
BSides LV 2023 - Common Ground - Tuesday

BSides Las Vegas, published 2023-08

So hi everyone, very excited to be here. Before we start, just to get a sense of the crowd, I would love to get a show of hands: who here directly deals with vulnerability management as part of their day job? OK, very good. And who maybe doesn't directly work with vulnerabilities but knows how their organization prioritizes vulnerabilities? OK, a few more. And out of all those hands, how many of your organizations rely either solely on CVSS score or primarily on CVSS score to do vulnerability prioritization? OK, so, great. A few other questions: who here has heard of VEX? Show of hands. OK. CSAF? OK. EPSS? OK. So that's good.

There are a lot of topics to cover, and this talk was originally supposed to be 45 minutes; it got cut to 20, so I apologize in advance if I rush some of the pieces. I have a lot of links at the end so you can dive further, and I'm also around the conference, so feel free to approach me with questions. I can talk about this topic for hours, but today I'll hold it to 20 minutes. So let's start.

I'm Yotam. I currently lead vulnerability management at a startup called Rezilion. Prior to that I worked at PayPal doing threat intelligence, insider threat, and vulnerability management research. I also take part in several OpenSSF working groups around open source security and CISA working groups around SBOM and VEX, and I'm one of the organizers of the PyCon IL conference.

OK, so the reason you see an iceberg here isn't because we're going to talk about climate change or global warming. This kind of reflects where we're standing with the software supply chain. Currently, most code in your production environment isn't code that you wrote. We use third-party code, whether it's open source or commercial, and that's good: it allows us to move fast, it allows us to focus on our core business logic. But on the other hand it also comes with risk, and one of those risks is in the form of vulnerabilities, known vulnerabilities at that. As you can see here, the number of vulnerabilities is constantly rising. This is up to August 2023, and you can already see that we're roughly 2,000 vulnerabilities over where we were last year in terms of the publish rate. This isn't something that is going to change anytime soon. Exploitation of known vulnerabilities is still one of the major attack vectors for initial access to organizations, and organizations simply don't seem to keep up and be able to remediate or patch all of these vulnerabilities.

So what do we normally do about it? We turn to CVSS. The thing with CVSS is that it's sub-optimal. I would say it's not effective, it's not scalable, and it doesn't even reflect actual risk, and I'll explain. It isn't scalable: I say that because around 57 percent of all of the vulnerabilities with a CVSS v3 score in NVD are high or critical vulnerabilities. So even if you do prioritize and focus only on the highs and the crits, it's still 57 percent of NVD. We're talking about hundreds of thousands of vulnerabilities; it's not scalable. It's also not effective. The reality is that only a fraction of vulnerabilities will ever be exploited, and only a fraction of those are actually exploitable in the context of specific environments. So when you focus your time on vulnerabilities that are not likely to be exploited, or will never be exploited, you're wasting your valuable and limited resources on the wrong things. And attackers are already a step ahead, because they don't rely on CVSS scores to determine which vulnerabilities to exploit. So again, it's not an effective thing to do, and moreover it's not really a smart thing to do either.

So as I said, it's not that attackers are only exploiting critical vulnerabilities. This quote is actually from the folks in the CVSS working group who invented the standard, and they strictly say that it's only a measure of technical severity; it's not recommended to use the CVSS base score alone to determine remediation priority. But that is the current status quo, so clearly this isn't working. About 16 percent of vulnerabilities, according to research from the Cyentia Institute, are left unattended for over a year after their initial publication. As I said, huge backlogs of vulnerabilities, and attackers exploit these vulnerabilities. This is from research we did analyzing the public attack surface for the CISA KEV catalog, the Known Exploited Vulnerabilities catalog, and as you can see there are literally millions of publicly facing instances that are vulnerable to these actively exploited vulnerabilities with known patches. But that's the reality, and a lot of these are also not new vulnerabilities, as you can see.

So how can we move forward? What's the road going forward? Also, something I didn't mention: the average organization only has the capacity to deal with 10 percent of its vulnerability backlog in a given month, also from the Cyentia Institute. So we need focus, and what can give us focus? Context. This blob you see here will slightly get more focused, hopefully, as the talk progresses, and I'll try to describe a few aspects of this context.

