Uncovering Unknowns Through Topology Analysis


Version 1.1.5 of the Rumble platform is live! This release includes a new Switch Topology report, updates to the Network Bridges report, and improvements to how SNMP data is collected during scans. Combined, these updates can shine a light on misconfigured network segmentation and help identify assets that may not have been scanned at all. This post will walk through these updates and highlight how these reports can be used to identify unknown risks.

Rumble Switch Topology Report

The Switch Topology report uses data enumerated via SNMP to map switch ports to assets. In environments where SNMP v2 with public or private communities are in use, this enumeration happens automatically, but non-default communities can also be provided in the scan configuration, with ~~SNMP v3 support planned for the near future~~ SNMP v3 support available. Clicking on a node in this report will highlight its connections, while mousing over the connections will indicate the specific switch interface associated with the connection. This report is available for all organizations with SNMP-enabled switches and covered by a recent scan (Rumble Agent/Scanner v1.1.4 or newer).

This topology view is helpful when trying to understand how a given asset or switch is connected, but also provides a critical data point related to risk; the number of unmapped assets. An unmapped asset is a MAC address connected to a switch, but not found in an ARP cache or through any of the other techniques Rumble uses for remote MAC address discovery. For environments where a Rumble agent is connected to each network segment, unmapped assets may highlight VLANs or network segments that are missing from the scan scope. In environments where Rumble is scanning assets multiple hops away, the unmapped asset count can provide an estimate of how well the remote segment is being identified.

Rumble Switch Topology Report - Unmapped Assets

In the graph above, we can see that Rumble identified five unmapped assets across five different switch ports. These unmapped assets could not be correlated with scan data and should be investigated to determine where they are coming from and why they aren't turning up as part of a normal scan. Ports with unmapped assets are identified as red diamonds on the map, with the total count summarized at the bottom.

Rumble Switch Topology Report - Overview

In more complex environments, the Switch Topology report makes it possible identify subnets missing from the discovery scope. In the graph above, we can see that for two switches, our visibility is almost perfect, but there are two segments with limited visibility, and another with almost none. To improve the discovery process, the IP ranges of those subnets should be identified and rescanned.

This graph also highlights broadcast domain visibility for connected assets. The highlighted asset in the center can see layer-2 broadcast data across four different switches. This may highlight a risk; an attacker running NetBIOS or LLMNR spoofing tools such as Responder or Metasploit could launch attacks against a large number of assets from this node.

Rumble Bridges Report

The Network Bridges report received an overhaul in this update, with changes to weights, layouts, and interactivity. Assets that have been identified as network switches are now shown as orange squares to match the Switch Topology report, multi-homed assets are now shown as gray hexagons, and assets are now weighted based on the number of networks they bridge. In the graph above, we can see four internet-facing subnets (red circles) are bridged into the internal network, along with seven highly interconnected assets (the larger gray hexagons). From a risk perspective, these may be worth investigating, as a breach of one of these assets could provide across to the rest of the environment.

We hope you find these updates useful and we would love your feedback about what we can improve.

Don't have a Rumble account? Sign up for a free trial and let us know what you think!

Written by HD Moore

HD Moore is the co-founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.
More about HD Moore
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Product Release
Introducing the customizable dashboard, Wiz integration, and more!
Introducing the customizable dashboard, Wiz Integration, and other Q2 2024 enhancements to the runZero Platform.
Product Release
How to integrate your SIEM platform with runZero to create an actionable asset inventory
Learn how to combine runZero's real-time asset inventory with SIEM exports for comprehensive asset tracking and historical data analysis..
runZero Insights
Celebrating Women’s History Month with trailblazers & innovators
It’s Women’s History Month! runZero is celebrating all month long by highlighting innovative women who have been technological trailblazers.
Upcoming NYDFS regulatory requirements on asset inventory and vulnerability enumeration
Is your business prepared for the approaching deadlines for complying with the latest version of the NYDFS Cybersecurity Regulation (23 NYCRR 500)?...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved