Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What is in your inventories?

Toufiq Ali
January 14, 2022
Programming
0
110

What is in your inventories?

Weaponizing your inventories with potential Hacker Breach Points and Vulnerability Risks 

We may like to believe we have mastered the dark art of asset management/inventory management or nearly perfected it. But getting breached via “that” one asset or application or an open-source library or a server with a weak password, or a subcontractor that your supplier used that you were not aware of, has become the new normal.

In this presentation I share my thoughts on what I sees is missing in your asset inventory and how we could be often blindsided by the data we collect in an attempt to map the security posture of our enterprise. In addition, where the collected data may not be adequate to make a data-driven decision for cybersecurity teams (red & blue teams) the next time when a ZERO DAY or report from a security researcher with a serious Vulnerability is submitted.

Last but not least, he will discuss a framework for what your Asset inventory could look like and how you could make better data-driven decisions to triage, prioritize and remediate, next time a new CVE is published.

Toufiq Ali

January 14, 2022
Tweet

More Decks by Toufiq Ali

See All by Toufiq Ali
Data Governance in the world privacy
toufiq
1
150

Other Decks in Programming

See All in Programming
Better Code Design in PHP
afilina
PRO
0
130
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
220
エンジニアとして関わる要件と仕様(公開用)
murabayashi
0
300
Click-free releases & the making of a CLI app
oheyadam
2
120
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
630
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
CSC509 Lecture 09
javiergs
PRO
0
140
Ethereum_.pdf
nekomatu
0
460

Featured

See All Featured
Designing for Performance
lara
604
68k
What's new in Ruby 2.0
geeforr
343
31k
Typedesign – Prime Four
hannesfritz
40
2.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
655
59k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
KATA
mclloyd
29
14k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Into the Great Unknown - MozCon
thekraken
32
1.5k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Unsuck your backbone
ammeep
668
57k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k

Transcript

  1. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What is in your inventories? Weaponizing your inventories with potential Hacker Breach Points and Vulnerability Risks Toufiq Ali - Principal Cybersecurity Assurance, Emirates Group

  2. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. ➜ ~ whoami • Toufiq Ali @Principal Cybersecurity Assurance • Passionate about tailoring Offensive & Defensive Security Practices at scale • Speaker/Trainer at security events like BlackHat USA, nullCon Goa, null Dubai, etc. • Active Member of https://null.community/ • Linked In: https://www.linkedin.com/in/toufiq-ali/

  3. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Challenge You can’t protect what you can’t see .. You can’t protect what you don’t know ..

  4. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What this talk is not about? • It is not a debate for open source vs commercial software • It is not about how imperfect your inventories are • It is not about, how asset or inventory management should be done

  5. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. This is how inventories probably look ..

  6. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Looking at your inventory, what questions can you answer next time a CVE is published? CVE that affects a specific build of Windows 2016? CVE that affects a specific kernel version of RHEL 7.2? CVE that affects specific version of Oracle or MYSQL or RDS? CVE that affects one of the components running on one of the tech stack? CVE that affects a library that was used inside one of the components?

  7. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. If you cannot make reliable decisions with the data in your inventory, then… These questions apply to all in house applications, vendor supplied softwares, on premise, cloud etc. How do you assess the impact of the CVE to your org? How do you triage your vulnerabilities? Do you want to apply a patch, or do you want to apply a workaround? How reliably & quickly can you make decisions? Even if you made the decision, are you sure you have not missed a nook or a corner?

  8. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Most common Challenges with asset inventories There is an oversized cost for running them & keeping them up to date Data is gathered in a more structured way - the way you like it Reliance on manual processes and people Data may be polled on scheduled intervals or not polled at all Data collected may not be relevant to all the teams and departments Creating custom integration between multiple tools has a cost Data in your inventories may not help you assess the impact of the next vulnerability or 0 day affecting your Org Spinning up elastic workloads in cloud has domino effect on your inventories

  9. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What am I proposing?

  10. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. How can Red Team help you? • Recon the perimeter continiously like a hacker would (waybackurl, meg, asset-finder, wordlists, project sonar, FastDNS data, DNS Dumpster, amass, nuclei etc.) • Certificate Transparency logs (crt.sh, censys.io, Virustotal etc.) • Bruteforce for variations for subdomains and TLD’s using wordlists • Scanning your perimeter for known issues (nuclei) • Host Discovery and Service discovery (nmap, nessus, rumble.run etc.) Thumb rule: Identify the dataset that you need to make a reliable decision and choose the tool(s) that will get you the data

  11. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. How can Blue Team help you? • Logs correlated from different network devices (firewalls, Waf, reverse proxies, taps, routers, switches etc.) • Certificate Transparency logs (crt.sh, censys.io, Virustotal etc.) • DHCP Servers, DNS Servers, DNS Zone files • Threat hunting exercises • Host Discovery and Service discovery (nmap, nessus, rumble.run etc.) Thumb rule: Identify the data that you need to make a reliable decision and choose the source of that data accordingly

  12. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. How your Dev Teams can help you? • Automate ingesting data in your inventory for infrastructure generated via IaC or CI/CD pipelines • Generate Software Bill of Material for all the code that is pushed in production (Tools per language) • Software Compositions Analysis (SCA) Thumb rule: Identify the dataset that you need to make a reliable decision and choose intgerations that work for you

  13. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What is Software Bill of Material ? • Modern software is assembled using third-party and open-source components, glued together in complex and unique ways, and integrated with original code to provide the desired functionality (OWASP Ref) • Automate generation of 3rd party libraries or open-source components used in your code and their versions (Hint: Supply chain attacks) • Ask your vendors to provide the same dataset that you would rely on for making decisions • Adding such datasets and relationships to your assets will make your inventory data even more powerful

  14. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Putting it all togther • Choose a repository that allows querying data • Create standard pipeline for all the tools you would like to integrate • Choose a standardized output format for your tools (json, xml, csv) • Feed the data in your inventories via API or any repository you like • Define the relationship between assets and datasets • Identify and eliminate false positives • Rinse + Repeat

  15. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Thank you! Any questions?