Mastering Nessus: A Step-by-Step Guide
Blue Team
Jul 02, 2025 | 15 min read

Shubham Singla

Vulnerability scanning is the bread and butter of Blue Teaming. But running a scan is easy; interpreting the results is hard. This guide covers how to set up Tenable Nessus, run credentialed scans, and filter out the noise.

Executive Summary

Nessus is the industry standard for vulnerability assessment. It works by probing a target system's ports and services to identify outdated software, missing patches, and misconfigurations.

However, a "default" scan is often useless. It generates thousands of "Info" level alerts and misses the deep vulnerabilities that only a logged-in user can see. Real value comes from Credentialed Scanning.

Credentialed vs Non-Credentialed

Imagine a house inspector.

  • Non-Credentialed Scan: The inspector walks around the outside of the house. They can see a broken window or an open door, but they can't judge the wiring inside the walls.
  • Credentialed Scan: You give the inspector the keys. They go inside, check the fuse box, and look under the sink.

To run a credentialed scan, you must provide Nessus with an SSH key (Linux) or SMB credentials (Windows). This allows it to run local commands like rpm -qa to list installed packages.

Setting Up Your First Scan

  1. Discovery: First, run a "Host Discovery" scan to find what is alive on the network (Ping sweep).
  2. Policy Creation: Clone the "Advanced Scan" template. Vital settings:
    • Assess -> General: Enable "Show missing patches that have been superseded" (cleans up report).
    • Discovery -> Port Scanning: Scan all 65535 ports if time permits.
  3. Launch: Run the scan during a maintenance window (scans can crash fragile legacy services).

(Figure: Scanning Infrastructure)

Technical Deep Dive: The Attack Anatomy

Understanding the specific mechanics of an attack is crucial for engineers. Most advanced threats follow the Cyber Kill Chain model:

RECONNAISSANCE: The attacker gathers information on the target. This can be passive (OSINT) or active (port scanning).

WEAPONIZATION: Creating a deliverable payload (e.g., a malicious PDF or Office macro).

DELIVERY: Transmitting the weapon to the target (e.g., via Phishing or USB).

EXPLOITATION: Triggering the payload to exploit a vulnerability (e.g., CVE-2023-xyz).

INSTALLATION: Establishing a backdoor or persistence mechanism (e.g., a scheduled task or registry key).

COMMAND & CONTROL (C2): The compromised system calls home to the attacker server for instructions.

ACTIONS ON OBJECTIVES: The attacker achieves their goal (encryption, extensive data exfiltration, destruction).

CVSS Scoring Explained

Nessus uses the Common Vulnerability Scoring System (CVSS) to rate severity from 0.0 to 10.0.

CVSS = Base + Temporal + Environmental

Nessus gives you the Base score. But you must mentally calculate the Environmental score:

  • Is this server internet-facing? (If yes, score goes UP).
  • Is there a working exploit available? (If yes, score goes UP).
  • Is the asset critical? (If yes, score goes UP).
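The three "score goes UP" checks above, applied to a scanner export, as an added example that is not part of the original post: it parses a constructed .nessus (XML v2) export, reads each finding's base score and exploit_available flag, and re-ranks findings by an environment-adjusted priority. The adjustment weights and the asset inventory (which hosts are internet-facing or critical) are assumptions of this example.

```python
# Added example, not from the original post. Assumed: adjustment weights,
# the asset inventory, and the constructed .nessus (XML v2) sample below.
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="demo">
 <ReportHost name="10.0.0.5">
  <ReportItem pluginID="100001" pluginName="OpenSSH Multiple Vulnerabilities" port="22" severity="2">
   <cvss3_base_score>5.9</cvss3_base_score><exploit_available>false</exploit_available>
  </ReportItem>
 </ReportHost>
 <ReportHost name="203.0.113.10">
  <ReportItem pluginID="100002" pluginName="Apache Tomcat RCE" port="8080" severity="3">
   <cvss3_base_score>7.5</cvss3_base_score><exploit_available>true</exploit_available>
  </ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

# Assumed asset inventory (normally from a CMDB): exposure and criticality.
INTERNET_FACING = {"203.0.113.10"}
CRITICAL_ASSETS = {"10.0.0.5"}

def environmental_priority(base, internet_facing, exploit_available, critical):
    """Apply the three 'score goes UP' rules from the text; cap at 10.0."""
    score = base
    score += 1.5 if internet_facing else 0.0   # exposure weight (assumed)
    score += 1.0 if exploit_available else 0.0  # exploit weight (assumed)
    score += 1.0 if critical else 0.0           # criticality weight (assumed)
    return round(min(score, 10.0), 1)

def rank_findings(nessus_xml, internet_facing, critical_assets):
    """Parse each ReportItem and sort by adjusted priority, highest first."""
    findings = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        name = host.get("name")
        for item in host.iter("ReportItem"):
            # Prefer the CVSSv3 base score; fall back to CVSSv2 if absent.
            base = float(item.findtext("cvss3_base_score") or item.findtext("cvss_base_score") or 0)
            exploit = (item.findtext("exploit_available") or "false").lower() == "true"
            prio = environmental_priority(base, name in internet_facing, exploit, name in critical_assets)
            findings.append({"host": name, "plugin": item.get("pluginName"), "base": base, "priority": prio})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_NESSUS, INTERNET_FACING, CRITICAL_ASSETS):
        print(f"{f['priority']:>4}  (base {f['base']})  {f['host']:<14} {f['plugin']}")
```

Note how the internet-facing Tomcat host with a public exploit outranks the critical internal host even though the scanner's own severity ordering would put them close together.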

Regulatory and Compliance Context

In the aftermath of a security incident, organizations must navigate a complex web of regulatory obligations. Failure to comply can result in severe fines and reputational damage.

GDPR (General Data Protection Regulation)

For organizations operating in or serving citizens of the EU, GDPR mandates strict breach notification timelines (usually within 72 hours). Article 32 requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

NIST Cybersecurity Framework

The NIST framework provides a standard for critical infrastructure. It is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. An incident of this kind highlights failures primarily in the 'Protect' and 'Detect' functions.

Local Legislation (Privacy Act 1988 - Australia)

Under the Notifiable Data Breaches (NDB) scheme, organizations must notify the OAIC and affected individuals if a data breach is likely to result in serious harm. This includes unauthorized access to personal information.

False Positives

The bane of a scanner's existence. Nessus might report "Apache Version Outdated" because it reads the banner. However, on Red Hat systems, patches are often "backported" without changing the version number. You must verify these manually before yelling at the SysAdmin.
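One way to do that manual verification on a Red Hat style host, as an added example that is not part of the original post: it pulls the CVE IDs from the plugin's output and looks for them in the output of rpm -q --changelog for the package, which is where backported fixes are recorded. The plugin text, the changelog, and the CVE IDs and bug numbers in them are constructed placeholders, not real advisories.

```python
# Added example, not from the original post. Both inputs are constructed
# samples; CVE IDs (CVE-2099-*) and bug numbers are placeholders.
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed plugin output in the style of a banner-based version check.
PLUGIN_OUTPUT = """Apache 2.4.37 is installed. Versions prior to 2.4.38 are affected by:
  - CVE-2099-0001 (request smuggling)
  - CVE-2099-0002 (mod_session NULL dereference)
  - CVE-2099-0003 (mod_http2 denial of service)"""

# Constructed output of: rpm -q --changelog httpd | head
RPM_CHANGELOG = """* Tue Mar 05 2024 Maintainer <maint@example.com> - 2.4.37-62
- Resolves: #12345 - CVE-2099-0001 httpd: request smuggling
- Resolves: #12346 - CVE-2099-0002 httpd: NULL pointer dereference in mod_session
* Mon Jan 15 2024 Maintainer <maint@example.com> - 2.4.37-60
- Rebase onto upstream 2.4.37 security fixes"""

def triage_backport(plugin_output, rpm_changelog):
    """Return (fixed, unfixed): CVEs cited by the plugin that are, or are not,
    mentioned in the installed package's changelog."""
    cited = set(CVE_RE.findall(plugin_output))
    in_changelog = set(CVE_RE.findall(rpm_changelog))
    return cited & in_changelog, cited - in_changelog

def verdict(plugin_output, rpm_changelog):
    """'false_positive' if every cited CVE is backported, 'true_positive' if
    none is, 'partial' if some fixes are still missing, 'unknown' if the
    plugin cites no CVE at all (nothing to check against the changelog)."""
    fixed, unfixed = triage_backport(plugin_output, rpm_changelog)
    if not fixed and not unfixed:
        return "unknown"
    if not unfixed:
        return "false_positive"
    if not fixed:
        return "true_positive"
    return "partial"

if __name__ == "__main__":
    fixed, unfixed = triage_backport(PLUGIN_OUTPUT, RPM_CHANGELOG)
    print("backported:   ", sorted(fixed))
    print("still missing:", sorted(unfixed))
    print("verdict:      ", verdict(PLUGIN_OUTPUT, RPM_CHANGELOG))
```

A "partial" verdict is the case worth escalating: the banner-based finding is not a false positive, but the ticket should name only the CVEs still missing from the changelog.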

Standard Incident Response Procedures

A robust Incident Response Plan (IRP) is the best defense against chaos. The SANS Institute outlines a six-step process:

  1. Preparation: Training, tooling, and dry runs (tabletop exercises).
  2. Identification: Detecting the deviation from normal behavior and determining the scope.
  3. Containment: Short-term mitigation (isolating the system) and long-term containment (patching).
  4. Eradication: Removing the root cause (malware, compromised accounts).
  5. Recovery: Restoring systems to normal operation and monitoring for recurrence.
  6. Lessons Learned: Post-incident analysis to improve future response.

Conclusion

Nessus is a compass, not a map. It points you in the direction of the problem, but you still have to hike there and fix it.

Comprehensive Mitigation Strategies

To prevent recurrence, a defense-in-depth approach is required. This involves layering security controls so that if one fails, another catches the threat.

  • Network Segmentation: Isolate critical assets in separate VLANs with strict firewall rules (East-West traffic inspection).
  • Endpoint Detection and Response (EDR): Deploy agents that can detect behavioral anomalies, not just file signatures.
  • Identity and Access Management (IAM): Enforce Least Privilege and MFA everywhere. Review access logs regularly.
  • Regular Audits: Conduct penetration testing and vulnerability scanning (using tools like Nessus or Burp Suite) at least quarterly.