Beyond Patch Management: The Hidden Danger of Network Scans

Police officers, during a blackout, often check if a neighborhood has regained power by spotting the faint glow of doorbells. This tiny beacon of light, even in an empty house, indicates the restoration of electricity. Similarly, criminals employ surprisingly simplistic methods to identify potential targets. For instance, car thieves casually traverse streets, subtly lifting car door handles in search of an unlocked vehicle. Home burglars, on the other hand, are drawn to overgrown yards or accumulation of packages at the doorstep, which might suggest a prolonged absence. Identity thieves prey on those who unwittingly share excessive personal information on social media. Unbeknownst to us, we constantly emit signals that can reveal our vulnerabilities to those with ill intent, and experienced criminals know how to look for them.

Finding Network Vulnerabilities

Just as conventional criminals look for physical signs of vulnerability, hackers, and cyber criminals scout for digital weaknesses. If they’re evaluating a potential target in person, they might pay attention to the operating systems on visible computers, such as those at the front desk. Outdated systems could signal a lag in overall technology adoption, suggesting potential weaknesses in their cybersecurity practices. Similarly, insufficient physical security may indicate a lax attitude towards cybersecurity, presenting an inviting target for cyberattacks.

However, one doesn’t have to be on-prem to probe for weaknesses in your network. A threat actor can easily refer to the latest Common Vulnerabilities and Exposures (CVEs), which are publicly accessible lists of documented security vulnerabilities. These lists are maintained to promote information sharing and help organizations bolster their security posture. According to Eden Naggel, CYREBRO’s DFIR Team Leader,

Scanning is a straightforward concept, and there’s no reason for malicious actors not to start with it. Employing 24/7 monitoring that leverages MITRE ATT&CK TTPs can significantly impact an organization’s security, especially during the crucial early stages of attacks. However, it’s essential to remember that monitoring doesn’t solely rely on ATT&CK TTPs; it should also incorporate signature-based detection, machine learning, tailored rules for identifying anomalous activities, and, of course, Threat Intelligence.

Here’s a typical sequence of steps that hackers might follow:

  1. They begin by consulting the CVE database to identify known vulnerabilities in the systems, computers, and network appliances common to their target organization type.
  2. Once they pinpoint a known vulnerability, they search for associated exploits.
  3. Before striking a live environment, they may choose to trial the exploit.
  4. Hackers use a vulnerability scanner to then probe your network, identifying instances of known vulnerabilities.
  5. Finally, they execute the attack against the vulnerability to secure unauthorized network access and proceed with their malicious activities.

Like nearly all cybersecurity tools, CVEs and network scanning tools can be used for both good and malevolent purposes. Cybercriminals bide their time, keeping tabs on the security community’s CVE announcements, and leveraging them to their advantage. Given the user-friendly nature of modern network scanning tools, even amateur hackers can conduct scans for recently reported CVEs, subsequently selling their discoveries to more adept threat actors who can exploit these vulnerabilities effectively.

The Race is On

How exactly do CVE announcements benefit legitimate organizations when the same information is available to cyber criminals? The purpose of CVEs is to provide insight to internal IT departments and Managed Service Providers (MSPs) about vulnerabilities, both past and present, and enable them to address these issues as per the vendor’s suggested solution, typically through patching. This necessitates that organizations are prompt and thorough in their patching procedures, given that cybercriminals are constantly enhancing their speed, propelled by faster processors, superior tools, and improved reconnaissance. In essence, outpacing the adversaries in your CVE research and mitigation activities is critical. It’s a race that must be won.

You Cannot Rely on Patching Alone

It would be wonderful if cybersecurity were as easy as keeping your systems and software fully patched. Unfortunately, cybersecurity is an involved process that takes time, strategy, and effort. While poor patch management will open your business to exploitable attacks, patching by itself is not enough. Firstly, there are other attack methodologies that hackers can use to gain access to your network such as phishing, social engineering, denial of service attacks, SQL injections, and credential stuffing attacks just to name a few. But even patch management by itself is challenging. Second, CVEs represent known vulnerabilities and do not include zero-day attacks. Patches often require a reboot to complete. Because it seems to never be a good time to take down switches, routers, or application servers, these update processes become perpetually delayed to ‘someday’ that never seems to arrive. At the very least, patching gets delayed until the weekend or non-business hours.

The Network Vulnerability Scanning Process

The good news is that you can run the same vulnerability scans of your network that the hackers are running because you both get access to the same information. It is important to run both external and internal scans as once your network has been breached, the imposters will be able to move laterally across your network to perform reconnaissance. Network scanning can also discover other exploitable attack points such as open ports or settings misconfigurations. Do not consider vulnerability scans as a once-a-year scheduled event either. They need to be conducted regularly on a 24/7 basis because new vulnerabilities are constantly being unveiled and hackers never rest. In fact, many of their scans are automated.

The Challenge for SMBs

The process of patching and conducting vulnerability scanning can pose significant challenges for SMBs, mainly due to limited IT resources and a lack of formal procedures for managing patches. SMBs often lack formal patch management procedures which can lead to an inconsistent application of patches that attackers can take advantage of. Leveraging a Security Operations Center (SOC) such as CYREBRO can address these challenges effectively. By incorporating the expertise of a SOC, which is adept at identifying network vulnerabilities across various industries, SMBs can free their in-house resources to focus on achieving business objectives. This security partnership provides organizations with peace of mind, knowing that their systems are consistently monitored and safeguarded against potential threats.


It can be uncomfortable to know that cybercriminals are turning to the same information resources that cybersecurity teams do regarding security gaps. Patching and updating is never a finished endeavor because new CVEs and exploitable vulnerabilities are constantly being introduced. While the task can be challenging, it can also be manageable with the right solutions to assist.

Sign Up for Updates