
To Vulnerability Database and beyond

Talk language: Russian

Speaker: Alexander Leonov. Information security automation specialist. For 6 years he took part in the development of vulnerability scanners and compliance management products. He works at the largest Internet company in Russia and is responsible for automated security analysis of a huge and diverse IT infrastructure. He runs the blog avleonov.com, devoted mainly to vulnerability management.

Published in: Technology

  1. To Vulnerability Database and beyond. Alexander Leonov, PHDays 2017
  2. #:whoami
     - Security Analyst at Mail.Ru Group
     - Security Automation blog at avleonov.com
  3. Security Advisories … OVER 9000!
  4. Security Content (diagram): CVSS, CPE; vendor's bug; exploit DBs; media; advisory id; remediation strategy; CERTs; …
  5. Home-grown Database (diagram): the same sources (CVSS, CPE, vendor bug, exploit DBs, media, advisories, advisory id, remediation strategy, CERTs, …) are pulled by a parser on the customer's side into a home-grown vulnerability database
  6. Commercial Database (diagram): Vulnerability Base, Search System, Notification Service, Vulnerability Intelligence, API
  7. Building up from the database (diagram): Vulnerability Base, Search System, Notification Service, Vulnerability Intelligence, API → + Applicability Verification + Detection Rules & Plugins + Transports = Vulnerability Scanner → + Dashboards + TaskTracker = Vulnerability Management → + Infrastructure context = Threat/Risk Management
  8. Still a Vulnerability Database! (Vulnerability Base)
     - Vulnerabilities your vendor knows / doesn't know
     - Vulnerabilities your vendor can / can't detect in various modes
     - How quickly your vendor adds detection plugins
  9. What to do?
  10. Subscriptions? Manual vulnerability tracking → subscriptions to all vulnerabilities → subscriptions to vulnerabilities in software we use → automated applicability verification
  11. Subscriptions? Manual vulnerability tracking → subscriptions to all vulnerabilities → subscriptions to vulnerabilities in software we use → automated applicability verification. https://telegram.me/vulnersBot
  12. What will explode next? ?!
  13. Vulnerability Hype
     - Researchers can overestimate the importance of a vulnerability for self-promotion
     - Hyped vulnerability: really critical or not?
     - What is out of scope?
  14. Vulnerability Hype: GHOST (CVE-2015-0235), Heartbleed (CVE-2014-0160), Shellshock (CVE-2014-6271), Badlock (CVE-2016-2118), ImageTragick (CVE-2016-3714)
  15. CVSS
  16. CVSS
     - Every CVSS vector was filled in manually by some analyst
     - Vectors appear in databases with significant latency
     - For most vulnerabilities the Temporal vector is not available
     - Doesn't express current relevance and criticality based on all factors
  17. CVSS. Heartbleed CVE-2014-0160 (https://www.tenable.com/plugins/index.php?view=single&id=73412):
     - High / CVSS Base Score: 5.0 Medium (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
     - High / CVSS Base Score: 9.4 High (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
     - Confidentiality Impact: Complete or Partial? Integrity Impact: None or Complete?
  18. CVSS. "CVSSv3 doesn't fix the major disparities with data confidentiality. Instead the whole flawed section is exactly the same." https://www.pentestpartners.com/blog/cvssv3-whats-changed-or-why-even-bother/
  19. References: Heartbleed CVE-2014-0160
  20. 2 characteristics
     - "Danger": an assessment of criticality and exploitability
     - "Relevance": shows the attention paid to the vulnerability
  21. Vulnerability Danger: CVSS Base Score ↑, potential exploitability ↑, exploits ↑, malware ↑, patches ↓, detection plugins ↓, age ↓
  22. Vulnerability Relevance: media coverage ↑, descriptions ↑, detection plugins ↑, search queries ↑, search results ↑, clicks ↑, age ↓
  23. Quadrants
  24. PoC: Heartbleed CVE-2014-0160
  25. PoC: Heartbleed CVE-2014-0160
  26. PoC: Heartbleed CVE-2014-0160
  27. PoC: Heartbleed CVE-2014-0160
  28. PoC: WannaCry SMB v.1 RCE CVE-2017-0143
  29. PoC: Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
  30. PoC: CVE-2017-2478 RCE. Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
  31. PoC: Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
  32. PoC: Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
  33. More vulnerabilities!
  34. Possibilities
     - Watch vulnerabilities in dynamics
     - Highlight the most critical vulnerabilities and groups
     - Identify trends
     - Have fun :-)
  35. Problems
     - It's all about CVEs: one vulnerability may have a lot of CVEs, and some vulnerabilities have no CVE at all
     - Subjective formulas for Danger and Relevance
     - Data sources
  36. Thanks! Security Automation Blog avleonov.com; me@avleonov.com
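Slides 20 to 23 list the factors that push Danger and Relevance up or down and then place vulnerabilities in quadrants. The following is an added illustration, not code from the talk: the equal weights, the [0, 1] normalisation and the two sample snapshots are my assumptions, standing in for the formulas the talk itself calls subjective.

```python
# Factors from the slides, with the direction shown there:
# +1 means the factor raises the characteristic, -1 means it lowers it.
DANGER_FACTORS = {
    "cvss_base_score": +1, "potential_exploitability": +1, "exploits": +1, "malware": +1,
    "patches": -1, "detection_plugins": -1, "age": -1,
}
RELEVANCE_FACTORS = {
    "media_coverage": +1, "descriptions": +1, "detection_plugins": +1, "search_queries": +1,
    "search_results": +1, "clicks": +1, "age": -1,
}


def score(features, factors):
    """Equal-weight mean over the factors (an assumption made here, not the talk's formula).

    Each feature is already normalised to [0, 1] by the caller; a missing feature counts as 0.
    Factors marked -1 are inverted, so a fresh, unpatched, undetected bug scores high.
    """
    total = 0.0
    for name, direction in factors.items():
        value = min(1.0, max(0.0, features.get(name, 0.0)))
        total += value if direction > 0 else 1.0 - value
    return round(total / len(factors), 2)


def quadrant(features, threshold=0.5):
    """Place a vulnerability into one of the four Danger x Relevance quadrants."""
    danger = score(features, DANGER_FACTORS)
    relevance = score(features, RELEVANCE_FACTORS)
    label = ("high" if danger >= threshold else "low") + " danger / " + \
            ("high" if relevance >= threshold else "low") + " relevance"
    return danger, relevance, label


# Constructed snapshots (illustrative numbers, not measured data).
HEARTBLEED_AT_DISCLOSURE = {  # hyped and genuinely dangerous: exploits out, no patch yet
    "cvss_base_score": 0.5, "potential_exploitability": 1.0, "exploits": 1.0, "malware": 0.5,
    "patches": 0.0, "detection_plugins": 0.2, "age": 0.0,
    "media_coverage": 1.0, "descriptions": 1.0, "search_queries": 1.0, "search_results": 1.0, "clicks": 1.0,
}
QUIET_RCE = {  # the quadrant to watch: high score, public exploit, nobody writing about it
    "cvss_base_score": 0.9, "potential_exploitability": 0.8, "exploits": 1.0, "malware": 0.0,
    "patches": 0.0, "detection_plugins": 0.0, "age": 0.1,
    "media_coverage": 0.0, "descriptions": 0.1, "search_queries": 0.1, "search_results": 0.1, "clicks": 0.0,
}

if __name__ == "__main__":
    for name, snapshot in (("Heartbleed", HEARTBLEED_AT_DISCLOSURE), ("quiet RCE", QUIET_RCE)):
        print(name, quadrant(snapshot))
```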
