PHDays VII: To Vulnerability Database and beyond

•Download as PPTX, PDF•

1 like•4,084 views

Last Tuesday and Wednesday, May 23-24, I attended PHDays VII conference in Moscow. I was talking there about vulnerability databases and the evolution process of vulnerability assessment tools, as far as I understand it. Read more and watch video: https://avleonov.com/2017/05/29/phdays-vii-to-vulnerability-database-and-beyond/

Data & Analytics

To Vulnerability
Database and
beyond
Alexander Leonov, PHDays 2017

2
#:whoami
- Security Analyst at Mail.Ru Group
- Security Automation blog at avleonov.com

4
CVSS, CPE
Vendor’s
Bug
Exploit
DBs
Media
Advisory
id
remediation
strategy
CERTs
…
…
…
Security Content

5
Home-grown Database
CVSS, CPE
Vendor
Bug
Exploit
DBs
Media
Advisories
id
remediation
strategy
CERTs
Customer’s Side
…
…
…
Home-grown
Vulnerability
Database
parser

Commercial Database
Vulnerability
Base
Search System
Notification Service
Vulnerability Intelligence
6
API

Vulnerability
Base
Search System
Notification Service
Vulnerability Intelligence
API
Applicability Verification
+ Detection Rules & Plugins
+ Transports
Vulnerability
Scanner
+ Dashboards
+ TaskTracker
Vulnerability
Management
+ Infrastructure
context
Threat/Risk
Management
7

Still a Vulnerability Database!
Vulnerability
Base
8
- Vulnerabilities your vendor knows/don’t know
- Vulnerabilities your vendor can/can’t detect in
various modes
- How quickly your vendor adds detection
plugins

Subscriptions?
10
Manual vulnerability tracking
Subscriptions to
all vulnerabilities
Subscriptions
to vulnerabilities
in software we use
Automated
applicability
verification

Subscriptions?
11
Manual vulnerability tracking
Subscriptions to
all vulnerabilities
Subscriptions
to vulnerabilities
in software we use
Automated
applicability
verification
https://telegram.me/vulnersBot

13
Vulnerability Hype
- Researchers can overestimate the importance of vulnerability
for self-promotion
- Hyped vulnerability: really critical or not?
- What is out of scope?

14
Vulnerability Hype
GHOST
CVE-2015-0235
Heartbleed
CVE-2014-0160
Shellshock
CVE-2014-6271
Badlock
CVE-2016-2118
ImageTragick
CVE-2016–3714

16
CVSS
- Every CVSS vector was filled manually by some analyst
- Appear in databases with a significant latency
- For the most vulnerabilities Temporal Vector is not available
- Doesn't express current relevance and criticality based on all
factors

17
CVSS
High / CVSS Base Score : 5.0 Medium
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
High / CVSS Base Score : 9.4 High
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
Heartbleed
CVE-2014-0160
https://www.tenable.com/plugins/index.php?view=single&id=73412
Confidentiality Impact: Complete or Partial?
Integrity Impact: None or Complete?

18
CVSS
“CVSSv3 doesn’t fix the major disparities with data confidentiality.
Instead the whole flawed section is exactly the same.”
https://www.pentestpartners.com/blog/cvssv3-whats-changed-or-why-even-bother/

20
2 characteristics
- "Danger" an assessment of criticality, exploitability
- "Relevance" shows an attention paid to the vulnerability

21
Vulnerability Danger
- CVSS Base Score ↑
- Potential exploitability ↑
- Exploits ↑
- Malware ↑
- Patches ↓
- Detection plugins ↓
- Age ↓

22
Vulnerability Relevance
- Media coverage ↑
- Descriptions ↑
- Detection plugins ↑
- Search queries ↑
- Search results ↑
- Clicks ↑
- Age ↓

28
PoC
WannaCry
SMB v.1 RCE
CVE-2017-0143

29
PoC
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

30
PoC
CVE-2017-2478
Execute arbitrary
code in a privileged
context via a crafted
app
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

