Full Report
Ever since Ron Gula's Risky Business talk (#142) about their Nessus philosophy, I decided to come out of the closet and share with our readers the work we do in the vulnerability management field. [Ed: If you don't listen to Risky Business then, as we say in South Africa, eish.] Ron explained that with Nessus they aim to give users a tool that can be used for monitoring and auditing, not enforcing. The "sed quis custodiet ipsos custodes" mantra comes to mind. For nine years now we have been building two vulnerability management solutions, HackRack (for hosted, external scanning) and BroadView (for internal scanning), and it was HackRack in particular that claimed the limelight. The runt of the litter has always been BroadView, but alas (luckily?), no more.
Analysis Summary
# Tool/Technique: BroadView
## Overview
BroadView is a vulnerability management solution developed by SensePost, primarily focused on **internal scanning** of network environments. It is positioned as a comprehensive data collector and auditing tool rather than an enforcement mechanism, similar to the philosophy expressed for Nessus.
## Technical Details
- Type: Tool (Vulnerability Management Solution)
- Platform: Internal networks. The article's own examples of scanned targets are Windows hosts (SMS agent presence), OS X hosts (installed-software mining) and HTTP services (WebDAV directory enumeration); the scanner's own host platform is not stated.
- Capabilities: Internal vulnerability scanning, extensive attribute data collection, visualized SQL query results (Blizzards), bandwidth optimization via protocol changes (SOAP to Thrift).
- First Seen: The article is dated March 30, 2010 and describes nine years of development leading up to BroadView v4.
## MITRE ATT&CK Mapping
Because BroadView is an authorised auditing tool, this mapping describes the techniques its scans resemble (and that adversary tooling replicates), not attacker use of BroadView itself. Internal scanning sits most naturally under Discovery; the Reconnaissance entries describe pre-access scanning from outside the perimeter, which is HackRack's role rather than BroadView's.
- **TA0043 - Reconnaissance**
- T1595 - Active Scanning
- T1595.002 - Vulnerability Scanning
- **TA0007 - Discovery**
- T1046 - Network Service Discovery (named Network Service Scanning in older ATT&CK versions)
## Functionality
### Core Capabilities
- **Internal Scanning:** Dedicated solution for assessing vulnerabilities within an internal network perimeter.
- **Data Collection:** Collects a wide range of attributes from probed devices beyond basic inventory, including operating system values, SMS agent presence, and WebDAV directories on HTTP services.
- **Visualization:** Features "Blizzards"—visual SQL queries—that display calculated or averaged results of vulnerability scans and collected attributes to quickly represent the current state of the network environment (e.g., impact of new machine deployments on issue counts).
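As an added illustration, not BroadView's own code (the article shows neither its schema nor its queries), here is a Blizzard-style aggregate query over a constructed SQLite database. It computes, per scan, the issue count, the average severity, the number of hosts affected and how many of the issues arrived on newly deployed machines, which is the "impact of new machine deployments" view the article describes. The schema, the hosts, the findings and the deployment cutoff date are all my assumptions.

```python
"""Added example (not SensePost/BroadView code): a Blizzard-style aggregate
query over a constructed scan-result database. Schema and data are assumed."""
import sqlite3

SCHEMA = """
CREATE TABLE hosts (host_id INTEGER PRIMARY KEY, ip TEXT NOT NULL,
                    first_seen TEXT NOT NULL);
CREATE TABLE scans (scan_id INTEGER PRIMARY KEY, scan_date TEXT NOT NULL);
CREATE TABLE findings (scan_id INTEGER REFERENCES scans(scan_id),
                       host_id INTEGER REFERENCES hosts(host_id),
                       plugin TEXT NOT NULL,
                       severity INTEGER NOT NULL);   -- assumed 1 (low) .. 5 (critical)
"""

# Constructed sample data: two long-standing hosts, then two hosts deployed
# between the scans that bring a backlog of issues with them.
HOSTS = [(1, "10.0.0.11", "2010-03-01"), (2, "10.0.0.12", "2010-03-01"),
         (3, "10.0.0.13", "2010-03-20"), (4, "10.0.0.14", "2010-03-20")]
SCANS = [(1, "2010-03-15"), (2, "2010-03-29")]
FINDINGS = [
    (1, 1, "ssh-weak-ciphers", 2), (1, 1, "smb-signing-off", 3),
    (1, 2, "ssh-weak-ciphers", 2),
    (2, 1, "ssh-weak-ciphers", 2),                       # smb issue fixed on host 1
    (2, 2, "ssh-weak-ciphers", 2),
    (2, 3, "webdav-dir-listing", 3), (2, 3, "os-unsupported", 5), (2, 3, "smb-signing-off", 3),
    (2, 4, "webdav-dir-listing", 3), (2, 4, "os-unsupported", 5),
]

# The "Blizzard": one row per scan, with totals, an average and a split
# between issues on pre-existing hosts and issues on newly deployed hosts.
BLIZZARD_SQL = """
SELECT s.scan_date,
       COUNT(*)                                                AS issues,
       ROUND(AVG(f.severity), 2)                               AS avg_severity,
       SUM(CASE WHEN h.first_seen > :cutoff THEN 1 ELSE 0 END) AS issues_on_new_hosts,
       COUNT(DISTINCT h.host_id)                               AS hosts_with_issues
FROM findings f
JOIN scans s ON s.scan_id = f.scan_id
JOIN hosts h ON h.host_id = f.host_id
GROUP BY s.scan_id
ORDER BY s.scan_date;
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?)", HOSTS)
    conn.executemany("INSERT INTO scans VALUES (?,?)", SCANS)
    conn.executemany("INSERT INTO findings VALUES (?,?,?,?)", FINDINGS)
    return conn


def blizzard(conn: sqlite3.Connection, cutoff: str = "2010-03-15") -> list[dict]:
    """Run the aggregate query; hosts first seen after `cutoff` count as new."""
    cur = conn.execute(BLIZZARD_SQL, {"cutoff": cutoff})
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    for row in blizzard(build_db()):
        print(row)
```

The second row shows the effect the article describes: the issue count more than doubles between scans, and the `issues_on_new_hosts` column attributes that jump to the two new machines rather than to regression on the existing estate.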
### Advanced Features
- **Intensity Scans:** The article mentions running "intensity scans" on virtualised hardware but does not define the term; treat it as the author's label rather than a documented scan mode.
- **Software Mining:** Ability to "mine for installed software" on OS X systems.
- **Protocol Optimization:** Component communication moved from SOAP (XML envelopes over HTTP) to Apache Thrift (a compact binary RPC framing); the article reports a significant reduction in bandwidth use as a result.
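To make the SOAP-to-Thrift bandwidth point concrete, the following added example (my code, not BroadView's or SensePost's) encodes the same scan record as a SOAP envelope and as a Thrift compact-protocol struct and compares the sizes. BroadView's actual message schema is not public, so the field names, field ids and the sample record are assumptions; the compact-protocol rules (zigzag varints, delta-encoded field headers, STOP byte) are the real ones.

```python
"""Added example (not BroadView/SensePost code): the same record as SOAP XML
and as a Thrift compact-protocol struct. Field ids/names and data are assumed."""
from xml.sax.saxutils import escape


def _varint(n: int) -> bytes:
    """Unsigned little-endian base-128 varint, as the Thrift compact protocol uses."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _zigzag(n: int, bits: int) -> int:
    """Map a signed integer to unsigned so small negatives encode short."""
    return (n << 1) ^ (n >> (bits - 1))


class CompactStructWriter:
    """Minimal Thrift compact-protocol struct writer (string, i32, list<string>)."""
    I32, BINARY, LIST = 5, 8, 9

    def __init__(self):
        self.buf = bytearray()
        self.last_fid = 0

    def _header(self, fid: int, ftype: int) -> None:
        delta = fid - self.last_fid
        if 0 < delta <= 15:                      # short form: delta and type share one byte
            self.buf.append((delta << 4) | ftype)
        else:                                    # long form: type byte, then zigzag field id
            self.buf.append(ftype)
            self.buf += _varint(_zigzag(fid, 16))
        self.last_fid = fid

    def i32(self, fid: int, value: int) -> None:
        self._header(fid, self.I32)
        self.buf += _varint(_zigzag(value, 32))

    def string(self, fid: int, value: str) -> None:
        self._header(fid, self.BINARY)
        data = value.encode("utf-8")
        self.buf += _varint(len(data)) + data    # length prefix, no terminator

    def string_list(self, fid: int, items: list) -> None:
        self._header(fid, self.LIST)
        if len(items) < 15:                      # size and element type in one byte
            self.buf.append((len(items) << 4) | self.BINARY)
        else:                                    # escape nibble, then varint size
            self.buf.append(0xF0 | self.BINARY)
            self.buf += _varint(len(items))
        for item in items:
            data = item.encode("utf-8")
            self.buf += _varint(len(data)) + data

    def finish(self) -> bytes:
        return bytes(self.buf) + b"\x00"         # STOP field closes the struct


def thrift_encode(record: dict) -> bytes:
    """Assumed struct layout: 1=ip, 2=os, 3=open_ports, 4=findings."""
    w = CompactStructWriter()
    w.string(1, record["ip"])
    w.string(2, record["os"])
    w.i32(3, record["open_ports"])
    w.string_list(4, record["findings"])
    return w.finish()


def soap_encode(record: dict) -> bytes:
    """Assumed SOAP body for the same record; element names are made up."""
    findings = "".join(f"<finding>{escape(f)}</finding>" for f in record["findings"])
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           '<soap:Body><HostResult>'
           f'<ip>{escape(record["ip"])}</ip><os>{escape(record["os"])}</os>'
           f'<openPorts>{record["open_ports"]}</openPorts>'
           f'<findings>{findings}</findings>'
           '</HostResult></soap:Body></soap:Envelope>')
    return xml.encode("utf-8")


# Constructed sample record, not real scan output.
SAMPLE = {"ip": "10.0.0.13", "os": "Windows Server 2003", "open_ports": 3,
          "findings": ["smb-signing-off", "webdav-dir-listing"]}


def size_report(record: dict = SAMPLE) -> tuple:
    """Return (soap_bytes, thrift_bytes) for the same record."""
    return len(soap_encode(record)), len(thrift_encode(record))


if __name__ == "__main__":
    soap_len, thrift_len = size_report()
    print(f"SOAP: {soap_len} bytes, Thrift compact: {thrift_len} bytes, "
          f"ratio {soap_len / thrift_len:.1f}x")
```

The saving comes from dropping the envelope, namespaces and per-field tag names: each Thrift field costs one header byte plus a length prefix. Two caveats for anyone making the same move: compact Thrift is not self-describing, so both ends must agree on the IDL, and Thrift provides no authentication or confidentiality of its own, so scanner-to-server traffic still needs TLS (or an equivalent) on the transport.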
## Indicators of Compromise
*Note: As this is a defensive/auditing tool, not malware, typical malware IOCs are not applicable.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: None published. The tool's own traffic is recognisable as scanning (many connection attempts from one host to many addresses and ports, plus Thrift RPC between BroadView components), not as compromise.
- Behavioral Indicators: Bursts of connection attempts from the scanning host across internal ranges, followed by authenticated data-collection sessions (SMB, HTTP, SSH logins with the scanning account). Thrift traffic between BroadView components is its normal transport, not command-and-control; the indicator that matters is scanner-like fan-out from a host that is not a designated scanner.
## Associated Threat Actors
This tool is used by **Defenders/Security Testers** conducting vulnerability management and auditing, often associated with SensePost’s work. (Not associated with malicious threat actors, although the techniques it employs can be replicated by adversarial tools.)
## Detection Methods
Detection strategies would focus on identifying network reconnaissance activities characteristic of vulnerability scanners:
- **Signature-based detection:** Signatures for the scanner's probe traffic (plugin-specific requests) and, where the deployment's Thrift ports and framing are known, for its component-to-component RPC. The former also matches other scanners; the latter is specific to BroadView deployments.
- **Behavioral detection:** Monitoring for systematic enumeration or scanning across internal IP ranges, and comparing the source against the list of designated scanning hosts.
- **YARA rules:** Not a natural fit, since the tool leaves no payload on scanned hosts; at most, YARA could identify the scanner's own binaries on a machine where they should not be installed.
## Mitigation Strategies
Mitigation strategies relate to controlling and limiting discovery activity within the network:
- **Prevention measures:** Firewall and Network Access Control (NAC) rules such that only designated scanner hosts can reach every internal segment on every port; any other host gets that breadth of reach only by explicit exception.
- **Hardening recommendations:** Maintain an allow-list of authorised scanner addresses and alert on sweep-like behaviour from any other source. Give scanning credentials least privilege (dedicated accounts with read/audit rights, not domain administrators), because a scanner that can authenticate to most of the estate is itself a high-value target.
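One way to implement both the behavioural check from the detection section (scan-like fan-out across internal ranges) and the allow-list from the hardening note above, as an added Python example that is not BroadView's or any product's code: the log format, the scanner address, the window and the threshold are my assumptions, and the flow records are constructed rather than captured.

```python
"""Added example (not BroadView code): flag hosts that touch many distinct
internal targets in a short window, and treat only designated scanner hosts
as expected. Log format, addresses and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTHORIZED_SCANNERS = {"10.0.250.10"}      # assumed allow-list of scanner hosts
WINDOW = timedelta(seconds=60)             # sliding window length
MIN_DISTINCT_TARGETS = 8                   # distinct (dst, dport) pairs that count as a sweep

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def _synthetic_log() -> list[str]:
    """Constructed flow records: a sanctioned scan, a rogue sweep, normal traffic."""
    base = datetime(2010, 3, 30, 9, 0, 0)
    lines = []
    # 1) the authorised scanner probes 12 hosts on 22 and 445 within one minute
    for i in range(12):
        for port in (22, 445):
            t = base + timedelta(seconds=5 * i)
            lines.append(f"{t.isoformat()} src=10.0.250.10 dst=10.0.0.{10 + i} dport={port} proto=tcp")
    # 2) an unauthorised host sweeps 10 hosts on 445 within 20 seconds
    for i in range(10):
        t = base + timedelta(minutes=5, seconds=2 * i)
        lines.append(f"{t.isoformat()} src=10.0.5.7 dst=10.0.0.{20 + i} dport=445 proto=tcp")
    # 3) an ordinary workstation talks to the same three servers repeatedly
    for i in range(9):
        t = base + timedelta(minutes=10, seconds=7 * i)
        lines.append(f"{t.isoformat()} src=10.0.5.8 dst=10.0.0.{30 + i % 3} dport=445 proto=tcp")
    return lines


def parse(lines):
    """Yield (timestamp, src, (dst, dport)); malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], (m["dst"], int(m["dport"])))


def detect_sweeps(lines) -> list[dict]:
    """Per source, count distinct targets in a sliding WINDOW; alert once per source."""
    events = sorted(parse(lines))
    windows = defaultdict(deque)           # src -> deque of (ts, target) inside WINDOW
    alerts = {}
    for ts, src, target in events:
        q = windows[src]
        q.append((ts, target))
        while ts - q[0][0] > WINDOW:       # drop events older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= MIN_DISTINCT_TARGETS and src not in alerts:
            authorized = src in AUTHORIZED_SCANNERS
            alerts[src] = {"src": src, "first_seen": ts.isoformat(),
                           "distinct_targets": distinct, "authorized": authorized,
                           # sanctioned scanning is logged, unsanctioned is escalated
                           "severity": "info" if authorized else "high"}
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in detect_sweeps(_synthetic_log()):
        print(alert)
```

The allow-list does the real work here: the designated scanner trips the same threshold as the rogue host, which is exactly why "scanning detected" alone is not actionable. Keeping an "info" record for sanctioned scans rather than suppressing them also lets you notice when the scanner runs outside its maintenance window, or when a scan appears to originate from an address that merely claims to be the scanner.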
## Related Tools/Techniques
- **Nessus:** Mentioned explicitly as an object of comparison regarding scanning philosophy.
- **HackRack:** SensePost's other major solution, focused on hosted, external scanning.
- **Vulnerability Scanners (General):** Tools like Qualys, OpenVAS, or other internal assessment platforms that perform similar proactive discovery and auditing functions.