Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats
Cody Pierce, Director of Vulnerability Research
About myself
• 6 years researching vulnerabilities at Endgame
• 4 years as a senior researcher for TippingPoint Zero Day Initiative
• Discovered dozens of vulnerabilities in major vendor software for over a decade
Vulnerabilities do not compromise systems. An exploit is needed to effectively demonstrate the impact of flaws.
Sample
• Vulnerabilities covering 2006 - 2014
• NVD CVE XML data set
• CVSS Score Medium+
• Counted vendors have a minimum of 5 CVE per year or 15 CVE total.
• Category grouping using CWE (Common Weakness Enumeration)
• Exploits cross-referenced by CVE ID with Metasploit, Core Impact, and Canvas
Sample Size
• 18,027 Qualifying CVE Entries
• 34% of Total CVE Entries
[Chart: Total CVEs over time. x-axis: 2006 to 2014; y-axis: Number of CVEs (0 to 3500); series: CVE Entries]
Total CWE distribution (pie chart; share of qualifying CVEs by category, labels as charted):
• Resource Management/Use After Free: 10%
• Race Condition: 1%
• Cross-Site Request Forgery (CSRF): 2%
• Cryptographic Issues: 3%
• Improper Authentication/Authentication Bypass: 3%
• Privilege Escalation: 13%
• Credentials Management: 1%
• Credential Management: 0%
• Information Exposure: 5%
• Information Management Errors: 0%
• Numeric Errors: 5%
• Format String: 0%
• Buffer Mismanagement: 21%
• Code Injection: 5%
• SQL Injection: 4%
• Cross Site Scripting: 11%
• Command Injection/Shell Injection: 0%
• Command Injection: 0%
• Input Validation: 0%
• Link Following/Symlink Attack: 1%
• Path Traversal: 2%
• Input Validation: 12%
• Data Handling: 0%
• Design Flaw: 0%
• Configuration: 1%
[Chart: Sampling of CWE over time. x-axis: 2006 to 2014; y-axis: Number of CVEs (0 to 700); series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection]
Observation
Vulnerability discoveries are increasing but category distribution appears consistent
Why?
An increase in the size of the security community and advances in tools and techniques have led to the increase in vulnerability discoveries
[Chart: CVEs compared to CVE exploits. x-axis: 2006 to 2014; y-axis: Number of CVEs (0 to 3500); series: Exploited CVE, Total CVE]
Exploited CWE distribution (pie chart; share of exploited CVEs by category, labels as charted):
• Resource Management/Use After Free: 6%
• Race Condition: 1%
• Cross-Site Request Forgery (CSRF): 0%
• Cryptographic Issues: 1%
• Improper Authentication/Authentication Bypass: 2%
• Privilege Escalation: 10%
• Credentials Management: 1%
• Information Exposure: 2%
• Numeric Errors: 3%
• Format String: 1%
• Buffer Mismanagement: 38%
• Code Injection: 14%
• SQL Injection: 2%
• Cross Site Scripting: 1%
• Command Injection/Shell Injection: 2%
• Command Injection: 0%
• Link Following/Symlink Attack: 0%
• Path Traversal: 5%
• Input Validation: 11%
• Data Handling: 0%
• Configuration: 1%
[Chart: Sampling of exploited CWE over time. x-axis: 2006 to 2014; y-axis: 0 to 60; series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection]
Observation
The number of public exploits is small and in relative decline compared to vulnerabilities
Why?
• Few – or zero – exploits are needed to have an effective arsenal
• Unpatched and misconfigured systems are the norm. No reason to make new exploits when old ones still work!
• Writing exploits is getting harder and more expensive
Exploit mitigations
• Exploit mitigations are very effective and can often prevent 0day attacks.
• Proper implementation has directly led to a relative decline in exploit development.
• 19 types of mitigations available today ???
Why am I still getting hacked?
• Mitigations typically only apply to memory corruption vulnerabilities.
• It's hard enough to patch and properly configure software, much less upgrade compilers, applications, and operating systems.
Exploitation often has a behavior. Using these behaviors we can increase the detection and prevention of a greater number of flaws on current and legacy systems.
Behavior analysis
Exploit Indicators (Process/Thread creation)
Behavior
• Abnormal process creation
• New thread entry point outside of loaded modules' code section
Intent
• Stage next phase of persistence or privilege escalation
• Avoid user detection
Attackers spawn malicious code in new contexts.
Exploit Indicators (Library Usage)
Behavior
• Loading non-ASLR libraries
• Loading DLLs over the network into memory
• Loading abnormal libraries
Intent
• Bypassing mitigations
• Exploit vulnerabilities in legacy components
• Exploit vulnerabilities in library loading
Attackers use weaknesses in legacy libraries to exploit software and bypass mitigations.
Exploit Indicators (Memory Usage)
Behavior
• Abnormal memory usage
• Allocations of consistent sizes
• Large contiguous memory blocks
• Executable memory
Intent
• Reliably corrupt memory
• Control Use After Free conditions
• Create predictable addresses
Attackers often have to control the memory layout of software being exploited.
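As an added example, not Endgame's code, the following Python turns the three indicator families above (thread creation, library usage, memory usage) into simple rules and runs them over a constructed telemetry stream for one process. The event shape, the module table with its code-section ranges and ASLR flags, the addresses and the thresholds are assumptions chosen for the demo; the rules restate the deck's bullets, not any product's detection logic.

```python
"""Score one process's constructed telemetry against the three indicator
families above: thread creation, library usage and memory usage.

Added example, not Endgame's code. Event shape, module table, addresses and
thresholds are assumptions made for the demo; the rules restate the deck's
bullets, not any product's detection logic.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Loaded modules of the monitored process: code-section range and whether the
# image was built with ASLR support (constructed values).
MODULES = [
    {"name": "app.exe",    "text": (0x00401000, 0x00480000), "aslr": True},
    {"name": "ntdll.dll",  "text": (0x77A01000, 0x77B20000), "aslr": True},
    {"name": "legacy.dll", "text": (0x10001000, 0x10040000), "aslr": False},
    {"name": "helper.dll", "text": (0x6A001000, 0x6A020000), "aslr": True},
]

# Constructed event stream for that process, in arrival order.
EVENTS = (
    [{"type": "image_load", "name": "legacy.dll",
      "path": r"C:\Program Files\App\legacy.dll"},
     {"type": "image_load", "name": "helper.dll",
      "path": r"\\10.0.0.5\share\helper.dll"}]
    + [{"type": "alloc", "size": 0x100000, "protect": "RW"}] * 12
    + [{"type": "alloc", "size": 0x2000000, "protect": "RWX"},
       {"type": "thread_create", "start": 0x04D21000}]
)

# Demo thresholds (assumptions, not tuned values).
SAME_SIZE_MIN = 8               # this many allocations of one size is "consistent"
LARGE_BLOCK = 16 * 1024 * 1024  # bytes

# indicator -> (deck family, intent the deck attributes to it)
INDICATORS: Dict[str, Tuple[str, str]] = {
    "thread entry outside module code": ("process/thread creation",
                                         "stage next phase; avoid user detection"),
    "non-ASLR library loaded":          ("library usage", "bypass mitigations"),
    "library loaded over the network":  ("library usage", "exploit library loading"),
    "repeated allocations of one size": ("memory usage", "create predictable addresses"),
    "large contiguous block":           ("memory usage", "reliably corrupt memory"),
    "writable and executable memory":   ("memory usage", "reliably corrupt memory"),
}


def in_code_section(addr: int, modules) -> bool:
    return any(lo <= addr < hi for lo, hi in (m["text"] for m in modules))


def check_threads(events, modules) -> List[Tuple[str, str]]:
    """New thread whose start address is not inside any module's code section."""
    return [("thread entry outside module code", f"start=0x{e['start']:08X}")
            for e in events
            if e["type"] == "thread_create" and not in_code_section(e["start"], modules)]


def check_libraries(events, modules) -> List[Tuple[str, str]]:
    """Images without ASLR, or mapped from a UNC path (loaded over the network)."""
    aslr = {m["name"]: m["aslr"] for m in modules}
    out = []
    for e in events:
        if e["type"] != "image_load":
            continue
        if not aslr.get(e["name"], True):   # unknown images are assumed ASLR-capable
            out.append(("non-ASLR library loaded", e["name"]))
        if e["path"].startswith("\\\\"):
            out.append(("library loaded over the network", e["path"]))
    return out


def check_memory(events) -> List[Tuple[str, str]]:
    """Consistent allocation sizes, very large blocks, and W+X protections."""
    allocs = [e for e in events if e["type"] == "alloc"]
    out = [("repeated allocations of one size", f"{n} x 0x{size:X} bytes")
           for size, n in Counter(a["size"] for a in allocs).items()
           if n >= SAME_SIZE_MIN]
    for a in allocs:
        if a["size"] >= LARGE_BLOCK:
            out.append(("large contiguous block", f"0x{a['size']:X} bytes"))
        if "W" in a["protect"] and "X" in a["protect"]:
            out.append(("writable and executable memory", a["protect"]))
    return out


def analyze(events, modules) -> List[Tuple[str, str, str, str]]:
    """(family, indicator, detail, intent) for every indicator that fired."""
    hits = check_threads(events, modules) + check_libraries(events, modules) + check_memory(events)
    return [(INDICATORS[ind][0], ind, detail, INDICATORS[ind][1]) for ind, detail in hits]


def families_hit(findings) -> int:
    """Distinct indicator families that fired. A single indicator is often benign
    (legacy software routinely loads non-ASLR DLLs); several families firing in
    one process is the signal worth escalating."""
    return len({f[0] for f in findings})


if __name__ == "__main__":
    findings = analyze(EVENTS, MODULES)
    for family, indicator, detail, intent in findings:
        print(f"[{family}] {indicator}: {detail}  (intent: {intent})")
    print(f"{len(findings)} indicators across {families_hit(findings)} of 3 families")
```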
Behavioral Analysis
• Is complementary to mitigations
• Detects and prevents exploitation of unknown threats
• Correlates environmental data like network flows
• Adapts through additional modeling
Key Takeaways
• Vulnerability discoveries are increasing
• Exploitation of some vulnerability categories is on the decline
• A small exploit arsenal is still effective
• Mitigations have raised the difficulty of memory corruption exploitation
• Exploitation, malware, and adversarial behaviors often generate a signal
• Abnormal behavioral monitoring can add to the defensive posture of systems
For more information contact:
egs-info@endgame.com

Contenu connexe

Tendances

The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known IncidentEndgameInc
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine LearningJapneet Singh
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Ethical Hacking & Penetration Testing
Ethical  Hacking &  Penetration  TestingEthical  Hacking &  Penetration  Testing
Ethical Hacking & Penetration TestingWon Ju Jub
 
Penetration testing in wireless network
Penetration testing in wireless networkPenetration testing in wireless network
Penetration testing in wireless networkHadi Fadlallah
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 

Tendances (20)

The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
Another Side of Hacking
Another Side of HackingAnother Side of Hacking
Another Side of Hacking
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine Learning
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Ethical Hacking & Penetration Testing
Ethical  Hacking &  Penetration  TestingEthical  Hacking &  Penetration  Testing
Ethical Hacking & Penetration Testing
 
Penetration testing in wireless network
Penetration testing in wireless networkPenetration testing in wireless network
Penetration testing in wireless network
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 

Similaire à Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats

Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Benelux
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XSophos Benelux
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...DevOps Indonesia
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019Eoin Keary
 
IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptxEoin Keary
 
Raging Ransomware Roadshow May
Raging Ransomware Roadshow MayRaging Ransomware Roadshow May
Raging Ransomware Roadshow MaySophos Benelux
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learningBryan Fendley
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Osama Salah
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Ceh certified ethical hacker
Ceh   certified ethical hackerCeh   certified ethical hacker
Ceh certified ethical hackerbestip
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software Vulnerabili10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software VulnerabiliBenitoSumpter862
 
10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software Vulnerabili10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software VulnerabiliSantosConleyha
 

Similaire à Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats (20)

Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept X
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
 
IISF-March2023.pptx
IISF-March2023.pptxIISF-March2023.pptx
IISF-March2023.pptx
 
Raging Ransomware Roadshow May
Raging Ransomware Roadshow MayRaging Ransomware Roadshow May
Raging Ransomware Roadshow May
 
NetWitness
NetWitnessNetWitness
NetWitness
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learning
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbers
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Ceh certified ethical hacker
Ceh   certified ethical hackerCeh   certified ethical hacker
Ceh certified ethical hacker
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software Vulnerabili10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software Vulnerabili
 
10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software Vulnerabili10h 35m remaining CHAPTER 12 Common Software Vulnerabili
10h 35m remaining CHAPTER 12 Common Software Vulnerabili
 

Plus de EndgameInc

Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
Hardware-Assisted Rootkits & Instrumentation
Hardware-Assisted Rootkits & InstrumentationHardware-Assisted Rootkits & Instrumentation
Hardware-Assisted Rootkits & InstrumentationEndgameInc
 
​Dynamic Detection of Malicious Behavior
​Dynamic Detection of Malicious Behavior​Dynamic Detection of Malicious Behavior
​Dynamic Detection of Malicious BehaviorEndgameInc
 
Machine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and ClusteringMachine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and ClusteringEndgameInc
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseEndgameInc
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedEndgameInc
 

Plus de EndgameInc (6)

Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
Hardware-Assisted Rootkits & Instrumentation
Hardware-Assisted Rootkits & InstrumentationHardware-Assisted Rootkits & Instrumentation
Hardware-Assisted Rootkits & Instrumentation
 
​Dynamic Detection of Malicious Behavior
​Dynamic Detection of Malicious Behavior​Dynamic Detection of Malicious Behavior
​Dynamic Detection of Malicious Behavior
 
Machine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and ClusteringMachine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and Clustering
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
 

Dernier

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Dernier (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats

  • 1. Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats Cody Pierce, Director of Vulnerability Research
  • 2. About myself
    ◦ 6 years researching vulnerabilities at Endgame
    ◦ 4 years as a senior researcher for TippingPoint Zero Day Initiative
    ◦ Discovered dozens of vulnerabilities in major vendor software for over a decade
  • 3. Vulnerabilities do not compromise systems. An exploit is needed to effectively demonstrate the impact of flaws.
  • 4. Sample
    ◦ Vulnerabilities covering 2006 - 2014
    ◦ NVD CVE XML data set
    ◦ CVSS Score Medium+
    ◦ Counted vendors have a minimum of 5 CVE per year or 15 CVE total.
    ◦ Category grouping using CWE (Common Weakness Enumeration)
    ◦ Exploits cross-referenced by CVE ID with Metasploit, Core Impact, and Canvas
  • 5. Sample Size
    ◦ 18,027 Qualifying CVE Entries
    ◦ 34% of Total CVE Entries
  • 6. [Chart: Total CVEs over time, 2006-2014. Y-axis: Number of CVEs (0 to 3500).]
  • 7. Total CWE distribution (pie chart): Resource Management/Use After Free 10%; Race Condition 1%; Cross-Site Request Forgery (CSRF) 2%; Cryptographic Issues 3%; Improper Authentication/Authentication Bypass 3%; Privilege Escalation 13%; Credentials Management 1%; Credential Management 0%; Information Exposure 5%; Information Management Errors 0%; Numeric Errors 5%; Format String 0%; Buffer Mismanagement 21%; Code Injection 5%; SQL Injection 4%; Cross Site Scripting 11%; Command Injection/Shell Injection 0%; Command Injection 0%; Input Validation 0%; Link Following/Symlink Attack 1%; Path Traversal 2%; Input Validation 12%; Data Handling 0%; Design Flaw 0%; Configuration 1%
  • 8. [Chart: Sampling of CWE over time, 2006-2014. Series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection. Y-axis: Number of CVEs (0 to 700).]
  • 9. Observation: Vulnerability discoveries are increasing, but category distribution appears consistent.
  • 10. Why? An increase in the size of the security community and advances in tools and techniques have led to the increase in vulnerability discoveries.
  • 11. [Chart: CVEs compared to CVE exploits, 2006-2014. Series: Exploited CVE, Total CVE. Y-axis: Number of CVEs (0 to 3500).]
  • 12. Exploited CWE distribution (pie chart): Resource Management/Use After Free 6%; Race Condition 1%; Cross-Site Request Forgery (CSRF) 0%; Cryptographic Issues 1%; Improper Authentication/Authentication Bypass 2%; Privilege Escalation 10%; Credentials Management 1%; Information Exposure 2%; Numeric Errors 3%; Format String 1%; Buffer Mismanagement 38%; Code Injection 14%; SQL Injection 2%; Cross Site Scripting 1%; Command Injection/Shell Injection 2%; Command Injection 0%; Link Following/Symlink Attack 0%; Path Traversal 5%; Input Validation 11%; Data Handling 0%; Configuration 1%
  • 13. [Chart: Sampling of exploited CWE over time, 2006-2014. Series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection. Y-axis: 0 to 60.]
  • 14. Observation: The number of public exploits is small and in relative decline compared to vulnerabilities.
  • 15. Why?
    ◦ Few – or zero – exploits are needed to have an effective arsenal
    ◦ Unpatched and misconfigured systems are the norm. No reason to make new exploits when old ones still work!
    ◦ Writing exploits is getting harder and more expensive
  • 16. Exploit mitigations
    ◦ Exploit mitigations are very effective and can often prevent 0day attacks.
    ◦ Proper implementation has directly led to a relative decline in exploit development.
    ◦ 19 types of mitigations available today ???
  • 17. Why am I still getting hacked?
    ◦ Mitigations typically only apply to memory corruption vulnerabilities.
    ◦ It’s hard enough to patch and properly configure software, much less upgrade compilers, applications, and operating systems.
  • 18. Behavior analysis: Exploitation often has a behavior. Using these behaviors we can increase the detection and prevention of a greater number of flaws on current and legacy systems.
  • 19. Exploit Indicators (Process/Thread creation)
    Behavior:
    ◦ Abnormal process creation
    ◦ New thread entry point outside of loaded modules' code section
    Intent:
    ◦ Stage next phase of persistence or privilege escalation
    ◦ Avoid user detection
    Attackers spawn malicious code in new contexts.
  • 20. Exploit Indicators (Library Usage)
    Behavior:
    ◦ Loading non-ASLR libraries
    ◦ Loading DLLs over the network into memory
    ◦ Loading abnormal libraries
    Intent:
    ◦ Bypassing mitigations
    ◦ Exploit vulnerabilities in legacy components
    ◦ Exploit vulnerabilities in library loading
    Attackers use weaknesses in legacy libraries to exploit software and bypass mitigations.
  • 21. Exploit Indicators (Memory Usage)
    Behavior:
    ◦ Abnormal memory usage
    ◦ Allocations of consistent sizes
    ◦ Large contiguous memory blocks
    ◦ Executable memory
    Intent:
    ◦ Reliably corrupt memory
    ◦ Control Use After Free conditions
    ◦ Create predictable addresses
    Attackers often have to control the memory layout of software being exploited.
  • 22. Behavioral Analysis
    ◦ Is complementary to mitigations
    ◦ Detects and prevents exploitation of unknown threats
    ◦ Correlates environmental data like network flows
    ◦ Adapts through additional modeling
  • 23. Key Takeaways
    ◦ Vulnerability discoveries are increasing
    ◦ Exploitation of some vulnerability categories is on the decline
    ◦ A small exploit arsenal is still effective
    ◦ Mitigations have raised the difficulty of memory corruption exploitation
    ◦ Exploitation, malware, and adversarial behaviors often generate a signal
    ◦ Abnormal behavioral monitoring can add to the defensive posture of systems
  • 24. For more information contact: egs-info@endgame.com
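The sampling rules from slides 4 and 5 (CVSS Medium+, vendors with at least 5 CVE in a year or 15 total, CWE grouping, and an exploit-framework cross-reference) applied to constructed records. This is an added example, not the author's script or NVD data; it assumes the NVD CVSS v2 Medium threshold of 4.0 and that the severity filter runs before the vendor count.

```python
"""Apply the deck's sampling rules (slides 4-5) to constructed CVE records.
Added example, not the author's script or NVD data. Assumptions: NVD CVSS v2
"Medium" starts at 4.0, and the severity filter runs before vendor counting."""
from collections import Counter

MEDIUM_PLUS = 4.0  # NVD CVSS v2: Medium is 4.0-6.9, High is 7.0-10.0

def make_records():
    """Constructed records: (cve_id, year, vendor, cvss, cwe)."""
    recs = []
    for i, year in enumerate(range(2006, 2014)):  # "acme": 16 CVEs, 2 per year
        recs.append((f"CVE-{year}-10{i}0", year, "acme", 7.5, "CWE-119"))
        recs.append((f"CVE-{year}-10{i}1", year, "acme", 5.0, "CWE-79"))
    for i in range(5):  # "bolt": 5 CVEs in a single year
        recs.append((f"CVE-2012-200{i}", 2012, "bolt", 6.8, "CWE-89"))
    for i in range(3):  # "cog": only 3 CVEs ever, below both thresholds
        recs.append((f"CVE-2010-300{i}", 2010, "cog", 9.3, "CWE-119"))
    recs.append(("CVE-2013-1999", 2013, "acme", 2.1, "CWE-200"))  # Low severity
    return recs

# Constructed stand-in for the Metasploit / Core Impact / Canvas cross-reference
EXPLOITED = {"CVE-2008-1020", "CVE-2012-2000", "CVE-2010-3000"}

def qualifying_vendors(records, per_year=5, total=15):
    """Vendors with >= per_year CVEs in some year or >= total CVEs overall."""
    by_vendor = Counter(r[2] for r in records)
    by_vendor_year = Counter((r[2], r[1]) for r in records)
    keep = {v for v, n in by_vendor.items() if n >= total}
    keep |= {v for (v, _y), n in by_vendor_year.items() if n >= per_year}
    return keep

def build_sample(records, exploited, min_cvss=MEDIUM_PLUS):
    """Filter, then tally yearly totals, exploited counts and CWE distribution."""
    severe = [r for r in records if r[3] >= min_cvss]
    vendors = qualifying_vendors(severe)
    sample = [r for r in severe if r[2] in vendors]
    return {
        "sample": sample,
        "per_year": Counter(r[1] for r in sample),
        "exploited_per_year": Counter(r[1] for r in sample if r[0] in exploited),
        "cwe": Counter(r[4] for r in sample),
    }

if __name__ == "__main__":
    stats = build_sample(make_records(), EXPLOITED)
    for year in sorted(stats["per_year"]):
        print(year, stats["per_year"][year], stats["exploited_per_year"][year])
```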
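The indicators from slides 19 to 21 written as simple rules over constructed process telemetry (thread start addresses, image loads, memory allocations). This is an added example, not Endgame's product logic; the module map, the event stream and the thresholds (8 same-size allocations, a 64 MiB block) are assumptions chosen for the demonstration.

```python
"""Rule sketch for the exploit indicators on slides 19-21 (added example,
not Endgame's product logic). Module map, event stream and thresholds
(8 same-size allocations, 64 MiB block) are constructed assumptions."""
from collections import Counter

# Constructed code-section map for one process: (name, start, end, aslr)
MODULES = [
    ("app.exe", 0x00400000, 0x00480000, True),
    ("legacy.dll", 0x10000000, 0x10040000, False),  # fixed base, no ASLR
]

# Constructed telemetry for that process, in arrival order
CONSTRUCTED_EVENTS = [
    {"type": "thread_create", "start": 0x00401230},  # inside app.exe .text
    {"type": "thread_create", "start": 0x0C0C0C0C},  # points into the heap
    {"type": "image_load", "path": r"C:\app\legacy.dll", "aslr": False},
    {"type": "image_load", "path": r"\\10.0.0.5\share\x.dll", "aslr": True},
] + [{"type": "mem_alloc", "size": 0x100000, "protect": "PAGE_EXECUTE_READWRITE"}] * 8 + [
    {"type": "mem_alloc", "size": 0x8000000, "protect": "PAGE_READWRITE"},
]

def in_code_section(addr, modules):
    """True when addr falls inside a loaded module's mapped range."""
    return any(lo <= addr < hi for _name, lo, hi, _aslr in modules)

def exploit_indicators(events, modules, same_size_min=8, big_block=64 << 20):
    """Return (indicator, detail) pairs for the behaviours the deck lists."""
    hits, sizes = [], Counter()
    for e in events:
        if e["type"] == "thread_create" and not in_code_section(e["start"], modules):
            hits.append(("thread_entry_outside_modules", hex(e["start"])))
        elif e["type"] == "image_load":
            if not e["aslr"]:
                hits.append(("non_aslr_library", e["path"]))
            if e["path"].startswith("\\\\"):  # UNC path: DLL pulled over the network
                hits.append(("library_loaded_over_network", e["path"]))
        elif e["type"] == "mem_alloc":
            if "EXECUTE" in e["protect"]:
                hits.append(("executable_memory", hex(e["size"])))
            if e["size"] >= big_block:
                hits.append(("large_contiguous_block", hex(e["size"])))
            sizes[e["size"]] += 1
    for size, n in sizes.items():  # many same-size blocks: heap-grooming signal
        if n >= same_size_min:
            hits.append(("consistent_size_allocations", f"{n} x {hex(size)}"))
    return hits

def summarize(hits):
    return Counter(name for name, _detail in hits)  # per-indicator counts for scoring
```

A real detector would correlate these counts with the network flows the deck mentions rather than alert on any single rule.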

Editor's notes

  1. Bug bounties. Are exploits increasing at the same rate as disclosures?
  2. No
  3. But they do categorically
  4. Trend note: decline of overflow exploits. Trend note: LPE necessity
  5. Cite EMET bypasses
  6. Heap spray, Row hammer, Vgx.dll
  7. Heap spray, Row hammer, Vgx.dll
  8. Heap spray, Row hammer, Vgx.dll; “Rowhammer”; Use-After-Free Exploits; Heap Buffer Overflows