Change Asset Criticality Rating (ACR) by Tag in Tenable.io
The asset criticality rating, better known as ACR, is one of the most important aspects of a risk-based vulnerability management program. If you are not taking the criticality of the asset into account, it's akin to covering your eyes during a shooting contest: a waste of time if you're measuring the outcome by impact and not by bullets shot.
Severity is NOT Risk
If you are simply running your program by the aggregate severity numbers, you're not doing risk-based vulnerability management; you're gambling at best, since severity is NOT risk.
If you have a visceral reaction to that statement or question my sanity, please take a look at the NIST website; I've taken a screenshot below:
Too many vulnerabilities are being found at too high a pace; no organization in the world can eliminate them all. There is no choice but to focus on what matters most to the organization, and asset criticality should be the main lens for that.
Tenable does the heavy lifting by automatically adjusting the criticality of an asset by a number of factors found on the asset:
However, a vendor has no technical way to know your business context. This is where bulk changing the ACR becomes your new best friend!
Dynamic Asset Criticality Rating
There are a handful of ways to bulk change ACR in the UI, but none of them are dynamic. The focus of this article is to help those with more advanced use cases who want to drive ACR dynamically from asset or vulnerability information.
The modern attack surface is changing so rapidly that calling it difficult to track is an understatement. Automation is one of the major tools for coping with that rate of change. Let's go over how to accomplish this with Tenable's API, pyTenable and navi!
Advanced Tagging via Plugin Data
Tagging on plugin data is relatively advanced but necessary in some organizations with distributed remediation teams. To keep the concept simple I'm going to use a very easy example: Docker hosts.
Note: I’m going to create a series on Advanced tagging in Tenable.io so I won’t cover how this is done under the hood in this article.
Find and Tag all Docker Hosts
To demonstrate changing the ACR in bulk, let's assume that all Docker hosts are more important than most other assets, and as such we want to change their ACR to 9.
Luckily Tenable has a plugin that identifies Docker hosts: plugin 93561. This is not a vulnerability but an informational plugin that indicates whether the Docker service is running:
Manually searching for plugin 93561 and using the in-app tagging option may be more than enough for a small organization, especially one without rapid change. However, if you want to tag assets dynamically, it can be done with a few commands:
Update the navi database
If you are not familiar with navi check out the “Getting started with Navi” article and check out the navi wiki.
navi update full
Tag assets by plugin ID
navi tag --c "Tag by Software" --v "Docker Hosts" --plugin 93561
Tagging in Tenable.io can take a few minutes for large asset counts, so don't be alarmed if you are watching this in real time and assets don't show up immediately.
As shown below, the tag method is saved in the tag description, so you don't have to make it a part of your tag naming convention.
The Solution
Finally, let's get to the solution. Before we can change the ACR by tag, we need to download the new tag relationships. We don't need the vulns table updated, so we will update only the asset table to speed things up a bit.
navi update assets
Now that we have the tag relationships we can run the navi lumin command.
navi lumin --acr 9 --c "Tag by Software" --v "Docker Hosts" -business --note "Automatically changed by navi"
Asset criticality rating changes can take some time to become visible in the UI, and it can take a few hours to recalculate the Asset Exposure Score with the new ACR. As shown below, the ACR is changed one asset at a time for every asset in the tag, so if the tag covers hundreds or thousands of assets, the process will take some time.
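The two steps above (tag every asset that has plugin 93561, then change the ACR of every asset carrying that tag) can also be done in one script against the Tenable.io API, which is what a cron job would run. The following is an added example, not the article's own code and not part of the navi project; it uses pyTenable in place of navi. The pyTenable calls tio.exports.vulns(plugin_id=...), tio.tags.list(), tio.tags.create() and tio.tags.assign() are used as documented, while the raw POST to api/v2/assets/bulk-jobs/acr, its body shape and the reason string "Business Critical" are assumptions to check against the Tenable.io API documentation; the environment variable names and the sample findings are constructed for the example.

```python
"""Tag Docker hosts (plugin 93561) and bulk-set their ACR with pyTenable.

Added example, not from the article or the navi project. The ACR endpoint,
its body shape and the reason string are assumptions; verify them against
the Tenable.io API docs before running this against a real container.
"""
import os
from typing import Dict, Iterable, List

DOCKER_PLUGIN_ID = 93561              # the informational plugin from the article
TAG_CATEGORY = "Tag by Software"      # tag category/value used in the article
TAG_VALUE = "Docker Hosts"
ACR_NOTE = "Automatically changed by script"
OPEN_STATES = ("OPEN", "REOPENED")    # a FIXED finding means Docker is no longer seen


def docker_host_ids(findings: Iterable[dict]) -> List[str]:
    """Return the unique asset UUIDs that still have an open 93561 finding.

    Each record is shaped like one vuln-export finding; only plugin.id,
    state and asset.uuid are read, so duplicates and fixed findings drop out.
    """
    seen, ids = set(), []
    for f in findings:
        if f.get("plugin", {}).get("id") != DOCKER_PLUGIN_ID:
            continue
        if f.get("state", "OPEN").upper() not in OPEN_STATES:
            continue
        uuid = f.get("asset", {}).get("uuid")
        if uuid and uuid not in seen:
            seen.add(uuid)
            ids.append(uuid)
    return ids


def build_acr_jobs(asset_ids: List[str], score: int, note: str,
                   reasons=("Business Critical",), batch_size: int = 500) -> List[Dict]:
    """Build bulk ACR job bodies (assumed shape of api/v2/assets/bulk-jobs/acr).

    ACR is an integer from 1 to 10; anything else is rejected before any API
    call is made. Large tags are split into batches of batch_size assets.
    """
    if not isinstance(score, int) or not 1 <= score <= 10:
        raise ValueError("ACR must be an integer between 1 and 10")
    jobs = []
    for start in range(0, len(asset_ids), batch_size):
        batch = asset_ids[start:start + batch_size]
        jobs.append({
            "acr_score": score,
            "reason": list(reasons),
            "note": note,
            "asset": [{"id": uuid} for uuid in batch],
        })
    return jobs


def find_or_create_tag(tio, category: str, value: str) -> str:
    """Return the UUID of the tag value, creating it if it does not exist yet."""
    for tag in tio.tags.list():
        if tag.get("category_name") == category and tag.get("value") == value:
            return tag["uuid"]
    created = tio.tags.create(
        category, value,
        description=f"Assets with plugin {DOCKER_PLUGIN_ID} (Docker service running)")
    return created["uuid"]


def sync_docker_host_acr(score: int = 9) -> int:
    """Tag every Docker host and set its ACR. Returns the number of assets touched."""
    from tenable.io import TenableIO   # imported here so the pure helpers run offline
    tio = TenableIO(os.environ["TIO_ACCESS_KEY"], os.environ["TIO_SECRET_KEY"])
    ids = docker_host_ids(tio.exports.vulns(plugin_id=[DOCKER_PLUGIN_ID]))
    if not ids:
        return 0                       # nothing to tag, so make no ACR call at all
    tag_uuid = find_or_create_tag(tio, TAG_CATEGORY, TAG_VALUE)
    tio.tags.assign(ids, [tag_uuid])
    for job in build_acr_jobs(ids, score, ACR_NOTE):
        tio.post("api/v2/assets/bulk-jobs/acr", json=[job])   # assumed endpoint/body
    return len(ids)


# Constructed sample findings (not real data): two Docker hosts, one duplicate
# finding, one host where Docker was fixed, and one unrelated plugin.
SAMPLE_FINDINGS = [
    {"plugin": {"id": 93561}, "state": "OPEN", "asset": {"uuid": "asset-a"}},
    {"plugin": {"id": 93561}, "state": "OPEN", "asset": {"uuid": "asset-a"}},
    {"plugin": {"id": 93561}, "state": "REOPENED", "asset": {"uuid": "asset-b"}},
    {"plugin": {"id": 93561}, "state": "FIXED", "asset": {"uuid": "asset-c"}},
    {"plugin": {"id": 10180}, "state": "OPEN", "asset": {"uuid": "asset-d"}},
]


def demo() -> List[Dict]:
    """Offline run over the sample findings with a tiny batch size."""
    return build_acr_jobs(docker_host_ids(SAMPLE_FINDINGS), 9, ACR_NOTE, batch_size=1)


if __name__ == "__main__":
    for job in demo():
        print(job)
```

Scheduling sync_docker_host_acr() from cron gives the dynamic behaviour the article is after: a host that newly shows plugin 93561 is tagged and raised to ACR 9 on the next run, and a host whose finding has moved to FIXED is simply left alone, which is why the state filter matters.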
Conclusion
Now I have near-immediate visibility into which assets are most important to my business, and with Tenable One I get great metrics to go along with that extra visibility.
To make this dynamic you will need to create a simple script and add it as a cron job. Take a look at my example script on my GitHub page, which accomplishes the following:
- Creates Users
- Creates User groups
- Adds Users to the User Groups
- Creates Tags based on vulnerability information
- Creates permissions based on those tags and assigns them to each User Group
Thank you for reading. More to come on Tenable.io automation!