THREAT VISIBILITY & VULNERABILITY ASSESSMENT


Date: April 15, 2015
IKANOW Analysts: Casey Pence
IKANOW Platform Build: 1.34
11921 Freedom Drive, Reston, VA 20190
IKANOW.com

TABLE OF CONTENTS

1 Key Findings & Methodology
2 Top IOC Matches & Chain of Events
3 Top Vulnerabilities
4 Policy Identification
5 Quantitative Risk Measurement
6 High Risk Applications
7 Threat Intelligence Measurement
8 Recommended Schedule

KEY FINDINGS

After scanning [customer]'s networks and running correlations between key data sets, the following are the highest priority issues to be addressed:

Undetected Malicious Code on Network: Undetected malicious code in the form of exploit kits exists on a number of clients and web servers in the [customer] network.

Applications with a High Number of Exploits Found on Network: Applications on the network are introducing significant business risk.

Critical Vulnerabilities: Administrators do not possess the business intelligence to keep pace with and determine critical vulnerabilities in the rapidly changing threat landscape.

Highest Value Feed: Using the sample Enterprise data provided, isight Partners threat intelligence produced the highest number of IOC matches.

METHODOLOGY

IKANOW cyber security analysts conducted a sample threat visibility and vulnerability assessment for <Sample Customer> using the IKANOW Threat Analytics Platform. Built on leading open source big data technologies, the IKANOW platform provides visibility and control over private and open source threat intelligence feeds and enables the analysis of this intelligence against any Enterprise data source.

This report summarizes the results of the proof-of-concept. Beyond this, the report provides specific results from a discrete set of analytics that demonstrate the capabilities of the IKANOW Threat Analytics Platform. The report closes with a more detailed overview of the solution and recommended actions.

TOP IOC MATCHES: COMPROMISED ASSETS

The IKANOW Threat Analytics platform extracted IOC data from aggregated isight, Symantec and Open Source Intelligence feeds and compared it against sample [customer] data. Analysis determined that malicious code is installed on the network. The table below displays the IOCs matching the highest number of unique victims over the past 60 days, together with the domains presenting exploit kit landing pages that potentially direct victims to download malware.

| IOC | Attribution | Victims |
| --- | --- | --- |
| cluster015.ovh.net | Neutrino Exploit Kit | 52 |
| sg-investment.com | Neutrino Exploit Kit | 52 |
| d.95.b6.static.xlhost.com | Angler Exploit Kit | 39 |
| usloft3957.serverprofi24.com | Angler Exploit Kit | 27 |
| megap.net | Angler Exploit Kit | 3 |

Recommendations: As a next step, your asset repositories can be correlated to provide additional context and statistical analysis around the vulnerabilities. Further open-source forensic investigation is necessary to provide context around these domains, which can be obtained through the IKANOW Threat Analytics Platform.
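How a "victims per IOC" table like the one above is derived from enterprise data, as an added example that is not IKANOW's code: the IOC feed and the proxy log lines are constructed for illustration, the look-back window is the report's 60 days, and a client counts once per indicator regardless of how many requests it made.

```python
"""Count unique internal hosts that contacted each IOC domain, the way an
IOC / Attribution / Victims table is built.  Added example; inputs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed IOC feed (indicator -> attribution); not the report's indicators.
IOC_FEED = {
    "ek-landing-a.example": "Neutrino Exploit Kit",
    "ek-landing-b.example": "Angler Exploit Kit",
    "c2-host.example": "Angler Exploit Kit",
}

# Constructed proxy log: "<ISO timestamp> <client IP> <destination host> <status>"
SAMPLE_LOG = """\
2015-03-31T10:05:00 10.1.1.15 ek-landing-a.example 200
2015-03-31T10:06:10 10.1.1.15 ek-landing-a.example 200
2015-03-31T10:20:42 10.1.1.22 ek-landing-a.example 200
2015-03-31T10:30:00 10.1.1.30 cdn.ek-landing-a.example 200
2015-03-31T11:02:03 10.1.4.7 ek-landing-b.example 200
2015-03-31T11:02:05 10.1.4.7 c2-host.example 200
2015-03-31T13:45:00 10.1.4.9 www.example.org 200
2015-01-10T09:00:00 10.1.1.99 ek-landing-b.example 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def match_iocs(log_text, ioc_feed, now_iso, window_days=60):
    """Return [(indicator, attribution, victim_count)], most victims first.
    Only hits inside the look-back window count, and each client is counted
    once per indicator, so the figure is distinct exposed hosts, not requests."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    victims = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the batch
        ts, client, host, _status = m.groups()
        if datetime.fromisoformat(ts) < cutoff:
            continue  # outside the reporting window
        # Match the host or any parent domain, so cdn.evil.example hits evil.example.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in ioc_feed:
                victims[candidate].add(client)
                break
    rows = [(ioc, ioc_feed[ioc], len(v)) for ioc, v in victims.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

def report_rows():
    """Run the constructed sample as of the report date, 2015-04-15."""
    return match_iocs(SAMPLE_LOG, IOC_FEED, "2015-04-15T00:00:00")
```

Hits on a parent domain are matched as well as exact hosts, so a landing page served from a subdomain of a listed indicator is still attributed.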

EXPLOIT KIT HIGHLIGHT: NEUTRINO AND ANGLER

Neutrino Exploit Kit
Key Points: fraudulent websites; code injection; installs malicious software. Ranking: N/A

Neutrino Exploit Kit is malicious code present on fraudulent websites or illegally injected into legitimate but hacked websites without the knowledge of the administrator. The intention behind these code injections is to detect and exploit vulnerabilities in applications installed on your computer in order to install malicious and unwanted software that compromises the security of all data on the affected PC. Neutrino Exploit Kit is currently ranked in the world of online malware.

Angler Exploit Kit
Key Points: zero day; web application; web browser vulnerability; installs malicious software; installs through infected links and email attachments. Ranking: 5938

The Angler Exploit Kit is a more advanced version of the Blackhole Exploit Kit, enabling zero days and other intrusion methods. The Blackhole Exploit Kit Detection is a web application that takes advantage of a vulnerability in a web browser in order to hack computers via malicious scripts planted on compromised websites, remotely attacking your computer. Surfing to a website hosting browser exploits may result in unwanted software (see also Trojan Horse) being downloaded to your computer. These types of threats invade a PC with the help of infected links, websites and email attachments, among others. Blackhole Exploit Kit Detection is currently ranked 5938 in the world of online malware. A current definition of the Angler Exploit Kit is not available on AVG Threat Labs.

Sources:
http://www.avgthreatlabs.com/us-en/virus-and-malware-information/info/neutrinoexploit-kit/
http://www.avgthreatlabs.com/virus-and-malware-information/info/blackhole-exploitkit-detection/

IOC CHAIN OF EVENTS

The chain of events below occurred on March 31st between 10:00 AM and 2:00 PM, with enterprise hosts being directed to exploit kit landing pages through malicious emails, malicious websites or compromised sites.

Command and Control Server (C2) IP 178.62.149.46
Command and Control Server (C2) IP 178.208.85.57 (v133876.vps.mcdir.ru, v135320.vps.mcdir.ru, v124834.vps.mcdir.ru)
Command and Control Server (C2) IP 50.7.240.10 (cz.gigabit.perfectprivacy.com)
Command and Control Server (C2) IP 46.63.127.64
Command and Control Server (C2) IP 185.45.192.179
Command and Control Server (C2) IP 108.61.197.150 (apple.destinatech.uk)

RECOMMENDED POLICY UPDATES BASED ON IOC ANALYSIS

| Priority | CVE | Exploit | Application | Port | Inbound | Outbound | Protocol | Tag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 4 | CVE-2015-0071 | Neutrino | SMTP | 25 | 10.1.1.0/24 | v133876.vps.mcdir.ru | TCP/UDP | ika-pol-neu |
| 3 | CVE-2015-0071 | Neutrino | SMTP | 25 | 10.1.1.0/24 | v133876.vps.mcdir.ru | TCP/UDP | ika-pol-neu |
| 1 | CVE-2014-4227 | Angler | OpenSSL | 389 | 10.1.4.0/24 | 178.62.149.46 | TCP/UDP | ika-pol-ang |
| 5 | CVE-2015-0311 | Angler | OpenSSL | 389 | 10.1.4.0/24 | 178.62.149.46 | TCP/UDP | ika-pol-ang |

Recommendations: Recommended prioritization of proactive firewall rule updates based on the correlation of the CVE to the exploit and associated application. This is a first-order analytic that can be amplified by additional information regarding your organization's network topology mapping and asset information. This is a first line of defense recommendation.

TOP VULNERABILITIES

The table below displays the top vulnerabilities, which should be prioritized for patching. It is calculated from the top vulnerabilities reported in the wild by security analysts, mapped to <sample customer>'s attack surface.

| Source | Severity | Application | Vulnerability | Technology | Known Exploit | Vulnerable Hosts |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-0071 | 4.3 | Internet Explorer 9, 11 | Allows remote attackers to bypass the ASLR protection mechanism. | Client | Yes | 25120 |
| CVE-2014-4227 | 10 | Oracle Java SE 6u75, 7u60, 8u5 | Allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | Client | Yes | 14203 |
| CVE-2015-0311 | 10 | Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 | Allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015. | Client | Yes | 36125 |
| CVE-2014-0297 | 9.3 | Internet Explorer 8, 11 | Allows remote attackers to execute arbitrary code or cause a denial of service. | Client | No | 34002 |
| CVE-2015-0006 | 6.1 | Microsoft Windows Server 2003 SP2, Windows Vista SP2 | Allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability." | Server/Client | No | 40253 |

Recommendations: Security updates MS15-009 and MS15-013 should be applied to patch the Microsoft vulnerabilities. The Oracle July 2014 Critical Patch should be applied to all hosts with vulnerable Java versions, and all hosts with vulnerable Adobe Flash should be upgraded to at least version 16.0.0.287.

QUANTITATIVE PATCH PRIORITIZATION VS. CURRENT RISKS

| <Customer Ranking> | Source | Asset Type | Overall Labor Effort | Patch Difficulty | Vulnerable Hosts | Initial Estimate | Known Exploits | Anticipated Risk Level |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 4 | CVE-2015-0071 | Microsoft Office | low | low | 23,412 | $320,000 | yes | low |
| 3 | CVE-2015-0071 | Android | mid | mid | 4,213 | $200,000 | yes | med |
| 1 | CVE-2014-4227 | Cisco | high | high | 976 | $500,000 | yes | high |
| 2 | CVE-2014-4227 | Red Hat Enterprise | high | high | 456 | $200,000 | no | high |
| 5 | CVE-2015-0311 | SUSE | high | high | 126 | $600,000 | yes | low |

Overall Labor Effort: resource costs per hour are gathered from SANS Institute average labor rates for incident response teams.
Labor Effort Hours: Low 0.5, Medium 0.75, High 1.0

Patch Difficulty is calculated using automated or manual patches. A low level of difficulty = automated patching; medium and high = manual patching.
Patch Difficulty Hours: Low 0.25, Medium 0.6, High 1.2

Anticipated Risk Level is an IKANOW model for projecting business risk based on the correlation of known exploits, assets and labor to derive patch prioritization.

HIGH RISK APPLICATIONS ON NETWORK

The IKANOW Threat Analytics platform extracted a list of applications running on the network from the supplied Enterprise data sources and compared these against threat intelligence and vulnerability databases to identify the applications with the greatest number of exploits associated with them.

| Application | Technology | Number of Exploits |
| --- | --- | --- |
| Oracle JAVA | Client | 30 |
| Adobe Flash | Client | 28 |
| Internet Explorer | Client | 20 |
| Mozilla Firefox | Client | 15 |
| Microsoft Office | Client | 10 |

Recommendations: Non-compliant applications should be removed from the network in order to reduce the attack surface. All hosts running high risk applications should be identified and audited to ensure they have not been compromised and to determine whether they are vulnerable to any of the exploits identified. Firewalls, Intrusion Prevention and Anti-Malware systems should be updated to increase the organization's security posture relative to the risk associated with these applications.

THREAT INTEL VALUE

The table below compares the existing threat intelligence sources utilized by <Sample Customer>. APT Alerts displays the number of alerts associated with a known hacking group, taken from the contextual information provided with IOCs. Exploit Kit Alerts displays the number of alerts attributed to known Exploit Kits. General Alerts displays the number of alerts generated from open source or paid threat feeds which do not currently have known associations to APT groups or specific malware families.

| Threat Feed | APT Alerts | Exploit Kit Alerts | General Alerts | Related CVE(s) |
| --- | --- | --- | --- | --- |
| isight | 20 | 10 | 0 | 56 |
| Symantec DeepSight | 10 | 5 | 0 | 35 |
| Aggregated Open Source | 0 | 85 | 150 | 1 |

Recommendations: Continue to measure the value of each threat intelligence feed over time based on the quantity and quality of the data and the availability of the source.

NEXT STEPS TO DEPLOY IKANOW (KICKSTARTER)

Deploy (3 weeks): Enable the platform, define user permissions and, most importantly, ingest open source intelligence, private threat intelligence and enterprise data sources.

Customize (3 weeks): Define high priority analytics and schedule, tailor visualization dashboards, and generate executive reports.

Operationalize (2 weeks): Workflow integration, analytics and development training, and system performance measurement, monitoring and tuning.

The recommendations in this report provide a sample of the types of quantitative intelligence that can be produced using IKANOW's Threat Analytics Platform in order to maximize the value derived from threat intelligence sources and continually optimize [sample customer]'s security posture in the rapidly changing threat landscape. To enable the recommended kickstarter project and subscription to IKANOW's Threat Analytics Platform, please contact IKANOW today.

General Inquiries: info@ikanow.com
Jason Pender, SVP of Field Operations: jpender@ikanow.com
Scott Spencer, Sr Systems Engineer: sspencer@ikanow.com
Headquarters: 11921 Freedom Drive, Suite #550, Reston, VA 20190