The title may seem bold, but it hits the nail on the head: Companies spend millions on vulnerability testing of their environments, with what success?
In the ever-evolving world of Cyber Security, organizations should always be on the lookout for the most effective methods to protect their digital assets. While vulnerability scanners were once the ultimate solution, it is increasingly apparent that these tools are no longer up to the task.
Firstly, performing a vulnerability scan based on known vulnerabilities is almost worthless.
It is assumed that an attacker can successfully exploit any vulnerability found - is that the case? NO.
Can just one vulnerability with a CVSS score of 9.8 be enough to cause massive damage and a vulnerability with a CVSS score of 5.4 not? NO.
Do traditional vulnerability scanners find "configuration problems" in an Active Directory or on a device/server? NO.
Do all of these "configuration problems" have a CVE and are therefore found in vulnerability scanners? NO.
Does a traditional vulnerability scanner connect the vulnerabilities and build an attack tree? Each individual step has its own CVE (and therefore its own CVSS score) and is shown individually - is it shown that together they can cause a disaster? NO.
What are vulnerability scanners?
After the somewhat detailed introduction, let's take a neutral look at the topic.
Vulnerability scanners are automated tools that scan networks, systems and applications for known security vulnerabilities. They sweep the IT infrastructure and identify potential vulnerabilities in those systems by matching what they see against a database of known security vulnerabilities.
These tools have played an important role in Cyber Security in the past by enabling companies to regularly check their systems for vulnerabilities. They are fast and automated, making it easier for companies to regularly scan their networks without significant manual effort.
Limitations of vulnerability scanners
Despite their usefulness, vulnerability scanners have significant limitations:
Superficial analysis: Vulnerability scanners typically only detect known vulnerabilities that are recorded in their database. They often cannot identify new or specially tailored attacks.
Lack of context assessment: Vulnerability scanners provide little to no insight into the context of the vulnerabilities they find. They do not assess how critical a vulnerability is in the specific context of an organization.
Frequent false positives: Vulnerability scanners tend to generate a lot of false positives, which can cause security teams to spend time and resources on irrelevant or incorrect threats.
No exploitation of vulnerabilities: Vulnerability scanners can identify vulnerabilities but are unable to exploit them to assess the true impact, leaving it unclear which vulnerabilities actually pose a high risk.
Predefined scope: Vulnerability scanners often work within a defined scope, meaning that unknown assets are not found or scanned. This can result in unknown parts of the infrastructure going undetected.
Limited scanning: Scanning is based solely on defined patterns of CVEs (Common Vulnerabilities and Exposures). This means that configuration vulnerabilities and in-memory attacks are not detected, and neither are unprotected stored passwords.
Lack of vulnerability correlation: Vulnerability scanners are unable to correlate different vulnerabilities with each other, meaning that two smaller vulnerabilities that together could enable a catastrophic attack may be missed.
Inadequate prioritization: Vulnerabilities are prioritized based on CVSS (Common Vulnerability Scoring System) ratings, not based on the criticality of the environment or the potential impact of an attack.
What are penetration tests (pentests)?
Penetration testing is a comprehensive security audit in which ethical hackers test a company's systems through controlled attacks. The goal is to identify and assess security vulnerabilities by attempting to actually exploit those vulnerabilities. Pentests can take a variety of forms, including:
Black Box Testing: The testers have no information about the target systems.
White Box Testing: The testers have complete information about the target systems.
Grey Box Testing: The testers have limited information about the target systems.
The Future of Cyber Security: Why Vulnerability Scanners Are Dying
Companies spend millions of dollars on the security of their environments. Is simply "replacing" a vulnerability scanner enough to increase security? Absolutely not - even a dinosaur can increase security.
However, in today's situation, where IT staff are scarce and IT security staff even scarcer, resources must be used efficiently, and so the management perspective must also change.
The twist...
If you're thinking that I'm recommending "classic" penetration testing, you're wrong.
Performing penetration tests on known vulnerabilities is almost worthless. It's safe to assume that an attacker can exploit any known vulnerability. After all, it was identified as a vulnerability for a reason! Are you interested in whether someone can exploit the hole in your systems? No, not really. You don't need proof that lateral movement is possible within your network because of this vulnerability. What you're interested in is that this vulnerability is plugged. While it's fun for penetration testers to exploit these vulnerabilities, it proves nothing and ultimately just costs money.
If you give a trained and skilled pentester as much time and resources as he or she wants, he or she will deliver a perfect performance - but hardly any company can afford this today. Planned pentests always have a certain scope and time frame. An apt comparison would be a pentester standing in front of three doors: one door is welded shut, one is locked and one has only slammed shut. Of course, the pentester will first choose the door that has only slammed shut. Whether there is anything valuable behind the welded door remains unclear afterwards, even assuming the pentester is trained enough to get through it. This situation shows that even with pentests, not all possible vulnerabilities can be discovered if the scope and time are limited. The focus is often on the obvious and easily accessible vulnerabilities, while deeper, more complex problems may remain undiscovered. Whether a pentester has this skill and time often remains hidden from the company.
What advantages do we need over a vulnerability scanner?
In-depth analysis: The ability to identify both known vulnerabilities (those with a CVE) and unknown ones, and to deliver accurate results through inspection and controlled exploitation of the vulnerabilities found.
Realistic testing: Reviewing real attack vectors and assessing the true impact of vulnerabilities. This gives the security team a clearer picture of what a real attack might look like and the damage it would cause.
Contextual results: Considering the specific context of an organization and prioritizing vulnerabilities based on actual risk. This helps to use resources more efficiently and focus on the most critical threats.
Comprehensible reports and recommendations: Detailed reports that not only list the vulnerabilities found, but also provide concrete recommendations for remediation. This is particularly valuable for the long-term improvement of the security landscape.
Unknown asset detection: Identifying and reviewing unknown assets, leading to a more comprehensive security assessment.
Comprehensive testing: Broader scope than just known CVEs - configuration errors and human errors must also be included.
Vulnerability correlation: Pentesters are able to correlate different vulnerabilities and identify potential attack chains that would otherwise go undetected.
Risk-based prioritization: Prioritization is based on the criticality of the environment and the potential impact of an attack, not just static assessments.
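The two points above on vulnerability correlation and risk-based prioritization (and the matching limitations listed earlier: no correlation, prioritization by CVSS alone) in working form, as an added example that is not part of the original article: a small Python script links individual findings into attack chains and ranks them by the criticality of the asset a chain reaches, so that two CVE-less configuration issues behind a medium CVE outrank a critical CVE on an isolated kiosk. All finding ids, hosts, scores and criticality weights are constructed for illustration.

```python
# Added example (not from the article): correlate findings into attack chains and rank
# them by the asset reached, not by CVSS. Findings, hosts and weights are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    fid: str
    host: str
    cvss: float          # score a scanner would report; 0.0 = no CVE, so never listed
    requires: frozenset  # positions an attacker must already hold to use this finding
    grants: frozenset    # positions the finding hands to the attacker

FINDINGS = [
    Finding("F1", "web01", 5.4, frozenset(), frozenset({"shell@web01"})),
    Finding("F2", "web01", 0.0, frozenset({"shell@web01"}), frozenset({"cred:svc_backup"})),  # no CVE
    Finding("F3", "dc01", 0.0, frozenset({"cred:svc_backup"}), frozenset({"admin@dc01"})),    # no CVE
    Finding("F4", "kiosk07", 9.8, frozenset(), frozenset({"shell@kiosk07"})),
]
CRITICALITY = {"web01": 0.5, "dc01": 1.0, "kiosk07": 0.1}  # owner-assigned (constructed)

def find_chains(findings):
    """Enumerate maximal chains: the first step needs no prior access, every later
    step must consume something an earlier step granted, each finding is used once."""
    chains = []
    def walk(held, chain):
        extended = False
        for f in findings:
            usable = (not f.requires) if not chain else (f.requires and f.requires <= held)
            if f in chain or not usable or f.grants <= held:
                continue
            extended = True
            walk(held | f.grants, chain + [f])
        if chain and not extended:
            chains.append(chain)
    walk(frozenset(), [])
    return chains

def chain_risk(chain):
    return 10.0 * max(CRITICALITY[f.host] for f in chain)  # 10 x most valuable host reached

def rankings(findings):
    """Return (by_cvss, by_chain_risk) id orderings; the latter uses the riskiest chain joined."""
    best = {f.fid: 0.0 for f in findings}
    for chain in find_chains(findings):
        for f in chain:
            best[f.fid] = max(best[f.fid], chain_risk(chain))
    by_cvss = [f.fid for f in sorted(findings, key=lambda f: -f.cvss)]
    by_chain = [f.fid for f in sorted(findings, key=lambda f: (-best[f.fid], -f.cvss))]
    return by_cvss, by_chain
```

With the sample data, CVSS ordering puts the kiosk CVE (F4) first, while chain-risk ordering puts the web server entry point (F1) and the two CVE-less configuration issues ahead of it, because together they reach the domain controller.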
Technological developments such as artificial intelligence and machine learning will play an even greater role in cybersecurity in the future. Pentests that integrate these technologies offer companies the opportunity to respond proactively and efficiently to new threats. In addition, the importance of human expertise in cybersecurity will continue to grow, as automated tools alone are unable to fully capture and assess the complexity of modern attacks.
Conclusion
Vulnerability scanners have their place in cybersecurity history, but their time is up. The challenges of the modern threat landscape require deeper and more comprehensive security assessments that can only be achieved through penetration testing. Companies that want to effectively protect their digital assets should turn to pentesting and move beyond the limitations of vulnerability scanners.
Investing in pentesting is not only a response to current threats, but also a proactive measure to ensure a company's long-term security and resilience. In a world where cyberattacks are becoming increasingly sophisticated, it is crucial to stay one step ahead - and the best way to do that is with modern pentesting.