Performing Endpoint Vulnerability Remediation

When to Use

Use this skill when:

• Remediating vulnerabilities identified by scanners (Nessus, Qualys, Rapid7)
• Responding to zero-day CVE advisories requiring immediate patching
• Maintaining compliance with patch management SLAs (critical within 14 days, high within 30 days)
• Building a prioritized remediation plan from vulnerability scan results

Do not use this skill for vulnerability scanning itself (use scanning tools) or for application-layer vulnerability remediation (use DevSecOps processes).

Prerequisites

• Vulnerability scan results (Nessus, Qualys, or Rapid7 export in CSV/XML format)
• Patch management platform (WSUS, SCCM, Intune, or third-party like Automox)
• Administrative access to target endpoints or deployment infrastructure
• Change management process for production endpoint patching
• Testing environment for patch validation before production rollout

Workflow

Step 1: Import and Prioritize Vulnerability Findings

Priority scoring combines:
1. CVSS Base Score (0-10)
2. EPSS (Exploit Prediction Scoring System) - probability of exploitation
3. CISA KEV (Known Exploited Vulnerabilities) catalog membership
4. Asset criticality (business impact of affected endpoint)
5. Network exposure (internet-facing vs. internal)

Priority Matrix:
  P1 (Critical - 14 days SLA):
    - CVSS >= 9.0 OR
    - Listed in CISA KEV OR
    - Active exploitation in the wild + CVSS >= 7.0

  P2 (High - 30 days SLA):
    - CVSS 7.0-8.9 AND
    - EPSS > 0.5 (50% probability of exploitation)

  P3 (Medium - 60 days SLA):
    - CVSS 4.0-6.9 OR
    - CVSS 7.0-8.9 with EPSS < 0.1

  P4 (Low - 90 days SLA):
    - CVSS < 4.0 AND
    - No known exploit

Step 2: Identify Remediation Actions

For each vulnerability, determine the appropriate remediation:

Remediation Types:
1. Patch: Apply vendor security update (most common)
2. Configuration change: Modify settings to mitigate (registry, GPO)
3. Upgrade: Update to newer software version
4. Workaround: Apply temporary mitigation when patch unavailable
5. Compensating control: Network segmentation, WAF rule, EDR rule
6. Accept risk: Document accepted risk with CISO sign-off

Step 3: Deploy Patches via WSUS/SCCM

# WSUS: Approve patches for deployment
# 1. Open WSUS Console
# 2. Navigate to Updates → Security Updates
# 3. Approve selected KBs for target computer groups

# SCCM: Create Software Update Group
# 1. Software Library → Software Updates → All Software Updates
# 2. Select required KBs → Create Software Update Group
# 3. Deploy to target collection with maintenance window

# Intune: Create Windows Update Ring
# Devices → Windows → Update rings
# Configure: Quality updates deferral = 0 days (for critical)
# Feature updates deferral = per policy

# PowerShell: Force Windows Update check
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -KBArticleID "KB5034441" -Install -AcceptAll -AutoReboot

# Verify patch installation
Get-HotFix -Id "KB5034441"
systeminfo | findstr "KB5034441"

Step 4: Apply Configuration-Based Remediations

# Example: Disable SMBv1 (CVE-2017-0144 - EternalBlue)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Example: Disable Print Spooler on non-print servers (CVE-2021-34527 - PrintNightmare)
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

# Example: Disable LLMNR (credential theft mitigation)
# Via GPO: Computer Configuration → Admin Templates → Network → DNS Client
# Turn off multicast name resolution: Enabled
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
  -Name EnableMulticast -Value 0 -PropertyType DWORD -Force

# Example: Restrict NTLM authentication
# Via GPO: Security Settings → Local Policies → Security Options
# Network security: Restrict NTLM: Audit/Deny

Step 5: Handle Zero-Day Vulnerabilities (No Patch Available)

When vendor patch is not yet available:

1. Check vendor advisory for workarounds
   - Microsoft: https://msrc.microsoft.com/update-guide
   - Adobe: https://helpx.adobe.com/security.html
   - Linux: Distribution security trackers

2. Apply temporary mitigations:
   - Disable vulnerable feature/service
   - Deploy EDR detection rule for exploitation attempt
   - Apply network-level blocking (WAF/firewall rules)
   - Restrict access to vulnerable application

3. Monitor for patch release:
   - Subscribe to vendor security mailing list
   - Monitor CISA KEV additions
   - Set calendar reminder for next Patch Tuesday

4. Document workaround with expiration date

Step 6: Validate Remediation

# Re-scan remediated endpoints to confirm vulnerability closure
# Option 1: Targeted vulnerability scan
nessuscli scan --target 192.168.1.0/24 --plugin-id 12345

# Option 2: PowerShell verification
# Check specific KB is installed
$kb = Get-HotFix -Id "KB5034441" -ErrorAction SilentlyContinue
if ($kb) {
    Write-Host "PASS: KB5034441 installed on $(hostname)" -ForegroundColor Green
} else {
    Write-Host "FAIL: KB5034441 missing on $(hostname)" -ForegroundColor Red
}

# Check service is disabled
$svc = Get-Service -Name Spooler
if ($svc.StartType -eq 'Disabled') {
    Write-Host "PASS: Print Spooler disabled" -ForegroundColor Green
}

# Check registry configuration
$val = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
  -Name SMB1 -ErrorAction SilentlyContinue
if ($val.SMB1 -eq 0) {
    Write-Host "PASS: SMBv1 disabled" -ForegroundColor Green
}

Step 7: Report and Track

Generate remediation status report:

Remediation Metrics:
  - Total vulnerabilities: X
  - Remediated: Y (Z%)
  - Pending (within SLA): A
  - Overdue (past SLA): B
  - Accepted risk: C
  - Mean time to remediate (MTTR): D days
  - SLA compliance rate: E%

Key Concepts

Term	Definition
CVSS	Common Vulnerability Scoring System; 0-10 severity scale for vulnerabilities
EPSS	Exploit Prediction Scoring System; probability (0-1) that a CVE will be exploited in the wild within 30 days
CISA KEV	CISA Known Exploited Vulnerabilities catalog; federal mandate to patch these CVEs within specified timeframes
SLA	Service Level Agreement for remediation timelines based on vulnerability severity
MTTR	Mean Time To Remediate; average days from vulnerability discovery to confirmed fix
Compensating Control	Alternative security measure when direct remediation is not feasible

Tools & Systems

• Nessus/Tenable.io: Vulnerability scanning and remediation tracking
• Qualys VMDR: Vulnerability management, detection, and response platform
• Rapid7 InsightVM: Vulnerability assessment with live dashboards
• WSUS/SCCM/Intune: Microsoft patch deployment infrastructure
• Automox: Cloud-native patch management for Windows, macOS, Linux
• CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Common Pitfalls

• Patching without testing: Apply patches to a test group first. Some patches cause application compatibility issues or BSOD.
• Ignoring EPSS scores: A CVSS 9.8 vulnerability with EPSS 0.01 may be less urgent than a CVSS 7.5 with EPSS 0.95 (actively exploited).
• Not validating remediation: Deploying a patch does not guarantee installation. Always re-scan to confirm closure.
• Excluding critical servers from patching: Servers that "cannot be rebooted" accumulate critical vulnerabilities. Schedule maintenance windows.
• Treating all CVEs equally: Risk-based prioritization (CVSS + EPSS + asset criticality + exposure) is more effective than patching all criticals first.