VRM Automation Use Case #1: Vulnerability Intelligence Gathering
At Rapid7, we've been collecting vulnerability data for over 20 years (shoutout to our faithful Nexpose customers!), and we have always found sharing actionable vulnerability data is crucial to our customers' success. Vulnerability and remediation information can be shared through reports, dashboards, ticketing systems, spreadsheets, and many, many other mediums. Lately, we’ve found Chat tools, like Microsoft Teams and Slack, have helped improve remediation efforts between security and IT remediation teams more than all those other mediums put together. They’re already a part of almost everyone’s day-to-day, they’re checked frequently, they encourage collaboration, and they interface well with automation tools.
Our first use case in this Quick Start guide is focused on setting up some simple automation workflows that will push vulnerability notifications to a channel of your choosing and allow members of the channel to retrieve details about any host that has been assessed by InsightVM. We call this use case Vulnerability Intelligence Gathering.
This vulnerability intelligence gathering use case covers implementation of three workflows:
Workflow 1: Receive CISA Alerts in Chat
Staying up-to-date with the latest vulnerability disclosures and security news has become a round-the-clock effort. There are simply too many disclosures to keep track of, and security events seem to make the news weekly, if not daily. But fear not! Automation can help!
The Cybersecurity Infrastructure and Security Agence (CISA) National Cyber Awareness System provides timely information about security issues, vulnerabilities, and exploits. InsightConnect can poll CISA’s RSS feed for new alerts, format them, and deliver them as messages in a Microsoft Teams or Slack channel. This can help keep you and your colleagues up to date on the latest breaking security events and give you easy access to all the details you need to understand impact and blast radius in your environment.
Import and configure the workflow
Import the Receive CISA Alerts to Microsoft Teams / Slack workflow to get started (choose the appropriate chat tool for your environment).
- Click the Import button on the workflow page in the Extension Library.
- Proceed through the import process and select or create the following plugin configurations:
- Select or create a connection for Microsoft Teams or Slack
- Create a new RSS connection called CISA Alert Feed using the following URL:
https://us-cert.cisa.gov/ncas/alerts.xml
- Leave the HTML plugin configured to “Run on Cloud”
After importing the workflow, you will find the Workflow Control Panel page, which contains some workflow statistics like the step count, plugins, and creator. Set the Time Saved value to 5 minutes (or any length of time of your choosing). This will help track automation time savings and return on investment.
The last configuration items needed are your Microsoft Teams team and channel name or your Slack channel name. These parameters can be changed from this Control Panel page, making it easy to update your workflow without entering the Workflow Builder. Enter the name of your team and/or channel where you would like alerts to be delivered and click Save.
👉 Remember, you may want to start with a test channel and then switch this parameter to a production channel later!
Don't forget to add InsightConnect to your chat channel!
- If you use Microsoft Teams, add the user associated with your Teams connection to the channel.
- If you use Slack, then add your chatbot to the channel.
Congratulations, your workflow is configured and ready for activation!
Activate the workflow
Use the slider at the top of the Control Panel page to switch your workflow to Active
! This means your workflow will run automatically anytime the trigger condition is met. This workflow uses an RSS trigger and checks for new CISA alerts every 15 minutes. You can learn more about triggers here.
Test the workflow
Once your workflow is active, you'll see new CISA alerts delivered to your Chat channel! Since these alerts are delivered infrequently, you may want to run the workflow manually. To do so:
- Copy the code snippet below, which was taken from a real CISA alert event.
- From the workflow control panel page in InsightConnect, click the
...
menu, then clickRun
. - Paste the JSON data into the
Results
field. - Click
Run
!
