44CON 2013 - Surviving the 0-day - Reducing the Window of Exposure - Andreas Lindh
DESCRIPTION
According to the NIST National Vulnerability Database, 1772 software vulnerabilities with a CVSS score of 7 or higher were disclosed in 2012, and 2013 is so far (at the time of writing) not looking any better. The window of exposure, from when a vulnerability is discovered to when a patch has been deployed, is often very long. In a corporate environment it is not unusual to rely solely on patch management and semi-static security tools such as firewalls, IPS and antivirus for protection, and for various reasons patch deployment may take a long time or may not even be possible. This talk will discuss why patch management is insufficient for protection against new vulnerabilities, how the traditional "defense in depth" model needs to be re-architected, and finally how the window of exposure can be reduced by active response before incidents occur.
TRANSCRIPT
Slide 1
Surviving 0-days: reducing the window of exposure
Andreas Lindh, 44Con 2013
Slide 2
About me
• Security analyst/architect
• Defender by day
• @addelindh on Twitter
Slide 3
The TL;DR
Slide 4
0-days
Slide 5
The window of exposure (timeline figure)
Stages on the timeline: Unknown, Discovery, Disclosure, Patch available, Patch deployed
Brackets over the timeline: "Out of our control" and "In our control"
Slide 6
Common protection
• Patching
• Virtual patching
• Uninstall
Slide 7
How hard can it be?
Slide 8
Pretty hard!
Slide 9
What if you can’t patch?
• Legacy systems
• 3rd party systems
• Insufficient tools
Slide 10
HD Moore's law (same timeline figure as the earlier "window of exposure" slide)
Stages on the timeline: Unknown, Discovery, Disclosure, Patch available, Patch deployed
Brackets over the timeline: "Out of our control" and "In our control"
Slide 11
Defense in depth
Slide 12
Concept
Slide 13
Implementation
Slide 14
Meanwhile...
Slide 15
Which leaves us with...
Slide 16
Are we on it?
Slide 17
"Put another way, n people want to fix security holes, 10n people want to exploit security holes, and 100000n want Tetris." (Dan Kaminsky)
Slide 18 (image only, no text)
Slide 19
What to do?
Slide 20
Root cause
• Over-reliance on patching
• Network-centric defense architecture
• All about prevention
Slide 21
Firewall all the things?
Slide 22
Things to consider
• Exposure
• Attack likelihood
• History
• Patch status
Slide 23
Approach
• Prevention
• Mitigation
• (Detection)
Slide 24
1. Build
Slide 25
Focus
• Proactive
• Inside -> out
• Onion style
• Reusable (ideally)
Slide 26
An example
Layered controls drawn around the software on the slide (onion style), in the order they appear:
• Software
• Sandbox
• OS security features
• Software restriction policy
• Intermediary channels
• Endpoint protection
• User permissions
• IPS
Slide 27
Pros and cons
• Pros
  – Improved security baseline
  – Reduced impact
  – Pro-active
• Cons
  – Generic
  – Added complexity
Slide 28
2. React
Slide 29
Incident timeline (figure)
Labels on the timeline: "INCIDENT! (disclosure)" and "React!"
Slide 30
Focus
• Specific vulnerability
• Fast implementation
• Input to #1
Slide 31
Pros and cons
• Pros
  – Timely mitigation
  – Focused approach
  – Complements #1
• Cons
  – Limited time
  – Reactive
Slide 32
Wrapping it up
• Patching takes time
• Can't patch the unknown
• Traditional controls are often insufficient
Slide 33
Let’s build!
Slide 34
Thank you for listening!
Slide 35
Questions?