Vulnerability Scanning
Vulnerability Scanning [T1595.002]
Last updated
Vulnerability Scanning [T1595.002]
Last updated
Name: Vulnerability Scanning
ID: T1595.002
Tactics:
Technique:
Vulnerability Scanning (T1595.002) is a sub-technique within the MITRE ATT&CK framework under the Reconnaissance tactic. Attackers utilize vulnerability scanning to systematically identify weaknesses or vulnerabilities in target systems, networks, or applications. These scans typically involve automated tools that probe for known vulnerabilities, misconfigurations, outdated software versions, or weak security controls. The goal is to gather actionable intelligence that attackers can exploit in subsequent stages of an attack campaign.
Attackers perform vulnerability scanning by systematically probing target infrastructure using automated scanning tools and scripts. These tools typically rely on large, frequently updated vulnerability databases to identify known weaknesses. Common execution methods and mechanisms include:
Port Scanning: Attackers scan open ports to determine which services are running and potentially vulnerable.
Service Identification and Fingerprinting: Identifying specific software versions and configurations to match against known vulnerabilities.
Automated Vulnerability Scanners: Utilizing tools such as Nessus, OpenVAS, Qualys, Nikto, and Nmap scripts to automate the detection of vulnerabilities.
Web Application Scanners: Scanning web applications to detect vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure configurations.
Credentialed and Non-Credentialed Scanning: Attackers might perform authenticated scans (credentialed) to gain deeper insight into internal vulnerabilities, or unauthenticated scans (non-credentialed) to quickly identify externally facing weaknesses.
Cloud Infrastructure Scanning: Targeting cloud environments and APIs to identify misconfigurations, weak permissions, or vulnerable cloud services.
Real-world procedures typically involve:
Initial enumeration of target assets (IP ranges, domains, cloud endpoints).
Selection of appropriate scanning tools and scripts based on target technology stack.
Execution of automated scans to identify vulnerabilities and weaknesses.
Analysis and prioritization of identified vulnerabilities for potential exploitation.
Vulnerability scanning typically occurs in the early reconnaissance stages of an attack. Attackers utilize this technique to:
Perform initial reconnaissance and enumeration of potential entry points.
Identify security weaknesses to exploit during initial access attempts.
Gather intelligence to facilitate privilege escalation and lateral movement.
Continuously scan compromised networks to discover additional vulnerable systems.
Validate potential targets before launching more sophisticated attacks.
Conduct regular scans to monitor vulnerability remediation status or detect newly introduced vulnerabilities.
Attack scenarios include:
Pre-attack reconnaissance by advanced persistent threats (APTs).
Opportunistic scanning performed by cybercriminals targeting publicly exposed services.
Internal scanning after initial compromise to identify further lateral movement opportunities.
Continuous vulnerability scanning in long-term campaigns to maintain persistent access.
Detection of vulnerability scanning activities typically involves monitoring network traffic, analyzing logs, and deploying specialized security tools. Common detection methods and tools include:
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Detecting port scans, unusual traffic patterns, or known vulnerability scanning signatures.
Network Traffic Analysis: Monitoring network flow data to identify anomalous scanning activity.
Log Analysis and SIEM Tools: Analyzing logs from firewalls, web servers, and application servers to detect suspicious scanning behaviors.
Endpoint Detection and Response (EDR) Solutions: Monitoring endpoint activities for scanning processes and suspicious enumeration scripts.
Honeypots and Honeynets: Deploying decoy systems to detect scanning attempts and gather attacker intelligence.
Specific Indicators of Compromise (IoCs):
Sudden increase in network traffic directed at specific ports or services.
High volume of failed authentication attempts across multiple systems.
Logs indicating repeated, systematic requests for known vulnerable URLs or endpoints.
User agents or request headers associated with known scanning tools (e.g., Nmap, Nikto).
Detection of traffic originating from known malicious IP addresses or scanning services.
Early detection of vulnerability scanning is crucial due to its role as a precursor to more damaging attack phases. Importance and potential impacts include:
Early Warning of Attacks: Identifying scanning activity allows organizations to proactively mitigate vulnerabilities before exploitation occurs.
Preventing Initial Access: Early detection and response can prevent attackers from gaining initial access to systems and networks.
Reducing Attack Surface: Identifying and mitigating vulnerabilities reduces the organization's overall attack surface.
Protecting Sensitive Data: Preventing exploitation of vulnerabilities helps protect sensitive data from unauthorized access and compromise.
Maintaining Operational Continuity: Early detection and remediation prevent disruptions to business operations caused by successful attacks.
Compliance and Regulatory Requirements: Detection and management of vulnerabilities are often mandated by regulatory frameworks, making timely detection essential for compliance.
Real-world examples highlighting vulnerability scanning include:
WannaCry Ransomware (2017):
Attackers utilized automated scanning tools to identify vulnerable SMB services (MS17-010 vulnerability).
Rapid scanning and exploitation led to large-scale ransomware infections impacting thousands of organizations globally.
Tools used: EternalBlue exploit scanner, Nmap scripts.
Impact: Massive operational disruption, data loss, and financial damage worldwide.
Equifax Data Breach (2017):
Attackers performed vulnerability scanning to detect unpatched Apache Struts web application frameworks.
Identified CVE-2017-5638 vulnerability and subsequently exploited it to gain initial access.
Tools used: Web vulnerability scanners, custom enumeration scripts.
Impact: Exposure of sensitive personal information of approximately 147 million individuals, resulting in significant financial and reputational damage.
Mirai Botnet (2016):
Automated scanning of IoT devices to identify default credentials and vulnerable firmware versions.
Tools used: Custom-built scanning modules integrated into Mirai malware.
Impact: Massive DDoS attacks causing disruptions to major internet service providers and websites.
Operation Cloud Hopper (APT10, 2016–2018):
Attackers conducted extensive vulnerability scanning to identify weakly secured cloud infrastructure and managed service providers (MSPs).
Tools used: Commercial and open-source vulnerability scanners, custom scripts.
Impact: Long-term espionage campaign compromising intellectual property and sensitive data from multiple global organizations.
These examples illustrate the critical role vulnerability scanning plays in facilitating large-scale cyberattacks and emphasize the importance of proactive detection and mitigation strategies.