how not to suck at vulnerability management
play

HOw NOT to suck at Vulnerability Management Shellcon.io Plug - PowerPoint PPT Presentation

Nov 12, 2022 •382 likes •955 views

HOw NOT to suck at Vulnerability Management Shellcon.io Plug (@plugxor) and Chris (@ChrisHalbersma) Current Landscape Apache Struts backend server exposed to the Internet DATABASE EXPOSED UNSECURED SERVER DATA LEAK

  1. HOw NOT to suck at Vulnerability Management Shellcon.io Plug (@plugxor) and Chris (@ChrisHalbersma)

  2. Current Landscape

  3. ● Apache Struts ● backend server exposed to the Internet ● DATABASE EXPOSED ● UNSECURED SERVER ● DATA LEAK ● Software Bug SOURCE: https://blog.barkly.com/biggest-data-breaches-2018-so-far

  4. DUO Labs - Beyond S3: Exposed Resources on AWS https://duo.com/blog/beyond-s3-exposed-resources-on-aws

  5. Vulnerability Management is NOT a Compliance

  6. Vulnerability Management is NOT Easy

  7. Goals

  8. Goals: Quick Identifications Real Time Identification The sooner you know of a vulnerability the better your chances to mitigate accordingly. Reduce time of discovery

  9. Goals: Quick Triaging of Issues Fast Triage You have to make critical decisions fast. Blue teams do it, Vulns teams should too!

  10. Goals: Starting Remediation Mitigation and Remediation You want to be able to mitigate, as soon as possible, taking in consideration business needs

  11. ChallEnges Multiple sources of Vulnerability Intelligence Too many sources of data and “noise”. Consume what you need, discard the rest A Patch is not available or Patching is not always possible What mitigation measures are at your disposal? How about extra visibility and monitoring?

  12. Common Vulnerability Scoring System (CVSS) Standardized Rubric that can be useful for determining the impact of various vulnerabilities. Don’t rely on it to make decisions, it’s a numerical score, useful, but you need context! Don’t Accept Blindly for Triage.

  13. CVSS Context: Vuln Comparison CVE-2014-0160 (Heartbleed) SCORE v2: 5.0 vs. CVE-2017-0143,44,45,46 (Eternal Blue) SCOREv3: 8.1 SCOREv2: 9.3 Which one affected your production environment more?

  14. Context: Undisclosed Vulns CVE-2018-6693 Example (ENSLTP on Linux Vuln) Vulns can be partially disclosed. Where the fix may be out but things like details might not be disclosed yet or still under a Security Embargo. How you handle this issue can be varied.

  15. Prerequisites

  16. Know your assets Comprehensive list of Assets CMDB. Preferably not a spreadsheet. Keeping IP ranges up-to-date What are my organization IP blocks? Are they current? How about IPv6? CMDBuild A CMDB for IT infrastructures (slides for AutomateIT² event)

  17. assets in the CLoud The Cloud Is the cloud at play? Which providers? Which environments? What are the accounts?

  18. Attribution Very important for triage and remediation Who owns asset $x? Who do I contact? What about other records or accounts? You’ll never be the expert on everything. Lean on your teams.

  19. Vuln Mgmt Theory

  20. The General Theory of Vuln Management Use the combination of your ● internal and external intelligence to make decisions. Goal: Drive remediations of the ● issues you’re vulnerable to. Largely you’re going to say ● things like “go patch yourself”. Sometimes you’ll be asking more ● questions. Most important Rule: Don’t get ● Bogged Down!

  21. External Intelligence It’s a Dope Buzzword Includes things like public CVEs, Blog Posts, Security Bulletins and other Security Info Quality, be Picky For your environment, focus on high signal to noise indicators, especially when starting. Requires Parsing While tools exist you’ll likely need to parse this information to combine it with your Internal Intelligence

  22. Internal Intelligence Not a Buzzword, we Made it Up! What do you know about your environment? When you ask questions this is what gives answers. Accuracy + Quantity You want to be able to see as much as you can with maximum accuracy. Decisions are made with this data. Integrations This is where you’ll build most of your integrations.

