
Okay, good afternoon, welcome to BSides Las Vegas, Common Ground. This talk is "Getting CVSS, NVD and CVEs to Work for You: Standardizing and Scaling Your Vulnerability Risk Assessment" with Matthew and Luke Zukowski. I tried, I'm sorry. No worries, thank you.

Real quick, we'd like to thank our sponsors, especially our Inner Circle sponsors Critical Stack and Bell email, and our Stellar sponsors Amazon, Microsoft and Robinhood. It is their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask that you check to make sure your cell phones are set to silent. If you have a question, use the audience microphone, which I am holding: please raise your hand and I'll bring it over. And with that, let's get started. Welcome to Luke and Matthew.

Cool, thank you. Is that working, can you guys hear me okay? I should probably use mine. Working too?
[Music] Yes, it's working, in some sense. All right, so thank you for coming. Luke and I want to talk about CVSS scoring and how we can help you with it. Luke and I have worked together for several years doing vulnerability management and vulnerability analysis. As you can see we have some different interests, and Luke has moved on to a new job, so he has to give a quick disclaimer.

I currently work for Microsoft as a security analyst. I'm here not representing Microsoft; those are my own views and opinions and don't necessarily reflect those of Microsoft. Just want to get that out of the way.

Cool. So hopefully a lot of you have seen these acronyms; we won't have to go through them in too much detail. CVEs, those are the Common Vulnerabilities and Exposures. NVD has a database of all the CVEs, including CVSS scores and CVSS vectors, and they have an API that anybody can use, so you can access that data. CVSS is what we're going to talk about; that's handled and managed by FIRST. And I want to point out I work for FIRST Information Technology Services, which is FITS, and I am not working for FIRST.

So what we want to help you do today is talk about how to do CVSS 3.1 scoring, also how to categorize your assets, look at your inventory, understand your environment and do some scalable integration of that data, which turns out doesn't actually have to be that hard and can help you with both your security and your compliance folks.

So there are some stakeholders you might recognize; these are folks that CVSS is going to be useful for. We're going to show you things today that internal security teams can use to drive remediation, that can meet compliance requirements with auditors, that can help management make informed decisions about what they want to do with the business before they make investments, and that can help relate your security posture to clients. There are many other uses for this, but those are just some of the stakeholders.

One thing before we get started that we want to make very clear: I think this
happens in our industry a lot, that words get used to mean things that are not as specific as they should be. So CVSS is specifically designed to score severity of vulnerabilities, not risk. Once you start using CVSS environmental scores you can start getting closer to risk, but there's a lot of factors that come into play that you should be considering when you're talking about actual risk: you need to think about the threats, the exposures, your business impacts, your regulatory requirements, how you're managing risk. That was put out well in a paper by CERT back in December, and CVSS actually just got updated from 3.0 to 3.1, which wasn't really many formulaic updates, it's more language and interpretation, and they do address that somewhat there. But it still gets misused in our industry a lot; for example, FedRAMP and PCI both call their risk ratings, they call the CVSS scores risk ratings, when they're really just severity. So it's pervasive throughout what we see out there. Just want to be very clear: we're talking about severity; we're trying to get close to your risk by doing environmental scoring.

So why are we using CVSS? There's a lot of different ways to score vulnerabilities. Penetration testers will come up with what they think the risk is, just qualitatively; they might also use CVSS, but at first blush they might think, is it high risk, is it low? There's those tables with impact versus likelihood where you can get a chart, but that's fairly qualitative as well. There are quantitative values here: the scanners spit out risk ratings, and they also spit out CVSS ratings. The risk ratings are numbers, but we don't have access to them. So what we're looking for here is we want to make something where we can look at all of your assets, for all the vulnerabilities that we're finding, and understand and be able to manipulate those efficiently, right? And also because of that we need to have something that's publicly available too, so we can't have
something that's obfuscated; we can't have just qualitative analysis. We need numbers and availability, and CVSS offers both of those. CVSS has vectors that have variables in them; you can manipulate those variables and it gives you numbers from 0.0 to 10.0. And if you're not doing your penetration testing in R, you might be doing it wrong.

So how are we going to get there? You can run a scan of your system, right: you can scan all your assets and get raw scan data that has CVEs in it, and you can get CVE data from NVD, like we heard. So those two are given to you; you don't have to do anything for them. The pieces you have to do are: you have to understand the inventory in your environment, the assets, and how mitigations or the environmental factors affect them, how the data classifications affect them, things like that. Then you have to take that information and see how that affects 3.1 environmental scoring. Those are the two pieces we're going to help talk through today. Once you've done that, this is all just data, right? This is just tables of data, so you can automate it; you get to do that yourselves, and hopefully out of that you get some useful data that's specific to your environment, and it can be done efficiently. So we're going to
use this example; we'll talk through this one and use it to look at some scoring. So we're basically talking about this remote code execution vulnerability against the Remote Desktop Protocol that just came out a few months back, and this was weaponized relatively quickly, from just a CVE all the way to a Metasploit module in just a few months. So we'll use this throughout the examples as we look at the calculator. This is just the NVD scoring right here, and all the vector components as well. Just as a show of hands, how many of you have some exposure to CVSS scoring? Okay, a lot of you, so you're very familiar with this.

