
My name is Evgeni Sabev. I work for and represent SAP, SAP Germany. I work in the Advanced Vulnerability Management Team, or, by its other, fancier name, the Attack Surface Reduction Team, at SAP in Germany. As we already see, it is engaged in the prevention of everything the colleagues started talking about: Peter with the regulations and the implementation of the regulations, and the colleague before me with the prevention of the incidents that happen in the public sector, the state sector. The same attacks can happen in the private sector and in some cases have absolutely the same consequences as we saw they may have for the state. I will start very briefly, with a few statistics and definitions. What is attack surface? AVM 101, Advanced Vulnerability Management, the so-called AVM view, according to the way we understand it and our interpretation of it. And maybe a roadmap for those who will build it first, possibly for the future vision of the country. Before we continue with these things, is there anyone in the room who is engaged in vulnerability management, or has a pen testing or red teaming background, or works somewhere as a super pen tester or red teamer? Super. My previous job was as an Open Data Rereader at Deloitte. So I did not expect that, on the other side, when a person is dealing with the implementation of the reports that we deliver to the companies, their understanding is as complex as it is in a large corporation. What is vulnerability management? A simple definition. The simplest explanation is that it is very difficult to quantify, but the best explanation is that it is something that is trying to prevent the worst from happening. If vulnerability management had been successful, we would not have had an attack like the one we saw in the previous talk. Several famous people, and ChatGPT of course, define it in different ways.
We won't go into reading exactly what is written in ChatGPT, but generally speaking, vulnerability management is the identification, classification and taking of measures to prevent the exploitation of vulnerabilities, either by removing the vulnerability as a whole or, as the colleague was talking about, by adding some other technologies that actually prevent successful exploitation. Also, vulnerability management is not just a scanner; it is much more, it is important to say. I know some people think that I am just being asked not to mention any product names, because this is not the purpose of the presentation, so I will not do it, but maybe some of you already know what the vulnerability assessment scanners are. This is not vulnerability management; it is much more than that. Unfortunately there are a lot of processes, unfortunately there are a lot of regulations, which Peter was talking about, which should also be covered. Yes, some more definitions of what vulnerability management is, and yes, actually the most important slide. What we are trying to prove, and what we know, is actually a very small part of the whole aspect, of the whole information that is available at the moment, of all the vulnerabilities that someone has. I myself, as a pen tester, have tried to report some vulnerability somewhere. This is also a big problem. I assume some of you are familiar with bug bounties. I have been doing bug bounties for some time. I assume some of you are also dealing with bug bounties. This is common in companies that have a bug bounty program or some VRP, a Vulnerability Responsible Disclosure program. But unfortunately, a big part of the big companies still do not have one. And, to be honest, I have seen many times, even the most shameful cases, in forums, where someone has found some kind of vulnerability, whatever it is, I will not go into classifications, but, for example, the worst is some remote code execution.
Nobody pays attention to it and it reaches the point where they write on Reddit, in forums, and so on: I have this payload and I have remote code execution and nobody pays attention to it. We have seen these things, we have seen them on the darknet. We will get to this part. Just to move to the next slide. Something, however, is... In this aspect of thinking, what we try to protect is the so-called attack surface, for what has already been mentioned. In a big company, as in the state enterprises, and I suppose in every enterprise, even in the university, there are countless devices that are already intelligent and which participate in this attack surface of every large corporation, every company, every institution. I have shown those which are the most popular or the most commonly perceived things. We have at the moment all kinds of things that are cloud containers, multi-cloud, Azure, AWS instances. Also, every institution and enterprise has its own infrastructure, networking components, routers, firewalls. There is Wi-Fi in the building, I tested it this morning. You were talking about some, I think I mentioned BGP, end-to-end VPN connections, all these border firewalls that exist in companies. Most companies already have some OT components or IoT: the beamer, the cameras in the building, most of them are in the network, they are smart devices, they can be reachable. Some of them are much more complicated, some are relatively more elementary, and there we will go into some aspects for those that are more elementary and also old. SCADA, ICS, it directly depends on what business you are in, is also a very big topic, but that is a topic for a separate talk. And the classic IT things: web applications, virtual machines, mobile devices, bring your own device, workstations for all employees of the company, and servers, data centers, are also something that should be protected. How?
