Tag Archives: Threat Intelligence

CVE September Awareness Bulletin

[Following last month’s CVE Awareness Bulletin, I introduced more IDS vendors and documented the process of gathering and producing such information. As a result, the article should offer a more consistent outlook across the upcoming months even though the effort is almost exclusively manual.]

The CVE September Awareness Bulletin is an initiative that aims to provide further intelligence and analysis concerning the last vulnerabilities published by the National Institute of Standards and Technology (NIST), National Vulnerability Database (NVD) and the IDS vendors’ coverage for these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) is a public list of common names made available by MITRE Corporation for vulnerabilities and exposures that are publicly known.

This is the most popular list of vulnerabilities and is used as a reference across the whole security industry. It should not be considered absolute but due to the nature of its mission and the current sponsors – Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC) – it is widely adopted across the industry.

Based on this public information I decided to take a look at what has been released during the month of September. There were 464 vulnerabilities published where 100 were issued with a Common Vulnerability Scoring System (CVSS) score of 8 or higher – CVSS provides a standardized method for rating vulnerabilities using a scoring system based on their different properties from 1 to 10. From these security vulnerabilities, I compared the last signature updates available from products that have a significant share of the market i.e., Checkpoint, Tipping point, SourceFire, Juniper, Cisco and Palo Alto. The result is that Checkpoint has the best coverage with 20%. Tipping point and Sourcefire have 19%, Juniper 16%, Cisco 12% and the last Palo Alto with 10%.

The following graph illustrates the mapping between the CVEs published in September with a CVSS equal or higher than 8 by vulnerability type and the vendor coverage:

cve-september

In addition to looking at all the vulnerabilities released, it is also essential to look into detail for specific coverage like Microsoft products vulnerabilities. On the 10th of September the Microsoft Security Bulletin (a.k.a Patch Tuesday) announced 47 vulnerabilities. From these 30 have a CVSS score equal or higher than 8. From these the vendor coverage is shown in the following table:

MSBulletin-September

The vendors analyzed have provided signatures on the same date (10 of September) or few days later. The mentioned signatures and patches should be applied as soon as possible but you should also fully evaluate them (when possible) before applying it production systems.

In addition to that, following signature update deployment, you should always check which signatures have been enabled by default.  Plus you should be evaluating what is the impact in your environment for the CVEs that don’t have coverage.

Bottom line, the vendors that were analyzed have a quick response but the coverage should be broader. September we saw 100 vulnerabilities with a CVSS higher than 8 but only 20% of them have coverage in the best case (Checkpoint). This means 80% of the published vulnerabilities don’t have coverage. Regarding the vendor response to the Microsoft Security Bulletin Summary for September 2013, the coverage is better and goes up to 40% in the best case (Checkpoint). Interesting to note that some of these vulnerabilities are related to software that don’t have significant share in the market. Worth to mention that 15 of these vulnerabilities (15%) are related to Adobe products and they are not covered. Even if the vendors would have 100% coverage they would not apply to all environments. Furthermore, the likelihood of these vulnerabilities to be successful exploited should also be considered since some of them could be very hard to pull off. So it’s key that you know your infrastructure, your assets and mainly where are your business crown jewels. Then you should be able to help them better protect your intellectual property and determine will be the impact if your intellectual property gets disclosed, altered or destroyed.

Tagged , ,

CVE August Awareness Bulletin

The CVE August Awareness Bulletin is a personal initiative and experience that aims to provide further intelligence and analysis concerning the last vulnerabilities published by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the vendors coverage for this vulnerabilities.

Common Vulnerabilities and Exposures (CVE) is a public list of common names made available by MITRE Corporation for vulnerabilities and exposures that are publicly known.

This is the most popular list of vulnerabilities used as a reference across the security industry. It should not be considered as absolute but due to nature of its mission and current sponsors – Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) – it carries a great amount of adoption across the industry.

Based on this public information I decided to take a look what has been publicized during the month of August. As of today, there were 300 vulnerabilities discovered In the current month where 40 security vulnerabilities were published with a Common Vulnerability Scoring System (CVSS) score of 8 or higher – CVSS provides a standardized method for rating vulnerabilities using a scoring system based on their different properties -. From these security vulnerabilities, I compared the last signature updates available from Juniper, Checkpoint, Tipping point and SourceFire for their NSM and IPS-1, SMS and DigitalCenter products respectively.  The result is that at the moment Checkpoint, Tipping point and Sourcefire have 25% coverage and Juniper 22,5%,

Eleven of forty published security vulnerabilities are related to Microsoft products. From these eleven, nine of them affect Internet Explorer.  Checkpoint, TippingPoint, SourceFire covers ten of the eleven vulnerabilities. Juniper only covers the ones related to Internet Explorer and not protecting against the CVE-2013-3175 and CVE-2013-3181.

The following graph illustrates the mapping between the CVEs published in August with a CVSS equal or higher than 8 by type and the vendor coverage:

CVE-August

The following table shows the August published CVEs related to Microsoft products that have been covered in the latest Checkpoint,  Juniper, Tipping Point and SourceFire  signature updates. It also includes the related Microsoft security bulletin:

CVE-table-August

Interesting that it looks like that Microsoft patch Tuesday is somehow coordinated with the security vendors signature updates. The ones analyzed have provided signatures on the same date (13 of August). The mentioned signatures and patches should be applied  as soon as possible but you should also fully evaluate them (when possible) before applying it production systems.

For further reference I include here where you can check the signatures on Juniper NSM and Checkpoint SmartCenter Server.

