Top 10 exploited vulnerabilities 2019 (thus far...)

  1. Exploring The Most Exploited Vulnerabilities of 2019 (so far!)
     Jonathan Cran, Head of Research, Kenna Security. July 16th, 2019
  2. Defining Risk Based Vulnerability Management [figure axes: Impact, Likelihood]
     • Obtain intelligence about what attackers are doing (Likelihood!)
       - Internal sources: IPS / IDS, AV, honeypots
       - External sources: threat feeds, threat exchanges, online chatter
     • Maintain visibility of assets, and how important they are (Impact!)
       - CMDB & vulnerability scanners
       - IAM, Finance, etc. … an extremely long tail
     • Cross-reference intelligence with problems in your environment
       - ATT&CK, CVE, CPE, CWE, internal identifiers
     • Distribute information continuously
  3. Sources of Useful Intelligence
     1. Open Source Intelligence & Dark Web
     2. Intrusion Detection Systems
     3. File-oriented AV analysis APIs - samples from malspam, some APT
     4. Honeypots such as Bad Packets and GreyNoise - internet-wide scans (often focused on compromised IoT or early info gathering)
     5. Local honeypots
     6. Antivirus and endpoint - on-device attempts
  4. So Let’s Explore!
     1. OSINT & Dark Web
     2. IDS Signatures (Events)
     3. Suspicious File Analysis
     All analyzed across 12 months of historical data.
  5. Intelligence Source: Open Source Intelligence (OSINT) and Dark Web
  6. OSINT and Dark Web by Category (All Time); History (All Time) [charts]
  7. OSINT / Dark Web - Sources vs Sightings [chart]
     Example record: CVE-2017-0148, Malware (Historical), 2019-06-23T06:16:34.000Z, 3328 sightings on 1085 sources (sightings × sources = 3,610,880). Most recent link (Jun 23, 2019): https://twitter.com/CybazeSocial/statuses/1142677809225224192
  8. Top 10… OSINT (# Sightings) [chart]
  9. ETERNALBLUE, WannaCry, Petya, NotPetya. Source: Ned Pyle @ Microsoft
  10. Top 10… OSINT (# Sources) [chart]
  11. [chart only]
  12. Top 10… OSINT (# Sources x # Sightings) [chart]
  13. More Recently, CVE-2018-8453 Emerges
  14. FruityArmor & 0day vulnerabilities
     - October 20, 2016 - CVE-2016-3393
     - ...
     - October 10, 2018 - CVE-2018-8453
     - November 14, 2018 - CVE-2018-8589
     - December 12, 2018 - CVE-2018-8611
     - March 13, 2019 - CVE-2019-0797
     Source: securelist.com (Kaspersky)
  15. Recent OSINT by Rule Triggered [chart]
  16. [chart only]
  17. OSINT and Dark Web As a Source
     • APT activity is intermingled with more widespread activity
     • OSINT can be gamed by simply publishing fake information
     • It can be a great leading indicator, and is also helpful for predictions
  18. Intelligence Source: Intrusion Detection Systems
  19. IDS - Unique CVEs by Source [chart]
  20. IDS - CVEs by Event Count (Source 1) [chart]
  21. IDS - CVEs by Event Count (Source 2) [chart]
  22. IDS - Top 10 CVEs by Unique Event Groups [chart]
  23. IDS - Top 10 CVEs by Unique Event Groups (2017+) [chart]
  24. IDS Events As a Source
     • Scanned vulnerabilities drive the high counts - but are they the most important? Normalization by unique CVEs can help
     • Consider placement: Perimeter? Datacenter? Cloud?
     • Helpful to understand the process of signature creation … is it driven by exploits?
  25. Intelligence Source: Suspicious File Analysis
  26. CVEs Detected (unique count - 12 mo) [chart]
  27. CVEs Detected By Product (12 mo) [chart]
  28. Suspicious Files (# days seen - 12 mo) [chart]
  29. Suspicious Files As a Source
     • Microsoft Office dominating this year – fits with common knowledge
     • Less prone to false positives than OSINT, but also requires a signature, so time is needed
     • Significantly less volume than IDS in hits
     • Grounded in signatures (a good thing!)
  30. Let’s combine these sources!
  31. Challenges to a Single “Top X”
     1. Cannot compare on pure count, or weighted counts
     2. Technique-to-detect and perspective matter
     3. Your threat model matters!
     4. Is the vulnerability even still out there?
     Context matters… so where to begin?
  32. Identifying the most exploited CVEs. Methodology:
     • Gathered CVEs identified by all 3 sources
     • Cross-referenced with vulnerability prevalence
     • Ranked from (1) most prevalent to (10) least
     • Tagged with the source that identified the vulnerability in our analysis
  33. Presenting… a Combined Top 10
         CVE              CPE                                  METHOD
      1. CVE-2014-3566    cpe:2.3:o:openssl:openssl            ids 1, 2
      2. CVE-2019-0703    cpe:2.3:o:microsoft:windows_10       ids 1
      3. CVE-2018-8453    cpe:2.3:o:microsoft:windows_10       osint
      4. CVE-2018-8174    cpe:2.3:o:microsoft:windows_10       osint
      5. CVE-2018-15982   cpe:2.3:a:adobe:flash_player         osint
      6. CVE-2017-8759    cpe:2.3:a:microsoft:.net_frame…      file analysis
      7. CVE-2017-0199    cpe:2.3:a:microsoft:office           osint
      8. CVE-2018-4878    cpe:2.3:a:adobe:flash_player         file analysis
      9. CVE-2017-11882   cpe:2.3:a:microsoft:office           osint, file analysis
     10. CVE-2017-11774   cpe:2.3:a:microsoft:outlook          osint
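The four methodology steps on slide 32 (gather CVEs from all three sources, cross-reference with prevalence, rank by prevalence, tag with the identifying source) and the "# Sources x # Sightings" OSINT ranking from slide 12, carried through in code. This is an added example, not Kenna's tooling; every record in it (OSINT sightings, IDS event counts, file-analysis hits and prevalence figures) is constructed sample data, and the CVE identifiers are reused from the slides only as labels. It also applies the slide 31 question "is the vulnerability even still out there?" by dropping CVEs with zero prevalence.

```python
"""Cross-reference three intelligence feeds with vulnerability prevalence and
emit one ranked, source-tagged top list (slide 32 methodology).
Added example, not Kenna's code. All data below is constructed, not telemetry."""
from collections import defaultdict

# Constructed OSINT / dark-web records: (cve, sightings, distinct_sources).
OSINT = [
    ("CVE-2018-8453", 540, 120),
    ("CVE-2017-11882", 3100, 900),
    ("CVE-2018-15982", 210, 60),
    ("CVE-2016-3393", 40, 12),      # chatter exists, but see PREVALENCE below
]

# Constructed IDS event counts per sensor placement: {sensor: {cve: events}}.
IDS_EVENTS = {
    "ids 1": {"CVE-2014-3566": 48000, "CVE-2019-0703": 12000},
    "ids 2": {"CVE-2014-3566": 9100},
}

# Constructed suspicious-file analysis hits: (cve, days_seen_in_12_months).
FILE_HITS = [
    ("CVE-2017-8759", 41),
    ("CVE-2017-11882", 88),
]

# Constructed prevalence: share of scanned assets carrying each CVE (0.0-1.0).
# CVE-2016-3393 is deliberately absent: it is no longer present in this environment.
PREVALENCE = {
    "CVE-2014-3566": 0.31,
    "CVE-2019-0703": 0.22,
    "CVE-2018-8453": 0.17,
    "CVE-2018-15982": 0.09,
    "CVE-2017-8759": 0.06,
    "CVE-2017-11882": 0.04,
}


def osint_rank_key(sightings, sources):
    """Sightings x sources: the product used for the slide 12 OSINT ranking."""
    return sightings * sources


def top_osint(osint, n=3):
    """Top-N OSINT CVEs by sightings x sources (OSINT-only view)."""
    ordered = sorted(osint, key=lambda r: osint_rank_key(r[1], r[2]), reverse=True)
    return [cve for cve, _sightings, _sources in ordered[:n]]


def gather_evidence(osint, ids_events, file_hits):
    """Step 1: union the CVEs named by all three sources, remembering who saw each."""
    evidence = defaultdict(set)
    for cve, _sightings, _sources in osint:
        evidence[cve].add("osint")
    for sensor, events in ids_events.items():
        for cve in events:
            evidence[cve].add(sensor)
    for cve, _days in file_hits:
        evidence[cve].add("file analysis")
    return evidence


def combined_top(osint, ids_events, file_hits, prevalence, n=10):
    """Steps 2-4: cross-reference with prevalence, rank most-to-least prevalent,
    tag each row with the sources that identified it. CVEs with no prevalence
    are dropped: a vulnerability that is not in the environment carries no risk there."""
    evidence = gather_evidence(osint, ids_events, file_hits)
    present = [c for c in evidence if prevalence.get(c, 0.0) > 0.0]
    ranked = sorted(present, key=lambda c: prevalence[c], reverse=True)
    return [
        {"rank": i, "cve": c, "prevalence": prevalence[c], "method": sorted(evidence[c])}
        for i, c in enumerate(ranked[:n], start=1)
    ]


if __name__ == "__main__":
    print("Combined top list (prevalence-ranked, source-tagged):")
    for row in combined_top(OSINT, IDS_EVENTS, FILE_HITS, PREVALENCE):
        print(f"{row['rank']:>2}. {row['cve']:<15} {row['prevalence']:.2f}  "
              f"{', '.join(row['method'])}")
    print("OSINT-only top 3 by sightings x sources:", top_osint(OSINT))
```

The ordering deliberately follows prevalence rather than raw hit counts: the noisiest feed (IDS, with tens of thousands of scan-driven events) does not outrank a lower-volume file-analysis hit unless the vulnerability is actually more widespread in the environment, which is the point slide 31 makes about not comparing sources on pure counts.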
  34. The Real Top 10 … er, Top 3*!
     1) Oracle Java (JDK and JRE)
     2) Adobe Flash Player
     3) Microsoft Office (Word, Excel, etc.)
     … (then everything else)
     * The product list is derived by pulling CPE data from the 255 vulnerabilities scored at 100 on Kenna’s Risk Meter Score.
  35. Context Matters! https://kennasecurity.com/signup hello@kennasecurity.com
  36. Questions