
    A preliminary analysis of vulnerability scores for attacks in wild

    NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. An open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM). Our final conclusion is that the NVD and EDB databases are not a reliable source of information for exploits in the wild, even after controlling for the CVSS and exploitability subscore. A high or medium CVSS score shows only a significant sensitivity (i.e. prediction of attacks in the wild) for vulnerabilities present in exploit kits (EKITS) in the black market. All datasets exhibit a low specificity

    Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data

    Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and users quickly install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how selection of training and test data critically affect the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility

    Adversarial Detection of Flash Malware: Limitations and Open Issues

    During the past four years, Flash malware has become one of the most insidious threats to detect, with almost 600 critical vulnerabilities targeting Adobe Flash disclosed in the wild. Research has shown that machine learning can be successfully used to detect Flash malware by leveraging static analysis to extract information from the structure of the file or its bytecode. However, the robustness of Flash malware detectors against well-crafted evasion attempts - also known as adversarial examples - has never been investigated. In this paper, we propose a security evaluation of a novel, representative Flash detector that embeds a combination of the prominent, static features employed by state-of-the-art tools. In particular, we discuss how to craft adversarial Flash malware examples, showing that it suffices to manipulate the corresponding source malware samples slightly to evade detection. We then empirically demonstrate that popular defense techniques proposed to mitigate evasion attempts, including re-training on adversarial examples, may not always be sufficient to ensure robustness. We argue that this occurs when the feature vectors extracted from adversarial examples become indistinguishable from those of benign data, meaning that the given feature representation is intrinsically vulnerable. In this respect, we are the first to formally define and quantitatively characterize this vulnerability, highlighting when an attack can be countered by solely improving the security of the learning algorithm, or when it requires also considering additional features. We conclude the paper by suggesting alternative research directions to improve the security of learning-based Flash malware detectors

    Quantifying the security risk of discovering and exploiting software vulnerabilities

    2016 Summer. Includes bibliographical references.
    Most of the attacks on computer systems and networks are enabled by vulnerabilities in software. Assessing the security risk associated with those vulnerabilities is important. Risk models such as the Common Vulnerability Scoring System (CVSS), Open Web Application Security Project (OWASP) and Common Weakness Scoring System (CWSS) have been used to qualitatively assess the security risk presented by a vulnerability. CVSS is the de facto standard and its metrics need to be independently evaluated. In this dissertation, we propose using a quantitative approach that uses actual data, mathematical and statistical modeling, data analysis, and measurement. We have introduced a novel vulnerability discovery model, the Folded model, that estimates the risk of vulnerability discovery based on the number of residual vulnerabilities in a given software. In addition to estimating the risk of vulnerability discovery for a whole system, this dissertation has furthermore introduced a novel metric termed time to vulnerability discovery to assess the risk of an individual vulnerability discovery. We also have proposed a novel vulnerability exploitability risk measure termed Structural Severity. It is based on software properties, namely attack entry points, vulnerability location, the presence of dangerous system calls, and reachability analysis. In addition to measurement, this dissertation has also proposed predicting vulnerability exploitability risk using internal software metrics. We have also proposed two approaches for evaluating CVSS Base metrics. Using the availability of exploits, we first have evaluated the performance of the CVSS Exploitability factor and have compared its performance to the Microsoft (MS) rating system. The results showed that the exploitability metrics of CVSS and MS have a high false positive rate. This finding has motivated us to conduct further investigation. To that end, we have introduced vulnerability reward programs (VRPs) as a novel ground truth to evaluate the CVSS Base scores. The results show that the notable lack of exploits for high severity vulnerabilities may be the result of prioritized fixing of vulnerabilities

    Understanding emerging client-Side web vulnerabilities using dynamic program analysis