json
1{2"author": "CISA",3"author_detail": {"name": "CISA"},4"authors": [{"name": "CISA"}],5"guidislink": false,6"id": "16791 at https://us-cert.cisa.gov",7"link": "https://us-cert.cisa.gov/ncas/alerts/aa21-209a",8"links": [{"href": "https://us-cert.cisa.gov/ncas/alerts/aa21-209a","rel": "alternate","type": "text/html"}],9"published": "Wed, 28 Jul 2021 12:00:00 +0000",10"published_parsed": [2021,7,28,12,0,0,2,209,0],11"summary": "Original release date: July 28, 2021<br/><h3>Summary</h3><p>This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). </p>\n\n<p>This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021. </p>\n\n<p>Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. </p>\n\n<p><a href=\"https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf\">Click here</a> for a PDF version of this report.</p>\n<h3>Technical Details</h3><h3>Key Findings</h3>\n\n<p>In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.</p>\n\n<p><strong>Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. </strong>Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organization to conduct rigorous patch management.</p>\n\n<p>CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020. </p>\n\n<p class=\"text-align-center\"><em>Table 1:Top Routinely Exploited CVEs in 2020</em></p>\n\n<table align=\"center\" border=\"1\" cellpadding=\"1\" cellspacing=\"1\" class=\"general-table\" style=\"width: 907px; height: 312px; margin-left: auto; margin-right: auto;\">\n\t<thead>\n\t\t<tr>\n\t\t\t<th scope=\"col\">\n\t\t\t<p>Vendor</p>\n\t\t\t</th>\n\t\t\t<th scope=\"col\">\n\t\t\t<p>CVE</p>\n\t\t\t</th>\n\t\t\t<th scope=\"col\" style=\"width: 296px;\">\n\t\t\t<p>Type</p>\n\t\t\t</th>\n\t\t</tr>\n\t</thead>\n\t<tbody>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Citrix</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE-2019-19781</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>arbitrary code execution</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Pulse</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE 2019-11510</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>arbitrary file reading</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Fortinet</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE 2018-13379</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>path traversal</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>F5- Big IP</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE 2020-5902</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>remote code execution (RCE)</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>MobileIron</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE 2020-15505</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>RCE</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Microsoft</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE-2017-11882</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>RCE</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Atlassian</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE-2019-11580</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>RCE</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Drupal</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE-2018-7600</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>RCE</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Telerik</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE 2019-18935</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>RCE</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Microsoft</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE-2019-0604</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>RCE</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Microsoft</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE-2020-0787</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>elevation of privilege</p>\n\t\t\t</td>\n\t\t</tr>\n\t\t<tr>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>Netlogon</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left;\">\n\t\t\t<p>CVE-2020-1472</p>\n\t\t\t</td>\n\t\t\t<td scope=\"col\" style=\"text-align: left; width: 296px;\">\n\t\t\t<p>elevation of privilege</p>\n\t\t\t</td>\n\t\t</tr>\n\t</tbody>\n</table>\n\n<p> </p>\n\n<p>"12}
You should see a workflow job open in a new tab. Jobs are individual instances of workflow execution and provide an audit log of all the things done by InsightConnect workflows. You can learn more about Jobs here.
If your job completes successfully, then you should see a new CISA alert in the Chat channel you specified in the workflow configuration!
What if my job failed?
If your job did not run successfully, then find the step that failed and view the error log to determine the issue. The most common reason this workflow might fail is due to a bad connection to your chat tool. Be sure your chat user is in the channel and your channel name is spelled correctly in the parameter configuration. For Teams users, check for permission-related errors in the error log. If all else fails, open a support ticket so we can help!
Workflow 2: Lookup Vulnerability from Chat
Have you ever read a vulnerability title and wondered, "What does that mean?" Have you had to describe a vulnerability to a colleague? It's not easy! The Lookup Vulnerability from Chat workflows outlined here make it quick and easy to get and share information about a vulnerability. Just use the lookup-vuln
command and enter the name or CVE ID of a vulnerability. Within seconds, your friendly neighborhood InsightConnect Chat Bot will reply with the title, severity, publish date, solution, and detailed description of the vulnerability. If multiple vulnerabilities match your search term, the bot will reply with information on each matching vulnerability. This is a quick and easy way to get more information about any vulnerability. Even better, it's a great way to help remediators better understand the risk a vulnerability presents in their environment.
Import and configure the workflow
Import the Lookup Vulnerability from Microsoft Teams / Slack workflow to get started (choose the appropriate chat tool for your environment).
- Click the Import button on the workflow page in the Extension Library.
- Proceed through the import process and select or create the following plugin configurations:
- Select or create a connection for Microsoft Teams or Slack
- Leave the other plugins configured to “Run on Cloud”.
After importing the workflow, you will find the Workflow Control Panel page, which contains some workflow statistics like the step count, plugins, and creator. Set the Time Saved value to 5 minutes (or any length of time of your choosing). This will help track automation time savings and return on investment.
Microsoft Teams users will need to configure the Team Name
and Channel Name
parameters to the channel where the workflow may be triggered from. These parameters can be changed from this Control Panel page, making it easy to update your workflow without entering the Workflow Builder. Enter the name of your team and/or channel where you would like to be able to lookup vulnerabilities and click Save
.
👉 Remember, you may want to start with a test channel and then switch this parameter to a production channel later!
Slack users may run this workflow from any channel where the Slack Bot is a member.
Don't forget to add InsightConnect to your chat channel!
For this workflow to run, InsightConnect needs to be in the channel(s) where you run the lookup-vuln
command.
- If you use Microsoft Teams, add the user associated with your Teams connection to the channel specified in your
Channel Name
parameter. - If you use Slack, then add your chatbot to the channel(s) where you would like to use this workflow.
Congratulations, your workflow is configured and ready for activation!
