Attacker Behavior Boston Security Conference 2015

Post on 16-Jul-2015



Boston Security Conference

Attacker Behavioral Analysis

2014

INFORMATION SECURITY IS A GAME

Remove the Threat

REMEDIATION

Accept the Risk

Repair the Vulnerability

C(ommon) V(ulnerability) S(coring) S(ystem)

“CVSS is designed to rank information system vulnerabilities”

Exploitability/Temporal (Likelihood)

Impact/Environmental (Severity)

The Good: Open, Standardized Scores

F1: Data Fundamentalism

“Since 2006 Vulnerabilities have declined by 26 percent.” http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf

“The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012.” http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf

FAIL 2: A Priori Modeling

“Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score... There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters... except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation . . .”

F3: Stochastic Ignorance

Attackers Change Tactics Daily

Repair the Vulnerability

I LOVE IT WHEN YOU CALL ME BIG DATA

150,000,000 LIVE VULNERABILITIES

1,500,000 ASSETS

2,000 ORGANIZATIONS

100,000,000 BREACHES

I LOVE IT WHEN YOU CALL ME BIG DATA

ATTACKERS CHANGE TACTICS DAILY

WE CARE ABOUT VULNERABILITIES

BREACHES BY CVE 2014

[chart; x axis: 2014 by quarter, Q1 to Q4]

ATTACKERS DON’T CARE WHEN YOUR VULN WAS PUBLISHED

[chart labels: HEARTBLEED, SHELLSHOCK, POODLE]

ATTACKERS DON’T CARE ABOUT YOUR VULN’S LOGO

BREACHES by CVSS

CVSS by BREACH VOLUME + CVE

CWE

DEADLY SOFTWARE SINS:

1. ACCESS CONTROL
2. INPUT VALIDATION
3. BUFFER OVERFLOW
4. INJECTION
5. BAD CRYPTO

CVSS AS A BREACH VOLUME PREDICTOR:

ATTACKERS DON’T CARE ABOUT CVSS

WE CARE ABOUT VULNERABILITIES

ATTACKERS CARE ABOUT BREACHES

CVEs OVER TIME

CVEs OVER TIME (normalized)

Probability A Vuln Having Property X Has Observed Breaches

[bar chart; x axis: probability, 0.0 to 0.3; bars: Random Vuln, CVSS 10, Exploit DB, Metasploit, MSP+EDB]

DATA RULES EVERYTHING AROUND ME

RANDOM = 2%

CVSS 10 = 4%

METASPLOIT + EXPLOITDB = 30%
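The figures above are conditional probabilities: of all vulnerabilities with property X (a CVSS score of 10, an Exploit DB entry, a Metasploit module), what fraction has at least one observed breach, and how does that compare with a vulnerability picked at random? The following Python is an added worked example, not code from the talk or from risk.io, and it runs on a small constructed sample rather than the speaker's dataset; the `Vuln` record, the placeholder CVE identifiers and the reading of "MSP+EDB" as the union of the two sets are assumptions made for the example.

```python
"""Conditional breach probability by vulnerability property.

Added worked example (not the talk's code): compute
P(observed breach | property X) for each property class, plus its lift
over the random-vuln baseline. The records below are constructed sample
data, not the risk.io dataset, and the CVE ids are placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE id
    cvss: float       # CVSS base score
    in_edb: bool      # has an Exploit DB entry
    in_msp: bool      # has a Metasploit module
    breached: bool    # at least one observed breach tied to this CVE


# Constructed sample, 12 records chosen so the ratios are easy to check by hand.
SAMPLE: List[Vuln] = [
    Vuln("CVE-XXXX-0001", 10.0, True,  True,  True),
    Vuln("CVE-XXXX-0002", 10.0, False, False, False),
    Vuln("CVE-XXXX-0003", 10.0, False, False, False),
    Vuln("CVE-XXXX-0004", 10.0, True,  False, False),
    Vuln("CVE-XXXX-0005", 7.5,  True,  True,  True),
    Vuln("CVE-XXXX-0006", 7.5,  True,  False, False),
    Vuln("CVE-XXXX-0007", 5.0,  False, True,  True),
    Vuln("CVE-XXXX-0008", 5.0,  False, False, False),
    Vuln("CVE-XXXX-0009", 4.3,  False, False, False),
    Vuln("CVE-XXXX-0010", 6.8,  True,  True,  False),
    Vuln("CVE-XXXX-0011", 9.3,  False, False, False),
    Vuln("CVE-XXXX-0012", 2.1,  False, False, False),
]

# Property classes from the slide. "MSP+EDB" is read here as the union
# (in either source); that reading is an assumption of this example.
PROPERTIES: Dict[str, Callable[[Vuln], bool]] = {
    "Random Vuln": lambda v: True,
    "CVSS 10": lambda v: v.cvss == 10.0,
    "Exploit DB": lambda v: v.in_edb,
    "Metasploit": lambda v: v.in_msp,
    "MSP+EDB": lambda v: v.in_msp or v.in_edb,
}


def breach_probability(vulns: List[Vuln],
                       predicate: Callable[[Vuln], bool]) -> Optional[float]:
    """Fraction of vulns satisfying predicate that have an observed breach.

    Returns None when nothing satisfies the predicate, so an empty property
    class is reported as "no data" rather than as "0% breached".
    """
    subset = [v for v in vulns if predicate(v)]
    if not subset:
        return None
    return sum(v.breached for v in subset) / len(subset)


def breach_table(vulns: List[Vuln]) -> Dict[str, Tuple[Optional[float], Optional[float]]]:
    """Map each property name to (P(breach | property), lift over Random Vuln)."""
    baseline = breach_probability(vulns, PROPERTIES["Random Vuln"])
    table = {}
    for name, predicate in PROPERTIES.items():
        p = breach_probability(vulns, predicate)
        lift = None if p is None or not baseline else p / baseline
        table[name] = (p, lift)
    return table


if __name__ == "__main__":
    for name, (p, lift) in breach_table(SAMPLE).items():
        if p is None:
            print(f"{name:12s}  no vulns in class")
        else:
            print(f"{name:12s}  P(breach)={p:.2f}  lift={lift:.1f}x")
```

On this constructed sample a CVSS 10 score carries no lift at all over a random vulnerability, while a Metasploit module raises the breach probability threefold; the real dataset behind the slide gives 2%, 4% and 30%, and the same `breach_table` call reproduces that comparison once the records come from real scan, exploit-database and breach data.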

RISK.IO/JOBS

@mroytman