performing-endpoint-vulnerability-remediation

What this skill does

# Performing Endpoint Vulnerability Remediation

## When to Use

Use this skill when:
- Remediating vulnerabilities identified by scanners (Nessus, Qualys, Rapid7)
- Responding to zero-day CVE advisories requiring immediate patching
- Maintaining compliance with patch management SLAs (critical within 14 days, high within 30 days)
- Building a prioritized remediation plan from vulnerability scan results

**Do not use** this skill for vulnerability scanning itself (use scanning tools) or for application-layer vulnerability remediation (use DevSecOps processes).

## Prerequisites

- Vulnerability scan results (Nessus, Qualys, or Rapid7 export in CSV/XML format)
- Patch management platform (WSUS, SCCM, Intune, or third-party like Automox)
- Administrative access to target endpoints or deployment infrastructure
- Change management process for production endpoint patching
- Testing environment for patch validation before production rollout

## Workflow

### Step 1: Import and Prioritize Vulnerability Findings

```
Priority scoring combines:
1. CVSS Base Score (0-10)
2. EPSS (Exploit Prediction Scoring System) - probability of exploitation
3. CISA KEV (Known Exploited Vulnerabilities) catalog membership
4. Asset criticality (business impact of affected endpoint)
5. Network exposure (internet-facing vs. internal)

Priority Matrix:
  P1 (Critical - 14 days SLA):
    - CVSS >= 9.0 OR
    - Listed in CISA KEV OR
    - Active exploitation in the wild + CVSS >= 7.0

  P2 (High - 30 days SLA):
    - CVSS 7.0-8.9 AND
    - EPSS > 0.5 (50% probability of exploitation)

  P3 (Medium - 60 days SLA):
    - CVSS 4.0-6.9 OR
    - CVSS 7.0-8.9 with EPSS < 0.1

  P4 (Low - 90 days SLA):
    - CVSS < 4.0 AND
    - No known exploit
```

### Step 2: Identify Remediation Actions

For each vulnerability, determine the appropriate remediation:

```
Remediation Types:
1. Patch: Apply vendor security update (most common)
2. Configuration change: Modify settings to mitigate (registry, GPO)
3. Upgrade: Update to newer software version
4. Workaround: Apply temporary mitigation when patch unavailable
5. Compensating control: Network segmentation, WAF rule, EDR rule
6. Accept risk: Document accepted risk with CISO sign-off
```

### Step 3: Deploy Patches via WSUS/SCCM

```powershell
# WSUS: Approve patches for deployment
# 1. Open WSUS Console
# 2. Navigate to Updates → Security Updates
# 3. Approve selected KBs for target computer groups

# SCCM: Create Software Update Group
# 1. Software Library → Software Updates → All Software Updates
# 2. Select required KBs → Create Software Update Group
# 3. Deploy to target collection with maintenance window

# Intune: Create Windows Update Ring
# Devices → Windows → Update rings
# Configure: Quality updates deferral = 0 days (for critical)
# Feature updates deferral = per policy

# PowerShell: Force Windows Update check
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -KBArticleID "KB5034441" -Install -AcceptAll -AutoReboot

# Verify patch installation
Get-HotFix -Id "KB5034441"
systeminfo | findstr "KB5034441"
```

### Step 4: Apply Configuration-Based Remediations

```powershell
# Example: Disable SMBv1 (CVE-2017-0144 - EternalBlue)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Example: Disable Print Spooler on non-print servers (CVE-2021-34527 - PrintNightmare)
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

# Example: Disable LLMNR (credential theft mitigation)
# Via GPO: Computer Configuration → Admin Templates → Network → DNS Client
# Turn off multicast name resolution: Enabled
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
  -Name EnableMulticast -Value 0 -PropertyType DWORD -Force

# Example: Restrict NTLM authentication
# Via GPO: Security Settings → Local Policies → Security Options
# Network security: Restrict NTLM: Audit/Deny
```

