Key Points
Proactively check systems for weaknesses exploited in the wild and reduce your time-to-fix
The time between a critical exploit going public and a patch being released can leave you exposed for days, sometimes weeks. This might not sound long, but it is more than enough time when it comes to the big-hitting CVSS 9.5-10.0 weaknesses.
Attackers are always looking for these exploits and scanning entire internet ranges for vulnerable hosts. Within a week, they have finished exploiting and moved on to the next vulnerability. Wait too long and you could be too late to patch. Is the wait worth the risk? Close the gap with Rapid Response, a manual screening service that proactively checks for weaknesses when automated scanners don’t have checks available yet.
How does it work?
Our team continuously monitors security and news feeds for emerging critical risks. New information on these weaknesses is then used for manual scanning to discover hosts that could be vulnerable. This bridges the gap until our automated scanners have checks for these weaknesses, and uncovers more hosts where automated scanners can be less effective than manual detection.
Why is there a delay?
The process from a CVE being published to a scan running is reactive by nature. It can take time for scanners like Tenable (one of the powerful scanners under the hood of Intruder) to analyze the weakness and write a robust plugin for detection. As soon as a plugin is created and released, we can run the relevant scans.
We call these Emerging Threat Scans (ETS), and as soon as we identify a new vulnerability that could critically affect your systems, we automatically kick-off a scan on all your external targets (license permitting). Regardless of the outcome, we'll notify you (in numerous ways) that an ETS has completed.
But there can still be a delay between the release of a new vulnerability and ETS scans in the Intruder portal. This is where Rapid Response comes in. Rapid Response goes above and beyond Emerging Threat Scans: if there aren’t automated checks yet for a highly critical, headline vulnerability, our team runs manual checks of your targets for that specific vulnerability. Rapid Response starts from the earliest possible information sources, kicking off before information about the vulnerability hits the mainstream media.
What happens next?
Where exposed servers are discovered, you’ll receive advisories with details and recommendations. This helps reduce your time-to-fix for the most serious weaknesses.
When attackers are alerted to emerging vulnerabilities, so are we, and we’re already checking your systems for them. Rapid Response focuses on weaknesses being exploited in the wild, where you have a small window of opportunity to act to reduce your risk before mass exploitation takes place.
Rapid Response in action
Intruder Head of Security, Dan Andrew, explains how Rapid Response has discovered critical weaknesses for customers…
ProxyNotShell (CVE-2022-41040)
ProxyNotShell (CVE-2022-41040) was a variant of an earlier vulnerability in Microsoft Exchange servers (ProxyShell). Unlike ProxyShell it required valid credentials, but a remote, authenticated attacker could chain it with CVE-2022-41082 to get remote code execution on Microsoft Exchange servers.
What happened: this vulnerability affected the latest versions of Microsoft Exchange, and a full patch wasn’t available for over a month. Microsoft provided mitigation steps to help prevent exploitation before releasing a patch, but researchers quickly produced new payloads that bypassed them. This continued for several days, with Microsoft changing its remedial advice daily and without warning, and researchers finding new ways around each revision. It was very confusing for defenders: anyone who acted on the initial advice but didn't follow up was still vulnerable. Rapid Response stepped in and told customers with outdated mitigations, or no mitigations at all, exactly where they were vulnerable.
Why Rapid Response was required: there was no automated external check available when the weakness was first made public, so detecting the vulnerability with Rapid Response was faster than using a scanner alone. Microsoft’s moving goalposts meant the Rapid Response team’s additional help and tracking of the weakness was essential for customers who don’t have time to read security news all day.
Impact of the vulnerability: Server-Side Request Forgery, leading to Remote Code Execution.
How we helped: our team acted fast, writing first checks before the scanner had external checks available. Customers got additional value from updates on Microsoft's changing advice, making sure they were aware that the mitigation guidance had changed. After each update to Microsoft’s article, the Rapid Response team manually scanned, found servers that didn't have the latest mitigations in place, and pointed them out to customers.
Fortinet FortiOS & FortiProxy, Remote Code Execution / Buffer Underflow (CVE-2023-25610)
What happened: this one was simple; a new vulnerability in Fortinet products was disclosed, and the scanner only had an internal (agent-based) check. The Rapid Response team stepped in to discover vulnerable hosts exposed to the internet, covering for the scanner's lack of an external check for this weakness.
Why Rapid Response was required: not all customers have installed the internal (agent-based) scanner on all their targets, so Rapid Response adds an additional external check for hosts the scanner wouldn’t be able to detect. In practice, this means finding vulnerabilities which would remain undetected without Rapid Response.
Impact of the vulnerability: Remote Code Execution or Denial of Service
How we helped: the Rapid Response team ran manual scans for affected products, and pointed out external facing servers where the affected product was in use. This notification provided customers with a list of exposed targets to review for patching. Customers would not have been able to detect these with the scanner alone unless they were using internal scanning on all their targets (which many choose not to do). Rapid Response helped identify several critical weaknesses in Fortinet products over the past year – including CVE-2022-42475 and CVE-2022-40684.
5 reasons you need Rapid Response
- It’s not always practical to install an agent on everything - for example if you have thousands of targets - so you can’t scan for the vulnerability using an internal check
- Rapid Response is (usually) faster than the scanner alone. Faster means better for critical vulnerabilities, because the time from public disclosure to exploitation is typically very short for vulnerabilities in the wild. But our scanner is fast too, so we first check whether it already covers the issue, and Rapid Response only kicks in if or when it’s needed.
- Manual efforts can be more effective when a scanner's check is too generic or misses edge cases. If so, we’ll write a more robust check to provide extra assurance.
- You can talk to our Security team and get advice on how to fix the issue.
- Our team can re-test the issue after it’s been fixed, or check mitigations you’ve put in place to give you the assurance you need.
Rapid Response: all you need to know
What is it?
Manual scanning to check for the latest critical weaknesses hitting the news, including some that our core scanners don't have checks for yet, or ones that are better detected by a human.
Why do you need it?
The delay between a critical exploit hitting the news and a patch being released can leave you exposed. Close the gap with manual screening that proactively scans for weaknesses when automated scanners don’t have checks ready.
How does it work?
We continuously monitor security threat feeds for emerging critical-risk vulnerabilities. When a threat is identified, we’ll scan your targets and identify any affected systems. If we think a target could be susceptible, we’ll notify you with details and advice.
What does it cover?
High risk weaknesses with a CVSS score of 9.5+, and weaknesses remotely exploitable over the internet.
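The two sections above describe a triage rule: watch a threat feed, keep only the critical, internet-reachable weaknesses, and map them onto the targets you actually expose. The script below is an added example of that rule, not Intruder's code. The feed entries and host inventory are constructed for the demo; the CVE IDs are the Fortinet ones named on this page, but the scores, vectors, product lists and "exploited in the wild" flags are illustrative and must be checked against NVD and CISA KEV before use. The `EXAMPLE-LOCAL-ONLY` entry is a placeholder, not a real identifier, included to show that a critical score alone is not enough: the CVSS v3.1 attack vector must be Network (`AV:N`) to be worth an external check.

```python
"""Triage an emerging-threat feed against internet-facing hosts.

Added example (not Intruder's code). All feed data and the inventory
below are constructed for illustration; verify real scores and vectors
against NVD / CISA KEV before relying on them.
"""
from dataclasses import dataclass

CVSS_THRESHOLD = 9.5  # coverage rule from the page: CVSS 9.5 and above


@dataclass(frozen=True)
class Advisory:
    cve: str
    products: frozenset  # normalised product keywords, e.g. {"fortios"}
    cvss_score: float
    cvss_vector: str     # CVSS v3.x vector string
    exploited_in_wild: bool


# Constructed feed. Scores/vectors/products are illustrative values only.
FEED = [
    Advisory("CVE-2023-25610", frozenset({"fortios", "fortiproxy"}), 9.8,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
    Advisory("CVE-2022-40684", frozenset({"fortios", "fortiproxy"}), 9.8,
             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
    # Placeholder entry: critical score but local attack vector, so it
    # must NOT produce an external check.
    Advisory("EXAMPLE-LOCAL-ONLY", frozenset({"fortios"}), 9.6,
             "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", False),
]

# Constructed inventory: externally exposed host -> product keyword.
INVENTORY = {
    "vpn.example.com": "fortios",
    "proxy.example.com": "fortiproxy",
    "mail.example.com": "exchange",
}


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])


def needs_rapid_response(adv: Advisory) -> bool:
    """Critical score AND reachable over the network (AV:N)."""
    metrics = parse_vector(adv.cvss_vector)
    return adv.cvss_score >= CVSS_THRESHOLD and metrics.get("AV") == "N"


def triage(feed, inventory):
    """Return (cve, host) pairs to check manually, in-the-wild first."""
    hits = []
    for adv in feed:
        if not needs_rapid_response(adv):
            continue
        for host, product in inventory.items():
            if product in adv.products:
                hits.append((adv.cve, host, adv.exploited_in_wild))
    # Entries already exploited in the wild go to the top of the queue.
    hits.sort(key=lambda h: (not h[2], h[0], h[1]))
    return [(cve, host) for cve, host, _ in hits]


if __name__ == "__main__":
    for cve, host in triage(FEED, INVENTORY):
        print(f"{cve}: manually check {host}")
```

In practice `FEED` would be populated from a live source (NVD, CISA KEV, vendor PSIRT feeds) and `INVENTORY` from your attack-surface data; the matching here is deliberately coarse, by product keyword, because at the moment a headline vulnerability lands you usually do not yet have a version fingerprint to match on, which is exactly the gap a manual check fills.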
Who’s it for?
Rapid Response is available to anyone with a Premium or Vanguard subscription.
If you’d like to see Intruder in action, take our Pro plan for a spin with a free 14-day trial or get a demo of our Premium plan.