What Is Passive Vulnerability Detection?

What Is Passive Vulnerability Detection?

In this article, we explain what Passive Vulnerability Detection (PVD) is, provide an overview on the PVD methodologies and discuss its relative strengths and weaknesses as compared to the Active Vulnerability Scanning (AVS).

Contents of The Article hide
1 What is a Security Vulnerability?
2 Vulnerability Detection Methods
3 AVS vs. PVD
4 Final Remarks

What is a Security Vulnerability?

In cyber security, a vulnerability is a flaw or weakness in a system that could be exploited by a threat vector and lets the adversary bypass the implemented protection mechanisms with respect to confidentiality, integrity and availability. Vulnerabilities can allow attackers to gain unauthorized access to resources, steal, modify or destroy data, install malware etc.

Other definitions of security vulnerability as described in standards or other resources are as follows:

  • National Institute of Standards and Technology (NIST): A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
  • ISO 27005: A weakness on an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization’s mission.
  • IETF RFC 4949: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.
  • European Union Agency for Cybersecurity (ENISA): The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.

Vulnerability Detection Methods

Vulnerability identification is an indispensable process of every cyber security program. There are two methods to identify vulnerabilities on a system: Active Vulnerability Scanning (AVS) and PassiveVulnerability Detection (PVD).

AVS involves scanning hosts on the networks intrusively to detect known flaws or weaknesses that could be exploited by malicious actors. To help in detecting vulnerabilities in anautomated way, tools known as vulnerability scanners are used. Just like an antivirus software, vulnerability scanners include a database of known security issues and check the systems being scanned against this database.

For detecting vulnerabilities, network-based AVS usually follow the steps described below:

  1. Identify the hosts that are up and running.
  2. Conduct port scans on the identified hosts to determine open ports and the transport layer protocols.
  3. Identify the operating system or the firmware of the host via fingerprinting.
  4. Identify the running services and installed software using a variety of methods such as banner grabbing, behavior analysis or reading system file/configuration data.
  5. Use signature matching to determine presence of known vulnerabilities.

Depending on the scanning configuration, AVS can further probe the hosts via exploiting the identified vulnerabilities to reduce their false positive results.

Passive Vulnerability Detection (PVD) on the other hand, is a technique that relies on the data captured via passively to determine running services and installed software on a system, rather than actively interacting or probing the hosts on the network. Upon discovery of the running services and installed software on the hosts, vulnerabilities are identified via comparing each existing product or service against a vulnerability database, such as National Vulnerability Database (NVD.)

There are 3 methods to identify open ports, runnings services and installed software in a system using the PVD approach. These are:

  1. Passive Network Monitoring
  2. Reading System Logs and Configuration Files
  3. Reading Data from Inventory Management Systems

In the first method, data is captured via a number of techniques, such as connecting to the span ports of the switches or via integrating with Intrusion Detection Systems. This method is limited to detect only software or services that generate traffic on the networks and requires considerably long monitoring durations for high coverage rates. For this reason, passive network monitoring method can miss existing vulnerabilities on the scanned systems if an installed application is not run or or do not generate traffic on the network during the monitoring period.

In the second PVD method, operating system and application logs and configuration files are analyzed to determine the running services and the installed software on the hosts.

In the last PVD method, inventory management systems are leveraged as a data repository for the installed applications on the host in a given network.

AVS vs. PVD

In this section, we provide a comparison of AVS and PVD methods, and discuss their relative strengths and weaknesses. As discussed previously, AVSs send transmissions to the nodes on the networks and examine the responses they receive to determine the existence of vulnerabilities and identify the weak points in the network. PVD on the other hand, allows security practitioners to assess the vulnerabilities on a system without interfering with the client or server. It facilitates already available asset and product information on the inventory and patch management systems to deduce the existing vulnerabilities. In this regard, PVD potentially offers significant advantages over AVS. These advantages are explained in more detail below:

Coverage: A vulnerability assessment tool’s capability is based solely on its database of known exploits. At the time of writing of this post, there exists 161,000+ CVEs at theNVD. However, one of the leading vulnerability scanners, i.e. Nessus, as an example of AVS tools, declares on its official website that only 58,000+ CVEs (35% of all the CVEs available at the NVD) are covered by the scanning scripts. PVD on the other hand, can cover all the known vulnerabilities that are contained at the vulnerability databases or vulnerability intelligence repositories.