### Step 5: Handle Zero-Day Vulnerabilities (No Patch Available)

```
When vendor patch is not yet available:

1. Check vendor advisory for workarounds
   - Microsoft: https://msrc.microsoft.com/update-guide
   - Adobe: https://helpx.adobe.com/security.html
   - Linux: Distribution security trackers

2. Apply temporary mitigations:
   - Disable vulnerable feature/service
   - Deploy EDR detection rule for exploitation attempt
   - Apply network-level blocking (WAF/firewall rules)
   - Restrict access to vulnerable application

3. Monitor for patch release:
   - Subscribe to vendor security mailing list
   - Monitor CISA KEV additions
   - Set calendar reminder for next Patch Tuesday

4. Document workaround with expiration date
```

### Step 6: Validate Remediation

```powershell
# Re-scan remediated endpoints to confirm vulnerability closure
# Option 1: Targeted vulnerability scan
nessuscli scan --target 192.168.1.0/24 --plugin-id 12345

# Option 2: PowerShell verification
# Check specific KB is installed
$kb = Get-HotFix -Id "KB5034441" -ErrorAction SilentlyContinue
if ($kb) {
    Write-Host "PASS: KB5034441 installed on $(hostname)" -ForegroundColor Green
} else {
    Write-Host "FAIL: KB5034441 missing on $(hostname)" -ForegroundColor Red
}

# Check service is disabled
$svc = Get-Service -Name Spooler
if ($svc.StartType -eq 'Disabled') {
    Write-Host "PASS: Print Spooler disabled" -ForegroundColor Green
}

# Check registry configuration
$val = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
  -Name SMB1 -ErrorAction SilentlyContinue
if ($val.SMB1 -eq 0) {
    Write-Host "PASS: SMBv1 disabled" -ForegroundColor Green
}
```

### Step 7: Report and Track

Generate remediation status report:
```
Remediation Metrics:
  - Total vulnerabilities: X
  - Remediated: Y (Z%)
  - Pending (within SLA): A
  - Overdue (past SLA): B
  - Accepted risk: C
  - Mean time to remediate (MTTR): D days
  - SLA compliance rate: E%
```

## Key Concepts

| Term | Definition |
|------|-----------|
| **CVSS** | Common Vulnerability Scoring System; 0-10 severity scale for vulnerabilities |
| **EPSS** | Exploit Prediction Scoring System; probability (0-1) that a CVE will be exploited in the wild within 30 days |
| **CISA KEV** | CISA Known Exploited Vulnerabilities catalog; federal mandate to patch these CVEs within specified timeframes |
| **SLA** | Service Level Agreement for remediation timelines based on vulnerability severity |
| **MTTR** | Mean Time To Remediate; average days from vulnerability discovery to confirmed fix |
| **Compensating Control** | Alternative security measure when direct remediation is not feasible |

## Tools & Systems

- **Nessus/Tenable.io**: Vulnerability scanning and remediation tracking
- **Qualys VMDR**: Vulnerability management, detection, and response platform
- **Rapid7 InsightVM**: Vulnerability assessment with live dashboards
- **WSUS/SCCM/Intune**: Microsoft patch deployment infrastructure
- **Automox**: Cloud-native patch management for Windows, macOS, Linux
- **CISA KEV Catalog**: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

## Common Pitfalls

- **Patching without testing**: Apply patches to a test group first. Some patches cause application compatibility issues or BSOD.
- **Ignoring EPSS scores**: A CVSS 9.8 vulnerability with EPSS 0.01 may be less urgent than a CVSS 7.5 with EPSS 0.95 (actively exploited).
- **Not validating remediation**: Deploying a patch does not guarantee installation. Always re-scan to confirm closure.
- **Excluding critical servers from patching**: Servers that "cannot be rebooted" accumulate critical vulnerabilities. Schedule maintenance windows.
- **Treating all CVEs equally**: Risk-based prioritization (CVSS + EPSS + asset criticality + exposure) is more effective than patching all criticals first.