31
PoC
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

32
PoC
Latest 3500 CVEs
(max 10 days in Daily
Routine <3.5)

34
Possibilities
- Watch vulnerabilities in dynamics
- Highlight most critical vulnerabilities and groups
- Identify trends
- Have fun :-)

35
Problems
- It’s all about CVEs
One vulnerability - a lot of CVEs
Vulnerabilities without CVEs
- Subjective formulas for Danger and Relevance
- Data sources

36
Thanks!
- Security Automation Blog avleonov.com
- me@avleonov.com

Recently uploaded

Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service9953056974 Low Rate Call Girls In Saket, Delhi NCR

Mature dropshipping via API with DroFx.pptxolyaivanovalion

Probability Grade 10 Third Quarter LessonsJoseMangaJr1

Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...amitlee9823

Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -Pooja Nehwal

Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823

Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...amitlee9823

Anomaly detection and data imputation within time seriesParis Women in Machine Learning and Data Science

➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...amitlee9823

Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...amitlee9823

Capstone Project on IBM Data Analytics ProgramMoniSankarHazra

Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...amitlee9823

Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Standamitlee9823

Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...amitlee9823

Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Valters Lauzums

Predicting Loan Approval: A Data Science ProjectBoston Institute of Analytics

Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Standamitlee9823

Discover Why Less is More in B2B Researchmichael115558

Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightDelhi Call girls

Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...amitlee9823

Recently uploaded (20)

Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service

Mature dropshipping via API with DroFx.pptx

Probability Grade 10 Third Quarter Lessons

Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...

Thane Call Girls 7091864438 Call Girls in Thane Escort service book now -

Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...

Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...

Anomaly detection and data imputation within time series

➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...

Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...

Capstone Project on IBM Data Analytics Program

Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...

Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand

Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...

Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...

Predicting Loan Approval: A Data Science Project

Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand

Discover Why Less is More in B2B Research

Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night

Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...

Featured

How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow

AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork

Skeleton Culture CodeSkeleton Technologies

PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley

Content Methodology: A Best Practices Report (Webinar)contently

How to Prepare For a Successful Job Search for 2024Albert Qian

Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)

Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal

5 Public speaking tips from TED - Visualized summarySpeakerHub

ChatGPT and the Future of Work - Clark Boyd Clark Boyd

Getting into the tech field. what next Tessa Mero

Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray

How to have difficult conversations Rajiv Jayarajah, MAppComm, ACC

Introduction to Data ScienceChristy Abraham Joy

Time Management & Productivity - Best PracticesVit Horky

The six step guide to practical project managementMindGenius

Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36

Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools

12 Ways to Increase Your Influence at WorkGetSmarter

ChatGPT webinar slidesAlireza Esmikhani

Featured (20)

How Race, Age and Gender Shape Attitudes Towards Mental Health

AI Trends in Creative Operations 2024 by Artwork Flow.pdf

Skeleton Culture Code

PEPSICO Presentation to CAGNY Conference Feb 2024

Content Methodology: A Best Practices Report (Webinar)

How to Prepare For a Successful Job Search for 2024

Social Media Marketing Trends 2024 // The Global Indie Insights

Trends In Paid Search: Navigating The Digital Landscape In 2024

5 Public speaking tips from TED - Visualized summary

ChatGPT and the Future of Work - Clark Boyd

Getting into the tech field. what next

Google's Just Not That Into You: Understanding Core Updates & Search Intent

How to have difficult conversations

Introduction to Data Science

Time Management & Productivity - Best Practices

The six step guide to practical project management

Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...

Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...

12 Ways to Increase Your Influence at Work

ChatGPT webinar slides

PHDays VII: To Vulnerability Database and beyond

1. To Vulnerability Database and beyond Alexander Leonov, PHDays 2017

2. 2 #:whoami - Security Analyst at Mail.Ru Group - Security Automation blog at avleonov.com

3. 3 Security Advisories … OVER 9000!

