Tag Archive for: network security

Greenbone AG

Greenbone Reduces the Blast Radius of a Cyber Breach

Cyber attacks, like other types of security incidents, range dramatically in scope and impact. When defenders are prepared, an incident may be contained, damage limited, and recovery swift. When caught unprepared, a single incident may result in days or weeks of downtime, lost revenue, tarnished reputation, regulatory penalties or class action settlements [1][2]. In May 2024, Change Healthcare forecasted an expected loss of 1.6 billion Dollar. As of January 2025, the total cost of the Change Healthcare ransomware attack has reached almost 3 billion Dollar [3][4].

The totality of damage caused by an IT security breach, known as the “blast radius”, depends on many factors. These factors include whether vulnerabilities are being managed, if a defense in depth approach to cybersecurity has been applied, network segmentation, effective backup strategies and more. Negligent security hygiene is an open invitation to attackers, resulting in more costly outcomes like extensive data theft, ransomware extortion and even destructive wiper attacks used for industrial sabotage. A recent report found that once inside a network, attackers now deploy ransomware within 48 minutes on average and CVE disclosures are being weaponized into exploits within 18 days.

This article explores the concept of a cyber attack “blast radius” and the role that effective Vulnerability Management plays in containing the fallout from cyber intrusions. With the right controls in place, the damage from a cyber breach can be minimized and worst-case outcomes prevented

What is the “Blast Radius” of a Cyber Breach?

The term “blast radius” is military jargon referring to the physical area damaged by an exploding bomb. In digital systems, the term similarly refers to the extent of damage caused by a cyber attack. How many systems did an attacker compromise? Were they able to subsequently compromise critical systems after initial access? Did they breach adjacent networks or cloud assets?

Far-reaching damage is not a foregone conclusion when hackers gain initial access. Defenders can effectively cut off the attack at an early stage, preventing malicious actors from achieving their ultimate objectives or causing far reaching damage.

The Consequences of a Bigger Blast Radius

While forfeiting unauthorized access to an adversary is bad, it’s the subsequent stages of an attack that keeps IT security managers up at night. The latter stages of a cyber breach such as installing malware on critical assets, exfiltrating sensitive data, or encrypting files have the most profound implications for organizations. As blast radius increases, it is much more likely that an organization will experience a significantly negative impact.

Increased blast radius can result in:

  • Longer “Dwell Time”: Lateral movement and persistence techniques can allow attackers to remain undetected for extended periods, gathering intelligence and preparing subsequent attacks.
  • Increased financial losses: Service disruptions and ransomware attacks contribute to higher financial losses, lost revenue from downtime, risk of regulatory penalties and erode business relationships.
  • Increased operational downtime: The impact of operational downtime can reverberate across an organization causing delays, frustration and desynchronizing operations.
  • Loss of sensitive data: Attackers seek to exfiltrate sensitive data to support espionage campaigns or extort victims into paying ransom.
  • Compromised trust: Unauthorized access to messaging systems or third-party assets can erode trust among stakeholders, including customers, employees and business partners.

Greenbone Reduces the Blast Radius of a Cyber Breach

Vulnerability Management is a powerful factor in reducing the so-called “blast radius”. Effective mitigation of security gaps can leave an adversary with no easily accessible means to extend their initial foothold. Vulnerability management is most efficiently and effectively implemented by automatically scanning for security weaknesses throughout a network infrastructure and remediating the attack surface. In doing so, organizations can greatly reduce the potential blast radius of a successful cyber attack and also reduce probability of being breached in the first place.

Threat Mapping helps IT security teams understand their attack surfaces, the locations where adversaries may be able to enter a network. Greenbone’s core capabilities support Threat Mapping efforts with system and service discovery scans and by scanning both network and host attack surfaces allowing defenders to reduce their attack surface by 99%. Furthermore, Greenbone provides real-time reporting and alerts to keep security teams informed of emerging threats, enabling a proactive cybersecurity posture and timely remediation. This proactive, layered approach to cybersecurity reduces the potential blast radius and results in better security outcomes. Defenders are afforded more time to detect an attacker’s presence and eliminate it before catastrophic damage can be done.