  23. Internal Intelligence Consider which internal tools can provide intelligence Discovery and Broadcast protocols (BOOTP, Windows Browser, etc) ● DHCP, DNS or AD Servers ● Network Devices (Switch, Router, Firewalls, etc) ● <Insert tool name> logs ● Flow Data ● Plenty of intelligence exploring flow data! ○

  24. Metrics & Data Collect Metrics Metrics will help you figure out how your org is doing. Data-Powered Reinforcement Your actions are easier to justify with the data. Graphs are Fun I’m a Nerd, I’ll admit it.

  25. Metrics & Data : Graphs Keep in mind your audience Does Management need X ? Does it convey the right message? DON'T DO THIS

  26. Metrics & Data : Better Graphs Make it simple Less is more. Don’t try to put every single item on your charts !

  27. Triage

  28. Triage : Prerequisites Know your software stack To be effective during triage, document your software stack. Don’t waste time on things that don’t impact Get to know your environment Get familiar with your applications and the architecture, it matters!

  29. Triage : CVE Considerations Again, don’t rely blindly on CVSS Scores Does this vulnerability impact your environment? If so, how, where, what? A remote attacker could possibly... Is there a public exploit? How complex is the vulnerability? Temporal and Environmental Scores Matter. Know how this vuln affects your environment. The Temporal and Environmental Sections of CVSS3 can help objectify that risk.

  30. Triage : Understanding your Vulnerability Data Validate and verify your findings Most scan tools use application and port banners to identify vulnerabilities. Validate the findings! Did you actually connect to X service to confirm? Does the version impacted match that of the one installed on the system? Don’t make Big Triage Decisions on Unvalidated Data

  31. Triage : With Friends Build healthy partnerships with your Org. teams Security is everyone's problem, be kind. You will need their help and they will need yours! When in doubt, it’s not only OK to ask, you should! Reach out to your organization teams for answers. They are the subject matter expert!

  32. Tools

  33. Toolset : The Basics Your trusty: Spreadsheet Extremely useful when working with new data.

  34. Tooling : About Network Scanning Discovery Scan Strategies Start small, use a simple port list or the most common, TCP Use results to augment your inventory data, validate, repeat, win! Do NOT engage in vulnerability scans until you have reviewed discovery data Firewalls and fragile devices Remember, you can get data (host, service, OS) from other sources (flow, bro, etc.), use it!

  35. Scanning Do NOT touch! Courtesy of Alejandro Hernández @nitr0usmx

  36. Toolset : More on Network Scanning Authenticated or Unauthenticated Scans Do you really, really , need authenticated scans? Have you tuned, reviewed, and validated your scan templates? Keep your templates up-to-date! Secure your scanning infrastructure! IPv6 - Network Reconnaissance in IPv6 Networks https://tools.ietf.org/html/rfc7707

  37. Toolset : Ongoing Considerations Technology is constantly changing Are your tools still effective? Find the tools that work for you Evaluate the tools your organization has, can any of those tools be reused? Can you adapt them accordingly? Before you introduce new tools Make sure the basic requirements of your program are covered first, unless these new tools complement it

  38. Toolset : Approach Avoid the “one tool fits all” mentality. No need to reinvent the wheel Plenty of awesome Open Source tools out there

  39. Tooling : Internal Intelligence Options Lots of Potential Tooling: ● HubbleStack ○ Katello and RH Satellite ○ OSQuery ○ Lynis ○ YASAT ○ Zeus ○ WSUS (Windows) ○ Evaluate your needs and build, ● buy, combine or modify to suit them. There is no Ring of Power. ●

  40. man o' war BSD Licensed Internal ● Intelligence System we Wrote Link ● One of a Number of tools you ● could use. Missing some helper tools ● (haven’t got them opened yet).

  41. Man o’ War - Theory Tie In Helps you manage internal and ● external intelligence sources. Parses and checks your external ● intel into valid comparisons. Provides a friendly(ish) way to ● access the data in question.

