Login to the Tutela admin portal and note your API key, or create a new oneClick for full size
Edit the "Agent Targets" and enter the targets the agent should scan:Click for full sizeTargets should be inserted each on a seperate line, and format may be:
A single IP Address
An IP subnet (example: 192.168.1.0/24)
A domain name (example: scanme.nmap.org)
Run following on a server where docker is installed:
docker run dvassallocs/tutela --api_key <INSERT_YOUR_API_KEY_HERE>
May I view the how-to screencast again?
What is Network-based Asset Management?
Output from network scans are used to populate a database of assets. Each asset is fingerprinted and where possible the asset is tagged with:
type of device (e.g. windows, linux, server, etc...)
Public / Private IP
Newly Detected Asset
Each asset is given a "state" (see next FAQ for more details) and the dashboard allows you to easily query assets in different states for easy reporting and compliance checks
Click for full size
What are Network-based Asset Management "states"?
A network asset can take on one of three states:
Authorized
Under Investigation
Unseen
When an asset is initially detected, it is put in the "unseen" state. This indicates to analysts that the asset hasn't been reviewed yet. Once an asset is detected, an analyst can put the asset state to "under investigation" while appropriate checks are carried our to see if said asset is to be allowed on the network. Tutela allows the analyst to store "notes" pertaining to the asset to add better context to the asset. Once investigations are completed, the asset can be moved to "authorized" to indicate concluded investigations.
What are the agent requirements?
The agent is packaged as a single linux container, hence it only requires a valid docker environment. If you run a windows host docker server, you will need to have either WSL2 or Hyper-V enabled. If this is not possible for some reason, please see the procedure outlined in "How do I install the native windows network scanner?"
How do I install/update the agent?
You can do this by executing the following on a server where docker is installed:
docker pull dvassallocs/tutela
If the container is already installed, re-running the above will update to the latest version.
How do I install the native windows network scanner?
The docker method outlined above is the easier and more convenient option, however there are some cases when you'd like to install the network scanner on a windows server which doesn't support running linux docker containers. In this case an alternative native windows agent is provided which has a slightly more involved (though still easy) installation process:
You are not limited in the number of agents and corresponding API keys you can generate. Ideally you should have seperate agnets / API keys for each subset of related targets you are planning to scan
How Do I Add More IP Address Targets to scan?
There are two options to accomplish this:
Via the web portal (recommended)
Via the agent command line interface
Adding targets via the web portal is straightforward:Click for full size
Targets will then be automatically pushed to the agent on the next scan.
Adding targets via the CLI involves using the following command line arguments when running the agent (see this FAQ):-targets string targets seperated by spaces enclosed within quotes (e.g. "8.8.8.8 4.2.2.2") -targets_file string targets file
How Do I Exclude IP Addresses from the Targets to scan?
Excluding targets via the web portal is done by simply prepending the target with a negative sign: "-", for example: -192.168.1.2
Click for full size
In the example above, 192.168.0.0/24 subnet will be scanned, except for 192.168.1.1. Targets will then be automatically excluded in the next scan.
May I run both internal and external network scans?
Yes! Since you are not limited in the number of agents and corresponding API keys you can generate, it is possible and encouraged that you:
Generate an agent to be used for internal scanning with "Targets" set to internal addresses such as "192.168.0.0/24"
Generate an agent to be used for external scanning with "Targets" set to external addresses such as "scanme.nmap.org"
As long as each agent has network connectivity to it's targets this will work. If you'd like to scan your own external footprint from an external endpoint please let us know and contact support who will arrange for this service to be provided to you
Agent Command Line Settings
Recommended Use :
docker run -v "$(pwd)/results:/app/results" dvassallocs/tutela --api_key INSERT_API_KEY_HERE
TIP: Note the use of a bind volume mount. This will store the latest raw scan on the agent's disk as well as uploading the raw scan to the Tutela server. Useful in cases where raw scan uploads get large and susceptible to network timeouts during uploadsTo see all the available options:
docker run dvassallocs/tutela --help
CyberSift Tutela Agent
======================Usage of ./csVasAgentLinux:
-api_key string
Use an api key instead of public IP (contact support)-mass_scan
Enable Mass Scanning (WARNING: this will increase the scanning time considerably and SHOULD NOT be carried out over the internet)-max_connections int
maximum simultaneous connections to open during scanning (default 500)(default 500)-port_timeout int
maximum port timeout to use during scanning (default 50ms). Bigger values are more accurate but scans take longer (default 50)-scan
run scan (default true)-scan_name string
scan name (default "cs-vas")-targets string
targets seperated by spaces enclosed within quotes (e.g. "8.8.8.8 4.2.2.2")-targets_file string
targets file
What does "Exploit Available" mean?
