
Discovery Scan Configuration



Purpose

This document serves to improve understanding of the role that discovery scans play in enhancing the security and resilience of an organization's digital infrastructure. Its aim is to provide a comprehensive overview of the objectives and configurations of Asset Discovery.

Introduction

Discovery scans serve as the foundation for proactive cybersecurity measures. They play a pivotal role in identifying the assets within the network, regardless of whether those assets are found through network, cloud, or Docker image scans. Together these scans give a holistic view of the digital landscape and lay the groundwork for more comprehensive assessments. Each method offers a distinct perspective on asset identification.

Two types of scans can be performed:

  • Asset Discovery scans

  • Assessment scans

It is recommended to perform discovery scans to get an overview of the assets on the network and assessment scans to understand the vulnerabilities on those assets.

Asset Discovery

Asset Discovery enumerates the hardware and software assets within an organization's network infrastructure. The goal of Asset Discovery is to provide a comprehensive view of an organization's IT assets that can then be used when setting up Vulnerability Scanning.

Asset Discovery is an essential component of network security and risk management, and is performed with the help of automated tools that scan an organization's network to provide a detailed report of all detected assets.

Docker Image Discovery

A Docker image is a file used to execute code in a Docker container. Docker images act as a set of instructions to build a Docker container, like a template. Docker images also act as the starting point when using Docker. An image is comparable to a snapshot in virtual machine (VM) environments.

Docker Image Discovery enumerates Docker images within a registry using the provided credentials and the Docker Registry HTTP API V2.


Prerequisite

Prior to running a Docker discovery, make sure you have created the Docker credentials.

Running the Scan

A Docker Registry discovery retrieves image information such as name, OS, architecture and size from a private Docker Registry.

Only images carrying the latest tag are discovered; this limits the number of Docker images and improves visibility.
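The following is an added example (not Outpost24 code) of the enumeration described above, written against the Docker Registry HTTP API V2: it lists the catalog, keeps only repositories that carry a latest tag, resolves that tag's manifest and config blob, and reports name, OS, architecture and compressed size. The registry contents, credentials and HTTP basic authentication are assumptions; a registry that issues bearer tokens would need a different Authorization header. The constructed in-memory registry at the bottom stands in for the real endpoint so the example runs offline.

```python
import base64
import json
import urllib.request

# Media types a V2 registry may return for GET /v2/<name>/manifests/<ref>.
MANIFEST_ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])


def make_http_fetcher(base_url, username, password):
    """Return fetch_json(path) that GETs <base_url>/v2/<path> with HTTP basic
    credentials. Assumed auth scheme; token-based registries differ."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch_json(path):
        req = urllib.request.Request(f"{base_url.rstrip('/')}/v2/{path}")
        req.add_header("Authorization", f"Basic {auth}")
        req.add_header("Accept", MANIFEST_ACCEPT)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch_json


def _image_record(fetch_json, repo, manifest):
    """One record from a single-platform manifest. Size is the compressed size
    of config plus layers as declared in the manifest; OS and architecture
    come from the image config blob referenced by the manifest."""
    config = fetch_json(f"{repo}/blobs/{manifest['config']['digest']}")
    size = manifest["config"]["size"] + sum(layer["size"] for layer in manifest["layers"])
    return {"name": repo, "tag": "latest", "os": config.get("os"),
            "architecture": config.get("architecture"), "size": size}


def discover_latest_images(fetch_json):
    """Walk the catalog and return a record for every 'latest'-tagged image."""
    records = []
    for repo in fetch_json("_catalog").get("repositories", []):
        # A repository with no tags returns "tags": null, hence the 'or []'.
        tags = fetch_json(f"{repo}/tags/list").get("tags") or []
        if "latest" not in tags:
            continue  # same 'latest'-only rule as the discovery scan
        manifest = fetch_json(f"{repo}/manifests/latest")
        if "manifests" in manifest:
            # Multi-platform index: resolve each platform manifest by digest.
            for entry in manifest["manifests"]:
                platform_manifest = fetch_json(f"{repo}/manifests/{entry['digest']}")
                records.append(_image_record(fetch_json, repo, platform_manifest))
        else:
            records.append(_image_record(fetch_json, repo, manifest))
    return records


# Constructed in-memory registry (sample data, not a real registry).
FAKE_REGISTRY = {
    "_catalog": {"repositories": ["web/app", "tools/old"]},
    "web/app/tags/list": {"name": "web/app", "tags": ["1.2", "latest"]},
    "tools/old/tags/list": {"name": "tools/old", "tags": ["1.0"]},
    "web/app/manifests/latest": {
        "schemaVersion": 2,
        "config": {"size": 1500, "digest": "sha256:cfg-example"},
        "layers": [{"size": 1000, "digest": "sha256:layer-1"},
                   {"size": 2000, "digest": "sha256:layer-2"}],
    },
    "web/app/blobs/sha256:cfg-example": {"os": "linux", "architecture": "amd64"},
}


def fake_fetch(path):
    """Offline stand-in for make_http_fetcher(...)."""
    return FAKE_REGISTRY[path]


if __name__ == "__main__":
    for record in discover_latest_images(fake_fetch):
        print(record)
```

Against a real registry, replace fake_fetch with make_http_fetcher("https://registry.example.invalid", user, password); tools/old is skipped because it has no latest tag, which is exactly the visibility trade-off the page describes.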

To perform a Docker discovery:

  1. Go to Toolbar.

  2. Expand Configurations.

  3. Select Scan Configurations.

  4. Select Docker image discovery.


  5. Fill in the required information.

  6. Select a scanner.

  7. Click on ADD to save the newly created configuration.

  8. Select the scan configuration and click the scan now icon in the blue toolbar at the bottom right to run a Docker image discovery scan.


  9. View the scan status under Toolbar/ Scans.

  10. View the discovered Docker images under Assets. They are shown in the list of assets with the filter 'source' set to Cloudsec and the type set to Docker Image.


Network Discovery

A Network Discovery scan identifies and lists all the hardware and software assets within an organization's network infrastructure by sending packets over multiple protocols such as ARP/ICMP/TCP/UDP. If the scanner gets anything back from the target, the target is confirmed to be alive.

Setting up a Network Discovery Scan

Running the Scan

To configure a Network discovery scan:

  1. Select the Network discovery radio button.

  2. Enter a Name for the configuration.

  3. Enter Targets for the configuration. These can be IPv4, IPv6, hostname, IPv4-CIDR or IPv4-range entries, separated by newlines.

  4. Choose a scanner from the drop-down menu.

  5. Click the ADD button to save the configuration.

Reporting Settings - Packet filter

In the Discovery Scan Settings UI, you can deselect a specific protocol that you do not want the scan to use. However, this only stops the scanner from explicitly sending requests with that protocol; it does not stop a target from being marked alive on related traffic that arrives anyway. As a result, targets may still trigger on protocols that are deselected in the UI.

With the advanced report filtering option, you can run a discovery scan but ignore any traffic matching a Berkeley Packet Filter (BPF) expression that you add.


BPF Expression Syntax

Refer to https://biot.com/capstats/bpf.html [1] for syntax.

Use Cases

Sometimes, even if you do not send an Address Resolution Protocol (ARP) message, you may still get an ARP response which marks the target as alive. By setting a filter to remove the ARP messages, the scanner will not report on ARP responses.

Examples

Example 1

Scan results without packet filter.


Example 2

Scan results using the packet filter to filter out TCP RST packets: "tcp[13] & 0x04 != 0"


Example 3

Scan results using the packet filter to capture TCP RST packets: "not (tcp[13] & 0x04 != 0)"

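To make the two filter expressions above concrete, here is an added example (not Outpost24 code) that builds a few constructed TCP headers, reads the flags byte that BPF addresses as tcp[13], and applies the page's "ignore traffic matching the filter" rule. It evaluates only the byte-test subset of BPF used in Examples 2 and 3 (tcp[offset] & mask != 0, optionally wrapped in not (...)), not the full BPF language; the packet labels and ports are made up.

```python
import re
import struct

# Flag bits in the byte at offset 13 of a TCP header (what BPF's tcp[13] reads).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(src_port, dst_port, flags):
    """Minimal 20-byte TCP header with the given flag bits and no options.
    Field order: sport, dport, seq, ack, data offset, flags, window, csum, urg."""
    data_offset = 5 << 4  # 5 x 32-bit words, stored in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 65535, 0, 0)


# Accepts   tcp[N] & MASK != 0   and   not (tcp[N] & MASK != 0)
_FILTER_RE = re.compile(
    r"^\s*(?P<neg>not\s*\(\s*)?tcp\[(?P<off>\d+)\]\s*&\s*"
    r"(?P<mask>0x[0-9a-fA-F]+|\d+)\s*!=\s*0\s*(?P<close>\))?\s*$"
)


def compile_filter(expression):
    """Turn a byte-test filter expression into a predicate over a TCP header.
    Only the subset shown in the examples is supported; anything else raises."""
    m = _FILTER_RE.match(expression)
    if not m or bool(m.group("neg")) != bool(m.group("close")):
        raise ValueError(f"unsupported filter: {expression!r}")
    offset, mask = int(m.group("off")), int(m.group("mask"), 0)
    negate = m.group("neg") is not None

    def predicate(header):
        hit = (header[offset] & mask) != 0
        return (not hit) if negate else hit

    return predicate


def reported_hosts(packets, expression):
    """Labels of packets that still mark a host alive under the report filter:
    a packet matching the expression is ignored, every other packet is reported."""
    matches = compile_filter(expression)
    return [label for label, header in packets if not matches(header)]


def sample_packets():
    """Constructed responses a discovery probe might see (sample data)."""
    f = TCP_FLAGS
    return [
        ("syn-ack from open port", build_tcp_header(80, 40000, f["SYN"] | f["ACK"])),
        ("rst-ack from closed port", build_tcp_header(81, 40001, f["RST"] | f["ACK"])),
        ("bare rst", build_tcp_header(82, 40002, f["RST"])),
    ]


if __name__ == "__main__":
    for expr in ("tcp[13] & 0x04 != 0", "not (tcp[13] & 0x04 != 0)"):
        print(expr, "->", reported_hosts(sample_packets(), expr))
```

With Example 2's expression only the SYN/ACK response is reported, so a closed port that answers with RST no longer marks its host alive; with Example 3's negated expression the situation inverts and only the RST responses are reported.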

Additional Resources

Berkeley Packet Filter [2]

Cloud Discovery

A Cloud Discovery scan enumerates the instances in cloud environments (currently AWS) without sending network traffic; instead it uses the provided AWS credentials to query the AWS REST APIs.

Run the Cloud Discovery Scan

To configure a Cloud discovery scan:

  1. Go to Toolbar.

  2. Expand Configurations.

  3. Select Scan Configurations.

  4. Select Cloud discovery.



  5. Select Credentials from the drop-down menu.

  6. Select Regions.


  7. Choose a scanner.

  8. Click the blue ADD button to save the configuration.

  9. Select the scan configuration and click the scan now icon in the blue toolbar at the bottom right to run a Cloud discovery scan.

  10. View the scan status under Main menu > Scans.


  11. View the discovered assets under Assets. They are shown in the list of assets with the filter 'source' set to Cloudsec and the type set to Docker Image.



Discovery Tagging

When configuring a discovery scan, you can set tags that are applied to the assets it finds. There are two different ways the tags can be applied:

  • The tags given in Add the following tags to discovered assets are added to all discovered assets.

  • The tags given in Set the following tags to only exist on discovered assets are first removed from all assets and then added to all assets found by the discovery.


The second option removes the tag from every asset you have, so do not use it for tags that you rely on across different configurations.
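The difference between the two options, and the side effect of the second one, as an added example (not Outpost24 code, and not the portal's data model): the inventory is a constructed dict of asset id to tag set, and assets_that_lost_tags shows which assets outside the current discovery were affected.

```python
def apply_discovery_tags(assets, discovered, add_tags=(), exclusive_tags=()):
    """Apply the two tagging options to an inventory (asset id -> set of tags).

    add_tags        models 'Add the following tags to discovered assets'
    exclusive_tags  models 'Set the following tags to only exist on discovered assets'
    The inventory is updated in place and returned.
    """
    # Exclusive tags are stripped from every asset first, including assets
    # that some other scan configuration tagged and that this scan never saw.
    for tag in exclusive_tags:
        for tags in assets.values():
            tags.discard(tag)
    # Both kinds of tag are then added to the assets this discovery found.
    for asset_id in discovered:
        tags = assets.setdefault(asset_id, set())
        tags.update(add_tags)
        tags.update(exclusive_tags)
    return assets


def assets_that_lost_tags(before, after):
    """Ids whose tag set shrank: the collateral effect of an exclusive tag."""
    return sorted(a for a in before if not before[a] <= after.get(a, set()))


def demo():
    # Constructed inventory: srv-02 carries 'dmz' from another configuration.
    inventory = {"srv-01": {"prod", "dmz"}, "srv-02": {"dmz", "backup"}, "srv-03": set()}
    before = {k: set(v) for k, v in inventory.items()}
    after = apply_discovery_tags(inventory, ["srv-01", "srv-03"],
                                 add_tags={"disc-q3"}, exclusive_tags={"dmz"})
    return after, assets_that_lost_tags(before, after)


if __name__ == "__main__":
    after, lost = demo()
    print(after)
    print("assets that lost a tag:", lost)
```

Running demo shows srv-02 losing its dmz tag even though it was not part of this discovery; that is the case the warning above refers to, and it is why a tag shared across configurations belongs in the first option, not the second.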


Adding Tags to Assets

Assets can be tagged in the same way as other objects.

To add tags to an asset:

  1. Go to Portal > Assets > Assets.

  2. Right-click the newly discovered asset and select Edit tags.


  3. Type in a new tag and click Submit.

For more information, see Tags.

Tag Replacement of Target Group Settings

  • If you previously used the Add Found Targets To Target Group checkbox, add a tag representing that target group to Add the following tags to discovered assets. See T11981282 section.

  • If you previously used the Empty Target Group Before Adding checkbox, add the tag representing that target group only to Set the following tags to only exist on discovered assets.


Reference

  1. BPF Expression Syntax - https://biot.com/capstats/bpf.html

  2. Berkeley Packet Filter - https://en.wikipedia.org/wiki/Berkeley_Packet_Filter





Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.






