Slide 2: Defining Risk Based Vulnerability Management
• Obtain intelligence about what attackers are doing (Likelihood!)
  - Internal sources: IPS / IDS, AV, Honeypots
  - External sources: threat feeds, threat exchanges, online chatter
• Maintain visibility of assets, and how important they are (Impact!)
  - CMDB & Vulnerability Scanners
  - IAM, Finance, etc. … extremely long tail
• Cross-reference intelligence with problems in your environment
  - ATT&CK, CVE, CPE, CWE, Internal Identifiers
• Distribute information continuously
[Figure: Impact vs. Likelihood]
Slide 3: Sources of Useful Intelligence
1. Open Source Intelligence & Dark Web
2. Intrusion Detection Systems
3. File-oriented AV analysis APIs - samples from malspam, some APT
4. Honeypots such as Bad Packets and Greynoise - internet-wide scans (often focused on compromised IoT or early info gathering)
5. Local Honeypots
6. Antivirus and Endpoint - on-device attempts
Slide 4: So Let's Explore!
1. OSINT & DarkWeb
2. IDS Signatures (Events)
3. Suspicious File Analysis
All analyzed across 12 months of historical data
Slide 17: OSINT and Darkweb As a Source
APT activity intermingled with more widespread activity
OSINT can be gamed by simply publishing fake information
It can be a great leading indicator, and is also helpful for predictions.
Slide 23: IDS - Top 10 CVEs by Unique Event Groups (2017+)
[Chart: top 10 CVEs by unique event groups]
Slide 24: IDS Events As A Source
Scanned vulnerabilities drive the high counts, but are they the most important?
Normalization by unique CVEs can help
Consider placement: Perimeter? Datacenter? Cloud?
Helpful to understand the process of signature creation … is it driven by exploits?
Slide 29: Suspicious Files As a Source
Microsoft Office dominating this year – fits with common knowledge
Less prone to false positives than OSINT, but also requires a signature, and the time needed to write it.
Significantly less volume than IDS in hits
Grounded in signatures (a good thing!)
Slide 31: Challenges to a Single "Top X"
1. Cannot compare on pure count, or weighted counts
2. Technique-to-detect and perspective matter
3. Your threat model matters!
4. Is the vulnerability even still out there?
Context matters… so where to begin?
Slide 32: Identifying the most exploited CVEs
Methodology:
• Gathered CVEs identified by all 3 sources
• Cross-referenced with vulnerability prevalence
• Ranked from (1) most prevalent to (10) least
• Tagged with the source that identified the vulnerability in our analysis
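A worked version of this cross-referencing step, added here as an illustration; it is not code from the deck or from Kenna's tooling. The sightings, asset counts and CVE identifiers are constructed placeholders; IDS hits are normalised by unique event group (as the IDS slide suggests) and CVEs with no affected assets are dropped, answering "is the vulnerability even still out there?":

```python
from collections import defaultdict

# Constructed sample data (placeholder CVE ids, not real vulnerabilities):
# (source, cve, grouping key). For IDS the key is the event group, so repeated
# hits from one scanner are counted once; for files it is the sample, for
# OSINT the post.
SIGHTINGS = [
    ("ids",   "CVE-0000-1001", "grp-a"), ("ids", "CVE-0000-1001", "grp-a"),
    ("ids",   "CVE-0000-1001", "grp-b"), ("ids", "CVE-0000-1002", "grp-c"),
    ("ids",   "CVE-0000-1002", "grp-c"), ("ids", "CVE-0000-1002", "grp-c"),
    ("file",  "CVE-0000-1003", "sample-1"), ("file", "CVE-0000-1003", "sample-2"),
    ("osint", "CVE-0000-1003", "post-1"), ("osint", "CVE-0000-1004", "post-2"),
    ("osint", "CVE-0000-1005", "post-3"),  # never seen by the scanner
]
# Constructed vulnerability-scanner output: cve -> number of affected assets.
PREVALENCE = {"CVE-0000-1001": 40, "CVE-0000-1002": 5,
              "CVE-0000-1003": 120, "CVE-0000-1004": 0}


def cross_reference(sightings, prevalence, top_n=10):
    """Rank intel-sighted CVEs by prevalence, tagged with the sources."""
    groups = defaultdict(set)   # cve -> unique event groups / samples / posts
    sources = defaultdict(set)  # cve -> intel sources that identified it
    for source, cve, group in sightings:
        groups[cve].add(group)
        sources[cve].add(source)
    ranked = []
    for cve in groups:
        assets = prevalence.get(cve, 0)
        if assets == 0:
            continue  # sighted by intel, but not present in our environment
        ranked.append({"cve": cve, "assets": assets,
                       "event_groups": len(groups[cve]),
                       "sources": sorted(sources[cve])})
    # Most prevalent first; unique event groups break ties, then the id.
    ranked.sort(key=lambda r: (-r["assets"], -r["event_groups"], r["cve"]))
    return [dict(rank=i + 1, **r) for i, r in enumerate(ranked[:top_n])]


if __name__ == "__main__":
    for row in cross_reference(SIGHTINGS, PREVALENCE):
        print(row)
```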
Slide 34: The Real Top 10 … er, Top 3*!
1) Oracle Java (JDK and JRE)
2) Adobe Flash Player
3) Microsoft Office (Word, Excel, etc.)
… (then everything else)
* Product list is derived by pulling CPE data from the 255 vulnerabilities scored at 100 on Kenna's Risk Meter Score.