Despite the best efforts of the security community—and big claims from security vendors—large areas of vulnerabilities and exploits remain to be leveraged by adversaries. You will learn about:
- A new perspective on the current state of software flaws.
- The wide margin between disclosed vulnerabilities and public exploits, including a historical analysis and trending patterns.
- Effective countermeasures that can be deployed to detect, and prevent, the exploitation of vulnerabilities.
- The limitations of operating-system-provided mitigations, and how a combination of increased countermeasures with behavioral analysis will get defenders closer to preventing the largest number of threats.
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats
1. Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats
Cody Pierce, Director of Vulnerability Research
2. About myself
6 years researching vulnerabilities at Endgame
4 years as a senior researcher for TippingPoint Zero Day Initiative
Discovered dozens of vulnerabilities in major vendor software for over a decade
3. Vulnerabilities do not compromise systems. An exploit is needed to effectively demonstrate the impact of flaws.
4. Sample
Vulnerabilities covering 2006 - 2014
NVD CVE XML data set
CVSS Score Medium+
Counted vendors have a minimum of 5 CVE per year or 15 CVE total.
Category grouping using CWE (Common Weakness Enumeration)
Exploits cross-referenced by CVE ID with Metasploit, Core Impact, and Canvas
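The sampling method on this slide (CVSS Medium+, a per-vendor volume threshold, CWE grouping, and a cross-reference of CVE IDs against exploit frameworks) is easy to get subtly wrong, in particular the order of the filters. The following is an added example, not code from the talk or from Endgame: it implements the four filters over constructed records and a constructed exploit list, then produces the per-year and per-CWE "disclosed vs. exploited" counts that the later charts are built from. It assumes that "Medium+" means a CVSS v2 base score of 4.0 or higher and that the score filter runs before the vendor threshold; the vendor names, CVE IDs and exploit list are made up.

```python
# Added example (not from the talk): a runnable model of the sampling method
# on the slide. Records and exploit list are constructed, not NVD data.
# Assumptions: "CVSS Score Medium+" means CVSS v2 base score >= 4.0, and the
# score filter is applied before the per-vendor volume threshold.
from collections import Counter, defaultdict, namedtuple
from itertools import count

Vuln = namedtuple("Vuln", "cve year vendor cvss cwe")
_ids = count(1000)  # unique CVE sequence numbers for the constructed records

CVSS_MEDIUM = 4.0    # CVSS v2 "Medium" starts at 4.0 (assumed reading of "Medium+")
MIN_PER_YEAR = 5     # vendor must have >= 5 CVE in some year ...
MIN_TOTAL = 15       # ... or >= 15 CVE overall

def make(vendor, year, n, cwe, cvss):
    """Build n constructed records for one vendor/year/CWE."""
    return [Vuln(f"CVE-{year}-{next(_ids)}", year, vendor, cvss, cwe) for _ in range(n)]

# Constructed NVD-style sample. IDs are assigned sequentially from 1000.
VULNS = []
VULNS += make("Alpha", 2006, 6, "CWE-119", 9.3)   # CVE-2006-1000..1005: 6 in one year -> eligible
VULNS += make("Alpha", 2008, 2, "CWE-119", 7.5)   # CVE-2008-1006..1007
VULNS += make("Beta", 2007, 2, "CWE-89", 7.5)     # CVE-2007-1008..1009: Beta never reaches
VULNS += make("Beta", 2008, 2, "CWE-89", 7.5)     # CVE-2008-1010..1011: 5/year or 15 total
for y in range(2010, 2015):
    VULNS += make("Gamma", y, 3, "CWE-20", 5.0)   # CVE-2010-1012 .. CVE-2014-1026: 15 total -> eligible
VULNS += make("Delta", 2009, 7, "CWE-79", 2.1)    # CVE-2009-1027..1033: Low CVSS, dropped first

# Constructed cross-reference: CVE IDs with a module in an exploit framework
# (the slide uses Metasploit, Core Impact and Canvas; these IDs are made up).
EXPLOITED = {"CVE-2006-1000", "CVE-2006-1001", "CVE-2008-1006", "CVE-2011-1015", "CVE-2007-1008"}

def eligible_vendors(vulns):
    """Vendors meeting the volume threshold (>= 5 CVE in a year or >= 15 total)."""
    per_year = defaultdict(Counter)
    total = Counter()
    for v in vulns:
        per_year[v.vendor][v.year] += 1
        total[v.vendor] += 1
    return {vendor for vendor in total
            if total[vendor] >= MIN_TOTAL
            or max(per_year[vendor].values()) >= MIN_PER_YEAR}

def sample(vulns, min_cvss=CVSS_MEDIUM):
    """Apply the slide's filters: CVSS Medium+, then the vendor volume threshold."""
    scored = [v for v in vulns if v.cvss >= min_cvss]
    keep = eligible_vendors(scored)
    return [v for v in scored if v.vendor in keep]

def trend(sampled, exploited):
    """(disclosed, exploited) counts keyed by year and by CWE category."""
    by_year = defaultdict(lambda: [0, 0])
    by_cwe = defaultdict(lambda: [0, 0])
    for v in sampled:
        for bucket in (by_year[v.year], by_cwe[v.cwe]):
            bucket[0] += 1
            bucket[1] += v.cve in exploited
    return ({k: tuple(c) for k, c in by_year.items()},
            {k: tuple(c) for k, c in by_cwe.items()})

def unsampled_exploits(vulns, sampled, exploited):
    """Exploited CVEs that the filters excluded: the gap between 'has a public
    exploit' and 'counted as exploited in this data set'."""
    kept = {v.cve for v in sampled}
    return sorted(v.cve for v in vulns if v.cve in exploited and v.cve not in kept)

if __name__ == "__main__":
    s = sample(VULNS)
    by_year, by_cwe = trend(s, EXPLOITED)
    for year in sorted(by_year):
        n, e = by_year[year]
        print(f"{year}: {n:3d} disclosed, {e} exploited ({100 * e / n:.0f}%)")
    for cwe, (n, e) in sorted(by_cwe.items()):
        print(f"{cwe}: {n} disclosed, {e} exploited")
    print("exploited but outside sample:", unsampled_exploits(VULNS, s, EXPLOITED))
```

Two things the run makes visible: applying the vendor threshold before the score filter would keep the low-scored "Delta" vendor (it has 7 CVE in one year), so the filter order changes the sample; and a CVE with a public exploit module can still fall outside the "exploited" count when its vendor fails the threshold, which is why the exploit-to-vulnerability ratio depends on the sampling rules as much as on the raw data.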
10. Why?
An increase in the size of the security community, and advancements in tools and techniques, have led to the increase in vulnerability discoveries.
13. [Chart] Sampling of Exploited CWE Over Time, 2006-2014: count per year (y-axis 0-60) for Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, and SQL Injection.
14. Observation
The number of public exploits is small and in relative decline compared to vulnerabilities.
15. Why?
• Few – or zero – exploits are needed to have an effective arsenal
• Unpatched and misconfigured systems are the norm. No reason to make new exploits when old ones still work!
• Writing exploits is getting harder and more expensive
16. Exploit mitigations
Exploit mitigations are very effective and can often prevent 0day attacks.
Proper implementation has directly led to a relative decline in exploit development.
19 types of mitigations available today ???
17. Why am I still getting hacked?
Mitigations typically only apply to memory corruption vulnerabilities.
It’s hard enough to patch and properly configure software, much less upgrade compilers, applications, and operating systems.
18. Behavior analysis
Exploitation often has a behavior. Using these behaviors we can increase the detection and prevention of a greater number of flaws on current and legacy systems.
19. Exploit Indicators (Process/Thread creation)
Behavior:
• Abnormal process creation
• New thread entry point outside of loaded modules’ code section
Intent:
• Stage next phase of persistence or privilege escalation
• Avoid user detection
Attackers spawn malicious code in new contexts.
20. Exploit Indicators (Library Usage)
Behavior:
• Loading non-ASLR libraries
• Loading DLLs over the network into memory
• Loading abnormal libraries
Intent:
• Bypassing mitigations
• Exploit vulnerabilities in legacy components
• Exploit vulnerabilities in library loading
Attackers use weaknesses in legacy libraries to exploit software and bypass mitigations.
21. Exploit Indicators (Memory Usage)
Behavior:
• Abnormal memory usage
• Allocations of consistent sizes
• Large contiguous memory blocks
• Executable memory
Intent:
• Reliably corrupt memory
• Control Use After Free conditions
• Create predictable addresses
Attackers often have to control the memory layout of software being exploited.
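Slides 19 through 21 describe three families of behavioral indicators (thread creation, library usage, memory usage) without showing how a monitor would evaluate them. The following is an added example, not code from the talk or from any product: it replays a constructed stream of image-load, thread-create and allocation events, keeps per-process state (loaded code sections, allocation-size histogram), raises the indicators named on the slides, and then applies the corroboration rule that a single family on its own is only "suspicious" while two or more point to exploitation. The event schema, field names, addresses, paths and thresholds are all assumptions made for this example.

```python
# Added example (not from the talk): detection logic for the three indicator
# families on the slides, replayed over a constructed event stream.
# The event schema, field names, addresses and thresholds are assumptions
# made for this example; they do not describe any product's telemetry.
from collections import Counter, defaultdict

SPRAY_COUNT = 8           # same-size allocations before flagging a spray (assumed)
LARGE_ALLOC = 64 << 20    # single allocation of 64 MiB or more (assumed)
EXEC_PROTECT = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

def load(pid, path, text, aslr=True):
    """Constructed image-load event; text = (start, end) of the module's code section."""
    return {"t": "image_load", "pid": pid, "path": path, "text": text, "aslr": aslr}

def thread(pid, start):
    return {"t": "thread_create", "pid": pid, "start": start}

def alloc(pid, size, protect="PAGE_READWRITE"):
    return {"t": "mem_alloc", "pid": pid, "size": size, "protect": protect}

# Constructed telemetry: pid 100 is a benign process, pid 300 only loads a
# legacy non-ASLR DLL, pid 200 shows the full exploit pattern.
EVENTS = [
    load(100, r"C:\Windows\System32\ntdll.dll", (0x7FF000010000, 0x7FF000100000)),
    load(100, r"C:\Program Files\App\app.exe", (0x00401000, 0x00450000)),
    thread(100, 0x00421337),                      # entry point inside app.exe code: benign
    load(300, r"C:\Program Files\Old\old.exe", (0x00401000, 0x00430000)),
    load(300, r"C:\Program Files\Old\legacy.dll", (0x10001000, 0x10030000), aslr=False),
    load(200, r"C:\Program Files\Viewer\viewer.exe", (0x00401000, 0x00480000)),
    load(200, r"C:\Program Files\Viewer\legacy.dll", (0x10001000, 0x10030000), aslr=False),
    load(200, r"\\evil-share\tools\payload.dll", (0x60001000, 0x60010000)),
    *[alloc(200, 0x100000) for _ in range(12)],  # twelve 1 MiB blocks of the same size
    alloc(200, 128 << 20),                        # one 128 MiB block
    alloc(200, 0x1000, "PAGE_EXECUTE_READWRITE"),
    thread(200, 0x0C0C0C0C),                      # entry point in sprayed heap, no image there
]

FAMILY = {
    "thread_start_outside_image": "thread",
    "non_aslr_image": "library", "image_from_network": "library",
    "repeated_alloc_size": "memory", "large_alloc": "memory", "executable_memory": "memory",
}

def analyze(events):
    """Replay events in order; return {pid: set of indicator names} for flagged pids."""
    modules = defaultdict(list)    # pid -> [(path, code_start, code_end)]
    sizes = defaultdict(Counter)   # pid -> allocation size -> count
    findings = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["t"] == "image_load":
            modules[pid].append((ev["path"], *ev["text"]))
            if not ev["aslr"]:
                findings[pid].add("non_aslr_image")
            if ev["path"].startswith("\\\\"):          # UNC path: DLL fetched over the network
                findings[pid].add("image_from_network")
        elif ev["t"] == "thread_create":
            if not any(lo <= ev["start"] < hi for _, lo, hi in modules[pid]):
                findings[pid].add("thread_start_outside_image")
        elif ev["t"] == "mem_alloc":
            sizes[pid][ev["size"]] += 1
            if sizes[pid][ev["size"]] == SPRAY_COUNT:
                findings[pid].add("repeated_alloc_size")
            if ev["size"] >= LARGE_ALLOC:
                findings[pid].add("large_alloc")
            if ev["protect"] in EXEC_PROTECT:
                findings[pid].add("executable_memory")
    return dict(findings)

def verdict(indicators):
    """One family alone is common in legacy software; two or more corroborate."""
    families = {FAMILY[i] for i in indicators}
    if len(families) >= 2:
        return "exploitation_likely"
    return "suspicious" if families else "clean"

if __name__ == "__main__":
    for pid, found in sorted(analyze(EVENTS).items()):
        print(pid, verdict(found), sorted(found))
```

The corroboration step is the practical point: a non-ASLR DLL on its own (pid 300) is exactly the "legacy component" situation slide 17 complains about and would drown a detector in noise, whereas the same load alongside a same-size allocation spray, an RWX region and a thread starting in unbacked memory (pid 200) is the layout control and staging that slides 19 to 21 describe. Thresholds such as SPRAY_COUNT would be tuned per application from baseline telemetry rather than fixed as here.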
22. Behavioral Analysis
Is complementary to mitigations
Detects and prevents exploitation of unknown threats
Correlates environmental data like network flows
Adapts through additional modeling
23. Key Takeaways
Vulnerability discoveries are increasing
Exploitation of some vulnerability categories is on the decline
A small exploit arsenal is still effective
Mitigations have raised the difficulty of memory corruption exploitation
Exploitation, Malware, and Adversarial behaviors often generate a signal
Abnormal behavioral monitoring can add to the defensive posture of systems