Three times the vulnerability prioritization
When it comes to vulnerabilities, I always say: “not all vulnerabilities are created equal”. Some are more important than others, for some of the following reasons:
- Vulnerabilities might be related to exploits, malware and targeted attacks in the wild at a certain point in time;
- Vulnerabilities might be discussed on social media more than others, either because of their technical interest or because the “bad guys” post techniques and exploits publicly for plausible deniability, i.e. so that if they are ever caught they can claim those techniques were already public;
- Vulnerabilities affect critical assets in the organization;
- Vulnerabilities affect software platforms that might be more prone to software flaws than others.
As part of Unified VRM, we have a separate engine microservice that makes all of the above decisions about vulnerabilities, and more. We call this comprehensive engine the E3 engine, which stands for “Evaluate, Explore and Enrich”. The E3 engine leverages a Machine-Learning algorithm to calculate our proprietary NopSec Risk Score based on the “features” and criteria described above. In calculating this risk score it also evaluates the value of each asset and uses that knowledge to refine the calculation.
Additional functions the E3 engine performs are:
- It sets aside non-relevant ancillary information gathered from the scanner’s result import that does not represent a vulnerability, such as “a certain host is pingable”.
- It eliminates “false positives” that the scanner might report on certain host platforms, for example an Apache server that is fully patched but presents an older banner that triggers scanner findings.
- The third and most important function of the E3 engine is to validate security controls.
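The first two functions above, dropping informational findings and discarding banner-driven false positives, followed by scoring what remains on the criteria listed earlier, can be sketched as a small pipeline. The following is an added illustration, not NopSec’s E3 code or its actual scoring model: the `Finding`/`Context` types, the integer weights and the CVE identifiers are all constructed for the example, and a banner is treated as a false positive only when an authenticated check shows that the installed version is already at or past the fixed version.

```python
from dataclasses import dataclass
from typing import Optional, List, Set, Dict

# Hypothetical representation of one imported scanner finding (constructed).
@dataclass
class Finding:
    host: str
    plugin: str
    kind: str                       # "vuln" or "info" (ancillary data such as "host is pingable")
    cve: Optional[str]
    platform: str
    banner_version: Optional[str]   # version the scanner read from the service banner
    installed_version: Optional[str]  # version from an authenticated package check, if available
    fixed_in: Optional[str]         # first version that contains the fix

# Hypothetical enrichment context; in practice this would come from threat feeds and asset inventory.
@dataclass
class Context:
    exploited_in_wild: Set[str]     # CVEs seen in exploits, malware or targeted attacks
    trending: Set[str]              # CVEs discussed heavily on social media
    asset_value: Dict[str, int]     # host -> criticality 1..5
    flaw_prone_platforms: Set[str]  # platforms with a history of frequent flaws

def parse_version(v: str) -> tuple:
    # Compare dotted numeric versions component by component ("2.4.10" > "2.4.6").
    return tuple(int(x) for x in v.split("."))

def is_informational(f: Finding) -> bool:
    return f.kind == "info"

def is_banner_false_positive(f: Finding) -> bool:
    # Banner says "old", but the authenticated check proves the fix is installed.
    if f.installed_version is None or f.fixed_in is None:
        return False
    return parse_version(f.installed_version) >= parse_version(f.fixed_in)

def risk_score(f: Finding, ctx: Context) -> int:
    # Constructed additive weights; a real engine would learn these from data.
    score = 1
    if f.cve in ctx.exploited_in_wild:
        score += 4          # active exploitation dominates everything else
    if f.cve in ctx.trending:
        score += 1
    score += ctx.asset_value.get(f.host, 1)
    if f.platform in ctx.flaw_prone_platforms:
        score += 1
    return score

def prioritize(findings: List[Finding], ctx: Context) -> List[Finding]:
    """Drop ancillary and false-positive findings, then rank by descending risk score."""
    kept = [f for f in findings
            if not is_informational(f) and not is_banner_false_positive(f)]
    return sorted(kept, key=lambda f: risk_score(f, ctx), reverse=True)

# Constructed sample import: CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("web01", "ICMP ping", "info", None, "linux", None, None, None),
    Finding("web01", "Apache banner < 2.4.10", "vuln", "CVE-EXAMPLE-0001", "apache",
            "2.4.6", "2.4.10", "2.4.10"),                       # patched, old banner
    Finding("db01", "DB service RCE", "vuln", "CVE-EXAMPLE-0002", "dbms",
            "1.0", "1.0", "1.1"),                               # exploited in the wild
    Finding("dev03", "Dev tool flaw", "vuln", "CVE-EXAMPLE-0003", "buggyplatform",
            "3.1", None, "3.2"),                                # trending only
]

SAMPLE_CONTEXT = Context(
    exploited_in_wild={"CVE-EXAMPLE-0002"},
    trending={"CVE-EXAMPLE-0003"},
    asset_value={"db01": 5, "dev03": 1},
    flaw_prone_platforms={"buggyplatform"},
)

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f.host, f.cve, risk_score(f, SAMPLE_CONTEXT))
```

Running it keeps only the two real findings, ranks the actively exploited flaw on the high-value database host first, and silently drops both the ping result and the fully patched Apache server whose banner alone would have raised an alert.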
Fig 1: Vulnerabilities in and out of the E3 engine
The imported and prioritized vulnerabilities are evaluated automatically for their real-world exploitability and their ability to kick off a lateral movement chain across the organization’s internal network. To do so, prioritized vulnerabilities are matched with existing public exploits.
These exploits are executed under very specific and controlled conditions and, when possible, reverse shells are obtained. After a reverse shell is obtained, the following lateral movement chain is initiated:
- If the exploit does not achieve maximum local privileges (i.e. SYSTEM in Windows), a local privilege escalation exploit is initiated to attain local SYSTEM or root privileges;
- After SYSTEM or root privileges are attained, local and domain account password hashes are retrieved and clear text account passwords are extracted from memory.
- Domain account grouping information is extracted and hosts where domain administrators are logged in are identified.
- With the obtained credentials, E3 attempts to log in to those hosts to extract domain administrators’ credentials. If initially unsuccessful, E3 keeps looping over the steps above until it finds a host it can log in to where a domain administrator is logged in.
- With domain administrator’s credentials E3 logs into the Primary Domain Controller for the local Domain, to prove the successful Domain compromise and Lateral movement attack.
In this case the process starts with the exploitation of the vulnerabilities. It is aimed at proving that, starting from vulnerabilities, an attacker can move laterally throughout the network, bypassing a series of security controls, until arriving at total Domain compromise.
Fig. 2: Various categories of vulnerabilities and Attack Path
NopSec UVRM uses Data Science and Machine Learning Techniques to evaluate the probability that a certain vulnerability could be used in malware, exploits and targeted attacks at any given point in time.
At the same time, the E3 engine practically evaluates how those same vulnerabilities could be exploited and privileges escalated to move laterally and “conquer” more important targets in the network. This can be used for vulnerability prioritization, for security control validation and for breach / attack simulation. The objective is the same in each case: demonstrate practically how important it is to fix vulnerabilities promptly, and how easily an attacker can leverage a foothold on a host system to compromise highly valued network and application assets.
In this sense, NopSec’s new Unified VRM is both a vulnerability risk management platform and a breach and adversarial simulation platform.
Fig. 3: Graphical journey from imported vulnerabilities to lateral movement actions