For Juniper NSM you can check the signatures under Configure – Object Manager – Attack Objects – IDP Objects:

NSM-Signatures

For Checkpoint IPS-1 you can check the signatures under IPS – Protections – By Type – Signatures:

Checkpoint-Signatures

For TippingPoint, on the SMS, go to Profiles. Then, from the navigation pane on the left, click the + sign next to the IPS Profiles to expand the category. Then select the search type (global or standard). The Profiles – Search screen displays and is divided in four areas. In the Filter Criteria are you can click the arrow next to it and specify the CVE id.

For SourceFire you can locate rules based on CVE numbers from within your intrusion policy by searching all rules using a certain search filter. Go to Policies – Intrusion – Intrusion Policy. Choose “Edit” next to your policy. Click on Rules. In the search filter, type “reference:” followed by the CVE that you wish to look for.

In addition, after deploying signature updates to the sensors you should check which signatures have been enabled by default.  Plus you should be checking and evaluating what is the impact on your environment for the CVEs that don’t have coverage.

Bottom line, the vendors that were analyzed have pretty quick and decent coverage for the signatures that are related to the big software vendors e.g., Microsoft. However, in August we saw 40 vulnerabilities with a CVSS higher than 8 but only 25% of them have coverage. This means 75% of the published vulnerabilities don’t have coverage. Interesting to note that these vulnerabilities are related to software that don’t have significant penetration in the market. Noteworthy, is that 5 vulnerabilities are related to Mozilla Firefox (CVE-2013-1701, CVE-2013-1702,CVE-2013-1704, CVE-2013-1705 and CVE-2013-1710) and they are not covered. Even if the vendors would have 100% coverage for all vulnerabilities they would not apply to all environments. So it’s key that you know your infrastructure, your assets and mainly where are and what are your business crown jewels. Then you should know how to protect your intellectual property and what will be the impact if your intellectual property gets disclosed, altered or destroyed.

Tagged , ,

Start with 334

Effective and reliable security monitoring that produces actionable information is one of the toolset’s that can help us adjust to today’s complex threat landscape. One of the existing mechanisms under security monitoring is the use of real time blacklists (RBLs). These blacklists keep track of IP addresses that are considered malicious or offensive and will help people and organizations keeping track of IP addresses that they own. For example, you can monitor and potentially detect if your public IP address space is being blacklisted ; or one of your systems has been compromised and is communicating with a blacklisted IP (e.g. sending intellectual property overseas or receiving command and control commands with malevolent instructions).

The information available is mainly public and is a contribution of well-known individuals – like Roman Hussy from Abuse.ch or Steven Adair from Shadowserver Foundation –  to the security community. I have reasons to believe that when combining information from reliable and trustworthy blacklist data source with the defense mechanisms in place – traditionally blacklists are used at perimeter due to the volume of data – we have a straight forward method which will accurately identify signs of dangerous, reduce our exposure to today threats and provides actionable intelligence.

From the available data sources of blacklist, three of them worth to remark (description taken from their respective websites):

Abuse.ch is one of the best public resources that you can use to track botnet command and control domains and IP addresses. At the moment is contains three trackers:

  1. Zeus tracker is a list of all ZeuS C&Cs as well as Fake URLs which are currently known to the ZeuS Tracker. You can browse the ZeuS Tracker to get a list of ZeuS C&Cs and FakeURLs in a specified Country or AS number. Additionally the ZeuS Tracker provides a feature which allows to filter the ZeuS C&Cs for specified Nameservers, Level, Status and many more.
  2. SpyEye Tracker is another project by abuse.ch. It is similar to the ZeuS Tracker with the slight difference that SpyEye Tracker tracks and monitors malicious SpyEye Command&Control Servers (and not ZeuS C&Cs). SpyEye Tracker provides blocklists in different formats (eg. for Squid Web-Proxy or iptables) to avoid that infected clients can access the C&C servers. Additionally, SpyEye Tracker should help ISPs, CERTs and Law Enforcement to track malicious SpyEye C&C servers which are their responsibility
  3. Palevo tracker is a list of Palevo infections. Palevo is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks). It is being sold in underground forums like ZeuS. The worm (also known as Rimecud, Butterfly bot and Pilleuz) made big press in 2010 (see Trend Micro: “Clipping Mariposa’s Wings” / Symantec: “Symantec: The Mariposa Butterfly“).

Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware. You might have heard about them on their collaborationw with Microsoft on taking down the Waledac botnet.

Emerging Threats is an open source community for collecting Suricata and Snort rules, firewall rules, and other IDS rulesets. The open source community still plays an active role in Internet security, with more than 200,000 active users downloading the ruleset daily.

Other than those three, the following picture illustrates a compilation of data sources of blacklisted IPs with the amount of addresses they provide and the respective site to download the blacklist. Most of them are free for private use.

Block Lists

All these lists contain a sum of 16749 IPs (type = address) from which 95.4 % are unique. The amount of IPs for Shadowserver is not mentioned because their monitoring service works based on the information that is provide to them by you about the ASN or CIDR ranges that you own.

Besides that, you can search through these block lists to get valuable information, which at the same time it can be time consuming. Nonetheless, online services like the Anti-Abuse Project automatically checks IP addresses and domains against 60 Real-time blacklists and would give you actionable information. For example if the IP address is listed in more than 10 block listed is positively malicious.

Well, after all this text, the name of this blog entry is 334 due to the fact that at the moment of writing this is the number of IP addresses that you should certainly monitor. This 334 IP addresses are the sum of the IP addresses on the lists provided by : Zeus, Spyeye and Palevo tracker from Abuse repository (+) RBN (Russian Business Network) Frequent Malware Advertisers from Emerging Threats repository.

If you use any of these blacklist, you should updated them at reasonable intervals. These blacklists will definitely help you creating a list of prohibited events and build procedures for remediating them. Use them as you see fit.

Tagged , ,