First of all, the initial, base level of context is a software bill of materials, or SBOM. This is not the topic of my talk, but feel free to approach me later. It allows us to know exactly what we have in our environment without memorizing or guessing, which is great, because at least we know what we have. But even if we have the perfect SBOM, which most organizations unfortunately still don't have, and all of the different aspects that are still being worked on are in place, is the problem solved? I argue that no, unfortunately, because actually the opposite is true: we know more, and when we know more we have more things to deal with, which is good, but again this isn't something that the average organization has the capacity to handle. So it isn't a silver bullet, and we need more context.

So there are several layers. As I said, SBOM is the base level of context, but you can add additional layers of context on top of that. For example, exploitability: you have things like the EPSS score, which I won't go into because again I'm short on time, but it's a machine learning model that lets you predict the likelihood of exploitation within the next 30 days. We have research on that; it's a very strong signal for prioritization. The CISA KEV known exploited vulnerability catalog, or threat intel feeds. The vulnerability itself also provides context: the attack vector, is it exploitable via the network only, or physical, are privileges required, do you need authentication to exploit it, etc. Environmental context: do you have mitigating controls in place, do you have reachability analysis, is this code even being loaded, even used? And of course business context: what's the asset criticality, is it exposed or internal, etc. But again, this is nice, it's good, but it's not really actionable, because in order for it to be actionable, and in order for it to scale, we need automation.

So this is how we currently go about answering "am I affected?" today. We can run a vulnerability scan, but again, it's noisy (and this is also a shameless plug: I have a talk about that specific topic later today at six at Breaking Ground), not always reliable, and there are a lot of things to deal with. Independent investigation: time consuming, not effective. Asking the vendor as well: not scalable. A security advisory is nice, but you won't always have one, and it's also not something that we can currently automate. And the SBOM, as I mentioned, not everyone has it, and on its own it's not the cure.

So this is where CSAF comes in, the Common Security Advisory Framework. Basically you can think of it as a machine-readable security advisory. So you have, for example in this case, Cisco issuing a security advisory. Currently it can be in HTML format, it can be in text format, it can be in a PDF; you don't really know where it's at, and it's not something that you can automate consumption of. CSAF tries to solve that issue, and it's easily discoverable via several methods. In this case we see a security.txt file; I'll try to highlight it a bit: we have the security.txt file with the reference to where I can consume that CSAF from, and then the CSAF itself is the bottom link, which is basically a JSON file with the same security advisories that we saw before, only in a machine-readable format that allows for automation. So this is how it looks, and you see there are various layers and pieces of metadata that can go into such a CSAF, but the main thing to remember is that again it's machine readable, it can be automated, and you can start to consume it. Cisco is doing a great job of advocating for it; there was recently a summit, and I hope this will get more traction as time goes by.

So that's one, and we can see the picture a bit more clearly now. But another important piece of the puzzle is VEX, the Vulnerability Exploitability eXchange. As Allan often says, sorry for the name, but that's the name and we'll leave it. Basically this is a way to communicate whether a piece of software is affected by a specific vulnerability. I'll read the quote: "to provide users additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate." So that's the purpose: again, a machine-readable way for your vendor to say this product is not affected by vulnerability X. It also has the ability to say if something is affected; we'll discuss that shortly. And again, it aims to be machine readable. You can embed it as a profile in the CSAF that we mentioned before, so all of the pieces of the puzzle come together; it can be linked to an SBOM, it can be separate. And it allows us to handle this issue of false positives in a more scalable way, and from a vendor perspective it saves them money, because you don't have to have your phone centers crash whenever something major comes up. And I think the promising direction for it is also from the consumer side. So if I as a consumer have a product that can tell me whether something is impacted by a specific vulnerability, because it's not loaded or because the configuration is in place, and it can issue a VEX for me, then I'll have this automated language that can help me reduce my attack surface.

Sorry, I'm rushing; I want to get to the core part, which is in a few slides. Again, there are several statuses for VEX: you can say something is not affected, affected, fixed, or under investigation, and obviously this is dynamic, it can change over time, and because it's machine readable that's not really an issue. OK, and there are several justifications; those are the current ones. I'll give an example just for context. Let's say "vulnerable code not present": if you remember Log4Shell (five minutes? OK, five minutes, I'm good), so Log4Shell: one of the remediation advices that was provided was to remove the vulnerable class from the jar file, the JNDI lookup class. So if you remove that class, you still have the vulnerable jar in the vulnerable version, and your scanner would say you're affected, but you're not really affected. So if you have this VEX, you can update this status and let your security tooling, your insider threat personnel, your whatever organization, and if you're a supplier, then the folks that consume your software, know that you're not affected by that specific vulnerability. And there are several other justifications, so it's really a flexible format.