    Today's Web heavily relies on JavaScript as it is the main driving force behind the plethora of Web applications that we enjoy daily. The complexity and amount of this client-side code have been steadily increasing over the years. At the same time, new vulnerabilities keep being uncovered, for which we mostly rely on manual analysis by security experts. Unfortunately, such manual efforts do not scale to the problem space at hand. Therefore, in this thesis, we present techniques capable of finding vulnerabilities automatically and at scale that originate from malicious inputs to postMessage handlers, polluted prototypes, and client-side storage mechanisms. Our results highlight that the investigated vulnerabilities are prevalent even among the most popular sites, showing the need for automated systems that help developers uncover them in a timely manner. Using the insights gained during our empirical studies, we provide recommendations for developers and browser vendors to tackle the underlying problems in the future. Furthermore, we show that security mechanisms designed to mitigate such and similar issues cannot currently be deployed by first-party applications due to their reliance on third-party functionality. This leaves developers in a no-win situation, in which either functionality can be preserved or security enforced.
    JavaScript is the driving force behind all the Web applications we use every day. However, over time both the amount and the complexity of client-side JavaScript code have steadily increased. Furthermore, security experts keep finding new kinds of vulnerabilities, mostly through manual analysis of the code. In this work we therefore investigate methodologies with which we can automatically find vulnerabilities that originate from postMessages, modified prototypes, or values from client-side persistence mechanisms. Our results show that the investigated vulnerabilities are widespread even among the most popular websites, which shows the need for automated systems that support developers in uncovering these vulnerabilities in a timely manner. Based on the insights gained in our empirical studies, we give recommendations for developers and browser vendors to tackle the underlying problems in the future. In addition, we show that security mechanisms intended to mitigate such and similar problems currently cannot be deployed by site operators, since they depend on third-party functionality. This forces site operators to choose between functionality and security

    Defesa por ataque: simulando ataques para promover fortes políticas de segurança organizacional (Defense by attack: simulating attacks to promote strong organizational security policies)

    Cyber crime is continuously growing in current times due to the constant digitization of everyday activities. Recently, after the world was hit with the COVID-19 pandemic, this effect was even more noticeable. With more digital activity, cyber crime has a tendency to also increase. The simulation of adversaries as a testing tool is one of the most important instruments when evaluating an organization’s security. Penetration tests are not enough, as attackers resort to many other methods such as social engineering and its techniques (phishing, impersonation, tailgating, etc.). By simulating a full scale attack with minimal restrictions, "red teaming" is introduced. There was an attempt to perform a red team assessment of the University of Aveiro in order to evaluate, test and improve the security policies of the organization. However, due to legal and bureaucratic restrictions related mostly to data protection policies and other privacy measures, the plan was cut short to merely the planning of the red team. The TIBER-EU Framework was also introduced, representing the state of the art guidelines to red teaming in Europe. This framework was followed during the planning of the assessment, which allowed me, the author of this thesis and also the emulated red team, to find a couple of flaws in the University’s security by executing brief threat intelligence analysis sessions.
    Cybercrime is continuously growing in current times due to the constant digitization of everyday activities. Recently, after the COVID-19 pandemic hit the planet, this effect was even more pronounced. With more digital activity, cybercrime also tends to increase. Adversary simulation as a testing tool is one of the most important instruments when evaluating an organization's security. Intrusion tests are not enough, since attackers resort to many other methods such as social engineering and its respective techniques (phishing, impersonation, tailgating, etc.). The concept of "red teaming" is introduced through the simulation of a large-scale attack with minimal restrictions. In this dissertation there was an attempt to carry out a red team test of the University of Aveiro with the aim of evaluating, testing and improving the organization's security policies. However, due to legal and bureaucratic restrictions related mostly to data protection policies and other privacy measures, the initial plan stopped at merely the planning of a red team test. The TIBER-EU Framework was also introduced, containing the guidelines considered state of the art when it comes to red teaming in Europe. These guidelines were followed during the planning of the test, which allowed me, as the author of the dissertation and the sole member of the simulated red team, to find some security flaws at the University through brief threat intelligence analysis sessions. Master's degree in Cybersecurity

    The Investigative Dynamics of the Use of Malware by Law Enforcement

    The police have started to use malware—and other forms of government hacking—to solve crimes. Some fear coming abuses—the widespread use of malware when traditional investigative techniques would work just as well or to investigate political opponents or dissident speakers. This Article argues that these abuses will be checked, at least in part, by the very nature of malware and the way it must be controlled. This analysis utilizes a previously unformalized research methodology called “investigative dynamics” to come to these conclusions. Because every use of malware risks spoiling the tool—by revealing a software vulnerability that can be patched—the police will always encounter constraints and disincentives to widespread and unchecked use. These constraints will operate much like so-called legislative “superwarrant” requirements, which some have urged Congress to enact for malware. The investigative dynamics of malware suggest that Congress could follow this advice without disrupting police conduct in any significant measure