The vulnerability assessment tool will display all appropriate CVEs. However, a common problem is the sheer number of CVEs which are published on a daily baisis. In order to help you cut through the noise and prioritize those vulnerabilities that really matter, we also check exploit databses for vulnerabilites which have exploit code vailable to them as this significantly increases the chances of said vulnerability being successfully attacked. This is a known way of properly prioritizing which CVEs should be addressed first:
The easiest way of doing this is to add a cron job which calls the Tutela Agent container perdiocally. For example:
0120 * * docker run dvassallocs/tutela --api_key INSERT_YOUR_API_KEY
The above cronjob will launch a scan on the 20th day of every month
Why do I see vulnerabilities with CVE ID "CS-VER-UNKNOWN"?
In some cases after a network vulnerability scan you would see entries similar to the following, with "CVE" set to "CS-VER-UNKNOWN":
Click for full size
TL;DR: this means the scanner was unable to determine the version of software running, and such alerts can in general be safely resolved or ignored
The reason the above appear is to alert you to the fact that the agent is unable to determine the version of software running on the given port. In the above screenshot example, the product was determined to be "NGINX", however the version could not be determined. Rather than spamming you with inaccurate vulnerability entries, the scanner generates a "meta-alert" named "CS-VER-UNKONWN" (a.k.a CyberSift-VERsion-UNKNOWN). The alert is not necessarily a bad indicator, in fact during many pentesting engagements customers are encouraged to disabled headers and other data which can leak information such as version numbers that may aid an attacker.
How can I give scans a friendly name to better identify them on the dashboard?
By default, a unique name is generated by the agent whenever a scan is uploaded. You can influence the name that is generated by using:
-scan_name insert-scan-name-here
as an additional argument whenever you call the agent.
The above argument is valid for both infrastructure and web application scans
What is "Sentinel Mode"?
Sentinel Mode places any given agent into a special mode which allows it to scan all private IP subnets continuously. This allows you to continously monitor all your internal network without any pre-configured schedule or any pre-configured tagets. This mode is meant to aid in network discovery and in scenarios where you would like to periodically and randomly crawl your entire network to make sure nothing changes without you being alerted. At the moment, the WebUI only supports configuring agents in either Sentinel or 'normal' mode. However you can run agents in both Sentinel and normal mode on the same server using the CLI. No configuration is needed on the agent to run in 'Sentinel Mode', at the cost of flexibility in assigning targets and schedules to your scans.
What is host-based vulnerability scanning?
Host based scanning is similar to network-based scanning, however instead of a docker-based agent which probes your network, this approach uses an agent which is installed directly on a PC or server. This give you even greater visibility into your infrastructure as a host based agent is able to enumerate software which is installed on a given PC/Server and detect any CVEs for that software. The host based scanning feature allows you to:
Keep track of what software is installed in your environment
Keep track of which users are given administrative access to each host the agent is installed on
Enumerate known CVEs which affect the software installed on a host
The MSI may be installed manually or pushed via an appropriate Group Policy Object
Running the agent is very straightforward. Simply run the below command from an elevated privilege command prompt:
C:\Program Files (x86)\Tutela Windows Agent\winAgent.exe --api_key INSERT_YOUR_API_KEY
Scheduling the agent to run periodically can be easily accomplished using a windows scheduled task setup manually (for an example see below) or setup via an appropriate Group Policy Object
Running the agent is very straightforward. Simply run the below command from a root terminal:
./TutelaLinuxAgent -api_key INSERT_YOUR_API_KEY
The agent does not need to be "installed", simply executed, and can be run on a schedule using CRON. An example provisioning bash script which downloads, and schedules the scan is provided below:
What is supply chain (library) vulnerability scanning?
