BSidesLV Vulnerability & Exploit Trends
Transcript of BSidesLV Vulnerability & Exploit Trends
Page 1
Vulnerability & Exploit Trends: A Deep Look Inside the Data
BSides Las Vegas
Ed Bellis & Michael Roytman
Page 2
Nice To Meet You
About Us
Ed Bellis
• CoFounder Risk I/O
• Former CISO Orbitz
• Contributing Author: Beautiful Security
• CSO Magazine/Online Writer
• InfoSec Island Blogger
Michael Roytman
• Naive Grad Student
• Still Plays With Legos
• Barely Passed Regression Analysis
• Once Jailbroke His iPhone 3G
• Has Coolest Job In InfoSec
About Risk I/O
• Data-Driven Vulnerability Intelligence Platform
• DataWeek 2012 Top Security Innovator
• 3 Startups to Watch - Information Week
• 16 Hot Startups - eWeek
Page 3
Starting From Scratch
• Academia: GScholar, JSTOR, IEEE, ProQuest
• InfoSec Blogs: CISOs, Pen Testers, Threat Reports, SOTI/DBIR
• Twitter: Thought Leaders (you know who you are), BlackHats, Vuln Researchers
• Primary Sources: MITRE, OSVDB, NIST CVSS Committee(s), Internal Message Boards for CISOs
Page 4
#DoingItWrong
Data Fundamentalism
• Don’t Ignore What a Vuln Is: Creation Bias (http://blog.risk.io/2013/04/data-fundamentalism/) (Shameless(ful) Self-Promotion)
• Jerico/Sushidude @ BlackHat (https://www.blackhat.com/us-13/briefings.html#Martin)
• Luca Allodi (https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=seminar-unimi-apr-13.pdf)
• Protip: http://disi.unitn.it/~allodi/allodi-12-badgers.pdf
Page 5
#DoingItWrong
“Since 2006 Vulnerabilities have declined by 26 percent.”
- http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf
“The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012.”
- http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf
Page 6
What’s Good?
Bad For Vulnerability Statistics:
NVD, OSVDB, ExploitDB, CVSS, Patches, Microsoft Reports, etc, et al, and so on.
Good For Vulnerability Statistics:
Vulnerabilities.
Page 7
Adding Some Flavor
Page 8
Defend Like You’ve Done It Before
Page 9
Counterterrorism
• Known Groups
• Surveillance
• Threat Intel, Analysts
• Targets, Layouts
• Past Incidents, Close Calls
Page 10
Uh, Sports?
• Opposing Teams, Specific Players
• Gameplay
• Scouting Reports, Gametape
• Roster, Player Skills
• Learning from Losing
Page 11
InfoSec?
Page 12
What It Should Be
• Groups, Motivations
• Exploits
• Vulnerability Definitions
• Asset Topology, Actual Vulns on System
• Learning from Breaches
Page 13
Work With What You’ve Got:
Akamai, Safenet
ExploitDB, Metasploit
NVD, MITRE
Page 14
Show Me The Money
23,000,000 Vulnerabilities
Across 1,000,000 Assets
Representing 9,500 Companies
Using 22 Unique Scanners
Page 15
Whatchu Know About Data?
Duplication
Vulnerability Density
Remediation
Page 16
Duplication
[Bar chart: number of duplicate vulnerabilities (y axis 0 to 2,250,000) reported by 2 or more scanners, 3 or more, 4 or more, 5 or more, 6 or more]
Page 17
Duplication - Lessons From a CISO
We Have: F(Number of Scanners) => Number of Duplicate Vulnerabilities
We Want: F(Number of Scanners) => Vulnerability Coverage <--------- Good Luck!
Make Decisions At The Margins!
[Chart: vulnerability coverage (y axis 0 to 100) against number of scanners (x axis 0 to 6)]
Page 18
Density

| Type of Asset | ~Count |
|---|---|
| Hostname | 20,000 |
| Netbios | 1,000 |
| IP Address | 200,000 |
| File | 10,000 |
| Url | 5,000 |

[Bar chart: vulnerability density by asset type (Hostname, Netbios, IP, File, Url), x axis 0 to 90]
Page 19
CVSS And Remediation Metrics
[Chart: Average Time To Close By Severity and Oldest Vulnerability By Severity, x axis CVSS 1 to 10, y axis 0 to 1500]
Page 20
CVSS And Remediation - Lessons From A CISO
[Chart: Remediation/Lack Thereof, by CVSS, x axis CVSS 1 to 10]
[Chart: NVD Distribution by CVSS, x axis CVSS 1 to 10]
Page 21
The Kicker - Live Breach Data
1,500,000 Vulnerabilities Related to Live Breaches Recorded
June, July 2013
Page 22
CVSS And Remediation - Nope
[Chart: Oldest Breached Vulnerability By Severity, x axis CVSS 1 to 10, y axis 0 to 7000]
Page 23
CVSS - A VERY General Guide For Remediation - Yep
[Chart: Open Vulns With Breaches Occurring By Severity, x axis CVSS 1 to 10, y axis 0 to 150,000]
Page 24
The One Billion Dollar Question
Probability(You Will Be Breached On A Particular Open Vulnerability)?
1.98% = (Open Vulnerabilities | Breaches Occurred On Their CVE) / (Total Open Vulnerabilities)
Page 25
I Love It When You Call Me Big Data
[Bar chart: Probability A Vulnerability Having Property X Has Observed Breaches, for Random Vuln, CVSS 10, CVSS 9, CVSS 8, CVSS 7, CVSS 6, CVSS 5, CVSS 4; x axis 0 to 0.04]
Page 26
Enter The Security Mendoza Line
Alex Hutton comes up with the Security Mendoza Line:
“Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”?”
http://riskmanagementinsight.com/riskanalysis/?p=294
Josh Corman expands the Security Mendoza Line:
“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
Page 27
I Love It When You Call Me Big Data
[Bar chart: Probability A Vulnerability Having Property X Has Observed Breaches, for Random Vuln, CVSS 10, Exploit DB, Metasploit, MSP+EDB; x axis 0 to 0.30]
Page 28
I Love It When You Call Me Big Data
P(Breaches Observed On That Vuln | Random Vuln) = 1.98%
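As an added example (not code from the talk or from Risk I/O), the Python below computes the conditional probability defined on slide 24, P(breaches observed on the vuln | the vuln has property X), for the property families that slides 25 and 27 chart: CVSS score, presence in Exploit DB, presence in Metasploit, and both. The bucket counts are constructed for illustration and the resulting probabilities do not reproduce the 1.98% baseline or the chart values; the names VulnBucket, breach_probability, breach_table and breach_by_cvss are this example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class VulnBucket:
    """A group of open vulnerability instances sharing the same properties.

    Grouping by (cvss, in_exploitdb, in_metasploit, breached) with a count
    keeps the arithmetic exact and mirrors how scanner data is aggregated.
    """
    cvss: int
    in_exploitdb: bool
    in_metasploit: bool
    breached: bool      # breaches were observed on this instance's CVE
    count: int          # number of open instances in the bucket


# Constructed sample data (not the talk's dataset): 10,000 open instances,
# 370 of them on CVEs with observed breaches.
SAMPLE: List[VulnBucket] = [
    VulnBucket(4, False, False, False, 3210),
    VulnBucket(4, False, False, True, 30),
    VulnBucket(7, False, False, False, 4140),
    VulnBucket(7, False, False, True, 60),
    VulnBucket(7, True, False, False, 410),
    VulnBucket(7, True, False, True, 50),
    VulnBucket(10, False, False, False, 1230),
    VulnBucket(10, False, False, True, 40),
    VulnBucket(10, True, False, False, 250),
    VulnBucket(10, True, False, True, 60),
    VulnBucket(10, True, True, False, 150),
    VulnBucket(10, True, True, True, 80),
    VulnBucket(10, False, True, False, 170),
    VulnBucket(10, False, True, True, 20),
    VulnBucket(9, True, True, False, 70),
    VulnBucket(9, True, True, True, 30),
]

Predicate = Callable[[VulnBucket], bool]


def breach_probability(buckets: List[VulnBucket],
                       has_property: Predicate = lambda b: True) -> float:
    """P(breaches observed | property) as on slide 24:
    open instances with the property AND an observed breach, divided by
    all open instances with the property."""
    total = sum(b.count for b in buckets if has_property(b))
    with_breach = sum(b.count for b in buckets if has_property(b) and b.breached)
    if total == 0:
        # Slicing by a property nobody has yields no estimate, not a zero.
        raise ValueError("no open vulnerabilities match the property")
    return with_breach / total


# The property families charted on slide 27 (names as on the slide).
PROPERTIES: Dict[str, Predicate] = {
    "Random Vuln": lambda b: True,
    "CVSS 10": lambda b: b.cvss == 10,
    "Exploit DB": lambda b: b.in_exploitdb,
    "Metasploit": lambda b: b.in_metasploit,
    "MSP+EDB": lambda b: b.in_metasploit and b.in_exploitdb,
}


def breach_table(buckets: List[VulnBucket]) -> Dict[str, Dict[str, float]]:
    """Conditional breach probability per property, plus its lift over the
    unconditional ('Random Vuln') baseline, which is the slide 28 number."""
    baseline = breach_probability(buckets)
    table: Dict[str, Dict[str, float]] = {}
    for name, predicate in PROPERTIES.items():
        p = breach_probability(buckets, predicate)
        table[name] = {"probability": p, "lift": p / baseline}
    return table


def breach_by_cvss(buckets: List[VulnBucket]) -> Dict[int, float]:
    """The slide 25 view: P(observed breach | CVSS score) for each score present."""
    scores = sorted({b.cvss for b in buckets})
    return {s: breach_probability(buckets, lambda b, s=s: b.cvss == s) for s in scores}


if __name__ == "__main__":
    for name, row in breach_table(SAMPLE).items():
        print(f"{name:12s} P={row['probability']:.4f}  lift={row['lift']:.2f}x")
    for score, p in breach_by_cvss(SAMPLE).items():
        print(f"CVSS {score:2d}      P={p:.4f}")
```

The lift column is the practical output: a property whose lift is well above 1 (here, presence in both Metasploit and Exploit DB) separates the "casual attacker" population the Mendoza Line slides describe from the rest, and is therefore the property to prioritise remediation on, rather than CVSS score alone.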
Page 29
Thank You
Follow Us
Blog: http://blog.risk.io
Twitter: @mroytman @ebellis @riskio
We’re Hiring! http://www.risk.io/jobs