DHS CISA Exploited Vulnerabilities against CrowdStrike

DHS CISA maintains the "Known Exploited Vulnerabilities Catalog", which can be used by the US Government or by anyone else with an internet connection. It lists the CVEs that are confirmed to be exploited in the wild.

For DHS and other .GOV agencies, each entry also carries a "Due Date", the deadline by which remediation of that specific CVE must be completed.

For CrowdStrike customers, this complements Spotlight's ExPERT.ai very nicely.

No work has gone into comparing the catalog against CrowdStrike's ExPERT.ai (the suspicion is that the catalog is a more targeted subset of what ExPERT.ai covers), but we thought it would be neat to use Spotlight data to help measure "compliance" with the catalog's due dates.

Goals

Leverage the great work at FalconPy to take in Spotlight data and compare it against DHS CISA's catalog.

Provide simple output in CSV format, sorted by DHS CISA's Due Date field, to prioritize action. This data can then be further analyzed and visualized (e.g. Domo, PowerBI, Excel Pivot Tables, Google Sheets, etc.) to aid the customer's operations.

This is particularly useful for...

This project is for everyone; however, it is of particular use to those Departments and agencies (D/As) that are subject to CISA's due dates.

Installation

This project is written in Python and was tested against the latest version available when this was written, 3.10.1. Other Python 3 versions should work, although this has not been tested.

In addition to the Python environment, you need CrowdStrike API client credentials (a client ID and client secret); these are passed to the script as command-line arguments (see Usage).

Python

This project includes both a Pipfile and a requirements.txt file.

For those using Pipenv:

pipenv install to get the necessary python libraries/dependencies.

pipenv shell to then run commands inside that environment.

For everyone else:

pip install -r requirements.txt

Usage

In order to run this demonstration, you will need CrowdStrike API keys with the following scopes:

Service Collection          Scope
Hosts                       READ
Spotlight Vulnerabilities   READ

To use this application, run the following command line with the respective arguments: python3 main.py --client_id <client_id> --client_secret <secret>

If you are using GovCloud: python3 main.py --client_id <client_id> --client_secret <secret> --base_url usgov1

Note that passing the client secret on the command line exposes it to shell history and to anyone who can list processes on the host; use a dedicated API client with only the two READ scopes above, and rotate it if the host is shared.

If you have SSL validation issues, you most likely have a network device intercepting TLS traffic. If you can confirm this is the case, add the --ssl_verify False flag: python3 main.py --client_id <client_id> --client_secret <secret> --ssl_verify False. Be aware that this disables certificate checking for the CrowdStrike API calls entirely, so the script can no longer tell the interception device from a genuine man-in-the-middle; prefer trusting your proxy's CA in the Python environment over disabling verification, and never leave --ssl_verify False in a scheduled job.

Each run downloads the current Known Exploited Vulnerabilities catalog from CISA and joins it, by CVE ID, with the vulnerabilities that Falcon Spotlight reports for your hosts via the real-time API.
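The join and prioritization described above, written out as an added example; this is not the project's main.py and does not call the CrowdStrike API. The KEV sample below is constructed but uses the real field names of CISA's known_exploited_vulnerabilities.json (cveID, vendorProject, product, requiredAction, dueDate); the Spotlight sample is constructed in the shape this example assumes for FalconPy's SpotlightVulnerabilities.query_vulnerabilities_combined() resources (aid, status, cve.id, host_info.hostname). The CVE IDs are placeholders, not real vulnerabilities. In the live tool the two inputs would come from an HTTP GET of the CISA feed and from paging through the Spotlight combined query; everything after that point is the logic shown here.

```python
"""Join a CISA KEV catalog snapshot with Falcon Spotlight findings, prioritize by CISA due date.

Added example: constructed sample data, no network access, not the project's own code.
"""
import csv
import io
import json
from collections import defaultdict
from datetime import date

# Constructed snapshot in the shape of CISA's known_exploited_vulnerabilities.json.
# Field names are the catalog's real ones; CVE IDs and values are placeholders.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "WebGateway",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2099-03-01"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "Agent",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2099-01-15"},
        {"cveID": "CVE-2099-0004", "vendorProject": "OtherVendor", "product": "Router",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2099-02-01"},
    ],
})

# Constructed Spotlight records (assumed shape of the combined vulnerabilities resources).
# Note: one CVE is not in KEV, and one KEV CVE appears only as a closed finding on a host.
SPOTLIGHT_RESOURCES = [
    {"aid": "aid-1111", "status": "open",   "cve": {"id": "CVE-2099-0001"}, "host_info": {"hostname": "web-01"}},
    {"aid": "aid-2222", "status": "open",   "cve": {"id": "CVE-2099-0001"}, "host_info": {"hostname": "web-02"}},
    {"aid": "aid-1111", "status": "open",   "cve": {"id": "CVE-2099-0003"}, "host_info": {"hostname": "web-01"}},
    {"aid": "aid-3333", "status": "closed", "cve": {"id": "CVE-2099-0002"}, "host_info": {"hostname": "db-01"}},
    {"aid": "aid-4444", "status": "open",   "cve": {"id": "CVE-2099-0002"}, "host_info": {"hostname": "db-02"}},
]

CSV_FIELDS = ["dueDate", "cveID", "vendorProject", "product", "requiredAction", "affectedHostCount", "aids"]


def load_kev(raw_json: str) -> dict:
    """Index the catalog by upper-cased CVE ID so the join is a dict lookup, not a scan."""
    catalog = json.loads(raw_json)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def join_spotlight_with_kev(resources, kev, include_statuses=("open", "reopen")) -> dict:
    """Map each KEV CVE seen in Spotlight to the set of host AIDs still affected.

    Closed/expired findings are skipped so already-remediated hosts do not inflate the count.
    """
    matches = defaultdict(set)
    for rec in resources:
        if rec.get("status") not in include_statuses:
            continue
        cve_id = (rec.get("cve") or {}).get("id", "").upper()
        if cve_id in kev:
            matches[cve_id].add(rec["aid"])
    return dict(matches)


def prioritized_rows(matches: dict, kev: dict) -> list:
    """One row per matched CVE, earliest CISA due date first (ISO dates sort lexically)."""
    rows = []
    for cve_id, aids in matches.items():
        entry = kev[cve_id]
        rows.append({
            "dueDate": entry["dueDate"],
            "cveID": cve_id,
            "vendorProject": entry["vendorProject"],
            "product": entry["product"],
            "requiredAction": entry["requiredAction"],
            "affectedHostCount": len(aids),
            "aids": ";".join(sorted(aids)),
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


def overdue(rows: list, today: date) -> list:
    """Rows whose CISA due date has already passed as of `today`."""
    return [r for r in rows if date.fromisoformat(r["dueDate"]) < today]


def to_csv(rows: list) -> str:
    """Render the prioritized rows as CSV text (header first), ready for Excel/Sheets/BI tools."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    rows = prioritized_rows(join_spotlight_with_kev(SPOTLIGHT_RESOURCES, kev), kev)
    print(to_csv(rows))
    print("overdue as of 2099-02-01:", [r["cveID"] for r in overdue(rows, date(2099, 2, 1))])
```

The join deliberately counts hosts per CVE rather than findings per host: a CISA due date is per CVE, so the row you act on is "this CVE is overdue on N hosts", and the aids column carries the host list for follow-up in the Spotlight console. Filtering on Spotlight status before the join matters; without it, a host that was patched yesterday still shows up as a compliance gap.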

Limitations

This code reports the unique host identifiers (AIDs) that match a catalog entry. It does not show which application on a given host introduces the vulnerability; for that, use the Spotlight console, which lets you prioritize against the application owner.

About the author

Andrew Harris is currently the Sr. Director of Technology Strategy for CrowdStrike's Public Sector.

Example source code

The source code for this example can be found here.