Timeliness: AVS needs to use the most recent vulnerability database to cover the latest vulnerabilities. However, even in this case, the completeness of the scanning results is questionable as the creation of test scripts for recently disclosed vulnerabilities takes time. A similar issue also exists for PVD when using NVD for CVE feeds. This is due to the fact that there is a variable period of delays between when a product identifier (Common Product Enumeration – CPE) is reserved for a vulnerability and when it gets published on the NVD.

Visibility: Incomplete or inaccurate network visibility is another issue that the security professionals often experience when conducting AVSs behind the firewalls. In this case, AVSs will often miss running services (false negatives) when TCP probing packets are blocked and will return false positives in the case that firewalls do not respond to UDP probes. Similarly, systems that are offline during the scanning can not be detected by AVS. In contrast to AVS, PVD is not affected from such visibility issues as there is no interaction with the network

Speed: AVSs perform a multitude of tests to enumerate installed applications and running services in order to identify the relevant vulnerabilities. This could could take considerable amount of time, depending on the size of the network and the configuration of the scans, i.e. how detailed the scanning is. However, using PVD, overall performance of detection could be increased significantly since PVD can identify vulnerabilities without the additional scanning effort.

Scalability: For the AVS, the larger the network size is, the longer the scanning period. However, deducing vulnerability information passively from a database of CVEs and CPEs is not as sensitive to the network size in the case of PVD.

Side Effects: AVS needs to send packets on the network in order to communicate with or probe the nodes on the network. In doing so, AVS consumes considerable amount of network bandwidth, potentially slowing the network’s performance. Additionally, scanning scripts can alter the current state of the scanned hosts and the active network devices, which in turn may disrupt the services running on them, such as taken out switches, routers or malfunctioning servers etc. PVD eliminates such network interruption issues as no host is ever touched or probed since all the required data are retrieved from the existing inventory/patch management solutions.

Scanning Intervals: As a result of the long scanning periods and undesired potential side effects, AVS are usually carried out in intervals, such as weekly or monthly. This time intervals between the scans are critical because they prevent security professionals from seeing the current and up-to-date network vulnerability status (a.k.a. the outdated results problem) and leave networks exposed to new threats during these intervals. In contrast, PVD allows for continuous monitoring and offers live vulnerability and host information on the network.

Insecure Configuration Vulnerabilities: Sometimes, a vulnerability is caused by an improper security configuration, rather than the inherent security flaws inthe product. Such vulnerabilities could exist due to default product configurations or could be introduced later by users via changes made to the default configurations. Not changing the default product passwords or using weak passwords are two classical examples for insecure configuration vulnerabilities. The PVD techniques that leverages passive network monitoring and inventory management systems are not capable of detecting insecure configuration vulnerabilities. However, incorporating the PVD technique that inspects configuration files for vulnerability detection can eliminate this deficiency. AVS on the hand, can detect such vulnerabilities via intrusive probes on the targets as long as such scanning scripts exist in their libraries.

Reliability: Both AVS and PVD can potentially return CVE results that actually do not exist on the hosts (false positives) or can overlook existing CVEs (false negatives). For the AVS, inaccurate vulnerability results mostly stem from the coverage and visibility issues discussed previously. Additionally, the reliability of AVS is significantly affected depending the scans being conducted with credentials (authenticated) or without credentials (unauthenticated). For the PVD, the reliability of the results mostly depends on the discovering the product inventory accurately. Additionally, correctness and completeness of the data in the vulnerability databases contributes significantly to produce reliable results.

Quote by James Snook
Quote by James Snook

My message to companies that think they haven’t been attacked is: ‘You’re not looking hard enough.’

James Snook

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

Final Remarks

In article, we explained what Passive Vulnerability Detection (PVD) and compared it against the traditional approach of Active Vulnerability Scanning (AVS) to discuss their relative strengths and weaknesses. In general, PVD has several advantages over AVS, such as being non-intrusive, very fast and more trustable with respect to the results it generates. However, they are two different techniques and PVD is not a replacement for AVS. Rather, it should be viewed as a separate, but complementary technique that can be used to increase the coverage and the reliability of the vulnerabilities that can be detected on the networks.

If you would like to learn more about vulnerabilities, you could also read our articles What Is a Security Vulnerability? or Why We Need to Change Our Current Vulnerability Scanning Practice?