Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What is in your inventories?

What is in your inventories?

Weaponizing your inventories with potential Hacker Breach Points and Vulnerability Risks 

We may like to believe we have mastered the dark art of asset management/inventory management or nearly perfected it. But getting breached via “that” one asset or application or an open-source library or a server with a weak password, or a subcontractor that your supplier used that you were not aware of, has become the new normal.

In this presentation I share my thoughts on what I sees is missing in your asset inventory and how we could be often blindsided by the data we collect in an attempt to map the security posture of our enterprise. In addition, where the collected data may not be adequate to make a data-driven decision for cybersecurity teams (red & blue teams) the next time when a ZERO DAY or report from a security researcher with a serious Vulnerability is submitted.

Last but not least, he will discuss a framework for what your Asset inventory could look like and how you could make better data-driven decisions to triage, prioritize and remediate, next time a new CVE is published.

4956bf234bea86034767059e75792b93?s=128

Toufiq Ali

January 14, 2022
Tweet

Transcript

  1. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What is in your inventories? Weaponizing your inventories with potential Hacker Breach Points and Vulnerability Risks Toufiq Ali - Principal Cybersecurity Assurance, Emirates Group
  2. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. ➜ ~ whoami • Toufiq Ali @Principal Cybersecurity Assurance • Passionate about tailoring Offensive & Defensive Security Practices at scale • Speaker/Trainer at security events like BlackHat USA, nullCon Goa, null Dubai, etc. • Active Member of https://null.community/ • Linked In: https://www.linkedin.com/in/toufiq-ali/
  3. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Challenge You can’t protect what you can’t see .. You can’t protect what you don’t know ..
  4. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What this talk is not about? • It is not a debate for open source vs commercial software • It is not about how imperfect your inventories are • It is not about, how asset or inventory management should be done
  5. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. This is how inventories probably look ..
  6. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Looking at your inventory, what questions can you answer next time a CVE is published? CVE that affects a specific build of Windows 2016? CVE that affects a specific kernel version of RHEL 7.2? CVE that affects specific version of Oracle or MYSQL or RDS? CVE that affects one of the components running on one of the tech stack? CVE that affects a library that was used inside one of the components?
  7. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. If you cannot make reliable decisions with the data in your inventory, then… These questions apply to all in house applications, vendor supplied softwares, on premise, cloud etc. How do you assess the impact of the CVE to your org? How do you triage your vulnerabilities? Do you want to apply a patch, or do you want to apply a workaround? How reliably & quickly can you make decisions? Even if you made the decision, are you sure you have not missed a nook or a corner?
  8. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Most common Challenges with asset inventories There is an oversized cost for running them & keeping them up to date Data is gathered in a more structured way - the way you like it Reliance on manual processes and people Data may be polled on scheduled intervals or not polled at all Data collected may not be relevant to all the teams and departments Creating custom integration between multiple tools has a cost Data in your inventories may not help you assess the impact of the next vulnerability or 0 day affecting your Org Spinning up elastic workloads in cloud has domino effect on your inventories
  9. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What am I proposing?
  10. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. How can Red Team help you? • Recon the perimeter continiously like a hacker would (waybackurl, meg, asset-finder, wordlists, project sonar, FastDNS data, DNS Dumpster, amass, nuclei etc.) • Certificate Transparency logs (crt.sh, censys.io, Virustotal etc.) • Bruteforce for variations for subdomains and TLD’s using wordlists • Scanning your perimeter for known issues (nuclei) • Host Discovery and Service discovery (nmap, nessus, rumble.run etc.) Thumb rule: Identify the dataset that you need to make a reliable decision and choose the tool(s) that will get you the data
  11. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. How can Blue Team help you? • Logs correlated from different network devices (firewalls, Waf, reverse proxies, taps, routers, switches etc.) • Certificate Transparency logs (crt.sh, censys.io, Virustotal etc.) • DHCP Servers, DNS Servers, DNS Zone files • Threat hunting exercises • Host Discovery and Service discovery (nmap, nessus, rumble.run etc.) Thumb rule: Identify the data that you need to make a reliable decision and choose the source of that data accordingly
  12. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. How your Dev Teams can help you? • Automate ingesting data in your inventory for infrastructure generated via IaC or CI/CD pipelines • Generate Software Bill of Material for all the code that is pushed in production (Tools per language) • Software Compositions Analysis (SCA) Thumb rule: Identify the dataset that you need to make a reliable decision and choose intgerations that work for you
  13. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. What is Software Bill of Material ? • Modern software is assembled using third-party and open-source components, glued together in complex and unique ways, and integrated with original code to provide the desired functionality (OWASP Ref) • Automate generation of 3rd party libraries or open-source components used in your code and their versions (Hint: Supply chain attacks) • Ask your vendors to provide the same dataset that you would rely on for making decisions • Adding such datasets and relationships to your assets will make your inventory data even more powerful
  14. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Putting it all togther • Choose a repository that allows querying data • Create standard pipeline for all the tools you would like to integrate • Choose a standardized output format for your tools (json, xml, csv) • Feed the data in your inventories via API or any repository you like • Define the relationship between assets and datasets • Identify and eliminate false positives • Rinse + Repeat
  15. BUSINESS DOCUMENT This document is intended for business use and

    should be distributed to intended recipients only. Thank you! Any questions?