- 27 Jun 2022
- 3 Minutes to read
Discovering Cloud Instances Not Being Scanned for Vulnerabilities
Today’s assessment tools do an exceptional job of recognizing known vulnerabilities. However, because cloud workloads are elastic and ephemeral, and because DevOps practices spin instances up and down continuously, workloads are created without security tools ever learning of their existence. Vulnerability assessment (VA) scanners are therefore often unaware of new instances to scan, and those instances remain exposed to known vulnerabilities.
Challenges of Finding Cloud Instances Not Being Scanned for Vulnerabilities
VA scanners only scan the IPs they have been given, and the dynamic nature of the cloud makes it impossible for these tools to anticipate new IPs. Simply specifying an IP range to scan does not solve this, because addresses come and go with the instances that hold them.
Data Sources Required to Find Cloud Instances Not Being Scanned for Vulnerabilities
To find cloud instances not being scanned by VA tools, the following data sources are needed:
- Vulnerability scanner console — Connecting to the admin console of the vulnerability scanner allows you to see all cloud instances that are known and being scanned.
- Cloud infrastructure — Connecting to the cloud infrastructure admin console allows you to see all instances in the environment.
Discovering Cloud Instances Not Being Scanned for Vulnerabilities with Axonius
To identify cloud instances not being scanned for vulnerabilities with Axonius, there are simple queries you can build, ranging from the broadest possible scenario to the most detailed.
First, let’s take a look at the most basic query: finding AWS instances not being scanned for vulnerabilities (note: AWS is just one of several popular cloud providers we support and is used for the purpose of the following examples).
This query can be represented in the Axonius Query Wizard as:
This query can also be represented as an AQL (Axonius Query Language) expression:
(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and not (adapters_data.qualys_scans_adapter.id == ({"$exists":true,"$ne":""}))
This query finds Amazon instances not being scanned by any tool categorized as a Vulnerability Assessment Tool.
In larger enterprises, the result set may be very large. To cull the list and prioritize the most urgent instances needing attention, let’s take a look at how to find just those unscanned AWS instances that also have a public IP address.
This query can be represented in the Axonius Query Wizard as:
This query can also be represented as an AQL (Axonius Query Language) expression:
(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and (adapters_data.aws_adapter.public_ips == ({"$exists":true,"$ne":""})) and not specific_data.data.adapter_properties == "Vulnerability_Assessment"
We can also filter the results further to show only AWS instances that have known Common Vulnerabilities and Exposures (CVE®) and are not being scanned for vulnerabilities.
This query can be represented in the Axonius Query Wizard as:
This query can also be represented as an AQL (Axonius Query Language) expression:
(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and (specific_data.data.software_cves.cve_id == ({"$exists":true,"$ne":""}))
We could also choose to show only those instances that have a CVE severity of “Critical” by changing the query.
This query can be represented in the Axonius Query Wizard as:
This query can also be represented as an AQL (Axonius Query Language) expression:
(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and (specific_data.data.software_cves.cve_id == ({"$exists":true,"$ne":""})) and specific_data.data.software_cves.cve_severity == "CRITICAL"
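The four queries above all do the same thing at different levels of strictness: take the instance list from the cloud data source, subtract the instances the scanner data source reports, and then narrow by public IP, by known CVEs, and by CVE severity. The following added example (not Axonius code, and not AQL) shows that correlation in plain Python over constructed sample records, so the logic of each query can be inspected and tested outside the product. The `present()` helper is an assumption about how the AQL `{"$exists":true,"$ne":""}` predicate is meant to be read; the instance ids, IPs and CVE ids are constructed placeholders.

```python
"""Correlate a cloud inventory against a vulnerability-scanner inventory.

Added example (not Axonius code): each function mirrors one of the four AQL
queries in the article, evaluated over plain Python dicts instead of adapter
data. Every record below is constructed sample data.
"""
from typing import Any, Dict, Iterable, List, Set

Instance = Dict[str, Any]


def present(value: Any) -> bool:
    """Approximate the AQL predicate ({"$exists": true, "$ne": ""}).

    Caveat: under raw MongoDB semantics an empty list still "exists" and is
    not equal to "", so a query on public_ips could match an instance with no
    public IP at all. This helper (an assumption, not Axonius behaviour)
    treats None, "" and empty containers as absent, which is what "has a
    public IP" / "has a CVE" are meant to express.
    """
    if value is None:
        return False
    if isinstance(value, (str, list, tuple, set, dict)):
        return len(value) > 0
    return True


# Constructed sample: what the cloud provider's admin console knows.
# Field names follow the AQL above (public_ips, software_cves.cve_id, ...).
AWS_INSTANCES: List[Instance] = [
    {"id": "i-0aaa", "public_ips": ["203.0.113.10"], "software_cves": []},
    {"id": "i-0bbb", "public_ips": [],
     "software_cves": [{"cve_id": "CVE-0000-0001", "cve_severity": "HIGH"}]},
    {"id": "i-0ccc", "public_ips": ["203.0.113.12"],
     "software_cves": [{"cve_id": "CVE-0000-0002", "cve_severity": "CRITICAL"}]},
    {"id": "i-0ddd", "public_ips": ["203.0.113.13"],
     "software_cves": [{"cve_id": "CVE-0000-0003", "cve_severity": "CRITICAL"}]},
    # Malformed record with an empty id: the "$ne": "" clause drops it.
    {"id": "", "public_ips": ["203.0.113.14"], "software_cves": []},
]

# Constructed sample: instance ids the scanner console reports as covered.
# With real data the two sides' identifiers must first be reconciled (one
# side may key on hostname or IP, the other on instance id).
VA_SCANNED_IDS: Set[str] = {"i-0ddd"}


def unscanned(instances: Iterable[Instance], scanned_ids: Set[str]) -> List[Instance]:
    """Query 1: cloud instances with a non-empty id that the VA scanner does not report."""
    return [i for i in instances
            if present(i.get("id")) and i["id"] not in scanned_ids]


def unscanned_public(instances: Iterable[Instance], scanned_ids: Set[str]) -> List[Instance]:
    """Query 2: query 1 restricted to instances with at least one public IP."""
    return [i for i in unscanned(instances, scanned_ids)
            if present(i.get("public_ips"))]


def unscanned_with_cves(instances: Iterable[Instance], scanned_ids: Set[str]) -> List[Instance]:
    """Query 3: query 1 restricted to instances carrying at least one CVE with a cve_id."""
    return [i for i in unscanned(instances, scanned_ids)
            if any(present(c.get("cve_id")) for c in i.get("software_cves", []))]


def unscanned_with_critical_cves(instances: Iterable[Instance], scanned_ids: Set[str]) -> List[Instance]:
    """Query 4: query 3 restricted to instances with at least one CRITICAL CVE.

    Severity is compared case-insensitively; the AQL compares the literal "CRITICAL".
    """
    return [i for i in unscanned_with_cves(instances, scanned_ids)
            if any(str(c.get("cve_severity", "")).upper() == "CRITICAL"
                   for c in i.get("software_cves", []))]


def report(instances: Iterable[Instance], scanned_ids: Set[str]) -> Dict[str, List[str]]:
    """Run all four queries and return instance ids per query, for triage or ticketing."""
    rows = list(instances)
    return {
        "unscanned": [i["id"] for i in unscanned(rows, scanned_ids)],
        "unscanned_public": [i["id"] for i in unscanned_public(rows, scanned_ids)],
        "unscanned_with_cves": [i["id"] for i in unscanned_with_cves(rows, scanned_ids)],
        "unscanned_critical": [i["id"] for i in unscanned_with_critical_cves(rows, scanned_ids)],
    }


if __name__ == "__main__":
    for name, ids in report(AWS_INSTANCES, VA_SCANNED_IDS).items():
        print(f"{name}: {ids}")
```

On the sample data the first query returns three unscanned instances, the public-IP filter keeps two, the CVE filter keeps two, and the critical-severity filter narrows the list to one; the empty-id record and the scanned instance never appear. The `present()` caveat is the part worth carrying back to the AQL: if an adapter stores `public_ips` as an empty list rather than omitting the field, a `$exists`/`$ne ""` test alone will still match it, so verify against a known instance without a public IP before relying on the second query for prioritization.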
Taking Action On Cloud Instances Not Being Scanned For Vulnerabilities
The Axonius Security Policy Enforcement Center allows customers to determine which automated action to execute when a cloud instance is found that is not being scanned.
Highlighted Actions Include:
- Notify - Let someone know about the unscanned cloud instance via email, Slack, Syslog, or a CSV export
- Create Incident - Create an incident in a ticketing system such as ServiceNow, Jira, or Zendesk
- Enrich Device or User Data - Enrich the record with data from Shodan, Censys, or Portnox to show what is publicly known about the instance
- Update VA Coverage - Add the cloud instance to the next scheduled vulnerability assessment scan
For more details, see Action Library.