This is just the vector string showing all the various components, all the way through the environmental score. As you obviously know, it has three components to it: the base score, which feeds into the temporal scoring, and the temporal scoring feeds into environmental scoring. So the work that you're going to be doing is in the environmental scoring section, basically creating standardized mitigations applied to certain asset groups and asset types and other categorizations like that. And it's usually manipulated with this: you can put the vector string directly into the URL, so you can easily get a quick look at what the actual vector looks like. So if you
need a visual and you want to show exactly how one particular thing scores, you just plug that into the URL.

So this is the base score, which you're probably familiar with, and we're just scoring that particular Remote Desktop Protocol RCE. This is a fairly severe vulnerability: full High impacts to confidentiality, integrity and availability. Another thing I would point out that maybe isn't super clear sometimes is that the confidentiality and integrity impacts here refer to the data itself, the confidentiality and the integrity of the data, whereas availability is referring to whether the service is still up. So if you had a web application and it was hacked and all your data was encrypted or deleted, that would be a high impact to integrity, but if the service is still up, that would not be an impact to availability. It's just something to keep in mind as we go through that thought experiment. And as you can see there are some basic components: all you need is to be able to send traffic to this particular box, and if you have the exploit code, the Metasploit module or the POC, you'll be able to do this exploit. There's Low attack complexity, no privileges are required, you don't have to trick the user into anything. So the base characteristics apply to everybody.

I'm sure you're very familiar with scope. Scope actually is one that we're not going to go into in depth; it could be its own hour-long talk, I think it's one of the complicated components. In this case it's Unchanged: the security authority that was compromised by this vulnerability does not immediately impact another security authority. And remember, this base score comes directly from NVD, so this is given to you; you're not manipulating this one.

So moving on to the temporal score: this is what our RDP RCE looked like initially. It was Unproven: it was a CVE, but there was no code out there, there was no slide deck out there to
figure out how to reverse it yourself. Now, I also want to point out, with report confidence we said that it's Confirmed: it's a Microsoft bulletin, I can take that to the bank that it's a real vulnerability. Remediation level: there was a patch available right away, so that's actually the remediation that was going to bring down the score a bit, because there's actually a way to fix it. Windows updates tend to be automatic in most cases, hopefully, so it's not going to be quite as severe. Now what quickly happened with this one, though, over just a few months, was that it quickly moved to slides that you could actually build something off of, to a Python POC, to a Metasploit module, very rapidly. So you can see that as the exploit maturity and the code maturity advance, the score goes up and up and up, which makes sense, because this becomes a lot more exploitable as the bar for exploiting it goes down.

So moving on from that into the environmental scores. What I just wanted to point out with the scoring here is that these components, all the modified components, are exactly the same as what you have in the base score. These basically represent mitigations or different configurations in your environment that may change some of those impacts or change some of the other
components. On the other side you have the requirements for integrity, confidentiality and availability. We're talking at the asset level right now, so for a particular given asset: how important is it that the data is confidential and accurate, and how available do they need this to be, right? Again, it's a thought experiment, specific to looking at this exact asset.

And one thing I want to point out as well is that the confidentiality requirement, the requirements section, is actually a multiplier of the magnitude of how much changing modified confidentiality, integrity or availability will actually alter the overall score. So there's some interplay between those two sets of components. Setting those to Not Defined, in this example, leaves all those scores exactly as they are in the base score, but the overall score is going down lower because we set the requirements to Low in this particular case. And just taking it the other way, exact same scenario: if the requirements for this particular asset are, it's got PII on it, personally identifiable information, we really care about it, we need high availability for this server, it's critical, you can see the score go right back up, which definitely makes sense. Now in this scenario we had the same kind of idea, but we're saying we've got some really incredible mitigations in our environment for confidentiality, integrity and availability that bring those impacts down to Low in this particular scenario, whatever they might be, and you can see the score going back down again, although not as much as if those requirements were set to Low. And the same scenario again if those were set to None as well. Yeah, I guess so, okay.

