
1 APRICOT 2015 Security Day
Cooperation between Security Teams and Network Operators: Actionable Intelligence on ShellShock
Arnold S. Yoon, Information Security Research Consultant, Counter Threat Unit (CTU), ayoon@secureworks.com

2 Dell - Internal Use - Confidential Classification: //Dell SecureWorks/Confidential - Limited External Distribution:
Agenda
Cooperation between N/W Operators and Security Teams
Vulnerability Handling
– Traditional questions
Challenges and Gaps
ShellShock example
– Enrichment of OSINT
Conclusion: Actionable intelligence

3 Traditional Cooperation Model/Cases Between N/W Operators and Security Teams
Identify a stakeholder
– Where does this hostile resource (IP/Domain) belong to?
– Who is the attacker?
– Overload or side work on N/W operation
Vulnerability on N/W appliances
– H/W and S/W
– Management Console (Software)
N/W protocol-based vulnerability
– POODLE (SSL v3)
DDoS attack
– NTP, DNS reflective amplification attack

4 Traditional questions on a vulnerability
Both for Security Teams and Network Operators
– For all stakeholders
Questions
– What is the technical detail of the new vulnerability?
– Does a technical mitigation or resolution exist?
› Zero-day vulnerability
› Mitigation plan
– What and who is impacted?
› Impacted products (Hardware / Software)
› Scope of impact in the constituency
– Is there a (successful) exploit / incident case?
› Exploit activity
› Malware or tools associated
– Alternative mitigation plan?
› Disable service
› Actionable Intelligence
The CVSS (Common Vulnerability Scoring System) framework is widely adopted to address these questions.

5 Challenges and Gaps
Security Teams
– Vendor dependent
– Lack of information
› Identify the stakeholder
– Deliverables
› Vuln. advisory
› Link to patches
› Indicators
Network Operators
– Legal issues
› Client information disclosure
– Additional workload
– Mitigation plan
› Implementing patches on the production N/W
– Lack of content for indicators
– Perception of N/W availability

6 Change in Threat Landscape
N/W providers' involvement in IT services increases
– Outsourced N/W service, including security
– Cloud Computing (data centers)
N/W admins are often targeted as an initial attack vector

7 What is ShellShock
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.
Reference: http://en.wikipedia.org/wiki/Shellshock_(software_bug)

8 Enrichment of OSINT
OSINT
– List of CVEs
– List of CPEs
– (Malicious indicators)
Enrichment
– Additional payload or malware
– Association with a known TG (threat group)
– Association with known malicious infrastructure
– Passive DNS records
– etc.
Demonstration on ShellShock investigation
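The detection and enrichment steps sketched on slides 7 and 8, as an added Python example that is not part of the presentation or of SecureWorks' own tooling: it parses constructed Apache combined-format access log lines, flags any request whose request line, Referer or User-Agent carries the Bash function-definition prefix `() {` that vulnerable Bash parsed out of environment variables, and then enriches each hit against a constructed "known malicious infrastructure" list so a network operator can see which sources already have context. The log lines, the indicator list and every function name are assumptions made for this example.

```python
import re
from dataclasses import dataclass, asdict

# Constructed sample lines in Apache "combined" log format (assumption: the web
# tier logs the Referer and User-Agent headers). Not taken from the presentation.
# The third line carries the Bash function-definition prefix "() {" in its
# User-Agent; a CGI handler that exported that header into the environment of
# a vulnerable Bash would have executed the text following the prefix.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.38.0"
198.51.100.7 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; echo probe"
"""

# Constructed indicator list standing in for the enrichment sources the slide
# names (known threat-group infrastructure, passive DNS). Source IP -> tag.
KNOWN_INFRASTRUCTURE = {
    "198.51.100.7": "constructed indicator: scanner seen in other incidents",
}

# Apache combined format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The function-definition prefix vulnerable Bash honoured in any environment
# variable. Whitespace between "()" and "{" is optional, so match it loosely;
# public IDS signatures for Shellshock keyed on the same prefix.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


@dataclass
class Hit:
    ip: str
    ts: str
    field: str      # which attacker-controlled field carried the prefix
    request: str
    status: str


def parse_line(line: str):
    """Return the named fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_hits(log_text: str) -> list[Hit]:
    """Flag every request whose request line, Referer or User-Agent carries the prefix.

    Every attacker-controlled field is checked, not only /cgi-bin paths, because
    any header a CGI handler exported into the environment could trigger the bug.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format; a real pipeline would count these
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["ip"], rec["ts"], field, rec["request"], rec["status"]))
                break  # one hit per line is enough for counting
    return hits


def enrich_hits(hits: list[Hit], infrastructure: dict[str, str]) -> list[dict]:
    """Attach enrichment context to each hit.

    A hit from a source already tied to known malicious infrastructure is the
    one a network operator can act on first; an unknown source is still a hit,
    but only a host-level signal until more context is gathered.
    """
    enriched = []
    for h in hits:
        rec = asdict(h)
        tag = infrastructure.get(h.ip)
        rec["known_infrastructure"] = tag is not None
        rec["tag"] = tag
        enriched.append(rec)
    return enriched


def summarise_by_source(hits: list[Hit]) -> dict[str, int]:
    """Count hits per source IP, the unit a network operator can block or rate-limit."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_shellshock_hits(SAMPLE_LOG)
    for rec in enrich_hits(found, KNOWN_INFRASTRUCTURE):
        print(rec)
    print(summarise_by_source(found))
```

The per-source summary is what an advisory with "indicators" should give a network operator: a count per IP rather than a raw pattern, so the decision to block or rate-limit a source can be weighed against the risk of cutting off legitimate traffic that the conclusion slide warns about.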

9 Conclusion: Actionable Intelligence
Vulnerability advisories are not easy to digest or to act on
– Mostly lack of content
– Risk of blocking legitimate services
Security Teams should start to provide more details
N/W operators need to focus more on vulnerability mitigation at the N/W level, without forgetting host-based vulnerabilities.
Actionable intelligence promotes coordination and a better mitigation plan in a timely manner.

