Where am I using AI?
One of the timeless questions in security is “where am I using fill-in-the-blank-software or technology?”
It’s been one of the most important critical controls (#2) since the CIS Top 20, now the CIS Top 18, was released in 2008. Below is a handy graphic for the latest Center for Internet Security (CIS) critical controls:
For those not in the organized chaos of running a large network of servers or compute resources, this is not as easily answered a question as it may seem on the surface.
Software isn’t easily detected by simply scanning assets externally or hitting a cloud API. Many software components take privileged access to detect, which is where Nessus comes in handy.
Nessus has been aiding accurate authenticated network scanning for over 26 years. For the uninitiated, Nessus can be used as a single scanner in a “pentest” type of fashion, or it can be deployed at scale using Tenable’s enterprise products: Security Center for an on-prem experience and Vulnerability Management as a cloud-hosted solution.
Regardless of your chosen deployment, Nessus utilizes over 221,000 plugins to detect software, open ports and, of course, vulnerabilities. I go into detail on how to get a good software inventory in my article “Building a Software inventory with Nessus”, which is now built into navi.
How to detect AI
In the sea of over 200,000 plugins are groups of plugins called plugin families; these groups help categorize different types of plugins for a variety of use cases.
In our case, we are going to be utilizing the plugin family “Artificial Intelligence”. This plugin family detects software and software components known to use AI; it contains 36 plugins at the time of this article.
How to make use of plugin information at scale
If you have read any of my prior articles, you know that I love to tag assets to begin a workflow or to identify a unique group of assets. It’s one of the only truly scalable and effective ways to group your assets for remediation and reporting. Here are a few articles on tagging assets:
- “My guilty Obsession: Tagging by Plugin Output”, which tags assets by any searchable text in any plugin output.
- “You’re Fired! Now, where do you have local accounts?”, which tags assets by usernames.
- “Tag assets by CISA Known Exploits Released April 7th”, which tags assets using a list of CVEs; in this case the April 7th release.
- “Tagging Agents by Agent Group in Tenable.io”, which goes over the simple process of tagging assets by agent groups in Tenable Vulnerability Management.
Tagging assets by Plugin Family — “Artificial Intelligence”
To answer the question, “Where am I using Artificial intelligence”, we need navi. Navi can complete this task in a single command!
The example below makes use of the tag --query command to query the navi database directly. In this case we want the distinct UUIDs of those assets that have plugins in the plugin family “Artificial Intelligence”.
navi tag --c "AI assets" --v "AI plugins" --query "select distinct(asset_uuid) from vulns where plugin_family='Artificial Intelligence';"
When this command is triggered, navi searches the navi database and then schedules tag updates for every 2000 assets.
If you want to just see the assets on screen rather than tagging those assets in the UI, you can use the below command:
navi find --query "select distinct(asset_uuid) from vulns where plugin_family='Artificial Intelligence';"
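What the query in both commands above selects, shown as an added example (this is not navi's code) against a constructed in-memory SQLite table. Only the table name `vulns` and the columns `asset_uuid` and `plugin_family` come from the query; the `plugin_name` column, the sample rows, the helper names and the shape of the 2000-asset batching are assumptions.

```python
import sqlite3

# The query from the navi commands above, verbatim.
AI_QUERY = ("select distinct(asset_uuid) from vulns "
            "where plugin_family='Artificial Intelligence';")
BATCH_SIZE = 2000  # batch size the article gives for tag updates

# Constructed rows: UUIDs and plugin names are placeholders, not real data.
SAMPLE_ROWS = [
    ("uuid-0001", "Artificial Intelligence", "placeholder-ai-plugin-a"),
    ("uuid-0001", "Artificial Intelligence", "placeholder-ai-plugin-b"),
    ("uuid-0002", "Artificial Intelligence", "placeholder-ai-plugin-a"),
    ("uuid-0002", "General", "placeholder-plugin-c"),
    ("uuid-0003", "General", "placeholder-plugin-c"),
]

def build_sample_db(rows):
    """In-memory stand-in for the navi database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table vulns "
               "(asset_uuid text, plugin_family text, plugin_name text)")
    db.executemany("insert into vulns values (?, ?, ?)", rows)
    return db

def ai_asset_uuids(db):
    """Run the article's query: one row per asset, however many plugins hit."""
    return sorted(row[0] for row in db.execute(AI_QUERY))

def tag_batches(uuids, size=BATCH_SIZE):
    """Split the UUID list into groups of `size` (assumed batching shape)."""
    return [uuids[i:i + size] for i in range(0, len(uuids), size)]

def ai_plugins_by_asset(db):
    """Per-asset breakdown of which AI-family plugins fired, for review."""
    query = ("select asset_uuid, plugin_name from vulns "
             "where plugin_family = ? order by asset_uuid, plugin_name")
    found = {}
    for uuid, name in db.execute(query, ("Artificial Intelligence",)):
        found.setdefault(uuid, []).append(name)
    return found

if __name__ == "__main__":
    db = build_sample_db(SAMPLE_ROWS)
    uuids = ai_asset_uuids(db)
    print(f"{len(uuids)} assets in {len(tag_batches(uuids))} tag batch(es)")
    for uuid, plugins in ai_plugins_by_asset(db).items():
        print(uuid, plugins)
```

The per-asset breakdown is useful before tagging: it shows which detections put an asset in the group, so an unexpected host can be reviewed rather than silently tagged.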
Next Navi Release
While you can do this today with navi, I am adding a few new capabilities in the coming weeks:
- Navi display ai — To display assets with Artificial Intelligence
- Navi tag --byfam — To tag assets by a plugin family
- Navi deploy ai — To deploy the docker container automatically tagging assets with AI plugin family detections.
Conclusion
The data that Nessus finds is powerful beyond just finding vulnerabilities; if used properly, it can help enrich your entire security ecosystem. I hope you found this short, solution-based article helpful.
Now go find where you are using AI and complete your mission!