Establishing a Quality Vulnerability Management Program
#RSAC
Zee Abdelnabi
Establishing a Quality Vulnerability Management Program
TECH-W03
Red Team Lead, Major Automotive Company, @Infosec_17
Overview
6
What is VM? How to sell a story to build a vulnerability management program
Picking the right tool
Evaluate costs and advantages: paying for professional services deployment vs. training your team
Mistakes to avoid; creating a runbook; tabletop exercises
VM lifecycle
Problems
Tips
What is Vulnerability Management?
7
The process by which you accept, eliminate, or mitigate vulnerabilities based upon the business risk and the cost associated with fixing the vulnerabilities.
Most vulnerabilities are long known before they are exploited.
What do you REALLY think of VM?
8
It's repetitive, time-consuming, seems to never end
Sell the Story to Establish the Program to Management
10
Competitor examples
Growth
What business goals are met
Use regulations and compliance: SOX, HIPAA, GLBA or PCI DSS
Maintaining the company's image
Improve security, IT, and the general business
Specific deliverables
Identify and reduce risk… it's not about just fixing vulnerabilities
11–16
Private research shown during live talk
Compare VM Tools
18
Learn how to pick the best toolset for your environment.
Asset management is important here: when you know what you have, you can look at the systems that can be more effectively scanned
SCADA environment or an OS that the VM tool doesn't scan: why get it? Pick the tool that will scan most of what you have
Have a scorecard: weigh what's most important to you; list your most important assets
Need a good asset management system/tool
Tool Selection Criteria
19
Active vs. passive VM: if you can't get an active scanning tool because you might have systems that are very fragile, you can use passive.
Passive doesn't scan anything…
If you have a system you don't want to actively scan (because if you do, it will die), put it in the passive tool and get alerts on it
Implementing tools that aren't used or configured properly is a waste: too many false positives uses resources and causes "alert fatigue"
Too many false negatives leads to overconfidence and false reassurance that all is well
Make sure the tool has…
20
Adequate documentation
Detailed reports on the discovered vulnerabilities, including how they might be exploited and fixed
General industry acceptance
Availability of updates and support
High-level reports that can be presented to managers or non-technical types
Tool Implementation Guidelines
21
Consult the readme and/or online help files and FAQs.
Study the user guides.
Use the tool in a lab or test environment first. Make sure it plays well with your other tools.
Ensure the tool delivers promised functionality.
Consider formal classroom training.
Outsource or Build Capabilities
22
Evaluate the costs and advantages of paying for professional services deployment vs. training your team
Determine the skills and competencies necessary to make a successful team
Figure out the amount of time required to do this
— Increases speed and the quality of delivery
— Frees management time, enabling the company to focus on core competencies while not being conferenced about consultants
— Possible loss of control over a company's business processes
— Lower than expected realization of benefits and results
Mistakes to Avoid
23
Remediating all things (no prioritization)
Relying on one tool
Scanning, but not acting on the scan results
Identify assets to avoid scanning
Thinking that patching = VM
Being unprepared for a zero-day exploit
Roles and responsibilities: process improvement, escalation, accountability
Forgetting compliance standards to follow
Mistakes to Avoid
24
People misinterpret the CVSS; if CVSS is low, it doesn't mean risk is low
When prioritizing, keep in mind the attack depth
Forgetting policy scanning
Intelligence gathering: latest attacks
Garbage in, garbage out (GIGO)
Volumes of useless checks
Authenticated vs. unauthenticated: password (pw) changes. Who is responsible for giving you those pws or changing them? Alert your groups on pw changes
Create a Runbook
26
Communication plan: communications matrix, RACI chart
Overview
Management/team → GOALS
Challenges the company has encountered during VM
Network information: domain names, internal and external IP addresses, network architecture
Assets for grouping/tagging, option profiles built
Create scan profiles: scanning and reporting schedules.
Scan windows: how often can we scan?
Limits on bandwidth?
Attacking an Attacker's Plan
27
Tabletop Exercises
28
Demonstrate real live attack scenarios: biggest business impact (greatest relevance to the org)
Review the scenario; break it into tactics
Gain assurance on existing controls
How ready are you?
Helps see trend analysis (seeing this a lot)
Increases efficiency
Why were they breached, same vulnerability used?
Attack patterns: where are they attacking, what are they doing?
Results and Follow-Up
29
Now have attacker profiling: attack patterns built up from vulns
Build scenario model sensors and run experiments
Which vulns can be exercised through external system input to realize a cyber effect
Actionable intelligence
Deep dive into the dark side
Figuring out how someone can move through our network
Program maturity
Automatically inject public and private lists of vulnerabilities and organize them into a standardized attack point system
Vulnerability Management Lifecycle
30
Discover Phase
31
What's actually running in the different parts of your network: access points, web servers and other devices that can leave your network open to attack.
Operating system; finding open network ports; determining what services are active on those ports. Scan by network range.
Gives a hacker's-eye view of your network
Discover Phase Helps
32
Where devices, such as a firewall or an IPS, are placed on the network and how they're configured
What external attackers see when they perform port scans and how they can exploit vulnerabilities in your network hosts
Network design, such as Internet connections, remote access capabilities, layered defenses, and placement of hosts on the network
What protocols are in use
Commonly attacked ports that are unprotected
Network host configurations
Prioritize
34
Asset classification system: assign business value to assets
Identify the highest business risks using trend analysis, zero-day and patch impact predictions.
Prioritize your systems so you can focus your efforts on what matters. Some assets are more critical to the business than others
Criticality depends on business impact
Identify asset owners
Prioritize
35
Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?
Which systems appear most vulnerable to attack?
Which systems crash the most?
Which systems are not documented, are rarely administered, or are the ones you know the least about?
Assess
36
Scan systems anywhere from the same console: your perimeter
Internal network and cloud environments
Target hosts by IP address, asset group or asset tag
Those things you find: scan them and find out what vulnerabilities they have
Reporting
37
Reporting considerations: what reports are currently generated?
Build/import report templates
What information is needed from reports?
New data points
What levels receive reports (executive, line managers, line staff)
Make IT the hero: promote them when they do a great job & use metrics
Hold people accountable
Report Templates and Metrics
38
Establish the report templates and metrics you need to show your program is successful.
What is each team trying to accomplish? Add/remove staff, promote cost optimization, demonstrate effectiveness
That's how you will demonstrate metrics on how much work is being done, how many vulnerabilities are being remediated
Make sure reports are providing value and giving management the right information
Template Examples
39
Confirmed 4/5s only
Executive Trending Report
Executive Trending Report – 4/5s
Executive Trending Report – over 90 days
Overall Patches 4+5 – last 30 days
Patch Report
You can't manage what you can't measure
Remediation: Fixing Vulnerabilities
40
How many groups are involved in remediation efforts? This will drive asset groups/tagging
Patching/configuration process: will take approximately 2-3 hours working with each group
How patching and vulnerability remediation is currently performed; if there is no process, create a plan
Patching schedule
What patching tool will you use
Patch testing (Java)
What groups are involved
Remediation
41
If the risk outweighs the cost, eliminate or mitigate the vulnerability!
Implement mitigating controls (defense in depth): intrusion prevention systems (IPS), intelligent firewalls
Have a plan; make sure you have resources and permission to accept short-term risks to mitigate long-term vulnerabilities
What happens if the cost outweighs the risk?
Verification
42
Verify applied patches and confirm compliance
Verify the tickets after they are closed
Majority of 2's and 3's = Misconfiguration
43
Misconfigurations of systems, servers, and firewalls also lead to the compromise of networks.
Changes to Group Policy or other change methods. This is a way to reduce risk in the environment on a large scale with minimal effort. Review non-patchable vulnerabilities to identify quick wins on the configuration side to reduce risk.
Remove the vulnerabilities and better secure your systems
Problems: Don't Ignore Issues
45
The high impact patches: a report that identifies the areas that reduce the largest number of vulnerabilities so effort can be prioritized.
— Opening up tickets for each of these patchable vulnerabilities over 90 days.
— This will drive remediation and get these issues closed.
Not using IPs: these IPs can be used to scan other systems to drive remediation and actual reduction of risk.
— Reviewing hosts to identify if they are still in the environment.
— Hosts that are not scanned can never show fixed vulnerabilities, and keep the vulnerability count artificially high.
Problems
46
There are 305 IPs that have not been scanned in more than 60 days, with some hosts not scanned since July 2010.
SCCM broken
Teams will not authorize the appropriate level of access to run authenticated scans. Plug in the credentials
Re-opened vulnerabilities
Risk Management
47
RISK = Assets x Vulnerabilities x Threats
You can control vulnerabilities.
Focus on your high priority assets, and reduce your threat landscape
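As an added example, not from the talk, here is a small Python prioritizer that ties the Prioritize slides, the "over 90 days" 4/5s report, the unscanned-host problem and the RISK = Assets x Vulnerabilities x Threats slide together over constructed findings; the Finding fields, the 1-5 asset values and the 2x threat weight for externally reachable hosts are assumptions, not the speaker's scoring.

```python
from dataclasses import dataclass
from datetime import date
# Constructed sample records, not real scan data; the field names are assumptions.
@dataclass
class Finding:
    host: str
    asset_value: int       # 1-5 business value from the asset classification system
    severity: int          # scanner severity 1-5 (the talk's "4/5s")
    cvss: float            # scanner CVSS base score
    exposed: bool          # reachable through external system input
    first_seen: date       # when the scanner first reported the finding
    last_scanned: date     # when the host was last scanned at all

STALE_DAYS = 60            # "not scanned in more than 60 days"
AGING_DAYS = 90            # the "over 90 days" executive report window
def risk_score(f: Finding) -> float:
    """RISK = Assets x Vulnerabilities x Threats. CVSS is only the middle term,
    so a low CVSS on a high-value, exposed asset still scores high (assumed weights)."""
    threat = 2.0 if f.exposed else 1.0
    return f.asset_value * f.cvss * threat

def stale_hosts(findings, today):
    """Hosts whose last scan is too old to trust; they keep the count artificially high."""
    return sorted({f.host for f in findings
                   if (today - f.last_scanned).days > STALE_DAYS})

def prioritize(findings, today):
    """Rank findings on current data by risk; stale hosts need a rescan first."""
    stale = set(stale_hosts(findings, today))
    return sorted((f for f in findings if f.host not in stale),
                  key=risk_score, reverse=True)

def aging_4_5s(findings, today):
    """Confirmed 4/5s open for more than 90 days: the ticket-driving report."""
    return [f for f in findings
            if f.severity >= 4 and (today - f.first_seen).days > AGING_DAYS]

SAMPLE = [  # constructed findings
    Finding("web-02",    4, 4, 7.5, True,  date(2016, 10, 1), date(2017, 2, 10)),
    Finding("db-01",     5, 3, 4.3, True,  date(2017, 1, 20), date(2017, 2, 10)),
    Finding("kiosk-07",  1, 5, 9.8, False, date(2017, 2, 1),  date(2017, 2, 10)),
    Finding("legacy-09", 3, 4, 6.0, False, date(2010, 7, 15), date(2010, 7, 15)),
]
TODAY = date(2017, 2, 14)  # constructed reference date
if __name__ == "__main__":
    for f in prioritize(SAMPLE, TODAY):
        print(f"{f.host:10} risk={risk_score(f):5.1f} cvss={f.cvss}")
    print("stale, rescan first:", stale_hosts(SAMPLE, TODAY))
    print("4/5s open > 90 days:", [f.host for f in aging_4_5s(SAMPLE, TODAY)])
```

Note that the CVSS 4.3 finding on the high-value, exposed database outranks the CVSS 9.8 finding on the low-value kiosk, which is the "low CVSS does not mean low risk" point from the Mistakes to Avoid slide.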
Tips
48
Most organizations do a good job of keeping Microsoft operating systems and applications up to date, but don't fare nearly as well when it comes to Linux, UNIX, Mac, and 3rd party applications such as Adobe.
Application scanning should be added to the types of tests performed to make sure that any new or existing applications are not vulnerable.
Create an internal hacking lab (recon, scanning, exploitation):
✓ Exploiting missing patches
✓ Attacking built-in authentication systems
✓ Breaking file system security
✓ Cracking passwords and weak encryption implementations
Tips
49
Don't overlook physical security
When everyone has a stake, when every team has skin in the game, then the burden of VM is shared and perhaps lessened for each individual.
Act fast
Making Contact to Report Vulnerabilities
50
Private research shown during live talk
In a Perfect World: You think your VM program will look like this…
BUT…
Tips
53
Frequent gap assessments: make sure that you go back over what you did. Document what works, what doesn't, and why it didn't work or failed. Communicate lessons learned and continue pushing it through the program for continual improvement
Internal vulnerability assessments with policy compliance scanning should be performed and run monthly.
Maintain security through ongoing testing and discovery.
"Apply" Slide
54
Next week you should: have a conversation with the right department and understand what you currently do for vulnerability management.
In the first three months following this presentation you should: determine the current level of maturity of your program. Assess the pre- and post-vulnerability lifecycle. Perform an assessment.
Within six months you should: select a centralized system to dump OSINT vulnerabilities into, and a basic lab setup. Create an internal runbook and perform a tabletop exercise.