Axonius
How to Find Cloud Instances Not Being Scanned for Vulnerabilities

Discovering Cloud Instances Not Being Scanned for Vulnerabilities

Today’s assessment tools do an exceptional job of recognizing known vulnerabilities. However, because cloud workloads are elastic and ephemeral, and because DevOps practices spin them up and down constantly, instances are created and destroyed without security tools ever being aware of their existence. As a result, tools like VA Scanners are often never told about new instances to scan, and those instances remain exposed to known vulnerabilities.

Challenges Of Finding Cloud Instances Not Being Scanned For Vulnerabilities

VA Scanners only know to scan IPs they have been given to scan, and the dynamic nature of the cloud makes it impossible for these tools to anticipate new IPs. Simply specifying an IP range will not work.

Security Implications Of Finding Cloud Instances Not Being Scanned For Vulnerabilities

Much like Devices Not Being Scanned For Vulnerabilities, cloud instances not being scanned are at risk of being exploited. Furthermore, publicly accessible cloud instances not being scanned add another layer of risk. A simple Google search shows just how often breaches occur due to publicly accessible cloud instances.

Data Sources Required To Find Cloud Instances Not Being Scanned For Vulnerabilities

To find cloud instances not being scanned by VA tools, the following data sources are needed:

  • Vulnerability scanner console — Connecting to the admin console of the vulnerability scanner allows you to see all cloud instances that are known and being scanned.
  • Cloud Infrastructure — Connecting to the cloud infrastructure admin console allows you to see all instances in the environment.

The delta between the instances known to the cloud infrastructure and those known to the VA Scanner yields the instances not being scanned.

Discovering Cloud Instances Not Being Scanned For Vulnerabilities With Axonius

To identify cloud instances not being scanned for vulnerabilities with Axonius, you can build simple queries ranging from the broadest possible scenario to the most detailed.

First, let’s take a look at the most basic query: finding AWS instances not being scanned for vulnerabilities. (Note: AWS is just one of several popular cloud providers we support and is used in the following examples.)

(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.qualys_scans_adapter.id == ({"$exists":true,"$ne":""}))

This query can also be represented in the Axonius Query Wizard as:

This query finds Amazon instances that are not known to the Qualys scanner adapter; replacing the Qualys clause with the adapter_properties == "Vulnerability_Assessment" clause used in the queries below generalizes it to any tool categorized as a Vulnerability Assessment Tool. Here’s an example of the results:

In larger enterprises, the result set may be very large. To cull the list and prioritize the most urgent instances needing attention, let’s take a look at how to find just those AWS instances not being scanned that also have a public IP address.

(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and (adapters_data.aws_adapter.public_ips == ({"$exists":true,"$ne":""})) and not specific_data.data.adapter_properties == "Vulnerability_Assessment"

This query can also be represented in the Axonius Query Wizard as:

Here is an example of the returned results:

We can also filter the results further to show only AWS instances that have known Common Vulnerabilities and Exposures (CVE®) and are not being scanned for vulnerabilities.

(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and (specific_data.data.software_cves.cve_id == ({"$exists":true,"$ne":""}))

This query can also be represented in the Axonius Query Wizard as:

This query returns the following result:

With the following known vulnerabilities:

We could also choose to show only those instances that have a CVE severity of “Critical” by changing the query to:

(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and (specific_data.data.software_cves.cve_id == ({"$exists":true,"$ne":""})) and specific_data.data.software_cves.cve_severity == "CRITICAL"

This query can also be represented in the Axonius Query Wizard as:

This query returns the following result:

With the following known vulnerabilities severity:
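The same delta-and-narrow logic the four queries above express, as an added example that is not Axonius code: it joins a constructed cloud inventory against a constructed scanner asset list by IP, then narrows the unscanned set to public instances, to instances with known CVEs, and finally to Critical CVEs. All instance IDs, addresses and CVE IDs are hypothetical sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CloudInstance:
    instance_id: str
    private_ip: str
    public_ip: Optional[str] = None                  # None when no public address is attached
    cves: Dict[str, str] = field(default_factory=dict)  # cve_id -> severity, as reported by an agent


# Constructed sample inventory as it would come from the cloud provider's API (hypothetical).
CLOUD_INVENTORY: List[CloudInstance] = [
    CloudInstance("i-0a1", "10.0.1.10"),
    CloudInstance("i-0b2", "10.0.1.11", "203.0.113.20", {"CVE-0000-0001": "CRITICAL"}),
    CloudInstance("i-0c3", "10.0.1.12", "203.0.113.21", {"CVE-0000-0002": "HIGH"}),
    CloudInstance("i-0d4", "10.0.1.13", "203.0.113.22"),
    CloudInstance("i-0e5", "10.0.1.14"),
]

# Constructed sample of the hosts the VA scanner console reports as in scope, keyed by IP.
SCANNER_ASSETS: Set[str] = {"10.0.1.10", "203.0.113.22"}


def unscanned(instances: List[CloudInstance], scanner_ips: Set[str]) -> List[CloudInstance]:
    """Query 1: the delta. An instance is unscanned when none of its addresses
    appears in the scanner's asset list (a None public_ip never matches)."""
    return [i for i in instances if not ({i.private_ip, i.public_ip} & scanner_ips)]


def public_unscanned(instances: List[CloudInstance], scanner_ips: Set[str]) -> List[CloudInstance]:
    """Query 2: unscanned instances that also carry a public IP."""
    return [i for i in unscanned(instances, scanner_ips) if i.public_ip]


def unscanned_with_cves(instances: List[CloudInstance], scanner_ips: Set[str],
                        severity: Optional[str] = None) -> List[CloudInstance]:
    """Queries 3 and 4: unscanned instances with known CVEs, optionally only those
    having at least one CVE of the given severity (e.g. "CRITICAL")."""
    return [i for i in unscanned(instances, scanner_ips)
            if i.cves and (severity is None or severity in i.cves.values())]


if __name__ == "__main__":
    ids = lambda rows: [r.instance_id for r in rows]
    print("unscanned:", ids(unscanned(CLOUD_INVENTORY, SCANNER_ASSETS)))
    print("public + unscanned:", ids(public_unscanned(CLOUD_INVENTORY, SCANNER_ASSETS)))
    print("critical CVE + unscanned:",
          ids(unscanned_with_cves(CLOUD_INVENTORY, SCANNER_ASSETS, "CRITICAL")))
```

Matching on IP alone is the weak point the article describes: an instance whose address was recycled after a scan can look covered, so joining on instance ID or agent UUID where the scanner exposes one is more reliable.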

Taking Action On Cloud Instances Not Being Scanned For Vulnerabilities

The Axonius Security Policy Enforcement Center allows customers to determine which automated action to execute when a cloud instance is found that is not being scanned.

Highlighted actions include:

  • Add Device to VA Scan — Add the cloud instance to the next scheduled vulnerability assessment scan
  • Enrich Device or User Data — Enrich data with Shodan, Censys, or Portnox to show what is publicly known
  • Notify — Let someone know about the unscanned cloud instance via email, Slack, Syslog, or by CSV
  • Create an Incident — Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk

Learn More About Discovering Cloud Instances Not Being Scanned for Vulnerabilities

With that said, we’ve created a video that outlines Discovering Cloud Instances not Being Scanned for Vulnerabilities here:

And as always, if you’d like to see a custom demo to better understand how Axonius can help your organization solve the asset management challenge, request a demo here.