For those who are trying or will try, and also it is important for the state, for everyone who, I also assume, should have a program at some point, and a team that deals with this. The most important thing, point one, is what your organization is doing, that is, if you are protecting something, you should know what it is, what all the kinds of assets are. As for all kinds of assets, I have in mind every single thing. As I said, this beamer is most likely connected to the network; that is, we have seen very interesting Chinese beamers which are publicly available through some proxies, through some other public services, we are not mentioning products, we said. But they also had direct access and indirectly bypassed some solutions that were implemented. Absolutely every device that is in the network, whatever it is, printers, if you have printers, for example, this was also a very interesting method that we used in our company and it is used very actively: exploiting a printer, hiding malware in the printer's firmware and waiting, as we understood, since some attacks await a convenient moment. The fact that you are not being attacked at the moment does not mean that someone is not in your network and is waiting for a specific moment, whatever it is. War, global events, Olympic Games, whatever it is. In the ideal case, it is good to understand if there is such a person or such an attacker before they execute, and to understand if there is such a presence at all. Or to block them in the process of trying to hide somewhere in your infrastructure. Here I am talking about serious, big infrastructures, not about a company of 10 people with 10 laptops.
The percentage of SaaS and the solutions that are used: we should also take into account that in most cases it is very difficult for a program like ours to interfere, because there are some contracts with the vendor and there is mainly an account of what is included in the contract, and we may have much less influence on the solution itself; but nevertheless it is very important to understand what is being used and what the consequences would be if something is mixed up with the solution that is being used. And network architecture. I have written it here, but in SAP this is a very complex topic. We could write 20 PhDs on the subject of SAP infrastructure. So, I assume that from company to company, from state institution to state institution, it is quite complex and quite different. The next thing that most probably must be there, besides all these assets, all these softwares, technologies: how do you maintain all these technologies that are implemented in your company? Who updates the beamer? Who is in charge of paying for the beamer? And the most important question is whether the beamer we bought is supported by any vendor. It may have been a very cheap Chinese product; yes, we saved some costs by buying a new, cheap beamer, but after I have worked with the pentesting team, we have spent a wonderful weekend and we have found about 20 vulnerabilities in this beamer and there is no way to remediate them, including no answer from the vendor. What do we do in this case if we have 12,000 such beamers all over the world? These are complex questions, and these are just beamers. When you start to understand each device, here we are talking in our case about many, many millions of assets, and for each asset the solution to the problem becomes more and more complicated. Also, the most important thing: the big companies, what do they do most often? They buy other companies.
It happens very often; with some companies we understood very soon. You publicly announce on the Internet that, I will not give names, company A, a huge corporation, buys company B. Individuals who would be interested in destroying the existence of the company, whether for political reasons or appetite, who are government sponsored, of course, see that company A, which is huge and represents some threat to their country, or according to the instructions of the country, will buy company B, which is very small, they have no security at all, they are not involved, but they will become an integral part of the new company in the next 6 months. What happens? Company B, on the day of the public announcement of this information somewhere on the Internet, on the same day is exploited. Attackers or hackers, whatever you want to call them, the wrongdoers, hide in the company's resources which, even if there is such a program, as we said, the beamers, printers, smart devices, the RFID reader on the doors, nobody scans; why should we scan them, what is this, they can't do anything to us with them. Absolutely, unfortunately, it is not exactly like that. And finally, after 6 months, after company B has become an integral part of company A, depending on the policies, if there are any or not, they are completely normal now, after they have built VPN end-to-end connections from one company to the other, without any problems, they just open the door. Imagine opening this door: this is our company and it has invited company B to come in, just like that, and they come in with all their, so to speak, exploited devices; sometimes even the endpoint stations are not reimaged, they are simply inherited by the business lines, and this leads to the consequence of seeing company A three months later, at the start of the war, being exploited.
For example, because this was a good moment, we talked a lot about this event in February last year; there were a lot of attacks, which I guess were well prepared before they happened. And of course, all the complexities must be considered. The so-called procurement teams, I will not go into the definition of what procurement is, but for every big company that would like to buy something, to obtain it in some way, sometimes there is a big obstacle to that, even for removing some existing software that is inherited, and for various reasons, whether it is a contract, political or not, there are internal politics in companies, it is very difficult to implement different things. Bad habits and a few very subtle tricks that you need to be careful with. I think time is going very fast, I will try to be quick. When you build, and until the moment your vulnerability management already exists, the ideal is to get reports from pentesters, red teaming, scanners, vulnerability assessment solutions, all other reports you can get; CTI teams also provide you intelligence. The most important thing that very often happened, or at least existed with us, and existed with other companies, was an email with an Excel sheet with all the vulnerabilities. It is just like that: for some people it is a number, a mistake, even confused faces in the email, and a confidential email reaches some people who have nothing to do with it. That is, it is extremely important to classify the vulnerability management data as confidential, and for the vulnerability management program itself, each of you should have in mind that it actually is something like a critical system in the company which is the ideal goal for every attacker. Why try to exploit vulnerability A out of the 200,000 on the attack surface, if the assumption is that one can simply try to target your vulnerability management program and get access to everything? Or at least that is what I would have done.