  42. Man o’ War - Demo Agenda Going to take you through an example of triaging. ● Start with the Upstream vulns. ● Show how it profiles. ● Show Auditing ● Using Example USN-3765-1 a recent Curl Vuln ○ Show some “unstructured” Investigation Data Available ● Conclusions ●

  43. Backup Demo Video

  44. Remediation

  45. Interacting With The Org - Two Paths Work Assignment Self-Service Sometimes you gotta “Cut Tickets” Present your findings as ● ● to the asset owners to fix things. accurately as you can to your org. You get/have to be the bad guy Think Dashboards. ● sometimes here. If the culture works, teams will ● Try to Avoid a “Shame Culture”. “self-resolve” issue you find. ● Data Accuracy is important here. ● False positives lower trust in your team.

  46. REmediation or Mitigation Patching Capabilities What are your current capabilities? How fast can you deploy x patch? How accurately can you validate proper patch installation? You may not be able to patch What mitigation controls are available?

  47. Decision Documentation Document decisions The organization may need to take drastic decisions, make sure they are documented!

  48. Pitfalls

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buying Into the Bias: Why Vulnerability Sta6s6cs Suck

Buying Into the Bias: Why Vulnerability Sta6s6cs Suck

Buying Into the Bias: Why Vulnerability Sta6s6cs Suck Steve Christey (MITRE) &amp; Brian Mar6n (OSF) (We speak for ourselves, not our employers)

1.67k views • 142 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
Vulnerability management with OpenVAS Henri Doreau henri.doreau@greenbone.net 12 th LSM -

Vulnerability management with OpenVAS Henri Doreau henri.doreau@greenbone.net 12 th LSM -

Vulnerability management with OpenVAS Henri Doreau henri.doreau@greenbone.net 12 th LSM - Strasbourg 2011 OpenVAS Vulnerability management Project news Conclusion Outline OpenVAS 1 Introduction Architecture Vulnerability management 2

691 views • 29 slides
Hunting Black Swans Dr Luke Kemp Centre for the Study of Existential Risk We suck at prediction.

Hunting Black Swans Dr Luke Kemp Centre for the Study of Existential Risk We suck at prediction.

Hunting Black Swans Dr Luke Kemp Centre for the Study of Existential Risk We suck at prediction. We suck at thinking systemically. We can suck less in the future. Predicting Doomsday is Hard Statistical Methods Expertise is not a Panacea

562 views • 8 slides
Your Slides Suck!: Wow Your Audience with Engaging, Empowering and Effective Your Slides Suck!:

Your Slides Suck!: Wow Your Audience with Engaging, Empowering and Effective Your Slides Suck!:

NRNELHXLRJIM ^ Kindle Your Slides Suck!: Wow Your Audience with Engaging, Empowering and Effective PowerPoint... Your Slides Suck!: Wow Your Audience with Engaging, Empowering and Effective Your Slides Suck!: Wow Your Audience with Engaging,

493 views • 4 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Community Vulnerability Tools Presented to C/CAG Resource Management and Climate Protection

Community Vulnerability Tools Presented to C/CAG Resource Management and Climate Protection

Community Vulnerability Tools Presented to C/CAG Resource Management and Climate Protection Committee May 20, 2020 Outline Why use Community Vulnerability Tools? Major tools Benefits and examples of how to use them Discussion

362 views • 24 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Metastore About Metastore Solutions Timeline Mainframe ICT Security Threat and Vulnerability

Metastore About Metastore Solutions Timeline Mainframe ICT Security Threat and Vulnerability

Metastore About Metastore Solutions Timeline Mainframe ICT Security Threat and Vulnerability Management z/OS Security Management Identity, Access and Entitlement Management z/OS Operations Management 1992 2016 Windows Server Data

304 views • 9 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide &amp; inform frontline workers &amp; decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
Youve Got Your Nice List of Bugs, Now What? Vulnerability Discovery and Management

