Threat and Vulnerability Intelligence
Anton Chuvakin, Ph.D., GCIA, GCIH, Security Strategist
ISSA NY, November 2003

Overview
- Threat and Vulnerability (T&V) Intelligence (TVI)
- Definitions of threats, vulnerabilities and intelligence
- Threats
- Vulnerabilities
- Sources of information on T&V
- Fusing T and V together
- Acting on T&V intelligence
- Automating TVI
- Example
- Conclusion

Definitions
- Threats: malicious factors with a chance to incur loss
- Vulnerabilities: potential weaknesses and flaws in software, policies and the human factor
- T&V Intelligence: a process to make sense of the above and guide the corrective/preventative action
Security Methodology
1. Collect information on threats and vulnerabilities
2. Organize and correlate the information
3. Analyze its relevance to the organization
4. Determine the needed course of action
5. Prioritize the actions
6. Act!
7. Assess the results

Example? You hear about a new worm on the loose…
- Collect: where and what is said; do you see it yourself?
- Organize: structured report from all sources
- Relevance: will we be affected too?
- Action plan: need to patch all servers!
- Prioritize: what do we patch first?
- Act: do it
- Assess: did it work out? Can we still suffer?

OODA: Observe, Orient, Decide and Act!
Threats
Threat categories:
- Natural and man-made
- Internal and external
- Human and automated
- Known and unknown
- Targeted, industry-specific and universal
Threat agents:
- Hackers
- Insiders
- Competitors
- Malware
- Software and hardware failures

Threat Info Sources
Local:
- Alerts and events from security gear
- Reports on suspicious activity and failures
Global:
- Malware emergence
- Common attack statistics
- New vulnerabilities
- New exploits
- Hacker “chatter” activity

Global Threat Intel: what is out there?
- Free: SANS, DShield, MyNetWatchman, Symantec Analyzer
- Commercial: Symantec DeepSight, ISS XForce
Why should you care? Early warning and preparedness
DShield
MyNetWatchMan
Vulnerabilities
- Software and hardware: from buffer overflows through SQL injection to new bug types…
- Policy and process: from planning to configuring, bad decisions at all stages of the IT process
- People: from ‘bad apples’ to natural weaknesses and persuasion

Vulnerability Info
Local:
- Vulnerability scanning
- Application assessment and code reviews
- Pentesting (systems and humans)
- Audits (from policy to configurations)
Global:
- Vulnerability alerts and advisories
- Mailing lists

Global Vulnerability Intel
- Free: Bugtraq and other lists, Secunia, SANS
- Low cost, “second hand”: ThreatFocus, Sintelli, Secunia, SecurityTracker
- “Original”: iDefense, TruSecure, Symantec, ISS

Why care for global vulnerability intel?
- Less searching
- Fuller coverage
- Filtering by applicability
- Risk level
- Remediation guidance
- Testing
ThreatFocus Alert
Value
When looking at relevance, you need to know business value:
- System value: business critical vs. testing lab
- System role and alignment with mission: e.g. the web server for an eCommerce site
- System “popularity”: how many rely on the system?

TVI “Fusion”: three inputs feed the fused picture
- Threat: attack parameters, source and destination investigative info, attacker history, direction, global situation, etc.
- Value: value, popularity and role from the asset’s business owners
- Exposure: scan data, ports, unsafe applications, patch level, OS type

Acting on TVI
- Use the knowledge base to plot a course
- Choose and customize recommended investigative and mitigation workflows
- Update the knowledge base with lessons learned
- Automate the investigation and mitigation via automated incident management
- Provide investigative tools
- Manage the collaboration
- Track the results and confirm that no loss occurred

Presenting the Results: visualization and reporting
Views of collected information:
- Threat and vulnerability picture
- Correlated picture
- Relevance
- Priorities
- Action status
- Long term profile

More Automation!?
Automating T&V Intelligence via threat and exposure algorithms
- Benefits: accelerate the OODA loop: faster, better
- Limitations: cannot automate the full cycle; still needs a human to decide and act
- Enabling/empowering, not replacing
Example
IDS reports an attack from an IP address in China against a web server

Threat Algorithm Example (same event)
- Device type: Snort NIDS
- Attack type: buffer overflow
- Success: likely
- Source history: has probed us before
- Global threat: common DShield “client”
- Direction: attack from outside to inside
- Country: elevated threat

Exposure Algorithm Example (same event)
- OS: Windows server
- Vulnerabilities: has known vulnerabilities
- Applications: has IIS
- Patch status: not up to date
- Exposures: has open ‘unsafe’ ports
- Network visibility: exposed to Internet

Including Value (same event)
- Value: critical server
- Role: main web server
- Used by: all the customers
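The fusion of the threat, exposure and value inputs for this event, as an added worked example that is not part of the deck: a toy scorer that turns the three factor lists above into one priority band. The factor names, weights, thresholds and the multiplicative combination are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Weights are assumptions for illustration; tune them to your own environment.
THREAT_WEIGHTS = {
    "attack_buffer_overflow": 3,   # attack class that can yield code execution
    "success_likely": 3,           # IDS/analyst judged the attempt likely to succeed
    "source_probed_us_before": 2,  # source history: same address seen previously
    "global_dshield_client": 1,    # global threat: address widely reported
    "direction_outside_in": 1,     # attack direction: Internet to inside
    "country_elevated": 1,         # source country at elevated threat level
}
EXPOSURE_WEIGHTS = {
    "known_vulnerabilities": 3,    # scanner reports known flaws on the target
    "runs_iis": 2,                 # application the attack class targets is present
    "patches_out_of_date": 3,
    "unsafe_ports_open": 1,
    "internet_exposed": 2,         # network visibility: reachable from outside
}
VALUE_WEIGHTS = {"critical": 3, "important": 2, "lab": 1}  # from the asset owner

@dataclass(frozen=True)
class Event:
    threat: frozenset    # keys of THREAT_WEIGHTS observed for this event
    exposure: frozenset  # keys of EXPOSURE_WEIGHTS true for the target
    value: str           # key of VALUE_WEIGHTS for the target

def fusion_score(ev: Event) -> int:
    """Multiply the three sides so a zero on any side zeroes the priority,
    e.g. a credible attack against a target with no exposure at all."""
    t = sum(THREAT_WEIGHTS[f] for f in ev.threat)      # KeyError on unknown factor
    e = sum(EXPOSURE_WEIGHTS[f] for f in ev.exposure)
    return t * e * VALUE_WEIGHTS[ev.value]

def priority(score: int) -> str:
    """Map the score (max 11 * 11 * 3 = 363 with these weights) to an action band."""
    if score >= 200:
        return "immediate"
    if score >= 60:
        return "high"
    return "medium" if score >= 10 else "low"

# Constructed input: the deck's event with every listed factor present.
SLIDE_EVENT = Event(frozenset(THREAT_WEIGHTS), frozenset(EXPOSURE_WEIGHTS), "critical")
# Constructed contrast: same attack against an Internet-facing lab box with no other exposure.
LAB_EVENT = Event(frozenset(THREAT_WEIGHTS), frozenset({"internet_exposed"}), "lab")

if __name__ == "__main__":
    for name, ev in (("slide event", SLIDE_EVENT), ("lab event", LAB_EVENT)):
        s = fusion_score(ev)
        print(f"{name}: score={s} priority={priority(s)}")
```

The contrast case shows why value and exposure belong in the loop: the identical Snort alert ranks "immediate" for the customer-facing server and only "medium" for the lab box.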
Example Action Planning
- Use the knowledge base to plot a course
- Choose and customize the recommended workflow: external hacker attack
- Automate the investigation and mitigation via automated incident management
- Manage the collaboration: monitoring team to firewall administrators and incident responders
- Track the results and confirm that no loss occurred

Existing Tech for TVI
Have this:
- Log Management or SIEM
- Intrusion detection
- Vulnerability remediation and patch management
- Vulnerability alerting services
- Global threat web sites
Need: the TVI methodology, more integration and automation

Thanks for Viewing the Presentation
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
Author of “Security Warrior” (O’Reilly): http://www.securitywarrior.org
Book on logs is coming soon!
See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs