Running Admin/Admin Scans when you have agents

Hey gang, have a weird one for ya

So I was talking to a colleague of mine today who says they run Admin/Admin scans as the username/password to see if they pop devices that have vulnerabilities while doing manual scans, and suggested that as a way forward for us. The issue with that methodology is that we are 100% agent deployment in our internal environment. Doing manual scans while agents are on the device during testing periods showed it will corrupt the vulnerability data reported for the device.

Any outside the box thinking on this for the need requested?

I like the admin/admin idea actually. Small effort to do, but in the case of exploitation it could be large.

Also, I think running manual scans in combination with agents is the way to go.
In my world we have our system operations team who do the patching. So if they are working on a server they want to see the result directly. They use Slack (ICON workflow) to run a specific credentialed scan to see their result almost immediately instead of having to wait 4-6 hours.

So the idea is a good one. But to clarify the problem:

Agent data will show 47 vulnerabilities on a machine.
If you run a scan and, let’s say, the machine doesn’t pop Admin/Admin, the vuln count will drop to 0.
Then when the agent resyncs it will go back to a 47 vuln count.

Agent-only scans will limit what you see. There are a number of limitations to what the agents can do. You can read about it in the docs, but as an example it won’t show you any network-based vulnerability issues, etc., so I advise you do both. Network-wise, for auth it will try various username/pwd combos for anything it has a default check for. Hopefully you use scan agents for auth where possible.
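The 47 → 0 → 47 sequence described in the clarification above, reproduced as an added Python example (not from the thread or from any scanner vendor's code) on constructed findings: a naive "latest result wins" merge is shown beside a per-source merge in which an unauthenticated network scan cannot erase what the agent reported.

```python
"""Added example: why a scan that fails to authenticate can "zero out" agent
findings in a host view, and a per-source merge that does not let it.
All hosts, finding IDs and timestamps are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    source: str          # "agent" or "scan"
    authenticated: bool  # did the assessment have local/credentialed access?
    timestamp: int       # constructed epoch seconds
    findings: frozenset  # constructed finding identifiers


# Constructed timeline: agent reports 47, unauthenticated scan finds 0, agent resyncs.
AGENT_FINDINGS = frozenset(f"vuln-{i:02d}" for i in range(47))
AGENT_47 = Result("agent", True, 1_000, AGENT_FINDINGS)
SCAN_NO_CREDS = Result("scan", False, 2_000, frozenset())  # Admin/Admin did not pop
AGENT_RESYNC = Result("agent", True, 3_000, AGENT_FINDINGS)
EVENTS = [AGENT_47, SCAN_NO_CREDS, AGENT_RESYNC]


def replace_latest(results):
    """Naive policy: whichever result arrived last defines the host's findings,
    regardless of whether it could see local (authenticated) vulnerabilities."""
    return set(max(results, key=lambda r: r.timestamp).findings)


def merge_by_source(results):
    """Keep the latest result per source and union them. An unauthenticated scan
    can only add network-visible findings; it never removes agent findings,
    which only a newer agent result is allowed to supersede."""
    latest = {}
    for r in results:
        if r.source not in latest or r.timestamp > latest[r.source].timestamp:
            latest[r.source] = r
    merged = set()
    for r in latest.values():
        merged |= r.findings
    return merged


def timeline(policy):
    """Apply a merge policy after each event and return the vuln count seen each time."""
    history, counts = [], []
    for r in EVENTS:
        history.append(r)
        counts.append(len(policy(history)))
    return counts


if __name__ == "__main__":
    print("latest wins:    ", timeline(replace_latest))   # [47, 0, 47]
    print("merge by source:", timeline(merge_by_source))  # [47, 47, 47]
```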