Anton Chuvakin on Threat and Vulnerability Intelligence
Presentation Transcript

    • Threat and Vulnerability Intelligence
    • Anton Chuvakin, Ph.D., GCIA, GCIH
    • Security Strategist
    • ISSA NY
    • November 2003
  • Overview
    • Threat and Vulnerability (T&V) Intelligence (TVI)
    • Definitions of threats, vulnerabilities and intelligence
    • Threats
    • Vulnerabilities
    • Sources of information on T & V
    • Fusing T and V together
    • Acting on T&V intelligence
    • Automating TVI
    • Example
    • Conclusion
  • Definitions
    • Threats
      • Malicious factors with a chance to incur loss
    • Vulnerabilities
      • Potential weaknesses and flaws in software, policies and human factor
    • T&V Intelligence
      • A process to make sense of the above and guide the corrective/preventative action
  • Security Methodology
    • Collect information on threats and vulnerabilities
    • Organize and correlate the information
    • Analyze its relevance to the organization
    • Determine needed course of action
    • Prioritize the actions
    • Act!
    • Assess the results
  • Example?
    • You hear about a new worm on the loose…
    • Collect: where and what is being said, do you see it yourself?
    • Organize: structured report from all sources
    • Relevance: will we be affected too?
    • Action plan: need to patch all servers!
    • Prioritize: what do we patch first?
    • Act: do it
    • Assess: did it work out? Can we still suffer?
  • OODA: Observe, Orient, Decide and Act!
  • Threats
    • Threat categories
      • Natural and man-made
      • Internal and external
      • Human and automated
      • Known and unknown
      • Targeted, industry-specific and universal
    • Threat agents
      • Hackers
      • Insiders
      • Competitors
      • Malware
      • Software and hardware failures
  • Threat Info Sources
    • Local
      • Alerts and events from security gear
      • Reports on suspicious activity and failures
    • Global
      • Malware emergence
      • Common attack statistics
      • New vulnerabilities
      • New exploits
      • Hacker “chatter” activity
  • Global Threat Intel
    • What is out there?
    • Free
      • SANS DShield
      • MyNetWatchman
      • Symantec Analyzer
    • Commercial
      • Symantec DeepSight
      • ISS XForce
    • Why should you care? Early warning and preparedness
  • DShield
  • MyNetWatchMan
  • Vulnerabilities
    • Software and hardware
      • From buffer overflows through SQL injection to new bug types…
    • Policy and process
      • From planning to configuring: bad decisions at all stages of the IT process
    • People
      • From ‘bad apples’ to natural weaknesses and persuasion
  • Vulnerability Info
    • Local
      • Vulnerability scanning
      • Application assessment and code reviews
      • Pentesting (systems and humans)
      • Audits (from policy to configurations)
    • Global
      • Vulnerability alerts and advisories
      • Mailing lists
  • Global Vulnerability Intel
    • Free:
      • Bugtraq and other lists, Secunia, SANS
    • Low-cost “second hand”
      • ThreatFocus, Sintelli, Secunia, SecurityTracker
    • “Original”
      • iDefense, TruSecure, Symantec, ISS
  • Why care?
    • Why care about global vulnerability intel?
    • Less searching
    • Fuller coverage
    • Filtering by applicability
    • Risk level
    • Remediation guidance
    • Testing
  • ThreatFocus Alert
  • Value
    • When assessing relevance, you need to know the business value
    • System value
      • Business critical vs testing lab
    • System role and alignment with mission
      • Web server for eCommerce site
    • System “popularity”
      • How many rely on the system?
  • TVI “Fusion”
    • Threat data: attack parameters, source and destination investigative info, attacker history, direction, global situation, etc.
    • Value data: value, popularity and role, from the asset’s business owners
    • Vulnerability data: scan data, ports, unsafe applications, patch level, OS type
  • Acting on TVI
    • Using the knowledge base to plot a course
      • Choose and customize recommended investigative and mitigation workflows
      • Update the knowledge base with lessons learned
    • Automate the investigation and mitigation via automated incident management
      • Provide investigative tools
      • Manage the collaboration
      • Track the results and confirm that no loss occurred
  • Presenting the Results
    • Visualization and reporting
    • Views of collected information
      • Threat, vulnerability picture
      • Correlated picture
    • Relevance
    • Priorities
    • Action status
    • Long term profile
  • More Automation!?
    • Automating T&V Intelligence via threat and exposure algorithms
    • Benefits:
      • Accelerate the OODA loop: faster, better
    • Limitations:
      • Cannot automate the full cycle
      • Still needs a human to decide and act
      • Enabling/empowering, not replacing
  • Example
    • IDS reports an attack from an IP address in China against a web server
  • Threat Algorithm Example
    • IDS reports an attack from an IP address in China against a web server
    • Device type: Snort NIDS
    • Attack type: buffer overflow
    • Success: likely
    • Source history: has probed us before
    • Global threat: common DShield “client”
    • Direction: attack from outside to inside
    • Country: elevated threat
  • Exposure Algorithm Example
    • IDS reports an attack from an IP address in China against a web server
    • OS: Windows server
    • Vulnerabilities: has known vulnerabilities
    • Applications: has IIS
    • Patch status: not up to date
    • Exposures: has open ‘unsafe’ ports
    • Network visibility: exposed to the Internet
  • Including Value Example
    • IDS reports an attack from an IP address in China against a web server
    • Value: critical server
    • Role: main web server
    • Used by: all the customers
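The threat, exposure and value factors from the three example slides above, fused into one priority the way the “Fusion” slide combines threat, value and vulnerability data, as an added example that is not the presentation’s own code or any product’s scoring method: every point weight, the `ATTACK_POINTS` table and the 10,000-user cap are assumptions, and both events are constructed.

```python
"""Toy TVI "fusion" scorer: threat x exposure x value -> priority.
Added example, not Chuvakin's code or any product's algorithm; all weights are assumed."""
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    # threat factors: NIDS alert plus local and global threat intel
    attack_type: str              # e.g. "buffer overflow", "scan"
    success_likely: bool
    source_seen_before: bool      # source history: has probed us before
    source_in_global_feeds: bool  # e.g. a known DShield "client"
    inbound: bool                 # direction: outside -> inside
    country_elevated: bool
    # exposure factors: scan data and patch management
    known_vulns: bool
    patched: bool
    unsafe_ports_open: bool
    internet_facing: bool
    # value factors: from the asset's business owner
    critical: bool
    users: int                    # how many rely on the system

ATTACK_POINTS = {"buffer overflow": 30, "sql injection": 30, "scan": 5}  # assumed

def threat_score(e: Event) -> float:  # points sum to 100
    pts = ATTACK_POINTS.get(e.attack_type, 10) + 20 * e.success_likely
    pts += 15 * e.source_seen_before + 15 * e.source_in_global_feeds
    return (pts + 10 * e.inbound + 10 * e.country_elevated) / 100

def exposure_score(e: Event) -> float:  # points sum to 100
    pts = 30 * e.known_vulns + 25 * (not e.patched)
    return (pts + 20 * e.unsafe_ports_open + 25 * e.internet_facing) / 100

def value_score(e: Event) -> float:
    # 60 points if business-critical, up to 40 for "popularity" (capped at 10k users)
    return (60 * e.critical + min(e.users, 10_000) * 40 // 10_000) / 100

def priority(e: Event) -> float:
    # fusion: a threat only matters when it hits an exposed, valuable asset
    return round(threat_score(e) * exposure_score(e) * value_score(e), 3)

def rank(events):  # highest priority first: "what do we patch first?"
    return sorted(((e.name, priority(e)) for e in events), key=lambda t: -t[1])

# constructed samples: the slides' China -> web server case, and a lab box
WEB_ATTACK = Event("china->www", "buffer overflow", True, True, True, True, True,
                   True, False, True, True, True, 10_000)
LAB_SCAN = Event("scan->lab01", "scan", False, False, True, True, False,
                 True, True, False, False, False, 500)
```

`rank([LAB_SCAN, WEB_ATTACK])` puts the exposed, critical web server first (priority 1.0) and the patched, internal lab box last (0.002), which is the prioritization step the methodology slide calls for.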
  • Example Action Planning
    • Using the knowledge base to plot a course
      • Choose and customize recommended workflow: external hacker attack
    • Automate the investigation and mitigation via automated incident management
      • Manage the collaboration: monitoring team to firewall administrators and incident responders
      • Track the results and confirm that no loss occurred
  • Existing Tech for TVI
    • Have this:
      • Log Management or SIEM
      • Intrusion detection
      • Vulnerability remediation and patch management
      • Vulnerability alerting services
      • Global threat web sites
    • Need the TVI methodology, more integration and automation
  • Thanks for Viewing the Presentation
    • Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
    • http://www.chuvakin.org
    • Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org
    • Book on logs is coming soon!
    • See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs