Kenna Security released the new Kenna.VM Premier tier offering on November 15th. One of the features in the Premier tier is a Cisco Talos zero day vulnerability intelligence integration. This is discussed in more detail in Monica White’s blog on “Kenna.VM Premier: Accelerate Vulnerability Management with Cisco Talos Intel and Remediation Analytics“. And for even more details about the Talos Detail page in the Kenna UI, check out Diane Robles’s help article, “Zero Day Vulnerability Intelligence powered by Talos“. However, neither blog details how to obtain the zero day Talos information via Kenna APIs. This blog will rectify that.
I kind of know what zero day vulnerabilities are, but let’s get some solid definition verbiage.
Wikipedia: A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit taking advantage of a zero-day vulnerability is called a zero-day exploit.
Trend Micro is a little more succinct: A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.
These zero-day vulnerabilities pose a high risk because they are not patched; and therefore, cybercriminals can easily exploit them. Once a vulnerability is known and there is a patch, it moves off the zero-day vulnerability list. Currently, the Talos information is collected once a day.
Obtaining Talos Zero Day Information
Obtaining zero day vulnerability information is a three-step process:
- Invoke the “Search Vulnerability” API, filtering for
- For each vulnerability returned from the search, invoke the “Show Vulnerability” API.
- Extract zero day vulnerability information from the “Show Vulnerability” API response.
The related code is in
Let’s look at the “Search Vulnerability” code:
The search filter, zero_day=true, is used to return only vulnerabilities with zero day information. Note that if you like using q=, you can also code q=zero_day:true. They work the same. I would use q= if I had more filters in the
query_params also contains fields=id,created_at,identifiers,last_seen_time,cve_id,description. This reduces the amount of data returned. See API Document Updates, “Vulnerability Fields Query Parameter” for more details. Also, if you just wanted this information and nothing more, you would be done.
Now that we have a list of zero-day vulnerabilities, we need to invoke “Show Vulnerability” for each item in the list to obtain the Talos information.
Above is a for loop calling get_vuln_data with a vulnerability ID, which returns all the vulnerability data. Then the appropriate information is displayed.
The “Show Vulnerability” code is straightforward.
Now let’s look at the provided Talos data and where to obtain it.
You can conclude from lines 93 and 97 that the Talos zero-day data is located in the talos_zero_day field or key. Just like the UI, you can extract the Talos ID, the CVE ID, CVSS information, CPE information, and Snort rules. The code also provides a link to a Talos Report on the zero-day vulnerability if the report exists. (Unfortunately, since this is not a GUI, you will have to copy and paste the link into a browser.)
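The three-step flow described above (search with zero_day=true and a trimmed fields list, Show Vulnerability per ID, then read the talos_zero_day key), as an added example that is not the blog’s own script. It assumes the api.kennasecurity.com base URL and the X-Risk-Token header, and the sub-key names inside talos_zero_day (talos_id, cvss_score, cpes, snort_rules, report_url) are assumptions, since the page only names the talos_zero_day key itself.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumptions (not stated on the page): the API base URL and the X-Risk-Token header.
BASE_URL = os.environ.get("KENNA_BASE_URL", "https://api.kennasecurity.com")
SEARCH_FIELDS = "id,created_at,identifiers,last_seen_time,cve_id,description"

def kenna_get(path, params=None):
    """GET a Kenna API path and decode the JSON body; token comes from KENNA_API_KEY."""
    url = f"{BASE_URL}{path}" + ("?" + urllib.parse.urlencode(params) if params else "")
    headers = {"X-Risk-Token": os.environ["KENNA_API_KEY"], "Accept": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)

def search_zero_day_vulns(get=kenna_get):
    """Step 1: Search Vulnerability with zero_day=true and the trimmed fields list."""
    data = get("/vulnerabilities/search", {"zero_day": "true", "fields": SEARCH_FIELDS})
    return data.get("vulnerabilities", [])

def get_vuln_data(vuln_id, get=kenna_get):
    """Step 2: Show Vulnerability for one ID; returns the full vulnerability record."""
    return get(f"/vulnerabilities/{vuln_id}")["vulnerability"]

def extract_talos(vuln):
    """Step 3: pull the Talos block out of the talos_zero_day key; None if absent/empty."""
    talos = vuln.get("talos_zero_day") or {}
    if not talos:
        return None  # the vuln has no Talos data (e.g. it left the zero-day list)
    # Sub-key names below are assumed; only talos_zero_day itself is named on the page.
    return {
        "kenna_id": vuln.get("id"),
        "cve_id": vuln.get("cve_id"),
        "talos_id": talos.get("talos_id"),
        "cvss_score": talos.get("cvss_score"),
        "cpes": talos.get("cpes", []),
        "snort_rules": talos.get("snort_rules", []),
        "report_url": talos.get("report_url"),  # None when no Talos report exists
    }

def collect_zero_day_intel(get=kenna_get):
    """Run all three steps; one summary per vulnerability that carries Talos data."""
    intel = []
    for hit in search_zero_day_vulns(get):
        summary = extract_talos(get_vuln_data(hit["id"], get))
        if summary:
            intel.append(summary)
    return intel
```

With KENNA_API_KEY exported, calling collect_zero_day_intel() returns one summary dict per zero-day vulnerability; the get parameter exists so the flow can be exercised against canned responses without touching the API.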
Here is an output example for one zero-day vulnerability.
Now you know how to obtain Talos zero-day intelligence via Kenna APIs. The code presented above could use some enhancements like keeping historical information, or providing an alert when there is a new zero-day vulnerability.
Until next time,