RE 4.1.1

Reporting Engine v4.1.1

This release of Reporting Engine (RE) includes the fix outlined below. See README for full instructions.

Fixes

• Mitigate bug where adding an AffectedSystem object with no name led to a NoneType error that prevented use of the Report screen.

Full Changelog: v4.1.0...v4.1.1

RE 4.1.0

Reporting Engine v4.1.0

This release of Reporting Engine (RE) includes the new features, improvements, and fixes outlined below. See README for full instructions.

New Features

• Operator Notes (accessed via the sticky note icon on the Findings Edit and Details pages) can now be added to findings for anything that teams would like to track internally (these notes do not appear in any exported artifacts and only exist within the RE instance)
• Findings screen now enables granular control over affected systems and their individual mitigation status
• Multiple findings with the same name can now be added and are ordered based on the following hierarchy: severity > assessment_type > creation date/time - with this change it is even more imperative that users export all artifacts only after finding adjustments are finalized in RE so that the numbering/ordering of duplicate findings is consistent across artifacts
• Full implementation of narrative blocks which can be used to pre-populate common attack path steps
• Add CSV findings report export option for FAST
• When a Narrative building block is selected, a 'Recommended' filter for tools and MITRE techniques can be used on the Narrative Details screen to select relevant tools and techniques
• Add warnings throughout the app to flag missing data

Improvements and Updates

• The Artifacts tab in the Activity tracker now has a CSV upload function to replace the artifact upload function that previous auto-calculated hashes - this is a temporary workaround until the SEI Design System is phased out
• Various model and API updates
• Since multiple findings can now be added, the External/Internal assessment type is no longer an option for findings
• Risk score calculations (back end) are now in one central location versus distributed across multiple views - these calculations are performed each time a finding is modified/saved
• Several dependencies have been updated - this could lead to unanticipated issues that were not detected during testing, so please be cognizant of bugs and report them via GitHub immediately
• Add description to 'Mitigated Findings' section for FAST reports
• Include two findings per page in 'Mitigated Findings' section for FAST reports
• Allow users to add/remove the screenshot for each Narrative step
• Navigation and usability improvements across the Narrative screens
• Add 'Affected Systems' column to the Findings Summary table in the FAST report
• Add 'First Discovered' and 'Last Validated' dates to findings for FAST
• Remove 'Port Mapping' service from FAST GUI/artifacts
• Remove TLP references from FAST GUI/artifacts
• Remove acronyms table from FAST report
• Add 'Mitigation Status' to dashboard for all assessment types
• Eliminate redundant use of months in assessment date ranges taking place within the same month
• Automatically replace double spaces after periods with single spaces on report generation
• Split scope list (if lines exceed 10) into columns within the report
• Increase character limit for Port Mapping ports and services fields
• Update assessment ID format from RV####/RV####.## to VMA#######
• Automatically set up dev secret
• Warn users when the ptp.py run command is executed and existing RE containers are detected
• Update KEV and tool database
• Update README to include ptp.py start usage and instructions for automated daily backups
• Exclude non-critical sections containing no data from the exported report
• Move npm, tailwind, and vue installations to docker image build
• Add sub-sectors to Assessment Details and JSON output
• Update security solutions list to align with payload parser
• Update KEV and MITRE lists
• Add formatting to numbers exceeding three digits within exported artifacts
• Add MITRE technique metadata to JSON output
• Update vulnerable dependencies
• Add initial API endpoints for automatic finding ingestion
• Ability to upload affected systems list on findings screen instead of manually entering
• Added invisible keyword tags to findings to improve search function
• Added category filtering capabilities to findings to facilitate easier navigation of findings repository
• Added status to findings to help track which findings need additional work (Draft, Needs Review, Complete)
• More error verbosity and handling on the Assessment Details screen
• Mitigated risk score for each finding is measured based on the percentage of affected systems marked as "Not Mitigated"
• Artifacts now label findings as "Partially Mitigated" if a subset of affected systems are marked as "Mitigated"
• Each unique affected system is assigned a randomized 20-character UID that is listed in the JSON to facilitate anonymized tracking
• Add last_validated field to JSON (N/A for RVA and RPT, date value for FAST)
• Enable Internal Narratives screen for RPT
• Enable Phishing Campaign screen for RPT
• Attribute findings to the user who created them on Dashboard and Finding Details
• Add 'Mitigated Findings' appendix for FAST reports
• Add --no-password and --cron flags to ptp.py backup function for easier automated backups via cron
• Add start function to ptp.py to easily start exited containers

