Vulnerability Analysis And Assessment
Monther Aldwairi

Hacking Steps
1. Reconnaissance: Information Gathering
   1. Footprinting
   2. Port Scanning
2. Enumeration / Threat Modeling / Vulnerability Analysis
3. Exploitation / Gaining Access / System Hacking
4. Post Exploitation
   • Privilege Escalation
   • Lateral Movement
   • Maintaining Access
   • Clearing Tracks
5. Reporting / Exfiltration

Terms
• Threat: a possible danger that might damage your computer network.
  • It is important to identify threats, but they cannot be controlled.
  • Threats can cause harm when your organization has security vulnerabilities (the burglar, or the burglary).
• Vulnerability: being susceptible to an attack due to security flaws in your system.
  • Vulnerabilities can be identified and corrected to protect your organization (the door you forgot to lock).
• Risk: the potential for damage when a threat exploits a vulnerability.

Cyber Threat Intelligence
• Cyber Threat Intelligence (CTI) collects and analyzes data to determine the motivations, targets and TTPs (Tactics, Techniques, and Procedures) of cyber attacks and threat actors against your organization.
• Cyber threat intelligence life cycle:
  1. Planning: determining the purpose, objectives and requirements of the CTI (consumers: SOC analysts, security products such as IPS/IDS/EDR/firewalls, SIEM).
  2. Data Collection & Processing: collecting data and making it ready for analysis (threat hunters and incident responders).
  3. Analysis: analyzing the processed data, transforming the information into intelligence and making it ready for sharing.
  4. Dissemination & Feedback: sharing threat intelligence data and determining whether arrangements should be made for future threat intelligence operations.

Cyber Threat Hunting?
• Unlike most other SecOps activities, cyber threat hunting is a proactive, human-led defense activity that seeks out threat actors before they successfully launch an attack on your system.
• The goal is to intercept potential attacks before damage is done, or to mitigate the damage of an attack in progress.
• Threat analysts (with security, forensics, and intelligence analysis skills) work with your security teams to build indicators of compromise (IOCs) and to profile the TTPs of your adversary.
• The threat hunter seeks out evidence of malicious activity that did not generate security alerts, using data analytics tools.
• Threat hunting is particularly needed in battling APTs, which start with an initial undetected compromise and then build out long-term, multi-phase attacks.

Threat Hunting Tactics
1. Recognizing Suspicious Software. Identify by process name or by process hash.
2. Behavior Changes (monitoring processes).
3. Scripting Abuse (monitor for execution of scripting engines: cscript, wscript, and powershell).
4. Antivirus Follow-Up.
5. Persistence. Monitor programs that run every time the system boots up, a user logs on, etc.
6. Lateral Movement. Monitor unusual user/endpoint logon combinations, as well as abnormal network connections made between systems.
7. Bait the Bad Guys. Honeypots, deliberately exposed ports, weak passwords, etc.

Vulnerability Management
• Vulnerability management is a proactive approach to mitigating or preventing the exploitation of IT vulnerabilities.
• The goal is to reduce the likelihood that your system will be compromised.
1. Keep up with security threats and trends.
2. Install, configure and continuously update your vulnerability management software.
   • Automated vulnerability scanners allow you to regularly search for and identify vulnerabilities.
3. You are likely to find thousands of vulnerabilities.
   • Classify and define the severity of each vulnerability and the level of risk it poses to your company.
4. Mitigate.
   Determine how you will prevent vulnerabilities from being exploited.
   • Patch promptly, or automate with patch management tools (see the NIST Guide to Patch Management).
5. Reporting and Notification. Sharing information about how vulnerabilities are being exploited by adversaries can help defenders across the world.

Vulnerability Response
• Standard vulnerability management programs include phases for identifying, analyzing, remediating, and reporting vulnerabilities.
• Proactively identify reports of vulnerabilities that are actively exploited in the wild by monitoring threat feeds and information sources:
  • CISA/US-CERT National Cyber Awareness System (NCAS)
  • CISA Binding Operational Directive (BOD), to manage the unacceptable risk of known vulnerabilities
  • NIST's National Vulnerability Database (NVD)
  • CVE Details
  • MITRE CVE, Common Weakness Enumeration (CWE)
  • Common Vulnerability Scoring System (CVSS)
  • OSVDB (Open Source Vulnerability Database)
  • Chinese National Vulnerability Database (CNVD)
• Internal SOC monitoring and incident response.

Remediation
• In most cases, remediation should consist of patching!
• Other mitigations (when patches do not exist or have not been tested yet):
  1. Limiting access;
  2. Isolating vulnerable systems, applications, services, profiles, or other assets;
  3. Making permanent configuration changes;
  4. Disabling services, reconfiguring firewalls to block access;
  5. Increasing monitoring to detect exploitation.

Common Vulnerabilities
• Major categories of network vulnerabilities:
  1. Software or firmware defects (see the following slides)
  2. Configuration or implementation errors
     • Apache HTTP Server configuration: MaxClients (the number of concurrent clients) has a default value of 256.
     • The server must have the memory capacity to process that many simultaneous requests.
  3. Process or procedure weaknesses: vulnerabilities that result from human error
     • More difficult to detect and fix
     • Policy is violated
     • Solutions ➔ awareness and training sessions for employees

Defects in Software or Firmware
1. Buffer overruns (overflows)
2. Integer overflows (the programmer does not restrict data to the data type's size boundaries)
3. Format string problems (user input passed to a formatting function without validation)
4. C++ catastrophes (uninitialized function pointers)
5. Failure to handle errors correctly
6. Catching exceptions (incorrect or intercepting error-handling calls)
7. Injection (the program does not properly validate user input)
8. Failure to protect stored data (protect data both in transit and at rest)
9. Information leakage (release of sensitive data outside the intended organization)
10. Race conditions (two threads, processes, or applications can modify a resource without ensuring the desired order of events)
11. Poor usability (the application is difficult to work with, so users find ways to bypass security features)
12. Not updating easily
13. Executing code with too much privilege
14. Weaknesses introduced with mobile code (ActiveX controls, Flash applications, Java applets)
15. Weak password-based systems
16. Weak random numbers
17. Using cryptography incorrectly
18. Failing to protect network traffic (eavesdropping)
19. Improper use of PKI, especially SSL
20. Trusting network name resolution (DNS manipulation)

Finding Vulnerabilities
• Manual process of penetration testing
• Various automated tools available:
  • Footprinting
  • Port scanners
  • Vulnerability scanners (Nessus, OpenVAS, GFI LanGuard, Qualys Cloud Platform)
  • Web scanners
  • Fuzzers, which produce a variety of user inputs and monitor programs for unexpected crashes or outcomes
  • Packet sniffers and MiTM tools (Wireshark, Ettercap, Cain and Abel)
  • Wireless security tools (Kismet, NetStumbler, AirSnare, Vistumbler, Aircrack-ng)
  • Firewall analysis tools (Firewalk, wafw00f)

Penetration Testing Frameworks
1. Metasploit
2. MITRE ATT&CK
3. Immunity's CANVAS
4. CORE Impact
5. Cobalt Strike
6. Burp Suite

Vulnerability Disclosure
• Approaches to handling the disclosure of vulnerabilities:
  • Full disclosure
  • Delayed disclosure
    • Disclose only after a fix is available
  • Responsible disclosure
    • Report the vulnerability to the vendor first
    • Allow the vendor time to fix it
• SANS Internet Storm Center monitors the level of malicious activity on the Internet
• Information Sharing and Analysis Center (IT-ISAC)
• Forum of Incident Response and Security Teams (FIRST) enables reactive and proactive incident
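Three of the Threat Hunting Tactics above (recognizing suspicious software by name or hash, scripting abuse, and unusual user/endpoint logon combinations) translate directly into checks over endpoint telemetry. The following is an added example written for these notes, not code from the slides or from any product. The process and logon events, the baseline of expected binary locations, and the "known bad" hash value are all constructed for illustration; the hash is a placeholder, not a real indicator of compromise.

```python
"""Threat-hunting checks over constructed endpoint telemetry (added example)."""
from collections import Counter
from pathlib import PureWindowsPath

# Tactic 3: scripting engines whose execution is worth reviewing.
SCRIPT_ENGINES = {"cscript.exe", "wscript.exe", "powershell.exe"}

# Tactic 1 (by name): where commonly impersonated system binaries are expected to live.
# Constructed baseline; a real one is built from a known-good image of the fleet.
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Tactic 1 (by hash): placeholder value standing in for a threat-intelligence hash feed.
KNOWN_BAD_HASHES = {"PLACEHOLDER_KNOWN_BAD_SHA256"}

# Constructed process-creation events (hypothetical hosts, users and paths).
PROCESS_EVENTS = [
    {"host": "ws-01", "user": "alice", "sha256": "aaaa0000",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws-01", "user": "alice", "sha256": "bbbb0000",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Downloads\invoice.vbs"},
    {"host": "ws-02", "user": "bob", "sha256": "PLACEHOLDER_KNOWN_BAD_SHA256",
     "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe"},
    {"host": "srv-db", "user": "svc_backup", "sha256": "cccc0000",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]

# Constructed logon events: a baseline period and a recent window to compare against it.
BASELINE_LOGONS = [
    {"user": "alice", "host": "ws-01"},
    {"user": "bob", "host": "ws-02"},
    {"user": "svc_backup", "host": "srv-db"},
]
RECENT_LOGONS = [
    {"user": "alice", "host": "ws-01"},
    {"user": "alice", "host": "ws-02"},
    {"user": "alice", "host": "srv-db"},
    {"user": "bob", "host": "ws-02"},
]


def _name(image):
    return PureWindowsPath(image).name.lower()


def _parent(image):
    return str(PureWindowsPath(image).parent).lower()


def hunt_processes(events):
    """Return (host, finding, detail) tuples for tactics 1 and 3."""
    findings = []
    for ev in events:
        name = _name(ev["image"])
        if ev["sha256"] in KNOWN_BAD_HASHES:
            findings.append((ev["host"], "known-bad-hash", name))
        expected = EXPECTED_DIRS.get(name)
        if expected and _parent(ev["image"]) != expected:
            # A system binary name running from a user-writable directory.
            findings.append((ev["host"], "masquerading-path", ev["image"]))
        if name in SCRIPT_ENGINES:
            findings.append((ev["host"], "script-engine", ev["cmdline"]))
    return findings


def baseline_logons(history):
    """The set of (user, host) pairs seen during the baseline period."""
    return {(e["user"], e["host"]) for e in history}


def hunt_logons(baseline, recent):
    """Tactic 6: logons whose user/endpoint pair is new, and users reaching
    two or more new hosts in the window (a fan-out typical of lateral movement)."""
    new_pairs = [(e["user"], e["host"]) for e in recent
                 if (e["user"], e["host"]) not in baseline]
    per_user = Counter(user for user, _ in new_pairs)
    return {"new_pairs": new_pairs,
            "fan_out": {u: n for u, n in per_user.items() if n >= 2}}


if __name__ == "__main__":
    for f in hunt_processes(PROCESS_EVENTS):
        print("process:", f)
    print("logons:", hunt_logons(baseline_logons(BASELINE_LOGONS), RECENT_LOGONS))
```

The checks deliberately produce leads rather than verdicts: a script engine run by a backup account from System32 is probably routine, while the same engine opening a file from a Downloads folder, or a `svchost.exe` in a Temp directory with a feed-matched hash, is what the hunter follows up on. The logon check only works against a baseline long enough to capture normal administrative patterns; with a short baseline, every admin looks like lateral movement.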
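The Vulnerability Management, Vulnerability Response and Remediation slides describe one workflow: classify each scanner finding by severity and risk, raise the priority of anything reported as exploited in the wild, patch where a patch exists, and fall back to the listed compensating controls where it does not. The code below is an added example of that triage logic, not code from the slides or from any scanner; the scanner export, the CVE identifiers (placeholders of the form CVE-0000-NNNNN, not real entries) and the "exploited in the wild" set are constructed. The severity bands follow the CVSS v3.x qualitative rating scale.

```python
"""Vulnerability triage: severity, exploitation status, remediation choice (added example)."""
import csv
import io

# Constructed scanner export. The CVE ids are placeholders, not real identifiers.
# The first finding is listed twice, as scanners often do when several plugins hit.
SCAN_EXPORT = """\
asset,cve,cvss,patch_available,internet_exposed
web-01,CVE-0000-00001,9.8,yes,yes
web-01,CVE-0000-00001,9.8,yes,yes
web-01,CVE-0000-00002,5.3,no,yes
db-01,CVE-0000-00003,7.5,yes,no
db-01,CVE-0000-00004,3.1,no,no
hr-ws-07,CVE-0000-00005,6.5,no,no
"""

# Constructed stand-in for a feed of vulnerabilities actively exploited in the wild
# (the kind of list the NCAS, BOD or NVD monitoring on the slides would supply).
EXPLOITED_IN_THE_WILD = {"CVE-0000-00005"}


def cvss_severity(score):
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_scan(text):
    """Parse the export and collapse duplicate (asset, cve) findings."""
    rows = {}
    for r in csv.DictReader(io.StringIO(text)):
        key = (r["asset"], r["cve"])
        if key in rows:
            continue
        rows[key] = {
            "asset": r["asset"],
            "cve": r["cve"],
            "cvss": float(r["cvss"]),
            "patch_available": r["patch_available"] == "yes",
            "internet_exposed": r["internet_exposed"] == "yes",
        }
    return list(rows.values())


def priority(finding):
    """1 = fix first. Known exploitation outranks the raw score; exposure raises a band."""
    if finding["cve"] in EXPLOITED_IN_THE_WILD:
        return 1
    sev = cvss_severity(finding["cvss"])
    exposed = finding["internet_exposed"]
    if sev == "Critical" or (sev == "High" and exposed):
        return 2
    if sev == "High" or (sev == "Medium" and exposed):
        return 3
    return 4


def remediation(finding):
    """Patch when possible; otherwise pick a compensating control from the Remediation slide."""
    if finding["patch_available"]:
        return "patch promptly (automate via patch management tooling)"
    if finding["internet_exposed"]:
        return "block access at the firewall and isolate the vulnerable service until a patch exists"
    return "limit access and increase monitoring to detect exploitation until a patch exists"


def triage(text):
    """Return findings enriched with severity, exploitation flag, priority and action,
    ordered by priority and then by descending CVSS score."""
    findings = parse_scan(text)
    for f in findings:
        f["severity"] = cvss_severity(f["cvss"])
        f["exploited"] = f["cve"] in EXPLOITED_IN_THE_WILD
        f["priority"] = priority(f)
        f["action"] = remediation(f)
    return sorted(findings, key=lambda f: (f["priority"], -f["cvss"]))


if __name__ == "__main__":
    for f in triage(SCAN_EXPORT):
        print(f"P{f['priority']} {f['asset']:<9} {f['cve']} {f['severity']:<8} -> {f['action']}")
```

Note what the ordering does to the constructed data: the medium-scored finding on an HR workstation goes to the top because the feed reports it as exploited, ahead of a critical-scored finding that has a patch ready. That is the point of the Vulnerability Response slide: CVSS alone ranks by theoretical impact, while exploitation reports rank by what adversaries are actually doing.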