SlideShare a Scribd company logo

CVE Analysis using vFeed

Download as PPTX, PDF
DNIF
DNIF

In this presentation, we talk about actual use cases that can be created in DNIF to leverage the additional information provided by vFeed based on attack CVEs and related CAPEC information. This presentation was demonstrated live during the DNIF Konnect session held on 4th July 2019 - You can watch the complete session here: https://youtu.be/owp1q-XoBoc?t=1170

Technology
1 of 22
© Copyright 2018 NETMONASTERY Inc CVE Analysis using vFeed 1 NETMONASTERY Inc.
© Copyright 2018 NETMONASTERY Inc - CVEs (Common Vulnerabilities and Exposures) provide a standard identifier for a given vulnerability or exposure that could be used by hackers as a stepping stone into a system or the network. - DNIF with the help of vFeed help analyze CVEs using various functions that help obtain additional information like CWE ID and CAPEC details. Using vFeed with DNIF for CVE Analysis and Raising Tickets
© Copyright 2018 NETMONASTERY Inc 3 Query 1
© Copyright 2018 NETMONASTERY Inc _fetch * from event where $Duration=7d AND $LogName=CHECKPOINT limit 1 >>_field $Keyword string “OpenSSL” >>_lookup vfeed-pro keyword_to_cve $Keyword >>_agg count_unique $CVE DNIF Query
© Copyright 2018 NETMONASTERY Inc - In the first line of the query we are fetching logs from the Checkpoint firewall for a duration of seven days, for example purposes we are limiting the query result to only one output. - In the second line of the query we are looking to add a field called $Keyword and we wish to add “OpenSSL” as the string value that should populate the field. (In this example we have used the String value “OpenSSL” which exists in the Checkpoint Firewall logs, this can also be done for string values that do not exist in the logs) - In the third line of the query, we perform a lookup via vFeed Professional using the function “keyword_to_cve “ for the inputs of the $Keyword field - In the last line of the query we aggregate the unique CVEs obtained in the output as shown in following screenshot DNIF Query
© Copyright 2018 NETMONASTERY Inc
© Copyright 2018 NETMONASTERY Inc 7 Query 2
© Copyright 2018 NETMONASTERY Inc _fetch * from event where $Duration=7d AND $LogName=CHECKPOINT limit 1 >>_field $Keyword string “Excel” >>_lookup vfeed-pro keyword_to_cve $Keyword >>_agg count_unique $CVE DNIF Query
© Copyright 2018 NETMONASTERY Inc - In this example, we have used the String value “Excel” which does not exist in the Checkpoint Firewall logs. We can however still run a vFeed lookup for all the CVEs in relation to the keyword “Excel” DNIF Query
© Copyright 2018 NETMONASTERY Inc
© Copyright 2018 NETMONASTERY Inc 11 Query 3
© Copyright 2018 NETMONASTERY Inc _fetch * from event where $Duration=7d AND $LogName=CHECKPOINT group count_unique $CVE limit 10 DNIF Query
© Copyright 2018 NETMONASTERY Inc - In this query we are fetching logs from the Checkpoint firewall for a duration of seven days and we are grouping the CVEs by their unique counts. - We then add a context menu that will help us deep dive into a particular CVE. By using the context menu option, we ensure that any further analysis can be done by a simple right click. DNIF Query
© Copyright 2018 NETMONASTERY Inc
© Copyright 2018 NETMONASTERY Inc
© Copyright 2018 NETMONASTERY Inc
© Copyright 2018 NETMONASTERY Inc 17 Query 4
© Copyright 2018 NETMONASTERY Inc _fetch * from event where $LogName=CHECKPOINT AND $Duration=30d group count_unique $CVE , $LogName, $SrcIP, $AtkDesc limit 1 >>_lookup vfeed-pro get_cvss3_score $CVE >>_checkif int_compare $VFCVSS3Base > 7 include >>_raise module dnif_konnect high_severity_vulnerability_detected $CVE 4 12h >>_trigger api freshdesk create_ticket High Severity Vulnerability detected : , $CVE , CVE.txt DNIF Query
© Copyright 2018 NETMONASTERY Inc DNIF Query - In this query we are checking for Checkpoint firewall logs in the duration of 30 days. We are grouping all the unique CVEs along with the log name, source IP and attack description - We are now running a lookup on vFeeds Professional where in we are retrieving the CVSS3 details for the CVE - Here we are checking and comparing if the CVSS3 base score is greater than 7 as the scores that fall between 7 and 9 are categorized as high severity vulnerabilities. If they satisfy the condition, we include the results in the next pipelined query. - Based on the results of the earlier query, we raise the following module “High Severity Vulnerability Detected” - As the final step we go ahead and raise a ticket in Freshdesk from Freshworks using the Freshdesk API
© Copyright 2018 NETMONASTERY Inc
© Copyright 2018 NETMONASTERY Inc
© Copyright 2018 NETMONASTERY Inc Thank You 22

