Reading the Security Tea Leaves

Date post: 05-Dec-2014
Upload: ed-bellis
Description:
Lessons learned from processing over 50 million vulnerabilities daily against security breaches in the wild.
Transcript
Page 1: Reading the Security Tea Leaves

SECURITY TEA LEAVES

NOVEMBER 2013

Matt Johansen, Threat Research Center Manager (@mattjay)

Ed Bellis, Founder & CEO of Risk I/O (@ebellis)

Page 2: Reading the Security Tea Leaves

© 2013 WhiteHat Security, Inc.

SPEAKERS

Matt Johansen, Threat Research Center Manager

• BlackHat, DEFCON, RSA Speaker
• Oversees assessment of 15,000+ websites
• Background in Penetration Testing
• Hacker turned Management
• I'm hiring… a lot…

Ed Bellis, Co-Founder, CEO

• Contributing Author, Beautiful Security
• Manages 50M+ vulnerabilities daily
• Background in Baseball
• Former Orbitz CISO, 20+ years experience
• I'm hiring… a lot…

© 2013 Risk IO, Inc.

Page 3: Reading the Security Tea Leaves

NICE TO MEET YOU

✓ DataWeek 2012 Top Security Innovator

✓ Chicago & San Francisco

✓ Data-Driven Vulnerability Intelligence Platform

✓ Processing 50M+ Vulnerabilities Daily


Page 4: Reading the Security Tea Leaves


ABOUT

WhiteHat Security, Inc.
3970 Freedom Cir #200, Santa Clara, CA 95054

Founded: 2001
Headquartered in Santa Clara, CA
Employees: 260+
WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
Customers: 500+ (banking, retail, healthcare, etc.)

Founded in 2001 by Jeremiah Grossman, a former Yahoo! information security officer, WhiteHat combines a revolutionary, cloud-based technology platform with a team of leading security experts to help customers in the toughest, most regulated industries, including e-commerce, financial services, information technology, healthcare and more.

Dozens of companies in the Fortune 500 rely on WhiteHat to help them prevent website attacks that could cost them millions.


Page 5: Reading the Security Tea Leaves


REPORT

WhiteHat Stats Report

In a recent customer survey for our 2012 WhiteHat Stats report we asked what the major reason to fix a vulnerability was.

Answer: Compliance

We also asked, if a choice was made to NOT fix a vulnerability, what the major reason was.

Answer: Compliance.

Something is wrong with this picture. How do we better prioritize finding and fixing vulnerabilities in our web applications?


Page 6: Reading the Security Tea Leaves

COUNTERTERRORISM

Known Groups

Surveillance

Threat Intel, Analysts

Targets, Layouts

Past Incidents, Close Calls


Page 7: Reading the Security Tea Leaves

INFOSEC?


Page 8: Reading the Security Tea Leaves

DATA


Industry Vuln Data: WhiteHat Stats Report

Industry Attack Data: Imperva WAF traffic report, Verizon DBIR

In House Vuln Data: Find your vulns!

In House Attack Data: What are the attackers using against YOU!

Data pieces


Page 9: Reading the Security Tea Leaves


Groups, Motivations

Exploits

Vulnerability Definitions

Asset Topology, Actual Vulns on System

Learning from Breaches

DEFEND LIKE YOU’VE DONE IT BEFORE


Page 10: Reading the Security Tea Leaves

WORK WITH WHAT YOU’VE GOT


Akamai, Safenet

ExploitDB, Metasploit

NVD, MITRE


Page 11: Reading the Security Tea Leaves


ARTICLES

Blackhats

Talking to Blackhats gives us great intelligence, even if it’s not always 100% reliable intel.

For those of you who didn’t see the blog posts:

• Blackhat part 1
• Blackhat part 2
• Blackhat part 3


Page 12: Reading the Security Tea Leaves

“What are the most used web based vulnerabilities?”

Answer:

• “Adam” admits that he doesn’t keep track

• However, he believed that in his world XSS and SQL injection are the most used


DATA

Most Used Vulns?


Page 13: Reading the Security Tea Leaves

“As you read the OWASP top 10 release candidate for 2013 does the order make sense in terms of how risky and/or common they are for companies to have in their sites if you are going to attack them?”

Answer:

• OWASP release candidate is unhelpful (to put it politely).

• The concept of a top 10 of vulnerabilities is “stupid, flawed and inaccurate.”

• For it to be accurate he felt that you would have to update it daily, which is, of course, practically impossible.


VULNERABILITY

OWASP 2013 RC


Page 14: Reading the Security Tea Leaves

“How do you feel about LDAP injection, XML injection and XPath injection?”

Answer:

• “gangs” tend not to share information

• However, he wasn’t aware of anyone who was using those.


VULNERABILITY

Esoteric Vulns?


Page 15: Reading the Security Tea Leaves

“What are the characteristics of a "good" web application vulnerability?”

Answer:

• Fast to exploit

• Persistent

• Full access (root)

• Ability to deface/redirect

• Ability to wipe IP logs


VULNERABILITY

Useful Vulns?


Page 16: Reading the Security Tea Leaves

“Do blackhats prefer command injection, SQL injection and brute force?”

Answer:

• It depended on the target and the value of the compromise

• However, he indicated again that if it’s vulnerable that’s a problem, and it doesn’t really matter how it’s exploited.

• The one exception is that he did concur with me that “new” attacks tend not to be used much.


VULNERABILITY

Preferred Vulns?


Page 17: Reading the Security Tea Leaves

“How would you prioritize fixes?”

Answer:

• “Adam” said the hardest vuln to exploit/find would be last to be fixed and the easiest to exploit/find first.

• In his opinion SQL injection would probably be the first to get fixed.


VULNERABILITY

Prioritization


Page 18: Reading the Security Tea Leaves

“Any web-application issues that are extremely useful to attackers that aren't on the OWASP top 10?”

Answer:

• Clickjacking

• Denial of Service/DDoS


VULNERABILITY

Additional Vulns


Page 19: Reading the Security Tea Leaves

“If followed perfectly, is the OWASP top 10 enough to stop credit card theft through web application vulnerabilities?”

Answer:

• The whole idea of testing for only 10 is “crazy”.

• He felt that the banks are just as bad in many cases as the merchants.

• Small online merchants should be banned outright from handling payment info


VULNERABILITY

Best Practice?


Page 20: Reading the Security Tea Leaves

From these answers we know:

• Blackhats don’t care about lists – the top 10 should only be used for prioritization, not as a matter of completeness or “best practice”

• We were right to focus our energies on certain classes of attack first during human review, and we now know to focus on those vulns first during automated scans as well.

• Most valuable vulns to attackers are the most valuable vulns to our customers, so why shouldn’t we prioritize ourselves similarly, while still maintaining the same coverage?


BLACKHATS

Blackhats


Page 21: Reading the Security Tea Leaves

SHOW ME THE MONEY


Page 22: Reading the Security Tea Leaves


CVSS AND REMEDIATION METRICS


Page 23: Reading the Security Tea Leaves

CVSS AND REMEDIATION METRICS - LESSONS FROM A CISO


Page 24: Reading the Security Tea Leaves

THE KICKER - LIVE BREACH DATA


Page 25: Reading the Security Tea Leaves


CVSS AND REMEDIATION - NOPE


Page 26: Reading the Security Tea Leaves


CVSS - A VERY GENERAL GUIDE FOR REMEDIATION - YEP


Page 27: Reading the Security Tea Leaves


THE ONE BILLION DOLLAR QUESTION

Probability(You Will Be Breached On A Particular Open Vulnerability)?

1.98%


Page 28: Reading the Security Tea Leaves


I LOVE IT WHEN YOU CALL ME BIG DATA


Page 29: Reading the Security Tea Leaves


ENTER, THE SECURITY MENDOZA LINE

Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”?

Alex Hutton comes up with the Security Mendoza Line:
http://riskmanagementinsight.com/riskanalysis/?p=294

Josh Corman expands the Security Mendoza Line:
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/

“Compute power grows at the rate of doubling about every 2 years”

“Casual attacker power grows at the rate of Metasploit”


Page 30: Reading the Security Tea Leaves


I LOVE IT WHEN YOU CALL ME BIG DATA


Page 31: Reading the Security Tea Leaves

Data!

• We have another piece of the puzzle. What the bad guys are actually using.

• Prioritization of testing and finding.

• Prioritization of mitigating and fixing.


DATA

How do we utilize this?


Page 32: Reading the Security Tea Leaves

Use all the Industry and in house data to figure out what to try to test for across your entire web footprint.

SQLi being used heavily by attackers? FIND ALL OF THEM!

Command Injection not being used as much? Find it but not until you find every single SQLi.


PRIORITY

Prioritize Testing & Finding


Page 33: Reading the Security Tea Leaves

Nobody likes the pile of bug tickets that show up after a vulnerability assessment.

Virtual patch to buy time. IDS blaring alarms of XSS? Turn up the WAF rules for XSS. This will help block low-hanging-fruit scanners.

Prioritize your bug tickets for Devs in swallowable chunks. What sounds better? “Ok team, let’s figure out how to parameterize our SQL queries and go through site by site and implement that.” OR “$Web_Scanner found 120 pages of vulns! Fix them now!!!110101”


FIXING

Prioritize Mitigating & Fixing


Page 34: Reading the Security Tea Leaves


I LOVE IT WHEN YOU CALL ME BIG DATA

Spray and Pray => 2%

CVSS 10 => 4%

Metasploit + ExploitDB => 30%

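As an added example that is not from the deck, the Python below ranks open findings the way slides 31 to 34 argue for: it combines the four data pieces listed earlier (industry and in-house vulnerability and attack data) with the per-vulnerability breach rates on this slide, so a finding with a public Metasploit/ExploitDB exploit outranks a CVSS 10 finding. The attack counts, finding names and asset weights are constructed sample data.

```python
# Added example (not from the deck): rank open findings using the deck's four
# data pieces, with the breach rates quoted on this slide as priors.
from dataclasses import dataclass

# Per-vulnerability breach rates quoted on the slide.
BASELINE_RATE = 0.02        # "spray and pray": any open vulnerability
CVSS10_RATE = 0.04          # CVSS 10 findings
PUBLIC_EXPLOIT_RATE = 0.30  # exploit published in Metasploit or ExploitDB

# Constructed sample attack data: attack counts per vulnerability class.
INDUSTRY_ATTACKS = {"sqli": 400, "xss": 350, "cmdi": 50}  # WAF / DBIR style
INHOUSE_ATTACKS = {"sqli": 30, "xss": 5}                  # what hits YOUR sites

@dataclass
class Finding:
    vuln_id: str          # constructed identifier, not a real CVE
    vuln_class: str       # sqli, xss, cmdi, ...
    cvss: float
    public_exploit: bool  # present in Metasploit / ExploitDB
    asset_value: int = 1  # 1..5, weight from in-house asset topology

def breach_rate(f: Finding) -> float:
    """Strongest applicable rate from the slide's numbers."""
    if f.public_exploit:
        return PUBLIC_EXPLOIT_RATE
    if f.cvss >= 10.0:
        return CVSS10_RATE
    return BASELINE_RATE

def attack_weight(vuln_class: str, industry: dict, inhouse: dict) -> float:
    """Share of observed attacks in this class; in-house evidence counts double."""
    total = sum(industry.values()) + 2 * sum(inhouse.values())
    if total == 0:
        return 0.0
    return (industry.get(vuln_class, 0) + 2 * inhouse.get(vuln_class, 0)) / total

def score(f: Finding, industry: dict, inhouse: dict) -> float:
    """Breach prior, boosted by how much the class is attacked and by asset value."""
    return breach_rate(f) * (1 + attack_weight(f.vuln_class, industry, inhouse)) * f.asset_value

def prioritize(findings, industry=INDUSTRY_ATTACKS, inhouse=INHOUSE_ATTACKS):
    """Highest score first: test for and fix these before the rest."""
    return sorted(findings, key=lambda f: score(f, industry, inhouse), reverse=True)

def sample_findings():
    """Constructed findings; note the CVSS 10 item does not come out on top."""
    return [Finding("sqli-checkout", "sqli", 7.5, False, asset_value=5),
            Finding("cmdi-admin", "cmdi", 10.0, False, asset_value=2),
            Finding("rails-yaml-cmdi", "cmdi", 7.5, True, asset_value=3),
            Finding("xss-search", "xss", 4.3, False, asset_value=1)]
```

Calling `prioritize(sample_findings())` returns the Rails command-injection finding first, then the checkout SQLi, then the CVSS 10 command injection, then the XSS.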

Page 35: Reading the Security Tea Leaves

RoR case study timeline (hope to get the actual visual from our customer)

Shows importance of staying on top of bugs that are being actively exploited and prioritizing the finding and fixing of them.


CASE STUDY

Case Study

Timeline, 1/8/2013 to 1/14/2013:

• 1/8/2013: Rails team releases patches and blog post describing critical vulnerabilities in the Rails framework
• 1/8/2013: Security Team receives notification from Intelligence team about Rails vulnerability
• 1/9/2013: Security Team receives notification from WhiteHat with findings of Rails vulnerability
• 1/9/2013: Security Team notifies Developer Team about the new vulnerabilities
• 1/9/2013: Highest priority site upgraded to fully remediate the vulnerability
• 1/10/2013: Metasploit releases a command injection exploit for CVE-2012-0156
• 1/10/2013: IDS signatures updated to detect/prevent exploitation
• 1/11/2013: The rest of the vulnerable applications apply temporary workaround patch
• 1/11/2013: Security Team receives first exploit attempt notification from IDS. The exploit was attempted from a Russian Federation IP address.
• 1/13/2013: Another exploit attempt seen against large application from Germany

2 hours between workaround and first identified exploit attempt!


Page 36: Reading the Security Tea Leaves

Matt Johansen, Threat Research Center Manager (@mattjay)

Ed Bellis, Founder & CEO of Risk I/O (@ebellis)

THANK YOU
