Reading the Security Tea Leaves
Lessons learned from processing over 50 million vulnerabilities daily against security breaches in the wild.
SECURITY TEA LEAVES
NOVEMBER 2013
Matt Johansen, Threat Research Center Manager
@mattjay
Ed Bellis, Founder & CEO of Risk I/O
@ebellis
© 2013 WhiteHat Security, Inc.
SPEAKERS
Matt Johansen, Threat Research Center Manager
• BlackHat, DEFCON, RSA Speaker
• Oversees assessment of 15,000+ websites
• Background in Penetration Testing
• Hacker turned Management
• I'm hiring… a lot…
Ed Bellis, Co-Founder, CEO
• Contributing Author, Beautiful Security
• Manages 50M+ vulnerabilities daily
• Background in Baseball
• Former Orbitz CISO, 20+ years experience
• I'm hiring… a lot…
© 2013 Risk IO, Inc.
NICE TO MEET YOU
✓ DataWeek 2012 Top Security Innovator
✓ Chicago & San Francisco
✓ Data-Driven Vulnerability Intelligence Platform
✓ Processing 50M+ Vulnerabilities Daily
ABOUT
WhiteHat Security, Inc.
3970 Freedom Cir #200, Santa Clara, CA 95054
Founded: 2001
Headquartered in Santa Clara, CA
Employees: 260+
WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
Customers: 500+ (banking, retail, healthcare, etc.)
Founded in 2001 by Jeremiah Grossman–a former Yahoo! information security officer–WhiteHat
combines a revolutionary, cloud-based technology platform with a team of leading security experts to
help customers in the toughest, most regulated industries, including e-commerce, financial services,
information technology, healthcare and more.
Dozens of companies in the Fortune 500 rely on WhiteHat to help them prevent website attacks that
could cost them millions.
REPORT
WhiteHat Stats Report
In a recent customer survey for our 2012 WhiteHat
Stats report we were asked what the major reason to
fix a vulnerability was.
Answer: Compliance
We also asked if a choice was made to NOT fix a
vulnerability what the major reason was.
Answer: Compliance.
Something is wrong with this picture. How do we better
prioritize finding and fixing vulnerabilities in our web
applications?
COUNTERTERRORISM
Known Groups
Surveillance
Threat Intel, Analysts
Targets, Layouts
Past Incidents, Close Calls
INFOSEC?
DATA
Industry Vuln Data: WhiteHat Stats Report
Industry Attack Data: Imperva WAF traffic report, Verizon DBIR
In House Vuln Data: Find your vulns!
In House Attack Data: What are the attackers using against YOU!
Data pieces
Groups, Motivations
Exploits
Vulnerability Definitions
Asset Topology, Actual Vulns on System
Learning from Breaches
DEFEND LIKE YOU’VE DONE IT BEFORE
WORK WITH WHAT YOU’VE GOT
Akamai, Safenet
ExploitDB, Metasploit
NVD, MITRE
ARTICLES
Blackhats
Talking to Blackhats gives us great intelligence, even if it’s not always 100% reliable intel.
For those of you who didn’t see the blog posts:
• Blackhat part 1
• Blackhat part 2
• Blackhat part 3
“What are the most used web based vulnerabilities?”
Answer:
• “Adam” admits that he doesn’t keep track
• However, he believed that in his world XSS and SQL injection are the most used
DATA
Most Used Vulns?
“As you read the OWASP top 10 release candidate for 2013 does the order make sense in terms of how risky and/or common they are for companies to have in their sites if you are going to attack them?”
Answer:
• OWASP release candidate is unhelpful (to put it politely).
• The concept of a top 10 vulnerabilities list is “stupid, flawed and inaccurate.”
• For it to be accurate he felt that you would have to update it daily, which is, of course, practically impossible.
VULNERABILITY
OWASP 2013 RC
“How do you feel about LDAP injection, XML injection and XPath injection?”
Answer:
• “gangs” tend not to share information
• However, he wasn’t aware of anyone who was using those.
VULNERABILITY
Esoteric Vulns?
“What are the characteristics of a "good" web application vulnerability?”
Answer:
• Fast to exploit
• Persistent
• Full access (root)
• Ability to deface/redirect
• Ability to wipe IP logs
VULNERABILITY
Useful Vulns?
“Do blackhats prefer command injection, SQL injection and brute force?”
Answer:
• It depended on the target and the value of the compromise
• However, he indicated again that if it’s vulnerable that’s a problem, and it doesn’t really matter how it’s exploited.
• The one exception, on which he did concur with me, is that “new” attacks tend not to be used much.
VULNERABILITY
Preferred Vulns?
“How would you prioritize fixes?”
Answer:
• “Adam” said the hardest vuln to exploit/find would be last to be fixed and the easiest to exploit/find first.
• In his opinion SQL injection would probably be the first to get fixed.
VULNERABILITY
Prioritization
“Any web-application issues that are extremely useful to attackers that aren't on the OWASP top 10?”
Answer:
• Clickjacking
• Denial of Service/DDoS
VULNERABILITY
Additional Vulns
“If followed perfectly, is the OWASP top 10 enough to stop credit card theft through web application vulnerabilities?”
Answer:
• The whole idea of testing for only 10 is “crazy”.
• He felt that the banks are just as bad in many cases as the merchants.
• Small online merchants should be banned outright from handling payment info.
VULNERABILITY
Best Practice?
From these answers we know:
• Blackhats don’t care about lists – the top 10 should only be used for prioritization, not as a matter of completeness or “best practice”
• We were right to focus our energies on certain classes of attack first during human review, but also we know to start focusing on those vulns first during automated scans as well.
• Most valuable vulns to attackers are the most valuable vulns to our customers, so why shouldn’t we prioritize ourselves similarly, while still maintaining the same coverage?
BLACKHATS
Blackhats
SHOW ME THE MONEY
CVSS AND REMEDIATION METRICS
CVSS AND REMEDIATION METRICS - LESSONS FROM A CISO
THE KICKER - LIVE BREACH DATA
CVSS AND REMEDIATION - NOPE
CVSS - A VERY GENERAL GUIDE FOR REMEDIATION - YEP
THE ONE BILLION DOLLAR QUESTION
Probability(You Will Be Breached On A Particular Open Vulnerability)?
1.98%
I LOVE IT WHEN YOU CALL ME BIG DATA
ENTER, THE SECURITY MENDOZA LINE
Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”?
Alex Hutton comes up with the Security Mendoza Line
http://riskmanagementinsight.com/riskanalysis/?p=294
Josh Corman expands the Security Mendoza Line
“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
I LOVE IT WHEN YOU CALL ME BIG DATA
Data!
• We have another piece of the puzzle. What the bad guys are actually using.
• Prioritization of testing and finding.
• Prioritization of mitigating and fixing.
DATA
How do we utilize this?
Use all the Industry and in house data to figure out what to try to test for across your entire web footprint.
SQLi being used heavily by attackers? FIND ALL OF THEM!
Command Injection not being used as much? Find it but not until you find every single SQLi.
PRIORITY
Prioritize Testing & Finding
Nobody likes the pile of bug tickets that show up after a vulnerability assessment.
Virtual patch to buy time. IDS blaring alarms of XSS? Turn up the WAF rules for XSS. It will help block low-hanging-fruit scanners.
Prioritize your bug tickets for Devs in swallowable chunks. What sounds better? “Ok team, let's figure out how to parameterize our SQL queries and go through site by site and implement that.” OR “$Web_Scanner found 120 pages of vulns! Fix them now!!!110101”
FIXING
Prioritize Mitigating & Fixing
I LOVE IT WHEN YOU CALL ME BIG DATA
Spray and Pray => 2%
CVSS 10 => 4%
Metasploit + ExploitDB => 30%
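One way to turn the "prioritize testing and finding" and "prioritize mitigating and fixing" slides above, together with the breach rates on this slide, into a working ranking. This is an added example, not code from the talk or from WhiteHat or Risk I/O: the 2%, 4% and 30% figures are the slide's; the sample findings, the IDS hit counts, the field names and the combination rule (take the highest applicable rate, order classes by in-house attack volume, one ticket per class) are my own assumptions.

```python
from collections import OrderedDict

# Observed probability that an open vulnerability gets breached (from the slide).
RATE_SPRAY_AND_PRAY = 0.02   # any open vuln, no other signal
RATE_CVSS_10 = 0.04          # CVSS base score of 10 on its own
RATE_PUBLIC_EXPLOIT = 0.30   # a Metasploit or ExploitDB module exists

# Constructed sample data; field names and values are assumptions for this example.
FINDINGS = [
    {"id": "F-1", "site": "shop", "cls": "sqli", "cvss": 7.5, "public_exploit": True},
    {"id": "F-2", "site": "blog", "cls": "xss",  "cvss": 4.3, "public_exploit": False},
    {"id": "F-3", "site": "api",  "cls": "cmdi", "cvss": 10.0, "public_exploit": False},
    {"id": "F-4", "site": "shop", "cls": "sqli", "cvss": 6.5, "public_exploit": False},
    {"id": "F-5", "site": "api",  "cls": "xss",  "cvss": 4.3, "public_exploit": True},
]
# In-house attack data: IDS/WAF hits per vulnerability class this week (constructed).
IDS_HITS = {"sqli": 340, "xss": 120, "cmdi": 3}


def breach_likelihood(f):
    """Highest observed breach rate whose condition the finding meets."""
    rate = RATE_SPRAY_AND_PRAY
    if f["cvss"] >= 10.0:
        rate = max(rate, RATE_CVSS_10)
    if f["public_exploit"]:
        rate = max(rate, RATE_PUBLIC_EXPLOIT)
    return rate


def rank_classes(findings, ids_hits):
    """Order classes: what attackers hit most in-house first, ties broken by
    the highest breach likelihood among that class's open findings."""
    classes = {f["cls"] for f in findings}
    key = lambda c: (ids_hits.get(c, 0),
                     max(breach_likelihood(f) for f in findings if f["cls"] == c))
    return sorted(classes, key=key, reverse=True)


def batch_tickets(findings, ids_hits):
    """One dev ticket per class (e.g. 'parameterize SQL queries across sites'),
    in rank order; findings inside a ticket sorted by breach likelihood."""
    tickets = OrderedDict()
    for cls in rank_classes(findings, ids_hits):
        members = sorted((f for f in findings if f["cls"] == cls),
                         key=lambda f: (-breach_likelihood(f), f["id"]))
        tickets[cls] = [f["id"] for f in members]
    return tickets


def virtual_patch_candidates(ids_hits, min_hits=100):
    """Classes the IDS is seeing in volume: turn up the WAF rules for these now."""
    return sorted((c for c, n in ids_hits.items() if n >= min_hits),
                  key=lambda c: -ids_hits[c])
```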
RoR case study timeline (hope to get the actual visual from our customer)
Shows importance of staying on top of bugs that are being actively exploited and prioritizing the finding and fixing of them.
CASE STUDY
Case Study
• 1/8/2013 Rails team releases patches and blog post describing critical vulnerabilities in the Rails framework
• 1/8/2013 Security Team receives notification from Intelligence team about Rails vulnerability
• 1/9/2013 Security Team receives notification from WhiteHat with findings of Rails vulnerability
• 1/9/2013 Security Team notifies Developer Team about the new vulnerabilities
• 1/9/2013 Highest priority site upgraded to fully remediate the vulnerability
• 1/10/2013 Metasploit releases a command injection exploit for CVE-2012-0156
• 1/10/2013 IDS signatures updated to detect/prevent exploitation
• 1/11/2013 The rest of the vulnerable applications apply temporary workaround patch
• 1/11/2013 Security Team receives first exploit attempt notification from IDS. The exploit was attempted from a Russian Federation IP address.
• 1/13/2013 Another exploit attempt seen against large application from Germany
2 Hours between workaround and first identified exploit attempt!
Matt Johansen, Threat Research Center Manager
@mattjay
Ed Bellis, Founder & CEO of Risk I/O
@ebellis
THANK YOU