Anton Chuvakin on Threat and Vulnerability Intelligence

Threat and Vulnerability Intelligence Anton Chuvakin, Ph.D., GCIA, GCIH Security Strategist ISSA NY November 2003

Overview Threat and Vulnerability (T&V) Intelligence (TVI) Definitions of threats, vulnerabilities and intelligence Threats Vulnerabilities Sources of information on T & V Fusing T and V together Acting on T&V intelligence Automating TVI Example Conclusion

Definitions Threats Malicious factors with a chance to incur loss Vulnerabilities Potential weaknesses and flaws in software, policies and human factor T&V Intelligence A process to make sense of the above and guide the corrective/preventative action

Security Methodology Collect information on threats and vulnerabilities Organize and correlate the information Analyze its relevance to the organization Determine needed course of action Prioritize the actions Act ! Assess the results

Example? You hear about a new worm on the loose… Collect : where and what is said, do you see it Organize : structured report from all sources Relevance : will we be affected too? Action plan: need to patch all servers! Prioritize : what do we patch first? Act :do it Assess : did it work out? Can we still suffer?

OODA Observe, Orient, Decide and Act!

Threats Threat categories Natural and man-made Internal and external Human and automated Known and unknown Targeted and industry-specific and universal Threat agents Hackers Insiders Competitors Malware Software and hardware failures

Threat Info Sources Local Alerts and events from security gear Reports on suspicious activity and failures Global Malware emergence Common attack statistics New vulnerabilities New exploits Hacker “chatter” activity

Global Threat Intel What is out there? Free SANS DShield MyNetWatchman Symantec Analyzer Commercial Symantec DeepSight ISS XForce Why should you care? Early warning and preparedness

Vulnerabilities Software and hardware From buffer overflows thru SQL injection to new bug types… Policy and process From planning to configuring: bad decisions on all stages of IT process People From ‘bad apples’ to natural weaknesses and persuasion

Vulnerability Info Local Vulnerability scanning Application assessment and code reviews Pentesting (systems and humans) Audits (from policy to configurations) Global Vulnerability alerts and advisories Mailing lists

Global Vulnerability Intel Free: Bugtraq and other lists, Secunia, SANS Low costs “second hand” ThreatFocus, Sintelli, Secunia, SecurityTracker “ Original” iDefense, TruSecure, Symantec, ISS

Why care? Why care for global vulnerability intel? Less searching Fuller coverage Filtering by applicability Risk level Remediation guidance Testing

Value When looking at relevance, need to know business value System value Business critical vs testing lab System role and alignment with mission Web server for eCommerce site System “popularity” How many rely on the system?

Attack parameters, source and destination investigative info, attacker history, direction, global situation, etc Value, popularity, role from the asset’s business owners Scan data, ports, unsafe applications, patch level, OS type TVI “Fusion”

Acting on TVI Using the knowledge base to plot a course Choose and customize recommended investigative and mitigation workflows Update the knowledge base with lessons learned Automate the investigation and mitigation via automated incident management Provide investigative tools Manage the collaboration Track the results and confirm that no loss occurred

Presenting the Results Visualization and reporting Views of collected information Threat, vulnerability picture Correlated picture Relevance Priorities Action status Long term profile

More Automation!? Automating T&V Intelligence via threat and exposure algorithms Benefits: Accelerate OODA loop: faster, better Limitations: Cannot automate full cycle Still needs a human to decide and act Enabling/empowering and not replacing

Example IDS reports an attack from an IP address in China against a web server

Threat Algorithm Example IDS reports an attack from an IP address in China against a web server Device type : Snort NIDS Attack type : buffer overflow Success : likely Source history : has probed us before Global threat : common DShield “client” Direction : attack from outside to inside Country : elevated threat

Exposure Algorithm Example IDS reports an attack from an IP address in China against a web server OS : Windows server Vulnerabilities : has known vulnerabilities Applications: has IIS Patch status : not up to date Exposures : has open ‘unsafe’ ports Network visibility : exposed to Internet

Including Value Example IDS reports an attack from an IP address in China against a web server Value : critical server Role : main web server Used by : all the customers

Example Action Planning Using the knowledge base to plot a course Choose and customize recommended workflow: external hacker attack Automate the investigation and mitigation via automated incident management Manage the collaboration : monitoring team to firewall administrators and incident responders Track the results and confirm that no loss occurred

Existing Tech for TVI Have this: Log Management or SIEM Intrusion detection Vulnerability remediation and patch management Vulnerability alerting services Global threat web sites Need the TVI methodology, more integration and automation

Thanks for Viewing the Presentation Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA http://www.chuvakin.org Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org Book on logs is coming soon! See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs

Anton Chuvakin on Threat and Vulnerability Intelligence

More Related Content

What's hot

Similar to Anton Chuvakin on Threat and Vulnerability Intelligence

More from Anton Chuvakin

Recently uploaded

Anton Chuvakin on Threat and Vulnerability Intelligence