Use API to find Most Common Actively Targeted Vulnerabilities

Hi everyone!

We are working on getting rid of our backlog of vulnerabilities in our environment and the idea is to first get the Most Common Actively Targeted Vulnerabilities under control.

Now I know that we have a default dashboard card that highlights these and that we can create remediation projects out of the information from that card. That gives a really good overview for the follow-up but it is not always good for working with.

We would like to be able to get a list of each solution and all devices where it needs to be applied. That list we then could read into our patch deployment tool for a more aggressive patch approach.

I have been reading through the documentation of the IVM API v3 and can see that there is no way of querying the Insight Platform stuff from here.

So my question is if this would be possible to do in any other way.
In my head these “Most Common Actively Targeted Vulnerabilities” would have some sort of a tag or similar on them - does anyone know if they actually do and what that tag is in that case?

I’m thinking if I can query for the vulnerabilities with that tag, then with that list I will then check for each solution and all machines the vulnerability is present on.

Cheers and happy Friday
/Richard

This is a good question - I’m looking to get some feedback from the team regarding the best way to go about this. My understanding is that there’s currently not a great way to retrieve info surrounding the Most Common Actively Targeted vulnerabilities via the API. This is because we use info from Project Heisenberg and other points of research to actually identify those types of vulns, and that data isn’t accessible via the API.

There may be another alternative approach here though, so I’m checking to see if the team has any good suggestions.

Hi Holly!

Thanks for your feedback, holding my thumbs that there will be some kind of possibility to work around that and find the information within the API.

I confirmed with the team that there’s no good way to pull those particular types of vulns via the API. (Unless you had the ID of every one of those vulns and wanted to loop through those, but I don’t think that’s a great option.)

I know you mentioned this before, but an option here is to create a static remediation project for these vulns since that’ll show the associated assets and solutions for remediation. You can drive action there or via a ticketing platform that you tie in to, like Jira or ServiceNow. Remediation projects also have an option for exporting their contents to CSV, if that’s an easier way to view the solutions data.

Alrighty then.
Yeah, I know it is possible to export assets per each solution to a CSV from the remediation projects. I have started like that but really hoped it would be possible to do it programmatically, so to speak, to be able to save some time.

From what I have seen it is possible to create two types of CSVs from the remediation projects:
One CSV listing the solutions, the number of assets each applies to, risk reduction etc.
And the second, within each specific solution, lists affected assets.

Is there any option in the remediation projects to export a full list, e.g. like this:
solution a, asset x
solution a, asset y
solution b, asset z
solution c, asset x
solution c, asset y
solution c, asset z

Thanks in advance

Hey Richard,

Is this top remediations action of our InsightVM plugin for InsightConnect maybe a solution for your problem?

The output looks like this:

{
  "remediations": [
    {
      "solutionId": 50460,
      "nexposeId": "mozilla-firefox-upgrade-latest",
      "summary": "Upgrade to the latest version of Mozilla Firefox",
      "fix": "Install the latest version of Mozilla Firefox from the Mozilla Products (http://www.mozilla.org/products/firefox/) page.",
      "assetCount": 1,
      "vulnerabilityCount": 689,
      "riskScore": 595588,
      "assets": [
        {
          "id": 44,
          "hostName": "hostname",
          "ip": "10.0.0.1",
          "mac": "00:00:00:00:00:00",
          "os": "Windows Server 2012 R2 Standard Edition",
          "riskScore": 2116158,
          "criticalityTag": "Very High"
        }
      ],
      "vulnerabilities": [
        {
          "id": 73213,
          "title": "Obsolete Version of Mozilla Firefox",
          "description": "\n    \n<p>\n      Versions of Mozilla Firefox prior to 57.0.x are no longer supported. Unsupported\n      versions of Firefox may contain unpatched security flaws. It is recommended to \n      upgrade to the latest version.\n    </p>\n  ",
          "cvssScore": "10",
          "severity": 10,
          "riskScore": 871
        }
      ]
    }
  ]
}
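
Added example, not part of the original thread or of the plugin: a short Python script that flattens output shaped like the JSON above into the one-row-per-solution-and-asset list asked for earlier in the thread. It assumes the output has been saved as JSON; the field names come from the output shown above, while the sample data, the second and third solutions and the helper names are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample, shaped like the action output shown above (fields trimmed).
SAMPLE = """{"remediations": [
 {"solutionId": 50460, "nexposeId": "mozilla-firefox-upgrade-latest",
  "summary": "Upgrade to the latest version of Mozilla Firefox",
  "assets": [{"id": 44, "hostName": "host-a", "ip": "10.0.0.1"},
             {"id": 45, "hostName": null, "ip": "10.0.0.2"}]},
 {"solutionId": 50461, "nexposeId": "example-solution-b",
  "summary": "=constructed summary with a formula prefix",
  "assets": [{"id": 44, "hostName": "host-a", "ip": "10.0.0.1"},
             {"id": 44, "hostName": "host-a", "ip": "10.0.0.1"}]},
 {"solutionId": 50462, "nexposeId": "example-solution-c", "summary": "none"}
]}"""

FIELDS = ("solutionId", "nexposeId", "summary", "assetId", "hostName", "ip")

def safe_cell(value):
    """Stringify a value; neutralise spreadsheet formula prefixes in scan data."""
    text = "" if value is None else str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def flatten(report):
    """One row per unique (solution, asset) pair, in input order."""
    rows, seen = [], set()
    for rem in report.get("remediations", []):
        for asset in rem.get("assets") or []:  # a solution may list no assets
            key = (rem.get("solutionId"), asset.get("id"))
            if key in seen:
                continue
            seen.add(key)
            rows.append((rem.get("solutionId"), rem.get("nexposeId"),
                         rem.get("summary"), asset.get("id"),
                         asset.get("hostName") or asset.get("ip"),  # fall back to IP
                         asset.get("ip")))
    return rows

def to_csv(rows):
    """Serialise rows to CSV text with a header line."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(FIELDS)
    writer.writerows([safe_cell(v) for v in row] for row in rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(flatten(json.loads(SAMPLE))), end="")
```

Host names and summaries originate from scanned systems, so cells that begin with a formula character are prefixed before the file is opened in a spreadsheet or read by another tool.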

I was just messing with the CSVs and I don’t think there’s a great way to correlate the solution + asset info like that right now. We’ve just passed some feedback to the team on this though, regarding a better way to retrieve remediation project info via SQL/API.

Hmm, maybe something that could work. Since it is a plugin for InsightConnect I guess we would need to have the license for that as well and we don’t unfortunately.

Thanks for checking and thanks for passing on the feedback, much appreciated!