So just curious about any of the components: this is a very, very small list of things that would impact certain components. If you're behind a firewall: the attack vector for this vulnerability is Network, but if you're behind a firewall, there's no port forwarding of any sort, you have to be on the internal LAN before you can interact with this, then the
modified attack vector in the environmental score would be going down to Adjacent. 3.1 actually makes that really clear and gives some clarifications on how to change that modified attack vector. Data classification is super important: do you have low, medium or high business impact data? Is this the boss's cat videos, or is this credit card information and things like that? That's definitely going to impact the confidentiality, integrity and availability requirements. For monetary data, transactional data, for doing financial transactions, you always want very high availability, so that requirement is very high. And there are some other things that we just listed out there. It's very, very important to maintain an accurate inventory and accurate metadata about your inventory; otherwise you're going to start doing environmental scoring about an environment that you don't actually operate in, and that's kind of a surefire recipe for disaster. So doing this in a dynamic sort of fashion is what I would recommend: as new assets come online you're constantly harvesting information about them that you can plug into these calculations.

So in this particular case what we've done is we're saying that this is going to be Medium requirements across the board. In this example we're taking the same RDP RCE, and we're saying that this is like proprietary, non-public game assets, so not High, but not publicly available data either; it doesn't contain any PII or anything like that; with a Medium integrity requirement; and we've decided that the server can be down for up to one to five days, so based on FIRST's guidance that can be a Medium availability requirement there. Now we haven't really changed anything on the modified side; we just clicked Network to remind you that that was what it was in the NVD vector, so there actually isn't any impact on the score. So I think we're moving on to the next slide here. So right now we're going to say that this is behind the firewall, so as we were saying before, Adjacent Network as the modified attack vector, and the score is
starting to come down. We're also adding an additional mitigation here, saying that the data is encrypted at rest. So for the data we care about on the server, even if the server's compromised, that encryption will actually limit the full disclosure of confidentiality; we're going to set that to Low because the actual data we care about is encrypted at rest. And taking it a step further, what we're showing here is essentially additional mitigations: we're saying we've got Volume Shadow Copies or snapshots of some sort, and maybe some monitoring of the integrity of our data, so if it is corrupted we can very quickly restore it from a point in time that's not too far back. And for modified availability we're saying here that this is now in a fully redundant cloud environment, so if the server goes down, it's running in a high-availability cluster, so odds are you probably won't even notice: another server will just take over that workload and you probably won't even know. So now you can see we've gone from what looked like an apocalyptic 9.8 critical vuln to a severity of 6.0, based on what's on that asset and what kind of mitigations we have in place. I have a feeling that you'd probably not put the same prioritization on this particular server as you would when it's coming out like a 9.8.

So you can see this could actually influence the kind of business decisions you're making, the kind of remediation decisions you're going to make. And then just taking it back the other way, the exact same scenario, except what we've done is we've changed the requirements over here: integrity and confidentiality have gone back up to High, and right here we then take away the encryption at rest, so there's no mitigation here for modified confidentiality. I set it to High, but in reality, since it was High in the base score, that's no different than saying it's Not Defined; it's just reminding you of the fact that we took away that mitigation,
so the score goes back up, and that makes sense: you have much more critical data, a much higher integrity requirement and fewer mitigations in place for the relevant components.

Cool, so we've done this for one asset, for one vuln. How do we start getting more, how can we do this for your full environment? So first, let's talk about one asset with multiple vulns. You run your scans, you get some data, you get some vulns, they have CVEs, you go to NVD, you learn more about the CVEs, you get the CVSS scores, you get the vectors, most importantly the vectors, right, because that's what we're going to manipulate. And that again is just the data that you're given. Now you have to do the work that Luke was talking about: understanding how your inventory affects those various components. Once you've done that, you say okay, what mitigations do I have in place for this asset, right, and you've done the work on how those mitigations work within your own particular environment, because it's specific to your environment. So you can combine those and say, all right, these effects are going to happen on this asset to these vectors that I've been given, that I found my asset is vulnerable to, and now you can work that into the environmental scoring. So it's really just variable replacement, and you can come up with new scores that are specific to your environment, and that's for this one asset. Now what you have to do next is do this for your entire inventory. Hopefully your inventory isn't completely disparate for every asset; your inventory should be homogeneous in at least various places, and you can generalize and have the same mitigations in place for various assets. So that makes this more efficient: you can say these groups of assets have these mitigations, and I know how those mitigations work within my environment for CVSS 3.1 scoring.
So once you do the work once and you categorize everything and group everything, I feel you can scale this relatively quickly, because certain assets coming into a service, or a service team, or a certain type of role will have the same characteristics. So you've kind of already done all the analysis; you can apply the applicable environmental factors and requirements based on what type of asset that is, what its function is, where it sits in the boundary, and very quickly you can scale this up to a very large number of assets. And again these are just data tables, right: once you have all this data filled out, they're connected by the various components of those data tables, so you can scale this up, and then we're going to let you do the automation.