The Strongest Defenses with Greenbone Enterprise Feed

The strongest defenses come from Greenbone’s industry leading Enterprise Vulnerability Feed. In total, the Greenbone Enterprise Feed has approximately 180,000 vulnerability tests and counting which can detect both general security compliance weaknesses and application specific vulnerabilities. Our Enterprise Feed adds hundreds of new tests each week to detect the newest emerging threats.

Here is a list of IT assets that Greenbone is designed to scan:

  • Internal network infrastructure: Scanning internal network devices with any type of exposed service, such as databases, file shares, SNMP enabled devices, firewalls, routers, VPN gateways and more.
  • On-premises and cloud servers: Attesting server configurations to ensure compliance with security policies and standards.
  • Workstations: Greenbone scans workstations and other endpoints across all major operating system (Windows, Linux, and macOS) to identify the presence of known software vulnerabilities attesting compliance with cybersecurity standards like CIS Benchmark
  • IoT and peripheral devices: IoT and peripheral devices, such as printers, use the same network protocols for communication as other network services. This allows them to be easily scanned for device and application specific vulnerabilities and common misconfigurations similarly to other network endpoints.

Reducing Network Attack Surface

Network attack surface consists of exposed network services, APIs and websites within an organization’s internal network environment and public facing infrastructure. To scan network attack surfaces, Greenbone builds an inventory of endpoints and listening services within target IP range(s) or a list of hostnames, then scans for known vulnerabilities.

Greenbone’s network vulnerability tests (NVTs) consist of version checks and active checks. Version checks query the service for a version string and then compare it for matching CVEs. Active checks use network protocols to interact with the exposed service to verify whether known exploit techniques are effective. These active checks use the same network communication techniques as real world cyber attacks, but do not seek to exploit the vulnerability. Instead, they simply notify the security team that a particular attack is possible. Anything an attacker can reach via the internet or local network, Greenbone can scan for vulnerabilities.

Reducing Host Attack Surface

Host attack surface is the software and configurations within individual systems that cannot be accessed directly via the network. Reducing the host attack surface minimizes what an attacker can do with initial access. Greenbone’s authenticated scans conduct Local Security Checks (LSC) to assess a system’s internal components for known weaknesses and non-compliant configurations that could allow attackers to escalate their privilege level, access sensitive information, install additional malware or move laterally to other systems.

Greenbone’s Enterprise Feed includes families of LSC for each major operating system including Ubuntu, Debian, Fedora, Red Hat, Huawei, SuSE Linux distributions, Microsoft Windows, macOS and many more.

Post-Breach Tactics: the Second Stage of Cyber Intrusions

Once attackers gain a foothold within a victim’s network, they engage in secondary exploitation techniques to deepen their access and achieve their objectives. In the modern cybercrime ecosystem, Initial Access Brokers (IABs) specialize in gaining unauthorized access. IABs then sell this access to other cybercriminal groups that specialize in second-stage attack tactics such as deploying ransomware or data theft. Similar to breaching the walls of a fortress, after initial access, an organization’s internal network becomes more accessible to attackers.

Some tactics used during the second stage of cyber attack include:

  • Privilege escalation [TA0004]: Attackers seek ways to elevate their access rights, allowing them access to more sensitive data or to execute administrative actions.
  • Lateral movement [TA0008]: Attackers compromise other systems within the victim’s network, extending their access to high-value resources.
  • Persistent remote access [TA0028]: Creating new accounts, deploying backdoors or using compromised credentials, attackers seek to maintain their access even if the initial vulnerability is remediated or their presence is detected.
  • Credential theft [TA0006]: Stolen sensitive data can be processed offline by attackers attempting to crack passwords, break into protected resources or plan social engineering attacks.
  • Accessing messaging systems [T1636]: Accessing organizational messaging platforms or collaboration tools gives access to sensitive information which can be used to conduct social engineering attacks such as spear phishing, even targeting external partners or customers.
  • Encryption for impact [T1486]: Identifying critical assets, financially motivated adversaries seek to maximize impact by deploying ransomware and extorting the victim to return access to the encrypted data.
  • Data exfiltration [TA0010]: Downloading a victim’s sensitive data can be used for espionage and also gives attackers leverage to extort victims into paying to not release it publicly.
  • Denial of Service attacks [T0814]: Service disruption can be used for further extortion or as a distraction to execute other attacks within the victim’s network.