4. 4 CVSS, CPE Vendor’s Bug Exploit DBs Media Advisory id remediation strategy CERTs … … … Security Content

5. 5 Home-grown Database CVSS, CPE Vendor Bug Exploit DBs Media Advisories id remediation strategy CERTs Customer’s Side … … … Home-grown Vulnerability Database parser

6. Commercial Database Vulnerability Base Search System Notification Service Vulnerability Intelligence 6 API

7. Vulnerability Base Search System Notification Service Vulnerability Intelligence API Applicability Verification + Detection Rules & Plugins + Transports Vulnerability Scanner + Dashboards + TaskTracker Vulnerability Management + Infrastructure context Threat/Risk Management 7

8. Still a Vulnerability Database! Vulnerability Base 8 - Vulnerabilities your vendor knows/don’t know - Vulnerabilities your vendor can/can’t detect in various modes - How quickly your vendor adds detection plugins

9. What to do? 9

10. Subscriptions? 10 Manual vulnerability tracking Subscriptions to all vulnerabilities Subscriptions to vulnerabilities in software we use Automated applicability verification

11. Subscriptions? 11 Manual vulnerability tracking Subscriptions to all vulnerabilities Subscriptions to vulnerabilities in software we use Automated applicability verification https://telegram.me/vulnersBot

12. 12 What will explode next? ?!

13. 13 Vulnerability Hype - Researchers can overestimate the importance of vulnerability for self-promotion - Hyped vulnerability: really critical or not? - What is out of scope?

14. 14 Vulnerability Hype GHOST CVE-2015-0235 Heartbleed CVE-2014-0160 Shellshock CVE-2014-6271 Badlock CVE-2016-2118 ImageTragick CVE-2016–3714

15. 15 CVSS

16. 16 CVSS - Every CVSS vector was filled manually by some analyst - Appear in databases with a significant latency - For the most vulnerabilities Temporal Vector is not available - Doesn't express current relevance and criticality based on all factors

17. 17 CVSS High / CVSS Base Score : 5.0 Medium (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) High / CVSS Base Score : 9.4 High (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N) Heartbleed CVE-2014-0160 https://www.tenable.com/plugins/index.php?view=single&id=73412 Confidentiality Impact: Complete or Partial? Integrity Impact: None or Complete?

18. 18 CVSS “CVSSv3 doesn’t fix the major disparities with data confidentiality. Instead the whole flawed section is exactly the same.” https://www.pentestpartners.com/blog/cvssv3-whats-changed-or-why-even-bother/

19. 19 References Heartbleed CVE-2014-0160

20. 20 2 characteristics - "Danger" an assessment of criticality, exploitability - "Relevance" shows an attention paid to the vulnerability

21. 21 Vulnerability Danger - CVSS Base Score ↑ - Potential exploitability ↑ - Exploits ↑ - Malware ↑ - Patches ↓ - Detection plugins ↓ - Age ↓

22. 22 Vulnerability Relevance - Media coverage ↑ - Descriptions ↑ - Detection plugins ↑ - Search queries ↑ - Search results ↑ - Clicks ↑ - Age ↓

23. 23 Quadrants

24. 24 PoC Heartbleed CVE-2014-0160

25. 25 PoC Heartbleed CVE-2014-0160

26. 26 PoC Heartbleed CVE-2014-0160

27. 27 PoC Heartbleed CVE-2014-0160

28. 28 PoC WannaCry SMB v.1 RCE CVE-2017-0143

29. 29 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

30. 30 PoC CVE-2017-2478 Execute arbitrary code in a privileged context via a crafted app Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

31. 31 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

32. 32 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)

33. 33 More vulnerabilities!

34. 34 Possibilities - Watch vulnerabilities in dynamics - Highlight most critical vulnerabilities and groups - Identify trends - Have fun :-)

35. 35 Problems - It’s all about CVEs One vulnerability - a lot of CVEs Vulnerabilities without CVEs - Subjective formulas for Danger and Relevance - Data sources

36. 36 Thanks! - Security Automation Blog avleonov.com - me@avleonov.com

PHDays VII: To Vulnerability Database and beyond

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

PHDays VII: To Vulnerability Database and beyond