RSA 2013 Presentation: Stacking the Security Deck in your Favor


Uploaded by: ncircle-a-tripwire-company

Posted on: 18-May-2015

Category: Technology

DESCRIPTION

Lamar Bailey, nCircle's director of security research and development, walks you through how to deal yourself a winning hand with your security products. A YouTube video of Lamar's presentation is available through the link below: http://youtu.be/ogTBB7w1XyM

TRANSCRIPT

Page 1: RSA 2013 Presentation: Stacking the Security Deck in your Favor

© 2013 nCircle. All Rights Reserved. nCircle Company Confidential

Stacking the Security Deck in your Favor

Deal yourself a winning hand

Page 2: Your hand

• Operating Systems
• Databases
• Office Applications
• Networking Gear
• Browsers

Page 3: The Vulnerability Deck is Increasing

[Chart: y-axis ticks run from 0 to 7,000; the plotted series itself is not present in the transcript.]

Page 4: Aces

Page 5: Wild Cards

• Custom Apps
• Legacy
• 0-Day

Page 6: Custom ASPL - Basics

• Rule: RegistryQuery GetKey[HKLM] THEN CHECK Exists

• Explanation: Request the HKLM registry key and check to see if it exists.

Page 7: Custom ASPL - Basics

• Rule: SEND String[GET / HTTP/1.0\x0d\x0a\x0d\x0a] THEN CHECK Contains/HTTP\/1\.[01] 200/ WITH Offset[0], Length[12]

• Explanation: Send data (in this case an HTTP/1.0 request) to a host and check that the first 12 bytes of the response match the pattern HTTP/1.[01] 200, i.e. a success status line from an HTTP/1.0 or HTTP/1.1 server. Because the check is limited to Offset[0], Length[12], the pattern has to be the status line itself; the same string appearing later in the body does not satisfy the rule.
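The check on this slide, reimplemented as an added Python example; this is not code from the nCircle deck or the ASPL engine. check_contains stands in for CHECK Contains/.../ WITH Offset[n], Length[m] (its window semantics are assumed from the slide's prose), probe_host is the live equivalent of SEND, and the sample responses are constructed here, not captured from any host.

```python
import re
import socket

# The probe and pattern from the slide's rule. "HTTP/1.0 200" and
# "HTTP/1.1 200" are both exactly 12 bytes, which is why the rule
# limits the check to Offset[0], Length[12].
PROBE = b"GET / HTTP/1.0\x0d\x0a\x0d\x0a"
STATUS_OK = re.compile(rb"HTTP/1\.[01] 200")


def check_contains(buffer, pattern, offset=0, length=None):
    """Stand-in for CHECK Contains/.../ WITH Offset[n], Length[m]: the
    pattern is searched only inside buffer[offset:offset+length].
    (Assumed semantics; the slide describes the modifiers only in prose.)"""
    end = None if length is None else offset + length
    return pattern.search(buffer[offset:end]) is not None


def http_200_rule(response):
    """The slide's rule: match when the first 12 bytes are an HTTP/1.x 200 status line."""
    return check_contains(response, STATUS_OK, offset=0, length=12)


def unanchored_rule(response):
    """Same pattern without the window, to show what Offset/Length prevents."""
    return check_contains(response, STATUS_OK)


def probe_host(host, port=80, timeout=5.0):
    """Live equivalent of SEND: connect, send the probe, read enough of the
    reply to evaluate the rule. Not used by the offline checks below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROBE)
        response = b""
        while len(response) < 12:
            chunk = sock.recv(4096)
            if not chunk:
                break
            response += chunk
    return response


# Constructed responses, not captured from any real host.
SAMPLES = {
    "ok_http11": b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n",
    "ok_http10": b"HTTP/1.0 200 OK\r\n\r\n",
    "not_found": b"HTTP/1.1 404 Not Found\r\n\r\n",
    "shifted": b"\r\nHTTP/1.1 200 OK\r\n\r\n",   # status line starts at byte 2
    "body_only": b"<p>HTTP/1.1 200</p>",          # the string appears, but not as a status line
}


def evaluate_samples():
    """Map each sample to (windowed rule result, unanchored result)."""
    return {name: (http_200_rule(r), unanchored_rule(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (windowed, anywhere) in evaluate_samples().items():
        print(f"{name:10s} windowed={windowed!s:5s} anywhere={anywhere}")
```

Only the two genuine 200 responses satisfy the windowed rule; the shifted status line and the body that merely contains the string satisfy the unanchored pattern but not the 12-byte window, which is the difference the Offset/Length modifiers buy you.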

Page 8: Custom ASPL – Now with Python

• Rule:
  EXECUTE {
      rule.CIFSGetFile('C$:\\Windows\\WIN.INI')
      if not rule.success:
          rule.STOP(False)
      transcript = rule.buffer
      transcriptIsFull = True
  }

• Details: Fetch C:\Windows\WIN.INI over CIFS (via the C$ share) and store its contents in the rule instance data. If the fetch fails, the rule stops without firing.

Page 9: Custom Rules – Now with Python

• Rule:
  EXECUTE {
      import aspl_sshcore
      aspl_sshcore.startSSH(rule)
      rule.SEND('cat /etc/resolv.conf')
      rule.waitForData()
      if '8.8.8.8' not in rule.buffer and '8.8.4.4' not in rule.buffer:
          rule.STOP(True)
      rule.STOP(False)
  }

• Details: Connect to the host over SSH and read /etc/resolv.conf to determine whether it is using Google's DNS servers (8.8.8.8 or 8.8.4.4). If neither address appears in the output, the rule fires (STOP(True)) to report that; otherwise it does not fire (STOP(False)).
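The same decision as the rule above, written as an added Python example rather than code from the deck or the ASPL engine. substring_rule is the slide's check as written; parsed_rule decides on the active nameserver directives instead, which goes beyond the slide in handling commented-out lines and look-alike addresses. The resolv.conf contents are constructed for the example.

```python
import ipaddress

# The two addresses the slide's rule looks for.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}


def nameservers(resolv_conf):
    """Return the addresses of the active 'nameserver' directives in a
    resolv.conf(5) text. Comment lines ('#' or ';') and anything after
    the address on a line are ignored, as the resolver ignores them;
    malformed addresses are skipped."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                continue
    return servers


def substring_rule(resolv_conf):
    """The slide's check as written: fires (True) when neither string
    occurs anywhere in the file."""
    return "8.8.8.8" not in resolv_conf and "8.8.4.4" not in resolv_conf


def parsed_rule(resolv_conf):
    """Same policy decided on parsed directives: fires when no active
    nameserver is one of the Google resolvers."""
    return not any(ns in GOOGLE_DNS for ns in nameservers(resolv_conf))


# Constructed resolv.conf contents, not taken from any real host.
SAMPLES = {
    "google": "nameserver 8.8.8.8\nnameserver 8.8.4.4\n",
    "internal": "search corp.example\nnameserver 10.0.0.53\n",
    "commented_out": "# nameserver 8.8.8.8\nnameserver 10.0.0.53\n",
    "lookalike": "nameserver 8.8.8.80\n",
    "trailing_comment": "nameserver 8.8.8.8 # primary\n",
}


def compare_rules():
    """Map each sample to (substring_rule fires, parsed_rule fires)."""
    return {name: (substring_rule(t), parsed_rule(t)) for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sub, parsed) in compare_rules().items():
        print(f"{name:17s} substring_fires={sub!s:5s} parsed_fires={parsed}")
```

The two checks agree on the straightforward files. They part ways on the commented-out line and on 8.8.8.80, both of which the substring check reads as "Google DNS in use" even though the host is resolving elsewhere, so the rule stays silent exactly where you would want it to fire.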

Page 10: Stack the Odds in Your Favor

Heuristic Scoring

Using:
• Time
• Risk Factors
• Skill

Scores range from 0 to 55,000+

Page 11: Adjusting Scores

Modifiers:
• Vulnerability Date Modifiers
• Risk Modifiers
• Vulnerability Class