Advanced Vulnerability Scoring & Prioritization
Transcript
Michael McKay, CISSP, CISA, Consulting Security Engineer
November 4, 2015
Overview
- How Tripwire IP360 scans
- The elements of the Tripwire IP360 Vulnerability Risk Score: Risk Classes, Skill Ratings, Time
- The Risk Score equation
- How to interpret Risk Scores for remediation prioritization
- Tripwire IP360 Scores vs CVSS: pros and cons
- Best practices for preparing actionable vulnerability reports
- The VERT Vulnerability Class Risk Modifications
Application-centric Vulnerability Detection
- IIS 3.0 and 4.0 SSL "Error Message" Vulnerability
- IIS 4 Redirect Remote Buffer Overflow Vulnerability
- IIS 4 Web Server Available
- IIS 4.0 IISADMPWD Proxied Password Attack
- IIS 4.0/5.0 File Permission Canonicalization Vulnerability
- IIS 4.0/5.0 Malformed File Extension DoS Vulnerability
- IIS Administrative Pages Cross Site Scripting Vulnerabilities
- IIS Chunked Encoding Transfer Heap Overflow Vulnerability
- IIS Escape Character Parsing Vulnerability
- IIS Failure To Log Undocumented TRACK Requests Vulnerability
- Sendmail Address Prescan Memory Corruption Vulnerability
- Sendmail DNS Map TXT Record Buffer Overflow Vulnerability
- Sendmail File Locking Denial Of Service Vulnerability
- Sendmail Header Processing Buffer Overflow Vulnerability
- Sendmail Long Ident Logging Circumvention Weakness
Efficient, accurate, non-intrusive, and automated application inventory
Tripwire IP360 Vulnerability Risk Prioritization

Tripwire IP360 Score   MS Advisory   Severity
30758                  MS07-017      Critical
6929                   MS08-014      Critical
865                    MS07-010      Critical
777                    MS08-009      Critical
203                    MS07-027      Critical

Which vulnerability is most important?
Tripwire IP360 Vulnerability Risk Scoring Matrix
(Figure: a matrix with "Ease of Exploitation" on one axis and "Risk Class of Host Compromise" on the other, with an "Increasing Risk" arrow.)
Tripwire's IP360 Vulnerability Risk Classes

Risk  Descriptor           Determination
0     Exposure             Potential point of attack (e.g., FTP is available)
1     Local Availability   Local attacks against availability (e.g., DoS)
2     Local Access         Local methods for obtaining or increasing user-level privileges
3     Local Privileged     Local methods for obtaining complete administrative privileges
4     Remote Availability  Remote methods against availability
5     Remote Access        Remote methods for obtaining or increasing user-level privileges
6     Remote Privileged    Remote methods for obtaining complete administrative privileges

r_n, aka "Risk": the inherent threat of having vulnerability n on a system.
Tripwire's IP360 Skill Ratings

Skill  Descriptor           Determination
1      Automated            An exploit is available in an exploit kit, exploit framework, or malware
2      Easy                 Fully functional exploit code is available, likely in an exploit repository
3      Moderate             Exploit code is available but may not be fully functional
4      Difficult            A proof of concept is available
5      Extremely Difficult  Minimal details are available, such as a technical write-up
6      No Known Exploit     No exploits are known to be available

s_n, aka "Skill": the ease of exploiting vulnerability n, based on the availability and sophistication of exploit tools in the wild.
Computing the Tripwire IP360 Vulnerability Risk Score:
Where:
  t_n = days since the vulnerability was publicly discovered
  r_n = Risk
  s_n = Skill
Accurate Metrics For Prioritization
Numerical vulnerability scores (zero to 60,000+) based on:
- Severity of potential host compromise
- Requirement for user participation for exploit
- Skill level required to achieve exploit
- Availability of exploits "in the wild"
- Time since exploit was first reported
Also reported:
- Host Scores (sum of vulnerability scores)
- Asset Values
- Network Average Scores and Trends
Tripwire IP360 Scores vs CVSSv2
- CVSSv2 base scores are available for all vulnerabilities in Tripwire IP360
- In Tripwire IP360 they are included in the description of the vulnerability
- In SIH, reports break out CVSSv2 as a separate field and report filter option
- VERT assigns CVSSv2 base scores when they are not available from the vendor or another authoritative source
Issues with CVSSv2:
- Very little guidance was provided on how to score vulnerabilities properly
- Many analysts (most notably NVD) scored some vulnerabilities incorrectly or inconsistently due to misunderstandings
- Vendors were also confused, and some, like Oracle, tried to implement their own "corrections"
- Almost no one implements the "Temporal" component of CVSS
Tripwire IP360 Scores vs CVSSv3
- CVSSv3 addresses major deficiencies of CVSSv2
- The majority of CVSSv3 attributes line up very well with Tripwire IP360 parameters
- However, CVSSv3 is brand new and not formally supported yet by many (any?) vendors
- Even NVD has only announced "plans" to begin support of CVSSv3 sometime this fall
- PCI certification of Internet-facing IPs is still based on CVSSv2
- CVSSv3 scores will be added to ASPL and will be available in Tripwire IP360 Release 7.5.1
- CVSSv3 scores will be supported in the SIH next year
Tripwire IP360 Scores vs CVSS
The continued benefit of Tripwire IP360 risk scores:
- Tripwire VERT: a highly consistent methodology is applied across all Tripwire IP360 content, regardless of vendor
- Continual grooming of content as new exploit methods are discovered
- Automatically applies the age of the vulnerability to its score
- Easy filtration of vulnerabilities based on multiple well-defined attributes
- Full support for CVSSv2 and CVSSv3
How to make your reports more actionable
- Unfiltered Vulnerability Inventory Report in SIH: 81 hosts, 2,190 unique vulnerabilities
- Vulnerability Inventory Report, filtered for Local and Remote Privileged vulnerabilities with Automated or Easy exploits: 38 hosts, 160 unique vulnerabilities
VERT Vulnerability Class Risk Modifications: an important refinement
- Local vulnerabilities are much more risky than a decade ago
- Hackers and malware actively target Local vulnerabilities in MS Office, Adobe, browsers, Java, etc.
- Tripwire IP360 scores of some Local vulnerabilities can make them seem lower risk than they are
- Some Local vulnerabilities are so easily and automatically exploited that they approach the risk of Remote vulnerabilities
- VERT has a great solution: the Vulnerability Class Risk Modifications
The VERT Vulnerability Class Risk Modifications
- Implemented as a set of VnE database modifications applied by Tripwire Support
- Can be applied individually to nine classes of Local products that you may wish to label as Remote because of the prevalence and sophistication of exploit methods
The classes are:
- Web Browsers
- Java
- Web Technologies (e.g., Flash, Shockwave)
- PDF Readers
- Media Players
- Microsoft Office Products
- Exploit Kits*
- Exploit Frameworks*

*If these modifications are applied, a Local vulnerability for which there is an Exploit Kit or Exploit Framework plugin will be assigned a Risk of "Remote Privileged" and a Skill of "Automated Exploit", giving it the highest possible score.
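As an added example (not Tripwire's code, and not the IP360 scoring engine), the following Python models the Risk Class and Skill Rating tables above, the VERT Class Risk Modification rule for exploit-kit/framework coverage, and the SIH report filter described earlier ("Local and Remote Privileged vulnerabilities with Automated or Easy exploits"). The numeric Risk Score formula is not reproduced, since the slides name only its inputs (t_n, r_n, s_n); findings are instead ranked by (Risk Class, Skill, age). Two details are assumptions: that "label as Remote" for an opted-in product class maps each Local class to its Remote counterpart (Local Access to Remote Access, and so on), and that an older vulnerability ranks ahead of a newer one with the same class and skill. The hosts, vulnerability IDs and product-class labels are constructed sample data.

```python
"""Model of IP360-style Risk Class / Skill prioritization (added example)."""
from collections import Counter
from dataclasses import dataclass, replace
from enum import IntEnum


class Risk(IntEnum):          # r_n, from the Risk Classes table
    EXPOSURE = 0
    LOCAL_AVAILABILITY = 1
    LOCAL_ACCESS = 2
    LOCAL_PRIVILEGED = 3
    REMOTE_AVAILABILITY = 4
    REMOTE_ACCESS = 5
    REMOTE_PRIVILEGED = 6


class Skill(IntEnum):         # s_n, from the Skill Ratings table (1 = easiest)
    AUTOMATED = 1
    EASY = 2
    MODERATE = 3
    DIFFICULT = 4
    EXTREMELY_DIFFICULT = 5
    NO_KNOWN_EXPLOIT = 6


LOCAL_CLASSES = {Risk.LOCAL_AVAILABILITY, Risk.LOCAL_ACCESS, Risk.LOCAL_PRIVILEGED}
PRIVILEGED = {Risk.LOCAL_PRIVILEGED, Risk.REMOTE_PRIVILEGED}
ACTIONABLE_SKILLS = {Skill.AUTOMATED, Skill.EASY}
# Opt-in switches for the modifications; "exploit_kits" covers both the
# Exploit Kits and Exploit Frameworks classes from the slide.
PRODUCT_CLASSES = {"browser", "java", "web_technology", "pdf_reader",
                   "media_player", "office", "exploit_kits"}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # hypothetical identifier (constructed)
    risk: Risk
    skill: Skill
    days_public: int        # t_n: days since public disclosure
    product_class: str      # hypothetical label, e.g. "browser"
    exploit_kit: bool = False   # an exploit kit / framework plugin exists


def apply_modifications(f: Finding, enabled: set) -> Finding:
    """Apply the VERT Class Risk Modifications that are switched on.
    Only Local findings are affected. Exploit-kit coverage wins: per the slide
    it yields Remote Privileged / Automated, the highest possible rating.
    Otherwise an opted-in product class is relabelled Local -> Remote
    (assumption: same availability/access/privileged level, +3)."""
    if f.risk not in LOCAL_CLASSES:
        return f
    if f.exploit_kit and "exploit_kits" in enabled:
        return replace(f, risk=Risk.REMOTE_PRIVILEGED, skill=Skill.AUTOMATED)
    if f.product_class in enabled:
        return replace(f, risk=Risk(f.risk + 3))
    return f


def is_actionable(f: Finding) -> bool:
    """The SIH filter from the slides: Privileged risk with an Automated or Easy exploit."""
    return f.risk in PRIVILEGED and f.skill in ACTIONABLE_SKILLS


def priority_key(f: Finding):
    # Highest risk class first, easiest exploit first, oldest first (age assumption).
    return (-int(f.risk), int(f.skill), -f.days_public)


def report(findings, enabled=frozenset()) -> dict:
    """Return the filtered, ranked inventory plus the host/unique-vuln counts
    that the slide uses to show the effect of filtering."""
    modified = [apply_modifications(f, enabled) for f in findings]
    hits = sorted(filter(is_actionable, modified), key=priority_key)
    return {
        "hosts": len({f.host for f in hits}),
        "unique_vulns": len({f.vuln_id for f in hits}),
        "per_host": Counter(f.host for f in hits),
        "findings": hits,
    }


# Constructed sample inventory (not real scan data).
SAMPLE = [
    Finding("ws-01", "V-1001", Risk.LOCAL_PRIVILEGED, Skill.MODERATE, 400, "browser", exploit_kit=True),
    Finding("ws-01", "V-1002", Risk.LOCAL_ACCESS, Skill.DIFFICULT, 30, "office"),
    Finding("ws-02", "V-1001", Risk.LOCAL_PRIVILEGED, Skill.MODERATE, 400, "browser", exploit_kit=True),
    Finding("srv-01", "V-2001", Risk.REMOTE_PRIVILEGED, Skill.EASY, 900, "server"),
    Finding("srv-01", "V-2002", Risk.EXPOSURE, Skill.NO_KNOWN_EXPLOIT, 10, "server"),
    Finding("srv-02", "V-2003", Risk.REMOTE_AVAILABILITY, Skill.AUTOMATED, 200, "server"),
]

if __name__ == "__main__":
    for label, enabled in (("unmodified", frozenset()), ("with modifications", {"exploit_kits", "browser", "office"})):
        r = report(SAMPLE, enabled)
        print(f"{label}: {r['hosts']} hosts, {r['unique_vulns']} unique vulnerabilities")
        for f in r["findings"]:
            print(f"  {f.host:7} {f.vuln_id} {f.risk.name} / {f.skill.name}")
```

Running the block shows the point of the slide: unmodified, only the Remote Privileged / Easy finding on srv-01 passes the filter, while the browser vulnerability with exploit-kit coverage is invisible to a "Privileged + Automated/Easy" report until the modification promotes it to Remote Privileged / Automated, at which point it appears on both workstations and ranks first.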
The VERT Vulnerability Class Risk Modifications
A few things to know:
- These changes take effect during the installation of ASPL, so the scores won't change until your next ASPL update
- The same is true if you decide to remove one or more of these patches
- The new scores will also appear in your SIH reports
- Scoring trends, metrics, and report filters based on Risk Class will be immediately affected going forward; historical results are not affected
tripwire.com | @TripwireInc
Thank you!