REDHUNT LABS
DISCOVER. ATTACK. REPEAT
NVADR Documentation
This documentation gives a detailed understanding of the features of NVADR and illustrates the third-party integrations that come with it.
NVADR is a SaaS-based attack surface management (ASM) platform that lets users continuously discover and track their attack surface. The platform continuously tracks and discovers assets related to your organization and identifies security risks and exposures before attackers do. It does this using the billions of asset-owner relationships built by hundreds of our bots deployed across the internet.
NVADR is a combination of six modules that together provide a complete attack surface management solution. Each module comes with an array of features. This document describes each module and the actions that can be performed in the platform.
TERM | DEFINITION |
---|---|
Asset | In NVADR, "asset" means a digital (software-defined) asset. Assets are operational entities: domains, IP addresses, Docker containers, cloud keys, associated buckets, and more. |
Tags/Asset Tags | Tags carry information about particular data, items or responses observed for an asset. |
Possible Risks | Vulnerabilities found in the discovered attack surface, e.g. security misconfigurations or outdated systems. |
First Seen | The scan date on which the asset was first discovered. |
Last Seen | The scan date on which the asset was most recently observed. |
Ports | Numbered logical endpoints on an asset that identify a particular process or service (for example, 443 for HTTPS). |
Severity | The severity NVADR assigns to a discovered security risk instance. Instances can be filtered by severity. |
An organization's attack surface is the set of its digital assets reachable from the internet. As technology has evolved, the extent of an organization's assets has grown, and with it the attack surface. The first step in protecting the attack surface is to identify it.
NVADR's attack surface module discovers all the assets of an organization and lists them by pre-defined asset type. The asset types are chosen based on the most common kinds of asset that can be discovered.
The attack surface module is further divided into:
Third-party assets are services or tools used by an organization but provided by another organization, with or without a contract. They can also be defined as assets of an organization that are owned by a third-party vendor. Cloud-based software services, cloud web hosting, project management tools, CRM tools and communication tools are a few examples of third-party assets.
Identifying an organization's own assets is already a tedious task, so discovering its third-party assets is even more challenging. NVADR discovers the third-party attack surface your organization is connected to and lists it under this module.
Screenshots are images of the responses or content served on different ports of the discovered assets, including unexpected ones. The screenshots module has two tabs: asset application screenshots and possible third-party associations.
Asset application screenshots are captures of the responses served by assets belonging to the organization.
Possible third-party associations are captures of the discovered third-party assets.
Data leaks are unintentional information disclosures. When sensitive data is accidentally exposed on the internet or on a third-party platform, it is considered a data leak. The main cause of data leaks is poor data security practice. It is crucial to detect and resolve data leaks before an unauthorized party finds them, as data leaks also increase the risk of data breaches.
NVADR's data leak detection feature looks across the organization's discovered attack surface and identifies data leaks. With continuous scans and identification of data exposure, this feature helps improve an organization's data security.
NVADR has a set of pre-defined filters that identify and list the most commonly occurring kinds of data leak; these filters speed up the process.
Security risks are vulnerabilities found in the discovered assets. They should be resolved at the earliest opportunity, as they can lead to data breaches and other cyber threats.
NVADR has a list of pre-defined security risk categories for fast and easy identification, ranging from exposed sensitive data to expired licenses.
Actions
Mute instance: To mute an instance, click the bell icon. The mute instance pop-up appears with a confirmation message and a link to unmute; the link leads to the settings page where muted instances are listed and can be deleted (which unmutes them). Click OK to confirm; a success notification is shown.
Once an instance is muted, the user is not notified about it in subsequent scans. Muting only suppresses the notification; it does not fix the underlying exposure, so mute only confirmed false positives or accepted risks.
Send to issue tracker: The security risks module lets users send a security risk instance to the issue tracker. The issue tracker is an NVADR feature that lets admin users assign an issue (for resolution) to other defined users.
In the list layout, an arrow icon sits at the right-hand end of each security risk instance. Click the arrow icon to send the instance to the issue tracker. The send to issue tracker pop-up appears, showing the category of the selected instance and a field to assign a priority. Priority indicates how urgently the issue is to be resolved. Select the priority level and click Add.
Instances with critical and high severity are sent to the issue tracker automatically.
In the table layout, multiple instances can be sent to the issue tracker at once: select the checkboxes of the instances to be tracked, click the send to issue tracker button at the top right corner of the screen, assign the priority in the pop-up and click Add. The selected instances are sent to the issue tracker.
Note: Security risk instances already present in the issue tracker cannot be sent again.
The issue tracker lets the user monitor progress in resolving a discovered security risk. Security risk instances with critical and high severity are sent to the issue tracker by default; under the security risks module, the user can also send any listed instance to the issue tracker.
All issues are displayed in a list. Each issue can be assigned to a defined user within the organization.
Assign: Based on progress in resolving the issue, its status can be updated to open, in progress, closed or won't fix. The priority level of an issue can also be set based on the severity of the vulnerability.
The Kanban board provides a more user-friendly way to update the status of an issue: simply drag and drop an issue card into the container for its new status.
NVADR needs very little information from an organization to discover its assets and identify data leaks and security risks. This minimum information is called seed information. The organization's parent domain is the required seed information.
The data leaks and security risks modules provide a mute instance option. The user can mute any instance; muted instances do not appear in future scans.
Under this module, all muted instances (from the data leaks and security risks modules) are displayed in a list, grouped under their corresponding sections, i.e. security risks and data leaks.
Communication channels used at your organization can be integrated with NVADR. Currently NVADR supports integration with Slack. By integrating Slack, you receive notifications for the events you have selected; events can be customised under preferences, which is explained later in this document.
Learn more about Slack integration here.
Integrate your JIRA account with NVADR to track progress in resolving any assigned issue.
Learn more about JIRA integration here.
The public API is an application programming interface that the platform owner provides to its clients. It is used to transfer information between NVADR and other systems programmatically.
In simple terms, the Team & Org module holds your organization profile settings. The organization details are displayed here. The organization admin can add other members of the organization to the NVADR platform; existing and new member details are displayed under this module.
Integrating communication channels with NVADR was described above. Under preferences you can customise the events for which you wish to receive notifications.
Once all the details are provided, click Send Details.
You will be required to select an Issue Type to complete the integration.
After the JIRA account is added to the NVADR platform, the next step is to configure the JIRA board: click the Configure option.
Drag and drop statuses to map each JIRA status to its NVADR status (open, in progress, closed, won't fix).
Click Update to save the changes.
You can now track your issue status through your JIRA account.
To discover resources in your AWS account, NVADR needs an IAM role in your account that it can assume. Follow the steps below to create the role with the required permissions and input.
Open the Roles section from the IAM page of the AWS Console.
Click Create Role.
Choose the AWS Account box.
Select the "Another AWS Account" radio button.
Enter NVADR's 12-digit Account ID (647087456535). This is the account that will be allowed to assume the role, so it must be correct: the trust policies further below show a different ID (675351422352), so confirm the current value with support@redhuntlabs.com before saving the role.
Select the Require external ID checkbox.
Provide a random string as the external ID (the trust policy below uses dijasduoheuhsoifh as a placeholder). Generate it from a cryptographically secure random source rather than typing a memorable string, keep a copy, and give the same value to NVADR. The external ID is what prevents a third party from getting NVADR to assume your role on their behalf (the confused-deputy problem).
Click Next.
In the Permission Policies section, click the Create Policy button, which opens a new page.
Click the JSON tab.
Paste the following JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["eks:*", "lightsail:*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["mediastore:Get*", "mediastore:List*", "mediastore:Describe*"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["route53:Get*", "route53:List*", "route53:TestDNSAnswer"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "s3-object-lambda:Get*", "s3-object-lambda:List*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["apigateway:*"], "Resource": "arn:aws:apigateway:*::/*"},
    {"Effect": "Allow",
     "Action": ["acm:ListCertificates", "cloudfront:DescribeFunction", "cloudfront:Get*",
                "cloudfront:List*", "iam:ListServerCertificates", "route53:List*",
                "waf:ListWebACLs", "waf:GetWebACL", "wafv2:ListWebACLs", "wafv2:GetWebACL"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeClassicLinkInstances", "ec2:DescribeSecurityGroups"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "arc-zonal-shift:GetManagedResource",
     "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"},
    {"Effect": "Allow",
     "Action": ["arc-zonal-shift:ListManagedResources", "arc-zonal-shift:ListZonalShifts"],
     "Resource": "*"},
    {"Sid": "AllowAPIs",
     "Effect": "Allow",
     "Action": ["acm:ListCertificates",
                "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribePolicies", "autoscaling:DescribeLoadBalancers",
                "autoscaling:DescribeNotificationConfigurations", "autoscaling:DescribeScalingActivities",
                "autoscaling:DescribeScheduledActions",
                "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks", "cloudformation:GetTemplate",
                "cloudformation:ListStackResources", "cloudformation:ListStacks",
                "cloudformation:ValidateTemplate",
                "cloudtrail:LookupEvents",
                "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
                "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                "ec2:DescribeKeyPairs", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates",
                "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeAvailabilityZones", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
                "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles",
                "iam:ListRolePolicies", "iam:ListRoles", "iam:ListServerCertificates",
                "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances",
                "rds:DescribeOrderableDBInstanceOptions", "rds:DescribeDBSnapshots",
                "s3:ListAllMyBuckets",
                "sns:ListSubscriptionsByTopic", "sns:ListTopics",
                "sqs:ListQueues"],
     "Resource": "*"},
    {"Sid": "AllowS3",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:GetObjectVersionAcl",
                "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::elasticbeanstalk-*"}
  ]
}
```
Every statement in this policy except those granting eks:*, lightsail:* and apigateway:* is limited to Describe, Get, List and similar read calls. Those three wildcards also grant create, modify and delete actions on their services; if your least-privilege policy does not allow that for an external discovery tool, ask RedHunt Labs which read-only actions the platform actually needs before attaching the policy.
When the Require external ID checkbox was selected, the role's trust policy looks like this (the account ID is NVADR's and the external ID is the value you entered):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::675351422352:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "dijasduoheuhsoifh"}}
    }
  ]
}
```
Without an external ID the trust policy has an empty Condition, so any principal in that account with permission to call sts:AssumeRole can assume your role without presenting a shared secret. This is not recommended:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::675351422352:root"},
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
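As an added example (not NVADR's code and not part of its documentation), the following Python script runs the two checks a reviewer would want before saving the role: that the trust policy limits sts:AssumeRole to one expected account and requires the external ID, and which actions in the permission policy go beyond the Describe/Get/List calls that discovery needs. The policies embedded in it are constructed samples: a trimmed copy of the permission policy above and the two trust documents, with a placeholder account ID (111122223333) and the placeholder external ID from the steps. The `new_external_id` helper shows how to generate an external ID from a secure random source instead of typing one; all function names are this example's own.

```python
"""Review checks for the cross-account IAM role NVADR asks you to create.

Added example, not NVADR's code. The policy documents below are constructed
samples (a trimmed copy of the documented permission policy and the two trust
documents) with a placeholder account ID; load your real ones with json.load.
"""
import secrets

# Verbs the IAM service authorization reference classifies as Read or List for
# the services in the documented policy (Elastic Beanstalk's Request/Retrieve
# EnvironmentInfo are classified Read).
READ_ONLY_VERBS = ("Describe", "Get", "List", "Check", "Lookup", "Test",
                   "Validate", "Request", "Retrieve")


def _as_list(value):
    """IAM accepts one string or a list in Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def new_external_id(nbytes=16):
    """External ID from the OS CSPRNG: 32 hex characters, not guessable."""
    return secrets.token_hex(nbytes)


def non_read_only_actions(policy):
    """Sorted list of allowed actions whose API name is not a read/list verb.

    'service:*' is always reported: it includes create, update and delete
    calls that an external discovery tool has no reason to hold.
    """
    flagged = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            api_name = action.split(":", 1)[1] if ":" in action else action
            if not api_name.startswith(READ_ONLY_VERBS):
                flagged.add(action)
    return sorted(flagged)


def check_trust_policy(policy, expected_account, expected_external_id):
    """Problems with a role trust policy; an empty list means it passes.

    Per Allow statement: only sts:AssumeRole is granted, the principal is
    exactly the expected account (no wildcard, no other account) and an
    sts:ExternalId condition carries the value you gave to NVADR.
    """
    problems = []
    expected_arn = f"arn:aws:iam::{expected_account}:root"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
        if extra:
            problems.append(f"unexpected action(s) granted: {extra}")
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not principals:
            problems.append("no AWS account principal in statement")
        for p in principals:
            if p == "*":
                problems.append("principal is a wildcard: any AWS account could assume the role")
            elif p not in (expected_arn, expected_account):
                problems.append(f"principal {p} is not the expected account {expected_account}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            problems.append("no sts:ExternalId condition: confused-deputy protection is missing")
        elif ext_id != expected_external_id:
            problems.append("sts:ExternalId does not match the value given to NVADR")
    return problems


# Constructed samples. ACCOUNT is a placeholder, not NVADR's account ID.
ACCOUNT = "111122223333"
EXTERNAL_ID = "dijasduoheuhsoifh"   # the placeholder from the documented steps

TRUST_WITH_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

TRUST_NO_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "sts:AssumeRole", "Condition": {}}]}

PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["eks:*", "lightsail:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["apigateway:*"], "Resource": "arn:aws:apigateway:*::/*"},
    {"Effect": "Allow", "Action": ["route53:Get*", "route53:List*", "route53:TestDNSAnswer"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["cloudtrail:LookupEvents", "s3:ListAllMyBuckets",
                                   "elasticbeanstalk:RequestEnvironmentInfo"], "Resource": "*"},
]}

if __name__ == "__main__":
    print("trust policy with external ID:", check_trust_policy(TRUST_WITH_ID, ACCOUNT, EXTERNAL_ID) or "OK")
    print("trust policy without external ID:", check_trust_policy(TRUST_NO_ID, ACCOUNT, EXTERNAL_ID))
    print("actions beyond read-only discovery:", non_read_only_actions(PERMISSIONS))
    print("a fresh external ID to use instead of a typed string:", new_external_id())
```

Run against the real documents, `non_read_only_actions` reports exactly the three service wildcards (eks, lightsail, apigateway), and `check_trust_policy` passes the first trust document and fails the second with the missing-external-ID finding. Swap the placeholder account for the ID RedHunt Labs confirms to you before relying on the trust check.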
Whenever NVADR finds a security risk that falls outside a designated range, it sends an event to a service in PagerDuty. Events from NVADR trigger a new incident on the corresponding PagerDuty service, or are grouped as alerts into an existing incident.
PagerDuty integrations require an Admin base role for account authorization. If you do not have this role, ask an Admin within your organization to configure the integration.
If you need help with this integration, please contact support@redhuntlabs.com.
Configuration
In PagerDuty:
From the Configuration menu, select Services.
There are two ways to add an integration to a service:
If you are adding the integration to an existing service: click the name of the service you want to add the integration to, then select the Integrations tab and click the New Integration button.
If you are creating a new service for the integration: follow PagerDuty's steps for creating a new service, selecting NVADR as the Integration Type in step 4, and continue with the In NVADR section (below) once you have finished these steps.
Enter an Integration Name in the format monitoring-tool-service-name (e.g. NVADR-Shopping-Cart) and select NVADR from the Integration Type menu.
Click the Add Integration button to save your new integration. You will be redirected to the Integrations tab for your service.
An Integration Key will be generated on this screen. Keep this key saved in a safe place; it is used to configure the integration with NVADR in the next section. Treat it as a credential: anyone holding it can raise incidents on the service.
In NVADR:
From the Settings tab, go to the Integrations menu.
Click the PagerDuty icon in the Notifications section and click the Add PagerDuty button.
How to uninstall:
From the Settings tab, go to the Integrations menu.
Click the PagerDuty icon in the Notifications section.
Click the Delete icon in front of it to uninstall the integration.