OK, so now I'll try to put all of these pieces together, and as you can see we can already see the picture more clearly. This is something that, again, I won't go too deep into: stakeholder-specific vulnerability categorization, or SSVC. There are links at the end of the presentation, but you can think of it as a decision tree that allows you to decide what to do in various circumstances or situations regarding a specific vulnerability. I know you can't see it well, so I'll try to give some context. There are three actions that you can take. I stuck with the CISA approach for this one, but this is very flexible, just for the sake of the example: Act is patch, remediate now; Attend is "OK, I know I need to fix this, but I'll first deal with the Act ones and then get to this"; and Track is "currently it's not something that I'm actively doing something about, but I'm keeping track." And here you see, for example, three layers of context. Exploitability context: you have EPSS, KEV, or threat intel to tell you whether the vulnerability is actively exploited (this branch), highly likely to be exploited (the middle branch), or not likely (on the right-hand side). And then you have another layer of decision, which is the automatable context, which comes from the vulnerability: if the vulnerability is exploitable via the network and also doesn't require privileges or authentication, then it's automatable, and then it's a higher risk from my perspective, and I send it to a different branch of the tree. And then we have the asset context: how critical is this asset, low, medium, or high, and then I make a decision. So if, for example, I have a vulnerability that is actively exploited and automatable and on a critical asset, obviously I need to act upon it. And again, the decisions here aren't the focus; we can debate the decisions, that's not the purpose. The thing is, you have this thing that you can communicate internally and to stakeholders and say: this is how we do things now, according to these parameters. And you can tune that according to the capacity of the organization. So you know you can only deal with 10 percent of your vulnerabilities; make sure that's the 10 percent that actually counts, that matters most. And, let's say, OK, I don't have asset criticality; that's not a problem, it's flexible, so I chop off the last layer of the tree. And I added, for example, a product, a vendor, that can tell me whether something is loaded or not, the reachability analysis, so maybe that's the first decision that I want to take after I know what the likelihood of exploitation is. I have all these things that I can put together, and I get a lot more context, and then I can make more educated assumptions and prioritization to focus on what actually matters.

You can look at it like a funnel. So you have your vulnerability scanner output, and then you have what we talked about, the CSAF and VEX, that tell you what you should focus on, what's affected and what isn't, and then you have this decision tree with all this context that filters that out, and then you start from the bottom: you start working with what's most critical in terms of risk reduction to your organization and work your way up.

OK, so the blob that you saw, and this picture, is from a movie called The Truman Show, which is about a man that lives his whole life in a scene of a movie, but he doesn't realize that. And the quote is, when they asked the director how does he not suspect, he said: "We accept the reality of the world with which we are presented." So what I ask of you is: don't accept the reality of the world as you are presented. Be inquisitive, and know that there are these resources out there, and transform your vulnerability management program into a more modern, risk-based vulnerability management program. So that's it. No time for questions, I'm sorry, so in case I don't see you: good afternoon, good evening, and good night, also from The Truman Show. Thank you.

[Applause]

... how to communicate with non-security specialists to drive action. And without further ado, I would like to welcome our speaker, Ashley Lee.

[Applause]

Hi everyone, my name is Ashley. I am senior product marketing manager at JupiterOne, and I've been doing marketing for over a decade now, the last seven years in cyber security. In the four and a half years that I was at NowSecure, which was my previous gig, I observed a rather unnerving cycle, and maybe you've experienced this too. Basically, our pen testing team would scope out a project with a client. They would spend several days testing the mobile app, then they would spend several more days, maybe a week or so, compiling that report of the findings and suggested courses of action. They'd have some calls with the client to figure out the best course of action, do some more explanation and whatnot, and after a period of time the client would send back a new app binary to test. And lo and behold, what would they find? The pen testing team would retest it, and they'd find a lot of the same findings, if not more. Now, for someone who was attracted to cyber security in the first place with the mission to defend and to protect against threats, it really boggled my mind that customers would be OK with leaving in weaknesses that would expose customer data like payment data, PII. It was really mind-boggling for me. What was the point of finding all those weaknesses without fixing them? So when I moved on to JupiterOne in 2020, I found that th