Endpoint and Server Security: Part 3 – Discovery Through Response


Endpoint and Server Security at GEN: Discovery Through Response

Strengthening the first and last line of defense in any organization starts with understanding how endpoints and servers behave on the network. This article walks through a realistic scenario inside GEN, a loan company building out its cybersecurity practice. Along the way we combine network scanning, vulnerability analysis, prioritization, and lightweight monitoring so you can replicate the same workflow in your own lab.

Learning Goals

By the end of this walkthrough you should be able to:

  • Explain why active discovery complements endpoint detection and response (EDR/XDR) tooling.
  • Use Nmap to confirm device presence and gather service information.
  • Interpret vulnerability findings, map them to CVEs, and order remediation with CVSS.
  • Stand up minimal monitoring that raises alerts when critical assets misbehave.
  • Outline a short incident playbook that turns raw alerts into decisive action.

Setting the Stage

Inside GEN’s cybersecurity department, we previously used Trend Micro Vision One to highlight several risky assets. That insight now becomes the foundation for broader visibility. For continuity we focus on the three devices that scored highest in Module 2:

| Device       | IP Address    | Type     | Description                         |
|--------------|---------------|----------|-------------------------------------|
| Endpoint-001 | 192.168.1.45  | Endpoint | Employee laptop with SMB exposure   |
| Server-WEB01 | 192.168.1.100 | Server   | Web application server (Apache)     |
| Server-DB02  | 192.168.1.103 | Server   | Internal PostgreSQL database server |

Treat these entries as examples—swap in your own lab addresses or the dataset from class if you are following along.

Discovering Devices on the Network

Before diving into vulnerabilities, confirm that the targets respond on the wire. A simple ping sweep does the job:

nmap -sn 192.168.1.0/24

The -sn flag tells Nmap to use host discovery without port scanning, and the /24 indicates the subnet range. Collecting the output in a quick reference table makes it easier to spot changes later:

| IP            | Name/Identifier | Response Time |
|---------------|-----------------|---------------|
| 192.168.1.45  | Endpoint-001    | 12 ms         |
| 192.168.1.100 | Server-WEB01    | 8 ms          |
| 192.168.1.103 | Server-DB02     | 7 ms          |

Because all three hosts reply, we can proceed confidently with deeper inspection.

Inspecting Services and Hunting Vulnerabilities

Service detection (-sV) extends the discovery phase by reporting the software stack exposed on each device. Pair it with Nmap’s vulnerability scripts for richer context:

nmap -sV 192.168.1.45
nmap --script vuln 192.168.1.45

Repeat the commands for every device to build a clear picture. Below are representative highlights you might encounter:

Endpoint-001 – 192.168.1.45

  • Service detected: SMBv1 (Microsoft Windows 7 SMBv1)
  • Why it matters: SMBv1 remains vulnerable to EternalBlue (MS17-010), a wormable exploit associated with ransomware outbreaks.
  • Module 2 connection: Trend Micro already flagged CVE-2017-0144 with a CVSS of 8.1; Nmap reconfirms the risk from a network perspective.

Server-WEB01 – 192.168.1.100

  • Service detected: Apache 2.4.29 on Ubuntu
  • Vulnerability script insight: Possible exposure to CVE-2021-34798, a mod_http2 denial-of-service flaw triggered by crafted HTTP/2 requests.
  • Module 2 connection: XDR telemetry pointed at the same CVE, confirming that the public-facing front end needs attention.

Server-DB02 – 192.168.1.103

  • Service detected: PostgreSQL 9.5.3
  • Potential issue: CVE-2016-2193 may allow privilege escalation under specific conditions, increasing lateral movement risk inside the LAN.
  • Module 2 connection: The database was previously marked as outdated; now we understand exactly how an attacker might capitalize on it.
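The discovery and service-detection results above are easiest to keep comparable when they come from Nmap's XML output (`-oX`) rather than the screen. The following script is an added example, not part of the original article: it parses a constructed `-sV -oX` sample for the three lab hosts into the inventory table and diffs it against the previous scan's baseline, so a host that stops answering or changes its exposed services is flagged automatically. The XML and the baseline dictionary are constructed to mirror the tables in this article, and Server-DB02 is deliberately reported as down so the diff has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output for the lab hosts (not real scan data);
# Server-DB02 is deliberately reported down so the diff below has something to flag.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/><address addr="192.168.1.45" addrtype="ipv4"/><hostnames><hostname name="Endpoint-001"/></hostnames>
  <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 7 SMBv1"/></port></ports></host>
 <host><status state="up"/><address addr="192.168.1.100" addrtype="ipv4"/><hostnames><hostname name="Server-WEB01"/></hostnames>
  <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port></ports></host>
 <host><status state="down"/><address addr="192.168.1.103" addrtype="ipv4"/></host>
</nmaprun>"""

# Baseline inventory from the previous scan (constructed to match the article's tables).
BASELINE = {
    "192.168.1.45": {"name": "Endpoint-001", "services": {445: "Microsoft Windows 7 SMBv1"}},
    "192.168.1.100": {"name": "Server-WEB01", "services": {80: "Apache httpd 2.4.29"}},
    "192.168.1.103": {"name": "Server-DB02", "services": {5432: "PostgreSQL DB 9.5.3"}},
}

def parse_inventory(xml_text):
    """Map each host that is up to its name and its open ports with product/version."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # host discovery failed; the diff reports it as missing
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        name = hn.get("name") if (hn := host.find("hostnames/hostname")) is not None else ip
        services = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            services[int(port.get("portid"))] = " ".join(p for p in parts if p) or "unknown"
        inventory[ip] = {"name": name, "services": services}
    return inventory

def diff_inventory(baseline, current):
    """List hosts that vanished, appeared, or changed their exposed services since baseline."""
    changes = []
    for ip in sorted(set(baseline) | set(current)):
        if ip not in current:
            changes.append(("missing", ip))
        elif ip not in baseline:
            changes.append(("new", ip))
        elif baseline[ip]["services"] != current[ip]["services"]:
            changes.append(("changed", ip))
    return changes
```

Run it against a saved baseline after every sweep; a "missing" database server or a "changed" service string on the web front end is exactly the kind of drift the reference table is meant to expose.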

Prioritizing with CVSS and Context

CVSS scores provide a structured baseline, but ordering remediation also requires business awareness. Combining both angles yields the following stack rank:

| Device       | CVE            | CVSS Score | Severity | Why It Comes First                                                        |
|--------------|----------------|------------|----------|---------------------------------------------------------------------------|
| Endpoint-001 | CVE-2017-0144  | 8.1        | Critical | Remote, wormable exploit capable of disrupting the entire estate.         |
| Server-WEB01 | CVE-2021-34798 | 7.5        | High     | Internet-facing service whose outage impacts customer access.             |
| Server-DB02  | CVE-2016-2193  | 6.5        | Medium   | Internal asset requiring local foothold, though still deserving patches.  |

Aim to patch Endpoint-001 immediately, schedule downtime for Server-WEB01, and plan an upgrade path for Server-DB02. Documenting the reasoning alongside the scores helps leadership understand the remediation roadmap.

Adding Lightweight Monitoring

Vulnerability data is most valuable when paired with visibility into day-to-day health. PRTG Hosted Monitor offers an approachable starting point:

  1. Organize assets: Create a GEN group with Servers and Endpoints subgroups.
  2. Add sensors: Attach Ping and Uptime sensors for Server-WEB01; for Endpoint-001 expand into Ping, CPU Load, and Disk Usage to catch stress signals.
  3. Define alerts: Configure a ping latency threshold—say 200 ms—and route notifications to security@gen.local or your SOC queue.
  4. Validate: Simulate packet loss or a service restart to confirm the alert fires. Capture a screenshot or log entry as evidence for change control.

No lab access? Describe the configuration steps and reference provided screenshots. The key lesson is that even basic telemetry shortens the time between an outage and the first human response.

From Alert to Action: A Mini Playbook

Monitoring without a plan can flood teams with noise. Build a concise sequence that operators can follow when an alert—such as high latency on Endpoint-001—appears:

  1. Detection: Record the alert from PRTG or the chosen monitoring stack.
  2. Validation: Cross-check with manual ping/traceroute tests and relevant system logs.
  3. Isolation: If compromise is suspected, quarantine the endpoint via VLAN ACLs or endpoint management tools.
  4. Notification: Escalate to the security operations team and system owners through established channels.
  5. Documentation: Open an incident ticket capturing timestamps, scope, and supporting evidence.
  6. Mitigation & Recovery: Disable SMBv1, apply MS17-010, restart services, or restore from backups as needed.
  7. Closure Criteria: Confirm normal performance, clear lingering alerts, and schedule a post-incident review.
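To make the 200 ms latency threshold from the monitoring section and the Detection, Documentation and Closure steps of this playbook concrete, here is an added example (not the article's or PRTG's own code). It replays constructed one-minute ping samples for Endpoint-001, opens an alert only after three consecutive bad samples so a single slow reply does not page the SOC, closes it after three consecutive good ones, and renders the ticket record the Documentation step asks for. The three-sample hysteresis and the timestamps are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD_MS = 200  # the article's suggested PRTG latency threshold
CONSECUTIVE = 3     # assumption: bad (or good) samples in a row needed to open (or close)

# Constructed one-minute ping samples for Endpoint-001: (timestamp, latency in ms); None = timeout.
SAMPLES = [
    ("2025-09-30T10:00:00", 12), ("2025-09-30T10:01:00", 15),
    ("2025-09-30T10:02:00", 240), ("2025-09-30T10:03:00", None),
    ("2025-09-30T10:04:00", 310), ("2025-09-30T10:05:00", 290),
    ("2025-09-30T10:06:00", 14), ("2025-09-30T10:07:00", 11), ("2025-09-30T10:08:00", 13),
]

@dataclass
class Alert:
    host: str
    opened_at: str
    evidence: list = field(default_factory=list)  # every sample that kept the alert open
    closed_at: Optional[str] = None

def evaluate(host, samples, threshold=THRESHOLD_MS, needed=CONSECUTIVE):
    """Replay samples and return the alerts a threshold-with-hysteresis sensor would raise."""
    alerts, bad_run, good_run, current = [], [], 0, None
    for ts, ms in samples:
        if ms is None or ms > threshold:
            bad_run.append((ts, ms))
            good_run = 0
            if current is not None:
                current.evidence.append((ts, ms))
            elif len(bad_run) >= needed:  # Detection: open only after a sustained breach
                current = Alert(host, bad_run[0][0], list(bad_run))
                alerts.append(current)
        else:
            bad_run = []
            good_run += 1
            if current is not None and good_run >= needed:  # Closure: performance back to normal
                current.closed_at = ts
                current = None
    return alerts

def ticket(alert):
    """Documentation step: a ticket record with timestamps, scope and supporting evidence."""
    return {
        "title": f"High latency on {alert.host}",
        "scope": alert.host,
        "opened": alert.opened_at, "closed": alert.closed_at,
        "evidence": [f"{ts} {'timeout' if ms is None else f'{ms} ms'}" for ts, ms in alert.evidence],
    }
```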

These steps complement GEN’s XDR platform by adding human decision points, operational accountability, and coverage for assets that might not run an EDR agent.

Key Takeaways

  • Active scanning validates and enriches insights from XDR solutions, revealing how exposed services actually behave.
  • CVSS provides a numerical anchor, but contextual business impact ensures resources flow to the most dangerous issues first.
  • Lightweight monitoring plus a simple response playbook turns raw vulnerability data into a repeatable security discipline.

By rehearsing this workflow in a lab, you build muscle memory that transfers directly into production environments—whether you secure a small IT fleet or a sprawling enterprise like GEN. The article shows how GEN’s security team combines discovery, prioritization, monitoring, and response playbooks to strengthen endpoint and server defenses.


Student: Krivoshchekov Artem
Organization: GEN Cybersecurity Dept
Module: Network & Vulnerability Analysis
Date: 30/09/2025