Official Cyber Range Project
In this project, we simulate the implementation of a comprehensive vulnerability management program, from inception to completion.
Inception State: the organization has no existing policy or vulnerability management practices in place.
Completion State: a formal policy is enacted, stakeholder buy-in is secured, and a full cycle of organization-wide vulnerability remediation is successfully completed.
- Tenable (enterprise vulnerability management platform)
- Azure Virtual Machines (Nessus scan engine + scan targets)
- PowerShell & BASH (remediation scripts)
- Vulnerability Management Policy Draft Creation
- Mock Meeting: Policy Buy-In (Stakeholders)
- Policy Finalization and Senior Leadership Sign-Off
- Mock Meeting: Initial Scan Permission (Server Team)
- Initial Scan of Server Team Assets
- Vulnerability Assessment and Prioritization
- Distributing Remediations to Remediation Teams
- Mock Meeting: Post-Initial Discovery Scan (Server Team)
- Mock CAB Meeting: Implementing Remediations
- Remediation Round 1: Outdated Wireshark Removal
- Remediation Round 2: Insecure Protocols & Ciphers
- Remediation Round 3: Guest Account Group Membership
- Remediation Round 4: Windows OS Updates
- First Cycle Remediation Effort Summary
This phase focuses on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines, and may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.
Draft Policy
In this phase, a meeting with the server team introduces the draft Vulnerability Management Policy and assesses their capability to meet remediation timelines. Feedback leads to adjustments, like extending the critical remediation window from 48 hours to one week, ensuring collaborative implementation.
Hope: Morning, Jimmy. How have things been lately? I know it’s been pretty busy for everyone these past few weeks.
Jimmy: Morning, Hope. Yeah, it’s been a bit hectic, but we’re managing. How about your side?
Hope: About the same, to be honest. I had a chance to review the policy draft, and overall it makes sense. I think it’s a good direction. My only concern is the remediation timelines — especially the 48-hour window for critical vulnerabilities.
Jimmy: Yeah, I figured that might come up. It is quite aggressive.
Hope: Exactly. With our current staffing levels, it would be really difficult to meet that consistently. We want to do it properly, not rush and risk missing things.
Jimmy: That’s completely fair. What if we extend the critical vulnerability timeline to one week for now? We could still keep the 48-hour turnaround for truly severe cases, like zero-day vulnerabilities.
Hope: That sounds much more realistic. We’d really appreciate that flexibility. Would there also be some leeway in the first few months while we adjust to the remediation and patching process?
Jimmy: Absolutely. Once the policy is finalised, we’ll officially roll it out, but we’re planning to give all departments about six months to get comfortable with the new process.
Hope: That feels fair. We’ll definitely do our best. I also really appreciate being part of the discussion — it makes a big difference feeling involved rather than just being handed targets.
Jimmy: Of course. This works best when we’re aligned. Thanks for being open about the challenges.
Hope: Thank you for being flexible. And thanks for keeping this short — those are my favourite kinds of meetings.
Jimmy: Same here. Let’s catch up again soon.
Hope: Sounds good. Speak soon.
After gathering feedback from the server team, the policy is revised to relax the overly aggressive remediation timelines. With final approval from upper management, the policy now governs the program and serves as the agreed reference point whenever a remediation deadline is pushed back on.
Finalized Policy
The team works with the server team to set up scheduled credentialed scans. A compromise is reached: scan a single server first while monitoring its CPU and memory impact, and authenticate with a dedicated Active Directory account that is enabled only for the scan window (just-in-time access) rather than standing administrator credentials.
Hope: Morning Jimmy.
Jimmy: Morning Hope. I heard you are ready to start running some scans?
Hope: Yes. Now that the Vulnerability Management Policy is in place, I would like to begin scheduling regular credentialed scans of your server environment.
Jimmy: Sounds good. What does that involve and how can we support?
Hope: We are planning weekly scans of the server infrastructure. With around 200 assets, we estimate each scan will take about four to six hours. To get accurate results, we will need administrative credentials so the scan engine can log into the systems and properly assess them.
Jimmy: Okay, hold on. What exactly happens during these scans? I am a bit concerned about resource utilisation. And giving admin credentials to all 200 machines does not sound very safe.
Hope: Those are valid concerns. The scan engine sends controlled traffic to check for known vulnerabilities. It looks for things like outdated software, insecure protocols, weak cipher suites, and certain registry configurations. It does not make changes to the systems, it only reads information. That is why credentials are required. Without them, we would only get a surface-level view.
Jimmy: Alright. As long as it does not take any servers offline or cause performance issues, we should be fine.
Hope: It should not, but to be cautious we can start by scanning just one server first and monitor CPU and memory usage. That way we can confirm there is no noticeable impact before rolling it out more widely.
Jimmy: I like that approach.
Hope: Regarding credentials, instead of using permanent admin accounts, could we create a dedicated Active Directory account just for scanning? We can keep it disabled and only enable it during the scan window, then disable or remove it afterwards. That would follow a just-in-time access model and reduce risk.
Jimmy: That makes sense. I will ask Susan to look at automating the account provisioning.
Hope: Perfect. Let me know once the credentials are ready and we can schedule the first test scan.
Jimmy: Will do. I will get back to you once everything is set up.
Hope: Great. Speak soon.
Jimmy: Speak soon.
In this phase, an insecure Windows Server is provisioned to simulate the server team's environment. After deliberately introducing vulnerabilities, an authenticated (credentialed) scan is performed, and the results are exported as the baseline for the remediation steps that follow.
We assessed vulnerabilities and established a remediation prioritization strategy based on ease of remediation and impact. The following priorities were set:
- Third Party Software Removal (Wireshark)
- Windows OS Secure Configuration (Protocols & Ciphers)
- Windows OS Secure Configuration (Guest Account Group Membership)
- Windows OS Updates
The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.
The server team reviewed vulnerability scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Control Board (CAB).
The Change Control Board (CAB) reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach.
The server team used a PowerShell script to remove outdated Wireshark. A follow-up scan confirmed successful remediation.
Wireshark Removal Script
Scan 2 - Third Party Software Removal
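An added PowerShell example of the outdated-software removal in this round (not the page's own "Wireshark Removal Script"). It locates Wireshark through the registry uninstall keys rather than a hard-coded path, runs the NSIS uninstaller silently, and reads the keys back so the follow-up scan is not the first confirmation. Run it in an elevated session on the affected server.

```powershell
# Added example, not the page's own removal script. Run as administrator.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledWireshark {
    # Enumerate both 64-bit and 32-bit uninstall hives; Tenable reads the same keys
    # when it reports the installed version, so this is the view the scanner sees.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Wireshark*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Remove-Wireshark {
    $apps = Get-InstalledWireshark
    if (-not $apps) {
        Write-Output 'Wireshark is not installed; nothing to do.'
        return
    }
    foreach ($app in $apps) {
        # Wireshark ships an NSIS uninstaller; /S runs it without prompts.
        $exe = $app.UninstallString.Trim('"')
        Write-Output "Removing $($app.DisplayName) $($app.DisplayVersion)"
        $proc = Start-Process -FilePath $exe -ArgumentList '/S' -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            Write-Warning "Uninstaller exited with code $($proc.ExitCode)"
        }
    }
    # Verify by re-reading the uninstall keys; an empty result is the evidence for the CAB ticket.
    $remaining = Get-InstalledWireshark
    [pscustomobject]@{
        Remediated = -not $remaining
        Remaining  = ($remaining | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join ', '
    }
}

Remove-Wireshark
```

Npcap, which the Wireshark installer can pull in, is a separate product with its own uninstall entry and is intentionally left alone here; if the scanner flags it as well, it is a separate finding and a separate change.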
The server team used PowerShell scripts to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and the results were saved for reference.
PowerShell: Insecure Protocols Remediation
PowerShell: Insecure Ciphers Remediation
Scan 3 - Ciphersuites and Protocols
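An added PowerShell example covering both remediation scripts in this round (not the page's own "Insecure Protocols" and "Insecure Ciphers" scripts). It disables the legacy SCHANNEL protocols and weak cipher keys through the registry, exports the SCHANNEL key first so the rollback the CAB asked for is a single reg import, and reads the values back for verification. The protocol and cipher lists are assumptions that match the usual Tenable findings (SSL 2.0/3.0, TLS 1.0/1.1, RC2, RC4, DES, 3DES and NULL); adjust them to the actual scan output. SCHANNEL changes take effect after a reboot.

```powershell
# Added example, not the page's own remediation scripts. Run elevated; reboot afterwards.
# Protocol and cipher lists are assumptions matching common Tenable findings.
$Schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$Ciphers   = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
             'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168'

function Backup-Schannel {
    # Rollback artifact for the CAB: 'reg import <file>' plus a reboot undoes everything below.
    param([string]$Path = "$env:ProgramData\schannel-backup-$(Get-Date -Format yyyyMMdd-HHmm).reg")
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Path /y | Out-Null
    return $Path
}

function Disable-SchannelProtocol {
    param([string]$Name)
    # Disable on both the Server and Client side; Enabled=0 plus DisabledByDefault=1 is the
    # documented pair, so applications that ask for "system defaults" cannot re-enable it.
    foreach ($side in 'Server', 'Client') {
        $key = "$Schannel\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([string]$Name)
    # Cipher key names contain '/', which the registry provider would treat as a path
    # separator, so create the subkey through the .NET registry API instead of New-Item.
    $base = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    $key = $base.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
}

function Test-SchannelHardening {
    # Read every value back so the change is verified before the follow-up scan.
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $v = Get-ItemProperty -Path "$Schannel\Protocols\$p\$side" -ErrorAction SilentlyContinue
            [pscustomobject]@{ Item = "$p ($side)"; Disabled = ($v.Enabled -eq 0 -and $v.DisabledByDefault -eq 1) }
        }
    }
    foreach ($c in $Ciphers) {
        $v = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$c")
        [pscustomobject]@{ Item = "Cipher $c"; Disabled = ($v -and $v.GetValue('Enabled') -eq 0) }
    }
}

$backup = Backup-Schannel
Write-Output "Rollback file: $backup"
$Protocols | ForEach-Object { Disable-SchannelProtocol $_ }
$Ciphers   | ForEach-Object { Disable-SchannelCipher $_ }
Test-SchannelHardening | Format-Table -AutoSize
```

Nothing is written for TLS 1.2, so it stays enabled; that is the point of the tiered rollout the CAB approved, since any client or service that still needs TLS 1.0 or RC4 will break at the first tier and show up before the change reaches the rest of the estate.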
The server team removed the Guest account from the local Administrators group. A new scan confirmed remediation, and the results were exported for comparison.
PowerShell: Guest Account Group Membership Remediation
Scan 4 - Guest Account Group Removal
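An added PowerShell example of this round's fix (not the page's own "Guest Account Group Membership Remediation" script). It uses the built-in LocalAccounts cmdlets, is safe to re-run, and returns the post-remediation state as evidence; it assumes the account still carries its default name 'Guest'.

```powershell
# Added example, not the page's own script. Uses the built-in LocalAccounts module
# (Windows Server 2016+ / PowerShell 5.1+). Run elevated on the affected server.
# Assumes the built-in guest account has not been renamed.
function Get-GuestAdminMembership {
    # Membership entries are reported as 'COMPUTER\Guest', so match on the trailing name.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -like '*\Guest' }
}

function Remove-GuestFromAdministrators {
    $member = Get-GuestAdminMembership
    if ($member) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member
        Write-Output "Removed $($member.Name) from Administrators"
    } else {
        Write-Output 'Guest is not a member of Administrators; nothing to do.'
    }
    # The finding is about group membership, but the account itself should stay disabled too.
    if ((Get-LocalUser -Name 'Guest').Enabled) {
        Disable-LocalUser -Name 'Guest'
    }
    # Return the post-remediation state for the evidence attached to the CAB ticket.
    [pscustomobject]@{
        GuestInAdministrators = [bool](Get-GuestAdminMembership)
        GuestEnabled          = (Get-LocalUser -Name 'Guest').Enabled
    }
}

Remove-GuestFromAdministrators
```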
Windows updates were re-enabled and applied, with reboots between passes, until the system was fully up to date. A final scan verified the changes.
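An added PowerShell example of re-enabling and applying updates (not the page's own procedure). It reverses the two usual ways updates end up switched off, a disabled Windows Update service and the NoAutoUpdate policy value, then drives the built-in Windows Update Agent COM API to search, download and install pending updates, stopping when a reboot is required so the loop can be repeated after restart. No third-party module is assumed; the policy key path and the COM objects are the standard ones.

```powershell
# Added example, not the page's own script. Run elevated. Uses the built-in Windows Update
# Agent COM API (Microsoft.Update.*), so no third-party module is required.
function Enable-WindowsUpdate {
    # Undo a disabled service and the NoAutoUpdate policy, the two common ways updates get turned off.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (Test-Path $au) {
        Remove-ItemProperty -Path $au -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue
    }
    Set-Service -Name wuauserv -StartupType Manual
    Start-Service -Name wuauserv
}

function Install-PendingUpdates {
    # Search, download and install everything not yet installed; returns a summary object
    # rather than only printing, so the result can be logged next to the scan evidence.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    if ($found.Updates.Count -eq 0) {
        return [pscustomobject]@{ Installed = 0; ResultCode = $null; RebootRequired = $false }
    }
    $batch = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($u in $found.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        $batch.Add($u) | Out-Null
        Write-Output "Queued: $($u.Title)"
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    $downloader.Download() | Out-Null
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $result = $installer.Install()
    [pscustomobject]@{
        Installed      = $batch.Count
        ResultCode     = $result.ResultCode      # 2 = succeeded, 3 = succeeded with errors
        RebootRequired = $result.RebootRequired
    }
}

Enable-WindowsUpdate
do {
    $pass = Install-PendingUpdates
    $pass
    if ($pass.RebootRequired) {
        Write-Output 'Reboot required; rerun after restart until Installed is 0.'
        break
    }
} while ($pass.Installed -gt 0)
```

Cumulative updates usually need a reboot before the next search returns a clean result, which is why the loop exits on RebootRequired instead of pretending one pass is "fully up to date".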
The remediation process reduced total vulnerabilities by 80%, from 30 to 6. Critical vulnerabilities were resolved by the second scan (100%), and high vulnerabilities dropped by 90%. Mediums were reduced by 76%. In an actual production environment, asset criticality would further guide future remediation efforts.
After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)
Key activities in Maintenance Mode include:
- Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
- Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
- Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
- Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
- Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
- Ongoing Communication with Stakeholders: Maintain open communication with teams responsible for remediation, ensuring efficient coordination.
By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.
