Zero-Day Vulnerabilities and CVEs

On November 8, 2022, Microsoft released patches for six zero-day vulnerabilities that were being actively exploited.

Lucidum can help you quickly determine if assets in your environment are at risk from active vulnerabilities and CVEs like the six zero-day vulnerabilities from Microsoft.

How Does Lucidum Help?

Lucidum can monitor the status of all assets and users in your environment to ensure you meet the requirements for cyber insurance.

Requirement: Perform automated asset discovery to discover all assets and users in the environment

Lucidum Response:

  1. Configure Lucidum connectors for:

    • Endpoint management

    • Endpoint detection and response or endpoint protection

    • Directory services

    • DHCP

    • VPN

    • Cloud services (AWS, Azure, Google Cloud, Oracle Cloud)

  2. Query Lucidum for all assets.

  3. Query Lucidum for all users.

Requirement: Find assets that are missing vulnerability scanning

Lucidum Response:

  1. Configure one or more Lucidum connectors for vulnerability tools (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan).

  2. Query Lucidum to see all assets without vulnerability scanning.

  3. Remediate those devices.

Requirement: Find specific recent vulnerabilities across all discovered assets, including all discovered nomadic/roaming devices (e.g., mobile devices and laptops)

Lucidum Response:

  1. Configure one or more Lucidum connectors for vulnerability tools (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan).

  2. Query Lucidum to see all assets with specific vulnerabilities.

  3. Remediate these assets.

Requirement: Find all vulnerabilities across all discovered assets, including all discovered nomadic/roaming devices (e.g., mobile devices and laptops)

Lucidum Response:

  1. Configure one or more Lucidum connectors for vulnerability tools (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan).

  2. Query Lucidum for all assets where vulnerabilities exist.

  3. Query Lucidum for all assets where vulnerabilities exist and have not been mitigated. Remediate those assets.

Connectors

Connectors allow Lucidum to ingest data from your environment and discover, identify, and classify assets, data, and users.

Lucidum includes pre-built connectors for the most commonly used solutions.

Find All My Assets

To find all the assets in your network, including nomadic/roaming devices and mobile devices:

  1. To discover all assets in your environment, Lucidum recommends you configure Lucidum connectors for:

    • The Endpoint Management solutions in your environment (for example, Jamf, Intune, Citrix Endpoint Management, Symantec Endpoint Management, Hexnode)

    • The Endpoint Protection solutions in your environment (for example, Trellix Endpoint Security, Symantec Endpoint Protection, SentinelOne, CrowdStrike Falcon, Microsoft Defender for Endpoint)

    • The Mobile Device Management solutions in your environment (for example, Addigy, Citrix Endpoint, Jamf Pro, Kandji)

    • The directory solutions in your environment (for example, Azure AD, Microsoft AD, JumpCloud, PingOne, OpenLDAP)

    • The DHCP solutions in your environment (for example, Infoblox, Efficient IP, BlueCat)

    • The VPN solutions in your environment (for example, Cisco AnyConnect, FortiClient, Palo Alto VPN, Citrix Gateway, Zscaler Private Access)

    • The cloud solutions in your environment (for example, AWS, Azure, Google Cloud, Oracle Cloud)

  2. After Lucidum ingests data from these solutions, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.

  3. You can then create queries to find a list of all assets in your environment.

    • In this case, our query is as simple as “Lucidum Asset Name exists”, meaning Lucidum has found the asset.

  4. The query results display all the assets in your environment.

  5. You can easily filter and sort the query results and create dashboards.

    (Screenshot: asset_overview_os_details.png)

  6. To see new assets that have been added in the last week:

    • You can create a query “Lucidum Asset Name exists AND First Time Seen was within the past 7 days”

  7. The query results show all assets that have been seen for the first time in the last week:

    (Screenshot: assets_last_7_days.png)

Are the Assets in My Environment Protected?

To find assets that are not being scanned for vulnerabilities:

  1. In addition to the Lucidum connectors in the previous section, you must configure Lucidum connectors for:

    • All the Vulnerability Management solutions in your environment (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan)

  2. After Lucidum ingests data from these solutions, you can then create queries and dashboards that display information about vulnerabilities.

  3. To find assets without vulnerability scanning, you can write a query like:

    • Lucidum Asset Name exists AND Vuln Scan is not Yes

  4. The query results show all assets that are not being scanned for vulnerabilities:

    (Screenshot: assets_w_no_vuln_scans.png)

  5. You can then remediate by adding these assets to vulnerability scanning.

Do Specific Vulnerabilities Affect My Environment?

For our example, we are looking at the following “zero-day” vulnerabilities from Microsoft:

  • CVE-2022-41040

  • CVE-2022-41082

  • CVE-2022-41128

  • CVE-2022-41073

  • CVE-2022-41125

  • CVE-2022-41091

To determine if specific vulnerabilities affect your environment:

  1. In addition to the Lucidum connectors in the previous section, you must configure Lucidum connectors for:

    • All the Vulnerability Management solutions in your environment (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan)

  2. After Lucidum ingests data from these solutions, you can then create queries and dashboards that display information about vulnerabilities.

  3. After ensuring that all assets are scanned for vulnerabilities, you can search for assets that have specific vulnerabilities. To do this, you can write a query like:

    • For all assets, CVE list matches CVE-2022-41040 OR CVE-2022-41082 OR CVE-2022-41128 OR CVE-2022-41073 OR CVE-2022-41125 OR CVE-2022-41091

  4. The query results display assets with one or more of the vulnerabilities:

    (Screenshot: query_results.png)

  5. You can use the query results to create dashboards about the assets:

    (Screenshot: dashboard_ms_vulnerabilities.png)

  6. You can then take steps to mitigate those vulnerabilities on those assets.

Find All Vulnerabilities in My Environment

To audit the vulnerabilities on all assets in your environment and find those that remain unmitigated:

  1. In addition to the Lucidum connectors in the previous section, you must configure Lucidum connectors for:

    • All the Vulnerability Management solutions in your environment (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan)

  2. After Lucidum ingests data from these solutions, you can then create queries and dashboards that display information about vulnerabilities.

  3. After ensuring that all assets are scanned for vulnerabilities, you can search for assets that have vulnerabilities. To do this, you can write a query like:

    • For all assets, CVE list exists OR Vulnerabilities exists

  4. The query results display all assets with one or more CVEs or one or more vulnerabilities:

    (Screenshot: assets_w_vulns.png)

  5. You can also create dashboards that display information about CVEs:

    (Screenshot: info_about_cves.png)

  6. To find any assets with unmitigated vulnerabilities, you can write a query like:

    • Lucidum Asset Name exists AND CVE list exists OR Vulnerabilities exist AND Mitigated Vulns are less than 1

  7. The query results display all assets with unmitigated vulnerabilities:

    (Screenshot: unmitigated_vulns.png)

  8. You can then take steps to mitigate those vulnerabilities on those assets.
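The four queries used on this page (new assets in the last 7 days, assets without vulnerability scanning, assets matching the six Microsoft CVEs, and assets with unmitigated vulnerabilities) evaluated over a small constructed inventory, as an added Python example that is not Lucidum's code or its query language. The field names, the "mitigated vulns" count and the inventory are assumptions; the last filter writes out the intended grouping of the AND/OR query explicitly so the OR cannot widen the result.

```python
from datetime import date, timedelta

# Constructed sample inventory (not Lucidum data). Field names mirror the
# query terms used on this page and are assumptions, not Lucidum's schema.
TODAY = date(2022, 11, 15)
ZERO_DAY_CVES = {
    "CVE-2022-41040", "CVE-2022-41082", "CVE-2022-41128",
    "CVE-2022-41073", "CVE-2022-41125", "CVE-2022-41091",
}
ASSETS = [
    {"name": "exch-01", "first_seen": date(2022, 11, 1), "vuln_scan": "Yes",
     "cve_list": ["CVE-2022-41040", "CVE-2022-41082"], "vulns": 2, "mitigated_vulns": 0},
    {"name": "lap-042", "first_seen": date(2022, 11, 12), "vuln_scan": "No",
     "cve_list": [], "vulns": 0, "mitigated_vulns": 0},
    {"name": "srv-07", "first_seen": date(2022, 10, 2), "vuln_scan": "Yes",
     "cve_list": ["CVE-2022-41128"], "vulns": 1, "mitigated_vulns": 1},
    {"name": "srv-09", "first_seen": date(2022, 9, 20), "vuln_scan": "Yes",
     "cve_list": ["CVE-2022-99999"], "vulns": 1, "mitigated_vulns": 0},  # constructed placeholder ID
]

def new_in_last_days(assets, days=7, today=TODAY):
    """'Lucidum Asset Name exists AND First Time Seen was within the past 7 days'."""
    cutoff = today - timedelta(days=days)
    return [a["name"] for a in assets if a["first_seen"] >= cutoff]

def missing_vuln_scan(assets):
    """'Lucidum Asset Name exists AND Vuln Scan is not Yes'. Check coverage gaps
    first: an unscanned asset can never appear in the CVE queries below."""
    return [a["name"] for a in assets if a["vuln_scan"] != "Yes"]

def affected_by(assets, cves):
    """'CVE list matches CVE-A OR CVE-B OR ...': any overlap with the watch set."""
    return [a["name"] for a in assets if cves.intersection(a["cve_list"])]

def unmitigated(assets):
    """Intended reading of the last query: asset exists AND
    (CVE list exists OR Vulnerabilities exist) AND Mitigated Vulns < 1.
    The OR is bracketed on purpose; unbracketed 'A AND B OR C AND D' is ambiguous."""
    return [a["name"] for a in assets
            if (a["cve_list"] or a["vulns"] > 0) and a["mitigated_vulns"] < 1]

if __name__ == "__main__":
    print("new this week:", new_in_last_days(ASSETS))
    print("no vuln scan:", missing_vuln_scan(ASSETS))
    print("hit by MS zero-days:", affected_by(ASSETS, ZERO_DAY_CVES))
    print("unmitigated:", unmitigated(ASSETS))
```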