Navigating the River of Woe to EPIC Vulnerability Assessments

Transcription

1 SEC460.3 Enterprise Threat and Vulnerability Assessment Navigating the River of Woe to EPIC Vulnerability Assessments Copyright Matthew Toussain All Rights Reserved

2 2

3 CHOICE You dash out of the cube farm knocking your boss out of the way whilst claiming explosive diarrhea You lean back in your chair the aspect of relaxation itself. You got this. Your awesome. Your boss needs to get with the program. Beyond Scanning Delivering Impact Driven Vulnerability Assessments 3

4 NOBODY LIKES GARY Beyond Scanning Delivering Impact Driven Vulnerability Assessments 4

5 THE IMPORTANCE OF COLLABORATION When attack meets defense the whole is greater than the sum of its parts Red Teams attack, Blue Teams defend -- but they share a common goal: Continuous Security Improvement SEC460 Enterprise Threat and Vulnerability Assessment 5

6 THE TEAMING CONCEPT The idea behind teaming is to create a representative role-based guide where different teams are assigned color coded objectives Blue Team The blue team is tasked with network defense Red Team The red team exists to evaluate and grow the blue team s capacity to perform network defense Less Common Teams Green Team The team tasked with remediation of security vulnerabilities Black Team Also know as the hunt team, the black team is focused cyberspace trapping and adversarial deception SEC460 Enterprise Threat and Vulnerability Assessment 6

7 THE TEAMING CONCEPT Non-participative groups essential to facilitating the teaming objective are referred to as cells White Cell The white cell s purpose is to enable the teaming event by acting as the intercessor between red and blue teams, validating findings and ensuring system availability Gray Cell The gray cell simulates an unwitting user or occasionally an insider threat. Gray cell s role adds realism to the network exercise and facilitates blue team growth by aiding red team exploitation SEC460 Enterprise Threat and Vulnerability Assessment 7

8 PURPLE TEAMING Purple Teaming is a newer concept focused on a direct collaborative relationship between blue and red functions The purple team is not adversarial! Often formed of members from both blue and red Simulation over Exploitation SEC460 Enterprise Threat and Vulnerability Assessment 8

9 YOU MAD BRO!? Beyond Scanning Delivering Impact Driven Vulnerability Assessments 9

10 CHOICE You reach for the crayons because there is nothing a kaleidoscope of colors cannot solve! You go to your quiet place (bean bag) to meditate on the choices that brought you here. Beyond Scanning Delivering Impact Driven Vulnerability Assessments 10

11 NONE OF OUR METRICS MAKE ANY SENSE!!! Beyond Scanning Delivering Impact Driven Vulnerability Assessments 11

12 Beyond Scanning Delivering Impact Driven Vulnerability Assessments 12

13 WHAT IS VULNERABILITY SCANNING? Vulnerability Scanning is the process of identifying services, configurations, and conditions that a threat actor could leverage to achieve maligned objectives. Beyond Scanning Delivering Impact Driven Vulnerability Assessments 13

14 THE VULNERABILITY SCANNER A vulnerability scanner moves beyond typical enumeration scanning procedures General Purpose Vulnerability Scanners Nessus Nexpose SAINT Retina Applications Specific Vulnerability Scanners Nikto Burpsuite IBM AppScan Qualys OpenVAS Accunetix WPScan VOIPAudit Beyond Scanning Delivering Impact Driven Vulnerability Assessments 14

15 GENERAL PURPOSE SCANNERS Vulnerability scanners have a robust feature set that goes beyond simpler port scanning tools Scanning Asset Discovery Scanning Service Detection Vulnerability Testing Banner Grabbing Vulnerability Correlation Validate Vulnerability Beyond Scanning Delivering Impact Driven Vulnerability Assessments 15

16 WHERE DO THEY COME FROM? Two categories of risk Identification Mitigation Mitigation blueprint an accurate measurement of unrealized risk must be taken Vulnerability assessors are responsible for identification, measurement, and triage of cybersecurity exposure Many testers fail to assess Sources Precomputation, database lookup Computational Blended Beyond Scanning Delivering Impact Driven Vulnerability Assessments 16

17 developing a concrete mitigation blueprint RISK MANAGEMENT CULTURE Developing an organizational risk management culture is iterative and cumulative Risk Identification Threat Assessment and risk ratings enable true network security insight Mitigation Develop a mitigation blueprint in order to Control the risk Beyond Scanning Delivering Impact Driven Vulnerability Assessments 17

18 TYPES OF BUSINESS RISK Risk is the possibility of suffering a loss Probability of negative happening if the risk is realized Risk is a cost center There are many kinds, cybersecurity is only one subcategory Strategic risk Compliance risk Operational risk Financial risk Reputational risk Cybersecurity risk is often not the most frequently realized, and prone to be disregarded Low probability of occurrence, high impact when realized Beyond Scanning Delivering Impact Driven Vulnerability Assessments 18

19 THE RISK EQUATION Organizational Risk = Probability x Impact In cybersecurity Vulnerability magnitude relates to the potential for catastrophic impact The organizational threat (ransomware, intellectual property theft, sabotage) provides the motive for attack. Greater motive equals higher chances of becoming a target Final risk should factor in additional concerns that may go beyond intrinsic risk Countermeasures Human Cost Risk = Threat Probability x Vulnerability Severity Beyond Scanning Delivering Impact Driven Vulnerability Assessments 19

20 SEVERITY RISK RATING BY PRECOMPUTATION Severity is not risk Benefits of vulnerability rating lookup systems Unbiased Simple and Fast Easy to justify Negatives No inclusion of probability or impact metrics Beyond Scanning Delivering Impact Driven Vulnerability Assessments 20

