Effective vulnerability management starts with understanding what matters most. That means assessing every asset based on its criticality and value to your organization's infrastructure. In this article, I will cover:
- Why assessing asset criticality is essential.
- What criteria to use when evaluating asset criticality.
- Which tools and approaches can support this process.

Why Asset Assessment Matters

In addition to the vulnerability rating, the criticality of the asset where the vulnerability is found is a key factor in prioritizing remediation. The same vulnerability may carry different levels of risk depending on the context, including the asset's function, the sensitivity of the data it processes, and its exposure to potential attackers. This makes asset criticality assessment a crucial step in effective vulnerability management.

CVSS Vulnerability Rating plus Threat Intelligence

Combining threat intelligence with the CVSS vulnerability rating produces a more accurate, risk-based prioritization of vulnerability remediation. It enhances vulnerability management by making it possible to identify and prioritize trending vulnerabilities: high-risk security flaws that are currently gaining attention because they are being actively exploited or have widespread impact.

Tactical Evaluation of Asset Criticality

However, this is not enough to prevent targeted and sophisticated attacks. In my opinion, asset criticality should also be assessed tactically. By "tactically" I mean assessing from the attacker's perspective and focusing first on what matters most. Ask yourself: how would an attacker engage (HWAE)? It is also a good idea to review the history of previous penetration tests conducted across the infrastructure and highlight their remediation recommendations for specific assets. Such a strategy, combined with CVSS metrics and threat intelligence, leads to predictive prioritization.
The Infrastructure Attackers Love: Key Asset Types to Watch

Below I outline the asset types that are important from a tactical perspective. Identifying and tracking these assets in the vulnerability management platform will help prioritize and streamline remediation efforts.

Internet-Facing Servers and Services

These assets are constantly exposed to external threats and are typically the first targets in attack chains. Mapping them should be a top priority. You can discover Internet-facing assets using tools like nmap, whatweb, asnmap and httpx, and platforms such as Shodan and Censys.

Wireless Local Area Network (Wi-Fi) Assets

To identify and assess wireless networks from an attacker's perspective, tools like Kismet and Airodump-ng can be used.

IT Personnel Endpoints

These endpoints can be identified by analyzing Active Directory group memberships and computer configurations. For example, the presence of administration tools such as the PuTTY SSH client often indicates that an endpoint is used by IT staff.
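The following script is an added example, not code from the original article: it combines the two signals described above (privileged group membership and installed administration tooling) to produce a list of endpoints that are probably used by IT staff. It assumes the RSAT ActiveDirectory module, WinRM access to the workstations, and an account that can read AD and the remote Uninstall registry keys; the group names and tool name patterns are assumptions you should adapt to your environment.

```powershell
# Added example (not from the original article): flag endpoints likely used by IT personnel.
# Assumptions: ActiveDirectory module available, WinRM enabled on targets, and the running
# account can read AD group membership and remote registry. Group/tool names are assumptions.
Import-Module ActiveDirectory

# Step 1: users in privileged groups are treated as IT personnel (nested membership included).
$adminGroups = @('Domain Admins', 'Server Operators', 'Account Operators', 'Administrators')
$itUsers = foreach ($g in $adminGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
$itUsers = $itUsers | Sort-Object -Unique

# Step 2: enabled workstations (servers are handled in their own asset categories).
$workstations = Get-ADComputer -Filter { OperatingSystem -notlike '*Server*' -and Enabled -eq $true } `
                               -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

# Step 3: on each workstation, look for admin tooling in the Uninstall keys and note who is logged on.
$toolPatterns = @('PuTTY', 'WinSCP', 'Wireshark', 'Remote Server Administration Tools')
$results = Invoke-Command -ComputerName $workstations -ErrorAction SilentlyContinue -ScriptBlock {
    param($patterns)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue
    $found = foreach ($p in $patterns) { $installed | Where-Object { $_ -like "*$p*" } }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        AdminTools = ($found | Sort-Object -Unique) -join ';'
        LoggedOn   = (Get-CimInstance Win32_ComputerSystem).UserName   # DOMAIN\user or $null
    }
} -ArgumentList (,$toolPatterns)

# Step 4: an endpoint is an "IT personnel endpoint" if it carries admin tooling
# or a privileged user is currently logged on. Export the list for the VM platform.
$results | ForEach-Object {
    $user = ($_.LoggedOn -split '\\')[-1]
    $isIt = ($_.AdminTools -ne '') -or ($user -and ($itUsers -contains $user))
    $_ | Add-Member -NotePropertyName IsITEndpoint -NotePropertyValue $isIt -PassThru
} | Where-Object IsITEndpoint |
    Select-Object Computer, AdminTools, LoggedOn |
    Export-Csv -Path .\it-endpoints.csv -NoTypeInformation
```

The resulting CSV can be imported into the vulnerability management platform as an asset tag; the logged-on-user check is a point-in-time signal, so rerun it periodically rather than treating one pass as authoritative.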
Email Servers

In the Exchange Management Shell, list the Exchange servers in the organization:
Get-ExchangeServer | Format-List

To discover machines offering email services on your network, scan the common mail ports with Nmap:
nmap -Pn -p 143,993,110,995,25,587 -sV --open 192.10.10.0/24

DNS Servers

Use nslookup to resolve the name servers for a domain:
nslookup -q=ns example.com

Discover hosts listening on TCP port 53:
nmap -Pn -sT -p 53 -sV --open 192.10.10.0/24

Discover hosts listening on UDP port 53 (with verbose output):
nmap -Pn -sU -p 53 -vv -sV --open 192.10.10.0/24

Domain Controllers (DC)

In PowerShell (ActiveDirectory module), retrieve the hostnames of all DCs in the current Active Directory domain:
Get-ADDomainController -Filter * | Select-Object Hostname

Discover hosts offering Kerberos, LDAP/LDAPS and Global Catalog services:
nmap -Pn -p 88,389,636,3268,3269 -sV --open 192.10.10.0/24

DHCP Servers

In PowerShell (DhcpServer module), retrieve all DHCP servers authorized in Active Directory:
Get-DhcpServerInDC

Use Nmap to discover hosts offering DHCP services on UDP port 67:
nmap -Pn -sU -vv -p 67 -sV --open 192.10.10.0/24

Active Directory Certificate Services (AD CS) Servers

Retrieve the names, statuses, and configurations of the Certificate Authorities with certutil:
certutil
certutil -CA
certutil -ADCA

System Center Configuration Manager (SCCM) Servers

Query the SCCM client WMI class on an endpoint to check whether the agent is installed:
Get-WmiObject -Namespace "root\ccm" -Class SMS_Client

Use the sccmhunter script to discover SCCM infrastructure in your domain (a low-privileged domain account is sufficient; the username, password, domain and DC address below are placeholders):
python3 sccmhunter.py find -u 'lowpriv' -p 'P@ssw0rd' -d internal.lab -dc-ip 192.10.100.100

Windows Server Update Services (WSUS) Servers

On a managed client, query the WSUS server configured through policy in the registry:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v wuserver

Example output (server name and port are placeholders):
wuserver REG_SZ https://xx.example.com:xxxx

On a WSUS server, the UpdateServices module returns the local server object:
Get-WsusServer

Search the reports of all Group Policy Objects for WSUS settings:
Get-GPOReport -All -ReportType Xml | Select-String -Pattern 'WSUS'

Extract the WSUS URLs configured in Group Policy Objects:
Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml } | Select-String -Pattern 'http[s]?://[^"]*/(WSUS)'

AD Objects with Kerberos Delegation

List all member computer accounts with unconstrained delegation enabled (primary group 515 is Domain Computers, so domain controllers, which have unconstrained delegation by design, are excluded):
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description

Use impacket's findDelegation to discover all delegation-enabled objects (unconstrained, constrained and resource-based) in the domain (the impacket flag is -dc-ip with a single dash):
impacket-findDelegation example.com/username -dc-ip 192.168.1.1

Windows Servers with the Print Spooler Service

The Print Spooler exposes MS-RPRN (Microsoft Print System Remote Protocol). Through it, a host can be tricked into authenticating to another host over the network, and that authentication can be used for NTLM relay attacks or hash capture. Servers running the Spooler, and domain controllers in particular, therefore deserve a high criticality.
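The article gives no discovery command for this asset type, so here is an added example (not code from the original article) that enumerates domain-joined Windows servers, checks the Spooler service on each one, and ranks a running Spooler on a domain controller as the most critical case. It assumes the ActiveDirectory module and WinRM access to the servers; the priority labels are an assumption for illustration.

```powershell
# Added example (not from the original article): find servers with the Print Spooler running.
# Assumptions: ActiveDirectory module available, WinRM enabled on the servers, and the
# running account may query services remotely. Priority labels are illustrative.
Import-Module ActiveDirectory

# Enabled Windows servers with their primary group (516 = Domain Controllers, 515 = Domain Computers).
$servers = Get-ADComputer -Filter { OperatingSystem -like '*Server*' -and Enabled -eq $true } `
                          -Properties OperatingSystem, PrimaryGroupID |
    Select-Object Name, OperatingSystem, PrimaryGroupID

# Query the Spooler service state on every server in parallel.
$spooler = Invoke-Command -ComputerName $servers.Name -ErrorAction SilentlyContinue -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        StartType = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
    }
}

# Join the service state with the AD data and assign a tactical priority:
# running Spooler on a DC -> Critical, running elsewhere -> High, stopped/absent -> Info.
$report = foreach ($s in $spooler) {
    $ad = $servers | Where-Object Name -eq $s.Computer
    $isDc = ($ad.PrimaryGroupID -eq 516)
    [pscustomobject]@{
        Computer  = $s.Computer
        OS        = $ad.OperatingSystem
        IsDC      = $isDc
        Spooler   = $s.Status
        StartType = $s.StartType
        Priority  = if ($s.Status -eq 'Running' -and $isDc) { 'Critical' }
                    elseif ($s.Status -eq 'Running')        { 'High' }
                    else                                     { 'Info' }
    }
}

$report | Sort-Object Priority, Computer | Format-Table -AutoSize
$report | Export-Csv -Path .\spooler-servers.csv -NoTypeInformation

# Remediation check for hosts that do not need to print (run on each flagged host):
#   Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled
```

Servers that Invoke-Command could not reach are silently skipped, so compare the report's row count with the number of servers in AD and treat the difference as unassessed assets rather than as clean ones.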
Next Actions & Vulnerability Remediation Prioritization

After mapping the priority assets, I usually mark them as highly critical. In some vulnerability management platforms this is easily done, and the asset's criticality is then factored into the automatically calculated risk score. Keep track of attack history as well: check whether the asset has been targeted or involved in past incidents or security breaches.

What if a vulnerability is impossible to remediate? Then consider compensating controls: any technical or organizational measure that mitigates exploitation of the vulnerability.

Tactical assessment and automated prioritization allow the team to focus on the truly critical assets, where risk is highest and response time is crucial.
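To make the prioritization described on this page concrete, here is an added example (not code from the original article) that scores findings by combining the CVSS base score, the threat-intelligence trending flag, the tactical asset tags from the sections above, attack history, and credit for a compensating control. The weights and band thresholds are assumptions for illustration, not a published formula, and the findings are constructed sample data with placeholder vulnerability IDs.

```powershell
# Added example (not from the original article): predictive prioritization score.
# Weights and thresholds are assumptions; findings below are constructed sample data.

function Get-RemediationScore {
    param(
        [Parameter(Mandatory)] [double] $Cvss,   # CVSS base score, 0.0 - 10.0
        [bool] $Trending            = $false,    # actively exploited / trending per threat intelligence
        [bool] $InternetFacing      = $false,    # reachable from the Internet
        [bool] $TacticalAsset       = $false,    # DC, AD CS, SCCM, WSUS, delegation host, Spooler server, IT endpoint ...
        [bool] $PastIncident        = $false,    # asset appeared in a past incident or pentest finding
        [bool] $CompensatingControl = $false     # mitigation in place where patching is impossible
    )
    $score = $Cvss
    if ($Trending)            { $score += 3 }
    if ($InternetFacing)      { $score += 2 }
    if ($TacticalAsset)       { $score += 2 }
    if ($PastIncident)        { $score += 1 }
    if ($CompensatingControl) { $score -= 2 }   # lowers urgency but never closes the finding
    return [math]::Max(0, $score)
}

function Get-PriorityBand {
    param([Parameter(Mandatory)] [double] $Score)
    if     ($Score -ge 12) { 'Critical' }
    elseif ($Score -ge 9)  { 'High' }
    elseif ($Score -ge 6)  { 'Medium' }
    else                   { 'Low' }
}

# Constructed sample findings: the same vulnerability (VULN-0001, CVSS 7.5) on three different assets.
$findings = @(
    [pscustomobject]@{ Asset='dc01';    VulnId='VULN-0001'; Cvss=7.5; Trending=$true;  InternetFacing=$false; TacticalAsset=$true;  PastIncident=$false; CompensatingControl=$false }
    [pscustomobject]@{ Asset='web01';   VulnId='VULN-0001'; Cvss=7.5; Trending=$true;  InternetFacing=$true;  TacticalAsset=$false; PastIncident=$true;  CompensatingControl=$false }
    [pscustomobject]@{ Asset='kiosk07'; VulnId='VULN-0001'; Cvss=7.5; Trending=$true;  InternetFacing=$false; TacticalAsset=$false; PastIncident=$false; CompensatingControl=$true  }
    [pscustomobject]@{ Asset='sccm01';  VulnId='VULN-0002'; Cvss=9.8; Trending=$false; InternetFacing=$false; TacticalAsset=$true;  PastIncident=$false; CompensatingControl=$false }
)

# Score every finding, attach the band, and emit the remediation queue in descending order.
$findings | ForEach-Object {
    $s = Get-RemediationScore -Cvss $_.Cvss -Trending $_.Trending -InternetFacing $_.InternetFacing `
                              -TacticalAsset $_.TacticalAsset -PastIncident $_.PastIncident `
                              -CompensatingControl $_.CompensatingControl
    $_ | Add-Member -NotePropertyName Score -NotePropertyValue $s -PassThru |
         Add-Member -NotePropertyName Band  -NotePropertyValue (Get-PriorityBand $s) -PassThru
} | Sort-Object Score -Descending |
    Format-Table Asset, VulnId, Cvss, Trending, InternetFacing, TacticalAsset, PastIncident, CompensatingControl, Score, Band -AutoSize
```

With these sample inputs the identical finding lands in three different bands: web01 (13.5, Critical) and dc01 (12.5, Critical) outrank sccm01's higher-CVSS but non-trending finding (11.8, High), while kiosk07 with a compensating control drops to 8.5 (Medium). That ordering is the point of the tactical approach: the asset context, not the CVSS number alone, decides what is fixed first.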