINT AND $Duration=5h limit 10 >>_field $Keyword string "OpenSSL" >>_lookup vfeed-pro keyword_to_cve $Keyword >>_agg count_unique $CVE
We begin by retrieving the Checkpoint logs from the past seven days. From those logs, we choose a keyword to run a vFeed lookup against. For this particular use case, we’ve chosen “OpenSSL” as our keyword. We use DNIF’s _field directive to attach the string “OpenSSL” to each event as the $Keyword field. We then use the _lookup directive with vFeed’s keyword_to_cve function to run a lookup against $Keyword. Lastly, we list all of the unique CVE entries associated with our keyword using the _agg directive.
In practice, this keyword could be any word, not just one specific to the contents of the logs. For instance, using the previous query as a starting point, we can use an arbitrary word such as “Excel” as the keyword. On running this query, vFeed gives us a list of CVE entries regarding the various vulnerabilities and exposures associated with Microsoft Excel.
_fetch * from event where $LogName=CHECKPOINT AND $Duration=5h limit 10 >>_field $Keyword string "Excel" >>_lookup vfeed-pro keyword_to_cve $Keyword >>_agg count_unique $CVE
Another vFeed function, get_capec, can be used to retrieve information related to a given CVE entry. The Common Attack Pattern Enumeration and Classification (usually shortened to CAPEC) database catalogs the attack patterns adversaries use to exploit known weaknesses in software and hardware.
We can use DNIF’s context menu to run this query. First, we list unique CVE entries from the logs. Then, all we have to do is right-click on a CVE identifier to display a menu of actions that can be performed with the CVE value. In this case, we want to choose Get CAPEC Info.
In the search box, the existing query will be replaced with the query from the context menu for the specific field. In this example, the query uses the _lookup directive along with the get_capec function from vFeed.
_fetch * from event where $Duration=30d AND $CVE=_KEY_ group count_unique $CVE limit 1 >>_lookup vfeed-pro get_capec $CVE
All of the CAPEC-related information is shown in the results. This includes the attack methods, suitable mitigations, the title of the CAPEC entry and its CWE ID. CWE stands for Common Weakness Enumeration, a means of categorizing software weaknesses through a common vocabulary. While CVE entries refer to product-specific security issues (e.g., a bug in Windows that makes remote code execution possible), CWE entries have a greater scope. They describe the programming oversights that can result in vulnerabilities. Using the CWE IDs, we can further investigate the nature of a given security weakness.
Another DNIF use case involving vFeed is raising an alert and creating a Freshdesk ticket for a CVE ID.
The query we use for this use case is as follows:
_fetch * from event where $LogName=CHECKPOINT AND $Duration=30d group count_unique $CVE, $LogName, $SrcIP, $AtkDesc limit 10 >>_lookup vfeed-pro get_cvss3_score $CVE >>_checkif int_compare $VFCVSS3Base > 7 include >>_raise module dnif_konnect high_severity_vulnerability_detected $CVE 4 12h >>_trigger api freshdesk create_ticket High Severity Vulnerability detected : , $CVE , CVE.txt
From the Checkpoint firewall logs, we list all the unique CVE IDs, their attack pattern descriptions and their source IPs from the past 30 days. We run a lookup with vFeed using the get_cvss3_score function against each unique CVE ID. CVSS stands for Common Vulnerability Scoring System, a system that assigns severity scores to vulnerabilities. These scores allow responders to prioritize responses according to threat severity. An entry with a score from 7 to 9 is considered a high-severity vulnerability. We use the _checkif directive to keep only the CVE entries with a score greater than 7 and raise an alert for each of them.
Then, we use the _trigger directive to create a ticket on Freshdesk. Freshdesk helps organize tickets in order to track them efficiently.
We set the ticket’s title to “High-severity vulnerability detected,” followed by the ID of the CVE entry for which the alert was raised. We also use a text file called CVE.txt as a template for the ticket. CVE.txt contains values specific to this use case that will be displayed in the Freshdesk ticket. You can easily create different files for different applications and substitute in the names of these text files in your own queries. The values in CVE.txt include the CVSS Base Metric score, the Exploit score (which rates the ease of exploitation), the Impact score (which rates the impact of exploitation) and other relevant details regarding the alert. You can choose which values you want to include in the generated ticket depending on your use case by changing the contents of the text file.
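As an added example (not DNIF or vFeed code), the following Python reproduces the logic of this pipeline outside the product: group events by CVE ID, look up the CVSS3 score, keep entries strictly above 7, and render the ticket title and a CVE.txt-style body. The vFeed score table, the event records and the template layout are constructed stand-ins, since the page does not show the real CVE.txt format.

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # year, then a serial of four or more digits

# Constructed stand-in for vFeed's get_cvss3_score lookup (placeholder IDs, not real CVEs).
VFEED_CVSS3 = {
    "CVE-0000-0001": {"base": 9.8, "exploitability": 3.9, "impact": 5.9},
    "CVE-0000-0002": {"base": 5.3, "exploitability": 3.9, "impact": 1.4},
    "CVE-0000-0003": {"base": 7.0, "exploitability": 3.9, "impact": 3.6},
    "CVE-0000-0004": {"base": 8.1, "exploitability": 2.2, "impact": 5.9},
}

# Constructed Checkpoint-style events carrying the fields the DNIF query groups on.
EVENTS = [
    {"CVE": "CVE-0000-0001", "LogName": "CHECKPOINT", "SrcIP": "10.0.0.5", "AtkDesc": "rce attempt"},
    {"CVE": "CVE-0000-0001", "LogName": "CHECKPOINT", "SrcIP": "10.0.0.9", "AtkDesc": "rce attempt"},
    {"CVE": "CVE-0000-0002", "LogName": "CHECKPOINT", "SrcIP": "10.0.0.7", "AtkDesc": "info leak"},
    {"CVE": "CVE-0000-0003", "LogName": "CHECKPOINT", "SrcIP": "10.0.0.8", "AtkDesc": "dos"},
    {"CVE": "CVE-0000-0004", "LogName": "CHECKPOINT", "SrcIP": "10.0.0.8", "AtkDesc": "auth bypass"},
    {"CVE": "not-a-cve", "LogName": "CHECKPOINT", "SrcIP": "10.0.0.1", "AtkDesc": "noise"},
]

# Constructed CVE.txt-style template (the page does not show the real file's layout).
CVE_TXT = ("CVE: {cve}\nCVSS3 Base: {base}\nExploitability: {exploitability}\n"
           "Impact: {impact}\nSources: {sources}\nDescription: {desc}")

def group_by_cve(events):
    """`group count_unique $CVE, ...`: one record per well-formed CVE ID with its distinct sources."""
    grouped = defaultdict(lambda: {"sources": set(), "desc": set()})
    for ev in events:
        if not CVE_RE.match(ev["CVE"]):
            continue  # malformed IDs cannot be looked up; drop them before the lookup step
        grouped[ev["CVE"]]["sources"].add(ev["SrcIP"])
        grouped[ev["CVE"]]["desc"].add(ev["AtkDesc"])
    return grouped

def triage(events, threshold=7):
    """_lookup + _checkif: keep CVEs whose CVSS3 base score is strictly greater than the threshold.
    Edge case: with a strict `> 7`, a base of exactly 7.0 (High in CVSS v3) is excluded."""
    alerts = []
    for cve, ctx in sorted(group_by_cve(events).items()):
        score = VFEED_CVSS3.get(cve)  # None when the lookup returns no score
        if score is None or not score["base"] > threshold:
            continue
        alerts.append({"cve": cve, **score, "sources": sorted(ctx["sources"]),
                       "desc": "; ".join(sorted(ctx["desc"]))})
    return alerts

def render_ticket(alert, template=CVE_TXT):
    """_trigger api freshdesk create_ticket: the title string plus a body rendered from the template."""
    title = f"High Severity Vulnerability detected : {alert['cve']}"
    return title, template.format(**{**alert, "sources": ", ".join(alert["sources"])})
```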
Additionally, Freshdesk has its own dashboard that helps visualize ticket trends. For example, you can monitor the volume of tickets received on a weekly basis or display the oldest tickets that are yet to be resolved.
Incorporating CVE entries into your security workflows with the help of vFeed helps you figure out how severe the vulnerabilities in your network are. In the process, you can create tickets for high-risk vulnerabilities to ensure that your team can resolve critical issues rapidly.