Library based scanning is a module included in the host agent. It allows you to scan development "artifacts" for known vulnerabilities (like the infamous Log4jShell) The following is a non-exhaustive list of support "artifacts":
Java: JAR, WAR
NodeJS: yarn.lock
Python: Pipfile.lock, requirements.txt
At the moment, only Linux servers are supported
How do I run the library vulnerability scan?
At the moment, only Linux servers are supported. The library vulnerability scan is included in the linux host agent, so make sure the agent is installed on a linux server, by running the following command:
By default, results are reported back to the Tutela online dashboard, however you have the option to save the results locally in JSON format by using the following:
Scheduling the agent to run periodically can be easily accomplished using a cron job with the above command
What is docker image vulnerability scanning?
Docker is a virtualization system based on the concept of "containers". Each container is in effect a self contained operating system, running underneath the supervision of the host server running docker. As such, each container can include it's own vulnerabilities depending on which image is used. For example, a container based on an Ubuntu image would need to be checked for Ubuntu-specific vulnerabilities. Each container would also need to be scanned for library vulnerabilities (see "Supply Chain scanning" above).
Both types of scanning are supported by Tutela via a module included in the host agent. It allows you to scan saved docker images for known vulnerabilities (both as OS and library level where supported)
How do I run the docker image vulnerability scan?
At the moment, only Linux servers are supported. The docker image vulnerability scan is included in the linux host agent, so make sure the agent is installed on a linux server, by running the following command:
Before running the scan, you need to "export" or "save" the docker container which is to be scanned. Doing this is straightforward. On the docker host server:
docker save --output XYZ.tar container_name:tag
An important note: You must specify a tag or the scan would fail. For example, for the tutela docker image, the proper command would be docker save --output tutela.tar dvassallocs/tutela:latest. Of course, change the output argument to anything you wish. The name of the tar file is used by Tutela to group vulnerabilities from the same docker image together.
Running the agent is straightforward, you simply need to specify your API key and the TAR file from the step above, for example:
By default, results are reported back to the Tutela online dashboard, however you have the option to save the results locally in JSON format by using the following:
Scheduling the agent to run periodically can be easily accomplished using a cron job with the above command
What is Web Application vulnerability scanning?
Web Application scanning allows you to test for common web application vulnerabilities such as the OWASP Top 10. The web application scanner is shipped as a seperate docker agent which can very easily be setup to scan multiple websites, and configured to scan periodically. The results are then uploaded to the Tutela dashboard to give you a single view of all vulnerabilities detected across your infrastructure.
This feature allows you to:
Improve your security by adding missing best-practice HTTP headers to your setup
Avoid common HTML / Javascript vulnerabilites such as Injection, Broken Authentication and XSS
You can do this by executing the following on a server where docker is installed:
docker pull dvassallocs/tutela-web-scanner
If the container is already installed, re-running the above will update to the latest version.
How do I launch a web scan?
You can do this by executing the following on a server where docker is installed:
docker run dvassallocs/tutela-web-scanner --targets 'https://scanme.nmap.org/, https://public-firing-range.appspot.com/' -api <INSERT_YOUR_API_KEY>
If the container is already installed, re-running the above will update to the latest version. The above example also illustrates scanning two target, and the use of "ZAP Test Plans" which allow for more accurate scanning of web applications protected by a login page.By default the agent will run a "light" scan, however a more thorough (but time-consuming) active scan can be launch with the following code:
docker run dvassallocs/tutela-web-scanner --targets 'https://scanme.nmap.org/, https://public-firing-range.appspot.com/' -api <INSERT_YOUR_API_KEY> -active true
The agent also accepts selenium test plans written in python (typically exported from SeleniumIDE). Test plans should be reachable from within the agent docker container at the path /zap/testPlans, usually achieved by using a bind mount as per the below example:
Cloud Provider Integration is used to enumerate resources which are provisioned in your Cloud Provider, giving you greater visibility into your infrastructure. The cloud provider integration currently supports the following providers:
Azure Compute
Amazon Web Services EC2
How do I setup AWS Integration?