Summary

Blast radius refers to the scope of damage that an adversary imposes during a cyber attack. As attacks progress, adversaries seek to penetrate deeper, gaining access to more sensitive systems and data. Lack of cyber hygiene gives attackers free reign to steal data, deploy ransomware and cause service disruptions and complicates detection and recovery. Minimizing attack surface is crucial for reducing the potential impact of a cyber breach and helps ensure a better security outcome.

Greenbone’s core contribution to cybersecurity is to increase security visibility in real-time, alerting defenders to vulnerabilities and giving them the opportunity to close security gaps, preventing hackers from exploiting them. This includes both network attack surface: public-facing assets, internal network infrastructure, cloud assets and host attack surface: internal software applications, packages and common misconfigurations.

By delivering industry-leading vulnerability detection, Greenbone empowers real-time threat visibility, empowering defenders to proactively ensure that adversaries are decisively neutralized.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

January 2025 Threat Report: Fortune Favors the Prepared

This year, many large organizations around the world will be forced to reckon with the root-cause of cyber intrusions. Many known vulnerabilities are an open gateway to restricted network resources. Our first Threat Report of 2025 reviews some disastrous breaches from 2024 and then dives into some pressing cybersecurity vulnerabilities from this past month.

However, to be clear, the vulnerabilities discussed here merely scratch the surface. In January 2025, over 4,000 new CVEs (Common Vulnerabilities and Exposures) were published; 22 with the maximum CVSS score of 10, and 375 rated critical severity. The deluge of critical severity flaws in edge networking devices has not abated. Newly attacked flaws in products from global tech giants like Microsoft, Apple, Cisco, Fortinet, Palo Alto Networks, Ivanti, Oracle and others have been appended to CISA’s (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities (KEV) catalog.

Software Supply Chain: the User’s Responsibility

We are all running software we didn’t design ourselves. This places a huge emphasis on trust. Where trust is uncertain – whether due to fears of poor diligence, malice or human error – cybersecurity responsibility still rests on the end-user. Risk assurances depend heavily on technical knowledge and collective effort. Defenders need to remember these facts in 2025.

When supply chain security fails, ask why! Did the software vendor provide the required tools to take control of your own security outcomes? Is your IT security team executing diligent vulnerability discovery and remediation? Are your resources segmented with strong access controls? Have employees been trained to identify phishing attacks? Are other reasonable cybersecurity measures in place? Organizations need to mature their ransomware-readiness, implement regular vulnerability assessments and prioritized patch management. And they should verify reliable backup strategies can meet recovery targets and prioritize other fundamental security controls to protect sensitive data and prevent downtime.

Fortune Favors the Prepared

Assessing 2024, the UK’s NCSC (National Cyber Security Center) annual review painted a grim picture; significant cyberattacks had increased three times compared to 2023. For a birds-eye view, CSIS (The Center for International Strategic & International Studies) has posted an extensive list of the most significant cyber incidents of 2024. The landscape has been shaped by the Russia Ukraine conflict and an accelerated shift from globalization to adversarialism.

Check Point Research found that 96% of all vulnerabilities exploited in 2024 were over a year old. These are positive findings for proactive defenders. Entities conducting vulnerability management will fare much better against targeted ransomware and mass exploitation attacks. One thing is clear: proactive cybersecurity reduces the cost of a breach.

Let’s review two of the most significant breaches from 2024:

  • The Change Healthcare Breach: Overall in 2024, breaches of healthcare entities were down from 2023’s record setting year. However, the ransomware attack against Change Healthcare set a new record for the number of affected individuals at 190 million, with total costs so far reaching 2,457 billion Dollar. The State of Nebraska has now filed a lawsuit against Change Healthcare for operating outdated IT systems that failed to meet enterprise security standards. According to IBM, breaches in the healthcare industry are the most costly, averaging 9.77 million Dollar in 2024.
  • Typhoon Teams Breach 9 US Telecoms: The “Typhoon” suffix is used by Microsoft’s threat actor naming convention for groups with Chinese origins. The Chinese state-sponsored adversary known as Salt Typhoon infiltrated the networks of at least nine major U.S. telecommunications companies, accessing user’s call and text metadata and audio recordings of high-profile government officials. Volt Typhoon breached Singapore Telecommunications (SingTel) and other telecom operators globally. The “Typhoons” exploited vulnerabilities in outdated network devices, including unpatched Microsoft Exchange Server, Cisco routers, Fortinet and Sophos Firewalls and Ivanti VPN appliances. Greenbone is able to detect all known software vulnerabilities associated with Salt Typhoon and Volt Typhoon attacks [1][2].

