McAfee Avert Labs Blog -Tales of Threat Assessment
Tales of Threat Assessment
Monday May 7, 2007 at 4:15 pm CST
Posted by Kevin Beets
As one of the researchers responsible for the McAfee Avert Labs Security Advisories, my job is to find and report on issues that could affect our customers’ networks and resources in any number of negative ways.
Let’s face it, with vulnerabilities released almost constantly it’s extremely difficult for administrators not only to find all the latest threats, but also to map them to how well they can mitigate against them. Questions like “Does my defense-in-depth strategy protect me against vulnerability X?” or “How does this new malware affect my remote VPN hosts?” will replace those sugar-plum dreams quicker than you can say ‘covered’. Vulnerabilities, exploits and patches are published at a pace that seems to increase daily. Sometimes these are coordinated in ‘responsible disclosure’ fashion, with researcher and vendor notifying each other ahead of time. More often than not, however, they are not. Ever hear of the term ‘Zero Day’?
As the aforementioned threat researcher by trade, I would like to give you a little narrative about the basics one may follow to find and mitigate threats. You may not have resources such as the several research teams dedicated to discovery that McAfee and others have, so just adjust to the size of your pond as necessary.
Step One. Grab your net.
You obviously want to have the biggest net possible to gather the most issues. This is true in threat discovery as well as in fishing (notice, no ‘ph’ pun here). Like the growing number of disclosures, the sheer number of sources can overwhelm. Just think: how many URLs are in your ‘security favorites’? How many newsletters and RSS feeds do you subscribe to? Can you possibly cover them all? Sticking with the ‘heavy-weights’ is a safe bet for major issues, but what about one-offs that are published on obscure sites? Be sure to grab as many resources as feasible to use the biggest net.
Step Two. Evaluate the net.
Now that you have the mother-of-all fishnets, evaluate it. If the holes are too big, you may let the fish slip through. If the holes are too small, you can gather way more information than you could possibly use, let alone even care about. A local denial-of-service vulnerability in Joe Bob’s Digital 8-Track Player most likely does not warrant review. This is especially true when a vulnerability will certainly be popping up in a more widely-used application. Fishnets have holes for a reason. Pinpointing your sources can assist in making sure the holes are just the right size.
You may have resource limitations that cap the amount of data you can process, so relevance is important. Remember, pure security is about defending what you can and accepting the risk for what you can’t. (Of course, tell your boss that, right?)
When looking for threats, evaluate the needs of your enterprise beforehand. A list of the applications found on every important host is a start. That way, when you discover an issue, you can reference this list and correlate quickly with what is important to you. Although really nice, an asset inventory application may not fit your budget. Script up some quick and dirty code to scan an Excel doc if need be. Just be sure that you are capturing only the relevant threats; information overload can become your enemy when attempting to determine a threat’s importance.
Step Three. Evaluate the catch.
So now you’ve thrown the net and pulled in the catch. That’s a lot of food, or is it? What you find in your net may range from the best-of-breed sport fish to the algae-feeding bottom dwellers. You may not even know if they are edible.
Now you need to filter out the most pressing issues. Risk ratings (another topic for another day) alone may or may not tell the whole story; there are few across-the-board standards for ratings. You need to just jump in, look at the threat and determine its potential impact. Ask yourself questions like: Does it execute code? Does it execute code remotely? Is user interaction needed? Is there a public exploit? Follow the threat to its end result if it were successfully exploited, and make a list of the ones to watch for, in order of importance.
You can now compare the list of issues with your defense audits. (You have done your audits, so you know what you’ve got to defend with, the potential threat vectors, and user account access, to name a few, right?) Follow the path an attacker may use from external and internal starting points to the most valuable assets that may be affected. Along these points you will know where your defenses lie. This will give you a list of changes that need to be made in order to mitigate, or that will buy you some time before patching.
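As an added illustration of Steps Two and Three (example code written for this edit, not code from the post or from McAfee): the application list becomes a CSV stand-in for the Excel doc, the four triage questions become a score, and only advisories for software on the list survive into the ordered watch list. Hosts, applications and advisory ids below are constructed placeholders.

```python
import csv
import io
from dataclasses import dataclass

# Constructed stand-in for the "Excel doc" of important hosts and their
# applications (a CSV export is assumed here rather than a real .xls file).
INVENTORY_CSV = """host,application
mailgw01,Sendmail
vpn01,OpenVPN
fileserv02,Samba
"""

@dataclass
class Advisory:
    advisory_id: str            # placeholder id, not a real CVE number
    application: str
    executes_code: bool
    remote: bool
    needs_user_interaction: bool
    public_exploit: bool

def load_inventory(csv_text):
    """Return the set of applications found on any important host."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["application"].strip().lower() for row in rows}

def impact_score(adv):
    """Answer the Step Three questions; a higher score is followed up first."""
    score = 0
    if adv.executes_code:
        score += 4
        if adv.remote:
            score += 3          # remote code execution outranks local
    if not adv.needs_user_interaction:
        score += 2              # no click needed, so scriptable or wormable
    if adv.public_exploit:
        score += 1              # already usable by anyone who downloads it
    return score

def watch_list(advisories, inventory):
    """Keep only advisories for software we actually run, ordered by impact."""
    relevant = [a for a in advisories if a.application.lower() in inventory]
    return sorted(relevant, key=impact_score, reverse=True)

# Constructed catch: three hits on inventoried software, one 8-Track Player.
ADVISORIES = [
    Advisory("ADV-0001", "Sendmail", True, True, False, True),    # remote, no click
    Advisory("ADV-0002", "Samba", True, False, False, False),     # local code exec
    Advisory("ADV-0003", "OpenVPN", False, True, True, True),     # remote DoS only
    Advisory("ADV-0004", "8-Track Player", True, True, False, True),  # not ours
]
```

Running watch_list(ADVISORIES, load_inventory(INVENTORY_CSV)) drops the 8-Track Player entry and returns the Sendmail, Samba and OpenVPN advisories in that order.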
Step Four. Fish Fry.
Now that you have chosen the net, cast it, and sorted your catch, you can go out and fry up the perfect one that didn’t get away.
Armed with a plan, you can set about defending against the most potent of threats.