Also, if your AVM program is missing support, if there is no support from executive management in the form of policies and standards, most likely there will not be any success, because, as was said in the previous lecture, from a real perspective, many IT people just do their job according to the definition; but the question is for this definition to exist, to be well described in the rules that are mentioned. The policies and standards are the rules that help us to live better in our normal life, and also in a big company, and also in the security world. Also, after your program starts working, most likely someone who is very happy that you are doing this will support you 100%; they are very happy, these people need to be given credit, they need to be put in the right light of the presentation, to show that this is your team, they are a role model, they do exactly what they need to do, they are very good at the goal, first, to give them the credit they deserve for improving the company's security. From the point of view of "we don't have Windows XP", as we understood, believe me, what they said in the previous lecture: as a consultant in my previous consulting company, in DAX 30 companies in Germany, I saw everything and more than that. This is not only in this country, in Bulgaria, but in the whole world, in big companies, you have heard about them, some of them you are using in your hands. Things are really bad, or not everywhere are they the way they should be. So this is very important: those who work and improve the situation should get credit. Also, do regular exercises. What happens when they find a vulnerability? Just for information, for example, we are currently running an emergency, from 4 days ago until the end, and we are currently in emergency mode, the whole corporation, in the whole world, because of vulnerability A, because we think that if it is exploited, it will be fatal for our company.
These things need to be well practiced, well trained, because the moment they happen, it turns out that everything you thought on paper would happen, somehow does not happen. We saw this; some of you have heard about Log4j, great, some people have. Log4j, I don't know if you had the nightmares that we had, but we had very big nightmares, very long weeks. What we thought on paper for the first huge emergency that would happen, absolutely nothing of this happened. Full chaos, everyone does what they want, no one represents, people are worried, and even in trying to help, they actually prevent the success of the program. I continue forward, time is very advanced. Difficulties, that is, small tricks: whatever tool you buy, from now on I can tell you that it will not allow you to solve the problems. The problems in many cases are: first of all, all tools have bugs; we have tried them all, SAP, you have heard about the company, it has the possibilities, you can afford everything, we are writing software, we have tried everything, we have seen everything, there is no solution that, although it is forbidden for me to mention it, I could mention and say "this is the one, it will solve all the problems"; there is none, I don't know if it exists, and I don't believe that it will ever exist because of the complexity of this thing, that everything has to be included in one program for vulnerability management. Another important thing: even the most beautiful tool you take, which we like the most, this tool has some limitations and does not cover everything. For example, it cannot scan the beamers for some reason, or, a better example, it cannot log in to VMware virtual servers for some reason, it crashes their port. This is the case. You cannot use it; there is another solution that works perfectly with this product of VMware. So what do you do in this case? A plan of action must be made: what will happen?
I am moving to the last point. The most important thing when you talk to some people from the company about the topic of vulnerabilities is to speak the language of the person you are talking to. I assume most of the people here are IT people, pen testers, red teamers; we have seen some of you talking about vulnerabilities, exploits, attack surfaces, all these wonderful words. When you enter the room with the CEO of the company, or of a subsidiary, all these words mean nothing to them. Executives can only talk to you about business risk and the financial impact of this business risk. What does the exploitation of the emergencies we are facing mean to me? In financial numbers, most often in numbers. Developers are not interested in these things at all, and they ask themselves: which package or which library do I need, or which library should I take to be good? The administrators are not interested in your wonderful words; they are interested in the configuration. We heard about Windows; I assume some of you live in the Unix world. What configuration is currently feasible, what should be done to improve the configuration of the image? What update or patch do I need? For those of you who don't know, Patch Tuesday is the most terrible day of the month in most corporations. What do I need? A few very quick things about asset management. Some of you may be familiar with asset management or have heard of it, great, there are people, I am very glad that this word means something to someone. This is basically a thing that is like a mirage in companies: you enter and ask where the asset management platform is, and the people say, what do you have in mind? The people who are in the companies and work? No, no, no, the assets, the IT assets. They are everywhere, right? They are everywhere. I have a laptop, this is one asset, but things don't work like that when you deal with huge corporations.
We even heard in the state, a state structure with 3000 offices; this means that the complexity of asset management is very big. In a scattered structure, in organizations that are all over the world; at least in Bulgaria, the Bulgarian Posts are in Bulgaria, in one country. And if you are in 280 or 220, 205 countries with 30-20 offices, then things get complicated. The most important takeaway is that asset management is extremely important. One platform, only one, not two. Some say two is also ok, but no. One platform in which all assets are. Most often it happens that all assets are in the asset management platform. Yes, but without... There is no such thing. Either with everything, or you have a problem, most likely, if not now, then later. What is the criticality of all these assets you have? Just for your information, talking about this, I don't know how many of you are familiar with this, but in Germany the state created the so-called program "KRITIS" for critical infrastructure, and the state goes back to the companies and says "Hello, we have estimated that you are