Automate Tagging by Open Ports
Open ports are like open windows in your home, while they don’t pose a direct immediate threat, they provide an opportunity for a real threat to occur.
In vulnerability management, open ports are typically aligned with a vulnerability which makes it a real threat given the context of the asset and the finding(vuln). At the finding level, this is obvious. However, in a sea of findings the depth of the open port problem can be easily misunderstood or somewhat invisible.
For instance, it may not be obvious that the asset you are working on is full of holes unless you go analyze it from that perspective. Consider the picture above though, this pulls the sea of data into something more visible on the asset.
What if there was an easy way to decorate the data to be more aware of the open ports on a system?
Tagging in Tenable.io is probably one of the most powerful solutions to Exposure Management and its predecessor Vulnerability Management. Tagging allows you to group assets for reporting, Role Based ACcess, remediation workflows and dashboarding.
How?
Navi has a built-in function that unlocks the tagging by port solution which I wrapped in a clever for-loop. The simple command to enable it per port is below:
navi tag --c "Open Ports" --v "Port: {port number}" --port {port number}Navi uses a SQLite Database and populates it with the vulnerability and asset data exports. The tagging function searches the navi.db for the open ports and uses the tagging assignments endpoint to tag each asset.
What is the value?
It may not be obvious to those who don’t live and breath vulnerability management or exposure management. However, an asset can have 100s of vulnerabilities and 100s more findings - and there is no easy way to indicate what ports are open on a given system, without cycling through each vulnerability/finding and keeping a tally.
Quoting Esteban Borges in his Article “Open Ports”:
Ports are always one of the first doors knocked on by attackers. If found open, they can become a real threat if the services you’re running on them aren’t properly hardened from a network, operating system and app point of view.
To address the concern, you first need to understand what ports are open on what systems. What better way than to decorate the data so you don’t have to dig for it. If something looks off, you can dig deeper. Otherwise, you can have the confidence the ports open are normal.
Introducing a Automated Solution
This docker service is a simple script wrapped up in a docker container for ease of use and deployment. A single command can automatically tag all your assets by the ports found open.
Docker Command
docker run -d -e access_key="your access key" -e secret_key="your secret key" packetchaos/port_taggingResults
After the tagging solution runs, you easily see how many open ports you have and which ports are the most prevalent.
In addition, each asset will have greater visibility for open ports.
Last, you can get risk insights by ports in Tenable One. This can be used as a difference lens on the same data. Consider also, that it is very common for software to run on a standard port like 8834 and 8000 for Tenable’s Nessus Scanner and Hardened virtual appliance.
Meaning this could be a viable method to finding custom or well known applications internally and tagging by port for Risk visibility.
I hope this little Proof of Concept can help provide greater visibility into what ports are open in your network!
Let me know what you think.