UK May Ban Ransomware Payments in Public Sector

The UK government’s framework to combat ransomware has proposed a ban on ransom payments by public sector entities and critical infrastructure operators with hopes to deter cyber criminals from targeting them in the first place. However, a new report from The National Audit Office (NAO), the UK’s independent public spending watchdog, says “cyber threat to UK government is severe and advancing quickly”.

The FBI, CISA and NSA all advise against paying ransoms. After all, paying a ransom does not guarantee the recovery of encrypted data or prevent the public release of stolen data, and may even encourage further extortion. On the flip side IBM’s security think-tank acknowledges that many SME organizations could not fiscally survive the downtime imposed by ransomware. While both sides make points here, could enriching cyber criminals while failing to shore-up local talent result in a positive outcome?

Vulnerability in SonicWall SMA 1000 Actively Exploited

Microsoft Threat Intelligence has uncovered active exploitation of SonicWall SMA 1000 gateways via CVE-2025-23006 (CVSS 9.8 Critical). The flaw is caused by improper handling of untrusted data during deserialization [CWE-502]. It could allow an unauthenticated attacker with access to the internal Appliance Management Console (AMC) or Central Management Console (CMC) interface to execute arbitrary OS commands. SonicWall has released hotfix version 12.4.3-02854 to address the flaw.

While no publicly available exploit code has been identified, numerous government agencies have issued alerts including Germany’s BSI CERT-Bund, Canadian Center for Cybersecurity, CISA, and the UK’s NHS (National Health Service). Greenbone is able to detect SonicWall systems impacted by CVE-2025-23006 by remotely checking the version identified from the service banner.

CVE-2024-44243 for Persistent Rootkit in macOS

January 2025 was a firestorm month for Apple security. Microsoft Threat Intelligence has found time to security test macOS, discovering a vulnerability that could allow installed apps to modify the OS System Integrity Protection (SIP). According to Microsoft, this could allow attackers to install rootkits, persistent malware and bypass Transparency, Consent and Control (TCC) which grants granular access permissions to applications on a per-folder basis. While active exploitation has not been reported, Microsoft has released technical details on their findings.

As January closed, a batch of 88 new CVEs, 17 with critical severity CVSS scores were published affecting the full spectrum of Apple products. One of these, CVE-2025-24085, was observed in active attacks and added to CISA’s KEV catalog. On top of these, dual speculative execution vulnerabilities in Apple’s M-series chips dubbed SLAP and FLOP were disclosed but have not yet been assigned CVEs. For SLAP, researchers leveraged chip flaws to exploit Safari WebKit’s heap allocation techniques and manipulated JavaScript string metadata to enable out-of-bounds speculative reads, allowing them to extract sensitive DOM content from other open website tabs. For FLOP, researchers demonstrated that sensitive data can be stolen from Safari and Google Chrome; bypassing Javascript type checking in Safari WebKit and Chrome’s Site Isolation via WebAssembly.

Furthermore, five high severity vulnerabilities were also published affecting Microsoft Office for macOS. Each potentially forfeiting Remote Code Execution (RCE) to an attacker. Affected products include Microsoft Word (CVE-2025-21363), Excel (CVE-2025-21354 and CVE-2025-21362) and OneNote (CVE-2025-21402) for macOS. While no technical details about these vulnerabilities are yet available, all have high CVSS ratings and users should update as soon as possible.

The Greenbone Enterprise Feed includes detection for missing macOS security updates and many other CVEs affecting applications for macOS including the five newly disclosed CVEs in Microsoft Office for Mac.

6 CVEs in Rsync Allow Both Server and Client Takeover

The combination of two newly discovered vulnerabilities may allow the execution of arbitrary code on vulnerable rsyncd servers while having only anonymous read access. CVE-2024-12084, a heap buffer overflow and CVE-2024-12085, an information leak flaw are the culprits. Public mirrors using rsyncd represent the highest risk since they inherently lack access control.

