SECURITY TEA LEAVES
NOVEMBER 2013

Ed Bellis, Founder & CEO of Risk I/O, @ebellis

Matt Johansen, Threat Research Center Manager, @mattjay

SPEAKERS

Ed Bellis
Co-Founder, CEO

• Contributing Author, Beautiful Security
• Manages 50M+ vulnerabilities daily
• Background in Baseball
• Former Orbitz CISO, 20+ years experience
• I'm hiring… a lot…

© 2013 Risk IO, Inc.

Matt Johansen
Threat Research Center Manager

• BlackHat, DEFCON, RSA Speaker
• Oversees assessment of 15,000+ websites
• Background in Penetration Testing
• Hacker turned Management
• I'm hiring… a lot…

© 2013 WhiteHat Security, Inc.

NICE TO MEET YOU

✓ Data-Driven Vulnerability Intelligence Platform
✓ DataWeek 2012 Top Security Innovator
✓ Chicago & San Francisco
✓ Processing 50M+ Vulnerabilities Daily

ABOUT

WhiteHat Security, Inc.
3970 Freedom Cir #200, Santa Clara, CA 95054

• Founded 2001
• Headquartered in Santa Clara, CA
• Employees: 260+
• WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
• Customers: 500+ (banking, retail, healthcare, etc.)
Founded in 2001 by Jeremiah Grossman–a former Yahoo! information security officer–WhiteHat
combines a revolutionary, cloud-based technology platform with a team of leading security experts to
help customers in the toughest, most regulated industries, including e-commerce, financial services,
information technology, healthcare and more.
Dozens of companies in the Fortune 500 rely on WhiteHat to help them prevent website attacks that
could cost them millions.

REPORT

WhiteHat Stats Report
In a recent customer survey for our 2012 WhiteHat Stats report we asked what the major reason to fix a vulnerability was.
Answer: Compliance
We also asked, if a choice was made to NOT fix a vulnerability, what the major reason was.
Answer: Compliance.
Something is wrong with this picture. How do we better prioritize finding and fixing vulnerabilities in our web applications?

COUNTERTERRORISM

• Known Groups
• Past Incidents, Close Calls
• Threat Intel, Analysts
• Targets, Layouts
• Surveillance

INFOSEC?

DATA

Data pieces
• Industry Vuln Data: WhiteHat Stats Report
• Industry Attack Data: Imperva WAF traffic report, Verizon DBIR
• In House Vuln Data: Find your vulns!
• In House Attack Data: What are the attackers using against YOU!

DEFEND LIKE YOU’VE DONE IT BEFORE

• Groups, Motivations
• Learning from Breaches
• Asset Topology, Actual Vulns on System
• Vulnerability Definitions
• Exploits

WORK WITH WHAT YOU’VE GOT

• Akamai, Safenet
• NVD, MITRE
• ExploitDB, Metasploit

ARTICLES

Blackhats
Talking to Blackhats gives us great intelligence, even if it’s not always 100% reliable intel.

For those of you who didn’t see the blog posts:
• Blackhat part 1
• Blackhat part 2
• Blackhat part 3

DATA

Most Used Vulns?
“What are the most used web based vulnerabilities?”
Answer:
• “Adam” admits that he doesn’t keep track
• However, he believed that in his world XSS and SQL injection are the most used

VULNERABILITY

OWASP 2013 RC
“As you read the OWASP top 10 release candidate for 2013, does the order make sense in terms of how risky and/or common they are for companies to have in their sites if you are going to attack them?”
Answer:
• OWASP release candidate is unhelpful (to put it politely).
• The concept of top 10 vulnerabilities is “stupid, flawed and inaccurate.”
• For it to be accurate he felt that you would have to update it daily, which is, of course, practically impossible.

VULNERABILITY

Esoteric Vulns?
“How do you feel about LDAP injection, XML injection and XPath injection?”
Answer:
• “gangs” tend not to share information
• However, he wasn’t aware of anyone who was using those.

VULNERABILITY

Useful Vulns?
“What are the characteristics of a "good" web application vulnerability?”
Answer:
• Fast to exploit
• Persistent
• Full access (root)
• Ability to deface/redirect
• Ability to wipe IP logs

VULNERABILITY

Preferred Vulns?
“Do blackhats prefer command injection, SQL injection and brute force?”
Answer:
• It depended on the target and the value of the compromise
• However, he indicated again that if it’s vulnerable that’s a problem, and it doesn’t really matter how it’s exploited.
• The one exception is that he did concur with me that “new” attacks tend not to be used much.

VULNERABILITY

Prioritization
“How would you prioritize fixes?”
Answer:
• “Adam” said the hardest vuln to exploit/find would be last to be fixed and the easiest to exploit/find first.
• In his opinion SQL injection would probably be the first to get fixed.

VULNERABILITY

Additional Vulns
“Any web-application issues that are extremely useful to attackers that aren't on the OWASP top 10?”
Answer:
• Clickjacking
• Denial of Service/DDoS

VULNERABILITY

Best Practice?
“If followed perfectly, is the OWASP top 10 enough to stop credit card theft through web application vulnerabilities?”
Answer:
• The whole idea of testing for only 10 is “crazy”.
• He felt that the banks are just as bad in many cases as the merchants.
• Small online merchants should be banned outright from handling payment info

BLACKHATS

Blackhats
From these answers we know:
• Blackhats don’t care about lists – the top 10 should only be used for prioritization, not as a matter of completeness or “best practice”
• We were right to focus our energies on certain classes of attack first during human review, but we also know to start focusing on those vulns first during automated scans as well.
• The most valuable vulns to attackers are the most valuable vulns to our customers, so why shouldn’t we prioritize ourselves similarly, while still maintaining the same coverage?

SHOW ME THE MONEY

CVSS AND REMEDIATION METRICS

CVSS AND REMEDIATION METRICS LESSONS FROM A CISO

THE KICKER - LIVE BREACH DATA

CVSS AND REMEDIATION - NOPE

CVSS - A VERY GENERAL GUIDE FOR REMEDIATION - YEP

THE ONE BILLION DOLLAR QUESTION

Probability(You Will Be Breached On A Particular Open Vulnerability)?

1.98%
I LOVE IT WHEN YOU CALL ME BIG DATA

ENTER, THE SECURITY MENDOZA LINE

Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”?

Alex Hutton comes up with the Security Mendoza Line.

Josh Corman expands the Security Mendoza Line:
“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”

http://riskmanagementinsight.com/riskanalysis/?p=294

http://blog.cognitivedissidents.com/2011/11/01/introto-hdmoores-law/

I LOVE IT WHEN YOU CALL ME BIG DATA

DATA

How do we utilize this?
Data!
• We have another piece of the puzzle: what the bad guys are actually using.
• Prioritization of testing and finding.
• Prioritization of mitigating and fixing.

PRIORITY

Prioritize Testing & Finding
Use all the industry and in-house data to figure out what to try to test for across your entire web footprint.
SQLi being used heavily by attackers? FIND ALL OF THEM!
Command Injection not being used as much? Find it, but not until you find every single SQLi.

FIXING

Prioritize Mitigating & Fixing
Nobody likes the pile of bug tickets that show up after a vulnerability assessment.
Virtual patch to buy time. IDS blaring alarms of XSS? Turn up the WAF rules for XSS. It will help block low-hanging-fruit scanners.
Prioritize your bug tickets for devs in swallowable chunks. What sounds better? “OK team, let’s figure out how to parameterize our SQL queries and go through site by site and implement that.” OR “$Web_Scanner found 120 pages of vulns! Fix them now!!!110101”

I LOVE IT WHEN YOU CALL ME BIG DATA

Spray and Pray => 2%
CVSS 10 => 4%
Metasploit + ExploitDB => 30%
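The three rates above, together with the "Prioritize Testing & Finding" slide, describe one rule in general form: rank open vulnerabilities by the breach rate observed for their attributes (a public exploit exists, it is being used against you) rather than by CVSS alone. The following is an added example, not code from the talk or from Risk I/O or WhiteHat. Every vulnerability record and breach outcome in it is constructed, the bucket names are my own, and the rates it computes are whatever that constructed history yields, not the deck's figures. It also adds an in-house "seen in attacks against us" bucket, the deck's in house attack data, to show the same rule applied to a local signal.

```python
"""Rank open vulnerabilities by observed breach rate per attribute, not CVSS alone.

Added example (not code from the talk, Risk I/O or WhiteHat). All records below
are constructed; the rates are illustrative, not the figures from the slides.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str           # placeholder id, not a real CVE
    cvss: float
    in_metasploit: bool    # industry exploit data: a Metasploit module exists
    in_exploitdb: bool     # industry exploit data: an ExploitDB entry exists
    seen_in_attacks: bool  # in-house attack data: your IDS/WAF saw it used against you


# Attribute buckets (names are my own). A vuln is scored by the highest observed
# breach rate among the buckets it falls into; the first bucket is the baseline.
BUCKETS: Dict[str, Callable[[Vuln], bool]] = {
    "any open vuln (spray and pray baseline)": lambda v: True,
    "CVSS 10": lambda v: v.cvss >= 10.0,
    "public exploit (Metasploit or ExploitDB)": lambda v: v.in_metasploit or v.in_exploitdb,
    "seen in attacks against us": lambda v: v.seen_in_attacks,
}


def constructed_history() -> List[Tuple[Vuln, bool]]:
    """Constructed past findings: (vuln, whether it was the vector of a breach)."""
    rows = [
        # cvss, metasploit, exploitdb, seen_in_attacks, breached
        (10.0, True,  True,  True,  True),
        (10.0, False, False, False, False),
        (10.0, False, False, False, False),
        (10.0, False, False, False, False),
        (9.3,  True,  False, True,  True),
        (7.5,  False, True,  False, False),
        (7.5,  True,  True,  False, True),
        (7.5,  False, False, False, False),
        (6.8,  False, True,  False, False),
        (5.0,  False, False, False, False),
        (5.0,  False, False, False, False),
        (5.0,  False, False, True,  False),
        (4.3,  False, False, False, False),
        (4.3,  False, False, False, False),
        (3.5,  False, False, False, False),
        (2.1,  False, False, False, False),
    ]
    return [
        (Vuln("past-asset", f"past-{i}", cvss, msf, edb, seen), breached)
        for i, (cvss, msf, edb, seen, breached) in enumerate(rows)
    ]


def breach_rates(history: List[Tuple[Vuln, bool]]) -> Dict[str, float]:
    """Observed P(breached | bucket) from history; buckets with no members are skipped."""
    rates: Dict[str, float] = {}
    for label, member in BUCKETS.items():
        outcomes = [breached for v, breached in history if member(v)]
        if outcomes:
            rates[label] = sum(outcomes) / len(outcomes)
    return rates


def prioritize(open_vulns: List[Vuln], rates: Dict[str, float]) -> List[Tuple[Vuln, float, str]]:
    """Order open vulns by the highest bucket rate each one matches; CVSS only breaks ties."""
    scored = []
    for v in open_vulns:
        label, rate = max(
            ((lbl, rates[lbl]) for lbl, member in BUCKETS.items() if lbl in rates and member(v)),
            key=lambda item: item[1],
        )
        scored.append((v, rate, label))
    scored.sort(key=lambda item: (item[1], item[0].cvss), reverse=True)
    return scored


# Constructed open findings to rank.
OPEN_QUEUE = [
    Vuln("www",  "example-1", 10.0, False, False, False),  # CVSS 10, no other signal
    Vuln("shop", "example-2", 7.5,  True,  False, False),  # Metasploit module exists
    Vuln("api",  "example-3", 5.0,  False, False, True),   # seen in attacks against us
    Vuln("blog", "example-4", 9.8,  False, False, False),  # high CVSS, no other signal
]


if __name__ == "__main__":
    observed = breach_rates(constructed_history())
    for v, rate, why in prioritize(OPEN_QUEUE, observed):
        print(f"{rate:6.1%}  {v.asset:<5} {v.vuln_id:<10} CVSS {v.cvss:<4}  <- {why}")
```

On the constructed history the medium-severity finding that the IDS has actually seen probed, and the one with a Metasploit module, both outrank the CVSS 10 with no exploit data behind it, which is the ordering the deck is arguing for. Swapping the constructed history for your own closed findings and breach records, and the constructed queue for a scanner export, is the only change needed to use it for real.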

CASE STUDY

Case Study
RoR case study timeline (hope to get the actual visual from our customer)
Shows the importance of staying on top of bugs that are being actively exploited and prioritizing the finding and fixing of them.

• 1/8/2013: Rails team releases patches and blog post describing critical vulnerabilities in the Rails framework
• 1/8/2013: Security Team receives notification from Intelligence team about Rails vulnerability
• 1/9/2013: Security Team notifies Developer Team about the new vulnerabilities
• 1/9/2013: Security Team receives notification from WhiteHat with findings of Rails vulnerability
• 1/9/2013: Highest priority site upgraded to fully remediate the vulnerability
• 1/10/2013: IDS signatures updated to detect/prevent exploitation
• 1/10/2013: Metasploit releases a command injection exploit for CVE-2012-0156
• 1/11/2013: The rest of the vulnerable applications apply temporary workaround patch
• 1/11/2013: Security Team receives first exploit attempt notification from IDS. The exploit was attempted from a Russian Federation IP address.
• 1/13/2013: Another exploit attempt seen against large application from Germany

2 Hours between workaround and first identified exploit attempt!

THANK YOU
Ed Bellis, Founder & CEO of Risk I/O, @ebellis

Matt Johansen, Threat Research Center Manager, @mattjay

Reading the Security Tea Leaves

  • 1.
    SECURITY TEA LEAVES NOVEMBER2013 Ed Bellis Matt Johansen Founder & CEO of Risk I/O Threat Research Center Manager @ebellis @mattjay
  • 2.
    SPEAKERS Ed Bellis CoFounder, CEO •Contributing Author, Beautiful Security • Manages 50M+ vulnerabilities daily • Background in Baseball • Former Orbitz CISO, 20+ years experience • I'm hiring… a lot… © 2013 Risk IO, Inc. Matt Johansen Threat Research Center Manager • BlackHat, DEFCON, RSA Speaker • Oversees assessment of 15,000+ websites • Background in Penetration Testing • Hacker turned Management • I'm hiring… a lot… © 2013 WhiteHat Security, Inc. 2
  • 3.
    NICE TO MEETYOU ✓ Data-Driven Vulnerability Intelligence Platform ✓ DataWeek 2012 Top Security Innovator ✓ Chicago & San Francisco ✓ Processing 50M+ Vulnerabilities Daily © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 3
  • 4.
    ABOUT WhiteHat Security, Inc. 3970Freedom Cir #200, Santa Clara, CA 95054  Founded 2001  Head quartered in Santa Clara, CA  Employees: 260+  WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)  Customers: 500+ (banking, retail, healthcare, etc.) Founded in 2001 by Jeremiah Grossman–a former Yahoo! information security officer–WhiteHat combines a revolutionary, cloud-based technology platform with a team of leading security experts to help customers in the toughest, most regulated industries, including e-commerce, financial services, information technology, healthcare and more. Dozens of companies in the Fortune 500 rely on WhiteHat to help them prevent website attacks that could cost them millions. © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 4
  • 5.
    REPORT WhiteHat Stats Report Ina recent customer survey for our 2012 WhiteHat Stats report we were asked what the major reason to fix a vulnerability was. Answer: Compliance We also asked if a choice was made to NOT fix a vulnerability what the major reason was. Answer: Compliance. Something wrong with this picture. How do we better prioritize finding and fixing vulnerabilities in our web applications? © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 5
  • 6.
  • 7.
    INFOSEC? © 2013 RiskIO, Inc. © 2013 WhiteHat Security, Inc. 7
  • 8.
    DATA Data pieces Industry VulnData Industry Attack Data WhiteHat Stats Report Imperva WAF traffic report. Verizon DBIR In House Vuln Data Find your vulns! © 2013 Risk IO, Inc. In House Attack Data What are the attackers using against YOU! © 2013 WhiteHat Security, Inc. 8
  • 9.
    DEFEND LIKE YOU’VEDONE IT BEFORE Groups, Motivations Learning from Breache s Asset Topology, Actual Vulns on System © 2013 Risk IO, Inc. Vulnerability Definitions Exploits © 2013 WhiteHat Security, Inc. 9
  • 10.
    WORK WITH WHATYOU’VE GOT Akamai, Safenet NVD, MITRE ExploitDB, Metasploit © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 10
  • 11.
    ARTICLES Blackhats Talking to Blackhatsgives us great intelligence, even if it’s not always 100% reliable intel. For those of you who didn’t see the blog posts: • Blackhat part 1 • Blackhat part 2 • Blackhat part 3 © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 11
  • 12.
    DATA Most Used Vulns? “Whatare the most used web based vulnerabilities?” Answer: • “Adam” admits that he doesn’t keep track • However, he believed that in his world XSS and SQL injection are the most used © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 12
  • 13.
    VULNERABILITY OWASP 2013 RC “Asyou read the OWASP top 10 release candidate for 2013 does the order make sense in terms of how risky and/or common they are for companies to have in their sites if you are going to attack them?” Answer: • OWASP release candidate is unhelpful (to put it politely). • Concept of top 10 vulnerabilities are is “stupid, flawed and inaccurate.” • For it to be accurate he felt that you would have to update it daily, which is, of course practically impossible. © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 13
  • 14.
    VULNERABILITY Esoteric Vulns? “How doyou feel about LDAP injection, XML injection and XPath injection?” Answer: • “gangs” tend not to share information • However he wasn’t aware of anyone who was using those. © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 14
  • 15.
    VULNERABILITY Useful Vulns? “What arethe characteristics of a "good" web application vulnerability?” Answer: • Fast to exploit • Persistent • Full access (root) • Ability to deface/redirect • Ability to wipe IP logs © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 15
  • 16.
    VULNERABILITY Preferred Vulns? “Do blackhatsprefer command injection, SQL injection and brute force?” Answer: • It depended on the target and the value of the compromise • However, he indicated again that if it’s vulnerable that’s a problem, and it doesn’t really matter how it’s exploited. • The one exception to that is that he did concur with me is that “new” attacks tend not to be used much. © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 16
  • 17.
    VULNERABILITY Prioritization “How would wouldyou prioritize fixes?” Answer: • “Adam” said the hardest vuln to exploit/find would be last to be fixed and the easiest to exploit/find first. • In his opinion SQL injection would probably be the first to get fixed. © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 17
  • 18.
    VULNERABILITY Additional Vulns “Any web-applicationissues that are extremely useful to attackers that aren't on the OWASP top 10?“ Answer: • Clickjacking • Denial of Service/DDoS © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 18
  • 19.
    VULNERABILITY Best Practice? “if followedperfectly, is the OWASP top 10 is enough to stop credit card theft through web application vulnerabilities?” Answer: • The whole idea of testing for only 10 is “crazy”. • He felt that the banks are just as bad in many cases as the merchants. • Small online merchants should be banned outright from handling payment info © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 19
  • 20.
    BLACKHATS Blackhats From these answerswe know: • Blackhats don’t care about lists – the top 10 should only be used for prioritization, not as a matter of completeness or “best practice” • We were right to focus our energies on certain classes of attack first during human review, but also we know to start focusing on those vulns first during automated scans as well. • Most valuable vulns to attackers are the most valuable vulns to our customers, so why shouldn’t we prioritize ourselves similarly, while still maintaining the same coverage? © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 20
  • 21.
    SHOW ME THEMONEY © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 21
  • 22.
    CVSS AND REMEDIATIONMETRICS © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 22
  • 23.
    CVSS AND REMEDIATIONMETRICS LESSONS FROM A CISO © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 23
  • 24.
    THE KICKER -LIVE BREACH DATA © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 24
  • 25.
    CVSS AND REMEDIATION- NOPE © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 25
  • 26.
    CVSS - AVERY GENERAL GUIDE FOR REMEDIATION - YEP © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 26
  • 27.
    THE ONE BILLIONDOLLAR QUESTION Probability(You Will Be Breached On A Particular Open Vulnerability)? 1.98% © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 27
  • 28.
    I LOVE ITWHEN YOU CALL ME BIG DATA © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 28
  • 29.
    ENTER, THE SECURITYMENDOZA LINE Alex Hutton comes up with Security Mendoza Line Josh Corman expands the Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? “Casual attacker power grows at the rate of Metasploit” http://riskmanagementinsight.com/riskanalysis/? p=294 http://blog.cognitivedissidents.com/2011/11/01/introto-hdmoores-law/ © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 29
  • 30.
    I LOVE ITWHEN YOU CALL ME BIG DATA © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 30
  • 31.
    DATA How do weutilize this? Data! • We have another piece of the puzzle. What the bad guys are actually using. • Prioritization of testing and finding. • Prioritization of mitigating and fixing. © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 31
  • 32.
    PRIORITY Prioritize Testing &Finding Use all the Industry and in house data to figure out what to try to test for across your entire web footprint. SQLi being used heavily by attackers? FIND ALL OF THEM! Command Injection not being used as much? Find it but not until you find every single SQLi. © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 32
  • 33.
    FIXING Prioritize Mitigating &Fixing Nobody likes the pile of bug tickets that show up after a vulnerability assessment. Virtual Patch to buy time. IDS blaring alarms of XSS? Turn up the WAF rules for XSS. Will help block low hanging fruit scanners. Prioritize your bug tickets for Devs in swallowable chunks. What sounds better. “Ok team lets figure out how to parameterize our SQL queries and go through site by site and implement that.” OR “$Web_Scanner found 120 pages of vulns! Fix them now!!!110101” © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 32
  • 34.
    I LOVE ITWHEN YOU CALL ME BIG DATA Spray and Pray => 2% CVSS 10 => 4% Metasploit + ExploitDB => 30% © 2013 Risk IO, Inc. © 2013 WhiteHat Security, Inc. 33
  • 35.
    CASE STUDY Case Study RoRcase study timeline (hope to get the actual visual from our customer) Shows importance of staying on top of bugs that are being actively exploited and prioritizing the finding and fixing of them. 1/10/2013 1/8/2013 1/9/2013 IDS signatures updated to Rails team releases patches Security Team notifies detect/prevent exploitation and blog post describing Developer Team about the critical vulnerabilities in the new vulnerabilities Rails framework 1/8/2013 1/9/2013 1/10/2013 1/11/2013 1/8/2013 Security Team receives 1/10/2013 notification from Intelligence Metasploit releases a team about Rails vulnerability command injection exploit 1/9/2013 for CVE-2012-0156 Security Team receives notification from WhiteHat with findings of Rails vulnerability 1/9/2013 Highest priority site upgraded to fully remediate the vulnerability © 2013 Risk IO, Inc. 2 Hours between workaround and first identified exploit attempt! 1/12/2013 1/13/2013 Another exploit attempt seen against large application from Germany 1/13/2013 1/14/2013 1/11/2013 Security Team receives first exploit attempt notification from IDS. The exploit was attempted from a Russian Federation IP address. 1/11/2013 The rest of the vulnerable applications apply temporary workaround patch © 2013 WhiteHat Security, Inc. 34
  • 36.
    THANK YOU Ed Bellis MattJohansen Founder & CEO of Risk I/O Threat Research Center Manager @ebellis @mattjay