Youve Got Your Nice List of Bugs, Now What? Vulnerability Discovery and Management

Youve Got Your Nice List of Bugs, Now What? Vulnerability Discovery and Management Processes in the Wild Noura Alomar, Primal Wijesekera, Edward Qiu, and Serge Egelman University of California (Berkeley) and ICSI Motivation Many

688 views • 23 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems

Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems

A1 Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems Network Analyst/Penetration Tester/President Of Computer Security Association Of North Dakota Slide 1 A1 Author, 9/16/2013 About Me About Me:

925 views • 23 slides
Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St

Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St

Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St Stem em-Inf Infest esting ing, and , and Ro Root ot-Fe Feedi eding Inse ng Insect ct and and Mit Mites es Pes Pests ts of of P Pec

584 views • 57 slides
trt r

trt r

trt r r rrts s r

644 views • 28 slides
You Are a Scala Contributor Seth Tisue @SethTisue Scala team, Lightbend or you can be, if you

You Are a Scala Contributor Seth Tisue @SethTisue Scala team, Lightbend or you can be, if you

Scala Days 2018 You Are a Scala Contributor Seth Tisue @SethTisue Scala team, Lightbend or you can be, if you want to. heres how. you are a Scala contributor If you open an issue If you comment on an issue or a pull request If you

759 views • 72 slides
Bug Triage for Ubuntu By: Draycen DeCator (ddecator) What is this presentation for? This

Bug Triage for Ubuntu By: Draycen DeCator (ddecator) What is this presentation for? This

Bug Triage for Ubuntu By: Draycen DeCator (ddecator) What is this presentation for? This presentation is intended to introduce all of the information a person should need to triage bug reports. This presentation has a LOT of information.

1.02k views • 37 slides
Rico Angell, Ben Oztalay, and Andrew DeOrio University of

Rico Angell, Ben Oztalay, and Andrew DeOrio University of

Rico Angell, Ben Oztalay, and Andrew DeOrio University of Michigan X X X X X X X X X X X X X X X X X

1.35k views • 16 slides
Statistical Exploration of Geographical Lexical Variation in Social Media Jacob Eisenstein

Statistical Exploration of Geographical Lexical Variation in Social Media Jacob Eisenstein

Statistical Exploration of Geographical Lexical Variation in Social Media Jacob Eisenstein Brendan O'Connor Noah A. Smith Eric P. Xing Social media Social media links online text with social networks. Increasingly ubiquitous form of

725 views • 39 slides
Ma c hine L e a rning with MAT L AB - - c la ssific a tion Stanley Liang, PhD York

Ma c hine L e a rning with MAT L AB - - c la ssific a tion Stanley Liang, PhD York

7/27/2017 Ma c hine L e a rning with MAT L AB - - c la ssific a tion Stanley Liang, PhD York University Classific atio n the de finitio n In machine learning and statistics, classification is the problem of identifying to which of a

695 views • 9 slides
Emerging microenvironmental approaches for enhanced bioremediation Bioremediation - Expanding the

Emerging microenvironmental approaches for enhanced bioremediation Bioremediation - Expanding the

Emerging microenvironmental approaches for enhanced bioremediation Bioremediation - Expanding the Toolbox Session III: Emerging Opportunities October 11, 2019 Ameen Razavi Microvi Biotech Inc. Presentation Outline Part I: I: Introduction

182 views • 17 slides
Highway 7 &amp; Wooddale Highway 7 &amp; Wooddale Avenue Vapor Avenue Vapor Study Background

Highway 7 &amp; Wooddale Highway 7 &amp; Wooddale Avenue Vapor Avenue Vapor Study Background

Highway 7 &amp; Wooddale Highway 7 &amp; Wooddale Avenue Vapor Avenue Vapor Study Background Study Background Public Meetings, December 13 and 15, 2007 MPCA Project Team Doug Wetzstein, Supervisor Dave Moore, Project Leader Dave

199 views • 8 slides

More recommend