And then you can start looking at what this data is telling you; you can get some nice visualizations. What we like to do is look at a list of all the assets in your environment and get a list of all the vulnerabilities; you've done the automation to integrate the data sets that you had, and for example you can click on an asset and see all the different vulnerabilities on it, you can sort those vulnerabilities by their scores, and those scores are now specific to your environment, so that's telling you prioritization within your environment. It's getting you closer to that knowledge of the risk of these actual vulnerabilities. You can also select a vulnerability and see all the assets, and you can base what you're selecting on that score if you want to, and then if a bunch of assets all have the same vulnerability, maybe you can go push a patch, right? So that makes things both more efficient and specific to your environment; those are the keys to this.

Now of course there are limitations to CVSS, which I'm sure we've all encountered in our work. A couple that we want to highlight that are specific to what we're talking about here: vulnerabilities are often roll-ups of
several CVEs, so CVSS doesn't actually address what to do with a vuln with multiple CVEs; we tend to take the high watermark and say, look, this is the worst one in the set of CVEs. Vulnerability chaining: CVSS does talk about that in their guidance, but it's not built into the calculator; of course there are ways to take two vulnerabilities together, and we could talk about that later with folks if you're interested. There's also, it'd be good to have a more robust statistical analysis of CVSS and how it actually correlates to the real world. They've given us these formulas and these numbers, but is that what we actually see when we go out there? So there needs to be more of that. And we talked about the difference between risk and severity, so you need to always be thinking of all the aspects of risk when you're talking about the vulnerabilities that you're finding in your environment.

So yeah, hopefully that outlines what you can start doing for yourself. If you categorize those assets, and if you understand how those categorizations of the assets allow you to do CVSS 3.1 scoring, in particular those environmental metrics, that's what's key to this. Once you do that, you have a bunch of data that you get to automate, and hopefully that allows you to do some scans of your assets and get these compiled reports, and make money, right? Yeah, that's what we had. Those are our contacts; I can give you my contact as well if you're interested, and I'm happy to send out the slides too if people would like them.
Okay, we have a few minutes; we can take a few questions from the audience if there are any.

When you work for a large organization, ultimately I need a product, basically, to do this for you, I guess, because it's a lot of work to do all of this manually. Do you know if any of the vulnerability management products actually implement this, like maybe ServiceNow or Rapid7 or Tenable and stuff like that? Because I haven't seen it yet, that's why I'm asking.

I have a mic, I'll use that mic. So yeah, I agree, I haven't seen a lot of that built, especially by those industry companies; that's where I would look. I know there are some smaller companies out there that have implemented sort of compliance solutions, but they don't necessarily address it with CVSS, that I've seen. At FITS, where I work, we have our own automation that we use; we don't sell it, but we use it as a service, and it isn't actually that complicated. Like I was saying, you really just have these data tables; you can do it easily in Python and with SQL, right, that's all you really need. It's not super complicated; you can mostly just build it up. But yeah, I haven't seen it out there.

Does the aggregate quantify for outliers, systems that may not necessarily conform to what the main CVSS... the example that you brought up with 0708, and how there are patches available for everything XP and above, but I was thinking more about 2000 and NT. I was wondering how CVSS would handle outliers such as those, because we know those systems are still running.

Start talking if you want. So I think, if I remember correctly about that particular RDP RCE, it was Windows Server 2008 R2, Windows Server 2003 and as far back as Windows XP. As far as outliers, I'd have to see
specifically how that vulnerability impacts a specific Windows operating system to get a sense of whether or not the scoring is going to give us an accurate picture of the severity of the risk. CVSS is designed to be general, so that if you're given a vuln with a base score, it should be applicable to general cases, but I'm sure there are outliers where the base score isn't necessarily perfect or your environmental scoring doesn't take into account everything. I mean, if there's something specific about that system that you're saying means it's not going to have the same impacts to confidentiality, integrity and availability, you can even come up with an environmental score for that particular asset that makes those adjustments, to come up with an accurate score for that particular asset.

Maybe a good example is, and I'm not really sure this is possible, but just as a hypothetical experiment: let's say for whatever reason you're running some hardened image and the Remote Desktop Protocol is only running with limited user privileges, as opposed to full local administrator privileges. If that were the case, the impacts to confidentiality, integrity and availability would actually all be Low, because you don't have a full compromise of those even if the exploit were to occur. I don't think that's going to be the case for RDP, but I can think of other types of listening services where you may be using a non-default config: the default configuration is running with full local admin rights, but your implementation may be hardened, and you create a special service account for it that has limited rights, following a least-privilege kind of thing.

All right, thank you for your questions. If anybody has any more, feel free to catch up with Luke and Matt outside. Yep, we'll be out there. Thank you very much. [Applause]