Recommended

Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Cysinfo Cyber Security Community
 
Kaspersky Threat Intelligence Portal and DNIF Use Cases
Kaspersky Threat Intelligence Portal and DNIF Use Cases Kaspersky Threat Intelligence Portal and DNIF Use Cases
Kaspersky Threat Intelligence Portal and DNIF Use Cases DNIF
 
Re-checking the ReactOS project - a large report
Re-checking the ReactOS project - a large reportRe-checking the ReactOS project - a large report
Re-checking the ReactOS project - a large reportPVS-Studio
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatVladyslav Radetsky
 
soscon2018 - Tracing for fun and profit
soscon2018 - Tracing for fun and profitsoscon2018 - Tracing for fun and profit
soscon2018 - Tracing for fun and profithanbeom Park
 
[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to Test[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to TestZsolt Fabok
 
Automating Performance Monitoring at Microsoft
Automating Performance Monitoring at MicrosoftAutomating Performance Monitoring at Microsoft
Automating Performance Monitoring at MicrosoftThousandEyes
 
The Little Unicorn That Could
The Little Unicorn That CouldThe Little Unicorn That Could
The Little Unicorn That CouldPVS-Studio
 

Recommended

Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Advanced malware analysis training session11 part2 dissecting the heart beat ...
Advanced malware analysis training session11 part2 dissecting the heart beat ...Cysinfo Cyber Security Community
 
Kaspersky Threat Intelligence Portal and DNIF Use Cases
Kaspersky Threat Intelligence Portal and DNIF Use Cases Kaspersky Threat Intelligence Portal and DNIF Use Cases
Kaspersky Threat Intelligence Portal and DNIF Use Cases DNIF
 
Re-checking the ReactOS project - a large report
Re-checking the ReactOS project - a large reportRe-checking the ReactOS project - a large report
Re-checking the ReactOS project - a large reportPVS-Studio
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatVladyslav Radetsky
 
soscon2018 - Tracing for fun and profit
soscon2018 - Tracing for fun and profitsoscon2018 - Tracing for fun and profit
soscon2018 - Tracing for fun and profithanbeom Park
 
[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to Test[xp2013] Narrow Down What to Test
[xp2013] Narrow Down What to TestZsolt Fabok
 
Automating Performance Monitoring at Microsoft
Automating Performance Monitoring at MicrosoftAutomating Performance Monitoring at Microsoft
Automating Performance Monitoring at MicrosoftThousandEyes
 
The Little Unicorn That Could
The Little Unicorn That CouldThe Little Unicorn That Could
The Little Unicorn That CouldPVS-Studio
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmJameel Nabbo
 
Netwitness RT - Don’t scratch that patch.pptx
Netwitness RT - Don’t scratch that patch.pptxNetwitness RT - Don’t scratch that patch.pptx
Netwitness RT - Don’t scratch that patch.pptxStefano Maccaglia
 
Sony C#/.NET component set analysis
Sony C#/.NET component set analysisSony C#/.NET component set analysis
Sony C#/.NET component set analysisPVS-Studio
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesYuji Kosuga
 
Profiling your Java Application
Profiling your Java ApplicationProfiling your Java Application
Profiling your Java ApplicationVictor Rentea
 
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docx
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docxPRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docx
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docxharrisonhoward80223
 
