Autonomic Security Operations (ASO) Training: Continuous Response

Written by Netenrich | Sep 26, 2023 1:37:48 PM

In this video, we demonstrate how to search for data and information of interest within the ActOn interface. The example we present reveals a current cybersecurity vulnerability (CVE) affecting an open SSH instance and shows how to go deeper: examine the relevant signals, identify linked assets, and analyze why the assets are accessible to the internet.

 


Transcript of the video:

From the ActOn screen, we can search and identify information and look for data that may be of interest. For example, in this case, I'm going to search for an SSH problem. If I scroll down, I can see that I've got a current CVE that's affecting an open SSH instance. I can look through the relevant signals and determine where this is coming from, and even determine what assets are associated with it. Normally, this would be an opportunity to patch it where we would simply go through, patch the service, and correct the action. However, this does not solve the root problem.

When we start talking about root cause analysis, we start having to ask the question, why is this exposed to the internet in the first place? What is the business use or what is the business case? Now we can take a closer look and see if there's anything else in the attack surface exposures that's similar. Turns out we have not one, but two different servers that are exposed to the internet and that have this vulnerability. So yes, you could patch them. 

But the larger problem, the root cause analysis here, is that we have these two servers exposed to the internet. Now, from a business use case perspective, we most likely do not want these exposed and should instead correct the problem by pushing administrators or users to access these systems through a VPN and closing the servers off from the internet. That way, we've improved our overall capabilities from the security perspective because we've reduced the exposure surface.