DeepSurface: Model

The Explore area of the application is for discovering and understanding your network as DeepSurface sees it. The Explore > Model section lets you mix, match, and visualize all of the data that DeepSurface has gathered for you. You can see a large portion of your network from a bird's eye view, and also dive down to the smallest detail of just one vulnerability instance.

Explore Model - empty graph

The heart of the Model explorer is the Graph Visualizer. This powerful interface allows you to see all of the connections and pathways that DeepSurface has mapped out. However, when you first visit the page, the graph is empty. To remedy this, you can start adding different elements by selecting them in the graph menu section of the interface. You have several options on what to add to the graph visualizer:

You can toggle between the different element types with the selector at the top of the menu and DeepSurface will automatically show you the top 100 elements of that type, sorted by greatest overall percentage of your risk score. You can further narrow down this list by adding keywords to filter by. Once you have added a few elements, your graph will begin to fill out and possibly look something like this:

Explore Model - full graph

Understanding the model

Now that your visualizer has some elements selected, you can see the list of selected elements in the lower section of the graph menu. At any time, you can remove a selected element by clicking on its remove button. For some of the selected elements, mousing over them will highlight that particular element in the graph visualizer. This is not possible for all types of added elements (patches and vulnerabilities do not have an associated element to highlight), but it is useful for quickly identifying a scope, node, path, or segment.

Explore Model - hover 1 Explore Model - hover 2

Once you have all of the items selected, it might be helpful to collapse the graph menu so that it does not take up any space on the screen. To do this, simply click "collapse" and the menu will appear as a tab in the top left of the screen.

Explore Model - collapsed

Now let's focus on the graph visual itself. The graph consists of 3 main elements: Scopes, Segments, and Nodes.

Scopes are represented as boxes in the visualizer. A scope will always contain at least one node and may also be a host but does not necessarily have to be one.

Nodes are represented with a label and an icon. There are several types of node possibilities. A node of the graph could represent a user, a group, a shared folder, or a database, as possible examples. A node will usually have a line connecting it to another node in the graph. This line is the third main element in the visualizer, a segment.

Segments are represented as lines connecting different nodes. A segment can only exist if there is an exploitable vulnerability or implicit access between nodes. The risk level of a segment is represented by the color, dark red being the highest risk, down to a neutral light grey, signifying implicit access.

Clicking on a segment will give you more information about what vulnerabilities are being exploited to achieve the connection between the nodes on your network. There are often several vulnerabilities present on a given segment and DeepSurface will let you dive into any or all of them as deeply as you like.

Explore Model - Selected Segment

When a segment is selected, it will be highlighted in the graph, as well as the two nodes that it connects to. Once selected, a new modal will appear on the right of the screen showing an overview of the information DeepSurface has about that segment. The most prominent piece of information provided is a list of all the vulnerabilities present on this segment. Clicking into any of these vulnerabilities will provide you with all of the information that DeepSurface has gathered from our feeds and your particular vulnerability scanner. If you would like to investigate this vulnerability further, click the "Learn More" link and you will be taken to the detail page for this vulnerability where you can see all of the details, affected hosts, available patches, CVSS breakdown, and exploit status, as well as all of the other information DeepSurface has for this vulnerability.

Explore Model - Selected Vulnerability

When a node is selected, DeepSurface will provide you with all of the information that we have gathered on the node. This may include its name, any vulnerable or potentially risky permissions and/or behavior (in the case of a user), and any alerts present.

Explore Model - Add Segment 1 Explore Model - Add Segment 2

Similarly, when selecting a scope in the graph, an informative modal will appear that gives you an overview of the given scope. If the scope also happens to be a host, a link to the detail page for that host will be present and you can click that in order to see everything DeepSurface knows about that host.

Explore Model - Selected Node

Similar to the graph menu, you might find it helpful to collapse the element information modal down to a tab as well. Just like in the graph menu, click the collapse button at the top of any of these information modals and the modal will instead appear as a tab in the top right of the screen, ready to open again whenever you wish to understand more about a given element.

Explore Model - Selected Node

Dynamic path finding

One useful visual tool is the ability to dynamically find paths between 2 nodes in the visualizer. To do this, choose the "Find paths from here" option, either by right-clicking on a node or by selecting it, and you will be prompted to select the second node you would like to find paths to. Once selected, DeepSurface will calculate the available segments and return a list that will appear in the information modal above the options. Hovering over any of the paths will highlight that path in the graph for you to see.

Explore Model - Selected Node
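The scope, node and segment model and the "Find paths from here" lookup described above, sketched as an added Python example. It is not DeepSurface code and does not reflect how the product computes paths; the class names, node labels and `VULN-*` placeholders are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    vulns: tuple = ()        # vulnerability names carried by this segment
    implicit: bool = False   # implicit access needs no vulnerability
    def __post_init__(self):
        # Rule from the page: no segment without a vulnerability or implicit access.
        if not self.vulns and not self.implicit:
            raise ValueError(f"{self.src} -> {self.dst}: add a vulnerability first")

class Model:
    def __init__(self):
        self.scope_of = {}   # node -> enclosing scope (box in the visualizer)
        self.out = {}        # node -> outgoing segments

    def add_node(self, node, scope):
        self.scope_of[node] = scope
        self.out.setdefault(node, [])

    def add_segment(self, seg):
        if seg.src not in self.out or seg.dst not in self.out:
            raise KeyError("both ends of a segment must be existing nodes")
        self.out[seg.src].append(seg)

    def find_paths(self, start, goal, max_len=6):
        """Every loop-free path (list of Segment) from start to goal, shortest first."""
        paths, stack = [], [(start, [], {start})]
        while stack:
            node, path, seen = stack.pop()
            if node == goal and path:
                paths.append(path)
            elif len(path) < max_len:
                for seg in self.out[node]:
                    if seg.dst not in seen:
                        stack.append((seg.dst, path + [seg], seen | {seg.dst}))
        return sorted(paths, key=len)

def build_sample():  # constructed sample: four nodes in three scopes
    m = Model()
    for node, scope in [("user:alice", "WS01"), ("svc:backup", "WS01"),
                        ("share:finance", "FS01"), ("db:payroll", "DB01")]:
        m.add_node(node, scope)
    m.add_segment(Segment("user:alice", "svc:backup", vulns=("VULN-A",)))
    m.add_segment(Segment("svc:backup", "share:finance", implicit=True))
    m.add_segment(Segment("share:finance", "db:payroll", vulns=("VULN-B",)))
    m.add_segment(Segment("user:alice", "db:payroll", vulns=("VULN-C",)))
    return m
```

In the sample, `find_paths("user:alice", "db:payroll")` returns a direct one-segment path and a three-segment path through the implicit-access segment, which shows why remediating a single vulnerability does not necessarily remove every path to a sensitive node.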

Editing the model

Not only is the Explore interface a good way to research and understand your model, it also includes a powerful editing interface. Any of the main elements discussed above can be edited or even added to the model. You may have noticed that when clicking on any of the segments, nodes, or scopes, there was also an options menu at the bottom of the information modal. The same options can also be accessed by right-clicking on any element of the visualizer. To illustrate the power of editing, we can choose the "Add Segment" option when right-clicking on a node.

Explore Model - Selected Node

Here you can see that you are immediately asked to either choose an existing vulnerability to add to this segment, or create a new custom vulnerability that is not yet in DeepSurface. You must choose one or the other because, as stated above, a segment cannot exist without a vulnerability that is being exploited. If you decide to add an existing vulnerability, you will be taken to another screen that will let you modify this particular instance so that it best suits the situation you are trying to create in the model. The form is divided into 2 sections. The upper section contains the vulnerability details themselves, so if you want to edit any of that information, a warning will let you know that doing so will edit the details for EVERY instance of that vulnerability in the DeepSurface system. The lower section pertains to this specific instance of the vulnerability, so edits there will not apply to any other instance.

Explore Model - Edit Vulnerability 1 Explore Model - Edit Vulnerability 2

You can always go back and add or create as many vulnerabilities as you would like for this segment, noting that each newly added or created vulnerability will be added to the left-hand column. Clicking on any of the vulnerabilities in this column will bring up its form and allow you to make as many changes as you would like. Once you are satisfied with the vulnerabilities on this segment, click "Save all changes" and the alert will tell you what impact your changes will have on the model. If you agree to these changes, the form will save and you will now notice that the newly created segment has been added to the visualizer and now appears with the other selected elements in the lower left corner of the interface.

Adding or editing scopes and nodes is a much simpler affair. Right-clicking on either of these elements in the visualizer will give you a simple form for changing the name, impact, parent scope, etc. And just like when creating a new segment, the visualizer will refresh to include the newly added or edited elements.

Explore Model - Edit Vulnerability 1 Explore Model - Edit Vulnerability 2