The researchers also found that a weaponized rsync server can read and write arbitrary files on connected clients. This can allow theft of sensitive information and potentially execution of malicious code by modifying executable files.

Here is a summary of the new flaws ordered by CVSS severity:

Collectively, these flaws present serious risk of RCE, data exfiltration and installing persistent malware on both rsyncd servers and unsuspecting clients. Users must update to the patched version, thoroughly look for any Indicators of Compromise (IoC) on any systems that have used rsync, and potentially redeploy file sharing infrastructure. Greenbone is able to detect all known vulnerabilities in rsync and non-compliance with critical security updates.

CVE-2025-0411: 7-Zip Offers MotW Bypass

On January 25, 2025, CVE-2025-0411 (CVSS 7.5 High) was published affecting 7-Zip archiver. The flaw allows bypassing the Windows security feature Mark of the Web (MotW) via specially crafted archive files. MoTW tags files downloaded from the internet with a Zone Identifier alternate data stream (ADS), warning when they originate from an untrusted source. However, 7-Zip versions before 24.09 do not pass the MotW flag to files within nested archives. Exploiting CVE-2025-0411 to gain control of a victim’s system requires human interaction. Targets must open a trojanized archive and then further execute a malicious file contained within.

Interestingly, research from Cofence found government websites around the world have been leveraged for credential phishing, malware delivery and command-and-control (C2) operations via CVE-2024-25608, a Liferay digital platform vulnerability. This flaw allows attackers to redirect users from trusted .gov URLs to malicious phishing sites. Combining redirection from a trusted .gov domain with the 7-Zip flaw has significant potential for stealthy malware distribution.

Considering the risks, users should manually upgrade to version 24.09, which has been available since late 2024. As discussed in the introduction above, software supply chain security often lies in a grey zone, we all depend on software beyond our control. Notably, prior to the publication of CVE-2025-0411, 7-Zip had not alerted users to a security flaw. Furthermore, although 7-Zip is open-source, the product’s GitHub account does not reveal many details or contact information for responsible disclosure.

Furthermore, the CVE has triggered DFN-CERT and BSI CERT-Bund advisories [1][2]. Greenbone is able to detect the presence of vulnerable versions of 7-Zip.

Summary

This edition of our monthly Threat Report reviewed major breaches from 2024 and newly discovered critical vulnerabilities in January 2025. The software supply chain presents elevated risk to all organizations large and small from both open-source and closed-source products. However, open-source software offers transparency and the opportunity for stakeholders to engage proactively in their own security outcomes, either collectively or independently. While cybersecurity costs are significant, advancing technical capabilities will increasingly be a determinant factor in both enterprise and national security. Fortune favors the prepared.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Stop the Standstill: how Greenbone Helps Protect Against DoS Attacks

A DoS attack (Denial of Service) can mean a complete standstill: an important service fails, an application no longer responds or access to one’s own system is blocked. DoS attacks have a clear, destructive goal: to paralyze digital resources, preventing access to the legitimate users. The consequences of a DoS attack can be drastic: from downtime and business interruptions to financial losses and significant risks for the entire organization.

For several years, DoS attacks have been on the rise and have significantly impacted business, critical infrastructure and healthcare services. DoS attacks are also being leveraged in sophisticated cyber military campaigns and to extort victims into paying a ransom. What lies behind these attacks and how can you protect yourself?

Widening the Threat Landscape

With unauthorized access attackers may impose DoS by simply shutting down a system [T1529]. Otherwise, application logic flaws can allow a remote attacker to crash the system, or they may flood it with network traffic to exhaust its resources. Blocking account access [T1531], destroying data [T1485], or deploying ransomware [T1486] can further hinder system recovery [T1490] or distract defenders while other attacks take place. At the same time, disabled critical services increase vulnerability to further cyber attacks; if a virus scanner is stopped, malware can enter the network unimpeded; if backup services are down, full recovery from ransomware may be impossible.

DoS Attacks Often Leverage Known Weaknesses

DoS attacks often exploit weaknesses in network protocol specifications, improper protocol implementations, faulty logic in software applications, or misconfigurations. Some software flaws that could allow DoS attacks include:

  • Uncontrolled resource consumption
  • Buffer overflows
  • Memory leaks
  • Improper error handling
  • Asymmetric resource consumption (amplification)
  • Failure to release a resource after use

When vulnerabilities such as these are discovered, vendors rush to issue patches. However, only users who install them are protected. By scanning network and host attack surfaces, IT security teams can be alerted to DoS and other types of vulnerabilities. Once alerted, defenders can act by applying updates or adjusting vulnerable configurations.

