
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats


Despite the best efforts of the security community—and big claims from security vendors—large areas of vulnerabilities and exploits remain to be leveraged by adversaries. You will learn about:
- A new perspective on the current state of software flaws.
- The wide margin between disclosed vulnerabilities and public exploits, including a historical analysis and trending patterns.
- Effective countermeasures that can be deployed to detect, and prevent, the exploitation of vulnerabilities.
- The limitations of Operating System provided mitigations, and how a combination of increased countermeasures with behavioral analysis will get defenders closer to preventing the largest number of threats.


  1. Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats
     Cody Pierce, Director of Vulnerability Research
  2. About myself
     • 6 years researching vulnerabilities at Endgame
     • 4 years as a senior researcher for TippingPoint Zero Day Initiative
     • Discovered dozens of vulnerabilities in major vendor software for over a decade
  3. Vulnerabilities do not compromise systems. An exploit is needed to effectively demonstrate the impact of flaws.
  4. Sample
     • Vulnerabilities covering 2006 - 2014
     • NVD CVE XML data set
     • CVSS Score Medium+
     • Counted vendors have a minimum of 5 CVE per year or 15 CVE total.
     • Category grouping using CWE (Common Weakness Enumeration)
     • Exploits cross-referenced by CVE ID with Metasploit, Core Impact, and Canvas
  5. Sample Size
     • 18,027 Qualifying CVE Entries
     • 34% of Total CVE Entries
  6. [Chart: Total CVEs over time, 2006-2014; y-axis: Number of CVEs (0-3500); series: CVE Entries]
  7. Total CWE distribution
     • Resource Management/Use After Free 10%
     • Race Condition 1%
     • Cross-Site Request Forgery (CSRF) 2%
     • Cryptographic Issues 3%
     • Improper Authentication/Authentication Bypass 3%
     • Privilege Escalation 13%
     • Credentials Management 1%
     • Credential Management 0%
     • Information Exposure 5%
     • Information Management Errors 0%
     • Numeric Errors 5%
     • Format String 0%
     • Buffer Mismanagement 21%
     • Code Injection 5%
     • SQL Injection 4%
     • Cross Site Scripting 11%
     • Command Injection/Shell Injection 0%
     • Command Injection 0%
     • Input Validation 0%
     • Link Following/Symlink Attack 1%
     • Path Traversal 2%
     • Input Validation 12%
     • Data Handling 0%
     • Design Flaw 0%
     • Configuration 1%
  8. [Chart: Sampling of CWE over time, 2006-2014; y-axis: Number of CVEs (0-700); series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection]
  9. Observation: Vulnerability discoveries are increasing but category distribution appears consistent
  10. Why? An increase in the size of the security community, and advancement in tools and techniques, has led to the increase in vulnerability discoveries
  11. [Chart: CVEs compared to CVE exploits, 2006-2014; y-axis: Number of CVEs (0-3500); series: Exploited CVE, Total CVE]
  12. Exploited CWE distribution
     • Resource Management/Use After Free 6%
     • Race Condition 1%
     • Cross-Site Request Forgery (CSRF) 0%
     • Cryptographic Issues 1%
     • Improper Authentication/Authentication Bypass 2%
     • Privilege Escalation 10%
     • Credentials Management 1%
     • Information Exposure 2%
     • Numeric Errors 3%
     • Format String 1%
     • Buffer Mismanagement 38%
     • Code Injection 14%
     • SQL Injection 2%
     • Cross Site Scripting 1%
     • Command Injection/Shell Injection 2%
     • Command Injection 0%
     • Link Following/Symlink Attack 0%
     • Path Traversal 5%
     • Input Validation 11%
     • Data Handling 0%
     • Configuration 1%
  13. [Chart: Sampling of exploited CWE over time, 2006-2014; y-axis: count (0-60); series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection]
  14. Observation: The number of public exploits is small and in relative decline compared to vulnerabilities
  15. Why?
     • Few – or zero – exploits are needed to have an effective arsenal
     • Unpatched and misconfigured systems are the norm. No reason to make new exploits when old ones still work!
     • Writing exploits is getting harder and more expensive
  16. Exploit mitigations
     • Exploit mitigations are very effective and can often prevent 0day attacks.
     • Proper implementation has directly led to a relative decline in exploit development.
     • 19 types of mitigations available today ???
  17. Why am I still getting hacked?
     • Mitigations typically only apply to memory corruption vulnerabilities.
     • It’s hard enough to patch and properly configure software, much less upgrade compilers, applications, and operating systems.
  18. Behavior analysis
     Exploitation often has a behavior. Using these behaviors we can increase the detection and prevention of a greater number of flaws on current and legacy systems.
  19. Exploit Indicators (Process/Thread creation)
     Behavior
     • Abnormal process creation
     • New thread entry point outside of loaded modules' code section
     Intent
     • Stage next phase of persistence or privilege escalation
     • Avoid user detection
     Attackers spawn malicious code in new contexts.
  20. Exploit Indicators (Library Usage)
     Behavior
     • Loading non-ASLR libraries
     • Loading DLLs over the network into memory
     • Loading abnormal libraries
     Intent
     • Bypassing Mitigations
     • Exploit vulnerabilities in legacy components
     • Exploit vulnerabilities in library loading
     Attackers use weaknesses in legacy libraries to exploit software and bypass mitigations.
  21. Exploit Indicators (Memory Usage)
     Behavior
     • Abnormal Memory usage
     • Allocations of consistent sizes
     • Large contiguous memory blocks
     • Executable Memory
     Intent
     • Reliably corrupt memory
     • Control Use After Free conditions
     • Create predictable addresses
     Attackers often have to control the memory layout of software being exploited.
  22. Behavioral Analysis
     • Is complementary to mitigations
     • Detects and prevents exploitation of unknown threats
     • Correlates environmental data like network flows
     • Adapts through additional modeling
  23. Key Takeaways
     • Vulnerability discoveries are increasing
     • Exploitation of some vulnerability categories is on the decline
     • A small exploit arsenal is still effective
     • Mitigations have raised the difficulty of memory corruption exploitation
     • Exploitation, Malware, and Adversarial behaviors often generate a signal
     • Abnormal behavioral monitoring can add to the defensive posture of systems
  24. For more information contact: egs-info@endgame.com
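The sampling method from slide 4 (2006-2014, CVSS Medium+, vendor minimums of 5 CVEs in a year or 15 total, CWE grouping, exploit cross-reference by CVE ID) carried through on a constructed mini data set, as an added Python example that is not the speaker's code. The CVE records, CWE-to-category mapping, exploit module lists and the CVSS v2 threshold of 4.0 for "Medium+" are all assumptions made for illustration.

```python
from collections import Counter

# Constructed records in the shape of the NVD fields the deck filters on:
# (cve_id, year, vendor, cvss_v2_base, cwe_id). None of these are real CVEs.
CVES = (
    [(f"CVE-2013-{i:04d}", 2013, "vendor-a", 9.3, "CWE-119") for i in range(1, 7)]
    + [(f"CVE-2012-{i:04d}", 2012, "vendor-a", 5.0, "CWE-89") for i in range(1, 4)]
    + [("CVE-2014-0001", 2014, "vendor-a", 2.1, "CWE-79"),    # Low CVSS: dropped
       ("CVE-2013-0101", 2013, "vendor-b", 10.0, "CWE-119"),  # vendor-b has too few CVEs
       ("CVE-2005-0001", 2005, "vendor-a", 9.0, "CWE-119")]   # outside 2006-2014
)

# Constructed CWE -> deck category mapping (the deck groups many CWEs this way).
CATEGORY = {"CWE-119": "Buffer Mismanagement", "CWE-89": "SQL Injection",
            "CWE-79": "Cross Site Scripting"}

# Constructed stand-ins for the CVE IDs referenced by each framework's modules.
EXPLOIT_SOURCES = {"metasploit": {"CVE-2013-0001", "CVE-2013-0002"},
                   "core_impact": {"CVE-2013-0001", "CVE-2012-0001"},
                   "canvas": {"CVE-2013-0101"}}

def qualifying_vendors(cves, min_per_year=5, min_total=15):
    """Deck rule: keep a vendor with >= 5 CVEs in some year or >= 15 CVEs overall."""
    per_year = Counter((vendor, year) for _, year, vendor, _, _ in cves)
    total = Counter(vendor for _, _, vendor, _, _ in cves)
    return {v for v in total if total[v] >= min_total
            or any(n >= min_per_year for (vv, _), n in per_year.items() if vv == v)}

def sample_cves(cves, min_cvss=4.0, years=range(2006, 2015)):
    """Apply the deck's filters; CVSS Medium+ taken as v2 base >= 4.0 (assumption)."""
    vendors = qualifying_vendors(cves)
    return [c for c in cves if c[1] in years and c[3] >= min_cvss and c[2] in vendors]

def exploited_ids(sources):
    return set().union(*sources.values())  # any public framework covers the CVE

def cwe_distribution(sampled, exploited):
    """Per-category counts for all sampled CVEs and for the exploited subset."""
    total = Counter(CATEGORY.get(cwe, "Other") for _, _, _, _, cwe in sampled)
    hit = Counter(CATEGORY.get(cwe, "Other") for cid, _, _, _, cwe in sampled if cid in exploited)
    return total, hit

def percentages(counter):
    n = sum(counter.values())  # whole-number shares, like the deck's pie charts
    return {k: round(100 * v / n) for k, v in counter.items()}

if __name__ == "__main__":
    sampled = sample_cves(CVES)
    total, hit = cwe_distribution(sampled, exploited_ids(EXPLOIT_SOURCES))
    print(len(sampled), "qualifying CVEs,", sum(hit.values()), "with public exploits")
    print("all:", percentages(total), "\nexploited:", percentages(hit))
```

Note that the vendor rule is applied to the full record set before the CVSS and year filters; the deck does not say in which order its filters ran.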

Editor's Notes

  • Bug bounties
    Are exploits increasing at the same rate as disclosures?
  • No
  • But they do categorically
  • Trend note: decline of overflow exploits
    Trend note: LPE necessity
  • Cite EMET bypasses
  • Heap spray
    Row hammer
    Vgx.dll
  • Heap spray
    Row hammer
    Vgx.dll
  • Heap spray
    Row hammer
    Vgx.dll
    “Rowhammer”
    Use-After-Free Exploits
    Heap Buffer Overflows
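The exploit indicators from slides 19-21 (a thread entry point outside any loaded module's code section, non-ASLR and network-loaded libraries, executable memory and many same-sized allocations such as a heap spray) applied to constructed process telemetry, as an added Python example that is not Endgame's detection logic. The event format, the module table, the indicator names and the 32-allocation threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed loaded-module table for one monitored process: the address range
# of each module's code section and whether the image opted into ASLR.
MODULES = {
    "app.exe":    {"code": (0x00401000, 0x00450000), "aslr": True},
    "ntdll.dll":  {"code": (0x77A01000, 0x77B20000), "aslr": True},
    "legacy.dll": {"code": (0x10001000, 0x10040000), "aslr": False},
}

# Constructed telemetry for that process (thread starts, image loads, allocations).
EVENTS = [
    {"type": "thread", "start": 0x77A05000},                              # inside ntdll code: benign
    {"type": "thread", "start": 0x0A0A0A0A},                              # starts in no loaded module
    {"type": "image", "path": "C:\\app\\legacy.dll", "aslr": False},      # non-ASLR library
    {"type": "image", "path": "\\\\fileserver\\share\\x.dll", "aslr": True},  # loaded over the network
    {"type": "alloc", "size": 0x1000, "protect": "PAGE_READWRITE"},
] + [{"type": "alloc", "size": 0x100000, "protect": "PAGE_EXECUTE_READWRITE"}] * 40

def in_code_section(addr, modules):
    """True if addr falls inside the code section of any loaded module."""
    return any(lo <= addr < hi for lo, hi in (m["code"] for m in modules.values()))

def analyze(events, modules, spray_min=32):
    """Map raw events to the deck's indicators; returns a list of (indicator, detail)."""
    findings, sizes, rwx = [], Counter(), 0
    for e in events:
        if e["type"] == "thread" and not in_code_section(e["start"], modules):
            findings.append(("thread_entry_outside_module_code", hex(e["start"])))
        elif e["type"] == "image":
            if e["path"].startswith("\\\\"):
                findings.append(("library_loaded_over_network", e["path"]))
            if not e["aslr"]:
                findings.append(("non_aslr_library", e["path"]))
        elif e["type"] == "alloc":
            sizes[e["size"]] += 1
            rwx += "EXECUTE" in e["protect"]
    if rwx:
        findings.append(("executable_memory", f"{rwx} RWX allocations"))
    for size, n in sizes.items():
        if n >= spray_min:  # many same-sized blocks: the "consistent sizes" indicator
            findings.append(("consistent_allocation_sizes", f"{n} x {hex(size)}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in analyze(EVENTS, MODULES):
        print(f"{indicator:36} {detail}")
```

Each indicator alone is weak evidence (non-ASLR images and RWX allocations occur in legitimate software), which is why the deck pairs them with intent and correlates across sources rather than alerting on a single event.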
