Attacker Behavior Boston Security Conference 2015
1 like682 views
Game theory applied to information security. Data from 2014 shows that attackers go after the low hanging fruit when it comes to choosing which vulnerabilities to exploit.
Attacker Behavior Boston Security Conference 2015
- 2. INFORMATION SECURITY IS A GAME
- 4. Remove the Threat REMEDIATION Accept the Risk Repair the Vulnerability
- 5. C(ommon) V(ulnerability) S(coring) S(ystem) CVSS is designed to rank information system vulnerabilities Exploitability/Temporal (Likelihood) Impact/Environmental (Severity) The Good: Open, Standardized Scores
- 6. F1: Data Fundamentalism Since 2006 Vulnerabilities have declined by 26 percent. http:// csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012. http://www.symantec.com/content/en/us/enterprise/other_resources/b- intelligence_report_06-2013.en-us.pdf
- 7. FAIL 2: A Priori Modeling Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score...There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters...except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation . . .
- 8. F3: Stochastic Ignorance Attackers Change Tactics Daily
- 10. I LOVE IT WHEN YOU CALL ME BIG DATA 150,000,000 LIVE VULNERABILITIES 1,500,000 ASSETS 2,000 ORGANIZATIONS
- 11. 100,000,000 BREACHES I LOVE IT WHEN YOU CALL ME BIG DATA
- 15. 2014 Q1 Q2 Q3 Q4
- 18. ATTACKERS DONT CARE WHEN YOUR VULN WAS PUBLISHED
- 23. ATTACKERS DONT CARE ABOUT YOUR VULNS LOGO
- 24. BREACHES by CVSS
- 26. CWE
- 27. DEADLY SOFTWARE SINS: 1. ACCESS CONTROL 2. INPUT VALIDATION 3. BUFFER OVERFLOW 4. INJECTION 5. BAD CRYPTO
- 28. CVSS AS A BREACH VOLUME PREDICTOR:
- 30. ATTACKERS DONT CARE ABOUT CVSS
- 34. CVEs OVER TIME
- 37. Probability A Vuln Having Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
- 38. DATA RULES EVERYTHING AROUND ME RANDOM = 2% CVSS 10 = 4% METASPLOIT + EXPLOITDB = 30%