THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Transcription

1 THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: Freedom Drive, Reston, VA IKANOW.com

2 TABLE OF CONTENTS 1 Key Findings & Methodology 5 Quantitative Risk Measurement 2 TOP IOC Matches & Chain of Events 6 High Risk Applications 3 Top Vulnerabilities 7 Threat Intelligence Measurement 4 Policy Identification 8 Recommended Schedule

3 KEY FINDINGS After scanning [customer] s networks and running correlations between key data sets, the following are the highest priority issues to be addressed Undetected Malicious Code on Network Undetected malicious code in the form of exploit kits exists on a number of clients and web servers in the [customer] network. Applications with a high number of exploits found on Network Applications on the network introducing significant business risk. Critical Vulnerabilities Administrators do not possess the business intelligence to keep pace with and determine critical vulnerabilities in the rapidly changing threat landscape. Highest Value Feed Using the sample Enterprise data provided isight Partners threat intelligence provided the highest number of IOC matches.

4 METHODOLOGY IKANOW cyber security analysts conducted a sample threat visibility and vulnerability assessment for <Sample Customer> using the IKANOW Threat Analytics Platform. Built on leading big data technologies, the IKANOW platform provides visibility and control over private and open source threat intelligence feeds and enables the analysis of this intelligence against any Enterprise data source. The IKANOW Threat Analytics Platform is built on leading open source big-data technology This report summarizes the results of the proof-of-concept. Beyond this, the report provides specific results from a discrete set of analytics that demonstrate the capabilities of the IKANOW Threat Analytics Platform. The report closes with a more detailed overview of the solution and recommended actions.

5 TOP IOC MATCHES: COMPROMISED ASSETS The IKANOW Threat Analytics platform extracted IOC data from aggregated isight, Symantec and Open Source Intelligence feeds and compared it against sample [customer] data. Analysis determined that malicious code is installed on the network. The table below displays IOCs matching the highest number of unique victims over the past 60 days and domains presenting landing pages for exploit kits to potentially direct victims to download malware. IOC Attribution Victims cluster015.ovh.net Neutrino Exploit Kit 52 sg-investment.com Neutrino Exploit Kit 52 d.95.b6.static.xlhost.com Angler Exploit Kit 39 usloft3957.serverprofi24.com Angler Exploit Kit 27 megap.net Angler Exploit Kit 3 Recommendations As a next step your asset repositories can be correlated to provide additional context and statistical analysis around the vulnerabilities. Further open-source forensic investigation is necessary to provide context around these domains, which can be obtained through the IKANOW Threat Analytics Platform.

6 EXPLOIT KIT HIGHLIGHT: NEUTRINO AND ANGLER Key Points Fraudulent Websites Code Injection Install malicious software Ranking: N/A Neutrino Exploit Kit Neutrino Exploit Kit is a malicious code present on fraudulent websites or illegally injected on legitimate but hacked websites without the knowledge of the administrator. The intention behind these code injections is to detect and exploit vulnerabilities on applications installed on your computer to install malicious and unwanted software that compromise the security of all data on the affected PC.Neutrino Exploit Kit is currently ranked in the world of online malware. Key Points Zero day Web application Web browser vulnerability Install malicious software Installs through infected links and attachments Ranking: 5938 Angler Exploit Kit The Angler Exploit Kit is a more advanced version of the Blackhole Exploit Kit enabling Zero Days and other intrusion methods. The Blackhole Exploit Kit Detection is a Web application that takes advantage of a vulnerability in a web-browser in order to hack computers via malicious scripts planted on compromised websites to remotely attack your computer. When surfing to a website with browser exploits, it may result in unwanted software (see also Trojan Horse) being downloaded to your computer. These type of threats invade a PC with the help of infected links, websites and attachments among others. Blackhole Exploit Kit Detection is currently ranked 5938 in the world of online malware. A current definition of the Angler Exploit Kit is not currently available on AVG Threat Labs.

7 IOC CHAIN OF EVENTS The below chain of events occurred on March 31st, between 10:00 AM and 2:00 PM with the enterprise hosts being directed to exploit kit landing pages through malicious s, malicious websites, or compromised sites. Command and Control Server (C2) IP Command and Control Server (C2) IP (v vps.mcdir.ru, v vps.mcdir.ru, v vps.mcdir.ru) Command and Control Server (C2) IP (cz.gigabit.perfectprivacy.com) Command and Control Server (C2) IP Command and Control Server (C2) IP Command and Control Server (C2) IP (apple.destinatech.uk)

8 RECOMMENDED POLICY UPDATES BASED ON IOC ANALYSIS Priority CVE Exploit Application Port Inbound Outbound Protocol Tag 4 CVE Neutrino SMTP /24 v vps.mcdir.ru TCP/UDP ika-pol-neu 3 CVE Neutrino SMTP /24 v vps.mcdir.ru TCP/UDP ika-pol-neu 1 CVE Angler OpenSSL / TCP/UDP ika-pol-ang 5 CVE Angler OpenSSL / TCP/UDP ika-pol-ang Recommendations Recommended prioritization of proactive firewall rule updates based on the correlation of the CVE to exploit and associated application. This is a first order analytic that can be amplified by additional information regarding your organization s network topology mapping and asset information. This is a first line of defense recommendation.

