Wondering what tools folks use for routine internal scanning for vulnerabilities and what's most recommended. There seems to be a plethora of solutions available just now so which is the best/most effective/cheapest?
I have Trend Micro Deep Security Manager which is pretty good at what it does but I'm looking to supplement it with something like Nessus. It's part of a drive to increase our internal capabilities rather than having to rely on independent scrutiny all of the time.
We do a fair bit of development and I'd like to do some internal testing on apps before they go into production (they will always be tested independently before going live but I'm trying to reduce the re-testing).
Any advice would be most welcome
We use multiple solutions. But for the scanning side of things we use Nessus, nmap, Hydra, Burp Suite, etc. with some custom scripts. We also do manual testing of systems on top of what we have automated. I don't believe automatic scanners to be the end all as it only scans what it knows.
Wireshark, Nmap, Nessus ... you may want to look at the tools that are offered as part of the Kali Linux download. Also, for some training on how to use them Udemy has some good videos out there for relatively cheap. I also watched YouTube videos on how to use tools like aircrack-ng ...
I'd second the recommendations for port scanners listed above.
A number of the products on the market do this work very well.
Take a look at Metasploit!
Many organisations fall into the trap of spending too little time/resources on web application hardening.
As these are often public-facing services, that is a mistake you don't want to make.
OWASP have some great resources on the subject. They also touch on automated source code analysis tools... well worth a look.
I've always been a fan of Nessus but lately, I've been playing with OpenVAS. As most of you probably know, OpenVAS is open source and was created from the free Nessus version over a decade ago. Nessus costs $$$, but you get support, slick(er) looking reports and it's pretty easy to set up out of the "box" with plenty of features. OpenVAS takes a bit more patience and tuning, but can do the job if you play around with it and have the time and patience to help config and adjust from false-positives.
We use Nessus Professional for internal vulnerability scanning. It's free for higher eds so that factored into the decision. Prior to that we used Nmap. In general, I'd say it does what we need it to do but we also use other tools to get the full picture. For example, we use Shodan to get a look from the outside. We also use Nagios to do things like check that packages are up to date. VMware also tells us a lot.
Things to consider:
* Nessus report formats are PDF, HTML, and CSV. There is also a proprietary Nessus format that I've never used. CSV is useful enough but I would prefer output in JSON.
* Whatever tool you use you will need to process the results somehow (see above) and turn those results into useful information. For example, you may want to open tickets in some kind of tracking system. So think about how well the tool can feed into whatever system you are using.
* Consider what it would take to do authenticated scans in your environment. Unauthenticated scans can sometimes yield false positives where it simply flags vulnerable packages by version listed in the banner text. Typically Linux package maintainers will patch the version in the repo rather than roll to the next version. So you really need to look at apt to know if a package is vulnerable. This sometimes happens with our Linux VMs. Not a big deal, just don't believe everything it tells you. Not sure how things work in Windows world but it may be similar...
* It's also worth thinking about how big your network is. If it's only a /24 then Nmap and a reasonable amount of Python might be the simplest and most flexible thing. For larger nets (/16 or /8) that may prove unwieldy. But define what you want to know and then select the tool. For example, certain Nagios checks are basically identical to an authenticated internal scan (e.g. check_apt, check_apache, check_nginx, and so on). YMMV but you may already have tools on hand that will tell you what you want to know.
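The points above about CSV output, feeding a tracker, and version-only false positives, as an added example that is not part of the original post: a Python sketch that collapses a scanner CSV export into one JSON ticket per host, port and plugin, and marks findings that should be confirmed on the host before anyone acts on them. The column names, the sample rows and the wording matched by `BANNER_HINTS` are assumptions; adjust them to your own export.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample rows; column names are assumed, check them against your export.
SAMPLE_CSV = '''Plugin ID,CVE,Risk,Host,Protocol,Port,Name,Description
90001,CVE-0000-0001,High,10.0.0.5,tcp,443,Example web server < 2.4.99,Nessus has relied only on the application's self-reported version number.
90001,CVE-0000-0002,High,10.0.0.5,tcp,443,Example web server < 2.4.99,Nessus has relied only on the application's self-reported version number.
90002,CVE-0000-0003,Critical,10.0.0.7,tcp,22,Example package update missing,Local check of the installed package list.
90003,,None,10.0.0.7,tcp,22,Service detection,Informational.
'''

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# Heuristic (assumption): wording that suggests a version-only, banner-style check.
BANNER_HINTS = ("self-reported version", "banner")

def build_tickets(csv_text):
    """Collapse per-CVE rows into one ticket per (host, port, plugin)."""
    grouped = defaultdict(lambda: {"cves": set(), "verify_on_host": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] not in SEVERITY_ORDER:      # drop informational rows
            continue
        t = grouped[(row["Host"], row["Port"], row["Plugin ID"])]
        t.update(host=row["Host"], port=int(row["Port"]), protocol=row["Protocol"],
                 plugin_id=row["Plugin ID"], title=row["Name"], severity=row["Risk"])
        if row["CVE"]:
            t["cves"].add(row["CVE"])
        desc = row["Description"].lower()
        t["verify_on_host"] = t["verify_on_host"] or any(h in desc for h in BANNER_HINTS)
    tickets = []
    for t in grouped.values():
        t["cves"] = sorted(t["cves"])              # sets are not JSON-serialisable
        tickets.append(t)
    tickets.sort(key=lambda t: (SEVERITY_ORDER[t["severity"]], t["host"], t["port"]))
    return tickets

if __name__ == "__main__":
    print(json.dumps(build_tickets(SAMPLE_CSV), indent=2))
```

Tickets with `verify_on_host` set are the ones to check against the package manager (or an authenticated scan) before filing, since a distro backport can fix the issue without changing the advertised version.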
I second the use of OpenVAS since it's free and can be useful as a second set of scanning eyes when added to a paid scanner.
The free AlienVault OSSIM requires more setup but comes with OpenVAS inbuilt in addition to network scanning, open source threat intelligence and some correlation directives to detect threats in your environment. They have a paid version too just like Nessus/OpenVAS.
AlienVault is actually a budget "SOC" tool with asset discovery, vulnerability assessment, behavioral monitoring, intrusion detection, and SIEM functionality.
Thanks to everyone for their input - it's most welcome. We're currently evaluating OpenVAS to see if it fits the bill for us and we've been dipping in and out of Metasploit in a lab environment for some time.
I'm keen that we now move things on and start to build our internal skills and capabilities. I will post some updates if people would find it useful.
Thanks again for all the replies
QualysGuard is something I have used for years and that'll cover the lower layers of your cake plus will identify any devices on your network... and you want to know what is on there, trust me.
Qualys formed an essential part of the onboarding of new technology. Things you never think about like MFD printers, network-connected sensors, physical security boxes, your CCTV... the list is endless.
I would add to it with automated tools and never forget that skills and time will always be necessary...
Now, if you are happy to find only activities which are supposed to be visible on network layer, you can try to survive with any network level scanner.
On the other hand they say that most attacks (breaches) today happen on the application level, so I would consider to do something there too.
After a while you are bored with scanning anyhow and will try to automate that to get meaningful results that you can act upon. And then it might be time for other tools, like a proper SIEM...