SEC460.3
Navigating the River of Woe to EPIC Vulnerability Assessments
Copyright 2016-2017 Matthew Toussain | All Rights Reserved
Enterprise Threat and Vulnerability Assessment
Beyond Scanning | Delivering Impact Driven Vulnerability Assessments 3
CHOICE
You dash out of the cube farm knocking your boss out of the way whilst claiming explosive diarrhea
You lean back in your chair, the very picture of relaxation. You got this. You're awesome. Your boss needs to get with the program.
NOBODY LIKES GARY
SEC460 | Enterprise Threat and Vulnerability Assessment 5
THE IMPORTANCE OF COLLABORATION
When attack meets defense, the whole is greater than the sum of its parts.
Red Teams attack, Blue Teams defend, but they share a common goal: Continuous Security Improvement
THE TEAMING CONCEPT
The idea behind teaming is to create a representative role-based guide in which different teams are assigned color-coded objectives
• Blue Team – The blue team is tasked with network defense
• Red Team – The red team exists to evaluate and grow the blue team's capacity to perform network defense
Less Common Teams
• Green Team – The team tasked with remediation of security vulnerabilities
• Black Team – Also known as the hunt team, the black team is focused on cyberspace trapping and adversarial deception
THE TEAMING CONCEPT
Non-participative groups essential to facilitating the teaming objective are referred to as cells
• White Cell – The white cell's purpose is to enable the teaming event by acting as the intercessor between red and blue teams, validating findings and ensuring system availability
• Gray Cell – The gray cell simulates an unwitting user or, occasionally, an insider threat. The gray cell's role adds realism to the network exercise and facilitates blue team growth by aiding red team exploitation
PURPLE TEAMING
Purple Teaming is a newer concept focused on a direct collaborative relationship between blue and red functions
• The purple team is not adversarial!
• Often formed of members from both blue and red
• Simulation over Exploitation
YOU MAD BRO!?
CHOICE
You reach for the crayons because there is nothing a kaleidoscope of colors cannot solve!
You go to your quiet place (bean bag) to meditate on the choices that brought you here.
NONE OF OUR METRICS MAKE ANY SENSE!!!
WHAT IS VULNERABILITY SCANNING?
Vulnerability Scanning is the process of identifying services, configurations, and conditions that a threat actor could leverage to achieve malicious objectives.
THE VULNERABILITY SCANNER
A vulnerability scanner moves beyond typical enumeration scanning procedures
• General Purpose Vulnerability Scanners
  • Nessus
  • Nexpose
  • SAINT
  • Retina
  • Qualys
  • OpenVAS
• Application Specific Vulnerability Scanners
  • Nikto
  • Burp Suite
  • IBM AppScan
  • Acunetix
  • WPScan
  • VOIPAudit
GENERAL PURPOSE SCANNERS
Vulnerability scanners have a robust feature set that goes beyond simpler port scanning tools
• Scanning
  • Asset Discovery
  • Service Detection
  • Banner Grabbing
• Vulnerability Testing
  • Vulnerability Correlation
  • Validate Vulnerability
WHERE DO THEY COME FROM?
Two categories of risk management
• Identification
• Mitigation
Before a mitigation blueprint can be drawn up, an accurate measurement of unrealized risk must be taken
Vulnerability assessors are responsible for identification, measurement, and triage of cybersecurity exposure
Many testers fail to assess
Sources of risk ratings
• Precomputation, database lookup
• Computational
• Blended
RISK MANAGEMENT CULTURE
Developing an organizational risk management culture is iterative and cumulative
• Risk Identification
  • Threat assessment and risk ratings enable true network security insight
• Mitigation
  • Develop a concrete mitigation blueprint in order to control the risk
TYPES OF BUSINESS RISK
Risk is the possibility of suffering a loss
• Probability of a negative outcome if the risk is realized
Risk is a cost center
There are many kinds of risk; cybersecurity is only one subcategory
• Strategic risk
• Compliance risk
• Operational risk
• Financial risk
• Reputational risk
Cybersecurity risk is often not the most frequently realized, and so it is prone to being disregarded
• Low probability of occurrence, high impact when realized
THE RISK EQUATION
Organizational Risk = Probability x Impact
• In cybersecurity…
  • Vulnerability magnitude relates to the potential for catastrophic impact
  • The organizational threat (ransomware, intellectual property theft, sabotage) provides the motive for attack. Greater motive equals higher chances of becoming a target
• Final risk should factor in additional concerns that may go beyond intrinsic risk
  • Countermeasures
  • Human Cost
Risk = Threat Probability x Vulnerability Severity
SEVERITY – RISK RATING BY PRECOMPUTATION
Severity is not risk
Benefits of vulnerability rating lookup systems
• Unbiased
• Simple and Fast
• Easy to justify
Negatives
• No inclusion of probability or impact metrics
VULNERABILITY DATABASE SEVERITY RATINGS
Databases
• National Vulnerability Database
• Symantec Security Response
• VulDB
• CVE Details
• Microsoft Exploitability Index
• Scanner Databases: Rapid7, Qualys, Nessus, etc.
INFOCON – ISC RISK RATING
Infocon Rubric
• Infocon reflects changes in
  • Connectivity Disruptions
  • Known Malicious Traffic
• These criteria are judged as a series of true/false questions
  • +2 Slammer-like impact on Internet-wide operations
  • +2 Remote arbitrary code execution
  • +2 No vendor patch or effective mitigation
https://isc.sans.edu/infocon.html
RISK ASSESSMENT MATRIX
Risk Assessment Matrices, also known as Risk Assignment Matrices, enable a simple form of quantitative risk assessment
Advantages
• Elimination of personal biases
• Numerical identification creates "black or white" conditions that are easy to interpret
NETWORK DIAGRAM
[Diagram: three enclaves. DMZ: Public Webserver. Services Enclave: DC/DNS, PII SharePoint. User Enclave: Workstation 1, Workstation 2, File Share]
DRAFTING A RISK ASSIGNMENT MATRIX
The matrix plots Severity against Probability, each on the same 4-point scale: High (4), Medium (3), Low (2), Informational (1)
High (4)
➢ MS-17-010 ETERNALBLUE
➢ Web Directory Traversal
➢ Shared Local Admin (w/ DA)
➢ PII SharePoint Read
➢ Network File Share Full Access
➢ Domain Admin's Workstation
➢ Critical Customer Data
Medium (3)
➢ PII SharePoint Write
➢ Website Directory Indexing
Low (2)
Informational (1)
STICKY NOTE HELL!
CHOICE
Use your mad skillz to triage and remediate vulnerabilities. Your boss will forever bask in the radiance of your glory.
Frame Gary. Take the money. Nobody likes him anyway. Plus you deserve it. You are pretty awesome after all!
DMZ – VULNERABILITY REPORT
Public Webserver
• (H) Vulnerable to Directory Traversal
• (I) Directory Indexing Enabled
[Diagram: DMZ with the Public Webserver, annotated Directory Traversal (H) and Directory Indexing]
SERVICES ENCLAVE – VULNERABILITY REPORT
PII SharePoint
• (I) Critical Customer Data
• (M) World Readable
• (M) World Writeable
DC/DNS
• (I) Fully Patched
[Diagram: Services Enclave with DC/DNS and PII SharePoint, carrying rating labels M and L]
USER ENCLAVE – VULNERABILITY REPORT
Workstation 1
• MS-17-010 ETERNALBLUE
• Shared Local Admin with Workstation 2
• No sensitive data on system
Workstation 2
• Domain Admin's Workstation
• Fully Patched
Windows File Share
• Fully patched
• Full access for all domain users
[Diagram: User Enclave with Workstation 1, Workstation 2 and File Share, carrying rating labels C, L, L]
DEVELOPING A RISK ASSIGNMENT MATRIX – SOLUTION
The matrix plots Severity against Probability, each on the same 4-point scale: High (4), Medium (3), Low (2), Informational (1)
High (4)
➢ MS-17-010 ETERNALBLUE
➢ Apache Struts RCE
➢ Shared Local Admin (w/ DA)
➢ PII SharePoint Read
➢ Network File Share Full Access
➢ Domain Admin's Workstation
➢ Critical Customer Data
Medium (3)
➢ PII SharePoint Write
➢ Web Directory Traversal
➢ Website Directory Indexing
Low (2)
Informational (1)
QUALITATIVE RATING RUBRIC
• Does the vulnerability affect compliance related systems/information? (+2)
• Is the vulnerability actively exploited in-the-wild by major intrusion sets? (+1)
• Is the vulnerable service publicly accessible? (+1)
Can you brainstorm others?
QUALITATIVE ADJUSTMENT & TRIAGE
Rating Metric | Vulnerability
10 | Apache Struts RCE
9 | MS-17-010 ETERNALBLUE
9 | PII SharePoint Read
8 | PII SharePoint Write
7 | Shared Local Admin (w/ DA)
6 | Network File Share Full Access
5 | Web Directory Traversal
5 | Domain Admin's Workstation (I)
4 | Website Directory Indexing (I)
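As an added example (not code from the SEC460 deck or its author), the matrix-drafting and rubric-adjustment steps above carried through in Python: each finding is placed in a Severity x Probability cell on the deck's 4-point scale, the rubric's yes/no questions add their points, and the result is sorted for triage. The severity and probability levels given to each finding, the rubric flag names, and the choice to add rubric points directly to the matrix product are assumptions made here; the deck does not show the scale behind its final ratings, so the numbers produced will not match the triage table above.

```python
"""Risk assignment matrix scoring and qualitative triage (added example).

Assumed here, not taken from the deck: the severity/probability levels
given to each finding, and that rubric points are simply added to the
matrix product. The finding names and the rubric questions are the deck's.
"""
from dataclasses import dataclass, field

# The deck's 4-point scale, used for both axes of the matrix.
SCALE = {"High": 4, "Medium": 3, "Low": 2, "Informational": 1}
LEVELS = ["High", "Medium", "Low", "Informational"]

# Qualitative rating rubric from the deck: yes/no questions with point values.
RUBRIC = {
    "compliance_system": 2,  # affects compliance-related systems/information
    "exploited_itw": 1,      # actively exploited in the wild by major intrusion sets
    "public_service": 1,     # vulnerable service is publicly accessible
}


@dataclass
class Finding:
    name: str
    severity: str
    probability: str
    flags: set = field(default_factory=set)  # rubric questions answered "yes"

    def matrix_score(self) -> int:
        """Severity x Probability on the 4-point scale (range 1..16)."""
        return SCALE[self.severity] * SCALE[self.probability]

    def adjustment(self) -> int:
        """Sum of rubric points; unknown flags are rejected rather than silently ignored."""
        unknown = self.flags - set(RUBRIC)
        if unknown:
            raise ValueError(f"unknown rubric flags: {sorted(unknown)}")
        return sum(RUBRIC[flag] for flag in self.flags)

    def rating(self) -> int:
        return self.matrix_score() + self.adjustment()


def matrix_grid(findings):
    """Place findings into matrix cells keyed (severity, probability), as on the drafting slide."""
    grid = {}
    for f in findings:
        grid.setdefault((f.severity, f.probability), []).append(f.name)
    return grid


def render_matrix(findings):
    """One text line per occupied cell, highest probability row first."""
    grid = matrix_grid(findings)
    lines = []
    for prob in LEVELS:
        for sev in LEVELS:
            names = grid.get((sev, prob))
            if names:
                lines.append(f"P={prob}({SCALE[prob]}) S={sev}({SCALE[sev]}): " + ", ".join(names))
    return "\n".join(lines)


def triage(findings):
    """Highest rating first; ties broken by raw severity, then name, so the order is reproducible."""
    return sorted(findings, key=lambda f: (-f.rating(), -SCALE[f.severity], f.name))


# Constructed input: the deck's finding names with assumed levels and rubric answers.
FINDINGS = [
    Finding("Apache Struts RCE", "High", "High", {"exploited_itw", "public_service"}),
    Finding("MS-17-010 ETERNALBLUE", "High", "High", {"exploited_itw"}),
    Finding("PII SharePoint Read", "High", "Medium", {"compliance_system"}),
    Finding("PII SharePoint Write", "Medium", "Medium", {"compliance_system"}),
    Finding("Shared Local Admin (w/ DA)", "High", "Medium"),
    Finding("Network File Share Full Access", "Medium", "High"),
    Finding("Web Directory Traversal", "Medium", "Medium", {"public_service"}),
    Finding("Domain Admin's Workstation", "Informational", "Low"),
    Finding("Website Directory Indexing", "Informational", "High", {"public_service"}),
]

if __name__ == "__main__":
    print(render_matrix(FINDINGS))
    for f in triage(FINDINGS):
        print(f"{f.rating():>2}  {f.name}  (matrix {f.matrix_score()} + rubric {f.adjustment()})")
```

The tie-break matters in practice: two findings with the same product (a High severity at Medium probability and a Medium severity at High probability both score 12) will land next to each other in every report, and a stated rule for ordering them keeps the triage list stable from one assessment to the next.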
TPS REPORTS!?!? WHAT THE ACTUAL…
HACK THE PLANET!
[Diagram: the network diagram from above (DMZ: Public Webserver; Services Enclave: DC/DNS, PII SharePoint; User Enclave: Workstation 1, Workstation 2, File Share) with an Attacker node and edge labels Web Attk, Info-Disclosure, Shared Admin and ???]
I’M ON A BOAT