Category Archives: Productology

PHDays 10: U.S. Sanctions, My Talk on Vulristics, Other Great Talks Related to VM

Today I will talk about the Positive Hack Days conference, which took place on May 20 and May 21 in Moscow. I can say that this was and remains the main event for Information Security Practitioners in Russia.

First of all, I have to say a few words about the sanctions. The organizer of the event, Positive Technologies, is under the sanctions of the US Treasury Department since April 2021 among the “COMPANIES IN THE TECHNOLOGY SECTOR SUPPORTING RUSSIAN INTELLIGENCE SERVICES”. In a press release, the Treasury Department wrote that Positive Technologies hosts large-scale conventions that are used as recruiting events for russian special services. Well, I don’t know exactly what they mean. Maybe they mean PHDays or maybe not. But to say this about PHDays is like saying that any major international conference, Black Hat or RSA, is a recruiting event. This is ridiculous. In my humble opinion, these are some dirty political games. It is sad that reputable information security companies and security researchers are suffering from this.

Now let’s talk about my speech at PHDays 10. This year I had the opportunity to talk for an hour about my pet project – Vulristics. This project can help you prioritize known vulnerabilities. Anything that has a CVE id. There is a full video of my speech. I have uploaded this to my YouTube channel.

Russian version.

And a version that was dubbed into English.

So, if you’re interested, I recommend watching the full video. Here I will simply repeat the main points.

Continue reading

Getting Hosts from Microsoft Intune MDM using Python

Today I want to talk about Microsoft Intune. It is a Mobile Device Management platform.

Well, I think that the importance of MDM systems has become much higher than it was before the days of covid-19. Simply because a lot more people now work remotely using corporate laptops. And if these people don’t connect to the corporate network using a VPN, you most likely won’t see any activity from their devices in Active Directory. This means that you will not understand whether the device is active or not. And it will be impossible to get the correct security metrics for these devices.

Mobile device management is a solution to this problem as it maintains a connection between the laptop and the cloud server. MDM can collect various parameters from hosts, but for me the most important parameter is the timestamp. I will not describe all the features of Microsoft Intune here. Simply because at this stage they are not very interesting to me. The task I needed to solve was how to get the timestamp of the last activity for all hosts in Microsoft Intune using the official API. And since this is poorly documented, I want to share it with you.

Continue reading

AM Live Vulnerability Management Conference Part 2: What was I talking about there

Hello all! It is the second part about AM Live Vulnerability Management conference. In the first part I made the timecodes for the 2 hours video in Russian. Here I have combined all my lines into one text.

What is Vulnerability Management?

Vulnerability Management process is the opposite of the admin’s saying “If it works – don’t touch it!”. The main idea of this process is to somehow fix the vulnerabilities. How do you achieve this is not so important. Maybe you will have a nice Plan-Do-Check-Act process and strict policies. Maybe not. The main thing is that you fix vulnerabilities! And the main problem is to negotiate this regular patching with system administrators and service owners.

Continue reading

AM Live Vulnerability Management Conference Part 1: Full video in Russian + Timecodes in English

Hello all! 2 weeks ago I participated in the best online event fully dedicated to Vulnerability Management in Russia. It was super fun and exciting. Thanks to all the colleagues and especially to Lev Paley for the great moderation! I have talked out completely. Everything I wanted and the way I wanted. It seems that not a single hot topic was missed.

AM LIve: Vulnerability Management conference

You can see the two hours video below. It is in Russian. And it’s pretty complicated to translate it all. I won’t event try. ? If you don’t understand Russian you can try auto-generated and auto-translated subtitles on YouTube, but the quality is far from ideal.

To give you the idea what we were talking about I added the timecodes in English.

Timecodes

Section 1. Vulnerability Management Process and Solutions

  • 5:18 Vulnerability Management Process Definition
  • 10:53 Vulnerability Management is the opposite of the admin’s saying “If it works – don’t touch it!” The main thing in the process is to somehow fix the vulnerabilities. (Leonov)
  • 12:30 Sometimes a basic vulnerability scanner and Jira is already a Vulnerability Management solution (Leonov)
  • 13:30 Difference between Vulnerability Management Solutions and Vulnerability Scanners
  • 17:09 Vulnerability Management and Vulnerability Scanners: in our restaurant we call rusks “croutons”, because a rusk cannot cost $8, but crouton can” (Leonov)
  • 23:00 Licensing schemes, delivery options and costs
  • 28:48 Module-based licensing and the situations when modules can be excluded from the subscription (Paley)
  • 30:24 Commercial Vulnerability Management solutions are expensive, especially when licensed per host (Leonov)
  • 31:00 Maxpatrol unlimited licenses (Bengin)
  • 34:08 Perimeter scanning: very critical, low reliability of banner-based detections, it’s better to assess hosts accessible from the Internet with internal authenticated scans. Criticality of the network as an element of scoring. (Leonov)
  • 36:50 The impact of Regulators on the Vulnerability Management Market, a free ScanOVAL tool
  • 39:10 What to do with vulnerabilities in local software products that are not supported by foreign VM vendors?
  • 44:00 When it’s enough to use a free scanner? Could there be a full-functional and free vulnerability scanner? In theory, yes, but it is not clear how the vendor will finance the maintenance of the knowledge base. In practice, we see how such stories collapse. You need to understand the limitations of free products (such as OpenVAS). Including the completeness of the scan results and the ease of building the VM process. (Leonov)
  • 47:19 Poll: what is used in your organization?
Continue reading

Vulristics: Microsoft Patch Tuesdays Q1 2021

Hello everyone! It has been 3 months since my last review of Microsoft vulnerabilities for Q4 2020. In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.

I will be using the reports that I created with my Vulristics tool. This time I’ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.

Continue reading

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs

Hello everyone! In this episode I would like to share an update for my Vulristics project.

For those who don’t know, in this project I am working on an alternative vulnerability scoring based on publicly available data to highlight vulnerabilities that need to be fixed as soon as possible. Roughly speaking, this is something like Tenable VPR, but more transparent and even open source. Currently it works with much less data sources. It mainly depends on the type of vulnerability, the prevalence of vulnerable software, public exploits and exploitation in the wild.

Elevation of Privilege - Windows Win32k

I started with Microsoft PatchTuesday Vulnerabilities because Microsoft provides much better data than other vendors. They have the type of vulnerability and the name of the vulnerable software in the title.

Elevation of Privilege - Windows Win32k MS site

But it’s time to go further and now you can use Vulristics to analyze any set of CVEs. I changed the scirpts that were closely related to the Microsoft datasource and added new features to get the type of vulnerability and name of the software from the CVE description.

Elevation of Privilege - Sudo (CVE-2021-3156) - High [595]
Continue reading

Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python

Hello everyone! In this episode, I want to talk about Microsoft Defender for Endpoint. It’s not a well-known free Defender antivirus built in Windows 10, but an enterprise level solution with the similar name. Yes, the naming is pretty confusing.

I will not repeat Microsoft’s marketing thesis. Just the basic idea. The Windows endpoints on your network have built-in agents that can send some data to the Microsoft cloud. In the cloud, they process this data into security events. Users can see these events in the web interface on the Microsoft website.

Continue reading