AWS Integration involves creating an App ID and secret for a dedicated Tutela user via Amazon IAM.
Sign into the AWS console and navigate to the IAM service:
Click for full size
Add a new user, with an appropriate username and select the "Acces key - Programmatic Access" option:
Click for full size
(Recommended) Place the newly-created user into a dedicated newly-created group:
Click for full size
(Recommended) Name the group, and assign the "AmazonEC2ReadOnlyAccess" policy ONLY:
Click for full size
Make a note of the Access key ID (a.k.a Identifier) and the Secret access key (a.k.a Secret):
Click for full size
Sign into the Tutela console and navigate to Settings > Agent Management > Add Cloud Provider :
Click for full size
Insert the appropriate details recorded in step 5 above, ensuring that the "Amazon Web Services" option is selected:
Click for full size
Please note! Cloud Provider assets may take up to 24 hours to be shown in the Tutela dashboard
How do I setup Azure Integration?
Azure Integration involves creating a Service Principal for a dedicated Tutela App:
Sign into the Azure console and open a cloud shell:
Click for full size
Enter the following command:
az ad sp create-for-rbac --name TUTELA
Click for full size
Make a note of the output, specifically the Identifier, Secret, and Tenant ID:
Click for full size
Next is noting your subscription ID. Search for "Subscriptions" in the Azure portal:
Click for full size
Note the appropriate Subscription ID assigned to your account:
Click for full size
Sign into the Tutela dashboard, and navigate to Settings > Agent management > Add Cloud Provider.
Insert the required information gathered from the previous steps into the dialog box, taking special care to select the
"Azure Compute" option:
Click for full size
What is external domain management used for?
External Domain Management is a Tutela feature which allows you to keep an eye on registered subdomains for a given main domain. Apart from listing any detected subdomains, Tutela also lists any resolved IP addresses for each subdomain detected. This allows you as a security administrator to:
Enumerate any subdomains you may not have been aware of. This is a problem especially for larger teams which may unknowingly increase your attack surface without your knowledge
Enumerate any leaked internal subdomains which should not be public
Be aware of any unreasonable domain IP changes. This may be simply a valid and authorized DNS change, but it may also be a warning sign for a subdomain takeover.
These DNS resolutions are done externally from your own infrastructure, i.e. these checks do not use your DNS servers. This allows you to see your DNS infrastructure from the point of view of a potential attacker.
How do I configure external domain management?
In three simple steps:
Click for full sizeAmong other domain checks, the above procedure will activate the external domain management feature
What is Data Leak & Phishing Detection?
Data Leak & Phishing Detection is a Tutela feature which allows security administrators to:
Detect lookalike domains which could be leveraged to launch phishing campaigns
Detect possible cloned sites which are usually used to phish users into disclosing company credentials
Detect sensitivie information which may have been disclosed due to possible data leaks both intentional and unintentional on the visible and dark web
How do I configure Data Leak & Phishing Detection?
This is done in three steps:
Click for full sizeOnce done, Tutela will kick off a number of checks, te results of which can be seen under the "Data Leak & Phishing Detection" section in the UI:Click for full sizeIn the "Flagged Domains" section of this screen you will be able to see any results which are picked up by Tutela for the given domain:Click for full sizeThis includes details such as which module flagged the issue (Data Leak Prevention, Darkweb Scanner, Similar Domain Generator, etc...), as well as utilities for an analyst to add notes and filter by status ("unseen", "acknowledged", "resolved", etc...) The Similar Domain Generator module can be seen further down in this page:Click for full sizeThe table shows a list of "currently monitored suspicious domains", each generated by a number of methods such as Domain Generation Algorithms (DGA), as well as SSL and DNS monitoring.
My browser tab gets unresponsive when generating a PDF report... is this normal?
This happens when you select a rather large report to be generated. PDF generation happens client-side within your browser, so large reports will cause your browser to become unresponsive until it manages to render all the PDF pages. Usually given enough time (even upto 10 minutes) the browser will display the PDF report - however in these situaitons we recommend you change your report type to the default "spreadsheet" since this is generated on our servers and will be significantly faster
CyberSift Tutela FAQs