Network Security AA 2015/2016
System hardening (IDS, Vuln Management)
Dr. Luca Allodi
Some slides from M. Cremonini
Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
Intrusion Detection Systems
Function of an IDS
• Firewalls prevent unwanted access to network resources that should be isolated w.r.t. another network
• IDS monitors incoming connections
  • Depending on its position in the network it may provide different functionalities
  • More on this later
• Intrusion Prevention Systems (IPS) can act over "malicious" behaviour
  • IDS → passive monitoring
  • IPS → active monitoring
  • In reality the functionalities are not entirely distinct
    • Commercial lingo rather than actually different technology
IDS – 3 phases
1. Data collection
  • Host-based IDS → sits on a host (client, server)
  • Network-based IDS → collects network data
2. Data analysis
  • Two distinct approaches
  • Misuse detection → list unwanted behaviour, report if detected
  • Anomaly detection → build average profile, report if current activity is significantly different from the average
3. Action
  • IDS → report, log entry
  • IPS → report, log entry, block/alert
Misuse detection
• IDS equivalent of "default allow" policies
  • "blacklist" patterns that are believed to be related to malicious activities
    • System calls
    • Payloads in network protocols
• Signature-based
  • Very widespread detection technique
  • Easy to deploy
  • Typical implementation for network-based IDSs
• As all blacklisting approaches (signature-based), it can only detect patterns that are already known
Anomaly detection
• Assumes intruder behaviour differs from the legitimate profile
• Building the legitimate profile may be an issue
  • Depends on the data used for profiling (e.g. sampled vs whole dataset)
  • Profile can evolve → new "legitimate activity" looks suspicious
• Can be used both for HIDS and NIDS
  • HIDS → syscalls, system file hashing, system states, ...
  • NIDS → protocol analysis, similar to an application proxy
    • Monitoring as opposed to filtering
Network IDS
• Baseline implementation is of type misuse detection
  • Easier to implement
  • Network traffic is hard to predict even on well-controlled environments
• Signature example (Snort rule syntax):

  alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (flow:to_server,established; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; msg:"EXPLOIT x86 linux samba overflow"; reference:bugtraq,1816; reference:cve,CVE-1999-0811;)
The base-rate fallacy – or, can we actually have good detection rates?
• Both anomaly and misuse detection necessarily lead to false positives and false negatives
• A NIDS with 99% true positive rate and 99% true negative rate seems to have high-reliability alarms
  • → an alarm fires up → you should worry
  • → no alarm fires up → all is good
  • But is it?
• Base-rate fallacy
  • Simple derivation from Bayes' theorem
  • Very well known by medics and doctors
  • Still making its way through in InfoSec
The base-rate fallacy [Axelsson 2000]
• Tests with high true positive and true negative rates yield much "worse" results than expected by the average user
• Remember Bayes' theorem
  P(A|B) = P(B|A) · P(A) / P(B)
  P(B) = Σ_i P(B|A_i) · P(A_i)  (this is P(B) expanded to all "n" cases for A that B comprises)
• Let's make the classic medical example
  • Attack = illness
  • IDS alarm = medical test
Base-rate fallacy example
• A = event "patient is sick"
• B = medical test says patient is sick
• P(A|B) = patient is actually sick given that the test said so
  • Equivalent to "there is an actual attack given that the NIDS fired an alarm"
• Set TP = 99%; TN = 99% → P(B|A) = 0.99
• Diseases are rare. Say 1/10,000 people have the illness → P(A) = 1/10,000
  • Most network traffic is legitimate
• P(A|B) = P(B|A) P(A) / (P(B|A) P(A) + P(B|¬A) P(¬A))
  = 0.99 × 0.0001 / (0.99 × 0.0001 + 0.01 × 0.9999) ≈ 0.0098
• There is only a 1% chance that the patient is sick when the test says so
  • An alarm is not very meaningful → IDS alarms are hard to manage → log analysis
Base-rate fallacy and IDSs
• Notice that the false positive rate is the one that dominates the curve
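The Bayes computation of slides 9-11 carried through in code, as an added example that is not part of the lecture deck; the 99% rates and the 1/10,000 base rate are the slide's numbers, the function names are this example's own.

```python
"""Base-rate fallacy: P(attack | alarm) via Bayes' theorem.

Added example (not from the slides). Uses the slide's numbers: a detector
with 99% true positive rate, 99% true negative rate, and a base rate of
1/10,000, then varies the false positive rate to show that it dominates.
"""


def p_attack_given_alarm(tp_rate: float, tn_rate: float, base_rate: float) -> float:
    """Posterior P(A|B): probability of a real attack given that an alarm fired.

    P(A|B) = P(B|A) P(A) / (P(B|A) P(A) + P(B|not A) P(not A))
    where P(B|A) = tp_rate and P(B|not A) = 1 - tn_rate (false positive rate).
    """
    fp_rate = 1.0 - tn_rate
    true_alarms = tp_rate * base_rate
    false_alarms = fp_rate * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def p_attack_given_no_alarm(tp_rate: float, tn_rate: float, base_rate: float) -> float:
    """P(A|not B): probability of an attack on which the detector stayed silent."""
    fn_rate = 1.0 - tp_rate
    missed = fn_rate * base_rate
    correct_silence = tn_rate * (1.0 - base_rate)
    return missed / (missed + correct_silence)


def fp_rate_sweep(tp_rate: float, base_rate: float, fp_rates):
    """P(A|B) for each false positive rate, keeping TP rate and base rate fixed."""
    return [(fp, p_attack_given_alarm(tp_rate, 1.0 - fp, base_rate)) for fp in fp_rates]


if __name__ == "__main__":
    base = 1 / 10_000
    print(f"P(attack|alarm)    TP=0.99 TN=0.99 : {p_attack_given_alarm(0.99, 0.99, base):.4f}")
    print(f"P(attack|no alarm) TP=0.99 TN=0.99 : {p_attack_given_no_alarm(0.99, 0.99, base):.2e}")
    # Perfect sensitivity barely moves the posterior ...
    print(f"P(attack|alarm)    TP=1.00 TN=0.99 : {p_attack_given_alarm(1.0, 0.99, base):.4f}")
    # ... while each order of magnitude shaved off the FP rate raises it
    # roughly tenfold until it saturates near 1
    for fp, post in fp_rate_sweep(0.99, base, [1e-2, 1e-3, 1e-4, 1e-5]):
        print(f"  FP rate {fp:.0e} -> P(attack|alarm) = {post:.3f}")
```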
Architectural aspects
• External NIDS
  • Analysis of the whole set of incoming traffic
  • Only general signatures are possible
    • High incidence of FP
  • All detected "attempted attacks" are logged
    • "Normal" Internet traffic may generate many alarms
• Internal NIDS
  • Analysis of traffic allowed by the firewall
  • More specific signatures are possible
    • e.g. based on services behind the firewall, subnet characteristics, ...
  • Says nothing about attacks attempted but blocked by the firewall
Diagram labels: Internet; External NIDS; Internal NIDS.
NIDS on complex networks
Diagram labels: Internet; Border router (static filtering); Second level router / Intranet; Internal clients; Public services (front-facing web servers, content delivery systems) – Web servers; Application logic (backend management, dynamic page generation) – Backend; Data management (databases, query backend / data elaboration) – Data servers; subnets 172.16.0.0/16, 172.17.0.0/16, 172.17.1.0/24, 172.17.2.0/24; four NIDS positions numbered 1 to 4.
1. General rules for Internet traffic
  • Alarms: low priority
2. Detection of general attacks for traffic allowed by the router
  • Alarms: low priority
3. Two sets of rules
  a. Incoming traffic (filtered by firewall)
    • Medium priority
  b. Outgoing traffic (intranet-generated)
    • Low priority
4. Specialised alarms
  • e.g. SQLi signatures
  • Alarms: high priority
NIDS evasion [Siddharth 2005]
• Signature-based evasion can be fairly trivial
  • Depends on the implementation of the actual signature
  • content:"/bin/bash" → detects remote calls to bash
    • Does not detect the string "/etc/../bin/bash", etc.
• More advanced techniques are typically based on IP fragmentation
  • All techniques have a common goal: the NIDS sees a different packet than the client
• Look at these keeping in mind you may want to prevent the attacker from performing
  • Network mapping
  • OS fingerprinting
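The detection-side answer to the slide's point that strings equivalent to "/bin/bash" can slip past a literal signature, as an added example that is not from the slides or any IDS product: canonicalise path-like tokens the way the receiving host will interpret them before matching. The signatures and sample payloads are constructed for the example (the payloads use "/bin/./bash", "/etc//passwd" and a percent-encoded form, which a plain substring search misses).

```python
"""Content-signature matching before and after payload normalisation.

Added example, not from the slides or from any IDS product. Signatures and
payloads below are constructed for the example.
"""
import posixpath
import re
from typing import List
from urllib.parse import unquote

# Constructed signatures: (rule name, the string a content:"..." option would carry)
SIGNATURES = [
    ("remote-bash-call", "/bin/bash"),
    ("passwd-file-read", "/etc/passwd"),
]

# Anything that looks like an absolute POSIX path, percent-escapes included
PATH_TOKEN = re.compile(r"/[A-Za-z0-9._%/-]+")

MAX_DECODE_ROUNDS = 3  # bounded so a hostile payload cannot make the decoder loop forever


def normalise_payload(payload: str) -> str:
    """Canonicalise a payload before signature matching.

    1. percent-decode until the text stops changing (handles %2e%2e and
       double encoding), at most MAX_DECODE_ROUNDS times;
    2. collapse '.', '..' and repeated '/' inside every path-like token,
       which is what the target's filesystem or URL parser would do.
    """
    decoded = payload
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return PATH_TOKEN.sub(lambda m: posixpath.normpath(m.group(0)), decoded)


def match_raw(payload: str) -> List[str]:
    """Naive matcher: plain substring search, like a bare content: option."""
    return [name for name, pattern in SIGNATURES if pattern in payload]


def match_normalised(payload: str) -> List[str]:
    """Same signatures, applied to the canonical form of the payload."""
    return match_raw(normalise_payload(payload))


if __name__ == "__main__":
    # Constructed sample payloads: equivalent forms a literal match misses
    for sample in ("exec /bin/./bash", "GET /etc//passwd", "run /bin/%252e/bash", "GET /index.html"):
        print(f"{sample!r:26} raw={match_raw(sample)} normalised={match_normalised(sample)}")
```

The same idea applies to the fragmentation techniques on the following slides: the NIDS has to reassemble a stream the way the destination host does, otherwise the two see different data.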
Evasion technique – Reassembly time-out
• NIDS has a lower reassembly timeout than the receiving client

Evasion technique – Reassembly time-out (2)
• NIDS has a higher reassembly timeout than the receiving client

Evasion technique – Time-to-live
• Router drops a packet analysed by the NIDS that will not be delivered to the victim

Evasion technique – Fragment replacement
• Some operating systems replace fragments with newer ones, others keep the old fragments
Suggested reading
• Wool, Avishai. "A quantitative study of firewall configuration errors." Computer 37.6 (2004): 62-67.
• Axelsson, Stefan. "The base-rate fallacy and the difficulty of intrusion detection." ACM Transactions on Information and System Security (TISSEC) 3.3 (2000): 186-205.
• [Siddharth 2005] http://www.symantec.com/connect/articles/evading-nids-revisited
Vulnerability mitigation
Attack surface minimisation in practice – recap
• Network hardening
  • Firewalls → block unwanted traffic
    • Default allow → easier configuration, less secure in general
    • Default deny → can cause disservices for the users, high security
  • IDS → analyse traffic payload to check for malicious packets
    • Misuse detection → signatures that match known payloads
    • Anomaly detection → signals behaviour (host, network) significantly different from expected
• System hardening
  • "can't break what's not there" → trim the system configuration to only allow actions that are needed for system functionality
  • Authentication → minimise the set of user actions to the minimal
• Open vulnerabilities represent a risk of incoming attacks
  • Vulnerability patches are not always (immediately) possible
  • Mitigation techniques
OS vulnerability mitigation – BoF vs DEP protection
• Buffer overflow
  • attacker can overwrite data in the stack with executable shellcode
  • Redirect execution to the shellcode
  • But in the stack there should never be code, only data
• Data Execution Protection (DEP)
  • Data areas in memory are marked as non-executable
  • Hw support → AMD NX bit, Intel XD bit
  • Defeats code execution via stack corruption
  • Does not prevent corruption of the heap or redirection to other functions in memory
Diagram: stack layout of the overflow. Labels: Start of stack; End of stack; Buffer (128 bytes); NOP ... (NOP sled); shellcode; RETURN ADDRESS = K, with k = c + n; addresses c-32, c, c+1; execution direction.
OS vulnerability mitigation – BoF vs ASLR
• With DEP the attacker can still redirect execution to code areas in memory
  • e.g. write a stack frame in memory and point to libc or other known functions (that are of course executable)
• Most memory corruption attacks rely on the attacker being able to guess the start address of the stack frame / heap / other areas in memory
  • e.g. write n bytes with n = offset between buffer and RET
• Address Space Layout Randomization → ASLR
  • Randomise the location in memory of stack, heap, libraries
  • Randomisation happens in an n-bit space
    • Windows Vista → 8 bits → 1/256 guesses work
    • Linux → ExecShield / PaX → 16 bits
DEP + ASLR
• DEP → prevents execution of data in memory
  • Can still jump to existing libraries
• ASLR → makes it more difficult for the attacker to correctly guess the memory address of libraries
  • In some cases (e.g. low memory, older implementations) it is still possible to make a guess
• Advanced exploitation techniques redirect execution to existing code in memory
  • Return Oriented Programming → Turing-complete
    • Bypasses DEP
    • ASLR can be bypassed too (most applications run sw modules in non-randomised memory areas)
• DEP + ASLR should be used together
  • Not perfect protection
  • → Vulnerability patching
Vulnerability patching
• A software patch fixes the vulnerability in code
• The "just install the patch" approach does not always work well
  • OS patches often require a system reboot
  • A patch modifies software code
    • Software functionalities may change
    • Deprecated third-party libraries
  • Production systems need to be up and running
    • Can't always install the patch
    • Test the patch before install
• Vulnerability patching is a costly process
  • "get rid of all vulnerabilities" is not always viable
Counting vulnerabilities != security assessment
• More vulnerabilities do not translate directly into "risk of attack"
  • We already know that vulnerabilities enable threat scenarios with a certain impact and a certain probability
  • Risk != sum_v(severity_v)
    • CVSS measures severity
  • Risk = f(impact x likelihood)
    • CVSS does not measure risk
• Yet, security status is often measured by how many vulnerabilities we have
  • Symantec Threat report 2015
  • Secunia Vuln report 2011-2015
  • "The grayed out section represents the vendor with the worst security of the month." →
Do we need to patch all vulns?
• Let's look at the numbers
• Exploitation Level = EL
  • EL1 → NVD: vulnerability is disclosed
  • EL2 → EDB: Exploit-DB, a PoC exists and is public
  • EL3 → EKITS: dataset collected @ UniTn, infiltration in underground markets → exploit is traded in the Russian cybercrime markets
  • EL4 → SYM: vulnerability is reported as exploited in Symantec's Threat Explorer dataset (at least one exploit has been detected)
  • EL5 → WINE: Symantec dataset of detected attacks in the wild over more than 1M sensors
CVSS vs exploitation levels
Figure: vulnerabilities broken down by CVSS class (LOW CVSS, MEDIUM CVSS, HIGH CVSS) and exploitation level (EL:1, EL:2, EL:3, EL:4).
How to evaluate a risk metric
• Much like we did before to evaluate the effectiveness of IDS alarms
• Evaluate true and false positives vs all alarms
• Sensitivity → true positives vs all "sick people"
  • HIGH → the test correctly identifies exploited vulns
  • LOW → lots of "sick people" undetected
• Specificity → true negatives vs all healthy people
  • HIGH → the test correctly identifies non-exploited vulns
  • LOW → lots of "healthy people" flagged
CVSS versus risk of exploitation
Figure: sensitivity vs specificity of patching policies; labelled points: PCI-DSS; High+Medium CVSS (e.g. NIST SCAP).
Numerical examples

Test for patching        Sensitivity   Specificity
Patch everything         100%          0%
CVSS High+Med            91%           23%
CVSS + PoC in EDB        97%           22%
CVSS + EKITS             94%           50%
3BT: Down syndrome       69%           95%
PSA: prostate cancer     81%           90%
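The evaluation of slides 29-31 as code, treating each patching policy as a test and exploitation as ground truth; an added example, not from the slides or the cited papers. The vulnerability records and the policy rules (thresholds at the NVD v2 Medium/High bands, 4.0 and 7.0) are this example's constructed assumptions and do not reproduce the slide's figures.

```python
"""Evaluating a patching policy as a classifier: sensitivity and specificity.

Added example, not from the slides or the cited papers. A patching policy is
a test that flags vulnerabilities to patch; ground truth is whether the
vulnerability was actually exploited (EL4/EL5 on the slides). Records and
policy thresholds are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Vuln:
    vid: str          # placeholder identifier, not a real CVE
    cvss: float
    poc_in_edb: bool  # EL2: public proof of concept
    in_ekits: bool    # EL3: traded in an exploit kit
    exploited: bool   # EL4/EL5: ground truth


# Constructed sample (placeholder ids). Exploited: V-01, V-02, V-03, V-08.
SAMPLE = [
    Vuln("V-01", 9.3, True, True, True),
    Vuln("V-02", 7.5, True, False, True),
    Vuln("V-03", 4.3, True, False, True),
    Vuln("V-04", 10.0, False, False, False),
    Vuln("V-05", 6.8, False, False, False),
    Vuln("V-06", 5.0, True, False, False),
    Vuln("V-07", 2.1, False, False, False),
    Vuln("V-08", 9.0, True, True, True),
    Vuln("V-09", 7.2, False, False, False),
    Vuln("V-10", 3.5, False, False, False),
]

# Policies = "tests for patching". 4.0 and 7.0 are the NVD v2 Medium and High
# bands; how the bands combine with EL2/EL3 data is this example's assumption.
POLICIES: Dict[str, Callable[[Vuln], bool]] = {
    "Patch everything": lambda v: True,
    "CVSS High+Med": lambda v: v.cvss >= 4.0,
    "CVSS High or PoC in EDB": lambda v: v.cvss >= 7.0 or v.poc_in_edb,
    "CVSS High or EKITS": lambda v: v.cvss >= 7.0 or v.in_ekits,
}


def sensitivity_specificity(vulns: Iterable[Vuln], flag: Callable[[Vuln], bool]) -> Tuple[float, float]:
    """Sensitivity = TP / (TP + FN): share of exploited vulns the policy patches.
    Specificity = TN / (TN + FP): share of never-exploited vulns it leaves alone."""
    tp = fn = tn = fp = 0
    for v in vulns:
        flagged = flag(v)
        if v.exploited:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    sens = tp / (tp + fn) if tp + fn else 0.0
    spec = tn / (tn + fp) if tn + fp else 0.0
    return sens, spec


def evaluate_policies(vulns) -> Dict[str, Tuple[float, float]]:
    """Sensitivity/specificity of every policy over the same set of vulnerabilities."""
    return {name: sensitivity_specificity(vulns, flag) for name, flag in POLICIES.items()}


if __name__ == "__main__":
    print(f"{'Test for patching':26} Sensitivity Specificity")
    for name, (sens, spec) in evaluate_policies(SAMPLE).items():
        print(f"{name:26} {sens:10.0%} {spec:11.0%}")
```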
CVSS does not correlate with risk, but how is risk distributed?
• Here we are at EL5
• Evaluate the overall number of attacks in the wild
• How many attacks does a vulnerability drive on average?
  • Answer is in the next slide

Vuln. category   Sample software names          No. of vulns   Attacks (millions)
PLUGIN           Acrobat Reader, Flash Player   86             24.75
PROD             Microsoft Office, Eudora       146            3.16
WINDOWS          Windows XP, Vista              87             47.3
BROWSER          Internet Explorer              55             0.55
Tot:                                            374            75.76
Distribution of attacks per vuln
Figure: for each category (WINDOWS, PROD, BROWSER, PLUGIN) a histogram of log(attacks) vs frequency, and a Lorenz curve L(p) vs p (% attacks vs % vulnerabilities).
• Lorenz curve of attacks per vulnerability
  • x-axis = percentage of vulnerabilities receiving an L(p) fraction of attacks
• All categories but PLUGIN see 10% of vulnerabilities responsible for 90%+ of attacks
• Example for PROD:
  • 7 vulnerabilities receive 3,000,000 attacks
  • 139 vulnerabilities receive 100,000 attacks
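The Lorenz curve and the "10% of vulns, 90%+ of attacks" figure computed from attack counts, as an added example that is not part of the slides or the cited papers. The PROD-like dataset is constructed from the two numbers on the slide (7 vulns sharing 3,000,000 attacks, 139 sharing 100,000), spread evenly within each group; the Gini coefficient goes a step beyond the slide as a single-number summary of the same curve.

```python
"""Lorenz curve of attacks per vulnerability.

Added example, not from the slides or the cited papers. p = share of
vulnerabilities (sorted from least to most attacked), L(p) = share of all
attacks they receive. PROD_LIKE is constructed from the slide's two groups.
"""
from typing import List, Sequence, Tuple

# Constructed: equal split inside each of the slide's two PROD groups
PROD_LIKE: List[int] = [3_000_000 // 7] * 7 + [100_000 // 139] * 139


def lorenz_curve(counts: Sequence[int]) -> List[Tuple[float, float]]:
    """Points (p, L(p)) from (0,0) to (1,1), population sorted ascending.

    On the diagonal every vulnerability gets the same number of attacks;
    the further the curve sags below it, the more concentrated the attacks.
    """
    ordered = sorted(counts)
    total = sum(ordered)
    n = len(ordered)
    points = [(0.0, 0.0)]
    running = 0
    for i, c in enumerate(ordered, start=1):
        running += c
        points.append((i / n, running / total))
    return points


def gini(counts: Sequence[int]) -> float:
    """Gini coefficient = 1 - 2 * area under the Lorenz curve (trapezoid rule).
    0 = perfectly even; close to 1 = a handful of vulnerabilities take all attacks."""
    pts = lorenz_curve(counts)
    area = 0.0
    for (x0, y0), (x1, y1) in zip(pts, pts[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return 1.0 - 2.0 * area


def top_share(counts: Sequence[int], fraction: float) -> float:
    """Share of all attacks received by the most-attacked `fraction` of vulns."""
    k = max(1, round(len(counts) * fraction))
    return sum(sorted(counts, reverse=True)[:k]) / sum(counts)


if __name__ == "__main__":
    print(f"PROD-like: {len(PROD_LIKE)} vulns, {sum(PROD_LIKE):,} attacks")
    print(f"top 10% of vulns receive {top_share(PROD_LIKE, 0.10):.1%} of attacks")
    print(f"Gini = {gini(PROD_LIKE):.3f}")
    for p, lp in lorenz_curve(PROD_LIKE)[::29]:  # a few sample points of the curve
        print(f"  p={p:.2f}  L(p)={lp:.3f}")
```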
Risk of vulnerability exploitation – recap
• Some vulnerabilities are exploited several orders of magnitude more than the "average" vulnerability
• Risk = likelihood of exploitation x impact of exploitation
  • Risk is not uniformly distributed
• CVSS measures vulnerability severity
  • Does not make a claim to estimate exploit likelihood
  • Currently, the best available measure (the worst case scenario is accounted for)
• How to calculate exploitation risk is still an open research problem
  • Technical evaluations
  • Attacker economics
Suggested reading
• Allodi, Luca, and Fabio Massacci. "Comparing vulnerability severity and exploits using case-control studies." ACM Transactions on Information and System Security (TISSEC) 17.1 (2014): 1.
• Nayak, Kartik, et al. "Some vulnerabilities are different than others." Research in Attacks, Intrusions and Defenses. Springer International Publishing, 2014. 426-446.