Google describes Tsunami as an extensible network scanner built to detect high-severity vulnerabilities with as few false positives as possible.
Google has open-sourced a security scanner aimed at large enterprise networks, meaning networks with thousands or even millions of Internet-connected systems.
Tsunami is not an officially branded Google product; it is run by the open-source community, much as Google did with Kubernetes (another internal Google tool it later made available to the public).
How Tsunami works
There are hundreds of other commercial and open-source vulnerability scanners already on the market, but what sets Tsunami apart is that Google built it for mammoth companies like itself.
That means companies operating hundreds of servers, workstations, networking devices, and networks with IoT devices connected to the Internet.
Google says Tsunami was designed to adapt to extremely diverse and extremely large networks, without the need to run a different scanner for each device type.
Google says it achieved this by first splitting Tsunami into two main components and then adding an extensible plugin mechanism on top.
The first component is the scanner, or reconnaissance module. It scans the company's network for open ports, then probes each port to identify the exact protocol and service running on it, so that later checks are not aimed at a mislabeled port or at a device that was never running the service under test.
Google says this port fingerprinting module is built on the industry-tested nmap network mapping engine, supplemented with some custom code.
The second component is more complex. It works from the results of the first: for each device and its exposed ports, it selects a list of vulnerabilities to test for and runs benign exploits to check whether the device is actually vulnerable.
The vulnerability verification module is also extensible through plugins, so security teams can add new attack vectors and vulnerabilities to check for within their own networks.
The current Tsunami release ships with two types of plugins:
Exposed sensitive UIs: applications such as Jenkins, Jupyter, and Hadoop YARN let users schedule workloads or execute system commands. If these systems are exposed to the Internet without authentication, attackers can abuse that built-in functionality to run malicious commands.
Weak credentials: Tsunami uses other open-source tools such as ncrack to detect weak passwords used by protocols and devices, including SSH, FTP, RDP, and MySQL.
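To make the two-stage design and the plugin model concrete, here is an added illustration in Python. It is not Tsunami's code (Tsunami itself is written in Java) and does not use its plugin API; it models stage one's output as a list of fingerprinted services, a registry of plugins that each declare which services they apply to, and one exposed-UI detector in the spirit of the plugin above. The hosts, HTTP responses, and UI page markers are constructed stand-ins so the code runs offline, and the scan applies the high-severity-only filter and the "verify before reporting" rule the article attributes to the project.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkService:
    """One stage-one result: an open port with its fingerprinted protocol."""
    host: str
    port: int
    protocol: str        # e.g. "http", "ssh", as an nmap-style fingerprint would label it
    product: str = ""    # fingerprinted product name, may be empty


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str
    severity: str        # LOW, MEDIUM, HIGH or CRITICAL
    detail: str


# Constructed stand-in for the HTTP "GET /" a real plugin would send, keyed by
# (host, port) -> (status, headers, body). Entirely hypothetical sample data.
FAKE_HTTP_RESPONSES: Dict[Tuple[str, int], Tuple[int, Dict[str, str], str]] = {
    ("10.0.0.5", 8080): (200, {}, "<title>Dashboard [Jenkins]</title>"),
    ("10.0.0.6", 8888): (302, {"Location": "/login?next=%2Ftree"}, ""),  # Jupyter asking for its token
    ("10.0.0.7", 8088): (200, {}, "<title>All Applications</title> Hadoop YARN ResourceManager"),
    ("10.0.0.8", 80): (200, {}, "<h1>Welcome to nginx!</h1>"),
    ("10.0.0.9", 8888): (200, {}, "<title>Home Page</title> Jupyter Notebook"),
}


def http_get(host: str, port: int) -> Tuple[int, Dict[str, str], str]:
    """Offline replacement for a network request; unknown targets look unreachable."""
    return FAKE_HTTP_RESPONSES.get((host, port), (0, {}, ""))


# Page-content markers for the admin UIs named in the article (constructed values).
UI_SIGNATURES = {
    "Jenkins": "[Jenkins]",
    "Jupyter": "Jupyter Notebook",
    "Hadoop YARN": "Hadoop YARN",
}


def detect_exposed_ui(svc: NetworkService) -> Optional[Finding]:
    """Report a UI only when it is both recognised and reachable without authentication.

    Anything other than a 200 (a login redirect, a 401 challenge, no answer at all)
    is treated as protected or unknown, which is what keeps false positives down.
    """
    status, _headers, body = http_get(svc.host, svc.port)
    if status != 200:
        return None
    for product, marker in UI_SIGNATURES.items():
        if marker in body:
            return Finding(svc.host, svc.port, "ExposedSensitiveUi", "CRITICAL",
                           f"{product} UI answers unauthenticated requests")
    return None


@dataclass(frozen=True)
class Plugin:
    """A detector plus the rule for which fingerprinted services it applies to."""
    name: str
    matches: Callable[[NetworkService], bool]
    detect: Callable[[NetworkService], Optional[Finding]]


# The registry a team would extend with its own plugins (hypothetical layout).
PLUGINS: List[Plugin] = [
    Plugin("ExposedSensitiveUi",
           lambda s: s.protocol in ("http", "https"),
           detect_exposed_ui),
]

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def plugins_for(svc: NetworkService, plugins: List[Plugin] = PLUGINS) -> List[Plugin]:
    """Stage two's first step: pick only the plugins relevant to this service."""
    return [p for p in plugins if p.matches(svc)]


def run_scan(services, plugins=PLUGINS, min_severity="HIGH") -> List[Finding]:
    """Run the selected plugins per service and keep findings at or above the floor."""
    findings: List[Finding] = []
    for svc in services:
        for plugin in plugins_for(svc, plugins):
            finding = plugin.detect(svc)
            if finding and SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[min_severity]:
                findings.append(finding)
    return findings


# Constructed stage-one output for a small sample network.
FINGERPRINTED = [
    NetworkService("10.0.0.5", 8080, "http", "Jetty"),
    NetworkService("10.0.0.6", 8888, "http", "Tornado"),
    NetworkService("10.0.0.7", 8088, "http"),
    NetworkService("10.0.0.8", 80, "http", "nginx"),
    NetworkService("10.0.0.8", 22, "ssh", "OpenSSH"),
    NetworkService("10.0.0.9", 8888, "http"),
]

if __name__ == "__main__":
    for f in run_scan(FINGERPRINTED):
        print(f"{f.severity:8} {f.host}:{f.port} {f.plugin}: {f.detail}")
```

Running it reports only the three hosts whose admin UI answered an unauthenticated request with a recognised page: the Jupyter instance that redirected to its login page and the plain nginx site produce nothing, and the SSH port is never handed to the HTTP plugin at all, which is the point of selecting plugins from stage-one fingerprints instead of throwing every check at every port.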
Google says it plans to extend Tsunami with new plugins covering other types of vulnerabilities in the coming months. All plugins are published through a second, dedicated GitHub repository.
The project will focus on false positives
The search giant said Tsunami's development will focus on the needs of high-end enterprise customers like itself, those running large, multi-device networks.
Scan accuracy will be the primary goal, with the emphasis on delivering results without false positives (false detections).
This matters because the scanner runs across a wide network, where a false-positive result could mean pushing the wrong patches to hundreds or even thousands of devices, causing device crashes and network outages, wasted working hours, and even risk to a company's bottom line.
In addition, Tsunami will only support high-severity vulnerabilities, the kind likely to be weaponized, rather than trying to scan for everything under the sun as most scanners do today. This is meant to minimize alert fatigue for security teams.