Vulnerability / Cybersecurity Research Discussion
Dwayne Melancon, CISA
Chief Technology Officer and VP of Research & Development
Tripwire delivers advanced threat protection, security, and compliance solutions
> 9,000+ Customers in 96 Countries
> $$$ Profitable
> 450+ Employees
> $195M+ Annual
Threat Landscape
> Percentage of breaches that could be prevented by remediating known vulnerabilities (US-CERT)
> Average time to detect an advanced persistent threat on a corporate network (Mandiant)
> Percentage of unauthorized data access that was through compromised servers (Verizon DBIR)
> Days the average malicious data breach took to resolve (Ponemon)
Solution: Adaptive Threat Protection
> Endpoint Intelligence
> Vulnerability Intelligence
> Threat Intelligence
> Threat Analytics
> Forensics
> Zero-Day Detection
> Threat Response
> Log & Event Intelligence
Vulnerabilities
Most Common Programmatic Vulnerability Types
> Buffer Overflow
> Format String
> Race Condition
> Privilege Escalation
> Denial of Service
Buffer Overflows
> Program requires first name input
> Developer writes char firstName[10]
> User’s name is ‘Christopher’.
> Program crashes
> Attacker exploits this to control the return address (EIP)
Images from Wikipedia: Stack buffer overflow
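The slide's firstName[10] case, as an added example that is not part of the original deck: the unbounded copy the slide describes beside a bounded version that checks the length before copying. The function names and the 10-byte NAME_LEN are assumptions chosen to match the slide.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 10   /* the developer's char firstName[10] from the slide (assumed size) */

/* The pattern the slide describes: a fixed 10-byte stack buffer filled by an
 * unbounded copy. "Christopher" is 11 characters plus the terminator, so
 * strcpy writes 2 bytes past the end of firstName and corrupts whatever sits
 * after it on the stack (saved registers, the return address). Shown for
 * contrast only; it is never called below. */
void unsafe_store_name(const char *input)
{
    char firstName[NAME_LEN];
    strcpy(firstName, input);          /* no length check: overflow */
    printf("Hello, %s\n", firstName);
}

/* Hardened form: the caller passes the buffer size, the function measures the
 * input first and refuses anything that does not fit together with its NUL
 * terminator. Returns 0 when the name was stored, -1 when it was rejected.
 * Rejecting (rather than silently truncating) keeps the failure visible. */
int store_name(char *dst, size_t dst_len, const char *input)
{
    size_t n = strlen(input);
    if (dst_len == 0 || n >= dst_len) {
        return -1;                     /* too long: n characters need n + 1 bytes */
    }
    memcpy(dst, input, n + 1);         /* n + 1 copies the terminator as well */
    return 0;
}

/* Returns 1 if the name fits in a NAME_LEN buffer, 0 otherwise. */
int name_fits(const char *input)
{
    char firstName[NAME_LEN];
    return store_name(firstName, sizeof firstName, input) == 0;
}

int main(void)
{
    printf("Chris fits: %d\n", name_fits("Chris"));              /* 1 */
    printf("Christopher fits: %d\n", name_fits("Christopher"));  /* 0 */
    return 0;
}
```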
Format String Injection
> Often involves improper use of printf
> Allows potential disclosure and manipulation of memory
> Can allow privilege escalation, arbitrary execution of commands
Race Condition
A program that checks something and then uses it. Sometimes referred to as TOCTTOU (TOCK-too)
> “Time Of Check vs. Time Of Use”
E.g.
> A SUID program checks to see if a user has permission to access a file, then accesses the file with SUID permissions.
> A program checks to see if a file exists, then writes data to that file.
In either case there is a race between the attacker and the software: the attacker tries to change what is being accessed in the window between the check and the use.
Privilege Escalation
The ability to take yourself from a regular user to Administrator/root to SYSTEM (or any single step).
> Program abc.exe runs as a service as LocalSystem.
> User replaces abc.exe with cmd.exe.
> cmd.exe now runs as LocalSystem instead of running as User.
Denial of Service
Attacks which prevent a system or program from providing service.
E.g.
> Resource Utilization
> E.g. HTTP POST Attacks
> Crash Condition
> E.g. Buffer Overflow
Finding Vulnerabilities
Five primary ways:
> Fuzzing
> Reverse Engineering
> Static Code Analysis
> Manual Testing
> Accidental Discovery
What Do We Do With Them?
MITRE & NIST – Vulnerability Normalization
CVE
> Dictionary of publicly known vulnerabilities
> E.g. CVE or CVE
CPE
> Dictionary of Platforms (Apps & OSs)
> E.g. cpe:/o:microsoft:windows_xp::gold
> E.g. cpe:/a:microsoft:windows_explorer
CWE
> Dictionary of publicly known weaknesses (programming flaws)
> E.g. CWE-120 (Classic Buffer Overflow)
CVE – CWE: Why Vulnerabilities, Exposures & Weaknesses
> A vulnerability is a unique instance of a flaw that leads to access to a system or network.
> An exposure is a unique instance of a flaw that reveals information about a system or network.
> A weakness is the generic flaw that leads to the unique instance described by a vulnerability or exposure.
In other words, each CVE is based on at least one CWE.
Responsible Disclosure
Responsible Disclosure
> Allows entities to correct “Zero Day” vulnerabilities prior to public disclosure
> Essentially a “code of ethics” for white hat researchers
Process (typical):
> Researcher discovers vulnerability
> Researcher reports vulnerability to vendor / creator
> Dialog occurs between researcher and vendor
> Fix is made available (typically in a patch)
> Vulnerability is publicly disclosed
> Note: Some organizations pay for responsible disclosure via “bug bounties” or similar programs
Q&A