1.
Vulnerability and Exploit Trends: Combining behavioral analysis
and OS defenses to combat emerging threats
Cody Pierce, Director of Vulnerability Research

2.
About myself
 6 years researching vulnerabilities at Endgame
 4 years as a senior researcher for TippingPoint Zero Day
Initiative
 Discovered dozens of vulnerabilities in major vendor
software for over a decade

3.
Vulnerabilities do not compromise systems. An
exploit is needed to effectively demonstrate the
impact of flaws.

4.
Sample
 Vulnerabilities covering 2006 - 2014
 NVD CVE XML data set
 CVSS Score Medium+
 Counted vendors have a minimum of 5 CVE per year or
15 CVE total.
 Category grouping using CWE (Common Weakness
Enumeration)
 Exploits cross-referenced by CVE ID with Metasploit,
Core Impact, and Canvas

5.
Sample Size
 18,027 Qualifying CVE Entries
 34% of Total CVE Entries

6.
0
500
1000
1500
2000
2500
3000
3500
2006 2007 2008 2009 2010 2011 2012 2013 2014
CVE Entries
Total CVEs over timeNumberofCVEs

7.
Resource
Management/Use
After Free
10%
Race Condition
1%
Cross-Site Request
Forgery (CSRF)
2%
Cryptographic Issues
3%
Improper
Authentication/Authenti
cation Bypass
3%
Privilege Escalation
13%
Credentials
Management
1%
Credential
Management
0%
Information
Exposure
5%
Information
Management Errors
0%
Numeric
Errors
5%
Format String
0%
Buffer Mismanagement
21%
Code Injection
5%
SQL Injection
4%
Cross Site Scripting
11%
Command
Injection/Shell
Injection
0%
Command Injection
0%
Input Validation
0%
Link Following/Symlink
Attack
1%
Path
Traversal
2%
Input Validation
12%
Data Handling
0%
Design Flaw
0%
Configuration
1%
Total CWE distribution

8.
0
100
200
300
400
500
600
700
2006 2007 2008 2009 2010 2011 2012 2013 2014
Auth Bypass Buffer Mismanagement Privilege Escalation Input Validation SQL Injection
Sampling of CWE over time
NumberofCVEs

9.
Observation
Vulnerability discoveries are increasing but
category distribution appears consistent

10.
Why?
An increase in the size of the security
community, and advancement in tools and
techniques has led to the increase in
vulnerability discoveries

11.
0
500
1000
1500
2000
2500
3000
3500
2006 2007 2008 2009 2010 2011 2012 2013 2014
Exploited CVE Total CVE
CVEs compared to CVE exploitsNumberofCVEs

12.
Resource
Management/Use
After Free
6%
Race Condition
1%
Cross-Site Request
Forgery (CSRF)
0%
Cryptographic
Issues
1%Improper
Authentication/Authen
tication Bypass
2%
Privilege Escalation
10%
Credentials
Management
1%
Information
Exposure
2%
Numeric Errors
3%
Format String
1%
Buffer
Mismanagement
38%
Code Injection
14%
SQL
Injection
2%
Cross Site
Scripting
1%
Command
Injection/Shell
Injection
2%
Command
Injection
0%
Link Following/Symlink
Attack
0%
Path Traversal
5%
Input Validation
11%
Data Handling
0%
Configuration
1%
Exploited CWE distribution

13.
0
10
20
30
40
50
60
2006 2007 2008 2009 2010 2011 2012 2013 2014
Sampling of Exploited CWE Over Time
Auth Bypass Buffer Mismanagement Privilege Escalation Input Validation SQL Injection
Sampling of exploited CWE over time

14.
Observation
The number of public exploits is small and in
relative decline compared to vulnerabilities

15.
Why?
• Few – or zero – exploits are needed to
have an effective arsenal
• Unpatched and misconfigured systems are
the norm. No reason to make new exploits
when old ones still work!
• Writing exploits is getting harder and more
expensive

16.
Exploit mitigations
 Exploit mitigations are very effective and can
often prevent 0day attacks.
 Proper implementation has directly led to a
relative decline in exploit development.
 19 types of mitigations available today ???

17.
Why am I still getting hacked?
 Mitigations typically only apply to memory
corruption vulnerabilities.
 It’s hard enough to patch and properly
configure software, much less upgrade
compilers, applications, and operating
systems.

18.
Exploitation often has a behavior. Using these
behaviors we can increase the detection and
prevention of a greater number of flaws on current
and legacy systems.
Behavior analysis

19.
Exploit Indicators
(Process/ Thread creation)
Behavior
 Abnormal process
creation
• New thread entry point
outside of loaded
modules code section
Intent
 Stage next phase of
persistence or privilege
escalation
 Avoid user detection
Attackers spawn malicious code in new contexts.

20.
Exploit Indicators
(Library Usage)
Behavior
 Loading non-ASLR
libraries
 Loading DLLs over the
network into memory
 Loading abnormal
libraries
Intent
 Bypassing Mitigations
 Exploit vulnerabilities in
legacy components
 Exploit vulnerabilities in
library loading
Attackers use weaknesses in legacy libraries to
exploit software and bypass mitigations.

21.
Exploit Indicators
(Memory Usage)
Behavior
 Abnormal Memory usage
 Allocations of consistent
sizes
 Large contiguous
memory blocks
 Executable Memory
Intent
 Reliably corrupt memory
 Control Use After Free
conditions
 Create predictable
addresses
Attackers often have to control the memory
layout of software being exploited.

22.
Behavioral Analysis
 Is complementary to mitigations
 Detects and prevent exploitation of unknown
threats
 Correlate environmental data like network flows
 Adapts through additional modeling

23.
Key Takeaways
 Vulnerability discoveries are increasing
 Exploitation of some vulnerability categories is
on the decline
 A small exploit arsenal is still effective
 Mitigations have raised the difficulty of memory
corruption exploitation
 Exploitation, Malware, and Adversarial behaviors
often generate a signal
 Abnormal behavioral monitoring can add to the
defensive posture of systems

24.
For more information contact:
egs-info@endgame.com