
Post on 05-Jun-2020


arkenoi@gmail.com, ENOG12

Vulnerability Risk management for everyone

theopenNet

•  mobilize technical Internet community
•  provide technical expertise
•  talk to other stakeholders

Why bother

Risk Management is the essence and purpose of all Information Security activities. Everything you do for Information Security is some kind of risk management!

Who cares?

•  60% of respondents stated company executives are only "somewhat" to "not at all" informed about the risk posed to their business from today's security threats

(NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)

What is risk management

•  GRC: Governance, Risk management and Compliance

•  Stage 0: ad hoc
•  Stage 1: missing! (a lot of bad stuff happens just here)

•  Stage 2: compliance driven (things that cannot be ignored)

Nature of the risk management gap

•  Cultural ("It is compliance driven stuff, we do not care, we have business to do")

•  Financial ("Only wealthy companies can afford this")

•  Technological ("We have no resources to waste on your complicated toys")

Measurement: Quantitative?

Risk = Impact ($) * Probability

Both variables are mostly unknown, yet estimated. The formula might get complicated if you add more variables (means, motive, controls, whatever).

Reliability of data sources is questionable, yet if you present any numbers rather than none it looks more convincing.

Measurement: Qualitative?

•  Better for decision making
•  You may or may not have real quantitative data as input

Google deeper: Cox's risk matrix theorem

Threat Intelligence

"What's happening out there"? Understanding risk through external context.

Not just about 0-days and IoCs for IPS/SIEM. Both APT-like actors and opportunistic attackers matter.

Network operators as a natural data source for threat intel

Huge coverage. Already having tools (IDS, traffic analysis, DPI, DNS request data, etc).

Managed security services for customers

Creating effective collaboration

How should a joint CERT work? Anything is always better than nothing. Coordinate, aggregate, analyse and share. Distributed tasks are easier.

Three functions of a joint CERT

1. CC: coordinate effort and promote information exchange (here we start!)

2. CSIRT: incident investigation, response and tactical analysis (easier!)

3. SOC: real time and retrospective event processing (harder!)

Let's get practical

Why vulnerability management? Most of the breaches involve a vulnerability of some kind.

Manageable and measurable (involves less social context; as we know, machines are easy and humans are hard).

Vulnerability Management

•  Stage 0: none
•  Stage 0.5: [a]periodic scans, huge vulnerability lists, panic and depression (significant human effort is required in this struggle)

•  Stage 1: continuous vulnerability management and first attempts to prioritise on the fly (here VM vendors jump in and ask for big $$)

•  Stage 2: more or less futile attempt to bring both variables into the risk equation (RM vendors jump in and ask for even more $$)

Why pay a premium price

Because it is obviously valuable. And there is (or at least seems to be) no alternative.

51% of organizations are suffering from data overload (and I think many more either have massively incomplete data or do not admit their difficulties).

24% do not know how to prioritize.
22% use CVSS and maybe some internal data.
21% do manual correlation with threat intel.
31% use commercial tools.
(NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)

Notable players (VM)

Nessus: one of the best yet cheapest security scanners, but continuous vulnerability management (SecurityCenter) is expensive. Risk management capabilities are limited.

A nice try to integrate threat intelligence and advanced asset management into vulnerability scanning, again, big $$.

As authors of Metasploit, the penetration testing tool, Rapid7 is notable for a highly practical approach to vulnerability management.

Notable players (RM)

An Israeli start-up, the first (known to me) attempt to break vendor lock-in for vulnerability risk management. Has connectors to multiple scanners. Starts with $30K or so.

If you are not from Russia, you probably never heard about this one. It's a shame because the capabilities are impressive.

GRC vendors without a specific focus on VM (like RSA etc) are not listed here for an obvious reason.

Industry's Dirty Little Secret

As easy as that

•  "Continuous vulnerability management" requires a database backend, vulnerability scanner connectors and a few reporting tools. And it is already here (Seccubus project, developed by Schuberg Philis).

•  "Vulnerability risk management" requires (surprisingly) an asset management tool with good heuristics to assist evaluation (think hostnames, software inventory, LDAP lookups etc), a method to integrate environmental factors (firewall configuration, protective tools, ..), possibly threat intelligence data, and vulnerability assessment as is.

•  (if you are interested in risk assessment methodology per se, refer to Open Group's FAIR(*), it's simple)

(*) Factor Analysis of Information Risk

How to evaluate a vulnerability

Like hackers (well, or pentesters ;-) do!

•  The only things you need to know are:
•  Is this vulnerability exploitable in your configuration?
•  Is there a pre-built exploit for your system available?
•  What is the real impact?

If you know that, you get part of the equation solved. The other parts are the asset value, protection countermeasures and your chances to be attacked.

A real life example

●  Winshock (MS14-066) vulnerability
●  Unauthenticated RCE in Windows SChannel code

●  "Exploits are available", given top priority by all vulnerability scanners

●  Maximum possible CVSS score of 10.0
●  Actually no RCE exploits in the wild, just DoS!

Simply put

Traditional vulnerability scanning software scares you into thinking you have an immediate and imminent threat and you should concentrate your efforts on fixing that. While there actually could be more important things for you to do, because the cost and complexity of the attack is much higher than was implied!
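The three "evaluate like pentesters do" questions and the Winshock case above, turned into a small re-ranking script. This is an added example, not code from the talk, Vulners, Seccubus or any scanner vendor; the weights, the 1..5 asset_value scale and the EACVSS-like adjustment are assumptions for illustration, and the second CVE id is a placeholder.

```python
# Added example (not from the talk): re-rank scanner findings by what public
# exploits really achieve, whether the flaw is exploitable in this configuration,
# exposure, and asset value, instead of by the raw CVSS score alone.
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    cve: str
    host: str
    cvss_base: float              # scanner's base score, 0.0-10.0
    scanner_flags_exploit: bool   # the scanner's "Exploits are available" flag
    exploit_effect: str           # what public exploits really do: rce/dos/info/none
    exploitable_in_config: bool   # is the vulnerable code path reachable as deployed?
    reachable_by_attackers: bool  # environmental factor, e.g. exposed through the firewall
    asset_value: int              # assumed scale: 1 (low) .. 5 (crown jewels)

# Assumed weights: a DoS-only exploit is far less urgent than working RCE.
EFFECT_WEIGHT = {"rce": 1.0, "dos": 0.4, "info": 0.3, "none": 0.1}

def adjusted_score(f: Finding) -> float:
    """Exploit-adjusted score: base score scaled by real exploit effect and exposure."""
    if not f.exploitable_in_config:
        return 0.0                # vulnerable code is never exercised on this host
    score = f.cvss_base * EFFECT_WEIGHT[f.exploit_effect]
    if not f.reachable_by_attackers:
        score *= 0.5              # still worth fixing, but not an imminent threat
    return round(score, 1)

def risk_rank(findings: List[Finding]) -> List[Finding]:
    """Order by adjusted score * asset value, a stand-in for Risk = Impact * Probability."""
    return sorted(findings, key=lambda f: adjusted_score(f) * f.asset_value, reverse=True)

# Constructed sample findings; CVE-0000-EXAMPLE is a placeholder, not a real identifier.
SAMPLE = [
    Finding("MS14-066", "web1", 10.0, True, "dos", True, True, 3),
    Finding("CVE-0000-EXAMPLE", "db1", 7.5, True, "rce", True, True, 5),
    Finding("MS14-066", "lab7", 10.0, True, "dos", True, False, 2),
    Finding("MS14-066", "kiosk2", 10.0, True, "dos", False, True, 1),
]

if __name__ == "__main__":
    for f in risk_rank(SAMPLE):
        print(f"{f.host:8} {f.cve:18} cvss={f.cvss_base:4} adjusted={adjusted_score(f):4}"
              f" risk={adjusted_score(f) * f.asset_value:5}")
```

The CVSS 10.0 Winshock findings drop below the 7.5 flaw with a working RCE exploit on a high-value host, which is the talk's point: the scanner's "exploits are available" flag says nothing about what those exploits actually do.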

Enter Vulners

A search engine for exploits and security bulletins, contains 60+K exploits to date.

Non-profit and free to use.

But, wait

●  Vulners exploit search is for humans
●  No formal definition exists for exploit capabilities

●  Time to fix that!

Enter ECDML and EACVSS

●  Exploit Capability Definition Markup Language: describe exploit properties via CVE, CPE and supplementary information (CCE, Common Configuration Enumeration, is dead, sorry)

●  EACVSS, Exploit Adjusted CVSS: evaluate real exploit capability

Sorry for non-readable text ;-)

Back to risk analysis and FAIR methodology

What's next

●  Augment risk intelligence with Threat Event Frequency

●  Implement (mostly) automated risk assessments using FAIR methodology

●  That's where a joint CERT could provide extremely valuable information!

Dreams ;-)


How state of the art risk analysis should work

Not covered here

•  Advanced vulnerability management issues like detecting and avoiding vulnerability scan gaps, "scannerless" data collection, etc etc

•  Seccubus implementation and deployment details (ask me if you want to discuss any of those later)

•  FAIR methodology in depth
•  Privacy issues for threat intel
•  Threat intel information exchange formats

Useful links

•  http://theopennet.ru
•  https://www.vulners.com
•  https://www.seccubus.com

Thank you! Questions?