Activate the workflow
Use the slider at the top of the Control Panel page to switch your workflow to Active
! This means your workflow will run automatically anytime the trigger condition is met. This workflow uses a Chat (either Microsoft Teams or Slack) trigger that is set to run anytime the trigger command is mentioned. You can learn more about triggers here.
- For Microsoft Teams users: Trigger your workflow starting a new conversation in the channel specified in your workflow Channel Name parameter, followed by the
!lookup-vuln
trigger command- Your message may look like
!lookup-vuln printnightmare
or!lookup-vuln ms08-067
- Your message may look like
- For Slack users: Trigger your workflow by calling your Slack Chat Bot with the @ command, followed by the
lookup-vuln
command- Your message may look like
@Rapid7 InsightConnect lookup-vuln printnightmare
or@Rapid7 InsightConnect lookup-vuln ms08-067
- Your message may look like
Test the workflow
Once your workflow is active, you'll be able to trigger it from your Chat tool! Try running one of the above commands to get vulnerability results in Chat.
The Microsoft Teams trigger may take a minute to activate. Please be patient and remember you can always check your Jobs page in InsightConnect to see if your workflow is running!
Workflow 3: Lookup Host from Chat
How many devices are on your network? Probably more than you or your IT colleagues can keep track of. Fortunately, you have a vulnerability and asset management tool in InsightVM that records and updates all sorts of asset details with every assessment! This workflow will make the information gathered in those assessments easily accessible from Chat tools. This can help you quickly fetch details about a system by either hostname or IP address, see when it was last assessed for vulnerabilities, and check which ports and services are open and running on the system.
Import and configure the workflow
Import the Lookup Host with InsightVM from Microsoft Teams / Slack workflow to get started (choose the appropriate chat tool for your environment).
- Click the Import button on the workflow page in the Extension Library.
- Proceed through the import process and select or create the following plugin configurations:
- Select or create a connection for Microsoft Teams or Slack
- Select or create a connection for your InsightVM Console
Be sure to follow the connection configuration instructions for the VM Console Plugin! This allows InsightConnect to access detailed host information that is only available from your InsightVM console.
After importing the workflow, you will find the Workflow Control Panel page, which contains some workflow statistics like the step count, plugins, and creator. Set the Time Saved value to 5 minutes (or any length of time of your choosing). This will help track automation time savings and return on investment.
Microsoft Teams users will need to configure the Team Name
and Channel Name
parameters to the channel where the workflow may be triggered from. These parameters can be changed from this Control Panel page, making it easy to update your workflow without entering the Workflow Builder. Enter the name of your team and/or channel where you would like to be able to lookup vulnerabilities and click Save
.
👉 Remember, you may want to start with a test channel and then switch this parameter to a production channel later!
Slack users may run this workflow from any channel where the Slack Bot is a member.
Don't forget to add InsightConnect to your chat channel!
For this workflow to run, InsightConnect needs to be in the channel(s) where you run the lookup-vuln
command.
- If you use Microsoft Teams, add the user associated with your Teams connection to the channel specified in your
Channel Name
parameter. - If you use Slack, then add your chatbot to the channel(s) where you would like to use this workflow.
Congratulations, your workflow is configured and ready for activation!
Activate the workflow
Use the slider at the top of the Control Panel page to switch your workflow to Active
! This means your workflow will run automatically anytime the trigger condition is met. This workflow uses a Chat (either Microsoft Teams or Slack) trigger that is set to run anytime the trigger command is mentioned. You can learn more about triggers here.
- For Microsoft Teams users: Trigger your workflow starting a new conversation in the channel specified in your workflow Channel Name parameter, followed by the
!lookup-host
trigger command- Your message may look like
!lookup-host workstation123
or!lookup-host 10.1.2.3
- Your message may look like
- For Slack users: Trigger your workflow by calling your Slack Chat Bot with the @ command, followed by the
lookup-vuln
command- Your message may look like
@Rapid7 InsightConnect lookup-host workstation123
or@Rapid7 InsightConnect lookup-host 10.1.2.3
- Your message may look like
Test the workflow
Once your workflow is active, you'll be able to trigger it from your Chat tool! Try running one of the above commands to get vulnerability results in Chat.
The Microsoft Teams trigger may take a minute to activate. Please be patient and remember you can always check your Jobs page in InsightConnect to see if your workflow is running!
End of VM Automation Use Case 1!
That wraps up our Vulnerability Intelligence Gathering use case! If you've worked through this guide, then you now have activated automation workflows that:
- Push critical security and vulnerability alerts to a Chat channel,
- Allow users to fetch vulnerability information from Chat, and
- Allow users to fetch asset information from Chat.
Our second use case, which will feature workflows to deliver high-severity vulnerability alerts and vulnerability exception alerts in Chat, is coming soon!