CyberArk SSH/Windows Dynamic Scanning
Summary
We are proud to announce a major feature request for our modern CyberArk integration that eliminates A) the requirement for the user to manually add specific targets to the target settings and B) the need to create multiple credentials in a single scan. However, this feature does allow end users to create up to five credentials in a single scan. This feature takes advantage of CyberArk’s PVWA REST API to gather bulk account data, adds targets to the scan automatically based on user-driven query parameters, and requests passwords from the CCP/AIM Web Service. Not only does this eliminate the requirement for the user to manually add specific targets to the settings and the need to create multiple credentials, but it also reduces calls to gather passwords.
How it Works
When users create a scan they only need to add one arbitrary target to the settings and set up a single credential (reference the two new credential types in the changes below). The credential simply allows communication and authentication between the scanner/sensor and the two CyberArk APIs (PVWA REST API and CCP/AIM Web Service REST API). First, we reach out to the PVWA REST API to gather bulk account details for accounts that meet criteria entered by the user within a ‘platform’ query field. We store this account data and automatically add targets/hosts to the scan. On a host-by-host basis, we request a password based on specific account details. If there are 100 targets added to the scan automatically, we make 100 password requests. As mentioned in the summary, this eliminates the need to make unnecessary requests to ‘try’ multiple credentials against a single target.
Changes and Important Notes
- There will be two NEW credential types:
  - SSH: CyberArk SSH Auto-Discovery
  - Windows: CyberArk Windows Auto-Discovery
- Users only need to enter a single arbitrary target to the scan.
- Users only need to set up a single credential mentioned above, but can configure up to 5 if they choose to.
- The current CyberArk credential will remain unchanged and is still available for use
- Privilege Escalation on SSH is available using this new feature, but only the SUDO method at this time.
- Domain support is included with Windows configuration, but based on the Domain value in the CyberArk Account details.
- SSH Key authentication is supported, but privilege escalation is not available for this authentication type at this time.
For more information please refer to our documentation pages.
Nessus: https://docs.tenable.com/integrations/CyberArk/Nessus/Content/DynamicScannngIntro.htm
Impact to Existing Scan Policies
There are no impacts to existing CyberArk credential configurations.
Release Date
TVM/Nessus: Tuesday September 5th 2023
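
The flow described under "How it Works", as an added example that is not Tenable's or CyberArk's code: it takes a constructed account list shaped like a PVWA account listing, keeps the accounts matching a platform, and plans exactly one CCP password request per discovered host. The hostnames, safe names, AppID, the `plan_scan` helper and the "first matching account wins" rule are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Constructed sample shaped like a PVWA account listing (all values are made up).
PVWA_RESPONSE = {
    "value": [
        {"id": "12_3", "name": "lin-web01-root", "address": "10.0.0.11",
         "userName": "root", "platformId": "UnixSSH", "safeName": "Linux-Scan"},
        {"id": "12_4", "name": "lin-db01-svc", "address": "10.0.0.12",
         "userName": "svc_scan", "platformId": "UnixSSH", "safeName": "Linux-Scan"},
        {"id": "12_5", "name": "win-dc01-adm", "address": "10.0.0.20",
         "userName": "adm_scan", "platformId": "WinDomain", "safeName": "Win-Scan"},
        {"id": "12_6", "name": "lin-web01-backup", "address": "10.0.0.11",
         "userName": "backup", "platformId": "UnixSSH", "safeName": "Linux-Scan"},
        {"id": "12_7", "name": "no-address", "address": "",
         "userName": "root", "platformId": "UnixSSH", "safeName": "Linux-Scan"},
    ]
}


def plan_scan(accounts, platform, app_id, ccp_base):
    """Return {address: CCP request URL}: one password request per host."""
    plan = {}
    for acct in accounts:
        addr = (acct.get("address") or "").strip()
        if acct.get("platformId") != platform or not addr:
            continue  # wrong platform, or nothing to add as a scan target
        if addr in plan:
            continue  # assumption: first matching account wins, no retries per host
        query = urlencode({"AppID": app_id,
                           "Safe": acct["safeName"],
                           "Object": acct["name"]})
        plan[addr] = f"{ccp_base}/AIMWebService/api/Accounts?{query}"
    return plan


if __name__ == "__main__":
    # Placeholder AppID and CCP host; no secret is stored or fetched here.
    plan = plan_scan(PVWA_RESPONSE["value"], "UnixSSH",
                     "ScannerApp", "https://ccp.example.internal")
    for host, url in plan.items():
        print(host, "->", url)
    print(len(plan), "targets,", len(plan), "password requests")
```

Only account metadata is held in the plan; the password itself would be requested from the CCP per host at scan time.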