What Is Vulnerability Scanning?
Vulnerability scanning supports risk-based cybersecurity by proactively identifying security issues and potential vulnerabilities in IT systems and software. A key part of a vulnerability management program, vulnerability scans can be used across an organization’s extended attack surface to detect security weaknesses. Security teams use vulnerability scanning tools to find known vulnerabilities inside an organization and those associated with a connected third party, such as partners or customers with access to sensitive data.
Automated tools scan for known vulnerabilities, misconfigurations, and outdated software versions, providing a snapshot of an organization's security posture and highlighting areas that need immediate attention.
Regular scans are crucial as they help identify potential entry points for cyberattackers, allowing organizations to address issues before they escalate into serious breaches.
Vulnerability Scanning Explained
Vulnerability scanning is a component of vulnerability management and serves as the primary method for identifying and cataloging security weaknesses across an organization's digital infrastructure. Using automated tools, it systematically probes systems, networks, and applications to uncover potential vulnerabilities before malicious actors can exploit them.
What Is a Security Vulnerability?
According to Microsoft and MITRE, a vulnerability is “a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, OR availability.” In other words, vulnerabilities can exist in source code, system configurations, or trust relationships between components.
Common Cloud Security Vulnerabilities
- Misconfigurations: Errors in security settings of cloud resources, often due to administrative oversights or lack of awareness.
- Poor access control: Insufficient identity and credential management, including weak passwords and overprivileged accounts.
- Insecure APIs: Weaknesses in cloud service interfaces that can expose sensitive data or enable unauthorized access.
- Inadequate data sanitization: Neglecting to validate input can allow malformed data submitted to an application, as in a SQL injection or buffer overflow attack, to go undetected.
- Lack of visibility: Limited oversight of cloud environments, making it difficult to detect vulnerabilities across complex infrastructures.
- Zero-day vulnerability: An attacker-discovered vulnerability exploited before a patch is available (e.g., Log4j).
- Unpatched systems: Failure to keep cloud infrastructure components and software up to date.
- Shared technology vulnerabilities: Issues arising from the multitenant nature of cloud environments.
- Insufficient encryption: Inadequate protection of data at rest or in transit.
- Inadequate logging and monitoring: Lack of comprehensive activity tracking and alert systems.
- Unsecured storage: Improperly configured storage resources like open S3 buckets.
- Shadow IT: Use of unauthorized cloud services by employees introducing unknown security risks.
Role of Vulnerability Scanning in Vulnerability Management
With regular vulnerability scans, organizations can maintain an up-to-date inventory of their assets and associated vulnerabilities, enabling them to prioritize remediation efforts effectively. Proper vulnerability management allows security teams to address weaknesses before they can be exploited, fortifying the security posture of the organization. To this end, vulnerability scanning provides the data to make informed decisions in the context of vulnerability management.
Addressing vulnerabilities promptly helps prevent data theft, financial loss, and damage to an organization's reputation.
How Vulnerability Scanning Works
Vulnerability scanning technology identifies security weaknesses through a multistep process that includes discovery, enumeration, and detection.
Traditional IT Environments
In traditional IT environments, the scanner begins with network reconnaissance to discover active devices within the defined scope. Techniques such as ping sweeps and port scans help identify live hosts and open ports. Once the scanner identifies active devices, it collects detailed information about operating systems, installed software, running services, and configuration settings using protocols like SNMP, SSH, and WMI.
During the detection phase, the scanner cross-references the collected information against a database of known vulnerabilities. It checks for potential security weaknesses, such as missing patches, outdated software versions, and misconfigurations. For example, the scanner might look for default or weak passwords, open ports that should be closed, or services running with known vulnerabilities. Specific tests for common vulnerabilities, such as SQL injection or cross-site scripting (XSS), are also performed.
Cloud Environments
In cloud environments, the scanning process adapts to the unique characteristics of virtualized infrastructure and dynamic resource allocation. The scanner uses API calls to cloud service providers and network scans to discover active cloud instances, containers, and services. Cloud-native tools and integrations facilitate this discovery process.
Once the scanner identifies active resources, it collects information about operating systems, installed software, running services, and configuration settings. The scanner leverages APIs provided by cloud service providers (such as AWS, Azure, and Google Cloud) to gather this data.
Agentless scanning in cloud environments involves the scanner communicating directly with cloud resources over the network and through cloud provider APIs. This method avoids deploying software agents on the target systems, making it suitable for dynamic cloud environments. In contrast, agent-based scanning involves installing lightweight agents on cloud instances or containers. These agents gather detailed information about the system's configuration, software, and security settings, reporting back to the central scanning server or cloud management console.
Detection Phase
During the detection phase in both traditional and cloud environments, the scanner cross-references the collected information against a database of known vulnerabilities. It performs various checks to identify potential security weaknesses, such as missing patches, outdated software versions, and misconfigurations. The scanner might check for default or weak passwords, open ports that should be closed, or services running with known vulnerabilities. It may also execute specific tests designed to exploit common weaknesses, such as SQL injection or XSS vulnerabilities in web applications.
The vulnerability database, which the scanner relies on, is continuously updated with the latest threat intelligence. This database contains information about known vulnerabilities, including their characteristics, potential impacts, and remediation steps. By comparing the cloud resource attributes against this database, the scanner can accurately identify security weaknesses.
The scanner assigns severity scores to identified vulnerabilities, often using the Common Vulnerability Scoring System (CVSS). These scores help prioritize issues based on their potential impact and the likelihood of exploitation. Higher severity scores indicate more critical vulnerabilities that require immediate attention.
Evaluation of Risk
Vulnerability scanners assess the risk level of identified vulnerabilities by analyzing their potential impact and exploitability. They then prioritize risk based on business criticality and context or the existence of attack paths (vulnerabilities and risks linked in a manner that increases their criticality), as well as on standardized frameworks such as the Common Vulnerability Scoring System (CVSS).
Like the CVSS, vulnerability prioritization generally involves categories that range from low to critical based on ease of exploitation and damage potential. Critical vulnerabilities, which could allow attackers to gain control over affected systems, require immediate remediation. Risk evaluation enables organizations to allocate resources effectively.
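The detection and risk-evaluation steps described above, as an added example that is not part of the original page or any scanner product: a constructed software inventory (what the enumeration phase collects) is cross-referenced against a constructed vulnerability database, each match is given its CVSS v3.1 qualitative severity band, and findings are ordered by CVSS score weighted with asset criticality. All product names, versions, IDs and scores are made up for illustration.

```python
"""Toy detection-phase correlation: inventory x vulnerability database -> prioritized findings."""


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.
    Assumes purely numeric dotted versions; real scanners need per-vendor parsers."""
    return tuple(int(part) for part in v.split("."))


def cvss_band(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale (None/Low/Medium/High/Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed vulnerability database. Each entry names the affected product,
# the first affected version (inclusive) and the fixed-in version (exclusive).
VULN_DB = [
    {"id": "VULN-EXAMPLE-1", "product": "log-lib", "affected_from": "2.0.0", "fixed_in": "2.15.0", "cvss": 9.8},
    {"id": "VULN-EXAMPLE-2", "product": "webproxy", "affected_from": "1.0.0", "fixed_in": "1.4.2", "cvss": 5.3},
    {"id": "VULN-EXAMPLE-3", "product": "dbserver", "affected_from": "10.0", "fixed_in": "10.7", "cvss": 7.5},
]

# Constructed inventory as the enumeration phase would report it.
# 'criticality' (1 = lab box, 5 = crown jewel) stands in for business context.
INVENTORY = [
    {"host": "app-01", "product": "log-lib", "version": "2.14.1", "criticality": 3},
    {"host": "app-01", "product": "webproxy", "version": "1.4.2", "criticality": 3},  # already fixed
    {"host": "db-01", "product": "dbserver", "version": "10.3", "criticality": 5},
    {"host": "lab-07", "product": "webproxy", "version": "1.2.0", "criticality": 1},
]


def is_affected(version: str, entry: dict) -> bool:
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(entry["affected_from"]) <= v < parse_version(entry["fixed_in"])


def detect(inventory: list, vuln_db: list) -> list:
    """Cross-reference inventory against the database; return findings ordered by
    CVSS score weighted with asset criticality, highest priority first."""
    findings = []
    for item in inventory:
        for entry in vuln_db:
            if entry["product"] == item["product"] and is_affected(item["version"], entry):
                findings.append({
                    "host": item["host"],
                    "vuln_id": entry["id"],
                    "cvss": entry["cvss"],
                    "severity": cvss_band(entry["cvss"]),
                    "priority": round(entry["cvss"] * item["criticality"], 1),
                })
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in detect(INVENTORY, VULN_DB):
        print(f"{f['host']:8} {f['vuln_id']:16} CVSS {f['cvss']:4} {f['severity']:8} priority {f['priority']}")
```

Note that the High-rated database flaw on the business-critical host outranks the Critical-rated library flaw on a less critical one, which is the effect of adding business context to a pure CVSS ranking.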
Reporting and Analysis
Throughout the scanning process, the scanner logs all findings. It then generates a detailed report that includes a list of identified vulnerabilities, their severity scores, and recommended remediation actions. Security teams use the report to understand the organization's security posture and to take corrective actions.
Analysts review the scan results to ensure accuracy. They filter out false positives, where the scanner incorrectly flags a nonexistent issue, and verify that identified vulnerabilities are genuine threats.
In this systematic, multistep approach, vulnerability scanning technology effectively identifies vulnerabilities across the organization's digital infrastructure.
Types of Vulnerability Scanning
Vulnerability scans can be categorized by their targets and methodologies; each type serves a distinct purpose and addresses different aspects of an organization's IT security.
Network Vulnerability Scans
Network vulnerability scans focus on identifying vulnerabilities in an organization's network infrastructure. They check for open ports, misconfigurations, and potential entry points that attackers could target. Network scans essentially diagnose the security posture of network devices such as routers, switches, and firewalls.
Use Cases
- Regular Security Audits: Organizations perform network vulnerability scans periodically to ensure their network infrastructure remains secure against new threats and vulnerabilities.
- Post-Deployment Checks: After deploying new network devices or configurations, IT teams use network scans to verify that no security issues have been introduced.
- Compliance Requirements: Companies needing to comply with standards such as PCI DSS or HIPAA use network scans to demonstrate adherence to required security controls.
Host-Based Vulnerability Scans
Host-based vulnerability scans target individual systems or devices within a network. By examining servers, workstations, and other endpoints, host-based scans look for missing patches, outdated software, and configuration issues. Host-based scans help to ensure that each device complies with security policies and is protected against known threats.
Use Cases
- Patch Management: IT departments use host-based scans to identify systems that need software updates or patches, ensuring all endpoints are protected against known vulnerabilities.
- Configuration Audits: Organizations verify that system configurations align with security policies and best practices, minimizing the risk of misconfigurations.
- Incident Response: During a security incident, host-based scans help identify compromised systems and vulnerabilities that may have been exploited.
Application Vulnerability Scans
Application vulnerability scans scrutinize the security of web applications and software, identifying flaws that open doors to SQL injection, XSS, and insecure authentication mechanisms. Developers and IT teams should conduct application scans before and after application deployment.
Use Cases
- Development Lifecycle: Developers integrate application vulnerability scans into the software development lifecycle (SDLC) to identify and fix security issues during development.
- Predeployment Testing: Before launching new web applications, organizations conduct application scans, such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA), to ensure applications are free from critical vulnerabilities.
- Continuous Monitoring: Application scans run continuously on deployed applications to detect new vulnerabilities and ensure ongoing security.
Database Vulnerability Scans
Database vulnerability scans aim at discovering security weaknesses in database systems. These scans check for misconfigurations, weak passwords, and unpatched vulnerabilities in database management systems. Protecting databases is essential, as they often store sensitive and critical information.
Use Cases
- Data Protection: Organizations scan their databases to identify and address vulnerabilities that could lead to data breaches or unauthorized access to sensitive information.
- Compliance Audits: Organizations subject to PCI DSS, HIPAA, GDPR, and other regulations use database scans to ensure their databases meet security and compliance requirements.
- Performance Tuning: Database administrators use scans to identify and resolve misconfigurations that could impact database performance and security.
Credentialed Scans
Credentialed scans involve using valid login credentials to perform a more in-depth analysis of the target system. By accessing the system with legitimate credentials, these scans can provide a comprehensive view of the security state, uncovering issues that might not be visible in noncredentialed scans.
Use Cases
- Comprehensive Security Assessments: IT teams use credentialed scans to gain a deep understanding of the security posture of their systems, including configuration settings and installed software.
- Insider Threat Detection: By using legitimate credentials, organizations can identify vulnerabilities that could be exploited by malicious insiders or compromised accounts.
- Policy Enforcement: Credentialed scans help ensure systems comply with internal security policies and standards.
Noncredentialed Scans
Noncredentialed scans, on the other hand, don’t use any login credentials and perform the scan from an external perspective. These scans simulate an attacker with no prior access to the system and are useful for identifying perimeter vulnerabilities.
Use Cases
- External Threat Simulation: Security teams simulate external attacks to identify vulnerabilities that could be exploited by attackers without prior access to the system.
- Perimeter Security Assessment: Organizations use noncredentialed scans to evaluate the security of their network perimeter and identify potential entry points for cyberthreats.
- Initial Reconnaissance: Noncredentialed scans provide an initial assessment of the organization's security posture before conducting more in-depth analyses.
Internal Vulnerability Scans
Internal vulnerability scans are conducted within the organization's internal network. These scans help identify vulnerabilities that could be exploited by internal threats or compromised devices. They provide a realistic view of the risks present inside the network perimeter.
Use Cases
- Insider Threat Mitigation: Internal scans help identify vulnerabilities that could be exploited by employees or compromised devices within the network.
- Network Segmentation Verification: Organizations use internal scans to ensure that network segmentation controls are effective in limiting the spread of potential attacks.
- Routine Security Maintenance: IT teams perform regular internal scans to maintain a secure internal environment, addressing vulnerabilities before they can be exploited.
External Vulnerability Scans
External vulnerability scans are performed from outside the organization’s network, simulating an attack from an external source. They may focus on the outward-facing systems and services, such as web servers and email servers, to identify vulnerabilities that could be exploited over the internet.
Use Cases
- Internet-Facing Asset Protection: Companies scan their external-facing systems to identify and mitigate vulnerabilities accessible from the internet.
- Third-Party Risk Assessment: Organizations assess the security of third-party services and partners by conducting external scans on their exposed systems.
- Regulatory Compliance: External scans help organizations meet compliance requirements by demonstrating the security of their internet-facing assets.
Vulnerability Scanning Vs. Penetration Testing
While automated vulnerability scans are designed to detect issues such as missing patches, misconfigurations, and outdated software, penetration testing involves a combination of automated tools and manual techniques to simulate an attacker's actions. In other words, ethical hackers simulate a real-world attack to identify security gaps and potential entry points, complex issues an automated scan might miss.
| | Vulnerability Scans | Penetration Testing |
|---|---|---|
| Goal | Identify known vulnerabilities within a system, network, or application. | Determine the real-world impact of vulnerabilities by actively exploiting them. |
| Scope and Depth | These scans provide a broad overview of potential vulnerabilities across a wide range of assets. They’re comprehensive but generally don’t delve deeply into the exploitation of each vulnerability. | Penetration tests focus on depth rather than breadth, thoroughly investigating specific vulnerabilities to assess their exploitability and potential damage. This often includes attempting to gain unauthorized access, escalate privileges, or exfiltrate data. |
| Automation Vs. Manual Effort | Mostly automated processes that use predefined databases of known vulnerabilities. They require minimal human intervention and can be scheduled to run regularly. | Involves manual effort by skilled security professionals (ethical hackers). It combines automated tools with human ingenuity to uncover complex vulnerabilities that automated scans might miss. |
| Frequency | Conducted regularly, such as weekly, monthly, or quarterly, to ensure ongoing identification of new vulnerabilities. | Usually performed less frequently, such as annually or biannually, or after significant changes to the system or network, to provide a point-in-time assessment of security posture. |
| Outcome | Generate detailed reports listing detected vulnerabilities, their severity ratings, and general remediation recommendations. These reports help prioritize which issues need attention. | Produce reports that include identified vulnerabilities and the methods to exploit them, the impact of successful exploitation, and detailed remediation steps. These insights are valuable for understanding real-world risks and improving defensive strategies. |
| Expertise Required | Can be operated by IT staff with a basic understanding of security, as the tools are user-friendly and automated. | Requires expertise from experienced security professionals with deep knowledge of attack techniques, system internals, and the latest threat landscape. |
| Regulatory and Compliance | Often mandated by regulatory frameworks and industry standards to ensure continuous monitoring and management of vulnerabilities. | May be required by regulations but typically serves as a more rigorous form of security assessment. |
Vulnerability Management Best Practices
Vulnerability scanning, though automated, isn’t without challenges. Security teams need to manage false positives, ensure coverage of all assets, and keep pace with emerging threats. Best practices designed to maximize the effectiveness and accuracy of vulnerability assessments go a long way toward preempting these complications. Consider adopting the following practices:
- Regularly schedule scans to maintain continuous monitoring of systems and networks.
- Use both authenticated and unauthenticated scans to gain a comprehensive view of vulnerabilities.
- Prioritize the scanning of all critical assets and systems to ensure the most significant risks are identified and addressed promptly.
- Use a risk-based approach to prioritize remediation efforts based on the severity and potential impact of identified vulnerabilities.
- Maintain an updated vulnerability database to ensure scans detect the latest threats.
- Integrate vulnerability scanning into the development lifecycle to identify and address security issues early in the software development process.
- Document and track all identified vulnerabilities and remediation efforts to maintain a clear security posture.
- Collaborate with different departments to ensure all stakeholders are aware of vulnerabilities and involved in remediation efforts.
- Validate the effectiveness of remediation actions by performing follow-up scans.
- Ensure compliance with relevant regulatory requirements by incorporating mandatory scans into the security policy.
- Train staff on the importance and use of vulnerability scanning tools to maximize their effectiveness.
- Regularly review and update scanning policies and procedures to adapt to the evolving threat landscape.
Vulnerability Scanning FAQs
Responsibility for vulnerability management typically falls on a combination of IT security teams, network administrators, system administrators and security engineers, and to a lesser extent, application developers.
Effective vulnerability management requires collaboration and coordination across these teams, with individuals responsible for identifying, assessing, and remediating vulnerabilities, as well as implementing security best practices and ensuring compliance with industry standards and regulations. In some organizations, a dedicated vulnerability management team or a chief information security officer (CISO) may oversee the process.