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018Amazon Web Services
 
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...Amazon Web Services
 
Ane for 9ria_cn
Ane for 9ria_cnAne for 9ria_cn
Ane for 9ria_cnsonicxs
 
Long-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine VLong-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine VPVS-Studio
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsPVS-Studio
 
Lesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP ApplicationsLesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP ApplicationsZendCon
 
Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleДоступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleTimur Bagirov
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgePVS-Studio
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects Andrey Karpov
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueKarlFrank99
 
Checking 7-Zip with PVS-Studio analyzer
Checking 7-Zip with PVS-Studio analyzerChecking 7-Zip with PVS-Studio analyzer
Checking 7-Zip with PVS-Studio analyzerPVS-Studio
 
Beyond blacklists - A cyber threat intelligence perspective
Beyond blacklists - A cyber threat intelligence perspectiveBeyond blacklists - A cyber threat intelligence perspective
Beyond blacklists - A cyber threat intelligence perspectiveDNIF
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOARDNIF
 

More Related Content

Similar to CVE Analysis using vFeed

IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit frameworkPawanKesharwani
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmJameel Nabbo
 
Netwitness RT - Don’t scratch that patch.pptx
Netwitness RT - Don’t scratch that patch.pptxNetwitness RT - Don’t scratch that patch.pptx
Netwitness RT - Don’t scratch that patch.pptxStefano Maccaglia
 
Sony C#/.NET component set analysis
Sony C#/.NET component set analysisSony C#/.NET component set analysis
Sony C#/.NET component set analysisPVS-Studio
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesYuji Kosuga
 
Profiling your Java Application
Profiling your Java ApplicationProfiling your Java Application
Profiling your Java ApplicationVictor Rentea
 
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docx
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docxPRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docx
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docxharrisonhoward80223
 
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018Amazon Web Services
 
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...Amazon Web Services
 
Ane for 9ria_cn
Ane for 9ria_cnAne for 9ria_cn
Ane for 9ria_cnsonicxs
 
Long-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine VLong-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine VPVS-Studio
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsPVS-Studio
 
Lesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP ApplicationsLesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP ApplicationsZendCon
 
Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleДоступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleTimur Bagirov
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgePVS-Studio
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects Andrey Karpov
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueKarlFrank99
 
Checking 7-Zip with PVS-Studio analyzer
Checking 7-Zip with PVS-Studio analyzerChecking 7-Zip with PVS-Studio analyzer
Checking 7-Zip with PVS-Studio analyzerPVS-Studio
 

Similar to CVE Analysis using vFeed (20)

IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholm
 
Netwitness RT - Don’t scratch that patch.pptx
Netwitness RT - Don’t scratch that patch.pptxNetwitness RT - Don’t scratch that patch.pptx
Netwitness RT - Don’t scratch that patch.pptx
 
Sony C#/.NET component set analysis
Sony C#/.NET component set analysisSony C#/.NET component set analysis
Sony C#/.NET component set analysis
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation Vulnerabilities
 
Profiling your Java Application
Profiling your Java ApplicationProfiling your Java Application
Profiling your Java Application
 
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docx
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docxPRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docx
PRG 420 Week 3 Individual Assignment Netbeans Project (annual co.docx
 
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
 
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...
High Velocity DevOps: Four Ways to Leverage CloudFront in Faster DevOps Workf...
 
Ane for 9ria_cn
Ane for 9ria_cnAne for 9ria_cn
Ane for 9ria_cn
 
Long-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine VLong-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine V
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source Components
 
Lesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP ApplicationsLesser Known Security Problems in PHP Applications
Lesser Known Security Problems in PHP Applications
 
Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleДоступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence technique
 
Checking 7-Zip with PVS-Studio analyzer
Checking 7-Zip with PVS-Studio analyzerChecking 7-Zip with PVS-Studio analyzer
Checking 7-Zip with PVS-Studio analyzer
 

More from DNIF

Beyond blacklists - A cyber threat intelligence perspective
Beyond blacklists - A cyber threat intelligence perspectiveBeyond blacklists - A cyber threat intelligence perspective
Beyond blacklists - A cyber threat intelligence perspectiveDNIF
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOARDNIF
 
A closer look at CTF challenges
A closer look at CTF challengesA closer look at CTF challenges
A closer look at CTF challengesDNIF
 
Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATION
Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATIONThreat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATION
Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATIONDNIF
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security EssentialsDNIF
 
Importance of having a vulnerability management | Vfeed
Importance of having a vulnerability management | Vfeed Importance of having a vulnerability management | Vfeed
Importance of having a vulnerability management | Vfeed DNIF
 
Anatomy of Persistence Techniques & Strategies to Detect
Anatomy of Persistence Techniques & Strategies to DetectAnatomy of Persistence Techniques & Strategies to Detect
Anatomy of Persistence Techniques & Strategies to DetectDNIF
 
User Behavior Analytics Using Machine Learning
User Behavior Analytics Using Machine LearningUser Behavior Analytics Using Machine Learning
User Behavior Analytics Using Machine LearningDNIF
 
Process Whitelisting With VirusTotal
Process Whitelisting With VirusTotalProcess Whitelisting With VirusTotal
Process Whitelisting With VirusTotalDNIF
 
VirusTotal Threat Intelligence and DNIF Use Cases
VirusTotal Threat Intelligence and DNIF Use CasesVirusTotal Threat Intelligence and DNIF Use Cases
VirusTotal Threat Intelligence and DNIF Use CasesDNIF
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Data Analytics in Cyber Security
Data Analytics in Cyber SecurityData Analytics in Cyber Security
Data Analytics in Cyber SecurityDNIF
 
Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)DNIF
 
Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)DNIF
 
Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)DNIF
 

More from DNIF (15)

Beyond blacklists - A cyber threat intelligence perspective
Beyond blacklists - A cyber threat intelligence perspectiveBeyond blacklists - A cyber threat intelligence perspective
Beyond blacklists - A cyber threat intelligence perspective
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
 
A closer look at CTF challenges
A closer look at CTF challengesA closer look at CTF challenges
A closer look at CTF challenges
 
Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATION
Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATIONThreat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATION
Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATION
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
 
Importance of having a vulnerability management | Vfeed
Importance of having a vulnerability management | Vfeed Importance of having a vulnerability management | Vfeed
Importance of having a vulnerability management | Vfeed
 
Anatomy of Persistence Techniques & Strategies to Detect
Anatomy of Persistence Techniques & Strategies to DetectAnatomy of Persistence Techniques & Strategies to Detect
Anatomy of Persistence Techniques & Strategies to Detect
 
User Behavior Analytics Using Machine Learning
User Behavior Analytics Using Machine LearningUser Behavior Analytics Using Machine Learning
User Behavior Analytics Using Machine Learning
 
Process Whitelisting With VirusTotal
Process Whitelisting With VirusTotalProcess Whitelisting With VirusTotal
Process Whitelisting With VirusTotal
 
VirusTotal Threat Intelligence and DNIF Use Cases
VirusTotal Threat Intelligence and DNIF Use CasesVirusTotal Threat Intelligence and DNIF Use Cases
VirusTotal Threat Intelligence and DNIF Use Cases
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Data Analytics in Cyber Security
Data Analytics in Cyber SecurityData Analytics in Cyber Security
Data Analytics in Cyber Security
 
Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)Mastering Next Gen SIEM Use Cases (Part 3)
Mastering Next Gen SIEM Use Cases (Part 3)
 
Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)Mastering Next Gen SIEM Use Cases (Part 2)
Mastering Next Gen SIEM Use Cases (Part 2)
 
Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)Mastering Next Gen SIEM Use Cases (Part 1)
Mastering Next Gen SIEM Use Cases (Part 1)
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

