RSA 2013 Presentation: Stacking the Security Deck in Your Favor
Post on 18-May-2015
© 2013 nCircle. All Rights Reserved. nCircle Company Confidential
Stacking the Security Deck in your Favor
Deal yourself a winning hand
Your hand
• Operating Systems
• Databases
• Office Applications
• Networking Gear
• Browsers
The Vulnerability Deck is Increasing
[Chart: vulnerability count over time; vertical axis runs from 0 to 7000]
Aces
Wild Cards
• Custom Apps
• Legacy
• 0-Day
Custom ASPL - Basics
• Rule: RegistryQuery GetKey[HKLM] THEN CHECK Exists
• Explanation: Request the HKLM registry key and check to see if it exists.
Custom ASPL - Basics
• Rule: SEND String[GET / HTTP/1.0\x0d\x0a\x0d\x0a] THEN CHECK Contains/HTTP\/1\.[01] 200/ WITH Offset[0], Length[12]
• Explanation: Send data (in this case an HTTP 1.0 request) to a host and check that the response matches a typical HTTP response pattern in the first 12 bytes of the response data.
Custom ASPL – Now with Python
• Rule:
    EXECUTE {
        rule.CIFSGetFile('C$:\\Windows\\WIN.INI')
        if not rule.success:
            rule.STOP(False)
        transcript = rule.buffer
        transcriptIsFull = True
    }
• Details: Get the contents of C:\Windows\WIN.INI and store them to the rule instance data.
Custom Rules – Now with Python
• Rule:
    EXECUTE {
        import aspl_sshcore
        aspl_sshcore.startSSH(rule)
        rule.SEND('cat /etc/resolv.conf')
        rule.waitForData()
        if '8.8.8.8' not in rule.buffer and '8.8.4.4' not in rule.buffer:
            rule.STOP(True)
        rule.STOP(False)
    }
• Details: Here we’re connecting via SSH to a host to check the /etc/resolv.conf file to determine if we’re using Google’s DNS servers or not. If we aren’t, we fire the rule to inform us of that fact.
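The two checks above (the HTTP banner pattern with Offset[0], Length[12], and the /etc/resolv.conf test) reproduced in plain Python so they can be run offline against constructed data. This is an added example, not nCircle's ASPL code; the sample banner and resolv.conf are constructed. It parses nameserver lines properly instead of doing a raw substring test, so a commented-out "nameserver 8.8.8.8" no longer counts as a configured resolver.

```python
import re

# Constructed sample data (not from the presentation): an HTTP banner and a
# resolv.conf as the two ASPL rules above would see them in rule.buffer.
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n"
SAMPLE_RESOLV = """# constructed /etc/resolv.conf
search corp.example
nameserver 10.0.0.53   ; internal resolver
nameserver 8.8.8.8
"""

# Same pattern as the ASPL rule: HTTP/1.0 or HTTP/1.1 with a 200 status.
HTTP_OK = re.compile(rb"HTTP/1\.[01] 200")
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}


def http_banner_ok(buf: bytes, offset: int = 0, length: int = 12) -> bool:
    """Mirror 'CHECK Contains ... WITH Offset[0], Length[12]': the pattern
    must appear within the `length` bytes that follow `offset`."""
    return HTTP_OK.search(buf[offset:offset + length]) is not None


def nameservers(resolv_text: str) -> list:
    """Return configured nameserver addresses, ignoring comments and
    blank lines (both '#' and ';' start a comment in resolv.conf)."""
    servers = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolv_rule_fires(resolv_text: str) -> bool:
    """Same decision as the SSH rule: True (rule.STOP(True)) when no Google
    resolver is configured, False (rule.STOP(False)) otherwise."""
    return not (GOOGLE_DNS & set(nameservers(resolv_text)))


if __name__ == "__main__":
    print("HTTP check passed:", http_banner_ok(SAMPLE_HTTP))
    print("nameservers:", nameservers(SAMPLE_RESOLV))
    print("DNS rule fires:", resolv_rule_fires(SAMPLE_RESOLV))
```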
Stack the Odds in Your Favor
Heuristic Scoring
Using:
• Time
• Risk Factors
• Skill
Scores from 0 - 55,000+
Adjusting Scores
• Vulnerability Date Modifiers
• Risk Modifiers
• Vulnerability Class Modifiers