Types of DoS Attacks

DoS attacks may employ a variety of different techniques, such as flooding networks with excessive traffic, exploiting software vulnerabilities, or manipulating application-level functions. Understanding how DoS attacks work and their potential impact is crucial for organizations to develop comprehensive defense strategies and minimize the risk of such disruptions.

The main categories of DoS attacks include:

  • Volume Based DoS Attacks: Volume-based DoS attacks overwhelm the target’s network bandwidth or compute resources such as CPU and RAM with high volumes of traffic, rendering the network unable to fulfill its legitimate purpose.
  • Application and Protocol DoS Attacks: These attacks target vulnerabilities within software applications or network protocols, which may reside at any layer of the protocol stack. Attackers exploit flaws in a protocol specification, flawed application logic, or system configurations to destabilize or crash the target.
  • Amplification DoS Attacks: Amplification attacks exploit specific protocols that generate a response larger than the initial request. Attackers send small queries to the target which responds with large packets. This tactic significantly amplifies the impact to the victim as high as 100 times the initial request size.
  • Reflection DoS Attacks: The attacker sends a request to a service, but replaces the source IP address with the victim’s IP. The server then sends its response to the victim, “reflecting” the attacker’s forged requests. Reflection attacks typically rely on UDP (User Datagram Protocol) due to its connectionless nature. Unlike TCP, UDP-based services do not automatically verify the source IP address of data they receive.
  • Distributed DoS Attacks (DDoS): DDoS attacks leverage large groups of compromised devices (often called a botnet) to send overwhelming amounts of traffic to a target. Botnets consist of hacked web servers or SOHO (Small Office, Home Office) routers from all over the world and are controlled centrally by the threat actor. The distributed nature of DDoS attacks make them much harder to mitigate, as the malicious traffic comes from many different IP addresses. This makes it difficult to distinguish legitimate users and infeasible to block the botnet’s large number of unique IP addresses.

Using Greenbone Against System Breakdown

Government cybersecurity agencies from all NATO countries such as Germany, the US, and Canada urge vulnerability management as a top priority for defending against DoS attacks.  By scanning for known vulnerabilities, Greenbone helps close the door to DoS attacks and can identify when human error contributes to the problem by detecting known misconfigurations and CIS benchmark controls. Greenbone also updates its vulnerability tests daily to include detection for the latest vulnerabilities that can allow successful DoS attacks.

Greenbone includes the Denial of Service category of vulnerability tests and other test families also include DoS identification such as: database DoS tests, web application DoS tests, web server DoS tests, Windows DoS tests [1][2] and product specific DoS detection for many enterprise networking products such as Cisco, F5, Juniper Networks, Palo Alto and more. Using Greenbone to scan your networks and endpoints, you have access to over 4,900 tests capable of identifying exploitable DoS flaws.

Also, when Greenbone’s “Safe Checks” protection for a scan configuration is disabled, our scanner will conduct active attacks such as amplification DoS attacks. Since these tests present higher risk such as increased likelihood of service disruption, the Safe Checks feature is enabled by default, meaning this extended set of invasive scans are not conducted unless specifically configured to do so.

While no known cybersecurity mitigation can guarantee protection against all DoS attacks such as high volume DDoS attacks, the proactive identification and mitigation of known flaws removes the “low-hanging fruit” presented by exploitable services. By removing known vulnerabilities from its IT infrastructure, an organization can avoid becoming part of the problem as well – since hijacked IT assets are often used by attackers to conduct DDoS attacks against others.