21 VULNERABILITY DATABASE SEVERITY RATINGS Databases National Vulnerability Database Symantec Security Response VulDB CVE Details Microsoft Exploitability Index Scanner Databases: Rapid7, Qualys, Nessus, etc Beyond Scanning Delivering Impact Driven Vulnerability Assessments 21

22 INFOCON ISC RISK RATING Infocon Rubric Infocon reflects changes Connectivity Disruptions Known Malicious Traffic These criteria are judged as a series of true/false questions +2 Slammer-like impact on Internet wide operations +2 Remote arbitrary code execution +2 No vendor patch or effective mitigation Beyond Scanning Delivering Impact Driven Vulnerability Assessments 22

23 RISK ASSESSMENT MATRIX Risk Assessment Matrices also known as Risk Assignment Matrices enable simplistic quantitative risk assessment Advantages Elimination of personal biases Numerical identification creates black or white conditions that are easy to interpret Beyond Scanning Delivering Impact Driven Vulnerability Assessments 23

24 NETWORK DIAGRAM Services Enclave User Enclave DMZ PII SharePoint Workstation 1 Workstation 2 Public Webserver DC/DNS File Share Beyond Scanning Delivering Impact Driven Vulnerability Assessments 24

25 DRAFTING A RISK ASSIGNMENT MATRIX Severity Probability High (4) Medium (3) Low (2) Informational (1) High (4) MS ETERNALBLUE Web Directory Traversal Shared Local Admin (w/ DA) PII SharePoint Read Network File Share Full Access Domain Admin s Workstation Critical Customer Data Medium (3) PII SharePoint Write Website Directory Indexing Low (2) Informational (1) Scale Beyond Scanning Delivering Impact Driven Vulnerability Assessments 25

26 STICKY NOTE HELL! Beyond Scanning Delivering Impact Driven Vulnerability Assessments 26

27 CHOICE Use your mad skillz to triage and remediate vulnerabilities. Your boss will forever bask in the radiance of your glory. Frame Gary. Take the money. Nobody likes him anyway. Plus you deserve it. You are pretty awesome after all! Beyond Scanning Delivering Impact Driven Vulnerability Assessments 27

28 DMZ VULNERABILITY REPORT Public Webserver (H) Vulnerable to Directory Traversal (I) Directory Indexing Enabled DMZ H Public Webserver Directory Indexing Directory Traversal Beyond Scanning Delivering Impact Driven Vulnerability Assessments 28

29 SERVICES ENCLAVE VULNERABILITY REPORT PII SharePoint (I) Critical Customer Data (M) World Readable (M) World Writeable DC/DNS (I) Fully Patched Services Enclave M PII SharePoint L DC/DNS Beyond Scanning Delivering Impact Driven Vulnerability Assessments 29

30 USER ENCLAVE VULNERABILITY REPORT Workstation 1 MS ETERNALBLUE Shared Local Admin with workstation 2 No sensitive data on system Workstation 2 Domain Admin s Workstation Fully Patched Windows File Share Fully patched Full access for all domain users User Enclave C L Workstation 1 Workstation 2 L File Share Beyond Scanning Delivering Impact Driven Vulnerability Assessments 30

31 DEVELOPING A RISK ASSIGNMENT MATRIX SOLUTION Severity Probability High (4) Medium (3) Low (2) Informational (1) High (4) MS ETERNALBLUE Apache Struts RCE Shared Local Admin (w/ DA) PII SharePoint Read Network File Share Full Access Domain Admin s Workstation Critical Customer Data Medium (3) PII SharePoint Write Web Directory Traversal Website Directory Indexing Low (2) Informational (1) Scale Beyond Scanning Delivering Impact Driven Vulnerability Assessments 31

32 QUALITATIVE RATING RUBRIC Does the vulnerability affect compliance related systems/information? (+2) Is the vulnerability actively exploited in-the-wild by major intrusion sets? (+1) Is the vulnerable service publicly accessible? (+1) Can you think up/brainstorm others? Beyond Scanning Delivering Impact Driven Vulnerability Assessments 32

33 QUALITATIVE ADJUSTMENT & TRIAGE Rating Metric Vulnerability 10 Apache Struts RCE 9 MS ETERNALBLUE Rating Metric Vulnerability 5 Domain Admin s Workstation (I) 4 Website Directory Indexing (I) 9 PII SharePoint Read 8 PII SharePoint Write 7 Shared Local Admin (w/ DA) 6 Network File Share Full Access 5 Web Directory Traversal Beyond Scanning Delivering Impact Driven Vulnerability Assessments 33

34 TPS REPORTS!?!? WHAT THE ACTUAL Beyond Scanning Delivering Impact Driven Vulnerability Assessments 34

35 QUALITATIVE ADJUSTMENT & TRIAGE Rating Metric Vulnerability 10 Apache Struts RCE 9 MS ETERNALBLUE Rating Metric Vulnerability 5 Domain Admin s Workstation (I) 4 Website Directory Indexing (I) 9 PII SharePoint Read 8 PII SharePoint Write 7 Shared Local Admin (w/ DA) 6 Network File Share Full Access 5 Web Directory Traversal Beyond Scanning Delivering Impact Driven Vulnerability Assessments 35

36 HACK THE PLANET! Attacker Services Enclave User Enclave Web Attk??? DMZ Info-Disclosure Shared Admin PII SharePoint Workstation 1 Workstation 2 Public Webserver DC/DNS File Share Beyond Scanning Delivering Impact Driven Vulnerability Assessments 36

37 I M ON A BOAT Beyond Scanning Delivering Impact Driven Vulnerability Assessments 37