9 TOP VULNERABILITIES The table below displays the top vulnerabilities which should be prioritized by patching. This table is calculated by the top vulnerabilities being reported by security analysts report in the wild mapped to <sample customer s> attack surface.. Source Severity Application Vulnerability Technology Known Exploit CVE Internet Explorer 9, 11 Allows remote attackers to bypass the ASLR protection mechanism. CVE Oracle Java SE 6u75, 7u60, 8u5 Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. CVE Adobe Flash Player through and 14.x, 15.x, and 16.x through Allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January CVE Internet Explorer 8, 11 Allows remote attackers to execute arbitrary code or cause a denial of service. CVE Microsoft Windows Server 2003 SP2, Windows Vista SP2 Allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability." Client Yes Client Yes Client Yes Client No Server/Client No Vulnerable Hosts Recommendations: Security updates MS and MS should be applied to patch the Microsoft vulnerabilities. The Oracle July 2014 Critical Patch should be applied to all hosts with vulnerable Java versions. and all hosts with vulnerable Adobe Flash should be upgraded to at least version

10 QUANTITATIVE PATCH PRIORITIZATION VS. CURRENT RISKS <Customer Ranking> Source Asset Type Overall Labor Effort Patch Difficulty Vulnerable Hosts Initial Estimate Known Exploits Anticipated Risk Level 4 CVE Microsoft Office low low 23,412 $320,000 yes low 3 CVE Android mid mid 4,213 $200,000 yes med 1 CVE Cisco high high 976 $500,000 yes high 2 CVE Red Hat Enterprise high high 456 $200,000 no high 5 CVE SUSE high high 126 $600,000 yes low Overall Labor Effort Resource Costs/Hr are gathered from SANS Institute average labor rates for incident response teams Labor Effort Hours Low.5 Medium.75 High 1.0 Patch Difficulty is calculated using automated or manual patches. A low level of difficulty = automated patching, medium & high = manual patching Patch Difficulty Hours Low.25 Medium.6 High 1.2 Anticipated Risk Level is an IKANOW model for projecting business risk based on the correlation of known exploits, assets and labor to derive patch prioritization.

11 HIGH RISK APPLICATIONS ON NETWORK The IKANOW Threat Analytics platform extracted a list of applications running on the network from the supplied Enterprise data sources and compared these against threat Intelligence and vulnerability databases to identify the applications with the greatest number of exploits associated with them. Application Technology Number of Exploits Oracle JAVA Client 30 Adobe Flash Client 28 Internet Explorer Client 20 Mozilla Firefox Client 15 Microsoft Office Client 10 Recommendations: Non-compliant applications should be removed from the network in order to reduce the attack surface. All hosts running high risk applications should be identified and audited to ensure they have not been compromised and whether they are vulnerable to any of the exploits identified. Firewalls, Intrusion Prevention and Anti-Malware systems should be updated to increase the organization's security posture relative to the risk associated with these applications.

12 THREAT INTEL VALUE The table below compares the existing threat intelligence sources utilized by <Sample Customer>. APT Alerts displays the number of alerts associated with a known hacking group from the contextual information provided with IOCs. Exploit Kit Alerts displays the number of alerts which are attributed to known Exploit Kits. General Alerts displays the number of alert generated from open source or paid threat feeds which do not currently have known associations to APT groups or specific malware families. Threat Feed APT Alerts Exploit Kit Alerts General Alerts Related CVE(s) isight Symantec DeepSight Aggregated Open Source Recommendations: Continue to measure the value of each threat intelligence feed over time based on the quantity and quality of the data and the availability of the source.

13 NEXT STEPS TO DEPLOY IKANOW (KICKSTARTER) Deploy Customize Operationalize 3 weeks 3 weeks 2 weeks Enable the platform, define user permissions and most importantly ingest open source intelligence, private threat intelligence and enterprise data sources Define high priority analytics and schedule, tailor visualization dashboards, and generate executive reports Workflow integration, analytics and development training, and system performance measurement, monitoring and tuning

14 The recommendations in this report provide a sample of the types of quantitative intelligence that can be produced using IKANOW s Threat Analytics Platform in order to maximize the value derived from threat intelligence sources and constantly optimize [sample customer s] security posture in the rapidly changing threat landscape. To enable the recommended kickstarter project and subscription to IKANOW s Threat Analytics Platform please contact IKANOW today. General Inquiries: [email protected] Jason Pender, SVP of Field Operations: [email protected] Scott Spencer, Sr Systems Engineer: [email protected] HeadQuarters: Freedom Drive Suite #550 Reston, VA 20190