Summary

Denial of Service (DoS) attacks aim to disrupt the availability of IT systems by overwhelming them with traffic or by exploiting known software vulnerabilities. Greenbone’s comprehensive vulnerability assessment solutions can identify potential entry points for DoS attacks, enabling organizations to strengthen their defenses and minimize their risk. By proactively managing vulnerabilities and employing continuous monitoring, Greenbone helps organizations to detect and mitigate the impact of potentially destructive DoS attacks.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Enterprise Products Lead all Network Vulnerability Scanners

OpenVAS began in 2005 when Nessus transitioned from open source to a proprietary license. Two companies, Intevation and DN Systems adopted the existing project and began evolving and maintaining it under a GPL v2.0 license. Since then, OpenVAS has evolved into Greenbone, the most widely-used and applauded open-source vulnerability scanner and vulnerability management solution in the world. We are proud to offer Greenbone as both a free Community Edition for developers and also as a range of enterprise products featuring our Greenbone Enterprise Feed to serve the public sector and private enterprises alike.

As the “old-dog” on the block, Greenbone is hip to the marketing games that cybersecurity vendors like to play. However, our own goals remain steadfast – to share the truth about our product and industry leading vulnerability test coverage. So, when we reviewed a recent 2024 network vulnerability scanner benchmark report published by a competitor, we were a little shocked to say the least.

As the most recognized open-source vulnerability scanner, it makes sense that Greenbone was included in the competition for top dog. However, while we are honored to be part of the test, some facts made us scratch our heads. You might say we have a “bone to pick” about the results. Let’s jump into the details.

What the 2024 Benchmark Results Found

The 2024 benchmark test conducted by Pentest-Tools ranked leading vulnerability scanners according to two factors: Detection Availability (the CVEs each scanner has detection tests for) and Detection Accuracy (how effective their detection tests are).

The benchmark pitted our free Community Edition of Greenbone and the Greenbone Community Feed against the enterprise products of other vendors: Qualys, Rapid7, Tenable, Nuclei, Nmap, and Pentest-Tools’ own product. The report ranked Greenbone 5th in Detection Availability and roughly tied for 4th place in Detection Accuracy. Not bad for going up against titans of the cybersecurity industry.

The only problem is, as mentioned above, Greenbone has an enterprise product too, and when the results are recalculated using our Greenbone Enterprise Feed, the findings are starkly different – Greenbone wins hands down.

Here is What we Found

Bar chart from the 2024 benchmark for network vulnerability scanners: Greenbone Enterprise achieves the highest values with 78% availability and 61% accuracy

 

Our Enterprise Feed Detection Availability Leads the Pack

According to our own internal findings, which can be verified using our SecInfo Portal, the Greenbone Enterprise Feed has detection tests for 129 of the 164 CVEs included in the test. This means our Enterprise product’s Detection Availability is a staggering 70.5% higher than reported, placing us heads and tails above the rest.

To be clear, the Greenbone Enterprise Feed tests aren’t something we added on after the fact. Greenbone updates both our Community and Enterprise Feeds on a daily basis and we are often the first to release vulnerability tests when a CVE is published. A review of our vulnerability test coverage shows they have been available from day one.

Our Detection Accuracy was far Underrated

And another thing. Greenbone isn’t like those other scanners. The way Greenbone is designed gives it strong industry leading advantages. For example, our scanner can be controlled via API allowing users to develop their own custom tools and control all the features of Greenbone in any way they like. Secondly, our Quality of Detection (QoD) ranking doesn’t even exist on most other vulnerability scanners.

The report author made it clear they simply used the default configuration for each scanner. However, without applying Greenbone’s QoD filter properly, the benchmark test failed to fairly assess Greenbone’s true CVE detection rate. Applying these findings Greenbone again comes out ahead of the pack, detecting an estimated 112 out of the 164 CVEs.

Summary

While we were honored that our Greenbone Community Edition ranked 5th in Detection Availability and tied for 4th in Detection Accuracy in a recently published network vulnerability scanner benchmark, these results fail to consider the true power of the Greenbone Enterprise Feed. It stands to reason that our Enterprise product should be in the running. Afterall, the benchmark included enterprise offerings from other vendors.

When recalculated using the Enterprise Feed, Greenbone’s Detection Availability leaps to 129 of the 164 CVEs on the test, 70.5% above what was reported. Also, using the default settings fails to account for Greenbone’s Quality of Detection (QoD) feature. When adjusted for these oversights, Greenbone ranks at the forefront of the competition. As the most used open-source vulnerability scanner in the world, Greenbone continues to lead in vulnerability coverage, timely publication of vulnerability tests, and truly enterprise grade features such as a flexible API architecture, advanced filtering, and Quality of Detection scores.

Contact Test Now Buy Here Back to Overview

/by