Download PDF - Codenomicon

More documents

Recommendations

Info

CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs) 4 Known and Unknown Vulnerabilities In this paper we focus on the fourth quadrant, the unidentified zero-day vulnerabilities. These vulnerabilities are the biggest threat to an organization’s security [7]. Their existence is unknown, there are no defenses against them and an attack can go completely unnoticed [7]. If an attacker finds a zero-day vulnerability in a network, service or application, they can do what they want with it from website defacing, obstructing operations to stealing confidential information. It is unlikely that targets of high profile attacks are not keeping their patches upto-date. It is the zero-day vulnerabilities in their systems that make APTs possible. How can APTs be mitigated Figure 2 divides vulnerabilities into known and unknown vulnerabilities for which there are already patches available or not. If you have vulnerabilities within your systems for which patches already exist, then clearly you should be doing better vulnerability research and be more vigilant about patch updates [6]. Most organizations do a good job, employing various technologies like anti-virus, firewall, IPS/IDS to defend against known attacks and keep up-to-date with software updates [6]. During the small window when a vulnerability has been discovered but there is no patch yet, a workaround needs to be implemented. Zero-Day vulnerabilities and APTs Patch Not available Implement workaround 5 Fuzzing Fuzzing is a black-box robustness testing technique used to reveal unknown zero-day vulnerabilities by triggering them with unexpected inputs. Basically, unexpected data in the form of modified protocol messages are fed to the inputs of a system, and the behavior of the system is monitored [9]. If the system fails, e.g., by crashing or by failing built-in code assertions, then there is an exploitable vulnerability in the software [10]. While many security techniques focus on finding known vulnerabilities or variations of them, fuzzing reveals previously unknown vulnerabilities, so called zero-day vulnerabilities by triggering them with unexpected inputs [4]. Figure 3 depicts the flow of fuzzing tests. Discovering Zero-Day Vulnerabilities A survey conducted by a large independent software vendor found that every single unique vulnerability found had been discovered by fuzzing [6]. The Internet is full of fuzzing kits, like the Phoenix Exploit Kit, Blackhole and Crimepack, favored among crackers to find exploitable vulnerabilities in networks and applications [6]. Industry leading companies are already using fuzzing to protect their networks against zero-day attacks. By finding zero-day vulnerabilities proactively, networks can be made more robust against attacks reducing the risk of advanced cyber attacks [4]. Patch Available Apply the patch Known Vulnerability Do better vulnerability research Unknown/Zero-Day Vulnerability Figure 2: Known and Unknown Vulnerabilities.[8] 6 Automating Fuzzing In fuzzing, thousands and even millions of misuse-cases are created for each use-case, thus most robustness testing solutions contain at least some degree of automation. There are two popular ways to automate fuzzing: generation and mutation-based fuzzing [11]. In mutation-based fuzzing, real-life inputs such as network traffic and files, are used to generate test cases by
CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs) Figure 3: The flow of fuzzing. [9] modifying the samples either randomly or based on the sample structure [11]. In generation-based fuzzing, the process of data element identification is automated by using protocol models [11]. Specification-based Fuzzing Specification-based fuzzing is a form of generation-based fuzzing, which uses protocol and file format specifications to provide the fuzzer with protocol or file format specific information, e.g., on the boundary limits of the data elements [11]. Specification-based test generation achieves excellent coverage testing the protocol features included in the specification. However, new features and proprietary features not included in the specification are not covered [12]. If no specification is available, then the best fuzzing results can be achieved with mutation-based fuzzers [12]. Generation-based testing can also be complemented with longer mutation-based fuzzing test runs. Some vulnerabilities might only be triggered through more aggressive input space testing [12]. Thus, the best test results are achieved by combining testing techniques. 7 Abuse Situation Awareness Human error is frequently attributed as the main cause of security breaches [13]. Endsley argues that the term “human error” is misleading, because it implies that the problems are caused by careless, poorly trained employees, when in most cases the real problem is inadequate situation awareness [14]. Security personnel operate in highly complex networks and handle vast amounts of information [14]. The problem is not that they do not know what is the correct way to react to incidents. Finding and identifying security incidents from the flood of network information is very difficult [14].
Page 1 and 2: Codenomicon whitepaper: Proactive C
Page 3: CODENOMICON WHITEPAPER - Proactive
Page 7 and 8: CODENOMICON WHITEPAPER - Proactive

Download PDF - Codenomicon

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?