CAASM Use Case #9 – Finding Unsanctioned Software


Welcome to the ninth instalment in our series exploring the practical applications of Cyber Asset Attack Surface Management (CAASM).

Today, we’re diving into a critical challenge faced by cybersecurity professionals: identifying and managing unsanctioned software within your organization.

Imagine this scenario: Your company has strict software policies in place, but you suspect that employees might be using unauthorized applications.

How do you find these potential security risks hiding in plain sight? That’s where CAASM comes in.

Risks of unsanctioned software: regulatory compliance gaps, vulnerabilities, data leaks, inefficiencies, an increased attack surface, and lack of visibility.


The Unsanctioned Software Problem

Unsanctioned software is a thorn in the side of IT and security teams everywhere. These applications, while potentially useful for employees, can pose significant risks to your organization’s security posture. They might include:

  • Peer-to-peer, anonymity and consumer social apps (e.g., Tor, TikTok)
  • Cracking tools (e.g., AirCrack, L0phtcrack)
  • Protocol analysis tools (e.g., Wireshark, Npcap)
  • Vulnerability mapping and penetration testing tools
  • Cryptocurrency wallets and miners
  • Gaming applications
  • Remote Access Tools (RATs)

The challenges in finding this software are numerous:

  1. Difficulty in searching across existing asset inventories
  2. Incomplete software lists in asset inventories
  3. Conflicting data due to outdated information
  4. Limited sources for software inventory lists

Enter SJULTRA's Cybersecurity Observability Service

This is where SJULTRA's CAASM service comes in. It gives your security team a single, queryable inventory of everything installed across the estate, built from sources you already have.

CAASM pulls data from a wide range of sources:

  • Endpoint Agents
  • Configuration and Patch Management Tools
  • Ticketing & Helpdesk Platforms
  • Networking Tools
  • Vulnerability Assessment Tools
  • IAM Solutions
  • Cloud Infrastructure

By correlating this data, CAASM creates a rich, unified view of your entire digital ecosystem. It’s like having a digital map of your entire IT landscape, with every device, user, and cloud instance clearly labeled.

Book your free CAASM trial now

Get visibility on all 14 cybersecurity observability use cases in less than 30 days with SJULTRA.

Getting organized: defining your unsanctioned software list

The software installed on your devices will fall into one of three types:

  1. Known – Sanctioned, e.g. Microsoft Office apps.
  2. Known – Unsanctioned, e.g. Nmap, Bitminer, etc.
  3. Unknown – Unsanctioned: software on neither list, which needs review before it can be placed in one of the first two buckets.

The goal with SJULTRA CAASM is to build up these lists so that you can query your IT landscape and put every piece of software in the correct bucket.

Technical Deep Dive: Finding Unsanctioned Software

Let’s walk through how to use SJULTRA CAASM to hunt down unsanctioned software:

  1. View All Installed Software:
    • Navigate to the devices page
    • Add the “installed software” column to your view
  2. Search for Specific Software:
    • Use the CAASM Query Wizard
    • Search by software name, version, or description

A list of common unsanctioned software

  • Peer-to-peer, anonymity and consumer social apps: Tor, torrent clients, TikTok, WeChat, PopcornTime
  • Cracking Tools: AirCrack, L0phtcrack, Brutus
  • Protocol Analysis Tools: WinPcap, Wireshark, mergecap, Npcap
  • Vulnerability mapping and pentest tools: dsniff, Metasploit, Nessus, Nikto, Nmap
  • Cryptocurrency Wallets and Miners: btcminer, bfgminer, cgminer
  • Gaming: PokerStars, Discord, Steam, etc.
  • Dual-use tools that are legitimate in an administrator's hands but dangerous elsewhere: Nmap, Mimikatz, dsniff, Wireshark, Metasploit
  • Keyloggers / Password crackers: DaveGrohl
  • Remote Access Tools (RATs): Poison Ivy, Sakula, KjWorm, Havex, Dark Comet, AlienSpy
  • Unsanctioned IT & Security tools: any unapproved platform, including VPN clients, antivirus, cloud storage, and more

Integrating CAASM with your software datasources

To find unsanctioned software, you will need to connect adapter sources that collect information directly from devices, such as the endpoint agents and the configuration and patch management tools listed above.

Using the CAASM Security Policy Enforcement Center, you can also initiate WMI scans to generate a list of installed software for all Windows devices. If you script such collection yourself, read the Uninstall registry keys rather than enumerating the Win32_Product WMI class, which is slow and triggers an MSI consistency check of every installed package.

Search by software Name

Searching for specific unsanctioned software can be done using the Installed Software: Software Name field. Combining the OR operator with the contains function lets you search for multiple software names at once. Bear in mind that contains is a substring match: a short term such as "tor" will also hit names like "Monitor" or "Editor", so review the results before taking action.

The query below shows a search for any device that has Metasploit or Nmap installed.

[Screenshot: CAASM Query Wizard, Installed Software: Software Name contains "metasploit" OR contains "nmap"]

Search by software Vendor

If there are certain software vendors your company does business with, you can simply search by the software vendor using the Installed Software: Software Vendor field.

For example, Adobe.

[Screenshot: CAASM Query Wizard, Installed Software: Software Vendor search for Adobe]

Digging Deeper with More advanced queries

For more complex scenarios, try these advanced queries in the Axonius Query Language (AQL) behind the CAASM Query Wizard. Note that regex() here is an unanchored, case-insensitive ("i") match, so a short term such as "tor" also matches names like "Monitor" or "Editor"; triage the hits before acting on them.

  1. Find all devices with any P2P software:
installed_software.software_name == regex("tor|torrent|tiktok|wechat|popcorntime", "i")
  2. Identify machines with cryptocurrency mining software:
installed_software.software_name == regex("btcminer|bfgminer|cgminer", "i")
  3. Detect potential RATs:
installed_software.software_name == regex("poison ivy|s
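Both the three-bucket classification described under "Getting organized" and the regex queries above can be exercised offline against an exported inventory. The following Python is an added example written for this article, not SJULTRA or Axonius code; the pattern lists, the hypothetical allow-list and the inventory rows are constructed. It runs the article's categories over a small installed-software export, shows why the unanchored contains/regex form produces false positives (a word-bounded regex separates "Tor" from "Monitor"), and builds the AQL strings for a broad first pass. The generated AQL assumes the backend regex dialect accepts the same PCRE-style fragments.

```python
"""Classify an installed-software export into the three buckets the article
describes and emit broad AQL first-pass queries.

Added example for this article; not SJULTRA or Axonius code.  The pattern
lists, allow-list and inventory rows below are constructed for illustration.
"""
import re
from collections import defaultdict

# Known-unsanctioned patterns, one group per category from the article's list.
# Fragments are regex pieces: "\w*torrent" also catches qBittorrent/uTorrent,
# "aircrack(?:-ng)?" covers both spellings of the suite name.
UNSANCTIONED = {
    "p2p": [r"tor", r"\w*torrent", r"tiktok", r"wechat", r"popcorn ?time"],
    "cracking": [r"aircrack(?:-ng)?", r"l0phtcrack", r"brutus"],
    "protocol_analysis": [r"winpcap", r"wireshark", r"mergecap", r"npcap"],
    "pentest": [r"dsniff", r"metasploit", r"nessus", r"nikto", r"nmap"],
    "crypto_mining": [r"btcminer", r"bfgminer", r"cgminer"],
    "gaming": [r"pokerstars", r"discord", r"steam"],
    "credential_theft": [r"mimikatz", r"davegrohl"],
    "rat": [r"poison ?ivy", r"sakula", r"kjworm", r"havex", r"dark ?comet", r"alienspy"],
}

# Known-sanctioned allow-list (hypothetical; populate from your own CMDB).
SANCTIONED = [r"microsoft (?:office|365)", r"google chrome", r"adobe acrobat"]

# The raw P2P terms exactly as the article's first AQL query lists them.
PAGE_P2P_TERMS = ["tor", "torrent", "tiktok", "wechat", "popcorntime"]


def word_bounded(fragments):
    """Compile a case-insensitive alternation that only matches whole words,
    so 'tor' does not fire on 'Monitor' or 'Editor' the way a plain
    contains() or unanchored regex does."""
    return re.compile(r"\b(?:" + "|".join(fragments) + r")\b", re.IGNORECASE)


UNSANCTIONED_RE = {cat: word_bounded(frags) for cat, frags in UNSANCTIONED.items()}
SANCTIONED_RE = word_bounded(SANCTIONED)


def naive_contains(software_name, terms):
    """What 'Software Name contains X OR contains Y' does: a substring match."""
    lowered = software_name.lower()
    return any(term in lowered for term in terms)


def classify(software_name):
    """Return (bucket, category). Unsanctioned patterns are checked first so a
    sanctioned vendor name cannot whitelist a bundled or renamed tool."""
    for category, pattern in UNSANCTIONED_RE.items():
        if pattern.search(software_name):
            return "known_unsanctioned", category
    if SANCTIONED_RE.search(software_name):
        return "known_sanctioned", None
    return "unknown", None  # Unknown - Unsanctioned: needs a human decision


def triage(inventory):
    """Group inventory rows (hostname + software_name, the shape an endpoint
    agent or WMI scan export gives you) by bucket."""
    buckets = defaultdict(list)
    for row in inventory:
        bucket, category = classify(row["software_name"])
        buckets[bucket].append((row["hostname"], row["software_name"], category))
    return dict(buckets)


def aql_for(category):
    """Broad first-pass query in the article's AQL form; run classify() over
    the exported hits for precision. Assumes the backend regex dialect accepts
    the same fragments (PCRE-style \\w and (?:...) groups)."""
    return 'installed_software.software_name == regex("%s", "i")' % "|".join(UNSANCTIONED[category])


# Constructed rows standing in for an installed-software export.
SAMPLE_INVENTORY = [
    {"hostname": "ws-0142", "software_name": "Microsoft Office Professional Plus 2021"},
    {"hostname": "ws-0142", "software_name": "Monitor Calibration Utility"},   # 'tor' substring
    {"hostname": "ws-0142", "software_name": "Wireshark 4.2.5 64-bit"},
    {"hostname": "lt-0377", "software_name": "qBittorrent 4.6.4"},
    {"hostname": "lt-0377", "software_name": "Visual Studio Code"},
    {"hostname": "srv-db-03", "software_name": "cgminer"},
    {"hostname": "lt-0091", "software_name": "Sakula"},
    {"hostname": "lt-0091", "software_name": "Network Editor Pro"},            # 'tor' substring
]

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_INVENTORY).items():
        print(bucket)
        for hostname, name, category in rows:
            print(f"  {hostname:<10} {name:<42} {category or ''}")
    for name in ("Monitor Calibration Utility", "Network Editor Pro"):
        print(f"{name!r}: contains-match={naive_contains(name, PAGE_P2P_TERMS)}, "
              f"classified as {classify(name)[0]}")
    print(aql_for("rat"))
```

The "unknown" bucket is the one that drives the list-building work described above: each name in it is either added to the sanctioned allow-list or given a pattern in the unsanctioned table, and the next run shrinks the bucket.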

Taking action

Once you've identified unsanctioned software, what next? CAASM lets you automate the response:

  1. Slack Alerts: notify the security or IT team as soon as a device reports newly installed unsanctioned software.
  2. Jira Tickets: automatically create issues for IT to review and remove the software, or to add it to the sanctioned list if it turns out to be legitimate.
  3. Tagging: tag affected devices in CAASM so they can be tracked until they are remediated.
  4. CMDB Updates: keep the Configuration Management Database's software records current, so the sanctioned and unsanctioned lists stay in step with what is actually installed.

Summary

Finding unsanctioned software is just one of the 14 powerful use cases for CAASM. By leveraging SJULTRA’s Cybersecurity Observability Service, you can take control of your software ecosystem and significantly reduce your attack surface.

Ready to see it in action? Start your free trial of SJULTRA CAASM today!

Remember, in the world of cybersecurity, knowledge is power. Stay vigilant, stay informed, and keep those unauthorized apps at bay!

Happy hunting, cyber defenders! 🕵️‍♂️💻🛡️

Documentation and Videos

Read the documentation: Finding unsanctioned software.