Posted on 29-Oct-2019

#RSAC

SESSION ID: TECH-W03

Establishing a Quality Vulnerability Management Program

Zee Abdelnabi
Red Team Lead, Major Automotive Company
@Infosec_17


Overview

What is VM? How to sell the story to build a Vulnerability Management program

Picking the right tool

Evaluate costs and advantages: paying for Professional Services deployment vs. training your team

Mistakes to avoid

Creating a runbook / tabletop exercises

VM lifecycle

Problems

Tips

What is Vulnerability Management?

The process by which you accept, eliminate, or mitigate vulnerabilities based on the business risk and the cost associated with fixing them.

Most vulnerabilities are known long before they are exploited.

What do you REALLY think of VM?

It's repetitive, time-consuming, and seems to never end.

Sell the Story to Establish the Program to Management

Competitor examples

Growth

What business goals are met

Use regulations and compliance: SOX, HIPAA, GLBA or PCI DSS

Maintaining the company's image

Improve security, IT, and the general business

Specific deliverables

Identify and reduce risk... it's not just about fixing vulnerabilities

(Six slides of private research shown during the live talk; not included in this transcript.)

Compare VM Tools

Learn how to pick the best toolset for your environment.

Asset management is important here: when you know what you have, you can look at which systems can be scanned most effectively.

If you have a SCADA environment or an OS that the VM tool doesn't scan, why buy it? Pick the tool that will scan most of what you have.

Have a scorecard: weigh what's most important to you.

List your most important assets.

You need a good asset management system/tool.

Tool Selection Criteria

Active vs. passive VM: if you can't use an active scanning tool because you have systems that are very fragile, you can use passive.

Passive doesn't scan anything: it watches network traffic and infers what is running and what is vulnerable.

If you have a system you don't want to actively scan (because if you do, it will die), put it in the passive tool and get alerts on it.

Implementing tools that aren't used or configured properly is a waste. Too many false positives use up resources and cause "alert fatigue."

Too many false negatives lead to overconfidence and false reassurance that all is well.

Make sure the tool has...

Adequate documentation

Detailed reports on the discovered vulnerabilities, including how they might be exploited and fixed

General industry acceptance

Availability of updates and support

High-level reports that can be presented to managers or non-technical types

Tool Implementation Guidelines

Consult the readme and/or online help files and FAQs.

Study the user guides.

Use the tool in a lab or test environment first. Make sure it plays well with your other tools.

Ensure the tool delivers the promised functionality.

Consider formal classroom training.

Outsource or Build Capabilities

Evaluate the costs and advantages of paying for Professional Services deployment vs. training your team.

Determine the skills and competencies necessary to make a successful team.

Figure out the amount of time required to do this.

Advantages of outsourcing: increases speed and the quality of delivery; frees management time, enabling the company to focus on core competencies.

Disadvantages: possible loss of control over a company's business processes; lower than expected realization of benefits and results.

Mistakes to Avoid

Trying to remediate everything instead of prioritizing

Relying on one tool

Scanning, but not acting on the scan results

Identifying assets only to exclude them from scanning

Thinking that patching = VM

Being unprepared for a zero-day exploit

Undefined roles and responsibilities: process improvement, escalation, accountability

Forgetting which compliance standards to follow

Mistakes to Avoid

People misinterpret CVSS: a low CVSS score doesn't mean the risk is low.

When prioritizing, keep in mind the attack depth (how far from untrusted input the vulnerable system sits).

Forgetting policy (configuration compliance) scanning

Intelligence gathering: know the latest attacks

Garbage In, Garbage Out (GIGO): volumes of useless checks

Authenticated vs. unauthenticated scanning: password changes break authenticated scans. Who is responsible for giving you those passwords or changing them? Have your groups alert you on password changes.

Create a Runbook

Communication plan: communications matrix, RACI chart

Overview

Management/team goals

Challenges the company has encountered during VM

Network information: domain names, internal and external IP addresses, network architecture

Assets for grouping/tagging, Option Profiles built

Create scan profiles: scanning and reporting schedules

Scan windows: how often can we scan?

Limits on bandwidth?

Attacking an Attacker's Plan

Tabletop Exercises

Demonstrate real, live attack scenarios: biggest business impact (greatest relevance to the org)

Review the scenario; break it into tactics

Gain assurance on existing controls

How ready are you?

Helps with trend analysis ("we are seeing this a lot")

Increases efficiency

Why were they breached? Was the same vulnerability used?

Attack patterns: where are they attacking, what are they doing?

Results and Follow-Up

Now you have attacker profiling: attack patterns built up from vulns

Build scenario model sensors and run experiments

Which vulns can be exercised through external system input to realize a cyber effect?

Actionable intelligence

Deep dive into the dark side

Figuring out how someone can move through our network

Program maturity

Automatically inject public and private lists of vulnerabilities and organize them into a standardized attack-point system
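Added example (not from the talk): a small model of "how someone can move through our network" and of attack depth. The topology, host names and vulnerability labels below are all constructed, and the reachability data is an assumption; in practice it would come from firewall rules and the asset inventory. It answers two questions the slides above raise: which vulnerabilities can actually be exercised from external input, and which single fix removes the most attack paths to the crown jewels.

```python
"""Model lateral movement as a graph: an attacker on host A can take over host B
only if A can reach B on the network AND B has an exploitable vulnerability.
All hosts, edges and vulnerability labels below are constructed sample data."""
from collections import deque

# Constructed reachability: which hosts can talk to which on exploitable ports.
REACH = {
    "internet": ["vpn-gw", "web-01"],
    "vpn-gw": ["jump-01"],
    "web-01": ["app-01"],
    "jump-01": ["app-01", "db-01"],
    "app-01": ["db-01"],
    "db-01": [],
    "mgmt": ["backup-01"],   # management segment, not reachable from the Internet
    "backup-01": [],
}

# Constructed: exploitable vulns per host (assumed labels, not real CVE numbers).
VULNS = {
    "vpn-gw": {"CVE-A"},
    "web-01": {"CVE-B"},
    "jump-01": {"CVE-E"},
    "app-01": {"CVE-C"},
    "db-01": {"CVE-D"},
    "backup-01": {"CVE-F"},
    "mgmt": set(),
}


def attack_paths(reach, vulns, entry="internet", target="db-01", max_hops=6):
    """Return every simple path from entry to target where each hop lands on a
    host that has at least one exploitable vulnerability."""
    paths, queue = [], deque([[entry]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            paths.append(path)
            continue
        if len(path) > max_hops:
            continue
        for nxt in reach.get(node, []):
            if nxt in path or not vulns.get(nxt):
                continue  # no loops; the next hop must be exploitable
            queue.append(path + [nxt])
    return paths


def externally_exercisable(reach, vulns, entry="internet"):
    """Vulnerabilities an attacker starting from `entry` can actually trigger,
    i.e. those on hosts reachable through a chain of exploitable hops."""
    seen, queue = set(), deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in reach.get(node, []):
            if nxt not in seen and vulns.get(nxt):
                seen.add(nxt)
                queue.append(nxt)
    return sorted(v for host in seen for v in vulns[host])


def cut_candidates(reach, vulns, entry="internet", target="db-01"):
    """For each vulnerability, how many attack paths survive if only it is fixed.
    Fewest remaining paths first: that is the fix with the most leverage."""
    all_vulns = {v for vs in vulns.values() for v in vs}
    results = []
    for v in all_vulns:
        patched = {h: vs - {v} for h, vs in vulns.items()}
        results.append((v, len(attack_paths(reach, patched, entry, target))))
    return sorted(results, key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    for p in attack_paths(REACH, VULNS):
        print(" -> ".join(p))
    print("exercisable from outside:", externally_exercisable(REACH, VULNS))
    print("fix leverage:", cut_candidates(REACH, VULNS))
```

In this constructed topology CVE-F on backup-01 is never exercisable from the Internet, so it sits below every externally reachable finding regardless of its CVSS score; and apart from patching the target itself, fixing the VPN gateway, the application server or the jump host each removes two of the three paths, while fixing the web server removes only one.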

Vulnerability Management Lifecycle

Discover Phase

What's actually running in the different parts of your network: access points, web servers and other devices that can leave your network open to attack.

Fingerprint the operating system, find open network ports, and determine what services are active on those ports. Scan by network range.

Gives a hacker's-eye view of your network.

Discover Phase Helps

Where devices, such as a firewall or an IPS, are placed on the network and how they're configured

What external attackers see when they perform port scans and how they can exploit vulnerabilities in your network hosts

Network design, such as Internet connections, remote access capabilities, layered defenses, and placement of hosts on the network

What protocols are in use

Commonly attacked ports that are unprotected

Network host configurations


Prioritize

Asset classification system: assign business value to assets

Identify the highest business risks using trend analysis, zero-day and patch impact predictions.

Prioritize your systems so you can focus your efforts on what matters. Some assets are more critical to the business than others.

Criticality depends on business impact.

Identify asset owners.

Prioritize

Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?

Which systems appear most vulnerable to attack?

Which systems crash the most?

Which systems are not documented, are rarely administered, or are the ones you know the least about?
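Added example (not from the talk) tying the two Prioritize slides to the earlier warning that a low CVSS score does not mean low risk. It scores each finding as asset value times vulnerability severity times threat, the shape of the risk formula used later in this deck, and shows that the resulting order differs from a plain CVSS sort. The findings, host names, weights and the 1-5 criticality scale are constructed for illustration; the weights are an assumption, not a standard.

```python
"""Rank findings by business risk instead of raw CVSS.
Sample data is constructed; the weights below are an illustrative assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str
    cvss: float            # CVSS base score, 0.0-10.0
    criticality: int       # business value of the asset, 1 (low) .. 5 (crown jewel)
    internet_facing: bool  # reachable from untrusted input (attack depth 0)
    exploited: bool        # public exploit available or seen exploited in the wild


# Constructed findings: the CVSS 9.8 sits on a throwaway dev box, the CVSS 5.3
# on the payments database and has a public exploit.
FINDINGS = [
    Finding("dev-box-17", "VULN-1", 9.8, criticality=1, internet_facing=False, exploited=False),
    Finding("payments-db", "VULN-2", 5.3, criticality=5, internet_facing=False, exploited=True),
    Finding("vpn-gw", "VULN-3", 7.5, criticality=4, internet_facing=True, exploited=True),
    Finding("hr-portal", "VULN-4", 8.8, criticality=3, internet_facing=True, exploited=False),
]


def risk_score(f: Finding) -> float:
    """Asset x Vulnerability x Threat, scaled to 0..100.

    asset:  criticality / 5                                  -> 0.2 .. 1.0
    vuln:   cvss / 10                                        -> 0.0 .. 1.0
    threat: 1.0, x2 if exploited, x1.5 if Internet-facing    -> 1.0 .. 3.0
    The final /3 keeps the maximum at 100.
    """
    asset = f.criticality / 5.0
    vuln = f.cvss / 10.0
    threat = (2.0 if f.exploited else 1.0) * (1.5 if f.internet_facing else 1.0)
    return round(100.0 * asset * vuln * threat / 3.0, 1)


def rank_by_cvss(findings):
    """The ordering a CVSS-only report would give (highest first)."""
    return [f.vuln for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_risk(findings):
    """The ordering remediation should actually follow (highest risk first)."""
    return [f.vuln for f in sorted(findings, key=lambda f: -risk_score(f))]


def remediation_queue(findings, top_n=2):
    """What goes into this patch cycle: the top_n by risk with their scores,
    so the report shows why a 'medium' CVSS item is ahead of a 'critical' one."""
    ranked = sorted(findings, key=lambda f: -risk_score(f))[:top_n]
    return [(f.host, f.vuln, f.cvss, risk_score(f)) for f in ranked]


if __name__ == "__main__":
    print("by CVSS:", rank_by_cvss(FINDINGS))
    print("by risk:", rank_by_risk(FINDINGS))
    print("this cycle:", remediation_queue(FINDINGS))
```

With these inputs the CVSS 9.8 finding drops to last (nobody cares about the dev box) and the CVSS 5.3 on the payments database moves to second, because the asset owner's business value and the fact that an exploit exists are part of the score, not an afterthought.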

Assess

Scan systems anywhere from the same console: your perimeter, internal network and cloud environments

Target hosts by IP address, asset group or asset tag

Scan the things you discovered and find out what vulnerabilities they have

Reporting

Reporting considerations: what reports are currently generated?

Build/import report templates

What information is needed from reports?

New data points

What levels receive reports (executives, line managers, line staff)?

Make IT the hero: promote them when they do a great job, and use metrics

Hold people accountable

Report Templates and Metrics

Establish the report templates and metrics you need to show your program is successful.

What is each team trying to accomplish? Add/remove staff, promote cost optimization, demonstrate effectiveness.

That's how you will demonstrate metrics on how much work is being done and how many vulnerabilities are being remediated.

Make sure reports are providing value and giving management the right information.

Template Examples

Confirmed severity 4/5 findings only

Executive Trending Report

Executive Trending Report: severity 4/5s

Executive Trending Report: open over 90 days

Overall patches for severity 4 + 5: last 30 days

Patch Report

You can't manage what you can't measure.

Remediation: Fixing Vulnerabilities

How many groups are involved in remediation efforts? This will drive asset groups/tagging and the patching/configuration process. Expect approximately 2-3 hours of work with each group.

How is patching and vulnerability remediation currently performed? If there is no process, create a plan: patching schedule, which patching tool you will use, patch testing (e.g. Java), which groups are involved.

Remediation

If the risk outweighs the cost: eliminate or mitigate the vulnerability!

Implement mitigating controls (defense in depth): intrusion prevention systems (IPS), intelligent firewalls

Have a plan; make sure you have the resources and permission to accept short-term risks in order to mitigate long-term vulnerabilities.

What happens if the cost outweighs the risk? That is the third option in the definition of VM above: accept the risk, with the acceptance documented and owned by the asset owner.

Verification

Verify applied patches and confirm compliance.

Verify the tickets after they are closed.
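Added example (not from the talk): verifying closed tickets against the latest scan instead of trusting the ticket state. A closed ticket can only be confirmed when the host has actually been rescanned after the closure date, which is the same point the Problems slides make about hosts that are never scanned; if it has not, the ticket is "unverified", not "fixed". Tickets, hosts, vulnerability labels and dates are constructed sample data.

```python
"""Verify closed remediation tickets against scan data instead of trusting
the ticket state. Tickets, hosts, vuln labels and dates are constructed."""
from datetime import date

# Constructed: tickets the remediation teams marked closed, with closure dates.
CLOSED_TICKETS = [
    {"ticket": "VM-101", "host": "10.10.0.2", "vuln": "VULN-SMB-1", "closed": date(2019, 9, 30)},
    {"ticket": "VM-102", "host": "10.10.0.5", "vuln": "VULN-SSL-1", "closed": date(2019, 10, 2)},
    {"ticket": "VM-103", "host": "10.10.0.9", "vuln": "VULN-JRE-1", "closed": date(2019, 10, 1)},
    {"ticket": "VM-104", "host": "10.10.0.12", "vuln": "VULN-SSH-1", "closed": date(2019, 10, 3)},
]

# Constructed: last successful scan per host (10.10.0.12 has never been scanned).
LAST_SCANNED = {
    "10.10.0.2": date(2019, 10, 5),
    "10.10.0.5": date(2019, 10, 5),
    "10.10.0.9": date(2019, 9, 20),
}

# Constructed: (host, vuln) pairs the latest scan still reports as open.
STILL_OPEN = {("10.10.0.2", "VULN-SMB-1")}


def verify_closed_tickets(tickets, last_scanned, still_open):
    """Return {ticket_id: status}.

    verified   - host was rescanned after closure and the finding is gone
    reopened   - host was rescanned after closure and the finding is still there
    unverified - no scan of the host since the closure date, so 'closed' is only a claim
    """
    status = {}
    for t in tickets:
        scanned = last_scanned.get(t["host"])
        if scanned is None or scanned <= t["closed"]:
            status[t["ticket"]] = "unverified"
        elif (t["host"], t["vuln"]) in still_open:
            status[t["ticket"]] = "reopened"
        else:
            status[t["ticket"]] = "verified"
    return status


def hosts_needing_rescan(tickets, last_scanned):
    """Hosts to queue for an on-demand scan: those with closed tickets that
    cannot be verified until a newer scan exists."""
    results = verify_closed_tickets(tickets, last_scanned, set())
    return sorted({t["host"] for t in tickets if results[t["ticket"]] == "unverified"})


if __name__ == "__main__":
    for ticket, state in verify_closed_tickets(CLOSED_TICKETS, LAST_SCANNED, STILL_OPEN).items():
        print(ticket, state)
    print("rescan:", hosts_needing_rescan(CLOSED_TICKETS, LAST_SCANNED))
```

Only VM-102 is actually verified here; VM-101 is reopened because the scanner still sees the finding, and the other two are unverifiable until their hosts are rescanned, which is the list the scan team should be handed rather than a "100% closed" metric.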

Majority of 2's and 3's = Misconfiguration

Misconfigurations of systems, servers, and firewalls also lead to the compromise of networks.

Fix them through Group Policy or other change methods. This is a way to reduce risk in the environment on a large scale with minimal effort. Review non-patchable vulnerabilities to identify quick wins on the configuration side to reduce risk.

Remove the vulnerabilities and better secure your systems.

Problems: Don't Ignore Issues

The High Impact Patches report identifies the patches that remove the largest number of vulnerabilities, so effort can be prioritized. Open tickets for each of these patchable vulnerabilities that have been open over 90 days. This will drive remediation and get these issues closed.

Unused IPs: these IPs can be used to scan other systems to drive remediation and actual reduction of risk. Review hosts to identify whether they are still in the environment. Hosts that are not scanned can never show fixed vulnerabilities, and keep the vulnerability count artificially high.

Problems

There are 305 IPs that have not been scanned in more than 60 days, with some hosts not scanned since July 2010.

SCCM broken

Teams will not authorize the appropriate level of access to run authenticated scans: plug in the credentials.

Re-opened vulnerabilities
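Added example (not from the talk) that builds the report templates listed earlier (confirmed severity 4/5s, items open over 90 days, severity 4+5 patches in the last 30 days) and the two problem reports from this section (hosts not scanned in more than 60 days, and the High Impact Patches ranking with tickets for patchables open over 90 days) from a single scan export. The findings, hosts, patch labels, dates and the 1-5 severity scale are constructed; the export format (one row per host/vulnerability pair) is an assumption.

```python
"""Report templates and problem reports over a flattened scan export.
One row per (host, vulnerability) with a 1-5 severity, matching the talk's
'4/5s' and '2's and 3's'. All rows, hosts, patch labels and dates are constructed."""
from collections import Counter, defaultdict
from datetime import date

AS_OF = date(2019, 10, 29)  # report date (constructed)

FINDINGS = [
    {"host": "10.10.0.2", "vuln": "SMB-1",   "sev": 5, "confirmed": True,  "first": date(2019, 6, 1),   "fixed": None,               "patch": "KB-A"},
    {"host": "10.10.0.3", "vuln": "SMB-1",   "sev": 5, "confirmed": True,  "first": date(2019, 6, 1),   "fixed": None,               "patch": "KB-A"},
    {"host": "10.10.0.4", "vuln": "SMB-1",   "sev": 5, "confirmed": True,  "first": date(2019, 8, 1),   "fixed": date(2019, 10, 10), "patch": "KB-A"},
    {"host": "10.10.0.5", "vuln": "SSL-1",   "sev": 4, "confirmed": True,  "first": date(2019, 10, 20), "fixed": None,               "patch": "openssl-upd"},
    {"host": "10.10.0.5", "vuln": "SSLV3",   "sev": 3, "confirmed": True,  "first": date(2019, 5, 1),   "fixed": None,               "patch": None},  # config issue, not patchable
    {"host": "10.10.0.6", "vuln": "JRE-1",   "sev": 4, "confirmed": False, "first": date(2019, 4, 1),   "fixed": None,               "patch": "jre-upd"},
    {"host": "10.10.0.7", "vuln": "JRE-1",   "sev": 4, "confirmed": True,  "first": date(2019, 7, 1),   "fixed": None,               "patch": "jre-upd"},
    {"host": "10.10.0.7", "vuln": "HTTPD-1", "sev": 4, "confirmed": True,  "first": date(2019, 9, 1),   "fixed": date(2019, 9, 15),  "patch": "httpd-upd"},
]

# Constructed: last successful scan per host.
LAST_SCANNED = {
    "10.10.0.2": date(2019, 10, 28), "10.10.0.3": date(2019, 8, 1),  "10.10.0.4": date(2019, 10, 28),
    "10.10.0.5": date(2019, 10, 28), "10.10.0.6": date(2010, 7, 15), "10.10.0.7": date(2019, 10, 28),
}


def confirmed_4_5(findings):
    """Template 'Confirmed 4/5s only': open, confirmed, severity 4 or 5."""
    return [f for f in findings if f["fixed"] is None and f["confirmed"] and f["sev"] >= 4]


def over_90_days(findings, as_of=AS_OF):
    """Template 'over 90 days': confirmed 4/5s first found more than 90 days ago."""
    return [f for f in confirmed_4_5(findings) if (as_of - f["first"]).days > 90]


def patched_4_5_last_30_days(findings, as_of=AS_OF):
    """Template 'Overall Patches 4+5 - last 30 days': what was actually closed."""
    return [f for f in findings
            if f["sev"] >= 4 and f["fixed"] is not None and (as_of - f["fixed"]).days <= 30]


def stale_hosts(last_scanned, as_of=AS_OF, days=60):
    """Hosts not scanned in more than `days` days; their open findings can never clear."""
    return sorted(h for h, d in last_scanned.items() if (as_of - d).days > days)


def open_findings_on_stale_hosts(findings, last_scanned, as_of=AS_OF):
    """Open findings that keep the count 'artificially high' because the host is never rescanned."""
    stale = set(stale_hosts(last_scanned, as_of))
    return [f for f in findings if f["fixed"] is None and f["host"] in stale]


def high_impact_patches(findings):
    """Rank patches by how many open confirmed findings (then hosts) each would close."""
    vulns, hosts = Counter(), defaultdict(set)
    for f in findings:
        if f["fixed"] is None and f["confirmed"] and f["patch"]:
            vulns[f["patch"]] += 1
            hosts[f["patch"]].add(f["host"])
    return sorted(((p, n, len(hosts[p])) for p, n in vulns.items()),
                  key=lambda t: (-t[1], -t[2], t[0]))


def tickets_for_old_patchables(findings, as_of=AS_OF):
    """One ticket per (patch, host) for patchable confirmed 4/5s open over 90 days."""
    return sorted({(f["patch"], f["host"]) for f in over_90_days(findings, as_of) if f["patch"]})


if __name__ == "__main__":
    print("confirmed 4/5s:", len(confirmed_4_5(FINDINGS)))
    print("over 90 days:", len(over_90_days(FINDINGS)))
    print("patched last 30 days:", len(patched_4_5_last_30_days(FINDINGS)))
    print("stale hosts:", stale_hosts(LAST_SCANNED))
    print("open on stale hosts:", len(open_findings_on_stale_hosts(FINDINGS, LAST_SCANNED)))
    print("high impact patches:", high_impact_patches(FINDINGS))
    print("tickets:", tickets_for_old_patchables(FINDINGS))
```

Note that the severity 3 SSLv3 finding has no patch and so never appears in the patch ranking: it belongs in the configuration-hardening track from the previous slide, while the unconfirmed JRE finding on the host last scanned in 2010 is counted among the stale-host findings but not against any patch until a current scan confirms it.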

Risk Management

RISK = Assets × Vulnerabilities × Threats

You can control vulnerabilities.

Focus on your high-priority assets, and reduce your threat landscape.

Tips

Most organizations do a good job of keeping Microsoft operating systems and applications up to date, but don't fare nearly as well when it comes to Linux, UNIX, Mac, and third-party applications such as Adobe.

Application scanning should be added to the types of tests performed to make sure that any new or existing applications are not vulnerable.

Create an internal hacking lab (recon, scanning, exploitation):
✓ Exploiting missing patches
✓ Attacking built-in authentication systems
✓ Breaking file system security
✓ Cracking passwords and weak encryption implementations

Tips

Don't overlook physical security.

When everyone has a stake, when every team has skin in the game, then the burden of VM is shared and perhaps lessened for each individual.

Act fast.

Making Contact to Report Vulnerabilities

(Private research shown during the live talk.)

In a Perfect World: you think your VM program will look like this...

BUT...

Tips

53

FrequentGapAssessments:Makesurethatyougobackoverwhatyoudid.Documentwhatworks,whatdoesn’t,andwhyitdidn’t/failed.Communicatelessonslearnedandcontinuepushingitthroughtheprogramforcontinualimprovement

InternalVulnerabilityassessmentswithpolicycompliancescanningshouldbeperformedandrunmonthly.

Maintainsecuritythroughongoingtestinganddiscovery.

"Apply" Slide

Next week you should: have a conversation with the right department and understand what you currently do for vulnerability management.

In the first three months following this presentation you should: determine the current level of maturity of your program. Assess the pre- and post-vulnerability lifecycle. Perform an assessment.

Within six months you should: select a centralized system to collect OSINT vulnerabilities and set up a basic lab. Create an internal runbook and perform a tabletop exercise.
