USING ATTACK GRAPHS IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING CONTROLS IN PRIORITIZING VULNERABILITIES


Post on 23-Apr-2022


Page 1: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

USING ATTACK GRAPHS

IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING CONTROLS IN PRIORITIZING VULNERABILITIES

Page 2: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

SPEAKER

§ 20 years of Infosec experience

§ Extensive experience in penetration testing and adversarial simulation

§ Consulting and industry experience

§ Entrepreneur

Founder and CTO

MICHELANGELO SIDAGNI

© 2019 CROWDSTRIKE

Page 3: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …


§ BREACHES AND THEIR CAUSES

§ VULNERABILITY PROLIFERATION AND PRIORITIZATION

§ CVSS SCORE PRIORITIZATION

§ THREAT-BASED PRIORITIZATION

§ CONTEXT-BASED PRIORITIZATION

§ ATTACK GRAPHS

§ MITIGATING CONTROLS

§ CONCLUSIONS

AGENDA

Page 4: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …


PROLIFERATION OF UNKNOWN ASSETS AND RELATED VULNERABILITIES PROMOTES WIDESPREAD SECURITY BREACHES

Page 5: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

IN THE SEA OF VULNERABILITIES HOW DO YOU PRIORITIZE THEM

FOR REMEDIATION?

Page 6: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

§ Over 100,000 documented CVE Entries in NVD so far

§ Unpatched known vulnerabilities → security risk

§ Only a small fraction of CVEs have exploits, and even fewer are exploited in real-world attacks

§ Desirable to prioritize remediation of vulnerabilities that are likely to be targeted in real-world attacks!

CVSS SCORE BASED PRIORITIZATION


Monthly disclosed vulnerabilities (NVD)

Page 7: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

§ CVSS Score: Base, Temporal, and Environmental Groups

§ Base Score: Assigns severity rankings of low (0 – 3.9), medium (4 – 6.9), and high (7 – 10) severity to vulnerabilities based on their intrinsic characteristics:

§ Exploitability (access vector, access complexity, authentication)

§ Impact (confidentiality, integrity, availability)

CVSS SCORE: MANY HIGH SEVERITY VULNERABILITIES


CVSS distribution for all CVEs

38%: high severity

54%: medium severity

8%: low severity

Page 8: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

MALWARE & EXPLOIT KIT INCORPORATION RATES ARE ON THE RISE, BUT REMAIN LOW OVERALL

§ ~21% of all CVEs have some form of exploit code published in the Exploit Database (EDB), (~ 26% when combining our current sources of exploit code)

• Malware and exploit kit incorporation rates have been on the rise:

§ 0.2% of CVEs from 2005

§ 3.4% of CVEs from 2017 (so far)

§ Remember, CVSS tells us that 38% are high severity – prioritizing based on CVSS alone when trying to find the most dangerous CVEs is likely to lead to many false positives (many CVEs that do not have malware/exploit kit association)

Malware & exploit kit incorporation rates

Page 9: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

CVES WITH MALWARE AND EXPLOIT KIT ASSOCIATION NEED NOT HAVE HIGH SEVERITY CVSS SCORE

• Malware and exploit kit incorporation rates have been on the rise:

§ ~ 44% of CVEs with historical or recent malware & exploit kit association have CVSS base score < 7 – medium or low severity

§ If you prioritize based only on high CVSS, you are likely to miss many dangerous vulnerabilities – CVSS alone is likely to lead to many false negatives as well (CVEs that do have malware/exploit kit association but would not be picked up as such)

CVSS score distribution for CVEs with malware & exploit kits

§ In order to prioritize well, CVSS needs to be supplemented with additional information

§ For now, we will look at: vendor information, vulnerability descriptions

Page 10: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

THREAT-BASED PRIORITIZATION

Page 11: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

VRM PROBLEM STATEMENT

Given a vulnerability (CVE), how much risk will it represent if left unpatched? Can we identify vulnerabilities likely to be used in real-world attacks?

Find the probability that this particular vulnerability will be used in targeted attacks in the wild, or that there will be highly weaponized exploit kits & malware* (threats) making use of it.

Page 12: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

THREAT-BASED PRIORITIZATION ML MODEL

Supervised ML classification problem: given a set of training examples (past CVEs) with:

1. Some features/attributes (e.g., CVSS score, vulnerability age, vulnerability type, existence of exploits, language used in descriptions, social media mentions, etc.) – X

2. A set of corresponding targets/labels/the ground truth (e.g., “no malware” versus “has malware”)* - Y, first find the best possible function/model that maps X to Y and then apply it to a separate test dataset to measure model performance and make predictions.

[Figure: Training Examples, with X = Vulnerability 1, Vulnerability 2, Vulnerability 3, …, Vulnerability n and Y = Malware, No Malware, No Malware, …, Malware, feed a Learning Algorithm that outputs a Model; a New Vulnerability is passed to the Model to predict "Malware?"]

Training Examples:

         CVSS  Vendor A?  "remote code"?  …  Malware
Vuln. 1  10    1          1               …  1
Vuln. 2  10    0          0               …  0
Vuln. 3  5     0          0               …  0
…        …     …          …               …  …

Test Examples:

         CVSS  Vendor A?  "remote code"?  …  Malware
Vuln. 4  9     1          1               …  ?
Vuln. 5  5     0          0               …  ?

Page 13: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

WHAT ABOUT THE ORGANIZATION-SPECIFIC CONTEXTUAL INFORMATION AND

MITIGATING CONTROLS?

Page 14: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

NETWORK-BASED CONTEXTUAL PRIORITIZATION

Page 15: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

INTRODUCING ATTACK GRAPHS FOR VULNERABILITY PRIORITIZATION

§ Attack graph-based probabilistic metric for network security and vulnerability management

§ Attack graphs model how multiple vulnerabilities may be combined for advancing an intrusion

§ In an attack graph, security-related conditions represent the system state, and an exploit of vulnerabilities between connected hosts is modeled as a transition between system states

Based on network configuration and mitigating controls, can vulnerabilities be chained in a graph so that they can be prioritized?

Page 16: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

NETWORK DIAGRAM VS. ATTACK GRAPH


Page 17: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

ATTACK-GRAPH FRAMEWORK FOR VULNERABILITY PRIORITIZATION


Page 18: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

HOST VULNERABILITY REPRESENTATION


vulExists(DestHost, 'CVE-VULN', RiskScore, Daemon, AccessVector, ExecType)

Page 19: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

HOST ACL / FIREWALL RULE


hacl(SourceHost,DestHost, Protocol, Port)

Page 20: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

LOCATION OF THE ATTACKER


attackerLocated(netLocation)

Page 21: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

HOST CONFIGURATION


networkService(Host, Daemon, Protocol, Port, user)

Page 22: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

MITIGATING CONTROL


RiskReduction%(Host, Control, %Decrease)

Page 23: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

PRINCIPALS (USER ACCOUNTS)


hasAccount(user, Host, privilege)

Page 24: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

POLICIES

allow(Everyone, read, webPages)

allow(systemAdmin, write, webPages)

Page 25: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

INTERACTIONS – PROLOG HORN CLAUSES

execCode(Attacker, Host, Priv) :-
    vulExists(Host, VulID, Program),
    vulProperty(VulID, remoteExploit, privEscalation),
    networkService(Host, Program, Protocol, Port, Priv),
    netAccess(Attacker, Host, Protocol, Port),
    malicious(Attacker).

Page 26: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

EXAMPLE.FULL ATTACK GRAPH - 1

1. hacl(webServer,dbServer,dbProtocol,dbPort)
2. hacl(internet,webServer,httpProtocol,httpPort)
3. attackerLocated(internet)
4. direct network access
5. netAccess(webServer,httpProtocol,httpPort)
6. networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache)
7. vulExists(webServer,'CVE-2006-3747',httpd,remote,privEscalation)
8. remote exploit of a server program
9. execCode(webServer,apache)

Page 27: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

EXAMPLE.FULL ATTACK GRAPH - 2

10. mitigatingControl(webServer, none, 0%)
11. multi-hop access
12. netAccess(dbServer,dbProtocol,dbPort)
13. networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root)
14. vulExists(dbServer,'CVE-2009-2446',mySQL,remote,privEscalation)
15. mitigatingControl(dbServer, none, 0%)
16. remote exploit of a server program
17. execCode(dbServer,root)

Page 28: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

ATTACK GRAPH ALGORITHM

Two algorithm phases:

1. Attack Simulation: All possible data accesses that can result from multistage, multihost attacks are derived

access(P, Access, Data) :-
    dataBind(Data, H, Path),
    accessFile(P, H, Access, Path).

Page 29: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

ATTACK GRAPH ALGORITHM -2


2. Policy Checking: The data access tuples output from the attack simulation phase are compared with the given security policy. If an access is not allowed by the policy, a violation is detected

policyViolation(P, Access, Data) :-
    access(P, Access, Data),
    not allow(P, Access, Data).
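The two phases above, carried out over the facts of the full attack graph example on slides 26–27, as an added example that is not part of the slides (the MulVAL-style predicates are modelled as Python sets; the dataBind fact, the customerData policy entry and the attacker name are assumptions):

```python
# Added example: forward-chaining evaluation of the slides' attack-graph rules.
# Facts are constructed to mirror the "full attack graph" example (slides 26-27).
HACL = {("internet", "webServer", "httpProtocol", "httpPort"),
        ("webServer", "dbServer", "dbProtocol", "dbPort")}
ATTACKER_LOCATED = {"internet"}
NETWORK_SERVICE = {("webServer", "httpd", "httpProtocol", "httpPort", "apache"),
                   ("dbServer", "mySQL", "dbProtocol", "dbPort", "root")}
VUL_EXISTS = {("webServer", "CVE-2006-3747", "httpd", "remote", "privEscalation"),
              ("dbServer", "CVE-2009-2446", "mySQL", "remote", "privEscalation")}
DATA_BIND = {("customerData", "dbServer", "/var/lib/mysql")}       # assumed fact
ALLOW = {("Everyone", "read", "webPages"),                          # slide 24 policy
         ("systemAdmin", "read", "customerData")}                   # assumed policy


def attack_simulation(attacker="attacker"):
    """Phase 1: derive netAccess, execCode and data access to a fixpoint."""
    net_access, exec_code = set(), set()
    changed = True
    while changed:                 # re-apply the rules until nothing new is derived
        changed = False
        for src, dst, proto, port in HACL:
            # direct access: the attacker sits in the source zone;
            # multi-hop access: the attacker already executes code on the source host
            if src in ATTACKER_LOCATED or any(h == src for h, _ in exec_code):
                if (dst, proto, port) not in net_access:
                    net_access.add((dst, proto, port))
                    changed = True
        for host, daemon, proto, port, priv in NETWORK_SERVICE:
            if (host, proto, port) not in net_access:
                continue
            # execCode rule: a reachable daemon with a remote privEscalation vuln
            for vhost, _cve, program, vector, vtype in VUL_EXISTS:
                if (vhost, program, vector, vtype) == (host, daemon, "remote", "privEscalation"):
                    if (host, priv) not in exec_code:
                        exec_code.add((host, priv))
                        changed = True
    # access/3: code execution on a host gives read access to the data bound to it
    access = {(attacker, "read", data)
              for data, host, _path in DATA_BIND
              for h, _priv in exec_code if h == host}
    return net_access, exec_code, access


def policy_checking(access):
    """Phase 2: every derived access tuple not allowed by policy is a violation."""
    return {(p, a, d) for p, a, d in access
            if (p, a, d) not in ALLOW and ("Everyone", a, d) not in ALLOW}
```

Running attack_simulation() derives execCode(dbServer, root) only through the webServer hop, and policy_checking() flags the attacker's read of customerData as the violation that makes both CVEs worth prioritizing.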

Page 30: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

§ Scalability of the attack graph algorithm to networks of thousands of hosts: consider host groups and HGACLs (Host Group ACLs)

§ In the original versions of the algorithm, every vulnerability exploitation has the same probability of success. We introduced the concept of a Vulnerability Risk Score, which takes into account threat-intel centric vulnerability risk, and the concept of mitigating controls, which decrease the probability of a successful exploit

§ Attack graphs for networks with several hosts can contain cycles. These cycles need to be treated properly in security risk analysis. Assuming monotonicity in the acquisition of network privileges, such cycles should be excluded when doing the security risk analysis using attack graphs

§ New techniques are being developed for security risk analysis of networks against potential zero-day (unknown) attacks

ALGORITHM CONSIDERATION
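The risk-score and mitigating-control weighting described on this slide, together with the cycle handling, as an added example that is not the slides' own code: each exploit step is scored with its vulnerability risk score scaled down by the RiskReduction%-style controls on the target host, and the host graph deliberately contains a cycle. The host graph, the 0–1 risk-score scale and the control tuples are assumptions.

```python
# Added example: prioritizing vulnerability instances by the probability that an
# attacker both reaches them and exploits them, with mitigating controls applied.
from collections import defaultdict

# Exploit steps: (source zone or host, target host, CVE, risk score in 0..1).
# Constructed values; the last step is a back edge that creates a cycle.
STEPS = [
    ("internet",  "webServer", "CVE-2006-3747", 0.9),
    ("webServer", "dbServer",  "CVE-2009-2446", 0.7),
    ("dbServer",  "webServer", "CVE-2006-3747", 0.9),   # back edge -> cycle
]


def step_success(risk_score, controls, host):
    """RiskReduction%(Host, Control, %Decrease): every control on the target
    host scales down the probability that the exploit succeeds."""
    p = risk_score
    for h, _control, pct_decrease in controls:
        if h == host:
            p *= 1 - pct_decrease / 100
    return p


def reach_probability(steps, controls, attacker_location="internet"):
    """Max probability that the attacker gains code execution on each host.
    Under monotonicity (privileges are never lost) a cycle can only multiply an
    existing value by a factor <= 1, so max-relaxation reaches a fixpoint
    without enumerating the cycle."""
    prob = defaultdict(float)
    prob[attacker_location] = 1.0
    changed = True
    while changed:
        changed = False
        for src, dst, _cve, risk in steps:
            candidate = prob[src] * step_success(risk, controls, dst)
            if candidate > prob[dst] + 1e-12:
                prob[dst] = candidate
                changed = True
    return dict(prob)


def prioritize(steps, controls):
    """Priority of (host, CVE) = probability the attacker reaches the step's
    source and the exploit succeeds; returned highest first."""
    prob = reach_probability(steps, controls)
    ranked = {}
    for src, dst, cve, risk in steps:
        score = prob[src] * step_success(risk, controls, dst)
        ranked[(dst, cve)] = max(ranked.get((dst, cve), 0.0), score)
    return sorted(ranked.items(), key=lambda kv: kv[1], reverse=True)
```

With no controls the dbServer CVE scores 0.9 × 0.7 = 0.63; adding a 60% control on dbServer drops it to 0.252 while the webServer CVE stays at 0.9, which is the reordering the slide's argument calls for.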


Page 31: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

§ We demonstrated that the CVSS score is an incomplete measure of vulnerability risk

§ We proposed a machine learning algorithm to prioritize vulnerabilities based on threat intelligence, targeted attacks, and the similarity of vulnerabilities to those used in these attacks

§ We proposed a vulnerability prioritization model based on network contextual information and mitigating controls, built on the attack graph algorithm

§ We discussed some open areas of research on the proposed algorithm

CONCLUSIONS


Page 32: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

THANK YOU

ANY QUESTIONS?

Page 33: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

§ A. Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt, Addison Wesley, 2007.

§ L. Wang, A. Singhal, S. Jajodia, “Measuring the Overall Security of Network Configurations using Attack Graphs,” in Proceedings of the 21st IFIP WG 11.3 Working Conference on Data and Applications Security, Springer-Verlag, 2007.

§ J. Pamula, S. Jajodia, P. Ammann, V. Swarup, "A Weakest-Adversary Security Metric for Network Configuration Security Analysis," in Proceedings of the 2nd ACM Workshop on Quality of Protection, ACM Press, 2006.

§ “The Systems Security Engineering Capability Maturity Model,” http://www.ssecmm.org/index.html.

§ M. Swanson, N. Bartol, J. Sabato, J. Hash, L. Graffo, Security Metrics Guide for Information Technology Systems, Special Publication 800-55, National Institute of Standards and Technology, July 2003.

§ G. Stoneburner, C. Hayden, A. Feringa, Engineering Principles for Information Technology Security, Special Publication 800-27 (Rev A), National Institute of Standards and Technology, June 2004.

§ P. Mell, K. Scarfone and S. Romanosky, "A Complete Guide to the Common Vulnerability Scoring System (CVSS) Version 2.0," http://www.first.org/cvss/cvss-guide.html.

§ R. Ritchey, P. Ammann, “Using Model Checking to Analyze Network Vulnerabilities,” in Proceedings of the IEEE Symposium on Security and Privacy, 2000.

§ O. Sheyner, J. Haines, S. Jha, R. Lippmann, J. Wing, “Automated Generation and Analysis of Attack Graphs,” in Proceedings of the IEEE Symposium on Security and Privacy, 2002.

§ P. Ammann, D. Wijesekera, S. Kaushik, “Scalable, Graph-Based Network Vulnerability Analysis,” in Proceedings of the ACM Conference on Computer and Communications Security, 2002.

§ R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, R. Cunningham, “Validating and Restoring Defense in Depth Using Attack Graphs,” MILCOM Military Communications Conference, 2006.

REFERENCES


Page 34: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

§ S. Noel, S. Jajodia, "Understanding Complex Network Attack Graphs through Clustered Adjacency Matrices," in Proceedings of the 21st Annual Computer Security Applications Conference, 2005.

§ S. Noel, S. Jajodia, “Managing Attack Graph Complexity through Visual Hierarchical Aggregation,” in Proceedings of the ACM CCS Workshop on Visualization and Data Mining for Computer Security, 2004.

§ S. Noel, S. Jajodia, “Advanced Vulnerability Analysis and Intrusion Detection through Predictive Attack Graphs,” Critical Issues in C4I, Armed Forces Communications and Electronics Association (AFCEA) Solutions Series, 2009.

§ S. Noel, S. Jajodia, “Proactive Intrusion Prevention and Response via Attack Graphs,” in Practical Intrusion Detection, Ryan Trost (ed.), Addison-Wesley Professional, in preparation.

§ F. Cuppens, R. Ortalo, “LAMBDA: A Language to Model a Database for Detection of Attacks,” in Proceedings of the Workshop on Recent Advances in Intrusion Detection, 2000.

§ S. Templeton, K. Levitt, “A Requires/Provides Model for Computer Attacks,” in Proceedings of the New Security Paradigms Workshop, 2000.

§ R. Ritchey, B. O'Berry, S. Noel, "Representing TCP/IP Connectivity for Topological Analysis of Network Security," in Proceedings of the 18th Annual Computer Security Applications Conference, 2002.

§ R. Lippmann, K. Ingols, “An Annotated Review of Past Papers on Attack Graphs,” Lincoln Laboratory Technical Report ESC-TR-2005-054, 2005.

§ S. Jajodia, S. Noel, B. O’Berry, “Topological Analysis of Network Attack Vulnerability,” in Managing Cyber Threats: Issues, Approaches and Challenges, V. Kumar, J. Srivastava, A. Lazarevic (eds.), Springer, 2005.

§ L. Wang, T. Islam, T. Long, A. Singhal and S. Jajodia, “An Attack Graph Based Probabilistic Security Metrics,” Proceedings of 22nd IFIP WG 11.3 Working Conference on Data and Application Security (DBSEC 2008), London, UK, July 2008.

REFERENCES - 2


Page 35: IMPORTANCE OF NETWORK CONTEXTUAL INFORMATION & MITIGATING …

§ A. Singhal and X. Ou, "Techniques for Enterprise Network Security Metrics," Proceedings of 2009 Cyber Security and Information Intelligence Research Workshop, Oak Ridge National Laboratory, Oak Ridge, April 2009.

§ M. Frigault, L. Wang, A. Singhal and S. Jajodia, “Measuring Network Security Using Dynamic Bayesian Network,” 2008 ACM Workshop on Quality of Protection, October 2008.

§ P. Manadhata, J. Wing, M. Flynn and M. McQueen. “Measuring the attack surface of two FTP daemons,” Proceedings of 2nd ACM Workshop on Quality of Protection, 2006.

§ K. Ingols, R. Lippmann and K. Piwowarski, “Practical Attack Graph Generation for Network Defense,” Proceedings of ACSAC Conference 2006.

§ K. Ingols, M. Chu, R. Lippmann, S. Webster and S. Boyer, “Modeling Modern Network Attacks and Countermeasures Using Attack Graphs,” Proceedings of ACSAC Conference 2009.

§ X. Ou, W.F. Boyer and M.A. McQueen, "A Scalable Approach to Attack Graph Generation," Proceedings of 13th ACM CCS Conference, pages 336-345, 2006.

§ X. Ou, S. Govindavajhala, and A. W. Appel, "MulVAL: A logic based network security analyzer," 14th USENIX Security Symposium, 2005.

§ J. Homer, X. Ou, and D. Schmidt. “A sound and practical approach to quantifying security risk in enterprise networks,” Technical report, Kansas State University, Computing and Information Sciences Department, August 2009.

§ Wang, Jajodia, Singhal, Noel, “K Zero Day Safety: Measuring the Security of Networks against Unknown Attacks,” European Symposium on Research in Computer Security (ESORICS) September 2010.

REFERENCES - 3
