Discover Your Most Critical Assets Before Hackers Do
Effective vulnerability management starts with understanding what matters most. That means assessing every asset based on its criticality and value to your organization’s infrastructure.
In this article, I will cover:
– Why assessing asset criticality is essential.
– What criteria to use when evaluating asset criticality.
– Which tools and approaches can support this process.
Why Asset Assessment Matters
In addition to the vulnerability rating, the criticality of the asset where the vulnerability is found is a key factor in prioritizing remediation.
The same vulnerability may carry different levels of risk depending on the context, including the asset’s function, the sensitivity of the data it processes, and its exposure to potential attackers. This makes asset criticality assessment a crucial step in effective vulnerability management.
CVSS Vulnerability Rating plus Threat Intelligence
Combining Threat Intelligence with the CVSS vulnerability rating enables a more accurate, risk-based prioritization of vulnerability remediation. This approach enhances vulnerability management because it allows trending vulnerabilities to be identified and remediated first.
Trending vulnerabilities are high-risk security flaws that are currently gaining attention due to active exploitation or widespread impact.
Tactical Evaluation of Asset Criticality
However, this is not enough to prevent targeted and sophisticated attacks. In my opinion, it is important to assess assets’ criticality more tactically. By tactically, I mean assessing from the attacker’s perspective and focusing first on what matters most.
Ask yourself: How would an attacker engage (HWAE)?
It’s a good idea to review the history of previous penetration tests conducted across the infrastructure and highlight their remediation recommendations for specific assets. Such a strategy, when combined with CVSS metrics and threat intelligence, leads to predictive prioritization.
The Infrastructure Attackers Love: Key Asset Types to Watch
I’ve decided to outline the asset types that are important from a tactical perspective. Identifying and tracking these assets in the vulnerability management platform will help prioritize and streamline remediation efforts.
Internet-Facing Servers and Services
These assets are constantly exposed to external threats and are typically the first targets in attack chains. Mapping them should be a top priority. You can discover Internet-facing assets using tools like nmap, whatweb, asnmap and httpx, and platforms such as Shodan and Censys.
Wireless Local Area Network (Wi-Fi) Assets
To identify and assess wireless networks from an attacker’s perspective, tools like Kismet and Airodump-ng can be used.
IT Personnel Endpoints
We can identify these endpoints by analyzing Active Directory group memberships and computer configurations. For example, the presence of administration tools such as the PuTTY SSH client often indicates that an endpoint is used by IT staff.
Email servers
From the Exchange Management Shell on an Exchange server, run the following command to list all Exchange servers in the organization:
Get-ExchangeServer | Format-List
To discover machines offering email services on your network, scan for common mail ports with Nmap:
nmap -Pn -p 143,993,110,995,25,587 -sV --open 192.10.10.0/24
DNS Servers
Use nslookup to resolve the name servers for a domain:
nslookup -q=ns example.com
Discover hosts listening on TCP port 53:
nmap -Pn -sT -p 53 -sV --open 192.10.10.0/24
Discover hosts listening on UDP port 53 (with verbose output):
nmap -Pn -sU -p 53 -vv -sV --open 192.10.10.0/24
Domain controllers (DC)
In PowerShell, retrieve all DC hostnames in the current Active Directory domain:
Get-ADDomainController -filter * | Select-Object Hostname
Discover DCs offering Kerberos, LDAP and Global Catalog services:
nmap -Pn -p 88,389,636,3268,3269 -sV --open 192.10.10.0/24
DHCP servers
In PowerShell, retrieve all DHCP servers authorized in Active Directory:
Get-DhcpServerInDC
Use Nmap to discover hosts offering DHCP services on UDP port 67:
nmap -Pn -sU -vv -p 67 -sV --open 192.10.10.0/24
Active Directory Certificate Services (AD CS) Servers
Retrieve the names, statuses, and configurations of the Certificate Authorities:
certutil
certutil -CA
certutil -ADCA
System Center Configuration Manager (SCCM) Servers
Query the SCCM client WMI class on an endpoint to check for the installed agent:
Get-WmiObject -Namespace "root\ccm" -Class SMS_Client
Use the sccmhunter script to discover SCCM infrastructure in your domain:
python3 sccmhunter.py find -u 'lowpriv' -p 'P@ssw0rd' -d internal.lab -dc-ip 192.10.100.100
Windows Server Update Services (WSUS) Servers
Query WSUS configuration in the registry:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v wuserver
wuserver REG_SZ https://xx.example.com:xxxx
List WSUS servers via PowerShell (Get-WsusServer returns the WSUS server on the local host and requires the UpdateServices module; the second command searches all Group Policy reports for WSUS references):
Get-WsusServer
Get-GPOReport -All -ReportType Xml | Select-String -Pattern 'WSUS'
Scan Group Policy Objects for WSUS URLs:
Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml } | Select-String -Pattern 'http[s]?://[^"]*/(WSUS)'
AD objects with Kerberos delegation
List all computer accounts with unconstrained delegation enabled:
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
Use the impacket-findDelegation tool to discover delegation-enabled objects in the domain:
impacket-findDelegation example.com/username --dc-ip 192.168.1.1
Windows servers with Print Spooler service
Print Spooler uses MS-RPRN (Microsoft Print System Remote Protocol), and it is possible to coerce a host into authenticating to another host over the network; that authentication can then be abused for NTLM relay attacks or to capture hashes.
After mapping priority assets, I usually rate them as highly critical. In some vulnerability management platforms this is easily done, and their criticality is calculated automatically.
Keep track of attack history and see if the asset has been targeted or involved in past incidents or security breaches.
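As an added example (not code from the original article), the Python below models the predictive prioritization described here: each finding's CVSS score is weighted by a tactical criticality derived from the asset types listed above, boosted when threat intelligence marks the vulnerability as trending or the asset has an attack history, and halved when a compensating control exists. The tag names, weights, sample assets and placeholder vulnerability ids are assumptions constructed for this example.

```python
from dataclasses import dataclass
# Tactical criticality per asset type (the article's "assets attackers love").
# The numeric scale and tag names are assumptions made for this example.
CRITICALITY = {
    "internet_facing": 5, "domain_controller": 5, "adcs": 5, "email": 4,
    "unconstrained_delegation": 4, "sccm": 4, "wsus": 4, "it_endpoint": 4,
    "dns": 3, "dhcp": 3, "print_spooler": 3, "wifi": 3,
}

@dataclass
class Asset:
    name: str
    tags: list                 # tactical tags assigned during asset mapping
    past_incidents: int = 0    # times the asset was involved in incidents
    pentest_findings: int = 0  # open findings from previous penetration tests

@dataclass
class Finding:
    asset: Asset
    vuln_id: str
    cvss: float                # CVSS base score, 0.0 to 10.0
    trending: bool = False     # threat intelligence reports active exploitation
    compensating_control: bool = False  # mitigated where it cannot be patched

def asset_criticality(asset):
    """Highest criticality among the asset's tags; untagged assets score 1."""
    return max((CRITICALITY.get(t, 1) for t in asset.tags), default=1)

def priority_score(f):
    """CVSS weighted by asset criticality, boosted by threat intelligence and
    attack history, halved when a compensating control is in place."""
    score = f.cvss * asset_criticality(f.asset)
    if f.trending:
        score *= 1.5
    score += 2 * f.asset.past_incidents + f.asset.pentest_findings
    return score / 2 if f.compensating_control else score

def rank(findings):
    """Remediation order: highest priority score first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample data; vulnerability ids are placeholders, not real CVEs.
DC01 = Asset("DC01", ["domain_controller", "dns"], past_incidents=1)
WEB01 = Asset("WEB01", ["internet_facing"], pentest_findings=2)
LAB07 = Asset("LAB07", [])
SAMPLE_FINDINGS = [
    Finding(LAB07, "VULN-PLACEHOLDER-1", cvss=9.8, trending=True),
    Finding(WEB01, "VULN-PLACEHOLDER-2", cvss=7.2, trending=True),
    Finding(DC01, "VULN-PLACEHOLDER-3", cvss=6.5),
]
```

Ranking SAMPLE_FINDINGS puts the CVSS 7.2 finding on the Internet-facing server first and the CVSS 9.8 finding on the untagged lab host last, which is exactly the effect of weighting by tactical criticality rather than by CVSS alone.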
What if a vulnerability is impossible to remediate?
Then it is better to consider compensating controls – any technical or organizational measure that mitigates the exploitation of this vulnerability.
Tactical assessment and automated prioritization will allow the team to focus on truly critical assets, where risk is highest and response time is crucial.