SEC460.3 Navigating the River of Woe to EPIC Vulnerability Assessments Copyright 2016-2017 Matthew Toussain | All Rights Reserved Enterprise Threat and Vulnerability Assessment




Beyond Scanning | Delivering Impact Driven Vulnerability Assessments 3

CHOICE

You dash out of the cube farm, knocking your boss out of the way whilst claiming explosive diarrhea

You lean back in your chair, the aspect of relaxation itself. You got this. You're awesome. Your boss needs to get with the program.


NOBODY LIKES GARY


THE IMPORTANCE OF COLLABORATION

When attack meets defense, the whole is greater than the sum of its parts.

Red Teams attack, Blue Teams defend -- but they share a common goal: Continuous Security Improvement


THE TEAMING CONCEPT

The idea behind teaming is to create a representative role-based guide where different teams are assigned color coded objectives

• Blue Team – The blue team is tasked with network defense

• Red Team – The red team exists to evaluate and grow the blue team’s capacity to perform network defense

Less Common Teams

• Green Team – The team tasked with remediation of security vulnerabilities

• Black Team – Also known as the hunt team, the black team is focused on cyberspace trapping and adversarial deception


THE TEAMING CONCEPT

Non-participative groups essential to facilitating the teaming objective are referred to as cells

• White Cell – The white cell’s purpose is to enable the teaming event by acting as the intercessor between red and blue teams, validating findings and ensuring system availability

• Gray Cell – The gray cell simulates an unwitting user or occasionally an insider threat. The gray cell’s role adds realism to the network exercise and facilitates blue team growth by aiding red team exploitation


PURPLE TEAMING

Purple Teaming is a newer concept focused on a direct collaborative relationship between blue and red functions

• The purple team is not adversarial!

• Often formed of members from both blue and red

• Simulation over Exploitation


YOU MAD BRO!?


CHOICE

You reach for the crayons because there is nothing a kaleidoscope of colors cannot solve!

You go to your quiet place (bean bag) to meditate on the choices that brought you here.


NONE OF OUR METRICS MAKE ANY SENSE!!!


WHAT IS VULNERABILITY SCANNING?

Vulnerability Scanning is the process of identifying services, configurations, and conditions that a threat actor could leverage to achieve malicious objectives.


THE VULNERABILITY SCANNER

A vulnerability scanner moves beyond typical enumeration scanning procedures

• General Purpose Vulnerability Scanners

  • Nessus
  • Nexpose
  • SAINT
  • Retina
  • Qualys
  • OpenVAS

• Application-Specific Vulnerability Scanners

  • Nikto
  • Burp Suite
  • IBM AppScan
  • Acunetix
  • WPScan
  • VOIPAudit


GENERAL PURPOSE SCANNERS

Vulnerability scanners have a robust feature set that goes beyond simpler port scanning tools

• Scanning

• Asset Discovery

• Service Detection

• Vulnerability Testing

• Banner Grabbing

• Vulnerability Correlation

• Vulnerability Validation


WHERE DO THEY COME FROM?

Two categories of risk

• Identification

• Mitigation

Before a mitigation blueprint can be drawn up, an accurate measurement of unrealized risk must be taken

Vulnerability assessors are responsible for identification, measurement, and triage of cybersecurity exposure

Many testers fail to assess

Sources

• Precomputation, database lookup

• Computational

• Blended


RISK MANAGEMENT CULTURE

Developing an organizational risk management culture is iterative and cumulative

• Risk Identification – Threat assessment and risk ratings enable true network security insight

• Mitigation – Develop a concrete mitigation blueprint in order to control the risk


TYPES OF BUSINESS RISK

Risk is the possibility of suffering a loss

• The probability of a negative outcome if the risk is realized

Risk is a cost center

There are many kinds; cybersecurity is only one subcategory

• Strategic risk

• Compliance risk

• Operational risk

• Financial risk

• Reputational risk

Cybersecurity risk is often not the most frequently realized, and is therefore prone to being disregarded

Low probability of occurrence, high impact when realized


THE RISK EQUATION

Organizational Risk = Probability x Impact

• In cybersecurity…

• Vulnerability magnitude relates to the potential for catastrophic impact

• The organizational threat (ransomware, intellectual property theft, sabotage) provides the motive for attack. Greater motive equals higher chances of becoming a target

• Final risk should factor in additional concerns that may go beyond intrinsic risk

  • Countermeasures
  • Human Cost

Risk = Threat Probability x Vulnerability Severity


SEVERITY – RISK RATING BY PRECOMPUTATION

Severity is not risk

Benefits of vulnerability rating lookup systems

• Unbiased

• Simple and Fast

• Easy to justify

Negatives

• No inclusion of probability or impact metrics


VULNERABILITY DATABASE SEVERITY RATINGS

Databases

• National Vulnerability Database

• Symantec Security Response

• VulDB

• CVE Details

• Microsoft Exploitability Index

• Scanner Databases: Rapid7, Qualys, Nessus, etc.


INFOCON – ISC RISK RATING

Infocon Rubric

• Infocon reflects changes in

  • Connectivity Disruptions
  • Known Malicious Traffic

• These criteria are judged as a series of true/false questions

  • +2 Slammer-like impact on Internet wide operations
  • +2 Remote arbitrary code execution
  • +2 No vendor patch or effective mitigation

https://isc.sans.edu/infocon.html


RISK ASSESSMENT MATRIX

Risk Assessment Matrices, also known as Risk Assignment Matrices, enable simple quantitative risk assessment

Advantages

• Elimination of personal biases

• Numerical identification creates “black or white” conditions that are easy to interpret


NETWORK DIAGRAM

(Figure: three network zones and the hosts in each)

• DMZ – Public Webserver

• Services Enclave – DC/DNS, PII SharePoint

• User Enclave – Workstation 1, Workstation 2, File Share


DRAFTING A RISK ASSIGNMENT MATRIX

(Matrix figure: one axis is Severity and the other Probability, both on the scale High (4) / Medium (3) / Low (2) / Informational (1); only the row each finding sits in survived extraction)

High (4)

➢ MS-17-010 ETERNALBLUE
➢ Web Directory Traversal
➢ Shared Local Admin (w/ DA)
➢ PII SharePoint Read
➢ Network File Share Full Access
➢ Domain Admin’s Workstation
➢ Critical Customer Data

Medium (3)

➢ PII SharePoint Write
➢ Website Directory Indexing

Low (2)

Informational (1)


STICKY NOTE HELL!


CHOICE

Use your mad skillz to triage and remediate vulnerabilities. Your boss will forever bask in the radiance of your glory.

Frame Gary. Take the money. Nobody likes him anyway. Plus you deserve it. You are pretty awesome after all!


DMZ – VULNERABILITY REPORT

Public Webserver

• (H) Vulnerable to Directory Traversal

• (I) Directory Indexing Enabled

(Figure: DMZ diagram with the Public Webserver annotated H, Directory Traversal and Directory Indexing)


SERVICES ENCLAVE – VULNERABILITY REPORT

PII SharePoint

• (I) Critical Customer Data

• (M) World Readable

• (M) World Writeable

DC/DNS

• (I) Fully Patched

(Figure: Services Enclave diagram with DC/DNS and PII SharePoint annotated M and L)


USER ENCLAVE – VULNERABILITY REPORT

Workstation 1

• MS-17-010 ETERNALBLUE

• Shared Local Admin with Workstation 2

• No sensitive data on system

Workstation 2

• Domain Admin’s Workstation

• Fully Patched

Windows File Share

• Fully patched

• Full access for all domain users

(Figure: User Enclave diagram with Workstation 1, Workstation 2 and File Share annotated C, L and L)


DEVELOPING A RISK ASSIGNMENT MATRIX – SOLUTION

(Matrix figure: one axis is Severity and the other Probability, both on the scale High (4) / Medium (3) / Low (2) / Informational (1); only the row each finding sits in survived extraction)

High (4)

➢ MS-17-010 ETERNALBLUE
➢ Apache Struts RCE
➢ Shared Local Admin (w/ DA)
➢ PII SharePoint Read
➢ Network File Share Full Access
➢ Domain Admin’s Workstation
➢ Critical Customer Data

Medium (3)

➢ PII SharePoint Write
➢ Web Directory Traversal
➢ Website Directory Indexing

Low (2)

Informational (1)


QUALITATIVE RATING RUBRIC

• Does the vulnerability affect compliance related systems/information? (+2)

• Is the vulnerability actively exploited in the wild by major intrusion sets? (+1)

• Is the vulnerable service publicly accessible? (+1)

Can you think up/brainstorm others?


QUALITATIVE ADJUSTMENT & TRIAGE

Rating Metric  Vulnerability

10  Apache Struts RCE
 9  MS-17-010 ETERNALBLUE
 9  PII SharePoint Read
 8  PII SharePoint Write
 7  Shared Local Admin (w/ DA)
 6  Network File Share Full Access
 5  Web Directory Traversal
 5  Domain Admin’s Workstation (I)
 4  Website Directory Indexing (I)
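Added example, not part of the deck: a small Python model of the procedure the preceding slides walk through, from the Risk = Threat Probability x Vulnerability Severity equation and the matrix scale, through the weighted true/false questions of the Infocon and qualitative rubrics, to a triage ordering. Adding the rubric score to the product, and the severity, probability and rubric answers given to the sample findings, are assumptions of this example; the deck's 10-point ratings use a weighting the slides do not spell out, so the numbers here will not match that table.

```python
from dataclasses import dataclass

# Ordinal scale from the deck's risk assignment matrix axes.
SCALE = {"High": 4, "Medium": 3, "Low": 2, "Informational": 1}

# A rubric is a set of weighted yes/no questions; the questions and weights are the deck's, the keys are this example's.
INFOCON_RUBRIC = {
    "internet_wide_impact": 2,    # Slammer-like impact on Internet wide operations
    "remote_code_execution": 2,   # remote arbitrary code execution
    "no_patch_or_mitigation": 2,  # no vendor patch or effective mitigation
}
QUALITATIVE_RUBRIC = {
    "compliance_scope": 2,        # affects compliance related systems/information
    "exploited_in_wild": 1,       # actively exploited by major intrusion sets
    "public_facing": 1,           # vulnerable service is publicly accessible
}

@dataclass(frozen=True)
class Finding:
    name: str
    severity: str                 # vulnerability severity, a SCALE key
    probability: str              # threat probability, a SCALE key
    yes: frozenset = frozenset()  # rubric questions answered "yes"

def unknown_answers(f, rubric):
    """Answers that match no rubric question; a typo here would otherwise be silently dropped."""
    return set(f.yes) - set(rubric)

def score_rubric(f, rubric):
    """Sum the weights of every rubric question answered 'yes'."""
    bad = unknown_answers(f, rubric)
    if bad:
        raise ValueError(f"{f.name}: unknown rubric answers {sorted(bad)}")
    return sum(w for q, w in rubric.items() if q in f.yes)

def intrinsic_risk(f):
    """Risk = Threat Probability x Vulnerability Severity (the deck's equation)."""
    return SCALE[f.probability] * SCALE[f.severity]

def rating(f, rubric=QUALITATIVE_RUBRIC):
    """Intrinsic risk plus the qualitative adjustment (this additive combination is assumed)."""
    return intrinsic_risk(f) + score_rubric(f, rubric)

def triage(findings, rubric=QUALITATIVE_RUBRIC):
    """(rating, name) pairs, highest first; ties break on name for a stable report."""
    return sorted(((rating(f, rubric), f.name) for f in findings), key=lambda t: (-t[0], t[1]))

# Constructed sample: the finding names come from the deck's exercise, but the
# severity/probability placements and rubric answers are this example's guesses.
SAMPLE = [
    Finding("Apache Struts RCE", "High", "High", frozenset({"public_facing", "exploited_in_wild"})),
    Finding("MS-17-010 ETERNALBLUE", "High", "High", frozenset({"exploited_in_wild"})),
    Finding("PII SharePoint Read", "High", "Medium", frozenset({"compliance_scope"})),
    Finding("Web Directory Traversal", "Medium", "Medium", frozenset({"public_facing"})),
    Finding("Website Directory Indexing", "Informational", "Low", frozenset({"public_facing"})),
]
```

`triage(SAMPLE)` returns the ranked list with the highest rating first; pass `INFOCON_RUBRIC` to `score_rubric` to score a finding against the Infocon questions instead.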


TPS REPORTS!?!? WHAT THE ACTUAL…


HACK THE PLANET!

(Figure: the network diagram (DMZ with the Public Webserver, Services Enclave with DC/DNS and PII SharePoint, User Enclave with Workstation 1, Workstation 2 and File Share) with an attack-path overlay labelled Attacker, Web Attk, Info-Disclosure, Shared Admin and ???)


I’M ON A BOAT