Attacker Behavior Boston Security Conference 2015
Uploaded by michael-roytman
Page 1
Boston Security Conference
Attacker Behavioral Analysis
2014
Page 2
INFORMATION SECURITY IS A GAME
Page 3 (no transcribed text)
Page 4
REMEDIATION
Remove the Threat
Accept the Risk
Repair the Vulnerability
Page 5
C(ommon) V(ulnerability) S(coring) S(ystem)
“CVSS is designed to rank information system vulnerabilities”
Exploitability/Temporal (Likelihood)
Impact/Environmental (Severity)
The Good: Open, Standardized Scores
Page 6
F1: Data Fundamentalism
“Since 2006 vulnerabilities have declined by 26 percent.” http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf
“The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012.” http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf
Page 7
FAIL 2: A Priori Modeling
“Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score... There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters... except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation...”
Page 8
F3: Stochastic Ignorance
Attackers Change Tactics Daily
Page 9
Repair the Vulnerability
Page 10
I LOVE IT WHEN YOU CALL ME BIG DATA
150,000,000 LIVE VULNERABILITIES
1,500,000 ASSETS
2,000 ORGANIZATIONS
Page 11
I LOVE IT WHEN YOU CALL ME BIG DATA
100,000,000 BREACHES
Page 12
ATTACKERS CHANGE TACTICS DAILY
Page 13
WE CARE ABOUT VULNERABILITIES
Page 14
BREACHES BY CVE 2014
Page 15
Chart: 2014, by quarter (Q1, Q2, Q3, Q4)
Pages 16–17 (no transcribed text)
Page 18
ATTACKERS DON’T CARE WHEN YOUR VULN WAS PUBLISHED
Page 19
HEARTBLEED
SHELLSHOCK
Page 20
Chart labels: HEARTBLEED, SHELLSHOCK, POODLE
Pages 21–22 (no transcribed text)
Page 23
ATTACKERS DON’T CARE ABOUT YOUR VULN’S LOGO
Page 24
BREACHES by CVSS
Page 25
CVSS by BREACH VOLUME + CVE
Page 26
CWE
Page 27
DEADLY SOFTWARE SINS:
1. ACCESS CONTROL
2. INPUT VALIDATION
3. BUFFER OVERFLOW
4. INJECTION
5. BAD CRYPTO
Page 28
CVSS AS A BREACH VOLUME PREDICTOR:
Page 29 (no transcribed text)
Page 30
ATTACKERS DON’T CARE ABOUT CVSS
Page 31
WE CARE ABOUT VULNERABILITIES
Page 32 (no transcribed text)
Page 33
ATTACKERS CARE ABOUT BREACHES
Page 34
CVEs OVER TIME
Page 35 (no transcribed text)
Page 36
CVEs OVER TIME (normalized)
Page 37
Probability A Vuln Having Property X Has Observed Breaches
Chart bars (x-axis from 0.0 to 0.3): Random Vuln, CVSS 10, Exploit DB, Metasploit, MSP+EDB (Metasploit + Exploit DB)
Page 38
DATA RULES EVERYTHING AROUND ME
RANDOM = 2%
CVSS 10 = 4%
METASPLOIT + EXPLOITDB = 30%
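The measure behind pages 37 and 38 is a conditional probability: of all vulnerabilities that have property X (CVSS 10, a public exploit in Exploit-DB, a Metasploit module, or both), what share turned up in an observed breach? The following is an added example of how that measure is computed and then used to order a remediation backlog; it is not code from the talk or from Risk I/O. The twenty vulnerabilities, their labels (placeholders, not real CVE ids) and their breach flags are constructed for illustration, so the rates it prints are not the talk's 2% / 4% / 30%, only the same kind of comparison.

```python
"""Breach rate per vulnerability property, the measure behind pages 37-38.

Added example for this transcript, not code from the talk or from Risk I/O.
The data below is constructed for illustration: vulnerability labels are
placeholders (not real CVE ids) and the breach flags were chosen by hand.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Vuln:
    vid: str        # placeholder label, not a real CVE id
    cvss: float     # published CVSS base score
    in_edb: bool    # public exploit listed in Exploit-DB
    in_msf: bool    # Metasploit module available
    breached: bool  # at least one observed breach used this vuln


# Constructed sample of 20 vulnerabilities (illustrative, not real data).
SAMPLE = [
    Vuln("V01", 10.0, False, False, False),
    Vuln("V02", 10.0, True,  True,  True),
    Vuln("V03", 10.0, False, False, False),
    Vuln("V04", 10.0, True,  False, False),
    Vuln("V05",  9.3, True,  True,  True),
    Vuln("V06",  7.5, True,  False, False),
    Vuln("V07",  7.5, False, True,  False),
    Vuln("V08",  6.8, True,  True,  False),
    Vuln("V09",  5.0, False, False, False),
    Vuln("V10",  5.0, False, False, False),
    Vuln("V11",  4.3, True,  False, False),
    Vuln("V12",  4.3, False, False, False),
    Vuln("V13",  4.3, True,  True,  True),
    Vuln("V14",  2.1, False, False, False),
    Vuln("V15",  2.1, False, False, False),
    Vuln("V16",  9.0, False, False, False),
    Vuln("V17",  8.5, False, False, False),
    Vuln("V18",  7.2, False, False, False),
    Vuln("V19",  6.5, False, False, False),
    Vuln("V20",  5.8, False, False, False),
]

# The properties compared on page 37. "random" is the base rate: P(breach)
# for a vulnerability picked with no information at all.
PROPERTIES: dict[str, Callable[[Vuln], bool]] = {
    "random": lambda v: True,
    "cvss_10": lambda v: v.cvss >= 10.0,
    "exploit_db": lambda v: v.in_edb,
    "metasploit": lambda v: v.in_msf,
    "msf_and_edb": lambda v: v.in_edb and v.in_msf,
}


def breach_rate(vulns: list[Vuln], has_property: Callable[[Vuln], bool]) -> float:
    """P(breached | property): share of vulns with the property that were breached.

    Returns NaN when nothing in the sample has the property, so an empty
    bucket is not mistaken for a zero risk.
    """
    subset = [v for v in vulns if has_property(v)]
    if not subset:
        return float("nan")
    return sum(1 for v in subset if v.breached) / len(subset)


def breach_rates(vulns: list[Vuln]) -> dict[str, float]:
    """Conditional breach rate for every property in PROPERTIES."""
    return {name: breach_rate(vulns, pred) for name, pred in PROPERTIES.items()}


def lifts(vulns: list[Vuln]) -> dict[str, float]:
    """How many times more likely a breach is, given the property, than at random."""
    rates = breach_rates(vulns)
    base = rates["random"]
    return {name: rate / base for name, rate in rates.items()}


def prioritize(vulns: list[Vuln]) -> list[Vuln]:
    """Order the backlog by observed breach evidence, using CVSS only to break ties.

    Each vuln is scored by the highest conditional breach rate among the
    properties it satisfies, so a CVSS 4.3 bug with a Metasploit module
    outranks a CVSS 10 bug nobody has weaponized.
    """
    rates = breach_rates(vulns)

    def evidence(v: Vuln) -> float:
        # "random" holds for every vuln, so the generator is never empty
        return max(rates[name] for name, pred in PROPERTIES.items() if pred(v))

    return sorted(vulns, key=lambda v: (evidence(v), v.cvss), reverse=True)


if __name__ == "__main__":
    lift = lifts(SAMPLE)
    for name, rate in breach_rates(SAMPLE).items():
        print(f"{name:12s} P(breach | X) = {rate:.2f}  lift = {lift[name]:.1f}x")
    print("remediation order:", [v.vid for v in prioritize(SAMPLE)])
```

The ordering rule is the practical consequence of the slides: breach evidence decides the queue and the CVSS score only orders vulnerabilities that carry the same evidence. Swap `SAMPLE` for a real export of scanner findings joined against exploit and breach feeds and the functions apply unchanged; the NaN return from `breach_rate` matters then, because a property nothing in your estate satisfies should show up as "unknown", not as "safe".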
Page 39
RISK.IO/JOBS
@mroytman