September 04, 2019 / by Lenora Agnel / In threat-intelligence /

CVE-based Analysis Using vFeed

Vulnerabilities are programming errors that attackers use as stepping stones to gain access to a network or system and perform unauthorized activities, often while posing as an authorized user. In contrast, exposures are system configurations or states that could facilitate a successful attack. For example, exposures may allow attackers to gain information or hide their actions.

CVE, which stands for Common Vulnerabilities and Exposures, is a database whose purpose is to identify all publicly known security vulnerabilities and exposures in a standard way. Every CVE entry has a unique identifier consisting of the year in which it was published and a four-digit serial number. vFeed, a threat intelligence company, offers technology that makes a wealth of both reactive and preventive vulnerability information available through these CVE IDs. Using the _lookup directive in DNIF, we are going to use some vFeed functions to incorporate these CVE entries into a security workflow.

_fetch * from event where $LogName=CHECKPOINT AND $Duration=5h limit 10
>>_field $Keyword string "OpenSSL"
>>_lookup vfeed-pro keyword_to_cve $Keyword
>>_agg count_unique $CVE

We begin by retrieving the Checkpoint logs from the past seven days. From those logs, we choose a keyword to run a vFeed lookup against. For this particular use case, we’ve chosen “OpenSSL” as our keyword. We use the _field directive in DNIF to add the string “OpenSSL” to each log in the $Keyword field. We then use the _lookup directive together with the keyword_to_cve function in vFeed to run a lookup against $Keyword. Lastly, we use the _agg directive to list all of the unique CVE entries associated with our keyword.

[Figure: threat validation with vFeed]

In practice, this keyword could be any word, not just one specific to the contents of the logs. For instance, using the previous query as a starting point, we can use an arbitrary word such as “Excel” as the keyword. On running this query, vFeed gives us a list of CVE entries regarding the various vulnerabilities and exposures associated with Microsoft Excel.

_fetch * from event where $LogName=CHECKPOINT AND $Duration=5h limit 10
>>_field $Keyword string "Excel"
>>_lookup vfeed-pro keyword_to_cve $Keyword
>>_agg count_unique $CVE

[Figure: CVE entries associated with Microsoft Excel]

Another vFeed function, get_capec, retrieves attack-pattern information related to a given CVE entry. The Common Attack Pattern Enumeration and Classification (CAPEC) database catalogs the patterns of attack that adversaries use to exploit known weaknesses in software and hardware.

We can use DNIF’s context menu to run this query. First, we list unique CVE entries from the logs. Then, all we have to do is right-click on a CVE identifier to display a menu of actions that can be performed with the CVE value. In this case, we want to choose Get CAPEC Info.

[Figure: using the DNIF context menu]

In the search box, the existing query will be replaced with the query from the context menu for the specific field. In this example, the query uses the _lookup directive along with the get_capec function from vFeed.

_fetch * from event where $Duration=30d AND $CVE=_KEY_ group count_unique $CVE limit 1
>>_lookup vfeed-pro get_capec $CVE

[Figure: context query as seen in the search box]

All of the CAPEC-related information is shown in the results. This includes the attack methods, suitable mitigations, the title of the CAPEC entry and its CWE ID. CWE stands for Common Weakness Enumeration, a means of categorizing software weaknesses through a common vocabulary. While CVE entries refer to product-specific security issues (e.g., a bug in Windows that makes remote code execution possible), CWE entries have a greater scope. They describe the programming oversights that can result in vulnerabilities. Using the CWE IDs, we can further investigate the nature of a given security weakness.

[Figure: enrichment with CAPEC]

Another DNIF use case involving vFeed is raising an alert and creating a Freshdesk ticket for a CVE ID.

The query we use for this use case is as follows:

_fetch * from event where $LogName=CHECKPOINT AND $Duration=30d group count_unique $CVE, $LogName, $SrcIP, $AtkDesc limit 10
>>_lookup vfeed-pro get_cvss3_score $CVE
>>_checkif int_compare $VFCVSS3Base > 7 include
>>_raise module dnif_konnect high_severity_vulnerability_detected $CVE 4 12h
>>_trigger api freshdesk create_ticket High Severity Vulnerability detected : , $CVE , CVE.txt

From the Checkpoint firewall logs, we list all the unique CVE IDs from the past 30 days together with their attack-pattern descriptions and source IPs. We run a vFeed lookup using the get_cvss3_score function against each unique CVE ID. CVSS stands for Common Vulnerability Scoring System, a system that assigns severity scores to vulnerabilities; these scores allow responders to prioritize their response according to threat severity. An entry with a score from 7 to 9 is considered a high-severity vulnerability. We use the _checkif directive to keep only the CVE entries with a score greater than 7, and the _raise directive to raise an alert for each of them.

[Figure: creating an incident using SOAR]

Then, we use the _trigger directive to create a ticket on Freshdesk. Freshdesk helps organize tickets in order to track them efficiently.

We set the ticket’s title to “High-severity vulnerability detected,” followed by the ID of the CVE entry for which the alert was raised. We also use a text file called CVE.txt as a template for the ticket. CVE.txt contains values specific to this use case that will be displayed in the Freshdesk ticket. You can easily create different files for different applications and substitute in the names of these text files in your own queries. The values in CVE.txt include the CVSS Base Metric score, the Exploit score (which rates the ease of exploitation), the Impact score (which rates the impact of exploitation) and other relevant details regarding the alert. You can choose which values you want to include in the generated ticket depending on your use case by changing the contents of the text file.
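The fetch, lookup, _checkif and _trigger chain described above, rebuilt as an added Python example (this is not DNIF or vFeed code). The CVSS lookup table standing in for get_cvss3_score, the firewall events, the CVE IDs and the inline CVE.txt template are all constructed placeholders.

```python
# Added example (not DNIF or vFeed code): the alert-and-ticket pipeline from
# the query above, rebuilt in plain Python over constructed sample data.
from collections import OrderedDict

# Constructed stand-in for the vFeed get_cvss3_score lookup. The CVE IDs and
# scores are placeholders, not real vFeed data.
CVSS3_LOOKUP = {
    "CVE-2019-0001": {"base": 9.8, "exploit": 3.9, "impact": 5.9},
    "CVE-2019-0002": {"base": 5.3, "exploit": 3.9, "impact": 1.4},
    "CVE-2019-0003": {"base": 7.5, "exploit": 3.9, "impact": 3.6},
}

# Constructed firewall events, mimicking the $CVE / $SrcIP / $AtkDesc fields.
EVENTS = [
    {"CVE": "CVE-2019-0001", "SrcIP": "203.0.113.10", "AtkDesc": "rce attempt"},
    {"CVE": "CVE-2019-0002", "SrcIP": "203.0.113.11", "AtkDesc": "info leak"},
    {"CVE": "CVE-2019-0001", "SrcIP": "203.0.113.12", "AtkDesc": "rce attempt"},
    {"CVE": "CVE-2019-0003", "SrcIP": "203.0.113.13", "AtkDesc": "dos"},
    {"CVE": "CVE-2019-9999", "SrcIP": "203.0.113.14", "AtkDesc": "unknown"},
]

# Constructed stand-in for CVE.txt: the template picks which values appear
# in the ticket body.
CVE_TXT = ("CVE: {cve}\nCVSS3 Base: {base}\nExploit: {exploit}\n"
           "Impact: {impact}\nSources: {sources}")

def unique_cves(events):
    """Like 'group count_unique $CVE, $SrcIP, ...': one row per CVE ID,
    keeping the set of source IPs seen for it."""
    rows = OrderedDict()
    for ev in events:
        rows.setdefault(ev["CVE"], set()).add(ev["SrcIP"])
    return rows

def high_severity(events, lookup=CVSS3_LOOKUP, threshold=7.0):
    """Like '_lookup get_cvss3_score' followed by '_checkif int_compare > 7
    include'. CVEs with no lookup result are dropped, not scored as 0."""
    hits = []
    for cve, sources in unique_cves(events).items():
        score = lookup.get(cve)
        if score is None or score["base"] <= threshold:
            continue
        hits.append((cve, score, sorted(sources)))
    return hits

def build_ticket(cve, score, sources, template=CVE_TXT):
    """Like '_trigger api freshdesk create_ticket ...': a title carrying the
    CVE ID plus a body rendered from the template file."""
    title = "High Severity Vulnerability detected : " + cve
    body = template.format(cve=cve, sources=", ".join(sources), **score)
    return {"title": title, "body": body}

def run_pipeline(events):
    return [build_ticket(c, s, src) for c, s, src in high_severity(events)]
```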

[Figure: ticket as seen in Freshdesk]

Additionally, Freshdesk has its own dashboard that helps visualize ticket trends. For example, you can monitor the volume of tickets received on a weekly basis or display the oldest tickets that are yet to be resolved.

Incorporating CVE entries into your security workflows with the help of vFeed helps you figure out how severe the vulnerabilities in your network are. In the process, you can create tickets for high-risk vulnerabilities to ensure that your team can resolve critical issues rapidly.