Thursday, July 26, 2012

Vulnerability Assessment versus Exploitation

The release of SWARM has prompted a few questions (on ArsTechnica, for example) that we wanted to address, in particular: what is the difference between SWARM and tools like Nessus?

One of the underlying technologies behind SWARM is Immunity's CANVAS exploitation engine. CANVAS scans and exploits small groups of hosts and then penetrates further into networks via MOSDEF, Immunity's C compiler written in Python, which compiles C to native code on the fly so that post-exploitation code runs inside the compromised process rather than being dropped to disk.

Exploitation in this case means running buffer overflows, PHP include attacks, brute force attempts, or other techniques that get the user a foothold on the remote machine to execute commands. The advantage is that once you have broken into a machine, you know for a fact that it is vulnerable: not only is it definitively unpatched, but CANVAS will have shown that any secondary protective measures (firewalls, IPS, IDS, HIPS, AV, etc.) were bypassed. The converse does not hold, of course: an exploit that fails does not prove the host is patched, only that this particular attempt did not land.

Vulnerability assessment tools (such as Nessus, OpenVAS, Qualys, etc.) take a different approach: a light, largely unauthenticated touch on each host, matched against a huge database of known vulnerabilities keyed on banner strings or protocol responses. This is extremely fast, but it generates very high numbers of false positives. A banner reports the upstream version string, not whether the vendor has backported the fix into that package, and it says nothing about whether the vulnerable code path is actually reachable through the host's firewall, IPS or AV. To supplement this, most vulnerability assessment tools offer an authenticated mode: you, as an enterprise, give them a user name and password, and they log into your machines remotely and look at installed package versions, files and registry keys directly. That removes many of the banner-based false positives, but it still does not test whether secondary protective measures such as AV or firewall rules would stop a real attack.

The balance is simple: when testing a small number of hosts, a false negative (a vulnerable host reported as clean) is the painful error, so you may find that a vulnerability assessment tool, with its broader and noisier output, gives you the most leads for your follow-on investigations. Those leads are then typically followed up with an exploitation tool like CANVAS (Immunity sells a popular bundle of CANVAS and Nessus together at a discount). Here at Immunity we call this process "Vulnerability Verification".

For testing millions of hosts, as SWARM does, any measurable false positive rate is completely unacceptable: even one percent of a million hosts is ten thousand results, and there simply isn't time for any human to post-process them to narrow down what is really vulnerable and what is not.
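As an added example (not code from this post, from Immunity, CANVAS or SWARM), the following Python models the pipeline described in the preceding paragraphs: a banner-matching check generates leads, exploitation verifies them, and the leftover false positives are counted once for a small engagement and once at SWARM scale. The banners, the `FIXED_IN` threshold, the `EXPLOIT_SUCCEEDED` outcomes and all function names are constructed for illustration and do not describe any real OpenSSH advisory; the exploit attempt itself is stood in for by a lookup table, since a real verification step needs a live target to attack.

```python
"""Lead generation by banner matching, then verification by exploitation.

Added example for this post (not Immunity's code and not part of CANVAS or
SWARM). A banner-based check flags hosts by version string, a verification
step keeps only the hosts on which an exploit attempt actually succeeded, and
a small calculation shows how the leftover false positives scale with host
count. The "fixed in 5.9" threshold, the banners and the exploit outcomes are
all made up for illustration and do not describe any real OpenSSH advisory.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample banners for four hosts (not real scan data).
BANNERS: Dict[str, str] = {
    "10.0.0.1": "SSH-2.0-OpenSSH_5.3",
    "10.0.0.2": "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7.1",
    "10.0.0.3": "SSH-2.0-OpenSSH_6.2",
    "10.0.0.4": "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1",
}

# Hypothetical detection rule: "vulnerable if upstream version < 5.9".
FIXED_IN: Tuple[int, int] = (5, 9)

# Constructed outcome of an actual exploit attempt per host, standing in for
# what an exploitation engine would report. 10.0.0.2 advertises an old
# upstream version, but its distribution package carries a backported fix, so
# the exploit fails there: a textbook banner-matching false positive.
EXPLOIT_SUCCEEDED: Dict[str, bool] = {
    "10.0.0.1": True,
    "10.0.0.2": False,
    "10.0.0.3": False,
    "10.0.0.4": False,
}

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an SSH banner; None if it is not OpenSSH."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def banner_flags_vulnerable(banner: str, fixed_in: Tuple[int, int] = FIXED_IN) -> bool:
    """The 'light touch' check: compare the advertised version to the rule.
    It cannot see vendor backports, so an old version string is always flagged."""
    version = parse_openssh_version(banner)
    return version is not None and version < fixed_in


def assess(banners: Dict[str, str]) -> Dict[str, bool]:
    """Vulnerability-assessment pass: one verdict per host, from banners only."""
    return {host: banner_flags_vulnerable(b) for host, b in banners.items()}


def verify(leads: Dict[str, bool], exploit_results: Dict[str, bool]) -> Dict[str, bool]:
    """Vulnerability verification: re-test only the flagged hosts and take the
    exploit outcome as the verdict. Unflagged hosts are never re-tested, so a
    false negative from the assessment pass stays hidden here as well."""
    return {host: exploit_results.get(host, False)
            for host, flagged in leads.items() if flagged}


def false_positives(leads: Dict[str, bool], verified: Dict[str, bool]) -> Set[str]:
    """Hosts the banner check flagged that the exploit could not confirm."""
    return {host for host, flagged in leads.items()
            if flagged and not verified.get(host, False)}


def triage_backlog(n_hosts: int, flagged_fraction: float, false_positive_rate: float) -> int:
    """Flagged-but-not-vulnerable hosts a human would have to review by hand
    if the assessment output were used without a verification step."""
    flagged = n_hosts * flagged_fraction
    return int(round(flagged * false_positive_rate))


if __name__ == "__main__":
    leads = assess(BANNERS)
    verified = verify(leads, EXPLOIT_SUCCEEDED)
    fps = false_positives(leads, verified)
    fp_rate = len(fps) / sum(leads.values())
    print("banner leads:        ", sorted(h for h, f in leads.items() if f))
    print("confirmed by exploit:", sorted(h for h, ok in verified.items() if ok))
    print("false positives:     ", sorted(fps))
    # The same false-positive rate is a couple of hosts on a small engagement
    # and a quarter of a million on a SWARM-scale run.
    for n in (10, 1_000_000):
        print(f"{n:>9} hosts -> {triage_backlog(n, 0.5, fp_rate)} false leads to triage")
```

Run it as a script to see the two scales side by side. The point of `verify` is that it only ever re-tests hosts the assessment pass already flagged, which is exactly why the post treats assessment as the lead generator and exploitation as the filter rather than the other way round.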

There are, of course, many other differences between the two kinds of technology, but we wanted to clarify at least the difference in goals. If you have any questions on SWARM, or want to see a WebEx demo, please email us at