Fixes

• RV has been replaced with VMA in JSON filenames
• Recommended tool and technique counts have been fixed so that overlapping items across narrative blocks are only counted once
• Fix ptp.py restore function to prevent database conflicts
• Change "RV" to "VMA" for id field in assessment JSON
• Revert to previous findings ordering scheme in exported reports
• Fix images in detailed findings section for exported reports
• Miscellaneous fixes to the ptp.py backup function
• Move bottom TLP label (on the cover page of reports) to the next line to avoid an unintended linebreak
• Replace 'vulnerability' email alias with the corresponding regional email alias based on the 'State' value
• Replace instances of filler words 'in the event that' / 'in order to' with 'if' / 'to'
• Allow report generation even when scope metrics are missing
• Include risk scores in RPT JSON output
• Justify text alignment throughout report
• Remove references to ‘Assessments team’ from report
• Change vulnerability_info email alias to vulnerability
• Resolve line break issues in captions
• Prevent inadvertent duplicate findings (e.g., if the save button is selected multiple times)

RE 2.0.5

Reporting Engine v2.0.5

This release of Reporting Engine (RE) 2.0 builds on 2.0.4 and includes the new features, fixes, and improvements outlined below. See README for full instructions.

New Features

• Initial Remote Penetration Test implementation including the following features:
  • Assessment Details to track stakeholder and assessor information
  • Findings to track details about vulnerabilities, misconfigurations, and other findings of note during an assessment
  • Phishing services to track metrics pertaining to payload testing
  • Other services to track OSINF and port mapping metrics
  • Narratives to track attack path details and step-by-step walkthroughs
  • KEV Catalog to track identified Known Exploited Vulnerabilities and map them to findings
  • Risk Scoring placeholder to generate a score for comparing risk over time and between stakeholders based on custom methodology
  • Activity Tracker to track high level assessment activity and infrastructure details for stakeholder awareness
  • Report screen for previewing/finalizing the assessment report
  • Export screen for exporting various artifacts and deliverables related to the assessment

Improvements and Updates

• Instances of Vulnerability Evaluation have been changed to Penetration Testing Capabilities
• Out-Brief slides for RVA and FAST now include the narrative steps (one slide per step)
• Bumped Pillow dependency to v10.0.1 due to vulnerabilities in previous versions
• Changed EI JSON output to use helpful descriptors instead of numbers
• Updated README to reflect correct Node/NPM requirements
• Updated Payload Parser dependencies
• Updated KEV Catalog
• Implemented number type form fields to restrict data entry to numbers for certain fields
• Added two new findings: Non-Essential Use of Elevated Accounts and Spam Filtering Weakness
• Updated various finding descriptions

Fixes

• Mailto hyperlink for vulnerability_info has been fixed (previously was pointing to vulnerability alias)
• Export All function only exports relevant artifacts based on assessment type
• Offline restore function in ptp.py has been fixed
• Date fields have been converted to naive form fields to eliminate issues when changing timezones
• MITRE sub-techniques now appear on the attack path creation screen (previously only appeared on the edit screen)

RE 2.0.4

Reporting Engine v2.0.4

This is the initial release of Reporting Engine (RE) 2.0 and includes the features outlined below. Assessment types not described below are not currently supported and will not work correctly until implementation in future releases. See README for full instructions.

• Initial Risk and Vulnerability Assessment (RVA) implementation including the following features:

  • Assessment Details to track stakeholder and assessor information
  • Findings to track details about vulnerabilities, misconfigurations, and other findings of note during an assessment
  • Phishing services to track metrics pertaining to payload testing and phishing campaigns
  • Other services to track data exfiltration, ransomware, and port mapping metrics
  • Narratives to track attack path details and step-by-step walkthroughs
  • KEV Catalog to track identified Known Exploited Vulnerabilities and map them to findings
  • Risk Scoring placeholder to generate a score for comparing risk over time and between stakeholders based on custom methodology
  • Activity Tracker to track high level assessment activity and infrastructure details for stakeholder awareness
  • Election Infrastructure to track information pertaining to elections systems and their findings
  • Report screen for previewing/finalizing the assessment report
  • Export screen for exporting various artifacts and deliverables related to the assessment

• Initial Federal Attack Surface Testing (FAST) implementation including the following features:

  • Assessment Details to track stakeholder and assessor information
  • Findings to track details about vulnerabilities, misconfigurations, and other findings of note during an assessment
  • Phishing services to track metrics pertaining to phishing campaigns
  • Port Mapping services to report open ports on public-facing systems
  • Narratives to track attack path details and step-by-step walkthroughs
  • KEV Catalog to track identified Known Exploited Vulnerabilities and map them to findings
  • Activity Tracker to track high level assessment activity and infrastructure details for stakeholder awareness
  • Report screen for previewing/finalizing the assessment report
  • Export screen for exporting various artifacts and deliverables related to the assessment