Exploring The Most Exploited Vulnerabilities of 2019 (so far!)
Jonathan Cran
Head of Research
Kenna Security
July 16th, 2019
Defining Risk Based Vulnerability Management
• Obtain intelligence about what attackers are doing (Likelihood!)
- Internal sources: IPS / IDS, AV, Honeypots
- External sources: threat feeds, threat exchanges, online chatter
• Maintain visibility of assets, and how important they are (Impact!)
- CMDB & Vulnerability Scanners
- IAM, Finance, etc … extremely long tail
• Cross-reference intelligence with problems in your environment
- ATT&CK, CVE, CPE, CWE, Internal Identifiers
• Distribute information continuously
(Figure: risk plotted on Impact vs Likelihood axes)
Sources of Useful Intelligence
1. Open Source Intelligence & Dark Web
2. Intrusion Detection Systems
3. File-oriented AV analysis APIs - samples from malspam, some APT
4. Honeypots such as Bad Packets and Greynoise - internet-wide scans
(often focused on compromised IoT or early info gathering)
5. Local Honeypots
6. Antivirus and Endpoint - on-device attempts
So Let’s Explore!
1. OSINT & DarkWeb
2. IDS Signatures (Events)
3. Suspicious File Analysis
All analyzed across 12 months of historical data
Intelligence Source: Open Source Intelligence (OSINT) and DarkWeb
OSINT and Dark Web by Category (All Time)
(Chart: sightings by category, all-time history)
OSINT / Darkweb - Sources vs Sightings
Example record: CVE-2017-0148, Malware (Historical), last seen 2019-06-23T06:16:34.000Z, 3328 sightings on 1085 sources (3328 × 1085 = 3,610,880, the "# Sources x # Sightings" figure used in the third ranking below). Most recent link (Jun 23, 2019):
https://twitter.com/CybazeSocial/statuses/1142677809225224192
Top 10… OSINT (# Sightings)
ETERNALBLUE, Wannacry, Petya, NotPetya
Source: Ned Pyle @ Microsoft
Top 10… OSINT (# Sources)
Top 10… OSINT (# Sources x # Sightings)
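The three OSINT rankings (by # sightings, by # sources, and by their product) are all derived from the same per-CVE record shown on the sources-vs-sightings slide. The block below is an added example, not code from the talk or from Kenna: it aggregates a constructed set of sightings (CVE, publishing source, ISO timestamp; the CVE ids are borrowed from the deck, the counts are invented) into that record and produces the three rankings. It also shows why the "OSINT can be gamed" caveat matters: one account reposting a single CVE every day tops the sightings count, but falls back once distinct sources, or sources × sightings, are used.

```python
from collections import defaultdict

# Constructed OSINT / dark-web sightings as (cve, publishing source, ISO timestamp).
# A sighting is one mention; a source is the account or site that published it.
# CVE ids are taken from the deck; the counts are invented so the rankings disagree.
SIGHTINGS = (
    # widely discussed: 40 mentions from 40 independent sources
    [("CVE-2017-0148", f"src-{i:02d}", f"2019-06-{1 + i % 28:02d}T06:00:00Z")
     for i in range(40)]
    # pushed by one account reposting daily (plus a single other mention)
    + [("CVE-2018-8453", "bot-a", f"2019-06-{1 + i % 28:02d}T12:00:00Z")
       for i in range(60)]
    + [("CVE-2018-8453", "bot-b", "2019-06-20T12:00:00Z")]
    # mentioned once each by 25 feeds
    + [("CVE-2018-8174", f"feed-{i:02d}", "2019-05-02T09:00:00Z") for i in range(25)]
    # one researcher, three posts
    + [("CVE-2017-11882", "researcher-x", "2019-03-14T09:00:00Z")] * 3
)


def summarize(sightings):
    """Collapse raw sightings into one record per CVE: sightings, distinct
    sources, their product, and the most recent timestamp."""
    acc = defaultdict(lambda: {"sightings": 0, "sources": set(), "last_seen": ""})
    for cve, source, ts in sightings:
        rec = acc[cve]
        rec["sightings"] += 1
        rec["sources"].add(source)
        rec["last_seen"] = max(rec["last_seen"], ts)   # ISO-8601 sorts lexically
    return {
        cve: {
            "sightings": rec["sightings"],
            "sources": len(rec["sources"]),
            "product": rec["sightings"] * len(rec["sources"]),
            "last_seen": rec["last_seen"],
        }
        for cve, rec in acc.items()
    }


def top_n(summary, metric, n=10):
    """CVE ids ordered by one metric; ties broken by CVE id for stable output."""
    return [cve for cve, _ in
            sorted(summary.items(), key=lambda kv: (-kv[1][metric], kv[0]))[:n]]


def format_record(cve, rec):
    """Same layout as the slide-7 record: id, last seen, sightings, sources, product."""
    return (f"{cve}, {rec['last_seen']}, {rec['sightings']}, {rec['sources']}, "
            f"{rec['product']}, {rec['sightings']} sightings on {rec['sources']} sources.")


if __name__ == "__main__":
    s = summarize(SIGHTINGS)
    for metric in ("sightings", "sources", "product"):
        print(f"top by {metric}: {top_n(s, metric)}")
    print(format_record("CVE-2018-8453", s["CVE-2018-8453"]))
```

With this input CVE-2018-8453 leads the sightings ranking (61 mentions) but sits third by sources (2) and by product (122), while CVE-2017-0148 (40 mentions from 40 sources, product 1600) leads the other two. The product metric rewards corroboration across independent publishers, which is harder to fake than volume from one account.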
More Recently, CVE-2018-8453 emerges
FruityArmor & 0day vulnerabilities
October 20, 2016 - CVE-2016-3393
...
October 10, 2018 - CVE-2018-8453
November 14, 2018 - CVE-2018-8589
December 12 2018 - CVE-2018-8611
March 13, 2019 - CVE-2019-0797
Source: securelist.com (Kaspersky)
Recent OSINT by Rule Triggered
OSINT and Darkweb As a Source
APT activity is intermingled with more widespread activity
OSINT can be gamed by simply publishing fake information
It can be a great leading indicator, and is also helpful for predictions
Intelligence Source: Intrusion Detection Systems
IDS - Unique CVEs by Source
IDS - CVEs by Event Count (Source 1)
IDS - CVEs by Event Count (Source 2)
IDS - Top 10 CVEs by Unique Event Groups
IDS - Top 10 CVEs by Unique Event Groups (2017+)
IDS Events As A Source
Scanned vulnerabilities drive the high counts - but are they the most important?
Normalization by unique CVEs or unique event groups can help
Consider placement: Perimeter? Datacenter? Cloud?
Helpful to understand the process of signature creation … is it driven by exploits?
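As an added example (not the talk's code), the normalization described above run over a constructed set of IDS events: raw event counts per CVE, the same events collapsed to unique event groups (here one group per source IP per day; the grouping key is an assumption of this example), the set of CVEs each sensor placement sees at all, and a placement filter. One internet scanner sweeping 200 hosts on two nights produces 400 raw events for a single CVE but only two event groups, so it drops from first to last once the list is normalized.

```python
from collections import defaultdict

# Constructed IDS events as (sensor placement, src_ip, dst_ip, cve, ISO timestamp).
# Not real telemetry. The /24 sweep from one scanner is what inflates raw counts.
IDS_EVENTS = (
    # one internet scanner sweeping a /24 behind the perimeter sensor, two nights running
    [("perimeter", "203.0.113.9", f"198.51.100.{h}", "CVE-2017-0144",
      f"2019-06-{d:02d}T01:00:00Z")
     for d in (3, 4) for h in range(1, 201)]
    # eight distinct attackers hitting an app server, three days each
    + [("datacenter", f"192.0.2.{a}", "10.0.0.5", "CVE-2017-5638",
        f"2019-06-{d:02d}T10:00:00Z")
       for a in range(1, 9) for d in (5, 6, 7)]
    # a few Office-document exploit detections at the mail gateway
    + [("perimeter", f"192.0.2.{a}", "10.0.0.25", "CVE-2017-11882",
        "2019-06-08T08:00:00Z")
       for a in range(20, 26)]
)


def _select(events, placement):
    """Events from one sensor placement, or all of them when placement is None."""
    return [e for e in events if placement is None or e[0] == placement]


def count_events(events, placement=None):
    """Raw event count per CVE: the number most dashboards show."""
    counts = defaultdict(int)
    for _place, _src, _dst, cve, _ts in _select(events, placement):
        counts[cve] += 1
    return dict(counts)


def count_event_groups(events, placement=None):
    """Unique event groups per CVE, one group per (src_ip, day).
    A scanner that hits 200 hosts in one sweep collapses to a single group.
    The grouping key is this example's choice; pick what suits your sensors."""
    groups = defaultdict(set)
    for _place, src, _dst, cve, ts in _select(events, placement):
        groups[cve].add((src, ts[:10]))      # ts[:10] is the YYYY-MM-DD part
    return {cve: len(g) for cve, g in groups.items()}


def unique_cves_by_placement(events):
    """Which CVEs each sensor placement sees at all, independent of volume."""
    seen = defaultdict(set)
    for place, _src, _dst, cve, _ts in events:
        seen[place].add(cve)
    return dict(seen)


def rank(counts):
    """CVEs ordered by count, highest first; ties broken by CVE id."""
    return sorted(counts, key=lambda cve: (-counts[cve], cve))


if __name__ == "__main__":
    print("raw   :", rank(count_events(IDS_EVENTS)))
    print("groups:", rank(count_event_groups(IDS_EVENTS)))
    print("datacenter only:", count_event_groups(IDS_EVENTS, placement="datacenter"))
    print("by placement:", unique_cves_by_placement(IDS_EVENTS))
```

Raw counts put CVE-2017-0144 first (400 events) and the datacenter web-app attacks third; after grouping, the eight attackers hitting the app server over three days (24 groups) come first and the scanner's CVE last (2 groups). Filtering by placement before ranking answers the "Perimeter? Datacenter?" question directly, since the same CVE means different things on an internet-facing sensor and an internal one.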
Intelligence Source: Suspicious File Analysis
CVEs Detected (unique count - 12 mo)
CVEs Detected By Product (12 mo)
Suspicious Files (# days seen - 12 mo)
Suspicious Files As a Source
Microsoft Office dominating this year – fits with common knowledge
Less prone to false positives than OSINT, but detection requires a signature, which takes time to write
Significantly less volume than IDS in hits
Grounded in signatures (a good thing!)
Let’s combine these sources!
Challenges to a Single “Top X”
1. Cannot compare on pure count, or weighted counts
2. Technique-to-detect and perspective matter
3. Your threat model matters!
4. Is the vulnerability even still out there?
Context matters… so where to begin?
Identifying the most exploited CVEs
Methodology:
• Gathered the CVEs identified by any of the 3 sources
• Cross-referenced with vulnerability prevalence
• Ranked from (1) most prevalent to (10) least
• Tagged each with the source(s) that identified the vulnerability in our analysis
Presenting… a Combined Top 10

 #   CVE             CPE                               METHOD
 1.  CVE-2014-3566   cpe:2.3:a:openssl:openssl         ids 1, ids 2
 2.  CVE-2019-0703   cpe:2.3:o:microsoft:windows_10    ids 1
 3.  CVE-2018-8453   cpe:2.3:o:microsoft:windows_10    osint
 4.  CVE-2018-8174   cpe:2.3:o:microsoft:windows_10    osint
 5.  CVE-2018-15982  cpe:2.3:a:adobe:flash_player      osint
 6.  CVE-2017-8759   cpe:2.3:a:microsoft:.net_frame…   file analysis
 7.  CVE-2017-0199   cpe:2.3:a:microsoft:office        osint
 8.  CVE-2018-4878   cpe:2.3:a:adobe:flash_player      file analysis
 9.  CVE-2017-11882  cpe:2.3:a:microsoft:office        osint, file analysis
10.  CVE-2017-11774  cpe:2.3:a:microsoft:outlook       osint

(Rows are ordered by prevalence, per the methodology above; the METHOD column lists which of the three intelligence sources surfaced the CVE. OpenSSL's CPE part is "a" (application), corrected from the original slide.)
The Real Top 10 … er, Top 3*!
1) Oracle Java (JDK and JRE)
2) Adobe Flash Player
3) Microsoft Office (Word, Excel etc)
… (then everything else)
* product list is derived by pulling CPE data from the 255 vulnerabilities scored at 100 on Kenna’s Risk Meter Score
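An added example (not Kenna's code or data) that carries out the methodology on the "Identifying the most exploited CVEs" slide and the cross-referencing step from the RBVM definition slide: CVEs flagged by each source are unioned and tagged with who saw them, matched against an asset inventory by CPE, dropped when nothing in the inventory matches (the "is the vulnerability even still out there?" question), and ranked by prevalence. Corroboration across sources and asset criticality are used as tie-breakers; those tie-breakers are this example's assumption, not the talk's. A final rollup groups the ranked CVEs by vendor:product in the spirit of the "Top 3" slide, which used a different input set (the 255 vulnerabilities scored 100). The inventory, the criticality scores, which source saw which CVE, and the `.net_framework` CPE name are all constructed.

```python
from collections import defaultdict

# --- Constructed inputs (not Kenna's data) ------------------------------------
# 1) CVEs each intelligence source flagged during the analysis window.
#    CVE ids are the ones on the deck; which source "saw" which is made up.
SOURCE_HITS = {
    "osint": {"CVE-2018-8453", "CVE-2018-8174", "CVE-2017-0199", "CVE-2017-11882",
              "CVE-2018-15982", "CVE-2017-11774", "CVE-2016-3393"},
    "ids_1": {"CVE-2014-3566", "CVE-2019-0703", "CVE-2017-0144"},
    "ids_2": {"CVE-2014-3566"},
    "file_analysis": {"CVE-2017-8759", "CVE-2018-4878", "CVE-2017-11882"},
}

# 2) CVE -> affected CPE, as a scanner or NVD would supply it.
#    CVE-2016-3393 is deliberately missing; the .net_framework name is assumed.
CVE_CPE = {
    "CVE-2014-3566": "cpe:2.3:a:openssl:openssl",
    "CVE-2019-0703": "cpe:2.3:o:microsoft:windows_10",
    "CVE-2018-8453": "cpe:2.3:o:microsoft:windows_10",
    "CVE-2018-8174": "cpe:2.3:o:microsoft:windows_10",
    "CVE-2018-15982": "cpe:2.3:a:adobe:flash_player",
    "CVE-2018-4878": "cpe:2.3:a:adobe:flash_player",
    "CVE-2017-8759": "cpe:2.3:a:microsoft:.net_framework",
    "CVE-2017-0199": "cpe:2.3:a:microsoft:office",
    "CVE-2017-11882": "cpe:2.3:a:microsoft:office",
    "CVE-2017-11774": "cpe:2.3:a:microsoft:outlook",
    "CVE-2017-0144": "cpe:2.3:o:microsoft:windows_7",
}

# 3) Asset inventory (the Impact side): asset -> (criticality 1..10, installed CPEs).
ASSETS = {}
for i in range(1, 21):   # 20 workstations with Windows 10, Office and Flash
    ASSETS[f"ws-{i:03d}"] = (3, ["cpe:2.3:o:microsoft:windows_10",
                                 "cpe:2.3:a:microsoft:office",
                                 "cpe:2.3:a:adobe:flash_player"])
for i in range(21, 26):  # 5 more without Flash
    ASSETS[f"ws-{i:03d}"] = (3, ["cpe:2.3:o:microsoft:windows_10",
                                 "cpe:2.3:a:microsoft:office"])
ASSETS.update({
    "web-01": (8, ["cpe:2.3:a:openssl:openssl"]),
    "web-02": (8, ["cpe:2.3:a:openssl:openssl"]),
    "lb-01":  (9, ["cpe:2.3:a:openssl:openssl"]),
    "app-01": (7, ["cpe:2.3:a:microsoft:.net_framework"]),
})
# No Outlook and no Windows 7 in this inventory, so CVE-2017-11774 and
# CVE-2017-0144 are "not out there" and must drop out of the ranking.


def combined_ranking(source_hits, assets, cve_cpe, n=10):
    """Union the sources, cross-reference with prevalence, rank, tag."""
    # Step 1: every CVE any source saw, tagged with the sources that saw it.
    seen_by = defaultdict(set)
    for source, cves in source_hits.items():
        for cve in cves:
            seen_by[cve].add(source)
    # Step 2: prevalence = how many assets carry the CVE's CPE; keep criticality too.
    crit_by_cpe = defaultdict(list)
    for _name, (crit, cpes) in assets.items():
        for cpe in cpes:
            crit_by_cpe[cpe].append(crit)
    rows = []
    for cve, sources in sorted(seen_by.items()):
        cpe = cve_cpe.get(cve)
        crits = crit_by_cpe.get(cpe, [])
        if not crits:          # unknown CPE, or nothing in the environment matches
            continue
        rows.append({"cve": cve, "cpe": cpe, "prevalence": len(crits),
                     "max_criticality": max(crits), "sources": sorted(sources)})
    # Step 3: most prevalent first. Ties: more corroborating sources, then higher
    # criticality, then CVE id (the tie-break order is this example's choice).
    rows.sort(key=lambda r: (-r["prevalence"], -len(r["sources"]),
                             -r["max_criticality"], r["cve"]))
    return rows[:n]


def top_products(rows):
    """Roll a ranked CVE list up to vendor:product, as on the 'Top 3' slide."""
    counts = defaultdict(int)
    for r in rows:
        parts = r["cpe"].split(":")          # cpe:2.3:part:vendor:product...
        counts[f"{parts[3]}:{parts[4]}"] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ranked = combined_ranking(SOURCE_HITS, ASSETS, CVE_CPE)
    for i, r in enumerate(ranked, 1):
        print(f"{i:2d}. {r['cve']:15s} {r['cpe']:36s} prevalence={r['prevalence']:2d} "
              f"crit={r['max_criticality']} via {', '.join(r['sources'])}")
    print(top_products(ranked))
```

Two of the eleven flagged CVEs never reach the ranking (no matching CPE in the inventory, or no CPE mapping at all), which is exactly the filter the "is the vulnerability even still out there?" challenge asks for. Note that ranking by prevalence alone puts the 25 workstations' Office and Windows 10 bugs above the three OpenSSL hosts despite the latter's higher criticality; whether that is the right order for you is the "your threat model matters" point, and the sort key is where you would encode it.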
Context Matters!
https://kennasecurity.com/signup
hello@kennasecurity.com
Questions
