CISA's Known Exploited Vulnerabilities & CrowdStrike Spotlight

CISA Known Exploited Vulnerabilities with CrowdStrike's Falcon Spotlight data

CISA's Known Exploited Vulnerabilities & CrowdStrike Spotlight

In this blog you will:

  1. Learn about CISA's Known Exploited Vulnerabilities
  2. Learn how to leverage the CrowdStrike Falcon Spotlight feature to fuse your endpoint telemetry with CISA's
  3. Learn how to use the CrowdStrike Falcon console to further investigation and take action

CISA's Known Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has been publishing a list of known exploits used in attacks that it responds to, many of which could be in response to nation state actors.

These known vulnerabilities are also CVEs, so there is nothing magical happening where CISA is disclosing previously unknown vulnerabilities. It is possible that CISA, with its mission partners within the US Gov't, do stumble upon these vulnerabilities--either reactively as part of an incident response, or proactively via red-teaming--inform vendors on newly discovered vulnerabilities, but this list is not that. This list is taking CVEs and prioritizing them for US Gov't customers to based on seeing these be used in the wild.

Not everyone will be pressed to mitigate/patch these vulnerabilities since not all entities are under the purview of CISA. CISA does make it a requirement to patch these vulnerabilities within 90 days for Department of Homeland Security (DHS), the larger Fed Civilian agencies, sometimes referred to as "the .gov".

However, everyone should care about these. Critical infrastructure companies. Defense Industrial Base (DIB) companies. Companies outside the US even. If a nation state is known to exploit and take advantage of a certain CVE, you probably should prioritize it as well.

Enter CrowdStrike Falcon Spotlight

As CrowdStrike gets more and more traction inside the US Government, thanks to new authorizations of CrowdStrike's cloud-services, more and more have been asking how we can leverage this data and have informed decisions on exposure to this list.

Luckily, Falcon Spotlight has all CVE data on endpoints and has awareness and context of CISA Known Exploited Vulnerabilities. Also cool, since CrowdStrike is an API-first company, everything has an API to interface and automate tasks and workflows. Cooler, there are two major clients to doing this, Falconpy (python) and PsFalcon (powershell).

We are going to introduce a sample workflow, fusing our Spotlight data against CISA Known Vulnerabilities. All of this is published and made available to the cybersecurity community.

falconpy/samples/spotlight/CISA_known_exploited_vulns at main ยท CrowdStrike/falconpy
The CrowdStrike Falcon SDK for Python. Contribute to CrowdStrike/falconpy development by creating an account on GitHub.

First things first, in order to do API fun, we need the right authorizations. Make sure within CrowdStrike's API, you have a client id and secret that can read the Spotlight Vulnerabilities data. Without this, you won't be able to grab the data we need!

Using that client id and secret, and by following instructions on the readme.md, which includes how to quickly create a python environment with the dependencies needed, we can quickly focus on the fused events:

./python main.py --client_id <client_id> --client_secret <secret>

If you are a government customer and using CrowdStrike's GovCloud-1, which as of this writing is FedRAMP Moderate and Impact Level 4 (IL-4) authorized by leveraging the --base_url usgov1 tag:

./python main.py --client_id <client_id> --client_secret <secret> --base_url usgov1

Note that this code can take some time to work since it's actively assessing your environment against every CVE on the CISA list.

This will assess our Spotlight data, looking for matches against the CISA Known Exploited Vulnerabilities list. It will also create a few CSV files which can help us prioritize what to do next.

List of output CSV files

For example, it will show you the most pressing CISA Known Exploited Vulnerabilities in your environment based on date CISA wishes you to patch them by. Note that this should always be done as-soon-as-possible.

It also produces a list of top offending assets.

Raw CSV of <date>_RawDhsCve.csv file

By taking the above, we can see all the CVEs, the details of that CVE, the date when CISA requires the vulnerability to be patched, the total assets who are impacted by that CVE, and the specific CrowdStrike Agent ID (AID) who have illustrate those issues. Importing this into Excel, we could very quickly play with this data to prioritize it to our liking.

Here I'm showing the list in ascending order based on total number assets impacted by the given vulnerability.

Note that this does not provide you with the applications causing the issue or exposure to begin with, however, we can use the CrowdStrike UI to do just that. Mapping to the application is helpful if you have Program of Record (PoR) where applications are maintained by an outside body and who have the responsibility to patch the application on your behalf.

For example, let's look at one of these CVE's we have a finding for in our environment, CVE-2013-3900.

Using the filter, focus only on the particular CVE ID we care about

If we click on the ExPRT rating, we can filter down, finding out we have 2 products causing 39 vulnerabilities.

Clicking on the products, we can then further drill in, seeing the fact that CrowdStrike is aware this is being actively exploited (part of the ExPRT rating system, which includes CISA's Known Exploited Vulnerabilities list plus other sources including dark-web recon):

We can see that it certainly comes from the CISA Known Exploited Vulnerabilities list in this case:

Relevant links to vendor and external data sources to help give context to the CVE at question

And we get attributing artifacts, like Microsofts Security Response Center (MSRC) link on the exploit itself.

We can then see the vendor's (Microsoft) recommended remediation, which is to patch as well as what product(s) are impacted. Here we can see its Windows Server 2019 1809.

Additional data provided via Falcon Spotlight's dashboard

There you have it.

We discussed CISA's Known Exploited Vulnerabilities catalog, albeit quickly. We saw how we can merge it with CrowdStrike Falcon Spotlight data. And we also extended that into the Spotlight User Interface.

The API method is a great way to build reports on how you're doing. We'd also recommend creating a Spotlight Scheduled Task where you get emailed, or another notification, whenever a vulnerabilities opens up on your systems that is actively exploited. That however, is another post for another time, but in the meantime, use this reference since it's pretty straight forward.

Andrew