Attacker Behavior Boston Security Conference 2015

Page 1: Attacker Behavior Boston Security Conference 2015

Boston Security Conference

Attacker Behavioral Analysis

2014

Page 2:

INFORMATION SECURITY IS A GAME

Page 3:
Page 4:

REMEDIATION

Remove the Threat

Accept the Risk

Repair the Vulnerability

Page 5:

C(ommon) V(ulnerability) S(coring) S(ystem)

“CVSS is designed to rank information system vulnerabilities”

Exploitability/Temporal (Likelihood)

Impact/Environmental (Severity)

The Good: Open, Standardized Scores
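The base score folds the two halves the slide names into one number. The following is an added example, not code from the talk: the CVSS v2 base equation computed from its exploitability and impact subscores, with the metric weights from the published v2 specification. The three demo vectors are the v2 vectors I recall NVD assigning to the 2014 bugs named later in the deck; treat those vectors as an assumption and check them against NVD before relying on them.

```python
"""CVSS v2 base score assembled from its Exploitability and Impact subscores.
Added worked example; not code from the talk. The weights and equation are the
CVSS v2 base metric formula. The vectors in DEMO are what I recall NVD publishing
for the named CVEs (assumption: verify against NVD)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:P/I:N/A:N' into {'AV': 'N', ...}, rejecting
    anything that is not a complete v2 base vector."""
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a complete CVSS v2 base vector: {vector}")
    return parts


def subscores(vector: str) -> tuple:
    """Return (impact, exploitability): the 'severity' half and the
    'likelihood' half of the base score."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]])
                        * (1 - CIA_IMPACT[m["I"]])
                        * (1 - CIA_IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                         * ACCESS_COMPLEXITY[m["AC"]]
                         * AUTHENTICATION[m["Au"]])
    return impact, exploitability


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the spec requires
    (round half up, not Python's default banker's rounding)."""
    impact, exploitability = subscores(vector)
    if impact == 0:
        # f(Impact) is 0 when there is no impact at all: the score is 0.0
        # no matter how exploitable the issue is.
        return 0.0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Demo: the three 2014 "logo" bugs that appear later in the deck.
# Vectors are an assumption (my recollection of NVD's v2 vectors).
DEMO = {
    "CVE-2014-0160 (Heartbleed)": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
    "CVE-2014-6271 (Shellshock)": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
    "CVE-2014-3566 (POODLE)": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
}

if __name__ == "__main__":
    for name, vec in DEMO.items():
        impact, exploitability = subscores(vec)
        print(f"{name}: impact={impact:.2f} exploitability={exploitability:.2f} "
              f"base={base_score(vec)}")
```

Note how little the impact half can do for an information leak: a partial confidentiality loss with no integrity or availability component caps the score at 5.0 even with the maximum exploitability subscore, which is the kind of gap between score and attacker interest the rest of the deck measures.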

Page 6:

F1: Data Fundamentalism

“Since 2006 Vulnerabilities have declined by 26 percent.” http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf

“The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012.” http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf

Page 7:

FAIL 2: A Priori Modeling

“Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score...There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters...except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation . . .”

Page 8:

F3: Stochastic Ignorance

Attackers Change Tactics Daily

Page 9:

Repair the Vulnerability

Page 10:

I LOVE IT WHEN YOU CALL ME BIG DATA

150,000,000 LIVE VULNERABILITIES

1,500,000 ASSETS

2,000 ORGANIZATIONS

Page 11:

I LOVE IT WHEN YOU CALL ME BIG DATA

100,000,000 BREACHES

Page 12:

ATTACKERS CHANGE TACTICS DAILY

Page 13:

WE CARE ABOUT VULNERABILITIES

Page 14:

BREACHES BY CVE 2014

Page 15:

Chart: 2014 breaches by CVE, Q1 through Q4

Page 16:
Page 17:
Page 18:

ATTACKERS DON’T CARE WHEN YOUR VULN WAS PUBLISHED

Page 19:

HEARTBLEED

SHELLSHOCK

Page 20:

HEARTBLEED

SHELLSHOCK

POODLE

Page 21:
Page 22:
Page 23:

ATTACKERS DON’T CARE ABOUT YOUR VULN’S LOGO

Page 24:

BREACHES by CVSS

Page 25:

CVSS BY BREACH VOLUME + CVE

Page 26:

CWE

Page 27:

DEADLY SOFTWARE SINS:

1. ACCESS CONTROL
2. INPUT VALIDATION
3. BUFFER OVERFLOW
4. INJECTION
5. BAD CRYPTO

Page 28:

CVSS AS A BREACH VOLUME PREDICTOR:

Page 29:
Page 30:

ATTACKERS DON’T CARE ABOUT CVSS

Page 31:

WE CARE ABOUT VULNERABILITIES

Page 32:
Page 33:

ATTACKERS CARE ABOUT BREACHES

Page 34:

CVEs OVER TIME

Page 35:
Page 36:

CVEs OVER TIME (normalized)

Page 37:

Probability A Vuln Having Property X Has Observed Breaches

Chart: one bar each for Random Vuln, CVSS 10, Exploit DB, Metasploit, MSP+EDB (x axis 0.0 to 0.3)

Page 38:

DATA RULES EVERYTHING AROUND ME

RANDOM = 2%

CVSS 10 = 4%

METASPLOIT + EXPLOITDB = 30%
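These three percentages, and the "CVSS as a breach volume predictor" chart on page 28, come from one measurement: for each property, the share of vulnerabilities carrying it that have at least one observed breach, compared against the rate for a random vulnerability. The following is an added worked example of that measurement, not code from the talk or from Risk I/O. The twenty records it runs on are constructed for the demo and their identifiers are hypothetical, so the rates it produces are illustrative and deliberately not the deck's 2% / 4% / 30%.

```python
"""Breach rate conditioned on a vulnerability property: the measure behind the
'probability a vuln having property X has observed breaches' chart and the
'CVSS as a breach volume predictor' slide. Added worked example; not code from
the talk or from Risk I/O. SAMPLE is constructed (identifiers are not real CVEs)."""
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class Vuln:
    vid: str        # hypothetical identifier, not a real CVE
    cvss: float     # CVSS v2 base score
    in_edb: bool    # public exploit published in Exploit-DB
    in_msp: bool    # Metasploit module exists
    breached: bool  # at least one observed breach involved this vuln


# Constructed sample: five CVSS 10 vulns of which only one was ever breached,
# against a CVSS 5.0 vuln with a Metasploit module that was.
SAMPLE: Sequence[Vuln] = [
    Vuln("V-01", 10.0, False, False, False),
    Vuln("V-02", 10.0, False, False, False),
    Vuln("V-03", 10.0, False, False, False),
    Vuln("V-04", 10.0, True, False, False),
    Vuln("V-05", 10.0, True, True, True),
    Vuln("V-06", 7.5, True, True, True),
    Vuln("V-07", 7.5, False, False, False),
    Vuln("V-08", 7.5, True, False, False),
    Vuln("V-09", 5.0, True, True, True),
    Vuln("V-10", 5.0, False, False, False),
    Vuln("V-11", 5.0, False, False, False),
    Vuln("V-12", 4.3, True, True, False),
    Vuln("V-13", 4.3, False, False, False),
    Vuln("V-14", 4.3, False, False, False),
    Vuln("V-15", 6.8, True, False, False),
    Vuln("V-16", 6.8, True, True, True),
    Vuln("V-17", 2.1, False, False, False),
    Vuln("V-18", 2.1, False, False, False),
    Vuln("V-19", 9.3, False, False, False),
    Vuln("V-20", 9.3, False, True, False),
]

Predicate = Callable[[Vuln], bool]

# The properties on the chart's axis. "Random Vuln" is the base rate.
PROPERTIES: dict = {
    "Random Vuln": lambda v: True,
    "CVSS 10": lambda v: v.cvss == 10.0,
    "Exploit DB": lambda v: v.in_edb,
    "Metasploit": lambda v: v.in_msp,
    "MSP+EDB": lambda v: v.in_msp and v.in_edb,
}


def breach_rate(vulns: Sequence[Vuln], has_property: Predicate = lambda v: True) -> float:
    """P(observed breach | property): share of vulns with the property that
    were breached. An empty subset yields 0.0 rather than a ZeroDivisionError,
    so a property that nothing matches does not abort the report."""
    subset = [v for v in vulns if has_property(v)]
    if not subset:
        return 0.0
    return sum(1 for v in subset if v.breached) / len(subset)


def breach_rates(vulns: Sequence[Vuln]) -> dict:
    """One bar per property, as on the chart."""
    return {name: breach_rate(vulns, pred) for name, pred in PROPERTIES.items()}


def lift(vulns: Sequence[Vuln], has_property: Predicate) -> float:
    """How many times more often a vuln with the property is breached than a
    random one. 1.0 means the property carries no prioritisation signal."""
    base = breach_rate(vulns)
    return breach_rate(vulns, has_property) / base if base else 0.0


def breach_rate_by_cvss(vulns: Sequence[Vuln]) -> dict:
    """Breach rate per CVSS base score, highest score first: the view that
    tests CVSS itself as a breach volume predictor."""
    scores = sorted({v.cvss for v in vulns}, reverse=True)
    return {s: breach_rate(vulns, lambda v, s=s: v.cvss == s) for s in scores}


if __name__ == "__main__":
    for name, rate in breach_rates(SAMPLE).items():
        print(f"{name:12s} P(breach)={rate:.2f} lift={lift(SAMPLE, PROPERTIES[name]):.1f}x")
    for score, rate in breach_rate_by_cvss(SAMPLE).items():
        print(f"CVSS {score:4.1f} P(breach)={rate:.2f}")
```

Lift against the random base rate is what turns the comparison into a remediation order: a CVSS 10 finding that is breached no more often than a random vuln earns no extra priority, while a mid-scored vuln with a public exploit and a Metasploit module does. Run it against real scan, exploit-feed and incident data, with the same functions, and the bars become the ones on the slide.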

Page 39:

RISK.IO/JOBS

@mroytman