CVE Analysis using vFeed

  • 1. © Copyright 2018 NETMONASTERY Inc CVE Analysis using vFeed 1 NETMONASTERY Inc.
  • 2. © Copyright 2018 NETMONASTERY Inc - CVEs (Common Vulnerabilities and Exposures) provide a standard identifier for a given vulnerability or exposure that could be used by hackers as a stepping stone into a system or the network. - DNIF with the help of vFeed help analyze CVEs using various functions that help obtain additional information like CWE ID and CAPEC details. Using vFeed with DNIF for CVE Analysis and Raising Tickets
  • 3. © Copyright 2018 NETMONASTERY Inc 3 Query 1
  • 4. © Copyright 2018 NETMONASTERY Inc _fetch * from event where $Duration=7d AND $LogName=CHECKPOINT limit 1 >>_field $Keyword string “OpenSSL” >>_lookup vfeed-pro keyword_to_cve $Keyword >>_agg count_unique $CVE DNIF Query
  • 5. © Copyright 2018 NETMONASTERY Inc - In the first line of the query we are fetching logs from the Checkpoint firewall for a duration of seven days, for example purposes we are limiting the query result to only one output. - In the second line of the query we are looking to add a field called $Keyword and we wish to add “OpenSSL” as the string value that should populate the field. (In this example we have used the String value “OpenSSL” which exists in the Checkpoint Firewall logs, this can also be done for string values that do not exist in the logs) - In the third line of the query, we perform a lookup via vFeed Professional using the function “keyword_to_cve “ for the inputs of the $Keyword field - In the last line of the query we aggregate the unique CVEs obtained in the output as shown in following screenshot DNIF Query
  • 6. © Copyright 2018 NETMONASTERY Inc
  • 7. © Copyright 2018 NETMONASTERY Inc 7 Query 2
  • 8. © Copyright 2018 NETMONASTERY Inc _fetch * from event where $Duration=7d AND $LogName=CHECKPOINT limit 1 >>_field $Keyword string “Excel” >>_lookup vfeed-pro keyword_to_cve $Keyword >>_agg count_unique $CVE DNIF Query
  • 9. © Copyright 2018 NETMONASTERY Inc - In this example, we have used the String value “Excel” which does not exist in the Checkpoint Firewall logs. We can however still run a vFeed lookup for all the CVEs in relation to the keyword “Excel” DNIF Query
  • 10. © Copyright 2018 NETMONASTERY Inc
  • 11. © Copyright 2018 NETMONASTERY Inc 11 Query 3
  • 12. © Copyright 2018 NETMONASTERY Inc _fetch * from event where $Duration=7d AND $LogName=CHECKPOINT group count_unique $CVE limit 10 DNIF Query
  • 13. © Copyright 2018 NETMONASTERY Inc - In this query we are fetching logs from the Checkpoint firewall for a duration of seven days and we are grouping the CVEs by their unique counts. - We then add a context menu that will help us deep dive into a particular CVE. By using the context menu option, we ensure that any further analysis can be done by a simple right click. DNIF Query
  • 14. © Copyright 2018 NETMONASTERY Inc
  • 15. © Copyright 2018 NETMONASTERY Inc
  • 16. © Copyright 2018 NETMONASTERY Inc
  • 17. © Copyright 2018 NETMONASTERY Inc 17 Query 4
  • 18. © Copyright 2018 NETMONASTERY Inc _fetch * from event where $LogName=CHECKPOINT AND $Duration=30d group count_unique $CVE , $LogName, $SrcIP, $AtkDesc limit 1 >>_lookup vfeed-pro get_cvss3_score $CVE >>_checkif int_compare $VFCVSS3Base > 7 include >>_raise module dnif_konnect high_severity_vulnerability_detected $CVE 4 12h >>_trigger api freshdesk create_ticket High Severity Vulnerability detected : , $CVE , CVE.txt DNIF Query
  • 19. © Copyright 2018 NETMONASTERY Inc DNIF Query - In this query we are checking for Checkpoint firewall logs in the duration of 30 days. We are grouping all the unique CVEs along with the log name, source IP and attack description - We are now running a lookup on vFeeds Professional where in we are retrieving the CVSS3 details for the CVE - Here we are checking and comparing if the CVSS3 base score is greater than 7 as the scores that fall between 7 and 9 are categorized as high severity vulnerabilities. If they satisfy the condition, we include the results in the next pipelined query. - Based on the results of the earlier query, we raise the following module “High Severity Vulnerability Detected” - As the final step we go ahead and raise a ticket in Freshdesk from Freshworks using the Freshdesk API
  • 20. © Copyright 2018 NETMONASTERY Inc
  • 21. © Copyright 2018 NETMONASTERY Inc
  • 22. © Copyright 2018 NETMONASTERY Inc Thank You 22